
Use tcpdump for network debugging

Tcpdump is an extremely useful network packet tracing tool. While not as feature-rich as programs such as Wireshark, its packet "dump" output can be fed to other programs for further analysis. For quick network debugging, tcpdump works wonders.

For instance, if you were interested in viewing the incoming packets to port 80 in real-time, i.e., to see where packets were coming from or being sent to, you would use:

# tcpdump -i eth1 tcp port 80

This will monitor the interface eth1 for all traffic being sent to or from port 80. Suppose you suspect your system of high amounts of outbound traffic to other Web sites; you can tune this command further so that it only watches outbound traffic to port 80, ignoring all inbound traffic on port 80:

# tcpdump -i eth1 tcp dst port 80 and src host 192.168.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:02.435235 IP localsystem.47270 > frontal2.mandriva.com.http: S 1119588236:1119588236(0) win 5840 <mss 1460,sackOK,timestamp 5110073 0,nop,wscale 2>
15:23:02.603021 IP localsystem.47270 > frontal2.mandriva.com.http: . ack 2575114973 win 1460 <nop,nop,timestamp 5110114 53440877>
...

In the above example, the IP address 192.168.0.10 is the IP address associated with the interface eth1 on the system, and frontal2.mandriva.com is the remote address being contacted.

As you can see from the output, tcpdump provides a lot of information. If you don't need all the extraneous information and just want to see the connections directly, use:

# tcpdump -q -i eth1 tcp dst port 80 and src host 192.168.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:53.198419 IP localsystem.47271 > frontal2.mandriva.com.http: tcp 0
15:23:53.366309 IP localsystem.47271 > frontal2.mandriva.com.http: tcp 0
...

If you are only interested in IP addresses, use the -n option. This tells tcpdump not to translate host addresses or port numbers into names, so 192.168.0.10 would not be translated to "localsystem" (the hostname associated with the IP), and port 80 would not be translated to "http".

In a pinch, despite being a command-line tool, tcpdump can make network diagnosis and troubleshooting easy. The output can be dumped to a file for later analysis, or you can view it in real-time for quick on-the-job diagnostics. It uses a very flexible command line that allows you to fine-tune and customize exactly what packets you want to see. Tcpdump is typically included with every Linux distribution, although it may not be installed by default.
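The following script is an added example and is not part of the original article. It pulls the pieces above together: it builds the outbound-port-80 filter from the article, assembles a tcpdump command line using -n, -q and -w so the capture can be saved for later analysis, and then shows one way to use tcpdump's one-line output as input to another program, counting packets per destination to spot where suspected outbound traffic is going. The interface name, local address and the sample capture lines are constructed for the example; the summariser expects the -n -q line format shown in the article, with numeric addresses.

```shell
#!/bin/sh
# Added example, not from the original article. Interface, address and the
# sample capture below are constructed values, not real traffic.

IFACE="${IFACE:-eth1}"                # assumption: interface used in the article
LOCAL_IP="${LOCAL_IP:-192.168.0.10}"  # assumption: address of eth1 in the article

# Build the BPF filter for outbound HTTP from one host, mirroring the
# article's "tcp dst port 80 and src host 192.168.0.10".
#   $1 = source host, $2 = destination port (default 80)
outbound_http_filter() {
    printf 'tcp dst port %s and src host %s' "${2:-80}" "$1"
}

# Full tcpdump command line: -n (no name lookups), -q (quiet one-line output),
# -i interface, and optionally -w FILE to save raw packets for later analysis
# (read them back later with "tcpdump -n -q -r FILE").
#   $1 = source host, $2 = optional output file
capture_command() {
    if [ -n "${2:-}" ]; then
        printf 'tcpdump -n -q -i %s -w %s %s' "$IFACE" "$2" "$(outbound_http_filter "$1")"
    else
        printf 'tcpdump -n -q -i %s %s' "$IFACE" "$(outbound_http_filter "$1")"
    fi
}

# Run the capture only if tcpdump is installed (needs root to open the
# interface). Not called at top level so the script stays safe to source.
run_capture() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not installed" >&2; return 1; }
    eval "$(capture_command "$LOCAL_IP" "${1:-}")"
}

# Summarise tcpdump -n -q output: count packets per destination host.port.
# Input lines look like:
#   15:23:53.198419 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 0
# Output: "<count> <destination>" lines, highest count first.
summarise_destinations() {
    awk '$2 == "IP" && $4 == ">" { dst = $5; sub(/:$/, "", dst); n[dst]++ }
         END { for (d in n) print n[d], d }' | sort -rn
}

# Constructed sample of -n -q output: three packets to one host, one to another.
SAMPLE_CAPTURE='15:23:53.198419 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 0
15:23:53.366309 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 0
15:23:54.001122 IP 192.168.0.10.47272 > 198.51.100.9.80: tcp 0
15:23:54.120000 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 512'

# Busiest destination in the sample, as "<count> <host.port>".
top_destination() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarise_destinations | head -n 1
}

# Show the command you would run as root, then the summary of the sample.
capture_command "$LOCAL_IP" /tmp/http-out.pcap; echo
printf '%s\n' "$SAMPLE_CAPTURE" | summarise_destinations
```

For a live system, run the printed command as root (or call run_capture with a file name), then pipe "tcpdump -n -q -r /tmp/http-out.pcap" into summarise_destinations; the -n flag matters here because the awk field logic keys on the numeric host.port form, not on resolved names.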


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
