
tcpdump

Capture the TCP SYN packets used in establishing a TCP connection

The filter `tcp[13]&2==2` tests the SYN bit (0x02) of the TCP flags byte, so on its own it matches both the client's SYN and the server's SYN-ACK; the `src net 142.122.9.26/32` clause keeps only the segments sent by that host, i.e. its connection attempts to port 9443. `tcp[tcpflags] & tcp-syn != 0` is the equivalent named form.

$ /usr/sbin/tcpdump -ni eth0 port 9443 and 'tcp[13]&2==2' and 'src net 142.122.9.26/32'

tcpdump accepts a single `-i`; repeating it (`-i eth0 -i eth1`) only keeps the last one. To watch both interfaces use `-i any` (Linux), and add `-l` so stdout is line-buffered and grep sees packets as they arrive:

$ /usr/sbin/tcpdump -nl -i any | grep 142.117.206

Monitor HTTP Traffic

Here is how to monitor HTTP traffic on the web server. The expression `(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)` is the TCP payload length: IP total length minus IP header length (IHL in 32-bit words, times 4) minus TCP header length (data offset, times 4). The `!= 0` test therefore drops handshake packets and pure ACKs and leaves only segments that carry data. `-A` prints the payload as ASCII and `-s 0` captures whole packets (the default in current tcpdump).

1. To monitor HTTP traffic including request and response headers and message body:

/usr/sbin/tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

2. To monitor HTTP traffic including request and response headers and message body from a particular source:

/usr/sbin/tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

3. To monitor HTTP traffic including request and response headers and message body from local host to local host (interface options go before the filter expression):

/usr/sbin/tcpdump -A -s 0 -i lo 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

4. To only include HTTP requests, change "tcp port 80" to "tcp dst port 80" in the above commands.

5. To only include HTTP responses, change "tcp port 80" to "tcp src port 80" in the above commands.
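The two byte-offset filters above (`tcp[13]&2==2` for the SYN handshake and the payload-length expression for HTTP data) are easier to trust once you have evaluated them by hand. The following Python is an added example, not code from the original page: it builds a few IPv4/TCP packets inline (constructed addresses 10.0.0.1 and 10.0.0.2, client port 40000) and applies exactly the arithmetic tcpdump applies, including packets with IP options and TCP options, which is where the IHL and data-offset terms make the difference.

```python
"""Evaluate tcpdump byte-offset filters against constructed IPv4/TCP packets.

Added example, not from the page. Checksums are left at zero because the
filters never look at them; only IHL, total length, data offset and flags matter.
"""
import struct

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def build_ipv4_tcp(payload=b"", flags=TCP_ACK, sport=40000, dport=80,
                   ip_opts=b"", tcp_opts=b""):
    """Return raw IPv4+TCP bytes (no link-layer header)."""
    if len(ip_opts) % 4 or len(tcp_opts) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ihl = 5 + len(ip_opts) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4          # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                         0, 0, 64, 6, 0, SRC, DST) + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          doff << 4, flags, 65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload


def ip_at(pkt, off, size=1):
    """tcpdump's ip[off:size]: big-endian integer at byte offset off of the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_at(pkt, off, size=1):
    """tcpdump's tcp[off:size]: offset relative to the TCP header, which starts at IHL*4."""
    start = (pkt[0] & 0x0F) << 2
    return int.from_bytes(pkt[start + off:start + off + size], "big")


def is_syn(pkt):
    """'tcp[13]&2==2': SYN bit set, so this matches SYN and SYN-ACK alike."""
    return tcp_at(pkt, 13) & 0x02 == 0x02


def tcp_payload_len(pkt):
    """'(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)': bytes of TCP data."""
    return (ip_at(pkt, 2, 2) - ((ip_at(pkt, 0) & 0x0F) << 2)) - ((tcp_at(pkt, 12) & 0xF0) >> 2)


def has_http_data(pkt, port=80):
    """Equivalent of 'tcp port 80 and (<payload length> != 0)'."""
    sport, dport = tcp_at(pkt, 0, 2), tcp_at(pkt, 2, 2)
    return port in (sport, dport) and tcp_payload_len(pkt) != 0


# Constructed packets: a handshake, a pure ACK, then data with options on both layers.
REQ_BODY = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
RESP_BODY = b"HTTP/1.1 200 OK\r\n\r\n"
SYN = build_ipv4_tcp(flags=TCP_SYN, tcp_opts=b"\x02\x04\x05\xb4")        # MSS option
SYN_ACK = build_ipv4_tcp(flags=TCP_SYN | TCP_ACK, sport=80, dport=40000)
ACK = build_ipv4_tcp(flags=TCP_ACK)
REQUEST = build_ipv4_tcp(REQ_BODY, flags=TCP_PSH | TCP_ACK,
                         tcp_opts=b"\x01\x01\x08\x0a" + bytes(8))        # NOP,NOP,timestamp
RESPONSE = build_ipv4_tcp(RESP_BODY, flags=TCP_PSH | TCP_ACK, sport=80, dport=40000,
                          ip_opts=b"\x01\x01\x01\x01")                   # four IP NOPs


def summarize(packets):
    """(name, syn-filter hit, http-data-filter hit, payload bytes) for each packet."""
    return [(name, is_syn(p), has_http_data(p), tcp_payload_len(p)) for name, p in packets]


if __name__ == "__main__":
    for row in summarize([("SYN", SYN), ("SYN-ACK", SYN_ACK), ("ACK", ACK),
                          ("GET", REQUEST), ("200 OK", RESPONSE)]):
        print("%-8s syn=%-5s http_data=%-5s payload=%d" % row)
```

Only the GET and the 200 OK pass the payload-length test, and the test still comes out right when the IP header is 24 bytes or the TCP header is 32 bytes; a filter that hard-coded `ip[2:2] - 40` would misreport both of those packets.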

Capture packets from local host to local host

This captures everything on the loopback interface, not only TCP; append a filter expression such as `tcp` to narrow it.

/usr/sbin/tcpdump -i lo

Capture TCP packets (HL7 traffic)

`-vv` prints verbose header detail, `-x -X` print the packet in hex and in hex plus ASCII, and `-s 1500` captures one full Ethernet MTU per packet:

/usr/sbin/tcpdump -vv -x -X -s 1500 -i bond0:1 'port 2399'

Or:

/usr/sbin/tcpdump -A -s 0 -i bond0:1 'port 2399' 

Capture TCP packets into pcap file and display back in Wireshark

Some TCP traffic, for example DICOM traffic, is binary data and needs to be decoded with a tool like Wireshark before you can see what is going on. In this case, use the -w parameter to write the raw packets in pcap format instead of printing them (-A has no effect when -w is used), then open the file in Wireshark or read it back with `tcpdump -r`. Keep `-s 0` (or the modern default of 262144) so packets are stored whole; a short snap length leaves truncated records that Wireshark cannot fully decode:

/usr/sbin/tcpdump -s 0 'port 104' -w $HOME/capture.pcap
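To see what `-w` actually writes, and why the snap length matters when the file is later decoded, here is an added example (not from the page) that serialises two constructed placeholder packets into the classic pcap container, truncates them to a chosen snaplen the way a short `-s` would, and reads the file back. LINKTYPE_RAW (101, packets without a link-layer header) is an assumption made for the example; a capture from an Ethernet interface would carry LINKTYPE_ETHERNET (1).

```python
"""Write and read the pcap container that 'tcpdump -w' produces.

Added example, not from the page. The packet bytes are constructed placeholders;
the pcap layer treats them as opaque, which is exactly why snaplen truncation
is invisible until Wireshark tries to decode the record.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap; written little-endian here, readers detect order
LINKTYPE_RAW = 101        # assumption for this example: raw IP packets, no link-layer header


def write_pcap(packets, snaplen, linktype=LINKTYPE_RAW, ts=(0, 0)):
    """Serialise packets into a pcap byte string, truncating each to snaplen.

    Each record stores incl_len (bytes actually kept) and orig_len (size on the wire);
    Wireshark flags incl_len < orig_len as 'Packet size limited during capture'.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    sec, usec = ts
    for i, pkt in enumerate(packets):
        data = pkt[:snaplen]
        out += struct.pack("<IIII", sec, usec + i, len(data), len(pkt))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap byte string into (snaplen, linktype, [(incl_len, orig_len, data), ...])."""
    magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file: magic %#x" % magic)
    records, pos = [], 24
    while pos < len(blob):
        _sec, _usec, incl_len, orig_len = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        records.append((incl_len, orig_len, blob[pos:pos + incl_len]))
        pos += incl_len
    return snaplen, linktype, records


def truncated_records(blob):
    """Indices of records cut short by the snaplen, i.e. what '-s 0' prevents."""
    _, _, records = read_pcap(blob)
    return [i for i, (incl, orig, _) in enumerate(records) if incl < orig]


# Constructed placeholders: a 1400-byte data segment and a 60-byte ACK-sized packet.
BIG = bytes(range(256)) * 5 + bytes(120)
SMALL = bytes(60)

if __name__ == "__main__":
    for snaplen in (96, 262144):
        blob = write_pcap([BIG, SMALL], snaplen)
        print("snaplen=%d: truncated records %s" % (snaplen, truncated_records(blob)))
        with open("capture-%d.pcap" % snaplen, "wb") as f:   # open in Wireshark or tcpdump -r
            f.write(blob)
```

With snaplen 96 the first record keeps only its first 96 bytes while orig_len still says 1400, so a DICOM or HL7 dissector would stop at the cut; with the full snaplen both records are stored whole.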
