Monitoring network traffic is crucial for understanding the behavior of systems and identifying potential issues. On Linux, this is typically done using packet sniffers like tcpdump. These tools allow real-time capture and analysis of network packets on a specified interface. Capturing this traffic provides visibility into the data traversing the network, which can be useful for both troubleshooting and security purposes.

The tcpdump tool is widely used for packet capture in Linux systems and is available through the default package manager in most distributions. It can be run directly from the terminal to capture all incoming and outgoing network traffic on a specified interface. This makes it a powerful tool for network diagnostics, letting you see detailed packet-level data.

To capture network traffic effectively, selecting the correct network interface is essential. tcpdump also offers flexible filtering options, allowing you to isolate traffic to specific IP addresses or ports. Captured data can be saved for further analysis or reviewed in real-time, depending on your requirements.

Steps to capture network traffic in Linux:

  1. Open the terminal.
  2. Identify the network interface to monitor.
    $ ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:c1:c7:27 brd ff:ff:ff:ff:ff:ff
        inet 192.168.111.209/24 brd 192.168.111.255 scope global dynamic ens33
           valid_lft 1686sec preferred_lft 1686sec
        inet6 fe80::20c:29ff:fec1:c727/64 scope link
           valid_lft forever preferred_lft forever
    3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:c1:c7:31 brd ff:ff:ff:ff:ff:ff
        inet 10.1.11.168/24 brd 10.1.11.255 scope global dynamic ens38
           valid_lft 553sec preferred_lft 553sec
        inet6 fe80::20c:29ff:fec1:c731/64 scope link
           valid_lft forever preferred_lft forever

    Choose the relevant interface for capturing traffic, e.g., ens33.

  3. Install tcpdump if it's not already installed.
    $ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
  4. Run tcpdump on the desired interface.
    $ sudo tcpdump --interface=ens33
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:51:33.441598 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271
    23:51:33.443678 IP host.38511 > _gateway.domain: 59312+ PTR? 255.111.168.192.in-addr.arpa. (46)
    23:51:33.457610 IP _gateway.domain > host.38511: 59312 NXDomain*- 0/0/0 (46)
    23:51:33.458205 IP host.36456 > _gateway.domain: 45040+ PTR? 1.111.168.192.in-addr.arpa. (44)
    23:51:33.472273 IP _gateway.domain > host.36456: 45040 NXDomain*- 0/0/0 (44)
    23:51:33.473799 IP host.48347 > _gateway.domain: 21130+ PTR? 2.111.168.192.in-addr.arpa. (44)
    23:51:33.488758 IP _gateway.domain > host.48347: 21130 NXDomain*- 0/0/0 (44)

    This captures all traffic on ens33. Press Ctrl+C to stop the capture.

  5. Disable host and port name resolution with -n for clearer output. Without -n, tcpdump issues a reverse DNS (PTR) lookup for every address it prints, which is where the extra queries to _gateway.domain in the previous step came from.
    $ sudo tcpdump --interface=ens33 -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:53:03.560835 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271
    23:53:05.017192 ARP, Request who-has 192.168.111.209 tell 192.168.111.1, length 46
    23:53:05.017275 ARP, Reply 192.168.111.209 is-at 00:0c:29:c1:c7:27, length 28
    23:53:05.017603 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 0, length 64
    23:53:05.017652 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 0, length 64
    23:53:06.020939 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 1, length 64
    23:53:06.021010 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 1, length 64
    23:53:07.024389 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 2, length 64
  6. Filter network traffic by a specific IP address.
    $ sudo tcpdump --interface=ens33 -n host 192.168.111.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:55:40.546464 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 0, length 64
    23:55:40.546517 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 0, length 64
    23:55:41.551452 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 1, length 64
    23:55:41.551485 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 1, length 64
    23:55:42.556106 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 2, length 64
    23:55:42.556243 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 2, length 64
    23:55:43.561055 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 3, length 64
    23:55:43.561094 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 3, length 64
    23:55:43.955857 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [SEW], seq 3194582235, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243647685 ecr 0,sackOK,eol], length 0
    23:55:43.955909 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [S.E], seq 4099266365, ack 3194582236, win 65160, options [mss 1460,sackOK,TS val 1285093713 ecr 243647685,nop,wscale 7], length 0
    23:55:43.956230 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 0
    23:55:43.956250 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 79: HTTP: GET / HTTP/1.1
    23:55:43.956385 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285093713 ecr 243647685], length 0
    23:55:43.957093 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285093714 ecr 243647685], length 7240: HTTP: HTTP/1.1 200 OK
    23:55:43.957218 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243647686 ecr 1285093714], length 0
  7. Filter network traffic by a specific port.
    $ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:56:55.050784 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [SEW], seq 2286192876, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243718593 ecr 0,sackOK,eol], length 0
    23:56:55.050827 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [S.E], seq 3111916818, ack 2286192877, win 65160, options [mss 1460,sackOK,TS val 1285164808 ecr 243718593,nop,wscale 7], length 0
    23:56:55.051071 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.051080 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 79: HTTP: GET / HTTP/1.1
    23:56:55.051099 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 0
    23:56:55.051375 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 7240: HTTP: HTTP/1.1 200 OK
    23:56:55.051501 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 3933: HTTP
    23:56:55.051565 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.051570 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.051572 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.051573 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.051574 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
    23:56:55.052608 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243718594 ecr 1285164808], length 0
    23:56:55.053149 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243718595 ecr 1285164808], length 0
    23:56:55.053527 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285164810 ecr 243718595], length 0
    23:56:55.054224 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243718595 ecr 1285164810], length 0
  8. Save captured packets to a file for analysis.
    $ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 -w packet-dump.pcap
    tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C16 packets captured
    16 packets received by filter
    0 packets dropped by kernel

    This saves the output to a file named packet-dump.pcap.

  9. Verify the saved packet capture file.
    $ file packet-dump.pcap
    packet-dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
  10. Read the saved packet capture using tcpdump. Name resolution also applies when reading from a file, so pass -n here as well if you want raw addresses and port numbers instead of names such as host and http.
    $ tcpdump -r packet-dump.pcap
    reading from file packet-dump.pcap, link-type EN10MB (Ethernet)
    00:00:12.131083 IP 192.168.111.1.53895 > host.http: Flags [SEW], seq 863662690, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243914992 ecr 0,sackOK,eol], length 0
    00:00:12.131113 IP host.http > 192.168.111.1.53895: Flags [S.E], seq 2897562547, ack 863662691, win 65160, options [mss 1460,sackOK,TS val 1285361888 ecr 243914992,nop,wscale 7], length 0
    00:00:12.131274 IP 192.168.111.1.53895 > host.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 0
    00:00:12.131280 IP 192.168.111.1.53895 > host.http: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 79: HTTP: GET / HTTP/1.1
    00:00:12.131300 IP host.http > 192.168.111.1.53895: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285361888 ecr 243914992], length 0
    00:00:12.131855 IP host.http > 192.168.111.1.53895: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 7240: HTTP: HTTP/1.1 200 OK
    00:00:12.131917 IP host.http > 192.168.111.1.53895: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 3933: HTTP
    00:00:12.132149 IP 192.168.111.1.53895 > host.http: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.132180 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.132184 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.132185 IP 192.168.111.1.53895 > host.http: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.132188 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.132801 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
    00:00:12.133426 IP 192.168.111.1.53895 > host.http: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243914994 ecr 1285361889], length 0
    00:00:12.133545 IP host.http > 192.168.111.1.53895: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285361890 ecr 243914994], length 0
    00:00:12.133772 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243914994 ecr 1285361890], length 0
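To show what the `file` check in step 9 and the read in step 10 rely on, here is an added example (not part of the original article) that parses the pcap container format and the Ethernet/IPv4/TCP headers inside it in plain Python, rendering each packet's flow and flags the way tcpdump -n prints them. The sample capture it parses is constructed in the code and modelled on the first two packets of step 7; the function and constant names are my own.

```python
import struct
from collections import namedtuple

PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1  # microsecond timestamps, little-endian; EN10MB
# Flag letters in the order tcpdump prints them: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))
TcpPacket = namedtuple("TcpPacket", "ts src sport dst dport flags")

def parse_frame(ts, frame):  # Ethernet -> IPv4 -> TCP headers; None for any other frame
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IP header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:                 # protocol 6 = TCP; need a full TCP header
        return None
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = "".join(ch for bit, ch in TCP_FLAG_LETTERS if ip[ihl + 13] & bit)
    return TcpPacket(ts, src, sport, dst, dport, flags)

def parse_pcap(data):  # walk the 24-byte global header and the 16-byte per-record headers
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:                        # file ends mid-record: capture cut short
            raise ValueError(f"truncated record at offset {off}")
        off += 16 + incl_len
        if (pkt := parse_frame(ts_sec + ts_usec / 1e6, frame)):
            packets.append(pkt)
    return packets

def tcpdump_line(p):  # the flow and flags columns as `tcpdump -n` prints them
    return f"{p.src}.{p.sport} > {p.dst}.{p.dport}: Flags [{p.flags}]"

def build_record(ts_sec, ts_usec, src, sport, dst, dport, flag_byte):  # constructed test data
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    frame = bytes.fromhex("000c29c1c727" "000c29c1c731" "0800") + ip + tcp
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

# Constructed sample mirroring the first two packets of step 7: SYN+ECE+CWR, then SYN+ACK+ECE
SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
               + build_record(0, 50784, "192.168.111.1", 53869, "192.168.111.209", 80, 0xC2)
               + build_record(0, 50827, "192.168.111.209", 80, "192.168.111.1", 53869, 0x52))
```

Pointing parse_pcap at the bytes of packet-dump.pcap from step 8 instead of SAMPLE_PCAP yields the same flow lines as step 10, and a capture that was cut short mid-record is reported rather than silently truncated.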