You can monitor and analyze network traffic in real-time on Linux systems using packet sniffing tools. tcpdump is a widely-used packet sniffer that is typically available in default package managers for most Linux distributions.
You can use tcpdump from the terminal to capture network packets in Linux.
$ ip address show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:c1:c7:27 brd ff:ff:ff:ff:ff:ff inet 192.168.111.209/24 brd 192.168.111.255 scope global dynamic ens33 valid_lft 1686sec preferred_lft 1686sec inet6 fe80::20c:29ff:fec1:c727/64 scope link valid_lft forever preferred_lft forever 3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:c1:c7:31 brd ff:ff:ff:ff:ff:ff inet 10.1.11.168/24 brd 10.1.11.255 scope global dynamic ens38 valid_lft 553sec preferred_lft 553sec inet6 fe80::20c:29ff:fec1:c731/64 scope link valid_lft forever preferred_lft forever
$ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
$ sudo tcpdump --interface=ens33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:51:33.441598 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271 23:51:33.443678 IP host.38511 > _gateway.domain: 59312+ PTR? 255.111.168.192.in-addr.arpa. (46) 23:51:33.457610 IP _gateway.domain > host.38511: 59312 NXDomain*- 0/0/0 (46) 23:51:33.458205 IP host.36456 > _gateway.domain: 45040+ PTR? 1.111.168.192.in-addr.arpa. (44) 23:51:33.472273 IP _gateway.domain > host.36456: 45040 NXDomain*- 0/0/0 (44) 23:51:33.473799 IP host.48347 > _gateway.domain: 21130+ PTR? 2.111.168.192.in-addr.arpa. (44) 23:51:33.488758 IP _gateway.domain > host.48347: 21130 NXDomain*- 0/0/0 (44)
$ sudo tcpdump --interface=ens33 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:53:03.560835 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271 23:53:05.017192 ARP, Request who-has 192.168.111.209 tell 192.168.111.1, length 46 23:53:05.017275 ARP, Reply 192.168.111.209 is-at 00:0c:29:c1:c7:27, length 28 23:53:05.017603 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 0, length 64 23:53:05.017652 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 0, length 64 23:53:06.020939 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 1, length 64 23:53:06.021010 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 1, length 64 23:53:07.024389 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 2, length 64
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:55:40.546464 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 0, length 64 23:55:40.546517 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 0, length 64 23:55:41.551452 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 1, length 64 23:55:41.551485 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 1, length 64 23:55:42.556106 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 2, length 64 23:55:42.556243 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 2, length 64 23:55:43.561055 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 3, length 64 23:55:43.561094 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 3, length 64 23:55:43.955857 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [SEW], seq 3194582235, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243647685 ecr 0,sackOK,eol], length 0 23:55:43.955909 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [S.E], seq 4099266365, ack 3194582236, win 65160, options [mss 1460,sackOK,TS val 1285093713 ecr 243647685,nop,wscale 7], length 0 23:55:43.956230 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 0 23:55:43.956250 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 79: HTTP: GET / HTTP/1.1 23:55:43.956385 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285093713 ecr 243647685], length 0 23:55:43.957093 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285093714 ecr 243647685], length 7240: HTTP: HTTP/1.1 200 OK 23:55:43.957218 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243647686 ecr 1285093714], length 0
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:56:55.050784 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [SEW], seq 2286192876, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243718593 ecr 0,sackOK,eol], length 0 23:56:55.050827 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [S.E], seq 3111916818, ack 2286192877, win 65160, options [mss 1460,sackOK,TS val 1285164808 ecr 243718593,nop,wscale 7], length 0 23:56:55.051071 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051080 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 79: HTTP: GET / HTTP/1.1 23:56:55.051099 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 0 23:56:55.051375 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 7240: HTTP: HTTP/1.1 200 OK 23:56:55.051501 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 3933: HTTP 23:56:55.051565 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051570 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051572 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051573 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051574 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.052608 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243718594 ecr 1285164808], length 0 23:56:55.053149 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243718595 ecr 1285164808], length 0 23:56:55.053527 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285164810 ecr 243718595], length 0 23:56:55.054224 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243718595 ecr 1285164810], length 0
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 -w packet-dump.pcap tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes ^C16 packets captured 16 packets received by filter 0 packets dropped by kernel
$ file packet-dump.pcap packet-dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
$ tcpdump -r packet-dump.pcap reading from file packet-dump.pcap, link-type EN10MB (Ethernet) 00:00:12.131083 IP 192.168.111.1.53895 > host.http: Flags [SEW], seq 863662690, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243914992 ecr 0,sackOK,eol], length 0 00:00:12.131113 IP host.http > 192.168.111.1.53895: Flags [S.E], seq 2897562547, ack 863662691, win 65160, options [mss 1460,sackOK,TS val 1285361888 ecr 243914992,nop,wscale 7], length 0 00:00:12.131274 IP 192.168.111.1.53895 > host.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 0 00:00:12.131280 IP 192.168.111.1.53895 > host.http: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 79: HTTP: GET / HTTP/1.1 00:00:12.131300 IP host.http > 192.168.111.1.53895: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285361888 ecr 243914992], length 0 00:00:12.131855 IP host.http > 192.168.111.1.53895: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 7240: HTTP: HTTP/1.1 200 OK 00:00:12.131917 IP host.http > 192.168.111.1.53895: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 3933: HTTP 00:00:12.132149 IP 192.168.111.1.53895 > host.http: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132180 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132184 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132185 IP 192.168.111.1.53895 > host.http: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132188 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132801 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.133426 IP 192.168.111.1.53895 > host.http: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243914994 ecr 1285361889], length 0 00:00:12.133545 IP host.http > 192.168.111.1.53895: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285361890 ecr 243914994], length 0 00:00:12.133772 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243914994 ecr 1285361890], length 0
Comment anonymously. Login not required.