Monitoring network traffic with tcpdump
The following procedure demonstrates how to use tcpdump to sniff and log packets going in and out of a machine's network interfaces.
1. Identify the network interfaces available.
user@host: $ tcpdump --list-interfaces
1.wlp6s0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
2. Set the sniffing tool to listen on a network interface for packets and send the output to a file for easy review later.
2.1. To and from a target port, such as HTTP, regardless of host.
user@host: $ sudo tcpdump -A -i any -l -s 0 -vvv tcp port 80 > mytcpdumpout.txt 2>&1
2.2. To and from a target host, regardless of port.
user@host: $ sudo tcpdump -A -i any -l -s 0 -vvv host nameOfMachine > mytcpdumpout.txt 2>&1
2.3. The flags used to adjust the behavior of tcpdump are as follows.
[ -A ] prints packets in ASCII format and make them readable, excluding data link layer headers.
[ -i any ] captures packets from any network interface.
[ -l ] prints the output in lines for easy reading.
[ -s 0 ] limits the packet length captured to default (262144 bytes).
[ -vvv ] produces very, very verbose output.
3. Open another terminal and follow the output on the file using tail.
user@host: $ tail -f mytcpdumpout.txt
4. End the tcpdump capture by press Ctrl-C on the listening terminal.