tcpdump is a packet sniffer it captures the network packets (traffic) that pass through a machine, enabling you to examine and analyze the traffic afterward. It is capable of becoming very complex, but the basics are pretty straightforward and useful for network troubleshooting.
To invoke it, you must be root. The absolute basic command is just tcpdump, which captures every package into or out of the system and print a line of text to standard out. This is great if you're directly logged into a machine, but not so good if you're using ssh because every time tcpdump prints to stdout, it sends a packet with this information across the ssh connection, producing another packet whose information is printed to stdout, which is then sent across ssh ... and so on. So to filter out ssh packets, try:
tcpdump not port 22
The output will start with a precise timestamp, identify the packet as IP or as a type of TCP, and then give source and destination (both with port), followed by some packet information. Check the man page for more detail.
12:28:02.958545 IP client.example.com.59713 > ldap.example.com.ldaps: P 170:367(197) ack 149 win 60 <nop,nop,timestamp 731749928 3462143864>
There are also options to, among other things: Turn off name resolution; specify a particular network interface; get a sample of packets then exit; capture output to a file; replay information from a file; and do packet match filtering. Check the manpage for further information.
This article was first published on ServerWatch.com.