tcpdump is a packet sniffer — it captures the network packets (traffic) that pass through a machine, enabling you to examine and analyze the traffic afterward. It is capable of becoming very complex, but the basics
are pretty straightforward and useful for network troubleshooting.
To invoke it, you must be root. The absolute
basic command is just tcpdump, which captures every package
into or out of the system and print a line of text to standard out. This is great if you’re directly logged into a machine, but not so good if you’re using ssh because every time tcpdump prints to stdout, it sends a
packet with this information across the ssh connection, producing another
packet whose information is printed to stdout, which is then sent across ssh … and
so on. So to filter out ssh packets, try:
tcpdump not port 22
The output will start with a precise timestamp, identify the packet as IP
or as a type of TCP, and then give source and destination (both with port),
followed by some packet information. Check the man page for more detail.
12:28:02.958545 IP client.example.com.59713 > ldap.example.com.ldaps: P 170:367(197) ack 149 win 60
There are also options to, among other things: Turn off name resolution;
specify a particular network interface; get a sample of packets then exit;
capture output to a file; replay information from a file; and do packet match
filtering. Check the manpage for further information.
This article was first published on ServerWatch.com.