Network sniffer with tcpdump – example commands



The other day, while I was inspecting my network traffic usage, I noticed a slight increase in the incoming traffic. At first I really thought someone was just uploading something to the server using PHP or FTP, and I didn't put much thought into it since the increase was just 1 Mbps. However, after a few hours of continuously seeing the same amount of traffic, just to be sure, I checked the logs for any FTP activity and the web server logs for any uploads; to my surprise I didn't find anything. My only option then was to scan the entire network traffic. This is what I'm going to write about: I'll be showing you some simple commands on how to use a network sniffer like tcpdump.

Heads up! These commands will only collect the network traffic and either output it to the screen or write it to a file. They will not interpret it for you.

So yeah, any network tool used for sniffing traffic will not really interpret the traffic for you; however, there are tools that can help you do that more easily. In my case, I wrote the output of tcpdump to a file and imported the file into Wireshark.

What I noticed then was a lot of incoming SMTP connections from one single IP address. I then checked that IP address in my mail server log and noticed there were a lot of incoming emails being dropped for having a large attachment, hence the increase in traffic. So yeah, it helped me find out what caused the increase. I really didn't think at the time that the increase could have come from the mail server; it was a constant usage for over 4 hours …

Note! To be able to use tcpdump you need root privileges.

How to install tcpdump

Well anyway, back to our main topic. First we should install tcpdump if it's not already installed; the commands used are:

  • CentOS, Redhat, Fedora

  • Debian, Ubuntu

I just noticed that on my laptop where I have Ubuntu installed, tcpdump is already there by default.

Find network interface

Then you would normally already know which interface you plan to sniff packets on, but you also have the option to list all interfaces that you are able to sniff packets from:

The output would be similar to:

Capture packets from your network

So in my case I know I'm using eth2 as my network connection, so my command would be:

Then, for example, I do not wish to capture port 22, since it's the port I use for SSH:

You can also have this output written to a file for later inspection:

If you wish to capture traffic only from one source IP, then you use:

The output would be similar to the one below; I'm only going to show you the output from the first command:

The command I personally used in my little test was the one that writes to a file for later inspection in Wireshark.
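As an added example (not from the original post), the script below wraps the same workflow: build the capture command for an interface while excluding the admin's own SSH port, and then do the small amount of "interpreting" that tcpdump itself does not do, counting packets per source IP and destination port from tcpdump's text output so a single noisy sender (such as the SMTP source found above) stands out. The interface name eth2, the output path and the sample lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not the original post's commands. Interface, output
# path and the sample tcpdump lines below are assumed/constructed.
IFACE="${IFACE:-eth2}"
OUT="${OUT:-/tmp/capture.pcap}"

# Build the capture command: -n skips DNS lookups, -s 0 keeps whole
# packets, -w writes raw packets for later import into Wireshark,
# and "not port 22" leaves the admin's own SSH session out.
capture_cmd() {
    echo "tcpdump -n -s 0 -i $1 -w $2 not port 22"
}

# Run the capture (tcpdump needs root, as the post notes).
capture() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    tcpdump -n -s 0 -i "$IFACE" -w "$OUT" not port 22
}

# Summarise text output of "tcpdump -n -r $OUT" read from stdin:
# packets per source IP and destination port, busiest first.
# Handles IPv4 lines only ("IP6" lines are ignored); ICMP lines,
# which carry no port, are counted under port "-".
top_talkers() {
    awk '$2 == "IP" {
        ns = split($3, s, ".")
        src = (ns == 5) ? (s[1] "." s[2] "." s[3] "." s[4]) : $3
        dst = $5; sub(/:$/, "", dst)
        nd = split(dst, d, ".")
        port = (nd == 5) ? d[5] : "-"
        count[src " -> port " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of "tcpdump -n" output for an offline demo.
SAMPLE_LINES='12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.2.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 198.51.100.2.25 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000003 IP 203.0.113.5.51235 > 198.51.100.2.25: Flags [S], seq 3, win 64240, length 0
12:00:03.000004 IP 203.0.113.5.51236 > 198.51.100.2.25: Flags [S], seq 4, win 64240, length 0
12:00:04.000005 IP 192.0.2.9 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64'

demo_top_talkers() {
    printf '%s\n' "$SAMPLE_LINES" | top_talkers
}
```

On a real capture, replace the demo with `tcpdump -n -r "$OUT" | top_talkers`.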
