10 Tcpdump Examples to Help You Watch Your IP Traffic

In a recent article here on UptimeMadeEasy about setting up NTP, I mentioned and showed a brief example of using tcpdump to watch the NTP traffic in and out of your server. I realized that the very short example was far too short to be a valid tutorial on the usage of tcpdump. So in this article I thought I would give a list of examples that may help you as you troubleshoot your IP traffic and your servers. Below are 10 tcpdump examples to help you watch your IP traffic:

Example 1 – Show All Traffic on an Interface (eth0 in this case)

First, the typical first try with tcpdump: dumping all traffic on eth0 to the screen. This is a crazy example because you will likely get far too much output for it to be usable:

$ tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:13:36.271308 IP google-public-dns-a.google.com.domain > obelix.39752: 958 1/1/0 CNAME uptimemadeeasy.com. (120)
13:13:36.286153 IP uptime.ssh > 64.55.129.224.23019: Flags [P.], seq 1563263555:1563263747, ack 3258119244, win 116, options [nop,nop,TS val 826863592 ecr 2232231881], length 192
13:13:36.289395 IP uptime.49706 > google-public-dns-a.google.com.domain: 27223+ PTR? 8.8.8.8.in-addr.arpa. (38)

...

98786 packets captured
98786 packets received by filter

You can see that it just pumps the data out and you will be unable to process it.

Example 2 – Show All Traffic Except from IP Address…

The first thing to realize is that if you are using ssh to connect to the machine, then you are generating traffic to that machine, and when it sends the tcpdump output back to you, that output is itself more traffic, which tcpdump then prints, and so on in a loop. You want to filter out the traffic that your own session is generating. In the next example, I am filtering out traffic from my ssh client's IP address:

$ tcpdump -i eth0 not host 10.99.231.76

(Replace 10.99.231.76 with your own client's IP address.)
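The filter above drops every packet to or from the client address, which also hides any other traffic that host exchanges with the server. As an added example (not from the original article), the script below builds a narrower filter that excludes only the ssh session itself; it assumes sshd's SSH_CONNECTION variable ("client_ip client_port server_ip server_port") is set, and the RUN_CAPTURE switch is my own convention for this script.

```shell
#!/bin/sh
# Build a tcpdump filter that excludes only the current ssh session, rather than
# every packet from the client host. The client address and the server-side port
# come from SSH_CONNECTION, which sshd sets to
#   "client_ip client_port server_ip server_port".

# Print the filter on stdout. Argument 1 (optional) overrides SSH_CONNECTION so
# the function can be exercised outside an ssh session.
ssh_session_filter() {
    conn="${1:-$SSH_CONNECTION}"
    [ -n "$conn" ] || return 1      # not running over ssh: nothing to exclude
    set -- $conn                     # split the variable into its four fields
    [ $# -eq 4 ] || return 1         # unexpected format, refuse to guess
    printf 'not (host %s and tcp port %s)' "$1" "$4"
}

# Only start a capture when explicitly asked (RUN_CAPTURE=1, needs root);
# otherwise just show the command that would run.
if filter=$(ssh_session_filter); then
    if [ "${RUN_CAPTURE:-0}" = 1 ]; then
        # -nn keeps tcpdump from doing name lookups, which would otherwise
        # add DNS traffic of their own to the capture (see Example 10).
        tcpdump -i eth0 -nn "$filter"
    else
        printf 'would run: tcpdump -i eth0 -nn "%s"\n' "$filter"
    fi
else
    echo "SSH_CONNECTION is not set; no ssh session to exclude" >&2
fi
```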

Example 3 – Save Tcpdump Output to a File

Sometimes you want to save the report in a file that you keep for later or send to others.

$ tcpdump -w mytcpdumpoutput
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
13 packets captured
13 packets received by filter

Be aware that the output file is binary, not text: you cannot read it in an editor, and you need tcpdump itself to read it back (see Example 4).

Example 4 – Read Tcpdump Data from a Previously Created File

This example will take the file we created in Example 3 above, read its contents and spew them on the screen. Note that this does not need a live interface, so it works on a capture taken on another machine:

# tcpdump -r ./mytcpdumpoutput
reading from file ./mytcpdumpoutput, link-type EN10MB (Ethernet)
13:32:21.090113 IP uptime.ssh > 10.99.231.76.23019: Flags [P.], seq 1563600867:1563600995, ack 3258137436, win 116, options [nop,nop,TS val 827988396 ecr 2233353497], length 128
13:32:21.111492 IP 10.99.231.76.23019 > upime.ssh: Flags [.], ack 0, win 8189, options [nop,nop,TS val 2233353530 ecr 827988385], length 0
13:32:21.122560 IP 10.99.231.76.23019 > uptime.ssh: Flags [.], ack 128, win 8184, options [nop,nop,TS val 2233353541 ecr 827988396], length 0
...
13:32:24.593152 IP 10.99.231.76.23019 > uptime.ssh: Flags [P.], seq 1:49, ack 128, win 8192, options [nop,nop,TS val 2233357006 ecr 827988396], length 48


Example 5 – Use Tcpdump to Watch a Specific Port or Protocol

The example below will show me all of the DNS lookups (UDP port 53) that my machine is doing. Keep in mind that some of the PTR lookups in this output (for instance, for the resolver's own address, 8.8.8.8) are most likely tcpdump's own reverse lookups of the addresses it is displaying; Example 10 shows how to turn those off with -n.

$ tcpdump udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:54:41.068949 IP uptime.36195 > google-public-dns-a.google.com.domain: 22276+ PTR? 2.207.236.125.in-addr.arpa. (44)
13:54:41.069590 IP uptime.49122 > google-public-dns-a.google.com.domain: 52476+ PTR? 8.8.8.8.in-addr.arpa. (38)
13:54:41.095345 IP google-public-dns-a.google.com.domain > uptime.36195: 22276 1/0/0 PTR 125-236-207-2.adsl.xtra.co.nz. (87)
13:54:41.095591 IP uptime.53654 > google-public-dns-a.google.com.domain: 22454+ A? 125-236-207-2.adsl.xtra.co.nz. (47)
13:54:41.095621 IP uptime.53654 > google-public-dns-a.google.com.domain: 3451+ AAAA? 125-236-207-2.adsl.xtra.co.nz. (47)
13:54:41.095832 IP google-public-dns-a.google.com.domain > uptime.49122: 52476 1/0/0 PTR google-public-dns-a.google.com. (82)
13:54:41.119694 IP google-public-dns-a.google.com.domain > uptime.53654: 22454 1/0/0 A 125.236.207.2 (63)
13:54:41.119712 IP google-public-dns-a.google.com.domain > uptime.53654: 3451 0/1/0 (93)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
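A capture like the one above is only useful if you can pick out what was looked up and what came back. As an added example (not from the original article), this script summarises tcpdump's default one-line DNS output: it counts queries per type and name, flags responses that carry zero answer records, and lists queries that never got a response. The sample input is the eight lines from Example 5 plus one constructed query (id 4242, example.invalid) that is never answered.

```shell
#!/bin/sh
# Summarise DNS activity from tcpdump's default (non -v) output. The field
# positions are the same with -nn, so it works on either form. Prints:
#   <count> <TYPE> <name>          one line per distinct query
#   noanswer <id> <TYPE> <name>    responses carrying zero answer records (0/x/y)
#   unanswered <id> <TYPE> <name>  queries with no response anywhere in the input
dns_query_summary() {
    awk '
        # Query line: field 6 is the id (plus flag chars such as "+"),
        # field 7 is "TYPE?", field 8 is the name being looked up.
        $7 ~ /\?$/ {
            id = $6; sub(/[^0-9].*$/, "", id)
            qname[id] = substr($7, 1, length($7) - 1) " " $8
            count[qname[id]]++
            next
        }
        # Response line: field 6 is the id, field 7 is answers/authority/additional.
        $6 ~ /^[0-9]+/ && $7 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            id = $6; sub(/[^0-9].*$/, "", id)
            ans[id] = 1
            if ($7 ~ /^0\//) print "noanswer", id, ((id in qname) ? qname[id] : "?")
        }
        END {
            for (k in count) print count[k], k
            for (id in qname) if (!(id in ans)) print "unanswered", id, qname[id]
        }' | LC_ALL=C sort
}

# Constructed sample: the eight lines from Example 5 above plus one extra query
# (id 4242, for example.invalid) that never receives a response.
SAMPLE='13:54:41.068949 IP uptime.36195 > google-public-dns-a.google.com.domain: 22276+ PTR? 2.207.236.125.in-addr.arpa. (44)
13:54:41.069590 IP uptime.49122 > google-public-dns-a.google.com.domain: 52476+ PTR? 8.8.8.8.in-addr.arpa. (38)
13:54:41.095345 IP google-public-dns-a.google.com.domain > uptime.36195: 22276 1/0/0 PTR 125-236-207-2.adsl.xtra.co.nz. (87)
13:54:41.095591 IP uptime.53654 > google-public-dns-a.google.com.domain: 22454+ A? 125-236-207-2.adsl.xtra.co.nz. (47)
13:54:41.095621 IP uptime.53654 > google-public-dns-a.google.com.domain: 3451+ AAAA? 125-236-207-2.adsl.xtra.co.nz. (47)
13:54:41.095832 IP google-public-dns-a.google.com.domain > uptime.49122: 52476 1/0/0 PTR google-public-dns-a.google.com. (82)
13:54:41.119694 IP google-public-dns-a.google.com.domain > uptime.53654: 22454 1/0/0 A 125.236.207.2 (63)
13:54:41.119712 IP google-public-dns-a.google.com.domain > uptime.53654: 3451 0/1/0 (93)
13:54:42.000000 IP uptime.40001 > google-public-dns-a.google.com.domain: 4242+ A? example.invalid. (33)'

printf '%s\n' "$SAMPLE" | dns_query_summary
```

To run it on a live capture, pipe `tcpdump -l -nn udp port 53` into the function instead of the sample (-l line-buffers the output).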

Example 6 – Display More Information (Verbose)

Sometimes you want more information from tcpdump, so you would use the -v (verbose) flag, which adds the IP header details (TTL, id, flags, protocol, length) to each packet:

$ tcpdump -v udp port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:59:06.200497 IP (tos 0x0, ttl 64, id 38818, offset 0, flags [DF], proto UDP (17), length 72)
 uptime.51126 > google-public-dns-a.google.com.domain: 56099+ PTR? 2.207.236.125.in-addr.arpa. (44)
13:59:06.202583 IP (tos 0x0, ttl 64, id 38820, offset 0, flags [DF], proto UDP (17), length 66)
 uptime.51977 > google-public-dns-a.google.com.domain: 11445+ PTR? 8.8.8.8.in-addr.arpa. (38)
13:59:06.224594 IP (tos 0x0, ttl 49, id 10498, offset 0, flags [none], proto UDP (17), length 115)
 google-public-dns-a.google.com.domain > uptime.51126: 56099 1/0/0 2.207.236.125.in-addr.arpa. PTR 125-236-207-2.adsl.xtra.co.nz. (87)
13:59:06.224828 IP (tos 0x0, ttl 64, id 38842, offset 0, flags [DF], proto UDP (17), length 75)
 uptime.39941 > google-public-dns-a.google.com.domain: 6058+ A? 125-236-207-2.adsl.xtra.co.nz. (47)
13:59:06.224854 IP (tos 0x0, ttl 64, id 38843, offset 0, flags [DF], proto UDP (17), length 75)
 uptime.39941 > google-public-dns-a.google.com.domain: 9537+ AAAA? 125-236-207-2.adsl.xtra.co.nz. (47)
13:59:06.226778 IP (tos 0x0, ttl 49, id 47129, offset 0, flags [none], proto UDP (17), length 110)
 google-public-dns-a.google.com.domain > uptime.51977: 11445 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
13:59:06.248941 IP (tos 0x0, ttl 49, id 22995, offset 0, flags [none], proto UDP (17), length 121)
 google-public-dns-a.google.com.domain > uptime.39941: 9537 0/1/0 (93)
13:59:06.248974 IP (tos 0x0, ttl 49, id 55622, offset 0, flags [none], proto UDP (17), length 91)
 google-public-dns-a.google.com.domain > uptime.39941: 6058 1/0/0 125-236-207-2.adsl.xtra.co.nz. A 125.236.207.2 (63)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Example 7 – Or Display Even More Information (Verbose, Verbose)

The -vv flag gives more verbose information:

$ tcpdump -vv udp port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:03:02.433361 IP (tos 0x0, ttl 64, id 12907, offset 0, flags [DF], proto UDP (17), length 72)
 obelix.38467 > google-public-dns-a.google.com.domain: [udp sum ok] 13599+ PTR? 2.207.236.125.in-addr.arpa. (44)
14:03:02.433983 IP (tos 0x0, ttl 64, id 12907, offset 0, flags [DF], proto UDP (17), length 66)
 obelix.54731 > google-public-dns-a.google.com.domain: [udp sum ok] 56705+ PTR? 8.8.8.8.in-addr.arpa. (38)
14:03:02.457570 IP (tos 0x0, ttl 49, id 55622, offset 0, flags [none], proto UDP (17), length 115)
 google-public-dns-a.google.com.domain > obelix.38467: [udp sum ok] 13599 q: PTR? 2.207.236.125.in-addr.arpa. 1/0/0 2.207.236.125.in-addr.arpa. PTR 125-236-207-2.adsl.xtra.co.nz. (87)
...
14:03:02.794622 IP (tos 0x0, ttl 49, id 22996, offset 0, flags [none], proto UDP (17), length 91)
 google-public-dns-a.google.com.domain > obelix.46775: [udp sum ok] 48424 q: A? 125-236-207-2.adsl.xtra.co.nz. 1/0/0 125-236-207-2.adsl.xtra.co.nz. A 125.236.207.2 (63)
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel

 

Example 8 – Or Just Spew Out All of the Information Possible (Verbose, Verbose, Verbose)

Use the -vvv options to make tcpdump as absolutely verbose as possible.

$ tcpdump -vvv udp port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:06:09.214317 IP (tos 0x0, ttl 64, id 3080, offset 0, flags [DF], proto UDP (17), length 72)
 obelix.53688 > google-public-dns-a.google.com.domain: [udp sum ok] 26322+ PTR? 2.207.236.125.in-addr.arpa. (44)
14:06:09.214923 IP (tos 0x0, ttl 64, id 3080, offset 0, flags [DF], proto UDP (17), length 66)
 obelix.40779 > google-public-dns-a.google.com.domain: [udp sum ok] 3112+ PTR? 8.8.8.8.in-addr.arpa. (38)
...
14:06:09.888379 IP (tos 0x0, ttl 49, id 47129, offset 0, flags [none], proto UDP (17), length 121)
 google-public-dns-a.google.com.domain > obelix.42394: [udp sum ok] 40840 q: AAAA? 125-236-207-2.adsl.xtra.co.nz. 0/1/0 ns: adsl.xtra.co.nz. [57s] SOA alien.xtra.co.nz. soa.xtra.co.nz. 2005092600 10800 3600 360000 1800 (93)
^C
32 packets captured
32 packets received by filter
0 packets dropped by kernel

Example 9 – Watch Traffic Between Two Specific Machines or IP Addresses

Show the traffic between two specific machines by listing their IP addresses with the “host” keyword, joined by “and”:

$ tcpdump host 192.241.213.28 and host 205.204.33.32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:21:39.431700 IP 205.204.33.32.43153 > uptime.http: Flags [S], seq 1207189516, win 65535, options [mss 1260,nop,wscale 4,nop,nop,TS val 2236301733 ecr 0,sackOK,eol], length 0
14:21:39.431792 IP uptime.http > 205.204.33.32.43153: Flags [S.], seq 3006560670, ack 1207189517, win 14480, options [mss 1460,sackOK,TS val 830946737 ecr 2236301733,nop,wscale 8], length 0
...
14:21:43.441150 IP 205.204.33.32.39252 > uptime.http: Flags [.], ack 1489, win 8175, options [nop,nop,TS val 2236305653 ecr 830950707], length 0
^C
209 packets captured
209 packets received by filter
0 packets dropped by kernel

Example 10 – Tell Tcpdump to Skip DNS Lookup for Hosts and Ports

Sometimes tcpdump will hang while resolving addresses to names through DNS lookups, and those lookups are extra DNS traffic of their own. You can turn name resolution off with tcpdump using:

Use the -n tcpdump option to not resolve hostnames.

Use the -nn tcpdump option to not resolve hostnames or port numbers (so you see 80 instead of http).

# tcpdump -nn host 192.241.213.28 and host 205.204.33.32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:27:51.500011 IP 205.204.33.32.57698 > 192.241.213.28.80: Flags [F.], seq 4104591745, ack 232982717, win 8230, options [nop,nop,TS val 2236672790 ecr 831315158], length 0
14:27:51.500066 IP 192.241.213.28.80 > 205.204.33.32.57698: Flags [.], ack 1, win 67, options [nop,nop,TS val 831318806 ecr 2236672790], length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Extra Credit – Tcpdump Packets Larger Than a Certain Size

One more example, just because. Sometimes you may want to see only the larger packets your machine is dealing with. The greater 1024 primitive matches packets whose length is at least 1024 bytes (it is equivalent to the filter len >= 1024):

$ tcpdump -nn greater 1024
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:37:44.493474 IP 205.204.33.32.17442 > 192.241.213.28.80: Flags [.], seq 213926:215174, ack 766661479, win 8268, options [nop,nop,TS val 2237263268 ecr 831911762], length 1248
14:38:21.972012 IP 205.204.33.32.9754 > 192.241.213.28.80: Flags [.], seq 267276885:267278133, ack 721065966, win 8268, options [nop,nop,TS val 2237300532 ecr 831949241], length 1248
...
14:38:22.045252 IP 205.204.33.32.9754 > 192.241.213.28.80: Flags [.], seq 12531:13779, ack 1, win 8268, options [nop,nop,TS val 2237300602 ecr 831949314], length 1248
14:38:44.492727 IP 205.204.33.32.29751 > 192.241.213.28.80: Flags [.], seq 3210540997:3210542245, ack 1994278312, win 8268, options [nop,nop,TS val 2237322999 ecr 831971762], length 1248
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel

About the author: Jeff Staten has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com.

1 comment for “10 Tcpdump Examples to Help You Watch Your IP Traffic”

  1. Stepsei
    September 8, 2017 at 1:55 pm

    Jeff, thanks for such tips with explanation.
    I am researching some DNS activities, so I have a client and a DNS server for this test. One of my goals is to be able to capture read (DNS lookup) commands and nsupdate (write) commands between, say, the client or DNS node. I am not sure if tcpdump will give me such info because my little understanding and usage of tcpdump seem to be restricted to the packet level. Any advice or ideas?
