The tcpdump utility is a command-line network packet analyser. It is an essential tool for diagnosing networking problems from the server side. Capturing needs root privileges (or CAP_NET_RAW), hence the root prompts in the examples below.
The basic format of the tcpdump command is:
~ # tcpdump [ options ] [ filter ]
~ # tcpdump -A -i eth0 -vv 'port 80'
~ # tcpdump -i eth0 -vv -x -X -s 1500 'port 80'
Capturing Packets
Here are various ways to capture packets with tcpdump, writing the decoded output to the terminal.
All Interfaces
Use the special value any as the interface. Note that on Linux the any pseudo-interface captures in cooked mode, so the Ethernet headers are replaced by a pseudo-header in the output.
~ # tcpdump -i any
By Host and/or Port
~ # tcpdump -i eth0 'port 80'
~ # tcpdump -i eth0 'host edoceo-demo.com and port 80'
~ # tcpdump -i eth1 'port 5060'
By Protocol
Protocol names (tcp, udp, icmp, arp, ip6) are filter primitives in their own right and can be combined with host and port qualifiers. A bare 'port 80' matches both TCP and UDP; qualify it with the protocol to narrow the capture.
~ # tcpdump -i eth0 'tcp'
~ # tcpdump -i eth0 'udp'
~ # tcpdump -i eth0 'icmp'
~ # tcpdump -i eth0 'tcp port 80'
~ # tcpdump -i eth1 'udp port 5060'
Displaying Output
tcpdump supports several output formats; the options that select them go before the filter expression.
ASCII Output
~ # tcpdump -A -i eth0
~ # tcpdump -A -i eth0 'port 80'
More Packet Data
The -s option sets the snapshot length, the number of bytes captured from each packet. Give a specific length, or 0 to capture whole packets (tcpdump 4.0 and later already default to 262144 bytes, so -s 0 mainly matters on older versions). When you print payloads with -A you want the full packet, otherwise the output is truncated.
~ # tcpdump -s 256 -i eth0
~ # tcpdump -s 0 -i eth0
~ # tcpdump -A -s 0 -i eth0 'port 80'
Numeric Hosts/Ports
-n prints addresses numerically instead of resolving host names, which also avoids the DNS lookups that slow down and add noise to a live capture; -nn additionally leaves port and protocol numbers unresolved.
~ # tcpdump -n -i eth0
~ # tcpdump -nn -i eth0
~ # tcpdump -A -nn -i eth0 'port 80'
Shorter Host Names
-N prints host names without their domain qualification (www rather than www.example.com); it has no effect on ports.
~ # tcpdump -N -i eth0
~ # tcpdump -A -N -i eth0 'port 80'
Quieter
Using -q suppresses some protocol information and shortens each line; -t suppresses the timestamps.
~ # tcpdump -q -i eth0
~ # tcpdump -t -i eth0
~ # tcpdump -A -n -q -i eth0 'port 80'
~ # tcpdump -A -n -q -t -i eth0 'port 80'
Very Verbose
~ # tcpdump -v -i eth0
~ # tcpdump -vv -i eth0
~ # tcpdump -A -n -vv -i eth0 'port 80'
Advanced Filtering
Print only the HTTP packets that actually carry data, dropping the bare handshake and acknowledgement packets. The expression takes the IPv4 total length (ip[2:2]), subtracts the IPv4 header length ((ip[0]&0xf)<<2, the IHL in 32-bit words times four) and the TCP header length ((tcp[12]&0xf0)>>2, the data offset in words times four), and keeps the packet when the remainder is non-zero. Note the single-byte tcp[12]: a two-byte read tcp[12:2] would put the 0xf0 mask on the upper nibble of byte 13, the TCP flags, instead of on the data offset. The expression assumes IPv4 without VLAN tags.
~ # tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
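The same arithmetic worked through in shell on hand-constructed IPv4+TCP headers, as an added example that is not part of the original cheat sheet. The three packets (a pure ACK, a GET carrying 16 bytes of payload, and a SYN with 20 bytes of TCP options) are made up for illustration; offsets follow the BPF filter syntax, where ip[N] is relative to the IPv4 header and tcp[N] to the TCP header. A second function evaluates the two-byte variant tcp[12:2]&0xf0 so you can see it pick up the flags byte and report payload on packets that have none.

```shell
#!/bin/sh
# Added example: evaluate the "only packets with TCP payload" filter arithmetic
# on constructed IPv4+TCP headers, without tcpdump. Packet bytes are made up.

# byte_at "<space-separated hex bytes>" OFFSET -> decimal value of that byte
byte_at() {
  off=$2
  set -- $1          # one positional parameter per byte
  shift "$off"
  echo $(( 0x$1 ))
}

# Corrected filter: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
tcp_payload_len() {
  pkt=$1
  ip_total=$(( $(byte_at "$pkt" 2) * 256 + $(byte_at "$pkt" 3) ))  # ip[2:2], total length
  ihl_bytes=$(( ( $(byte_at "$pkt" 0) & 0xf ) << 2 ))               # IHL in words -> bytes
  doff_bytes=$(( ( $(byte_at "$pkt" $(( ihl_bytes + 12 ))) & 0xf0 ) >> 2 ))  # tcp[12] high nibble -> bytes
  echo $(( ip_total - ihl_bytes - doff_bytes ))
}

# The two-byte variant tcp[12:2]&0xf0: the mask lands on the upper nibble of
# TCP byte 13 (the flags), so the "header length" it subtracts is wrong.
tcp_payload_len_twobyte() {
  pkt=$1
  ip_total=$(( $(byte_at "$pkt" 2) * 256 + $(byte_at "$pkt" 3) ))
  ihl_bytes=$(( ( $(byte_at "$pkt" 0) & 0xf ) << 2 ))
  tcp12_2=$(( $(byte_at "$pkt" $(( ihl_bytes + 12 ))) * 256 + $(byte_at "$pkt" $(( ihl_bytes + 13 ))) ))
  flags_nibble=$(( ( tcp12_2 & 0xf0 ) >> 2 ))
  echo $(( ip_total - ihl_bytes - flags_nibble ))
}

# Constructed packets: 20-byte IPv4 header (IHL 5) followed by the TCP segment.
# Pure ACK: total length 40, data offset 5 (0x50), flags ACK (0x10), no payload.
PURE_ACK="45 00 00 28 00 01 00 00 40 06 00 00 c0 a8 00 01 c0 a8 00 02 00 50 c3 50 00 00 00 01 00 00 00 01 50 10 ff ff 00 00 00 00"
# GET: total length 56, data offset 5, flags PSH+ACK (0x18), 16 bytes "GET / HTTP/1.1\r\n".
HTTP_GET="45 00 00 38 00 02 00 00 40 06 00 00 c0 a8 00 01 c0 a8 00 02 c3 50 00 50 00 00 00 01 00 00 00 01 50 18 ff ff 00 00 00 00 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a"
# SYN with options: total length 60, data offset 10 (0xa0), flags SYN (0x02), 20 bytes of options.
SYN_OPTS="45 00 00 3c 00 03 00 00 40 06 00 00 c0 a8 00 01 c0 a8 00 02 c3 50 00 50 00 00 00 00 00 00 00 00 a0 02 ff ff 00 00 00 00 02 04 05 b4 04 02 08 0a 00 00 00 01 00 00 00 00 01 03 03 07"

show() {
  printf '%-9s payload=%-3s two-byte-variant=%s\n' "$1" \
    "$(tcp_payload_len "$2")" "$(tcp_payload_len_twobyte "$2")"
}

show PURE_ACK "$PURE_ACK"   # payload=0  (filter correctly drops it)
show HTTP_GET "$HTTP_GET"   # payload=16 (filter keeps it)
show SYN_OPTS "$SYN_OPTS"   # payload=0  (two-byte variant wrongly reports 40)
```

Only the corrected expression returns zero for both payload-less packets; the two-byte variant reports 16 bytes for the pure ACK and 40 for the SYN, which is exactly the handshake noise the filter is meant to remove.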
Dump SIP Traffic
This is useful for debugging Asterisk or FreeSWITCH: SIP is a text protocol, so -A shows the full messages, -n keeps DNS lookups out of the way, and -s 0 makes sure long INVITEs are not truncated. Replace 1.2.3.4 with the peer you are troubleshooting.
~ # tcpdump -nq -s 0 -A -vvv 'port 5060 and host 1.2.3.4'