Observe network traffic with linux
23.04.26
On a Linux server, you have several powerful tools to observe network traffic. The best choice depends on your needs: whether you want to see real-time traffic, capture it for later analysis, filter it, or focus on specific protocols or hosts. Here are the most common and effective methods:

### 1. `tcpdump` (Command-line packet capture)

`tcpdump` is a ubiquitous command-line packet analyzer. It's ideal for capturing raw network packets, filtering them, and saving them to a file for later analysis with tools like Wireshark. Capturing needs root (or the `CAP_NET_RAW` capability), hence the `sudo` in the commands below.

**Installation:**

```bash
sudo apt update            # For Debian/Ubuntu
sudo apt install tcpdump
# Or for RHEL/CentOS/Fedora
sudo yum install tcpdump   # Or: sudo dnf install tcpdump
```

**Basic Usage:**

* **Capture all traffic on a specific interface (e.g., `eth0`):**

  ```bash
  sudo tcpdump -i eth0
  ```

  * `-i eth0`: Specifies the network interface to listen on. Use `any` to listen on all interfaces: `sudo tcpdump -i any`.

* **Capture traffic to/from a specific host:**

  ```bash
  sudo tcpdump -i any host 192.168.1.100
  ```

* **Capture traffic to/from a specific port:**

  ```bash
  sudo tcpdump -i any port 22
  ```

* **Capture TCP traffic to/from a specific host and port:**

  ```bash
  sudo tcpdump -i any tcp and host 192.168.1.100 and port 1433
  ```

* **Save captured traffic to a file (`.pcap` format):**

  ```bash
  sudo tcpdump -i any -w capture.pcap
  ```

  You can then open `capture.pcap` in Wireshark on another machine.

* **Increase verbosity (show more details):**

  ```bash
  sudo tcpdump -vvv -i any host 192.168.1.100
  ```

**Key `tcpdump` options:**

* `-n`: Don't resolve hostnames (faster, shows IPs).
* `-nn`: Don't resolve hostnames or port numbers (shows IPs and port numbers).
* `-X`: Show packet content in both hex and ASCII.
* `-A`: Show packet content in ASCII.
* `-S`: Print TCP sequence numbers in large, absolute values.
* `-c count`: Capture only `count` packets, then exit.

### 2. Wireshark (GUI Packet Analyzer)

Wireshark is the de facto standard for graphical network protocol analysis. While `tcpdump` is excellent for capturing on servers (especially headless ones), Wireshark is unparalleled for detailed, interactive analysis.

**Installation:**

* **On your Linux desktop:**

  ```bash
  sudo apt update && sudo apt install wireshark   # Debian/Ubuntu
  sudo dnf install wireshark                      # Fedora
  ```

  During installation on Debian/Ubuntu, you might be asked if non-superusers should be able to capture packets. It's often recommended to say 'yes' and add your user to the `wireshark` group:

  ```bash
  sudo usermod -aG wireshark $USER
  # You might need to log out and back in for the group change to take effect.
  ```

* **On a remote server:** You can install `tcpdump` on the server, capture traffic to a `.pcap` file, and then transfer that file to your local machine to open in Wireshark.

**Usage:**

1. Launch Wireshark.
2. Select the network interface you want to capture from.
3. Apply display filters to narrow down the traffic you see (e.g., `ip.addr == 192.168.1.100`, `tcp.port == 1433`, `http`, `ssl`).
4. You can also apply capture filters *before* starting the capture (these use the same BPF syntax as `tcpdump`'s filter expressions).

### 3. `netstat` / `ss` (Network Statistics and Connections)

These tools don't capture packet content but show you active network connections, listening ports, routing tables, and interface statistics. They are excellent for seeing *what* is happening on the network at a connection level.

**`ss` (Socket Statistics) - modern and preferred:**

* **Show listening TCP and UDP sockets, with the owning process:**

  ```bash
  ss -tulnp
  ```

  * `-t`: TCP sockets.
  * `-u`: UDP sockets.
  * `-l`: Listening sockets (drop `-l`, e.g. `ss -tnp`, to list established connections instead).
  * `-n`: Don't resolve service names (show port numbers).
  * `-p`: Show the process using the socket (needs root to see other users' processes).
* **Show connections for a specific port:**

  ```bash
  ss -tulnp | grep :1433
  ```

**`netstat` (Network Statistics) - older, but still common:**

* **Show listening TCP and UDP sockets:**

  ```bash
  sudo netstat -tulnp
  ```

  (Options are similar to `ss`.)

**Use cases:**

* Is your MSSQL server listening on port 1433?
* What other services are running and listening on ports?
* Are there any unexpected outbound connections?

### 4. `nmap` (Network Scanner)

While primarily a port scanner, `nmap` can also be used for network discovery and some traffic analysis. You can scan a host to see open ports and services, which indirectly tells you about network traffic potential.

* **Scan a host for open TCP ports:**

  ```bash
  nmap -p- your_target_host
  ```

  * `-p-`: Scans all 65535 TCP ports.

* **Scan for specific services and versions:**

  ```bash
  nmap -sV your_target_host
  ```

### Which Tool to Use?

* **For real-time, interactive packet analysis:** Wireshark (on your desktop, or by transferring `.pcap` files from `tcpdump`).
* **For capturing raw packets on a server (especially headless):** `tcpdump`. This is indispensable for debugging complex network issues.
* **To see active connections and listening ports:** `ss` (or `netstat`).
* **To discover open ports and services on a network:** `nmap`.

For your goal of observing *any kind* of network traffic, `tcpdump` (for capturing) and Wireshark (for analysis) are your most comprehensive tools. Start with `tcpdump` to capture the traffic and then analyze the `.pcap` file.
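The `ss -tulnp` use cases above (is MSSQL listening on 1433, is anything unexpected listening?) turned into a small POSIX shell script. This is an added example, not part of the original post: the `ss` output it parses is a constructed sample, and the process names, pids and allowlist are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ss -tulnp` output (not a real capture). Row columns:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='Netid State  Recv-Q Send-Q  Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128              [::]:1433         [::]:* users:(("sqlservr",pid=1201,fd=140))
udp   UNCONN 0      0       127.0.0.53%lo:53        0.0.0.0:* users:(("systemd-resolve",pid=555,fd=12))
tcp   LISTEN 0      1                 *:8080            *:* users:(("nc",pid=4242,fd=3))'

# listening_sockets: read `ss -tulnp` output on stdin and print
# "proto port process" for every listening (TCP LISTEN / UDP UNCONN) socket.
# The port is whatever follows the last ':' of the local address, which also
# handles IPv6 ([::]:1433) and scoped addresses (127.0.0.53%lo:53).
# Without -p or root the Process column is empty, so the process prints as "-".
listening_sockets() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        n = split($5, a, ":"); port = a[n]
        proc = "-"
        if (match($7, /"[^"]*"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        print $1, port, proc
    }'
}

# is_listening PORT [PROCESS]: succeed (exit 0) if something, optionally the
# named process, is bound to PORT. Reads `ss` output on stdin.
is_listening() {
    listening_sockets | awk -v port="$1" -v proc="$2" '
        $2 == port && (proc == "" || $3 == proc) { found = 1 }
        END { exit !found }'
}

# unexpected_listeners "PORT PORT ...": print listening sockets whose port is
# not in the space-separated allowlist, i.e. a baseline review of the server.
unexpected_listeners() {
    listening_sockets | awk -v allow=" $1 " 'index(allow, " " $2 " ") == 0'
}

# Stand-alone run: review the constructed sample against an assumed allowlist
# (SSH, the local resolver, MSSQL). On a real server pipe `ss -tulnp` instead.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 53 1433"
```

The stand-alone run reports only the `nc` listener on 8080, since 22, 53 and 1433 are on the allowlist.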
https://www.tcpdump.org/