Watching Traffic with tcpdump
This famous command-line packet capture tool is invaluable for troubleshooting thorny network problems.
Virtually
all modern
variations of Unix ship with the tcpdump
utility. Its deceptively simple interface hides a very powerful and
complex tool designed to capture data from a network interface,
filter it, and print it out so you can get a better grasp of what is
really happening on your network. Note that you need to be root to
capture packets with tcpdump.
The simplest way to start it is to run it while specifying the network device you would like to listen to:
remote:~# tcpdump -i eth0
If you are logged into a remote machine while doing this, you will see a flood of traffic fly by, even on an unloaded machine. This is because tcpdump is capturing your ssh session traffic and displaying it to your terminal, which generates more traffic, which is again displayed, in an endless loop of wasted bits. This is easily avoided by using a simple filter. For example, you could just ignore all ssh traffic:
remote:~# tcpdump -i eth0 -n 'port ! 22'
Here I also specified the -n
switch, which tells tcpdump to skip DNS lookups for every host it encounters. When capturing network data, the name of the game is speed. If your machine is tied up with some other network function (like looking up DNS names), it could miss packets as they fly past, particularly on a busy network. Skipping lookups speeds up capturing, but it means that you will be looking at IP addresses and ...
Get Wireless Hacks now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.