Linux based tcpdump capture

Introduction

tcpdump is a command-line packet capture and analysis tool. A filter expression (pcap-filter syntax, the same one Wireshark uses for capture filters) selects packets by layer, protocol, host, network or port, and the logical operators 'and', 'or' and 'not' combine those primitives so that irrelevant traffic is discarded in the kernel before it ever reaches the tool.

Tcpdump - a command-line packet analyzer for network traffic

Example Usage

By default, tcpdump listens on the lowest-numbered configured interface that is up, excluding loopback (typically eth0). On a system with several NICs you usually have to name the right one; tcpdump -D lists the interfaces it can open. Capturing requires root or the CAP_NET_RAW capability.

Command: tcpdump

To listen on a specific network interface:

Command: tcpdump -i en0

(en0 is the macOS naming convention; on Linux the interface is usually eth0, ens33, or similar.)

To monitor traffic involving a specific host (both incoming and outgoing):

Command: tcpdump host 182.254.38.55

Add -n to print addresses numerically. Without it, tcpdump performs a reverse DNS lookup for every address it prints, which is slow and tells your resolver which hosts you are investigating.

To capture packets from a specific source or destination:

Source: tcpdump src host hostname

Destination: tcpdump dst host hostname

If neither 'src' nor 'dst' is specified, it will capture all traffic involving the given host.

To monitor traffic on a specific port:

Command: tcpdump port 3000

To capture only TCP or UDP packets:

For TCP: tcpdump tcp

For UDP: tcpdump udp

To capture TCP packets from a specific source IP on a particular port:

Command: tcpdump tcp port 22 and src host 123.207.116.169

To capture communication between two hosts:

Command: tcpdump ip host 210.27.48.1 and 210.27.48.2

To capture traffic involving one host while excluding everything exchanged with a second host (the '!' is shorthand for 'not'):

Command: tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Detailed Example:

Command: tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'

Explanation:

(1) Options (-i, -t, -s, -c, -w) come first and the filter expression last, quoted so the shell does not interpret '!' or parentheses. Mixing options into the middle of the expression works on Linux only because GNU getopt reorders arguments; tcpdump on BSD or macOS would treat "-i eth1" as part of the filter and fail to parse it.

(2) tcp: Filters for TCP packets.

(3) -i eth1: Captures packets only on the eth1 interface.

(4) -t: Omits timestamps from the printed output. It has no effect on the file written with -w, which always records a timestamp per packet.

(5) -s 0: Captures whole packets. Old tcpdump releases defaulted to a 68-byte snapshot length, which truncated most payloads; since tcpdump 4.0 the default is 262144 bytes, so -s 0 is rarely needed but harmless.

(6) -c 100: Stops after capturing 100 packets.

(7) dst port ! 22: Excludes packets whose destination port is 22 (equivalent to 'not dst port 22').

(8) src net 192.168.1.0/24: Keeps only packets whose source address is in that network.

(9) -w ./target.cap: Writes the raw packets in pcap format instead of decoding them; read the file later with tcpdump -r ./target.cap or open it in Wireshark.

Capturing HTTP Packets

To capture plain HTTP traffic, filter on the web server's port: tcpdump port 80. Add -A to print each packet's payload as ASCII so the request line and headers are visible. HTTPS on port 443 is encrypted; tcpdump shows the TLS handshake and opaque record data, not the HTTP inside.

Limiting the Number of Packets

To stop after capturing a certain number of packets:

Command: tcpdump -c 1000

Saving Captured Packets Locally

tcpdump's output is block-buffered, so a file written with -w can look empty until the buffer fills or tcpdump exits. To save the raw packets to disk:

Command: tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Note: -n and -vvv only change how packets are decoded for display; with -w in effect, -v merely reports the number of packets captured on stderr once per second. -U (--packet-buffered) flushes each packet to the file as it is captured, which is useful when another tool is reading the file concurrently, but it adds a write per packet and costs throughput on busy links.

Practical Use Case

Consider a scenario where a Node.js server runs on port 3000, and an Nginx reverse proxy listens on port 80, forwarding requests to the Node.js server at 127.0.0.1:3000.

Browser → Nginx → Node.js Server

Problem: A user at IP 183.14.132.117 sends a request from a browser but never receives a response. How to troubleshoot?

Step 1: Check if the request reaches the Node.js server via logs.

Step 2: Verify that Nginx forwards the request to the Node.js server on port 3000.

Command: tcpdump -n tcp port 3000

If no output is seen even though the Node.js log shows the request arriving, it is because Nginx connects to 127.0.0.1:3000 over the loopback interface, which tcpdump's default interface selection skips. Specify the loopback interface explicitly:

Command: tcpdump -n -i lo tcp port 3000

Note: on lo, every proxied packet carries 127.0.0.1 as both source and destination, so a filter such as "src host 183.14.132.117" on lo matches nothing, whatever Nginx does. The client's address survives only inside the HTTP request, and only if Nginx is configured to add it (for example proxy_set_header X-Real-IP $remote_addr; or proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;). Print payloads with -A and look for that header:

Command: tcpdump -n -i lo -A tcp port 3000

Step 3: Confirm that the client's request reaches the server at all. On the external interface the IP source is still the client, so the host filter works there:

Command: tcpdump -n -i eth0 tcp port 80 and host 183.14.132.117

(eth0 stands for whichever interface carries the public traffic; tcpdump -D lists them.)
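The following is an added example, not part of the original page or of the tcpdump project. It serves two passages above: the "-w" sections, by reading a classic pcap file exactly as tcpdump writes it, and the Nginx/Node.js use case, by applying the page's filter primitives ("tcp port N", "src host X", "host X") with pcap-filter semantics to frames captured on lo. The three frames, the port 3000, the client address 183.14.132.117 and the X-Forwarded-For header are all constructed here so the script runs offline; the Ethernet-only decoding and the 262144-byte snaplen in the file header are assumptions matching what tcpdump records on eth* and on Linux lo.

```python
"""Offline reader for a 'tcpdump -w' capture with the page's filter semantics.
Constructed sample frames stand in for a live capture on the loopback interface."""
import os
import socket
import struct
import tempfile

LINKTYPE_ETHERNET = 1          # assumption: what tcpdump records on eth* and Linux "lo"
PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (the reader ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path, frames):
    """Write a little-endian classic pcap: 24-byte global header, then 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
        for ts, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield raw frames from a file written by 'tcpdump -w', in either byte order."""
    with open(path, "rb") as f:
        data = f.read()
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet-framed captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]      # incl_len <= snaplen: payload may be truncated
        off += incl_len


def parse_tcp(frame):
    """Return the fields the page's filters use, or None if the frame is not IPv4/TCP
    (the 'tcp' primitive drops such frames the same way)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                      # Ethernet header + IHL
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp + data_off:]}


def matches(pkt, host=None, src_host=None, port=None, dst_port=None):
    """pcap-filter semantics: 'host X' is src or dst, 'port N' is sport or dport,
    and every condition supplied is ANDed, as when joined with 'and'."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if src_host is not None and pkt["src"] != src_host:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    if dst_port is not None and pkt["dport"] != dst_port:
        return False
    return True


def loopback_demo():
    """Reproduce the Nginx -> Node.js scenario as 'tcpdump -i lo -w lo.cap' would see it."""
    client = "183.14.132.117"                              # the page's client address
    frames = [                                             # constructed sample traffic
        build_frame("127.0.0.1", "127.0.0.1", 51234, 3000,
                    b"GET / HTTP/1.0\r\nX-Forwarded-For: " + client.encode() + b"\r\n\r\n"),
        build_frame("127.0.0.1", "127.0.0.1", 3000, 51234, b"HTTP/1.0 200 OK\r\n\r\n"),
        build_frame("127.0.0.1", "127.0.0.1", 40000, 22),  # unrelated local ssh traffic
    ]
    path = os.path.join(tempfile.mkdtemp(), "lo.cap")
    write_pcap(path, frames)
    pkts = [p for p in (parse_tcp(f) for f in read_pcap(path)) if p]
    on_port = [p for p in pkts if matches(p, port=3000)]               # tcp port 3000
    by_src = [p for p in pkts if matches(p, port=3000, src_host=client)]  # ... and src host client
    xff = [p for p in on_port if b"X-Forwarded-For: " + client.encode() in p["payload"]]
    return {"total": len(pkts), "port_3000": len(on_port),
            "src_host_client": len(by_src), "xff_client": len(xff)}


if __name__ == "__main__":
    print(loopback_demo())
```

The result makes the pitfall from Step 2 concrete: two of the three loopback packets match "tcp port 3000", none match "src host 183.14.132.117" because the proxied hop is 127.0.0.1 on both ends, and the client address is recoverable only from the X-Forwarded-For header in the one request payload, which is what -A lets you read on a live capture.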
