Introduction
A network packet interception and analysis tool. It allows users to filter traffic based on network layers, protocols, hosts, networks, or ports. Logical operators such as 'and', 'or', and 'not' can be used to refine the data and eliminate irrelevant information.
Tcpdump - a command-line packet analyzer for network traffic
Example
Running tcpdump without any parameters will start capturing packets on the first available network interface. If your system has multiple network cards, it's usually necessary to specify which one to use.
tcpdump
Listening on a specific network interface
tcpdump -i en0
Monitoring traffic involving a specific host
For example, to monitor all communication between your machine and the host with IP address 182.254.38.55, both incoming and outgoing packets:
tcpdump host 182.254.38.55
Filtering by source or destination address
To monitor packets from a specific source host:
tcpdump src host hostname
To monitor packets destined for a specific host:
tcpdump dst host hostname
If neither 'src' nor 'dst' is given, packets are captured whenever the given host is either the source or the destination:
tcpdump host hostname
Capturing traffic on a specific port
tcpdump port 3000
Filtering by transport protocol (TCP or UDP)
Different services run over either TCP or UDP as their transport protocol, so the capture can be limited to one of them; for example, TCP packets only:
tcpdump tcp
Combining source, port, and protocol
To capture TCP packets on port 22 that come from a specific IP address:
tcpdump tcp port 22 and src host 123.207.116.169
Monitoring communication between two hosts
tcpdump ip host 210.27.48.1 and 210.27.48.2
Monitoring all traffic of one host except its traffic with a second host
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
More detailed example
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and dst port ! 22 and src net 192.168.1.0/24
The dashed options come first and the filter expression follows them, which is the ordering every tcpdump build accepts (GNU getopt on Linux also tolerates options mixed into the expression, but BSD and macOS builds do not).
(1) tcp: Filter for TCP packets. Other protocol keywords such as 'ip', 'icmp', 'arp' and 'rarp' are used the same way, as the first primitive of the filter expression.
(2) -i eth1: Capture packets only on the eth1 interface.
(3) -t: Disable timestamp output.
(4) -s 0: Capture full packets instead of the default 68 bytes.
(5) -c 100: Capture only 100 packets before exiting.
(6) dst port ! 22: Exclude packets whose destination port is 22 (equivalent to 'not dst port 22').
(7) src net 192.168.1.0/24: Keep only packets whose source address is in the 192.168.1.0/24 network.
(8) -w ./target.cap: Save the captured packets to a .cap file for later analysis, for example with Wireshark.
Capturing HTTP traffic
TODO
Limiting the number of captured packets
To stop after capturing 1000 packets:
tcpdump -c 1000
Saving to local disk
By default, tcpdump buffers its output and writes to disk only when the buffer fills or when the program exits. The -U option forces each packet to be written immediately (not recommended because of the performance impact).
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
Practical scenario
Let’s look at a common deployment: a Node.js server running on port 3000, with Nginx acting as a reverse proxy on port 80, forwarding requests to 127.0.0.1:3000.
Browser → Nginx → Node.js Server
Problem: A user at 183.14.132.117 opens the site in a browser, but the request never gets a response. How do we troubleshoot?
Step 1: Check the Node.js server's logs to see whether the request reaches it.
Step 2: Verify that Nginx forwards the request to the Node.js server.
tcpdump port 8383
You may see no output even though the Node.js server receives the request, because Nginx forwards to 127.0.0.1, which lives on the loopback interface rather than on the default interface. Specify the loopback interface instead:
tcpdump -i lo port 8383
Note: Configure Nginx to pass the client's IP address in the request headers; otherwise the Node.js server does not see the correct source IP, and filters based on it become meaningless.
tcpdump -i lo port 8383 and src host 183.14.132.117
Step 3: Confirm the request reaches the server
tcpdump -n -i lo tcp port 8383 and src host 183.14.132.117
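The following Python script is an added example, not part of the original page and not tcpdump's own code. It ties together the two places above where a saved capture matters: it writes a small constructed .cap file in the layout that tcpdump -w produces (Ethernet link type, as on Linux eth1 and lo), reads it back, evaluates the filter from the detailed example (tcp and dst port ! 22 and src net 192.168.1.0/24) against the decoded frames, and then applies the loopback filter from Step 3. The five frames, the client address 183.14.132.117 and the X-Forwarded-For header are constructed sample data. The loopback part shows what an IP-header filter can and cannot see there: the IP source of the proxied request on lo is 127.0.0.1, so the client address that Nginx adds only exists inside the HTTP headers, which is why the note above insists on configuring it and why the payload has to be inspected (tcpdump -A, or a parser like this one) rather than matched with src host.

```python
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1            # link type tcpdump -w records for eth*/lo on Linux


def build_packet(src_ip, dst_ip, sport, dport, payload=b"", proto=6):
    """Construct an Ethernet/IPv4 frame carrying TCP (proto=6) or UDP (proto=17).
    Constructed sample data: zero MAC addresses (as seen on lo), checksums left at 0."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4 + payload


def write_pcap(path, packets, ts=1_700_000_000):
    """Write frames in the classic pcap layout tcpdump -w produces:
    a 24-byte global header, then a 16-byte record header before each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt)


def parse_frame(frame):
    """Decode Ethernet/IPv4 and the TCP or UDP ports into a dict of filterable fields."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"proto": None}
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"proto": frame[23], "src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34])), "sport": None, "dport": None,
           "payload": b""}
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4 if pkt["proto"] == 6 else 8
        pkt["payload"] = l4[hlen:]
    return pkt


def read_pcap(path):
    """Read a pcap file back (either byte order) and return the decoded frames."""
    with open(path, "rb") as f:
        data = f.read()
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes classic pcap files with Ethernet link type")
    off, frames = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append(parse_frame(data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames


# Predicates mirroring the pcap-filter primitives used on this page.
def tcp(p): return p.get("proto") == 6
def port(n): return lambda p: n in (p.get("sport"), p.get("dport"))
def dst_port(n): return lambda p: p.get("dport") == n
def src_host(a): return lambda p: p.get("src") == a
def src_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: p.get("src") is not None and ipaddress.IPv4Address(p["src"]) in net
def NOT(f): return lambda p: not f(p)
def AND(*fs): return lambda p: all(f(p) for f in fs)


def x_forwarded_for(p):
    """Pull the client address Nginx puts in X-Forwarded-For out of the HTTP payload."""
    for line in p.get("payload", b"").split(b"\r\n"):
        if line.lower().startswith(b"x-forwarded-for:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


def demo(path=os.path.join(tempfile.gettempdir(), "target_example.cap")):
    """Write a constructed capture, read it back and apply the page's two filters."""
    req = b"GET / HTTP/1.1\r\nHost: app\r\nX-Forwarded-For: 183.14.132.117\r\n\r\n"
    frames = [
        build_packet("192.168.1.10", "10.0.0.5", 40001, 22),             # excluded: dst port 22
        build_packet("192.168.1.10", "10.0.0.5", 40002, 80),             # the one that matches
        build_packet("10.0.0.9", "10.0.0.5", 40003, 80),                 # wrong source network
        build_packet("192.168.1.20", "10.0.0.5", 5353, 5353, proto=17),  # UDP, dropped by 'tcp'
        build_packet("127.0.0.1", "127.0.0.1", 51000, 8383, req),        # Nginx -> Node.js on lo
    ]
    write_pcap(path, frames)
    parsed = read_pcap(path)
    # tcp and dst port ! 22 and src net 192.168.1.0/24 (the detailed example above)
    detailed = AND(tcp, NOT(dst_port(22)), src_net("192.168.1.0/24"))
    # port 8383 on lo: the IP source there is 127.0.0.1, so a 'src host' test on the
    # real client never matches; the client address is only inside the HTTP headers
    on_lo = [p for p in parsed if port(8383)(p)]
    return {
        "detailed_matches": [p["sport"] for p in parsed if detailed(p)],
        "lo_ip_sources": [p["src"] for p in on_lo],
        "lo_by_src_host": sum(1 for p in on_lo if src_host("183.14.132.117")(p)),
        "lo_by_header": [x_forwarded_for(p) for p in on_lo],
    }


if __name__ == "__main__":
    print(demo())
```

Run it with python3; it prints which source port survived the detailed-example filter (40002 only), the IP sources seen on lo (127.0.0.1), zero matches for the src host filter there, and the client address recovered from the header. The same read_pcap and predicate functions work on any file a Linux tcpdump -w wrote with an Ethernet link type; capture with -s 0 (or a modern default snaplen) so the HTTP payload is complete and the header is recoverable.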