Since tcpdump is installed by default, it's the first thing to use
```shell
# Only listen on one interface (or "any" for all of them)
tcpdump -i <interface/any>

# Filter to a host
tcpdump 'host <ip address/fqdn>'

# Filter to a port
tcpdump 'tcp port 5000'

# Combine filters (parentheses group the "or" before the "and")
tcpdump '(tcp port 5000 or tcp port 35357) and host 192.168.0.100'

# Print packet contents in ASCII (basically always want this)
tcpdump -A
```
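To avoid getting the parentheses wrong when combining several ports with a host, here is a small helper (added here, not part of the original notes) that assembles the filter expression shown above; `-n` is added to skip reverse DNS lookups, and the interface name `eno1` in the usage line is just an assumption.

```shell
#!/bin/sh
# bpf_filter HOST [PORT ...]
# Prints a tcpdump/BPF filter that matches TCP traffic to any of the
# given ports, restricted to HOST. With more than one port the "or"
# group is parenthesised so the trailing "and host" applies to all of them.
bpf_filter() {
    host="$1"; shift
    ports=""
    for p in "$@"; do
        if [ -z "$ports" ]; then
            ports="tcp port $p"
        else
            ports="$ports or tcp port $p"
        fi
    done
    if [ -z "$ports" ]; then
        printf 'host %s\n' "$host"
    elif [ "$#" -eq 1 ]; then
        printf '%s and host %s\n' "$ports" "$host"
    else
        printf '(%s) and host %s\n' "$ports" "$host"
    fi
}

# tcpdump_cmd IFACE HOST [PORT ...]
# Prints the full command line using the flags from the notes above
# (-A for ASCII output) plus -n so tcpdump does not resolve names.
tcpdump_cmd() {
    iface="$1"; shift
    printf "tcpdump -n -A -i %s '%s'\n" "$iface" "$(bpf_filter "$@")"
}

# Example (interface name assumed): prints the command, does not run it.
tcpdump_cmd eno1 192.168.0.100 5000 35357
```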
Another option is wireshark's command line, tshark:
apt-get install tshark
Note that tshark is really slow to get started compared to tcpdump; you need to wait a good while until it says something like "Capturing on 'eno1'".
```shell
# Show interfaces
tshark -D

# Show everything from a given source on a given interface
# (-Y is a display filter applied after capture; use -f for a BPF capture filter)
tshark -i eno1 -Y "ip.src == 10.1.0.76"

# Show HTTP to and from a given host
tshark -i eno1 -Y "ip.addr == 10.1.0.76 and http"
```