Packet Tracing Reference
Posted by Kyle Pericak in systems administration
Regular TCPDUMP
Since tcpdump is installed by default on most systems, it's the first tool to reach for.
# Only listen on one interface (or "any" for all of them)
tcpdump -i <interface/any>
# Filter to a host
tcpdump 'host <ip address/fqdn>'
# Filter to a port
tcpdump 'tcp port 5000'
# Combine filters
tcpdump '(tcp port 5000 or tcp port 35357) and host 192.168.0.100'
# Print packet payloads in ASCII (basically always want this)
tcpdump -A
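Building the combined filter above by hand is fine interactively, but a script that captures on behalf of someone else (a troubleshooting helper, an IR playbook) should validate the host and port values before splicing them into the BPF expression, and pass the result as an argv list rather than through a shell. The following is an added example, not part of the original post; the function names (`bpf_filter`, `tcpdump_argv`) and the `-nn` flag to suppress DNS lookups during capture are my additions.

```python
import ipaddress
import re
import shlex

# Plain hostnames only: letters, digits, dots and hyphens, labels up to 63 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

def _check_host(host):
    """Accept an IP address or a plain hostname; reject anything that could
    smuggle extra BPF primitives (spaces, quotes, parentheses) into the filter."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")

def _check_port(port):
    port = int(port)  # rejects non-numeric input with ValueError
    if not 0 < port <= 65535:
        raise ValueError(f"invalid port: {port}")
    return port

def bpf_filter(hosts=(), tcp_ports=()):
    """Build the expression used in the post: (tcp port A or tcp port B) and host X."""
    clauses = []
    if tcp_ports:
        ports = " or ".join(f"tcp port {_check_port(p)}" for p in tcp_ports)
        clauses.append(f"({ports})" if len(tcp_ports) > 1 else ports)
    if hosts:
        hs = " or ".join(f"host {_check_host(h)}" for h in hosts)
        clauses.append(f"({hs})" if len(hosts) > 1 else hs)
    return " and ".join(clauses)

def tcpdump_argv(interface="any", hosts=(), tcp_ports=(), ascii_dump=True, write_to=None):
    """argv list for subprocess.run(): no shell involved, -nn so capture does no DNS lookups."""
    argv = ["tcpdump", "-nn", "-i", interface]
    if ascii_dump and not write_to:  # -A is meaningless when writing a pcap with -w
        argv.append("-A")
    if write_to:
        argv += ["-w", write_to]
    expr = bpf_filter(hosts, tcp_ports)
    if expr:
        argv.append(expr)
    return argv

if __name__ == "__main__":
    print(shlex.join(tcpdump_argv("eno1", ["192.168.0.100"], [5000, 35357])))
```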
Using tshark
Another option is Wireshark's command-line tool, tshark:
apt-get install tshark
Note that tshark is much slower to start than tcpdump; you need to wait a good while until it prints something like "Capturing on 'eno1'" before any packets are shown.
# Show interfaces
tshark -D
# Capture on an interface and show everything from a given source (-Y is a display filter)
tshark -i eno1 -Y "ip.src == 10.1.0.76"
# Capture on an interface and show only HTTP to and from a given host
tshark -i eno1 -Y "ip.addr == 10.1.0.76 and http"