Kyle Pericak

"It works in my environment."

Thu 04 June 2020

Packet Tracing Reference

Posted by Kyle Pericak in systems administration   

Regular TCPDUMP

Since tcpdump is installed by default, it's the first thing to reach for.

# Only listen on one interface
tcpdump -i <interface/any>

# Filter to a host
tcpdump 'host <ip address/fqdn>'

# filter to a port
tcpdump 'tcp port 5000'

# combine filters
tcpdump '(tcp port 5000 or tcp port 35357) and host 192.168.0.100'

# print packets in ASCII (you basically always want this)
tcpdump -A

Using tshark

Another option is wireshark's command line, tshark:

apt-get install tshark

Note that tshark is much slower to start than tcpdump; wait until it prints something like "Capturing on 'eno1'" before expecting any output.

# show interfaces
tshark -D

# Capture everything from a given source and interface
tshark -i eno1 -Y "ip.src == 10.1.0.76"

# Capture HTTP to and from a given source
tshark -i eno1 -Y "ip.addr == 10.1.0.76 and http"
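The combined-filter tcpdump line above and the tshark lines are easy to get wrong when typed by hand, so here is a small POSIX shell helper that builds the same kind of expression from a host list and a port list and prints the matching tcpdump and tshark commands. This is an added example, not part of the original post; the interface name and the addresses are the ones used in the post, and the script only prints the commands so they can be reviewed before being run with root privileges.

```shell
#!/bin/sh
# Added example, not from the original post: generate the combined
# tcpdump/tshark capture filters the post builds by hand, from a
# space-separated host list and port list. Commands are printed, not
# executed, so the output can be reviewed before running it as root.

# Join each item of list $2 with " or ", prefixed by $1, in parentheses.
# bpf_or "tcp port" "5000 35357"  ->  (tcp port 5000 or tcp port 35357)
bpf_or() {
    prefix=$1
    set -- $2          # split the list on whitespace
    expr=""
    for item in "$@"; do
        if [ -z "$expr" ]; then
            expr="$prefix $item"
        else
            expr="$expr or $prefix $item"
        fi
    done
    if [ -n "$expr" ]; then
        printf '(%s)' "$expr"
    fi
}

# BPF filter for "any of these tcp ports AND any of these hosts".
# Either list may be empty, in which case that half is left out.
# build_bpf "192.168.0.100" "5000 35357"
#   -> (tcp port 5000 or tcp port 35357) and (host 192.168.0.100)
build_bpf() {
    h=$(bpf_or "host" "$1")
    p=$(bpf_or "tcp port" "$2")
    if [ -n "$h" ] && [ -n "$p" ]; then
        printf '%s and %s' "$p" "$h"
    else
        printf '%s%s' "$p" "$h"
    fi
}

# tcpdump command with the post's defaults: -A for ASCII payloads, plus
# -n so addresses are not resolved (no DNS traffic generated by the capture).
tcpdump_cmd() {
    printf "tcpdump -i %s -n -A '%s'" "$1" "$(build_bpf "$2" "$3")"
}

# tshark equivalent. The BPF expression goes to -f (a capture filter,
# applied before packets are stored); -Y, as used in the post, is a
# display filter in Wireshark field syntax evaluated after capture, so
# it changes what is shown but not what tshark has to process.
tshark_cmd() {
    printf "tshark -i %s -f '%s'" "$1" "$(build_bpf "$2" "$3")"
}

# Stand-alone use: print both commands for the post's combined-filter case.
tcpdump_cmd eno1 "192.168.0.100" "5000 35357"; echo
tshark_cmd  eno1 "192.168.0.100" "5000 35357"; echo
```

Run the generated line with `sudo sh -c "$(tcpdump_cmd eno1 192.168.0.100 '5000 35357')"` once it looks right; for tshark, keep the BPF expression on `-f` and reserve `-Y` for protocol-level conditions such as `http` that BPF cannot express.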
