TCPDump: Capture and Record Specific Protocols / Port

Q. How do I capture a specific protocol or port, such as 80 (HTTP), using the tcpdump tool under Linux / UNIX? How do I record traffic with tcpdump so that I can find problems later on?

A. tcpdump is a tool for network monitoring and data acquisition. It can save a lot of time and can be used for debugging network or server related problems. tcpdump prints out a description of the contents of packets on a network interface that match a boolean filter expression.


Monitor all packets on eth1 interface

tcpdump -i eth1

Monitor all traffic on port 80 ( HTTP )

tcpdump -i eth1 'port 80'

Monitor all traffic on port 25 ( SMTP )

tcpdump -vv -x -X -s 1500 -i eth1 'port 25'
Where,

  • -vv : More verbose output
  • -x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet in hex.
  • -X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
  • -s 1500: Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
  • -i eth1 : Monitor eth1 interface

Capturing traffic information using cronjobs

tcpdump can be used to find out about attacks and other problems. Let us say your web server faces a problem every day at midnight. Enter the following command into cron. It will schedule a capture of 30,000 packets and write the raw data to a file called port.80.debug.txt:
@midnight /usr/sbin/tcpdump -n -c 30000 -w /root/port.80.debug.txt
The next day you can log into your box and read the /root/port.80.debug.txt file:
tcpdump -X -vv -r /root/port.80.debug.txt
This simple technique can be used to record and debug problems.
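Reading a saved capture back does not have to go through tcpdump -r: the -w file is plain libpcap, so a few lines of Python can pull out whatever you want to check. The following is an added example, not code from the original article: it builds a small constructed capture in that format, counts packets per destination TCP port (what a 'port N' filter would have selected), and shows what a too-small snaplen (-s) does to the stored packets; every address, port and helper name is made up for the illustration.

```python
import struct

def tcp_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left zero; irrelevant for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp + payload

def pcap_file(frames, snaplen=1500):
    """Wrap frames in the libpcap format that `tcpdump -w` writes (little-endian, link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):                        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

def iter_records(data):
    """Yield (ts_sec, frame) from a pcap blob; accepts either byte order of the magic number."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not an Ethernet pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield ts_sec, data[off + 16:off + 16 + incl]
        off += 16 + incl

def count_by_tcp_port(data):
    """Count IPv4/TCP frames per destination port, what a 'port N' filter would have selected."""
    counts = {}
    for _, frame in iter_records(data):
        if len(frame) < 24 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 4:
            continue                                      # TCP header cut off by a short snaplen
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        counts[dport] = counts.get(dport, 0) + 1
    return counts

# Constructed capture: two connections to port 80 and one to port 25; TRUNCATED stores one frame
# with a tiny snaplen so its TCP header is lost (what a too-small -s value does to later analysis).
SAMPLE = pcap_file([
    tcp_packet("192.0.2.10", "192.0.2.1", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    tcp_packet("192.0.2.11", "192.0.2.1", 40001, 80),
    tcp_packet("192.0.2.12", "192.0.2.1", 40002, 25),
])
TRUNCATED = pcap_file([tcp_packet("192.0.2.13", "192.0.2.1", 40003, 80)], snaplen=20)
```

count_by_tcp_port(SAMPLE) returns {80: 2, 25: 1}, while count_by_tcp_port(TRUNCATED) returns {} because nothing past the link-layer header survived the short snaplen.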

Further reading:

  • tcpdump man page

  • Gagan Brahmi Sep 1, 2008 @ 11:08

    hey Vivek,

    Nice read. One question that I need the answer for. What are the possible details that we can get from the tcpdump output?

    I can see that it contains a whole lot of information, but not sure what is the important part of it.

  • Dylan Oct 2, 2008 @ 2:18

    Remember to load the saved capture file into Wireshark for a great help on analysis.
    Nice article thanks.

  • lady Feb 19, 2009 @ 3:39

    Hi Dylan,
    can you tell me how to save the capture file from tcpdump?
    I tried this command: tcpdump -w new.pcap -i eth1
    but the result is this: tcpdump: socket: Operation not permitted
    What did I do wrong?
    Should I create the folder first?

  • Fer Mar 9, 2009 @ 1:27

    Hi!
    Nice explanation... I wonder, could I use it to capture Squid proxy traffic and use it to resolve user/pass data?
    Don't get me wrong... I have a traitor in my organization, so I'm trying to figure out who it is.
    Sorry if this question is unethical for you.
    FER

  • Kiambang Oct 24, 2011 @ 11:38

    ...or using justniffer. http://justniffer.sourceforge.net/

    Kyam

  • Ben Nov 11, 2011 @ 0:02

    I am doing a project to analyze the network traffic of BitTorrent clients. So when I initiate a download from my computer (using my wireless internet connection), I need to start collecting the tcpdump output and store it in another file.
    I tried using sudo tcpdump -i wlan0 -w xyz.dmp, but it doesn't work... what do I do?

  • Panda Sep 6, 2012 @ 21:49

    Ben try this:

    sudo tcpdump -D

    change wlan0 for something else :D

  • skybridgedomains Jun 12, 2016 @ 10:25

    Hello, this will monitor ALL port 80 website traffic, on interface 0, and display 1000 lines of tcpdump then it will cancel automatically.

    as follows, tcpdump -nl -s 0 -A -i eth0 -c 500 port 80

    Really good command to monitor just one single port.
