TCPDump is a utility for intercepting and collecting the packets arriving at and leaving the server.
TCPDump installation
For Ubuntu/Debian:
For Red Hat / CentOS:
Command arguments
Usage
In order not to clog our dump with extra packets, choose the specific interface we want to collect from rather than all of them. You can view a list of all interfaces with this command:
To display the logs of our network interface in real time, use the command:
Don’t forget that TCPDump requires root privileges, so run these commands as root or with sudo.
After running the command we will see a stream of output lines; to stop the dump, press Ctrl + C.
To see more information about each packet, use the -v argument.
Filtering arguments
An equally powerful feature is the additional argument that lets us filter packets of different types by the following parameters:
For example, we can view all packets that go from our server to a destination address:
Conversely, all packets sent to our server from a source subnet (you can also use a specific IP address, as in the example above):
You can use arguments to find packets of a required size.
Let’s say you have several Garry’s Mod servers on different ports and you want to check whether they are currently under a DDoS attack. The following command will do:
Note the specified port range.
With -w the dump will be written to the garrysmod.dump file.
Extended operators
In addition, TCPDump has operators for creating different combinations of arguments.
Suppose we want to print out all the MySQL query traffic that 192.168.1.1 sends to port 3306 (on any address).
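The filters from the "Filtering arguments" section and the combinations from this section, assembled into tcpdump expressions as an added example (not a command from the original page). Only 192.168.1.1 and port 3306 come from the text; the interface name eth0, the other addresses, the port range 27015-27020 and the 600-byte size threshold are constructed placeholders.

```shell
#!/bin/sh
# Builds tcpdump filter expressions for the scenarios discussed above.
# Nothing here captures traffic; each function returns the expression
# (or full command line) so it can be inspected before running it as root.

# Join any number of filter primitives with one boolean operator
# ("and" / "or"), parenthesising each primitive so precedence is explicit.
bpf_join() {
  op="$1"; shift
  out=""
  for p in "$@"; do
    if [ -z "$out" ]; then out="($p)"; else out="$out $op ($p)"; fi
  done
  printf '%s' "$out"
}

# All packets leaving our server ($1) for one destination address ($2).
to_destination() {
  bpf_join and "src host $1" "dst host $2"
}

# All packets arriving at our server ($2) from a source subnet ($1, CIDR form).
from_subnet() {
  bpf_join and "src net $1" "dst host $2"
}

# Check several game servers on a port range for a flood of large UDP packets
# and write the raw packets to a file with -w for later analysis.
# $1 = interface, $2 = first port, $3 = last port, $4 = output file
flood_check_cmd() {
  filter="$(bpf_join and udp "portrange $2-$3" "greater 600")"
  printf "tcpdump -i %s -w %s '%s'" "$1" "$4" "$filter"
}

# MySQL query traffic that one host ($1) sends to port 3306 on any address.
mysql_queries() {
  bpf_join and "src host $1" tcp "dst port 3306"
}

# Negation: everything except the administrator's own SSH session ($1),
# so our own connection does not fill the dump.
exclude_ssh() {
  printf 'not (%s)' "$(bpf_join and "host $1" "port 22")"
}
```

Run a generated expression with, for example, `sudo tcpdump -i eth0 -v "$(mysql_queries 192.168.1.1)"`; the interface name and addresses must be replaced with your own.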
Conclusion
Thanks for reading! We have looked at TCPDump in detail: a very useful tool that is an integral part of a network engineer's work and is useful for ordinary users as well.