
SUSE Lesson 18 Packet captures with TCPDUMP

October 2, 2013

Here we will take a look at the command-line world of packet capture, that is: tcpdump. Don't be put off by the words "command line"; you will soon learn that tcpdump is a quick and easy tool to use in network diagnostics:

tcpdump -i eth0

The command in its simplest form displays all traffic that can be seen on eth0, usually the first network card in Linux. If we see too much, we can start adding filters.

tcpdump -i eth0 ip6  # show only IP version 6 traffic
tcpdump -i eth0 udp port 1812  # capture RADIUS traffic on UDP port 1812
tcpdump -i eth0 not port 22  # exclude port 22 (ssh)
tcpdump -nn -i eth0  # display IP addresses rather than DNS names, and do not translate port numbers to service names (yes, double n)

You may also need to put your network card into promiscuous mode so that it will capture all traffic, not just traffic destined for its own address. This is less useful nowadays, with switches replacing hubs: a switch only delivers unicast frames to the port that owns the destination MAC address, so promiscuous mode only shows you the broadcast, flooded or mirrored traffic that actually reaches your port.

ip link set eth0 promisc on  # turns it on now, but the setting is not persistent
Adding PROMISC='yes' to your network card configuration makes it permanent.
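The filters above can be combined into one expression, and captures can be written to a file for later analysis. The following shell functions are an added example, not part of the original lesson: they join several filter primitives with "and", build a tcpdump command that writes the first N packets to a pcap file, and check whether an interface currently shows the PROMISC flag. The interface name eth0 and file name radius.pcap are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the lesson): compose tcpdump filter primitives,
# build a capture command, and check an interface for promiscuous mode.
# eth0 and radius.pcap are assumed names for illustration only.

# join_filter PRIMITIVE... -> one BPF expression, each primitive in
# parentheses and joined with "and", so "not port 22" and "udp port 1812"
# become "(not port 22) and (udp port 1812)".
join_filter() {
    expr=""
    for p in "$@"; do
        if [ -z "$expr" ]; then
            expr="($p)"
        else
            expr="$expr and ($p)"
        fi
    done
    printf '%s' "$expr"
}

# capture_cmd IFACE OUTFILE COUNT PRIMITIVE... -> the tcpdump command line.
# -nn: no name/port resolution, -c: stop after COUNT packets,
# -w: write raw packets to OUTFILE (read back later with tcpdump -nn -r OUTFILE).
capture_cmd() {
    iface=$1; outfile=$2; count=$3; shift 3
    printf "tcpdump -nn -i %s -c %s -w %s '%s'" \
        "$iface" "$count" "$outfile" "$(join_filter "$@")"
}

# is_promisc IFACE -> exit 0 if `ip link` lists the PROMISC flag, 1 otherwise.
is_promisc() {
    ip link show "$1" 2>/dev/null | grep -q '<[^>]*PROMISC[^>]*>'
}

# Example: RADIUS and IPv6 traffic with ssh excluded, first 100 packets to a file.
capture_cmd eth0 radius.pcap 100 "not port 22" "udp port 1812 or ip6"
echo
```

Run the printed command as root to start the capture; is_promisc eth0 tells you whether the promiscuous setting above actually took effect.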