TCP dump and Wireshark

TCPDump is a command-line tool for network monitoring and packet capture, useful for debugging network and server problems. It prints a description of the packets seen on a network interface that match a Boolean filter expression, and it can also write the raw packets to a file. By restricting the filter to a particular port number, you can monitor just the traffic for one service.

Run the below command to install TCPDump in Ubuntu
sudo apt-get install tcpdump

Assume that you want to capture the traffic going to and coming from port 80. Run the command below to take the dump:
sudo tcpdump -i any -w dump-file.pcap port 80

The command runs continuously until you stop it with Ctrl + C.
It listens on all interfaces (-i any) for incoming and outgoing traffic matching the filter "port 80" and writes the captured packets to the file dump-file.pcap.

Once you have the file, you can use Wireshark to view the data.

Run the command below to install Wireshark in Ubuntu:
sudo apt-get install wireshark

Then open the capture by running:
wireshark dump-file.pcap

This opens the Wireshark UI, where you can view all the captured traffic. Right-click any packet and choose "Follow TCP stream" to see the complete conversation that packet belongs to, reassembled in order.
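As an added example (not part of the original post), here is a minimal Python reader for the classic pcap file that "tcpdump -w" produces, applying the same selection as the "port 80" capture filter above. One caveat it handles: "-i any" writes Linux "cooked" (SLL) records rather than Ethernet frames, so the link-layer header is 16 bytes instead of 14 and the IPv4 header starts at a different offset. The two-packet capture it parses is constructed inline; the function and constant names are this example's own.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113
PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap

def build_pcap(linktype, frames):
    """Serialise constructed frames as a classic pcap (the format `tcpdump -w` writes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(linktype, sport, dport):
    """Constructed link-layer + IPv4 + TCP headers; no payload, checksums left zero."""
    if linktype == LINKTYPE_LINUX_SLL:   # 16-byte "cooked" header produced by `-i any`
        ll = struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800)
    else:                                # 14-byte Ethernet header
        ll = struct.pack("!6s6sH", b"\0" * 6, b"\0" * 6, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ll + ip + tcp

def tcp_ports(pcap):
    """Yield (src_port, dst_port) for every IPv4/TCP record in the capture."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    ll_len, proto_off = (16, 14) if linktype == LINKTYPE_LINUX_SLL else (14, 12)
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack("!H", frame[proto_off:proto_off + 2])[0] != 0x0800:
            continue                       # not IPv4
        ip = frame[ll_len:]
        ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
        if ip[9] != 6:
            continue                       # not TCP
        yield struct.unpack("!HH", ip[ihl:ihl + 4])

def port_filter(pcap, port=80):
    """Same selection as the BPF expression `port 80`: either endpoint matches."""
    return [p for p in tcp_ports(pcap) if port in p]

if __name__ == "__main__":
    demo = build_pcap(LINKTYPE_LINUX_SLL, [tcp_frame(LINKTYPE_LINUX_SLL, 50000, 80),
                      tcp_frame(LINKTYPE_LINUX_SLL, 80, 50000), tcp_frame(LINKTYPE_LINUX_SLL, 50001, 443)])
    print(port_filter(demo))   # [(50000, 80), (80, 50000)]
```

To run it against the capture from the post, read dump-file.pcap into bytes and pass them to port_filter; captures taken with "-i eth0" instead of "-i any" are handled by the Ethernet branch.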
