tcpdump infrequently enough that I don’t have the arguments memorized, but frequently enough that I don’t like digging through the manual to find all the arguments I want. I originally posted this on my old employer’s community portal, but I find myself referring back to it enough that I thought I should copy it here.
Using tcpdump to capture packets on a Linux system
Sometimes when trying to debug a problem with a network application, it’s helpful to sniff the connection between the client and the server to get a better idea of what’s going on and which component is to blame. If you’re using a graphical environment, Wireshark (formerly Ethereal) makes it easy to capture and analyze packets, but if the server is a “headless” Linux machine, it’s not as straightforward. In this situation, I’ve used the tcpdump utility to capture packets on the server to a file, then transferred the file to my computer for analyzing with Wireshark. Keep in mind that the capture file contains full packet payloads, including any passwords or session cookies that crossed the wire in the clear, so copy it over an encrypted channel such as scp and delete it from the server once you have it.
The following command will capture all packets on the eth0 network interface and log them to a file called packets.tcpdump (tcpdump has to run as root, or with the CAP_NET_RAW and CAP_NET_ADMIN capabilities, to open the interface):

tcpdump -i eth0 -s 0 -U -w packets.tcpdump

Here -i selects the interface; -s 0 captures each packet in full rather than only its first few dozen bytes (older releases defaulted to a 68-byte snaplen, which truncates payloads; since tcpdump 4.0 the default is the whole packet, so -s 0 is harmless but no longer strictly necessary); -U flushes each packet to the file as soon as it is captured, so the file is readable even if tcpdump is killed; and -w writes raw packets in pcap format instead of printing a decoded summary.
tcpdump will continue to run in the foreground while you generate the network activity. When you’re done, press CTRL+C to stop tcpdump. Note that capturing this way puts the interface into promiscuous mode and loads the server’s CPU and disk; on a busy link tcpdump may even drop packets (it reports the count when it exits), so you should not leave this running in a production environment.
Capturing all packets also has the potential to use a lot of disk space if your network is busy. If you’re having trouble finding the traffic you want because the dump is too large, consider passing additional arguments to tcpdump to filter the types of packets that are captured, e.g., only packets from a certain IP address or only packets on a certain port. Alternatively, -C and -W rotate the capture through a fixed number of fixed-size files (e.g., -C 100 -W 5 keeps at most five files of roughly 100 MB each), which bounds disk usage without narrowing what is captured.
The following command will only capture TCP packets destined for or originating from port 80. The trailing expression is a BPF capture filter (see the pcap-filter manual page); terms can be combined, e.g., host 10.0.0.5 and tcp port 80, and port 80 matches the port in either direction.

tcpdump -i eth0 -s 0 -U -w port-80-packets.tcpdump tcp port 80
Of course, the downside to filtering the dump at capture time is that you may miss something that helps you debug the problem you’re encountering. If you can afford the disk space and your network is not that busy, it may be better to capture all packets and just use a display filter in Wireshark to help you find what you’re looking for.
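To make concrete what -s 0 and capture-time versus display-time filtering mean at the byte level, here is an added example (not part of this post or of tcpdump itself) in Python. It parses a classic pcap file of the kind tcpdump -w produces, re-applies the equivalent of the tcp port 80 filter to every record after the fact, and counts records whose saved length is shorter than their on-wire length, which is what a small snaplen produces. The packets it works on are constructed inline with zeroed checksums; it understands Ethernet/IPv4 only (tcpdump’s own tcp port filter also matches IPv6), and it stops quietly at a torn final record, which is what a capture killed mid-write looks like.

```python
# Added example (not tcpdump's own code): read a "tcpdump -w" file back and
# re-apply a "tcp port N" filter after the fact. Sample packets are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

@dataclass
class Record:
    ts_sec: int
    caplen: int      # incl_len: bytes saved to disk
    origlen: int     # orig_len: bytes seen on the wire
    data: bytes

    @property
    def truncated(self) -> bool:  # never true for a capture made with -s 0
        return self.caplen < self.origlen

def read_pcap(blob: bytes) -> List[Record]:
    """Parse a classic pcap file; a torn final record ends the parse quietly."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)  # second form: big-endian writer
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(end + "HHiIII", blob[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, _usec, caplen, origlen = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):
            break                    # header present but packet bytes cut off
        records.append(Record(ts_sec, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return records

def tcp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """(src, dst) ports of an Ethernet/IPv4/TCP frame, else None. Like BPF's
    "tcp port", non-first fragments (no TCP header) never match. IPv4 only;
    tcpdump's own filter would also match IPv6."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or frag or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])

def matches_tcp_port(frame: bytes, port: int) -> bool:
    """Display-filter equivalent of the capture filter "tcp port <port>"."""
    ports = tcp_ports(frame)
    return ports is not None and port in ports

def summarize(blob: bytes, port: int) -> dict:
    recs = read_pcap(blob)
    return {"packets": len(recs),
            "matching": sum(matches_tcp_port(r.data, port) for r in recs),
            "truncated": sum(r.truncated for r in recs)}

# Constructed sample traffic. Checksums are left zero; tcpdump does not verify them.
def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4_frame(src, dst, IPPROTO_TCP, seg + payload)

def build_pcap(frames: List[bytes], snaplen: int = 0) -> bytes:
    """Write frames the way tcpdump -w would; snaplen 0 means whole packets."""
    limit = snaplen or 262144
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f[:limit]), len(f)) + f[:limit]
    return out

SAMPLE_FRAMES = [
    tcp_frame("10.0.0.5", "10.0.0.1", 51234, 80, b"GET / HTTP/1.0\r\n\r\n"),
    tcp_frame("10.0.0.1", "10.0.0.5", 80, 51234, b"HTTP/1.0 200 OK\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.9", 40000, 22, b"SSH-2.0-x\r\n"),
    # a DNS query over UDP: the TCP port filter must ignore it
    ipv4_frame("10.0.0.5", "10.0.0.2", IPPROTO_UDP,
               struct.pack("!HHHH", 40001, 53, 20, 0) + bytes(12)),
]
FULL_CAPTURE = build_pcap(SAMPLE_FRAMES)               # like tcpdump -s 0 -w
SHORT_CAPTURE = build_pcap(SAMPLE_FRAMES, snaplen=60)  # like an old small default snaplen

if __name__ == "__main__":
    print("full :", summarize(FULL_CAPTURE, 80))   # {'packets': 4, 'matching': 2, 'truncated': 0}
    print("short:", summarize(SHORT_CAPTURE, 80))  # {'packets': 4, 'matching': 2, 'truncated': 3}
```

The short capture still yields the same two port-80 matches because the 60 bytes kept per packet cover the Ethernet, IP and TCP headers, but three of the four records are flagged as truncated, and the HTTP request and response bodies are gone. That is exactly the failure -s 0 guards against: the headers look fine in Wireshark while the payload you needed was never written.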