How to sniff network traffic in Linux
Network traffic could be captured and monitored in real-time for analysis and troubleshooting using packet sniffing tools. tcpdump is the most commonly used Linux packet sniffer and is available in most Linux distribution's default package manager.
tcpdump can be installed and used to capture network packets from the terminal in Linux.
Steps to capture network traffic in Linux:
-
Launch terminal.
-
Identify the network interface that you want to capture the network traffic packets.
$ ip address show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:c1:c7:27 brd ff:ff:ff:ff:ff:ff inet 192.168.111.209/24 brd 192.168.111.255 scope global dynamic ens33 valid_lft 1686sec preferred_lft 1686sec inet6 fe80::20c:29ff:fec1:c727/64 scope link valid_lft forever preferred_lft forever 3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:c1:c7:31 brd ff:ff:ff:ff:ff:ff inet 10.1.11.168/24 brd 10.1.11.255 scope global dynamic ens38 valid_lft 553sec preferred_lft 553sec inet6 fe80::20c:29ff:fec1:c731/64 scope link valid_lft forever preferred_lft forever
-
Install tcpdump for your Linux distribution if it's not already installed.
$ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
-
Run tcpdump against the network interface that you've selected.
$ sudo tcpdump --interface=ens33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:51:33.441598 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271 23:51:33.443678 IP host.38511 > _gateway.domain: 59312+ PTR? 255.111.168.192.in-addr.arpa. (46) 23:51:33.457610 IP _gateway.domain > host.38511: 59312 NXDomain*- 0/0/0 (46) 23:51:33.458205 IP host.36456 > _gateway.domain: 45040+ PTR? 1.111.168.192.in-addr.arpa. (44) 23:51:33.472273 IP _gateway.domain > host.36456: 45040 NXDomain*- 0/0/0 (44) 23:51:33.473799 IP host.48347 > _gateway.domain: 21130+ PTR? 2.111.168.192.in-addr.arpa. (44) 23:51:33.488758 IP _gateway.domain > host.48347: 21130 NXDomain*- 0/0/0 (44)
-
Disable resolution of IP address to names.
$ sudo tcpdump --interface=ens33 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:53:03.560835 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271 23:53:05.017192 ARP, Request who-has 192.168.111.209 tell 192.168.111.1, length 46 23:53:05.017275 ARP, Reply 192.168.111.209 is-at 00:0c:29:c1:c7:27, length 28 23:53:05.017603 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 0, length 64 23:53:05.017652 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 0, length 64 23:53:06.020939 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 1, length 64 23:53:06.021010 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 1, length 64 23:53:07.024389 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 2, length 64
-
Set a filter to view network only for and from a specific IP address.
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:55:40.546464 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 0, length 64 23:55:40.546517 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 0, length 64 23:55:41.551452 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 1, length 64 23:55:41.551485 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 1, length 64 23:55:42.556106 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 2, length 64 23:55:42.556243 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 2, length 64 23:55:43.561055 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 3, length 64 23:55:43.561094 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 3, length 64 23:55:43.955857 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [SEW], seq 3194582235, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243647685 ecr 0,sackOK,eol], length 0 23:55:43.955909 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [S.E], seq 4099266365, ack 3194582236, win 65160, options [mss 1460,sackOK,TS val 1285093713 ecr 243647685,nop,wscale 7], length 0 23:55:43.956230 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 0 23:55:43.956250 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 79: HTTP: GET / HTTP/1.1 23:55:43.956385 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285093713 ecr 243647685], length 0 23:55:43.957093 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285093714 ecr 243647685], length 7240: HTTP: HTTP/1.1 200 OK 23:55:43.957218 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243647686 ecr 1285093714], length 0
-
Filter to only view traffic of specific port.
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 23:56:55.050784 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [SEW], seq 2286192876, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243718593 ecr 0,sackOK,eol], length 0 23:56:55.050827 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [S.E], seq 3111916818, ack 2286192877, win 65160, options [mss 1460,sackOK,TS val 1285164808 ecr 243718593,nop,wscale 7], length 0 23:56:55.051071 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051080 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 79: HTTP: GET / HTTP/1.1 23:56:55.051099 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 0 23:56:55.051375 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 7240: HTTP: HTTP/1.1 200 OK 23:56:55.051501 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 3933: HTTP 23:56:55.051565 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051570 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051572 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051573 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.051574 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243718593 ecr 1285164808], length 0 23:56:55.052608 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243718594 ecr 1285164808], length 0 23:56:55.053149 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243718595 ecr 1285164808], length 0 23:56:55.053527 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285164810 ecr 243718595], length 0 23:56:55.054224 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243718595 ecr 1285164810], length 0
-
Write network packet to disk.
$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 -w packet-dump.pcap tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes ^C16 packets captured 16 packets received by filter 0 packets dropped by kernel
-
Verify network traffic file is saved correctly.
$ file packet-dump.pcap packet-dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
-
Read saved network packet dump using tcpdump.
$ tcpdump -r packet-dump.pcap reading from file packet-dump.pcap, link-type EN10MB (Ethernet) 00:00:12.131083 IP 192.168.111.1.53895 > host.http: Flags [SEW], seq 863662690, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243914992 ecr 0,sackOK,eol], length 0 00:00:12.131113 IP host.http > 192.168.111.1.53895: Flags [S.E], seq 2897562547, ack 863662691, win 65160, options [mss 1460,sackOK,TS val 1285361888 ecr 243914992,nop,wscale 7], length 0 00:00:12.131274 IP 192.168.111.1.53895 > host.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 0 00:00:12.131280 IP 192.168.111.1.53895 > host.http: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 79: HTTP: GET / HTTP/1.1 00:00:12.131300 IP host.http > 192.168.111.1.53895: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285361888 ecr 243914992], length 0 00:00:12.131855 IP host.http > 192.168.111.1.53895: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 7240: HTTP: HTTP/1.1 200 OK 00:00:12.131917 IP host.http > 192.168.111.1.53895: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 3933: HTTP 00:00:12.132149 IP 192.168.111.1.53895 > host.http: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132180 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132184 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132185 IP 192.168.111.1.53895 > host.http: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132188 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.132801 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0 00:00:12.133426 IP 192.168.111.1.53895 > host.http: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243914994 ecr 1285361889], length 0 00:00:12.133545 IP host.http > 192.168.111.1.53895: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285361890 ecr 243914994], length 0 00:00:12.133772 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243914994 ecr 1285361890], length 0