Looking at low-level network traffic is often useful for diagnosing application and system problems.
This is easy to do in modern browsers using the devtools network capture widgets and extensions such as Postman, but sometimes you need to diagnose traffic between servers in a live application, as opposed to being able to make the requests yourself from your browser. In these cases, tcpdump shines.
This article will cover how to use tcpdump to diagnose non-encrypted traffic. For encrypted traffic, ssldump can be used provided you have access to the private key used to encrypt the traffic.
To listen for traffic and write to stdout, the snippet is:
```sh
tcpdump -i any -s 65535 -n -A expression
```
- -i The interface to listen on (run tcpdump -D to get a list of available interfaces, or just use the keyword “any” to listen on all network interfaces)
- -n Don’t convert host addresses to names (skips DNS resolution, which makes things faster)
- -A Print packets in ASCII, excluding link-level headers. Use -X for both hex and ASCII printout.
- -s By default tcpdump only captures the first 68 bytes of each packet. This option allows you to specify how much of each packet to capture. The maximum IP packet size is 65535.
See man pcap-filter for a full description of ‘expression’. For example, to capture all traffic on port 80, or all traffic sent to host 10.0.0.1:
```sh
tcpdump -i 11 -n -A -s 65535 port 80
tcpdump -i 11 -n -A -s 65535 dst host 10.0.0.1
```
Other useful flags:
- -w write packets to a file which can later be replayed
- -r read packets written with -w
```sh
tcpdump -i any -n -A -s 65535 -w network_traffic.capture
tcpdump -n -r network_traffic.capture -A port 80
```
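As an added example (not part of the original article), here is what the second command does under the hood: a standard-library-only Python reader for a capture written with -w that applies the equivalent of `-r file -A port 80`. The sample capture is constructed inline rather than recorded from a live interface, and the two link headers handled are plain Ethernet and the Linux “cooked” header that `-i any` produces.

```python
import struct
LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113      # `-i eth0` vs `-i any` (Linux "cooked")

def parse_pcap(data):
    """Return (linktype, [frame, ...]) from a classic pcap file written by `tcpdump -w`."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]  # KeyError: not pcap
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):                       # 16-byte record header precedes each frame
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # bytes saved (<= -s)
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames

def tcp_fields(linktype, frame):
    """Return (sport, dport, payload) for an IPv4/TCP frame, else None."""
    ip_off = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}.get(linktype)  # link header length
    if ip_off is None or frame[ip_off - 2:ip_off] != b"\x08\x00" or frame[ip_off + 9] != 6:
        return None                                    # EtherType 0x0800 = IPv4, IP proto 6 = TCP
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return sport, dport, frame[tcp_off + data_off:ip_off + total_len]

def grep_port(pcap_bytes, port):
    """`tcpdump -r file -A port N` in Python: printable ASCII of matching TCP payloads."""
    linktype, frames = parse_pcap(pcap_bytes)
    dump = lambda p: "".join(chr(b) if 32 <= b < 127 or b in b"\r\n" else "." for b in p)
    return [dump(f[2]) for frame in frames
            if (f := tcp_fields(linktype, frame)) and port in f[:2] and f[2]]

def _frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (10.0.0.2 -> 10.0.0.1); checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip             # zeroed MACs + EtherType IPv4

def build_pcap(frames):
    """Constructed little-endian pcap, as `tcpdump -w` writes (snaplen 65535, Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([                              # constructed traffic, not a real capture
    _frame(51234, 80, b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"),
    _frame(80, 51234, b"HTTP/1.1 200 OK\r\n\r\n"),
    _frame(51235, 22, b"SSH-2.0-OpenSSH\r\n"),         # dropped by the "port 80" filter
])
```

Pointing `grep_port` at the bytes of a real network_traffic.capture file gives the same request/response text that `tcpdump -A` prints, which is a handy way to post-process captures in scripts.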
The examples above will get you started, but for more detail, check the man pages and cheat sheet: