Tracing packets with tcpdump
Just knowing which applications are using a given port may not be sufficient information to trace down a problem. Sometimes you need to check the data that is being transferred as well.
Getting ready
You need to be a root user to run tcpdump. The tcpdump application may not be installed on your system by default, so install it with your package manager:
$ sudo apt-get install tcpdump
$ sudo yum install libpcap tcpdump
How to do it...
The tcpdump application is the frontend to Wireshark and other network sniffer programs. The GUI interface supports many of the options we'll describe shortly.
This application's default behavior is to display every packet seen on the primary Ethernet link. The format of a packet report is as follows:
TIMESTAMP SRC_IP:PORT > DEST_IP:PORT: NAME1 VALUE1, NAME2 VALUE2,...
The name-value pairs include:
- The term S stands for SYN (Start Connection)
- The term F stands for FIN (Finish Connection)
- The term P stands for PUSH (Push data)
- The term R stands...