tcpdump Tips

I tend to use tcpdump when working on remote servers with multiple services running.

Thus it’s important to specify exactly which hosts and ports I want to see, or end up buried in output.

Here’s a canonical example of looking at output from a REST service on a remote host that’s listening on port 8080:

# CentOS 6/7

sudo yum -y install tcpdump
sudo tcpdump -nn -vv -i eth0 -s0 -A host X.X.X.X and port 8080

Options decoder: -nn is no name or port lookups, -i is network interface, -s0 is unlimited snapshot length, -A is ASCII output.

# Mac OS X

brew install tcpdump
sudo tcpdump -nn -vv -i en0 -s0 -A host X.X.X.X and port 8080

A more advanced example is to only capture on HTTP data packets on port 80. Avoid capturing the TCP session setup (SYN / FIN / ACK):

sudo tcpdump 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Some tips:

  1. use tcpdump, wireshark, telnet, netcat and nmap periodically so that you’re familiar with your environment, and proficient when you need them. Ensure you have permission for those hosts!
  2. if you’re using ssh, ensure you’re not dumping port 22 to avoid excessive display output
  3. seeing zero-length responses is worth paying attention to, but some listeners just work that way
  4. seeing duplicate responses is also worth paying even closer attention to as that usually indicates an unexpected problem (unless you’re dumping on localhost)
  5. seeing unexpected responses from port 3128 usually means there is a proxy
  6. if you nuke your terminal with binary data, try the clear or reset commands, or redirect to a file
  7. on a physical server you can see actual packets with MTU size, but in virtualized/cloud environments they will likely be merged before you can see them.
  8. when things just don’t seem to make sense, the ip route, tcproute and telnet commands take you down to bedrock.

Using tcpdump to see HTTP requests and responses
FAQ: Questions about CentOS 7
A Previous Post

This entry was posted in Open Source, Tech. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.