Basics
tcpdump is a command-line network monitoring tool that shows packets in real time as they pass through a server's network interface. It can both display and record (write to a file) the packets entering and leaving an interface.
I use this tool to see if logs are actually coming into a server, typically over syslog, and which port they are being received on or sent to.
Inbound traffic from IP 10.16.28.143
tcpdump -i ens160 -nn 'src 10.16.28.143'
-i = listen on network card ens160
-n = do not translate IP address to DNS names
-nn = do not translate IP to DNS names or ports to service names
-v = verbose
Inbound traffic to a specific port
tcpdump -i eth0 -nn 'dst port 12017'
Either inbound or outbound traffic to/from port 12011
tcpdump -i any port 12011
Outbound traffic to IP 10.16.1.121
tcpdump -nn -i eth0 'dst 10.16.1.121'
Outbound traffic on port 443
Only capture TCP outbound traffic going to IP 10.10.192.30 on port 443.
tcpdump -i ens160 'tcp and port 443 and dst 10.10.192.30'
See if you are getting syslog data
Only capture data coming from subnets 10.10.149.0/24 or 10.10.153.0/24 and arriving on port 514.
tcpdump -i ens160 'dst port 514 and (src net 10.10.149.0/24 or src net 10.10.153.0/24)'
Outbound traffic from port 443 (packets whose source port is 443, e.g. replies sent by a local HTTPS server; for traffic going to port 443 use 'dst port 443' as in the example above)
tcpdump -i eth0 'src port 443'