TCPDump – Analyse your network traffic


27 Feb  

Tcpdump is one of the standard tools used by network administrators to analyse network traffic. It is essentially a command-line packet sniffer for TCP (and other transport-layer protocols) that captures all the incoming and outgoing traffic on an interface. It lets you see the exact TCP connections made between the hosts in the network.

Since it is a command-line tool, many users find it hard to work with. But you can use this simple command-line tool to log all the activity and later use a GUI tool (like Wireshark) to analyse the output.

 

Basic Commands

 

Here is the summary of the basic operations that you can perform using TCPDump.

 

  • tcpdump -i eth0: This is the most commonly used form; it captures all the traffic on the interface you name (eth0 here). Here is the demo

 

tcpdump in action

 

  • tcpdump port portvalue: If you wish to analyse a particular port and see the incoming and outgoing traffic flowing through it, use this command. All you need to do is replace the text ‘portvalue’ with the actual port number. This is quite handy when you have service applications running on different ports.
  • tcpdump -c n: Use this to stop capturing after ‘n’ packets (replace ‘n’ with an integer value).
  • tcpdump -i any: This captures all traffic flowing through all ports and interfaces (not just the default one).
  • tcpdump -v: This enables verbose output.

 

If you wish to tweak further, the official manual page (man tcpdump) is the best resource.

You may also notice that once you stop the utility (with Ctrl-C) it prints a summary of the packets it captured.

 

tcpdump using ubuntu

 

In Windows

 

Microsoft systems do not have a good reputation among network administrators who care much about security. Still, many people use this environment for networking. If you are on Windows, you can try WinDump (the MS Windows version of the tcpdump utility). It uses WinPcap, which is the port of the libpcap library to the Windows platform.

 

GUI Tools

 

As I said before, it is hard to analyse all of the data in command-line mode. So the best approach is to use tcpdump for real-time monitoring (yes, it is very good for that!) and dump the data to a log directory for later analysis.

You can use tools like Wireshark to analyse this data. If you have Wireshark installed, you can do the live monitoring with it as well. But for me the command-line output is much more appealing for real-time analysis.

In Wireshark you can choose the interface you want to monitor and see the traffic in GUI mode.

 

wireshark in ubuntu

 

One advantage here is that, when you see the real-time data, you can click on any particular item and see the complete details associated with it (see the diagram shown below).

 

wireshark - traffic analysis

 

Thus it appears less cluttered. In command-line mode that becomes an issue unless you restrict the details that are printed.
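As an added example (not code from the original post), the script below ties the basic commands above to the clutter problem just described: it captures a port-filtered sample to a pcap file that Wireshark can open, and it boils tcpdump's text output down to a per-port count of connection attempts, which is the kind of summary you want when the live output is too busy to read. The interface, port and file names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): capture to a pcap file for
# Wireshark, then summarise tcpdump's one-line-per-packet text output.
# Interface, port and file names are placeholders chosen for the example.

# Capture 'count' packets for TCP 'port' on 'iface' into a pcap file.
# Needs root; the file can be opened later in Wireshark or replayed below.
capture_to_file() {
    tcpdump -i "$1" -nn -c "$3" -w "$4" tcp port "$2"
}

# Print a saved capture as text, without DNS or service-name lookups (-nn),
# so the lines have the same shape as a live 'tcpdump -nn' session.
replay_capture() {
    tcpdump -nn -r "$1"
}

# Read default-format tcpdump text lines on stdin and count TCP SYN-only
# segments (new connection attempts) per destination port. Many SYNs from
# one host to many ports in a short time is what a port scan looks like here.
summarize_syn_by_port() {
    awk '
      # Field layout: time IP src > dst: Flags [S], ...
      $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
          dst = $5; sub(/:$/, "", dst)        # drop the trailing colon
          n = split(dst, part, ".")          # port is the last dotted part
          count[part[n]]++
      }
      END { for (p in count) print p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# Constructed sample of tcpdump -nn output (not a real capture).
SAMPLE_LINES='12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000120 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000200 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [.], ack 201, win 502, length 0
12:00:02.000001 IP 10.0.0.5.51235 > 10.0.0.9.22: Flags [S], seq 300, win 64240, length 0
12:00:03.000001 IP 10.0.0.5.51236 > 10.0.0.9.80: Flags [S], seq 400, win 64240, length 0
12:00:04.000001 IP 10.0.0.5.51237 > 10.0.0.9.80: Flags [P.], seq 1:10, ack 1, win 502, length 9'

# Summarise the constructed sample; on a live box you would pipe
# "replay_capture file.pcap" or "tcpdump -nn -i any" into it instead.
printf '%s\n' "$SAMPLE_LINES" | summarize_syn_by_port
```

The summary only understands the default one-line format, so do not combine it with -v, which spreads each packet over several lines.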
