
CompTIA Linux+ XK0-005 - 1.5 - Network Monitoring: tcpdump, wireshark & tshark

Monitoring network activity is crucial for troubleshooting, security analysis, and performance optimization. In this guide, we will explore three essential tools for network monitoring in Linux: tcpdump, wireshark/tshark, and netstat. We will explain what each tool does, provide command examples, and discuss their key features and use cases.

tcpdump

tcpdump is a command-line packet analyzer that allows you to capture and analyze network traffic. It is a powerful tool for network troubleshooting, monitoring, and analysis. This guide provides an overview of commonly used options and examples for the tcpdump command.

Basic Usage

tcpdump [options] [filter_expression]
  • options: Various command-line options that modify the behavior of tcpdump.
  • filter_expression: An optional filter expression to capture specific packets based on criteria such as source/destination IP, port, protocol, etc.

Examples

  1. Capture packets on a specific network interface:

    tcpdump -i eth0
    

    This command captures packets on the eth0 network interface.

  2. Capture packets on a specific port:

    tcpdump port 80
    

    This command captures packets on port 80, which is commonly used for HTTP traffic.

  3. Capture packets based on IP address:

    tcpdump host 192.168.0.10
    

    This command captures packets involving the IP address 192.168.0.10, whether it appears as the source or the destination.

  4. Capture packets with a specific protocol:

    tcpdump icmp
    

    This command captures ICMP (Internet Control Message Protocol) packets.

  5. Capture packets using a complex filter expression:

    tcpdump 'tcp port 22 and host 192.168.0.10'
    

    This command captures TCP packets on port 22 (SSH) involving the IP address 192.168.0.10.

  6. Write captured packets to a file for later analysis:

    tcpdump -w capture.pcap
    

    This command captures packets and writes them to a file named capture.pcap.

Additional Options

  • -c <count>: Specifies the number of packets to capture before exiting.
  • -n: Disables hostname resolution, showing IP addresses instead of names.
  • -s <snaplen>: Sets the snapshot length, limiting the amount of packet data captured.
  • -v: Enables verbose output, providing detailed packet information.
  • -r <input file>: Reads packets from a previously captured file.
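The file written by `tcpdump -w` (and read back with `-r`, by tcpdump or tshark alike) is the classic pcap format: a 24-byte global header followed by a 16-byte record header plus frame bytes per packet. The example below, added here and not part of the original guide, builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames and parses it the way `tcpdump -n -r capture.pcap` would, including the effect of `-s <snaplen>` truncating records; all frame contents and addresses are constructed sample data.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1            # what tcpdump writes for an eth0 capture

def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for test data (checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen=65535):
    """Serialise frames the way `tcpdump -w` does; -s <snaplen> truncates each record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Parse what `tcpdump -n -r capture.pcap` reads: (src, sport, dst, dport, truncated) per packet."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                     # not IPv4, or cut inside the IP header
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        sport = dport = None
        if pkt[23] == 6 and len(pkt) >= 14 + ihl + 4:    # TCP, and the ports survived the snaplen
            sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        records.append((src, sport, dst, dport, incl_len < orig_len))
    return records

def tcpdump_style(records):
    """Render records roughly as tcpdump prints them with -n."""
    return [f"IP {s}.{sp} > {d}.{dp}{' [truncated]' if t else ''}" for s, sp, d, dp, t in records]

if __name__ == "__main__":
    frames = [ipv4_tcp_frame("192.168.0.10", "10.0.0.5", 51000, 22, b"x" * 100),
              ipv4_tcp_frame("10.0.0.5", "192.168.0.10", 22, 51000)]
    for line in tcpdump_style(read_pcap(build_pcap(frames, snaplen=64))):
        print(line)
```

A snaplen that cuts inside the IP header (try `snaplen=20`) drops the packet from the decoded output entirely, which is why a too-small `-s` is a common cause of "missing" traffic in a capture.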

wireshark/tshark

Wireshark (graphical) and tshark (command-line) are powerful tools for network protocol analysis. They allow you to capture, analyze, and dissect network traffic. This guide provides an overview of commonly used options and examples for the wireshark and tshark commands.

Basic Usage

Wireshark (GUI)

wireshark [options] [capture_file]
  • options: Various command-line options that modify the behavior of wireshark.
  • capture_file: Optional path to a capture file to open in Wireshark.

Tshark (CLI)

tshark [options] [filter_expression]
  • options: Various command-line options that modify the behavior of tshark.
  • filter_expression: An optional filter expression to capture specific packets based on criteria such as source/destination IP, port, protocol, etc.

Examples

Wireshark (GUI)

  1. Open a capture file:

    wireshark capture.pcap
    

    This command opens the capture.pcap file in Wireshark for analysis.

  2. Apply a display filter:

    wireshark -Y 'http.request.method == "GET"'
    

    This command opens Wireshark and applies a display filter to show only HTTP GET requests.

Tshark (CLI)

  1. Capture packets on a specific network interface:

    tshark -i eth0
    

    This command captures packets on the eth0 network interface.

  2. Capture packets on a specific port:

    tshark port 80
    

    This command captures packets on port 80, commonly used for HTTP traffic.

  3. Capture packets based on IP address:

    tshark host 192.168.0.10
    

    This command captures packets involving the IP address 192.168.0.10, whether it appears as the source or the destination.

  4. Capture packets with a specific protocol:

    tshark icmp
    

    This command captures ICMP (Internet Control Message Protocol) packets.

  5. Capture packets using a complex filter expression:

    tshark 'tcp port 22 and host 192.168.0.10'
    

    This command captures TCP packets on port 22 (SSH) involving the IP address 192.168.0.10.

For more detailed information and a complete list of options, refer to the wireshark and tshark manual pages (man wireshark and man tshark).

netstat

netstat is a command-line tool that displays network statistics and information. It provides various options to monitor network connections, routing tables, interface statistics, and more. This guide provides an overview of commonly used options and examples for the netstat command.

Basic Usage

netstat [options]
  • options: Various command-line options that modify the behavior of netstat.

Examples

  1. Display all active network connections:

    netstat -a
    

    This command displays all active network connections, both listening and established.

  2. Display listening ports only:

    netstat -l

    This command displays listening ports and associated services.

  3. Display routing table:

    netstat -r

    This command displays the kernel routing table, including destination IP addresses, gateway addresses, and interface information.

  4. Display statistics for network interfaces:

    netstat -i

    This command displays statistics for network interfaces, including received and transmitted packets, errors, and more.

  5. Display programs associated with network connections:

    netstat -p

    This command displays the programs associated with network connections, including process IDs (PIDs) and program names.

  6. Display network connections using numerical addresses:

    netstat -n

    This command displays network connections using numerical IP addresses and port numbers instead of resolving them to host and service names.

  7. Display extended information for network connections:

    netstat -e
    

    This command displays extended information for network connections, including TCP and UDP statistics.

Additional Options

  • -t: Display TCP connections only.
  • -u: Display UDP connections only.
  • -s: Display summary statistics for each protocol.
  • -c: Continuously display network statistics.
  • -p: Show the PID and program name for network connections.
  • -h: Display the help message with a summary of available options.

For more detailed information and a complete list of options, refer to the netstat manual page (man netstat).
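On Linux, netstat builds its TCP connection table from /proc/net/tcp, where addresses and ports are hex-encoded and the state is a kernel code. The example below is added here and is not part of the original guide or of netstat itself: it decodes a constructed sample of that file and renders it the way `netstat -ant` and `netstat -lt` would, which is useful when netstat is not installed on a host you are investigating. The sample rows, addresses, and inode numbers are constructed, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Kernel TCP state codes as netstat labels them (include/net/tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp, the table netstat -t reads on Linux.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18113 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 21340 1 0000000000000000 100 0 0 10 0
   2: 0A00A8C0:0016 0500000A:C6B8 01 00000000:00000000 02:000A1B2C 00000000     0        0 25501 2 0000000000000000 20 4 30 10 -1
   3: 0A00A8C0:B5F2 0500000A:0050 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""

def decode_addr(hexaddr):
    """'0A00A8C0:0016' -> ('192.168.0.10', 22). The kernel prints the IPv4 address in host
    byte order, so this sample assumes a little-endian host (x86, ARM)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text, listening_only=False):
    """Rows of (local_ip, local_port, remote_ip, remote_port, state, uid, inode);
    listening_only mirrors `netstat -lt`, otherwise `netstat -at`."""
    rows = []
    for line in text.splitlines()[1:]:                  # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        state = TCP_STATES.get(f[3], f[3])
        if listening_only and state != "LISTEN":
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        rows.append((lip, lport, rip, rport, state, int(f[7]), int(f[9])))
    return rows

def netstat_style(rows):
    """Render like `netstat -ant` (numeric, no name lookups). netstat -p maps the inode
    column to a PID by scanning /proc/<pid>/fd, which needs root for other users' sockets."""
    out = ["Proto Local Address           Foreign Address         State"]
    for lip, lport, rip, rport, state, _uid, _inode in rows:
        out.append(f"tcp   {lip + ':' + str(lport):<24}{rip + ':' + str(rport):<24}{state}")
    return out

if __name__ == "__main__":
    print("\n".join(netstat_style(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP))))
```

To run it against a live system, pass the contents of /proc/net/tcp (and /proc/net/tcp6, which uses 32-hex-digit addresses this parser does not decode) instead of the sample text.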

Conclusion

In this guide, we explored essential tools for network monitoring in Linux. The tcpdump command allows for capturing and analyzing network packets at the packet level. wireshark and tshark provide comprehensive packet analysis capabilities with graphical and text-based interfaces, respectively. Finally, the netstat command offers insights into active network connections and routing information.