Sniffing network packets – tcpdump

Sniffing packets is extremely useful when debugging any network-related traffic.

Some of you are using a graphical client such as Wireshark, which is very nice when you’re debugging on your own computer. However, this is inconvenient (and outright a pain to use) if you’re debugging traffic on a server hidden behind two SSH hop servers.

Therefore it is better to get acquainted with tcpdump.

Use cases include:

– You want to see all the outgoing HTTP traffic from your servers.

– You want to see how a web service talks to memcached.

– You want to see the headers the application server returns to the cache server.

For instance, to see all the outgoing traffic to public websites (port 80) over the eth1 interface (servers normally have more than one interface; here, eth1 is the one used for external communication):

# tcpdump -i eth1 -l -s0 -w - tcp dst port 80 | strings

By playing around with the interface (-i) you can easily isolate internal communication (-i lo will just list traffic on the loopback interface), and by adjusting the filter on (source and destination) ports you can quite easily narrow it down to exactly the traffic you want.

Lastly, by piping the output of tcpdump to ‘strings’, you filter out most of the binary gibberish that the sniffing picks up, giving you a pretty clean view of what’s going on.
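As an added example (not from the original post), here is a small shell helper that takes the text output of tcpdump -n -l 'tcp dst port 80' and answers the first use case above: which external hosts the server opens new HTTP connections to, counted by SYN packets per destination, plus the request lines tcpdump decoded. The capture lines are constructed to match tcpdump’s numeric (-n) output format; the addresses in them are made up.

```shell
#!/bin/sh
# Constructed sample of what `tcpdump -n -i eth1 -l 'tcp dst port 80'` prints.
# Fields: time, "IP", src.port, ">", dst.port:, "Flags", [flags], ...
# The third line assumes tcpdump decoded the payload as HTTP (it does so for
# port 80 when the payload is captured). All addresses here are made up.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.5.44321 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.44321 > 198.51.100.7.80: Flags [.], ack 1, win 64240, length 0
12:00:01.000003 IP 10.0.0.5.44321 > 198.51.100.7.80: Flags [P.], seq 1:80, ack 1, win 64240, length 79: HTTP: GET / HTTP/1.1
12:00:02.000004 IP 10.0.0.5.44322 > 203.0.113.9.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000005 IP 10.0.0.6.50001 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0'

# summarize_syns: read tcpdump text lines on stdin and print "dst_host count"
# for every destination that received a SYN (i.e. a new outgoing connection),
# most frequent first. Only pure SYNs count, so SYN/ACK replies are ignored.
summarize_syns() {
  awk '
    $2 == "IP" && $7 ~ /\[S\]/ {
      dst = $5                      # e.g. 198.51.100.7.80:
      sub(/:$/, "", dst)            # drop the trailing colon
      sub(/\.[0-9]+$/, "", dst)     # drop the port, leaving the host
      count[dst]++
    }
    END { for (d in count) print d, count[d] }
  ' | sort -k2,2nr -k1,1
}

# http_requests: print just the request lines tcpdump decoded, which is the
# same information the post gets by piping the raw capture through strings.
http_requests() {
  sed -n 's/.*HTTP: //p'
}

# On a live box (needs root), as in the post but with -n so awk sees IPs:
#   tcpdump -n -i eth1 -l 'tcp dst port 80' | summarize_syns
# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_syns
printf '%s\n' "$SAMPLE_CAPTURE" | http_requests
```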

Happy sniffing.