KB Article #151341
How to take a "tcpdump" on a Unix-based server
Problem
How to take a "tcpdump" on a Unix-based server
Resolution
The following command traces the network packets that flow between the host server and a remote server.
Use whichever combination of the parameters best suits your needs. Give the options (-i, -w, -s) first and the filter expression last, so the command parses the same way on Linux and BSD-style systems.
tcpdump -i <network interface> -w capture.pcap host <remote server name/IP address> and port <port number>
Please note that the file will be saved in the current working directory unless an absolute path is specified. Capturing packets requires root privileges (or, on Linux, the CAP_NET_RAW capability).
Examples:
- Capture on network interface "eth0", for remote host "10.11.12.13", port "443" and write to "capture.pcap"
tcpdump -i eth0 -w capture.pcap host 10.11.12.13 and port 443
- Capture on network interface "eth0", for remote host "10.11.12.13" and write to "capture.pcap"
tcpdump -i eth0 -w capture.pcap host 10.11.12.13
- Capture on network interface "eth0" and write to "capture.pcap"
tcpdump -i eth0 -w capture.pcap
- Capture all network traffic and write to "capture.pcap"
tcpdump -w capture.pcap
- Capture all network traffic and write to the absolute path "/tmp/tcpdump/capture.pcap" (the directory must already exist)
tcpdump -w /tmp/tcpdump/capture.pcap
You could use the following command to capture all the incoming packets to your EDGE server ("-s0" captures each packet in full rather than truncating it, and the "dst" filter keeps only packets addressed to the given IP):
tcpdump -i eth0 -s0 -w capture.pcap dst <IP address of local server>
To read the resulting "capture.pcap" file (from the directory it is saved in), you could use the following; "-r" reads from the file and "-nn" disables host and port name resolution so the output shows raw addresses and port numbers:
tcpdump -nnr capture.pcap