Using TCPdump and Wireshark to monitor network traffic

Here are a few shortcuts for common monitoring tasks with tcpdump and tshark (the command-line front end to Wireshark). I will update this post over time as new needs arise.

Monitor traffic to/from a single port (-n skips reverse DNS lookups so the capture does not generate traffic of its own; 'port 53' matches the port as either source or destination):

tcpdump -n -i eth0 'port 53'

Monitor and decode traffic to/from or mentioning a particular IP or domain (there may be a better way, this is quick and dirty). You can replace the IP with a domain name if needed. Because grep runs over the decoded text rather than the packet headers, this also catches the address or name when it appears inside a payload (a DNS answer, an HTTP Host header), which a plain BPF 'host' filter would miss. -l makes tcpdump line-buffer its output so matches show up immediately when piped, and grep -F treats the dots in the address literally instead of as regex wildcards:

tcpdump -n -l -i eth0 -vvA | grep -F -A 2 188.92.72.128

Monitor POST payload for a particular domain (useful for tracing hack attempts and other abuse). Current tshark releases take the display filter with -Y (older releases used -R for this; -R is now a read filter and requires -2). -V prints the full protocol decode, -x adds a hex dump of each matching packet, and -l flushes after every packet so the log fills as requests arrive rather than when the buffer fills. Only cleartext HTTP is visible this way; TLS traffic stays opaque. The resulting file contains whatever users submitted, passwords included, so restrict its permissions and delete it when the investigation is done:

tshark -i eth0 -l -V -T text -x -Y 'http.request and http.host == "djlab.com" and http.request.method == "POST"' > post_log_djlab.com.txt

Monitor POST payload for all domains on a machine (same flags as above, without the host match):

tshark -i eth0 -l -V -T text -x -Y 'http.request and http.request.method == "POST"' > post_log_all_domains.txt
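When the capture was saved with tcpdump -w and tshark is not installed where it needs to be analysed, the same POST-and-host filter can be applied offline. The script below is an added example, not part of the original post: a standard-library Python parser for classic pcap files that walks Ethernet/IPv4/TCP and reports POST requests, optionally restricted to one Host header. Everything other than the djlab.com hostname (the second hostname, the RFC 5737 addresses and the captured requests) is constructed sample data. Unlike tshark it does not reassemble TCP streams, so it only finds requests whose request line and headers sit at the start of a single segment, and like tshark it cannot see inside TLS.

```python
"""Pull cleartext HTTP POST requests out of a classic pcap with only the standard library.
Added example mirroring the tshark filter http.request.method == "POST" [and http.host == X].
No TCP reassembly (request line and headers must fit one segment); TLS payloads are opaque."""
import struct
import sys

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH")


def iter_pcap_frames(data):
    """Yield raw link-layer frames from classic pcap bytes (pcapng is not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order of the writer
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are supported")
    offset = 24                                                # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16                                           # per-record header: ts, ts, incl, orig
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack(">H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if ip[9] != 6 or len(tcp) < 20:                             # IP protocol 6 = TCP
        return None
    dst_port, data_off = struct.unpack(">H", tcp[2:4])[0], (tcp[12] >> 4) * 4
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, dst, dst_port, tcp[data_off:]


def parse_http_request(payload):
    """Parse an HTTP/1.x request at the start of a segment; None if it is not one."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("ascii"), "path": parts[1].decode("latin-1"),
            "headers": headers, "body": body}


def extract_posts(pcap_bytes, host=None):
    """POST requests in the capture, optionally limited to one Host header value."""
    posts = []
    for frame in iter_pcap_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[3]:                           # skip non-TCP and empty segments
            continue
        src, dst, port, payload = seg
        req = parse_http_request(payload)
        if req is None or req["method"] != "POST":
            continue
        if host is not None and req["headers"].get("host", "").lower() != host.lower():
            continue
        posts.append({"src": src, "dst": dst, "port": port, "host": req["headers"].get("host"),
                      "path": req["path"], "body": req["body"]})
    return posts


def build_frame(src_ip, dst_ip, dst_port, payload):
    """Constructed test data: minimal Ethernet/IPv4/TCP headers around a payload (no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed test data: wrap frames in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: RFC 5737 documentation addresses, made-up requests.
SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.5", "198.51.100.10", 80, b"GET /index.html HTTP/1.1\r\nHost: djlab.com\r\n\r\n"),
    build_frame("203.0.113.5", "198.51.100.10", 80, b"POST /wp-login.php HTTP/1.1\r\nHost: djlab.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\nlog=admin&pwd=secret1"),
    build_frame("203.0.113.7", "198.51.100.10", 80, b"POST /contact HTTP/1.1\r\nHost: other.example\r\n"
                b"Content-Length: 7\r\n\r\nmsg=hi!"),
    build_frame("203.0.113.7", "198.51.100.10", 53, b"\x00\x01not http"),
])

if __name__ == "__main__":
    # usage: python3 extract_posts.py capture.pcap [host]; with no arguments the sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for p in extract_posts(data, sys.argv[2] if len(sys.argv) > 2 else None):
        print(f'{p["src"]} -> {p["dst"]}:{p["port"]} host={p["host"]} path={p["path"]} body={p["body"]!r}')
```

Run it as python3 extract_posts.py capture.pcap djlab.com against a file written with tcpdump -w; with no arguments it processes the embedded sample and reports the one djlab.com login POST and the other.example POST, skipping the GET and the non-HTTP segment. Its output carries the same credential-handling caveat as the tshark log.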
