Here are a few shortcuts for common monitoring tasks with TCPdump. I will update this post over time as new needs arise.
Monitor traffic to/from a single port:
tcpdump -n -i eth0 'port 53'
Monitor and decode traffic to or from a particular domain or IP (there may be a better way; this is quick and dirty). You can replace the IP with a domain name if needed. -A prints each packet as ASCII and -vv adds header detail; -l line-buffers the output so grep sees packets as they arrive rather than in 4 KB chunks. Note that grep matches the address anywhere in the decoded text, payload included, not only in the IP header:
tcpdump -l -nvvA | grep 22.214.171.124 -A 2
Monitor POST payload for a particular domain (useful for tracing hack attempts and other abuse). On tshark 1.10 and later, -R is a two-pass read filter and must be paired with -2, or replaced by the single-pass display filter option -Y. The output file will contain full request bodies, including any submitted passwords and session cookies, so keep it readable only by root:
tshark -V -T text -R 'http.request and http.host == "djlab.com" and http.request.method == "POST"' -x > post_log_djlab.com.txt
Monitor POST payload for all domains on a machine:
tshark -V -T text -R 'http.request and http.request.method == "POST"' -x > post_log_all_domains.txt
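The one-liners above wrapped into reusable functions, as an added example that is not from the original post. It assumes tcpdump and tshark are on PATH and that the interface, host and port are supplied by the caller; the capture-to-pcap-then-extract flow and the http.file_data field are my additions, not the post's method.

```shell
#!/bin/sh
# Added example (not from the original post): reusable wrappers around the
# tcpdump/tshark shortcuts above. Assumes tcpdump and tshark are installed.

# Build a BPF capture filter from an optional host and an optional port.
# Both empty -> empty string, which makes tcpdump capture everything.
bpf_filter() {
    host="$1"
    port="$2"
    f=""
    [ -n "$host" ] && f="host $host"
    if [ -n "$port" ]; then
        [ -n "$f" ] && f="$f and "
        f="${f}port $port"
    fi
    printf '%s' "$f"
}

# Build a tshark display filter (-Y syntax) for HTTP POST requests,
# optionally limited to one Host header value.
post_filter() {
    host="$1"
    f='http.request.method == "POST"'
    [ -n "$host" ] && f="$f and http.host == \"$host\""
    printf '%s' "$f"
}

# Live monitor. -l line-buffers stdout so a downstream grep or less sees
# packets as they arrive; -n skips reverse DNS lookups for every address.
monitor() {
    iface="$1"; host="$2"; port="$3"
    tcpdump -l -n -i "$iface" "$(bpf_filter "$host" "$port")"
}

# Capture HTTP to a pcap first (stop with Ctrl-C), then extract POST bodies
# with tshark. Keeping the pcap lets you re-run different display filters
# later, and -s 0 records whole packets. Port 80 is assumed here.
capture_posts() {
    iface="$1"; host="$2"; pcap="$3"
    tcpdump -n -i "$iface" -s 0 -w "$pcap" 'tcp port 80'
    tshark -r "$pcap" -Y "$(post_filter "$host")" \
        -T fields -e ip.src -e http.host -e http.request.uri -e http.file_data
}
```

Usage: `monitor eth0 22.214.171.124 53` or `capture_posts eth0 djlab.com /root/posts.pcap`; the pcap and the extracted bodies contain plaintext credentials, so keep them root-only.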