Sniff packets using tcpdump

Question

I have a completely noob question. I want to see all packets that come to my computer from particular site (google.com). So I start tcpdump

sudo tcpdump -i eth0 host google.com

and enter google.com in a browser and hit enter - nothing gets captured. I can't figure out why it happen. What do I do wrong?

Edit

It appeared that I was listening to the wrong interface. I had changed eth0 to any and it worked. It was ppp1 that needed listening. Thanks for your answers!

Your command above works ok for me on Ubuntu. Are you sure that eth0 is the port you want to capture ? — user9517, Jan 02 '11 at 17:19

score 3 · Accepted Answer · answered Jan 02 '11 at 17:17

3

There are several possibilities.

1- You are listening on the wrong the interface eth0, eth1, etc.

2- You did not wait enough for the packets to show up. Packets are not shown immediately unless you specify -n to disable name resolution.

3- You are filtering based on the wrong IP address as suggested by "Nathan Adams".

answered Jan 02 '11 at 17:17

Khaled

36,533
8
72
99

You might want to also try adding "port 80" instead of a host, at least until you can figure out what the correct IP address is. – jftuga Jan 02 '11 at 17:30
You're right - I changed `eth0` to `any` and it worked. I figured out that it was ppp1, not eth0 that needed to be listened – Denys Kniazhev-Support Ukraine Jan 02 '11 at 17:43

score 0 · Answer 2 · answered Jan 02 '11 at 17:12

It's probably filtering the wrong address because google.com has multiple addresses.

Try something simpler like:

tcpdump -i eth0 host 8.8.8.8
dig google.com @8.8.8.8


11:11:01.488442 IP 192.168.128.203.45665 > google-public-dns-a.google.com.domain: 32923+ A? google.com. (28)
11:11:01.512304 IP google-public-dns-a.google.com.domain > 192.168.128.203.45665: 32923 6/0/0 A iy-in-f105.1e100.net,[|domain]

Sniff packets using tcpdump

Edit

2 Answers2