Questions tagged [tcpdump]
466 questions
tcpdump is a CLI tool for capturing and displaying packets sent and received by network devices.
0 votes, 1 answer
Analyze Packet Loss Bursts
I need to analyze packet loss bursts in TCP streams. Given a number X, a packet loss burst is when more than X consecutive packets got lost. So I have a pcap file and need to count how many bursts there were and what was the duration of each.
Tried…

asked by nmnir
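One way to count bursts of the kind the question describes, as an added example that is not part of the question or its answer. It works on a list of (timestamp, sequence number, payload length) tuples extracted from one direction of the stream and assumes the capture was taken on the receiving side, so bytes that never show up before a later segment were lost upstream of the capture point, and that the sender uses a fixed segment size MSS (hypothetical value below) so a hole of N*MSS bytes counts as N lost segments. Retransmissions that later fill a hole are ignored rather than treated as new data. The sample stream is constructed.

```python
"""Find packet-loss bursts in one direction of a TCP stream (added example).

Assumptions: receiver-side capture, fixed segment size MSS, and holes in
sequence space that are never filled before the next new segment count
as lost segments. Retransmissions are skipped, not counted as new data.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    ts: float      # capture timestamp, seconds
    seq: int       # TCP sequence number of the first payload byte
    length: int    # payload length in bytes


MSS = 1000  # assumed fixed segment size (hypothetical; take it from the capture in practice)


def find_bursts(segments, x, mss=MSS):
    """Return [(start_ts, end_ts, lost_segments)] for every hole of more than x segments.

    start_ts is the last segment seen before the hole, end_ts the first segment
    after it; their difference is the burst duration the question asks for.
    """
    bursts = []
    expected = None   # next sequence number we expect to see
    last_ts = None
    for seg in sorted(segments, key=lambda s: s.ts):
        if expected is None:                  # first segment: nothing to compare against
            expected, last_ts = seg.seq + seg.length, seg.ts
            continue
        if seg.seq > expected:                # hole: bytes [expected, seg.seq) never arrived
            lost = (seg.seq - expected) // mss
            if lost > x:
                bursts.append((last_ts, seg.ts, lost))
        if seg.seq + seg.length > expected:   # advance only on new data, not on retransmits
            expected = seg.seq + seg.length
        last_ts = seg.ts
    return bursts


def sample_segments():
    """Constructed stream: a 3-segment hole, a late retransmission, then a 4-segment hole."""
    return [
        Segment(0.00, 1, MSS),
        Segment(0.01, 1001, MSS),
        Segment(0.02, 2001, MSS),
        Segment(0.06, 6001, MSS),     # 3001..6000 missing -> 3 lost segments
        Segment(0.07, 3001, MSS),     # retransmission of part of the hole, ignored
        Segment(0.08, 7001, MSS),
        Segment(0.14, 12001, MSS),    # 8001..12000 missing -> 4 lost segments
    ]


def burst_report(segments, x):
    """(number of bursts, [durations in seconds]) for a threshold of x segments."""
    bursts = find_bursts(segments, x)
    return len(bursts), [round(end - start, 3) for start, end, _ in bursts]


if __name__ == "__main__":
    print(find_bursts(sample_segments(), x=2))   # two bursts for x=2
    print(burst_report(sample_segments(), x=2))
```

To feed real data in, export one direction of the stream with something like `tshark -r dump.pcap -Y 'tcp.stream == 0 && ip.src == SENDER' -T fields -e frame.time_epoch -e tcp.seq -e tcp.len` and build Segment objects from the columns. Note that on a sender-side capture no holes appear at all; loss shows up there only as retransmissions, which needs a different heuristic.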
0 votes, 1 answer
How to check for firewall drops in WireShark
We have an application setup across two servers. The application is failing because a firewall is blocking communication between the two servers. I need a way to figure out every single port that is being blocked so that I can request for those…

asked by souser
0 votes, 0 answers
Why is tcpdump not capturing TLS packets on port 443?
I am using the following command:
sudo tcpdump -vvv -A -XX -i any -w dump.pcap
I can see several TCP packets coming from and going to the expected IP addresses on port 443. Nevertheless, I am not able to see the TLS packets sent during the SSL…

asked by rreyes1979
0 votes, 1 answer
tcpdump: Traffic between localhost:[src-port:dst-port]
I'd like to get HTTP traffic between localhost:8081 and localhost:8080.
I need HTTP headers and body.
I've tried some commands but everything is complicated and I can't quite figure out what I'm doing exactly.
Any ideas?

asked by Jordi
0 votes, 1 answer
tcpdump get requesting IP
We are tracking HTTP usage (mainly for our intranet) and I've been able to track it using the following on our OpenWrt router:
tcpdump -i wlan1 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | grep 'GET\|Host' >> /mnt/jlt/wlan1
This…

asked by Jeff
0 votes, 1 answer
Linux: get all connect calls for a local port
I have an SSH tunnel through which a client is connecting to a server. Using Wireshark, I could see a periodic SSH connection besides the keepalive, but I am unable to obtain the process (pid) that's causing this traffic.
I used ss -ntap -o state…

asked by iamauser
0 votes, 1 answer
How do I filter tcpdump results based on a missing header?
My HAProxy adds 'X-Proto: SSL' as a header to requests that are over HTTPS.
I'd like to use tcpdump to see the 'Host:' header of all requests that do not have that 'X-Proto: SSL' header.
Here's what a sample request looks like with it (captured with…

asked by nowthatsamatt
0 votes, 1 answer
How to collect HTTP data in Wireshark from a remote Linux host?
I am trying to collect HTTP requests and responses from a remote host using Wireshark over an SSH tunnel. So I have a Windows host with Wireshark on it, and a Linux host with tcpdump on it and a web server listening on port 5000.
I execute tcpdump on the…

asked by Mohammed Noureldin
0 votes, 1 answer
tcpdump host unreachables for specific host
I'm trying to rule out some issues and need to capture all ICMP messages except echo/echo reply. However, the issue I'm struggling to find a way around is that I only want those involving a particular host.
The filter I've been trying is
tcpdump icmp…

asked by Cameron Moody
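Both the GET filter in the "tcpdump get requesting IP" question above and the ICMP filter this question is after rely on tcpdump's byte-offset syntax, where `tcp[...]` and `icmp[...]` index from the start of the transport header, so libpcap has to skip a variable-length IPv4 header (IHL) before the offsets mean anything. The following added example (not from either question or answer) reproduces that evaluation by hand on constructed frames: the GET expression `tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420` and the ICMP expression `icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply` (the latter combined with `host <addr>` is the usual spelling of what this question wants). Addresses, ports, payloads and checksums are all made up; checksums are left zero because nothing here validates them.

```python
"""Evaluate two tcpdump byte-offset filters by hand on constructed packets (added example).

  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420       first 4 payload bytes == "GET "
  icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
Both index from the transport header, so the IPv4 header length (IHL) is honoured first.
"""
import struct

ETH_HDR = b"\x00" * 12 + b"\x08\x00"          # constructed Ethernet header, EtherType IPv4
IP_OPTS = b"\x01\x01\x01\x01"                  # 4 bytes of NOP options -> IHL 6 instead of 5
TCP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp option -> data offset 8


def build_ipv4(proto, payload, options=b""):
    """Constructed IPv4 header (RFC 791 layout), IHL derived from the options length."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5]))
    return ETH_HDR + hdr + options + payload


def build_tcp(payload, options=b""):
    """Constructed TCP header, data-offset nibble derived from the options length."""
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


def transport(frame):
    """(protocol number, bytes from the transport header onward) for an IPv4 frame."""
    ip = frame[len(ETH_HDR):]
    if ip[0] >> 4 != 4:                 # not IPv4: tcp[]/icmp[] indexing does not apply
        return None, b""
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes, including options
    return ip[9], ip[ihl:]


def tcp_is_http_get(tcp):
    # tcp[12:1] is the data-offset byte; its high nibble is the header length in
    # 32-bit words, so (byte & 0xf0) >> 2 is the header length in bytes.
    data_off = (tcp[12] & 0xF0) >> 2
    return tcp[data_off:data_off + 4] == b"GET "      # 0x47455420 big-endian


def icmp_is_not_echo(icmp):
    # icmp[icmptype] is byte 0 of the ICMP header; icmp-echoreply = 0, icmp-echo = 8.
    return icmp[0] not in (0, 8)


def matches_get_filter(frame):
    proto, seg = transport(frame)
    return proto == 6 and len(seg) >= 20 and tcp_is_http_get(seg)


def matches_icmp_filter(frame):
    proto, msg = transport(frame)
    return proto == 1 and len(msg) >= 1 and icmp_is_not_echo(msg)


def sample_frames():
    """Constructed frames exercising IP options, TCP options and both ICMP cases."""
    get = build_tcp(b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", TCP_OPTS)
    post = build_tcp(b"POST /login HTTP/1.1\r\n\r\n")
    return {
        "get_with_options": build_ipv4(6, get, IP_OPTS),
        "post": build_ipv4(6, post),
        "unreachable": build_ipv4(1, bytes([3, 1, 0, 0]) + b"\x00" * 4),   # type 3, code 1
        "echo_request": build_ipv4(1, bytes([8, 0, 0, 0]) + b"\x00" * 4),  # type 8
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, matches_get_filter(frame), matches_icmp_filter(frame))
```

The frame with both IP and TCP options is the interesting one: a filter that hard-coded offset 20 for the payload would miss that GET, which is why the expression derives the offset from the data-offset nibble. Two caveats from pcap-filter(7) worth remembering when such filters silently match nothing: `tcp[...]`, `icmp[...]` and friends apply to IPv4 only, and they only see the first fragment of a fragmented datagram.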
0 votes, 1 answer
Why does TCP request packet contain ACK flag?
I am very new to the low level of TCP and I am trying tcpdump with a simple socket server and client program.
The server and client follow two steps:
Server and client make a connection.
Client sends a string message.
The below is the output of…

asked by asleea
0 votes, 1 answer
What data is not available for tcpdump unlike interface statistics tools?
I'm analyzing the logs on a specific interface and wondering why this command, during a small load test:
tcpdump -i enp21s0f0 -s0 -w /tmp/dump2.cap
caught only 75 MB, when
ethtool -S enp21s0f0 / ifconfig enp21s0f0
showed about 80 MB of data (I…

asked by John
0 votes, 1 answer
tcpdump not intercepting DHCP ACK
I have a router running LEDE with tcpdump installed:
tcpdump --version
# tcpdump version 4.9.0
# libpcap version 1.8.1
When I run it like so:
tcpdump -vnes0 -i eth0 port 67 or port 68
I can see
00:00:24.122791 00:00:00:00:69:6f >…

asked by Nicu Tofan
0 votes, 0 answers
Webserver cannot ping external
I want our webserver to be accessible from the outside world. We have a static IP, 176.35.XXX.XXX, which is accessible when on the same network as the webserver, but times out externally.
When accessing this IP address externally I can see that…

asked by Lee
0 votes, 1 answer
Accessing webserver remotely (contains tcpdump)
Total noob here, so apologies in advance for missing out any key details.
We have a web server which is accessible locally on 192.168.2.1. It is also accessible locally on 176.XXX.XXX.XXX, which is obviously an external IP.
When accessing the external…
0 votes, 0 answers
endless SYN_RECV coming in on ipv4 interface w/ tcp6 protocol... syn flood attempt?
I've moved the sites I host to a new machine, and am waiting for all traffic to go away on the old one before I shut it off. The host is Fedora 24 running on Linode. So I notice there is only one IP number now hitting the machine, continuously,…

asked by zzzeek