In the world of network administration and troubleshooting, there are countless moments when you need to verify connectivity. Is a specific client successfully reaching a server on a designated port? Is the server responding? Or is something silently dropping the packets? For these scenarios, the command-line tool `tcpdump` is an invaluable asset: powerful, versatile, and readily available on most Unix-like systems.
Let’s break down how to use `tcpdump` to monitor whether a particular client (e.g., `192.168.6.1`) is connecting, or attempting to connect, to a specific server port (e.g., `7210`).
The Core Command:

```bash
sudo tcpdump -i any -vv -nn tcp port 7210 and host 192.168.6.1
```
Let’s dissect this command to understand each component:

- `sudo`: `tcpdump` captures network packets at a low level, which typically requires superuser privileges.
- `-i any`: This option tells `tcpdump` to listen on any available network interface. This is convenient if you’re unsure which interface the traffic will use (e.g., `eth0`, `ens192`, `wlan0`) or if the server has multiple interfaces. For more targeted sniffing on busy servers, you might replace `any` with a specific interface name (e.g., `-i eth0`).
- `-vv`: This controls the verbosity of the output.
  - `-v`: Verbose output (e.g., includes details like TTL, IP ID, total length).
  - `-vv`: More verbose output (e.g., includes additional fields from NFS reply packets).
  - `-vvv`: Even more verbose output (maximum verbosity).
  For connection monitoring, `-v` or `-vv` is usually sufficient.
- `-nn`: This option tells `tcpdump` to avoid resolving IP addresses to hostnames (the first `-n`) and port numbers to service names (the second `-n`).
  - The first `-n` prevents DNS lookups for IP addresses, which can be slow and generate extra network traffic you don’t want to capture.
  - The second `-n` ensures ports are shown as numbers (e.g., `7210` instead of a potential, but perhaps unlisted, service name). This is generally preferred for clarity and speed when you know the port number you’re looking for.
- `tcp`: This is a crucial filter. It specifies that we are only interested in packets using the TCP protocol. This filters out UDP, ICMP, and other types of traffic.
- `port 7210`: This filter instructs `tcpdump` to capture traffic where either the source or destination port is `7210`.
- `and`: This is a logical operator used to combine filter expressions. Both conditions around it must be true for a packet to be captured.
- `host 192.168.6.1`: This filter narrows the capture to traffic where either the source or destination IP address is `192.168.6.1`.
What to Look For in the Output:

When the client attempts to connect, you’re primarily looking for the TCP three-way handshake:

- SYN: The client (`192.168.6.1`) sends a packet with the SYN (synchronize) flag set to the server’s IP on port `7210`.
  - Example: `IP 192.168.6.1.54321 > your_server_ip.7210: Flags [S], ...`
- SYN-ACK: If the server is listening on port `7210` and accepts the connection, it responds with a packet having both the SYN and ACK (acknowledgment) flags set.
  - Example: `IP your_server_ip.7210 > 192.168.6.1.54321: Flags [S.], ...`
- ACK: The client acknowledges the server’s response by sending a packet with the ACK flag set.
  - Example: `IP 192.168.6.1.54321 > your_server_ip.7210: Flags [.], ...`

After this, you’ll see packets with data (`Flags [P.]` for PSH-ACK) or just acknowledgments (`Flags [.]`).
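Reading handshake flags by eye works for a handful of lines, but a busy capture makes it easy to miss a SYN that was never answered. The following script is an added example, not part of the original article: it parses the `src.port > dst.port: Flags [...]` portion of `tcpdump -nn` output, groups packets by the client’s ephemeral port, and classifies each connection attempt as established, half-open, unanswered (the "silently dropped" case from the introduction), or refused by an RST (the `R` flag, which `tcpdump` prints when the server actively rejects the connection; that case goes slightly beyond the handshake lines shown above). The sample lines are constructed for the example, and `10.0.0.5` is a placeholder standing in for `your_server_ip`.

```python
import re

# Constructed sample output (not a real capture). The format mirrors what
# `tcpdump -nn` prints for TCP packets. Three attempts from 192.168.6.1
# to port 7210 on the placeholder server 10.0.0.5:
#   client port 54321 -> full three-way handshake, then data
#   client port 54322 -> SYN retransmitted three times, never answered
#   client port 54323 -> answered with RST (nothing listening on the port)
SAMPLE_OUTPUT = """\
12:00:00.000001 IP 192.168.6.1.54321 > 10.0.0.5.7210: Flags [S], seq 1000, win 64240, length 0
12:00:00.000120 IP 10.0.0.5.7210 > 192.168.6.1.54321: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.000250 IP 192.168.6.1.54321 > 10.0.0.5.7210: Flags [.], ack 1, win 502, length 0
12:00:00.000400 IP 192.168.6.1.54321 > 10.0.0.5.7210: Flags [P.], seq 1:21, ack 1, win 502, length 20
12:00:01.000000 IP 192.168.6.1.54322 > 10.0.0.5.7210: Flags [S], seq 3000, win 64240, length 0
12:00:02.000000 IP 192.168.6.1.54322 > 10.0.0.5.7210: Flags [S], seq 3000, win 64240, length 0
12:00:04.000000 IP 192.168.6.1.54322 > 10.0.0.5.7210: Flags [S], seq 3000, win 64240, length 0
12:00:05.000000 IP 192.168.6.1.54323 > 10.0.0.5.7210: Flags [S], seq 4000, win 64240, length 0
12:00:05.000100 IP 10.0.0.5.7210 > 192.168.6.1.54323: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" fragment of a tcpdump line.
PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(text):
    """Return (src, sport, dst, dport, flags) for every TCP line in the output.

    re.search rather than re.match is used so the fragment is found whether it
    sits on the same line as the timestamp (plain -nn output) or on the
    indented continuation line that -v/-vv output puts it on.
    """
    packets = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def summarize_handshakes(text, client_ip="192.168.6.1", server_port=7210):
    """Classify each connection attempt from client_ip to server_port.

    Returns {client_port: status_string}. Packets between other hosts or
    ports are ignored, mirroring the 'tcp port 7210 and host ...' filter.
    """
    attempts = {}
    for src, sport, dst, dport, flags in parse_packets(text):
        if src == client_ip and dport == server_port:
            key, direction = sport, "to_server"
        elif dst == client_ip and sport == server_port:
            key, direction = dport, "to_client"
        else:
            continue
        st = attempts.setdefault(key, {"syn": 0, "synack": False, "ack": False, "rst": False})
        if "R" in flags:                                   # RST from either side
            st["rst"] = True
        elif direction == "to_server" and "S" in flags:    # client SYN (counts retries)
            st["syn"] += 1
        elif direction == "to_client" and "S" in flags and "." in flags:  # server SYN-ACK
            st["synack"] = True
        elif direction == "to_server" and "." in flags and st["synack"]:  # client ACK
            st["ack"] = True

    result = {}
    for port, st in attempts.items():
        if st["rst"]:
            result[port] = "refused: RST received (nothing accepting on the port)"
        elif st["synack"] and st["ack"]:
            result[port] = "established: full three-way handshake"
        elif st["synack"]:
            result[port] = "half-open: SYN-ACK seen but no client ACK"
        elif st["syn"]:
            result[port] = f"no response: {st['syn']} SYN(s) unanswered (dropped or filtered)"
        else:
            result[port] = "no SYN captured (attempt began before the capture?)"
    return result


if __name__ == "__main__":
    for port, status in sorted(summarize_handshakes(SAMPLE_OUTPUT).items()):
        print(f"client port {port}: {status}")
```

Feeding a live capture in is a matter of `sudo tcpdump -i any -nn -l tcp port 7210 and host 192.168.6.1 | python3 this_script.py` with the loop reading `sys.stdin` instead of `SAMPLE_OUTPUT`; `-l` line-buffers the output so lines arrive as packets are seen. Repeated SYNs with no reply point at a firewall or routing problem between the hosts, while an RST means the packets arrived but nothing accepted them.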
Further `tcpdump` Tips:

Save the output in Wireshark format:

```bash
sudo tcpdump -i any -vv -nn -w capture.pcap tcp port 7210 and host 192.168.6.1
```