Bash one liners: Keeping an Eye on Connections: Using tcpdump to Monitor Client-Server Port Activity

In the world of network administration and troubleshooting, there are countless moments when you need to verify connectivity. Is a specific client successfully reaching a server on a designated port? Is the server responding? Or is something silently dropping the packets? For these scenarios, the command-line tool tcpdump is an invaluable asset – powerful, versatile, and readily available on most Unix-like systems.

Let’s break down how to use tcpdump to monitor if a particular client (e.g., 192.168.6.1) is connecting or attempting to connect to a specific server port (e.g., 7210).

The Core Command:

sudo tcpdump -i any -vv -nn tcp port 7210 and host 192.168.6.1

Let’s dissect this command to understand each component:

• sudo tcpdump captures network packets at a low level, which typically requires superuser privileges.
• -i any: This option tells tcpdump to listen on any available network interface. This is convenient if you’re unsure which interface the traffic will use (e.g., eth0, ens192, wlan0) or if the server has multiple interfaces. For more targeted sniffing on busy servers, you might replace any with a specific interface name (e.g., -i eth0).
• -vv: This controls the verbosity of the output.
  • -v: Verbose output (e.g., includes details like TTL, IP ID, total length).
  • -vv: More verbose output (e.g., includes additional fields from NFS reply packets).
  • -vvv: Even more verbose output (maximum verbosity). For connection monitoring, -v or -vv is usually sufficient.
• -nn: This option tells tcpdump to avoid resolving IP addresses to hostnames (-n) and port numbers to service names (-n).
  • The first -n prevents DNS lookups for IP addresses, which can be slow and generate extra network traffic you don’t want to capture.
  • The second -n ensures ports are shown as numbers (e.g., 7210 instead of a potential, but perhaps unlisted, service name). This is generally preferred for clarity and speed when you know the port number you’re looking for.
• tcp: This is a crucial filter. It specifies that we are only interested in packets using the TCP protocol. This filters out UDP, ICMP, and other types of traffic.
• port 7210: This filter instructs tcpdump to capture traffic where either the source or destination port is 7210.
• and: This is a logical operator used to combine filter expressions. Both conditions around it must be true for a packet to be captured.
• host 192.168.6.1: This filter narrows the capture to traffic where either the source or destination IP address is 192.168.6.1.

What to Look For in the Output:

When the client attempts to connect, you’re primarily looking for the TCP three-way handshake:

1. SYN: The client (192.168.6.1) sends a packet with the SYN (synchronize) flag set to the server’s IP on port 7210.
   • Example: IP 192.168.6.1.54321 > your_server_ip.7210: Flags [S], ...
2. SYN-ACK: If the server is listening on port 7210 and accepts the connection, it responds with a packet having both SYN and ACK (acknowledgment) flags set.
   • Example: IP your_server_ip.7210 > 192.168.6.1.54321: Flags [S.], ...
3. ACK: The client acknowledges the server’s response by sending a packet with the ACK flag set.
   • Example: IP 192.168.6.1.54321 > your_server_ip.7210: Flags [.], ...

After this, you’ll see packets with data (Flags [P.] for PSH-ACK) or just acknowledgments (Flags [.]).

Further tcpdump Tips:

Save the output in Wireshark format

sudo tcpdump -i any -vv -nn -w capture.pcap tcp port 7210 and host 192.168.6.1