Quick Tip: Sniffing packets for fun and profit

When it comes to analyzing network problems, debugging client/server communication or just monitoring network traffic, a protocol analyzer (packet sniffer) is king.

There are a number of packet sniffers out there; two of the most popular are Wireshark (formerly Ethereal) and tcpdump. Tshark is the console (command line) version of Wireshark.

Running a packet sniffer on even a moderately busy network will produce a ton of output, so the use of filters is a must. Since both Wireshark (and tshark) and tcpdump use the pcap library (libpcap on UNIX and WinPcap on Windows), they share the same capture filter syntax.

There are lots of filter options. Filters can be combined with the logical operators "and", "not" and "or".

The basic example below captures DNS (port 53) traffic going to and from host 192.168.1.5:

tshark -i eth1 port 53 and host 192.168.1.5

When multiple logical operators are used, filter syntax can get confusing. Parentheses can be used to group filter statements to make them easier on the eye.

The more complex example below captures all traffic to/from hosts 192.168.1.4 and 192.168.1.5 except HTTP (port 80) and SMTP (port 25):

tshark -i eth1 '(host 192.168.1.4 or host 192.168.1.5) and not (port 80 or port 25)'

Please note that if I hadn't enclosed the filter statement above in quotes, the shell would have tried to evaluate the parentheses itself, returning an error similar to:

-sh: syntax error near unexpected token `('

Enclosing the filter statement in quotes tells the shell to pass it along as a single argument without evaluating it.
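To tie the grouping and quoting points together, here is an added shell example (not from the original post, and not part of tshark or tcpdump). It builds the same kind of "(host ... or host ...) and not (port ... or port ...)" capture filter from a list of hosts and a list of excluded ports, then shows why the quotes matter by counting how many arguments the shell hands to a command when the filter is quoted versus unquoted. The helper names build_filter and count_args are this example's own; the hosts and ports are the ones used in the post.

```shell
#!/bin/sh
# Added example: assemble a pcap (BPF) capture filter and show the effect of
# shell quoting on how it reaches tshark/tcpdump. build_filter and count_args
# are helpers invented for this example, not options of either tool.

# build_filter HOSTS EXCLUDE_PORTS
#   HOSTS:         space-separated hosts, e.g. "192.168.1.4 192.168.1.5"
#   EXCLUDE_PORTS: space-separated ports to drop, e.g. "80 25"
# Prints a filter of the form: (host A or host B) and not (port X or port Y)
build_filter() {
  hosts=$1
  ports=$2
  hf=""
  for h in $hosts; do
    if [ -z "$hf" ]; then hf="host $h"; else hf="$hf or host $h"; fi
  done
  pf=""
  for p in $ports; do
    if [ -z "$pf" ]; then pf="port $p"; else pf="$pf or port $p"; fi
  done
  # Parentheses group each "or" chain so the "and not" applies to the whole chain.
  if [ -n "$hf" ] && [ -n "$pf" ]; then
    printf '(%s) and not (%s)\n' "$hf" "$pf"
  elif [ -n "$hf" ]; then
    printf '%s\n' "$hf"
  elif [ -n "$pf" ]; then
    printf 'not (%s)\n' "$pf"
  fi
}

# count_args: prints the number of arguments it received. Stands in for tshark
# so we can see whether the filter arrives as one argument or many.
count_args() {
  echo $#
}

FILTER=$(build_filter "192.168.1.4 192.168.1.5" "80 25")
echo "Filter:   $FILTER"

# Quoted: the whole filter is one argument, exactly what tshark -i eth1 '...' receives.
echo "Quoted:   $(count_args "$FILTER") argument(s)"
# Unquoted: the shell splits the value on whitespace into 12 separate words.
# (Expanding a variable does not re-parse "(" as syntax, so there is no error here;
# the syntax error in the post comes from typing the parentheses literally on the
# command line without quotes.)
echo "Unquoted: $(count_args $FILTER) argument(s)"

# Real use, not executed here so the example runs without an interface:
#   tshark -i eth1 "$FILTER"
```

The practical rule the counts illustrate: always pass a filter that contains parentheses as one quoted string, whether it is typed literally or comes from a variable, so the shell never sees the parentheses as its own syntax and tshark receives the expression intact.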
