In this post we will show the steps to capture and view network traffic on a local Ubuntu machine. This is useful when we need to check the ingress and egress traffic of a specific application.
For this post we will use the "application" curl.
Capturing
We start by capturing the traffic using tcpdump. tcpdump writes a dump of all the network packets seen on a specific interface, or only those exchanged with a specific host. For this example we will capture all traffic on one interface. To get the list of interfaces on the machine, use the command:
ip a
and then run tcpdump, for example:
sudo tcpdump -i enp0s31f6 -w dump.pcap
Notice that tcpdump gets two arguments here: -i with the interface name, and -w with the pcap output file that will hold the captured packets. tcpdump keeps capturing traffic until we stop it with Ctrl+C.
We keep tcpdump running, and in another terminal we run our application:
curl http://ynet.co.il
Now we can stop the capture with Ctrl+C, and dump.pcap holds the captured network packets.
Viewing
The most common application for viewing a pcap file is Wireshark. To install it, use the following command:
sudo apt install wireshark
And then run it:
sudo wireshark
(Opening an existing pcap file does not require root; sudo is only needed when capturing live traffic from within Wireshark.)
In Wireshark, select File, then Open, and choose the dump.pcap file.
This displays all the captured packets, but in most cases we just want to see the HTTP packets, so in the Wireshark display filter bar type http and press Enter.
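As an added example (not part of the original post), here is a small Python reader that does on a dump.pcap written by tcpdump what the http display filter does in Wireshark: it walks the pcap records, decodes Ethernet/IPv4/TCP, and returns the first line of every HTTP request or response. It assumes the classic pcap format with an Ethernet link type, which is what tcpdump -i <interface> -w writes; the embedded capture and its addresses are constructed for the example, not taken from a real capture.

```python
import struct

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"HTTP/")

def iter_frames(pcap):
    """Yield link-layer frames from a classic pcap file (the format tcpdump -w writes)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:   # 1 = DLT_EN10MB
        raise ValueError("expected a classic pcap file with Ethernet link type (pcapng not handled)")
    off = 24                                                # skip the 24-byte global header
    while off + 16 <= len(pcap):                            # 16-byte per-packet record header
        incl_len = struct.unpack(order + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):  # -> (src, sport, dst, dport, payload) for IPv4/TCP frames, else None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                          # IP protocol 6 = TCP
        return None
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]                                 # drop any Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]  # data offset skips TCP options

def http_lines(pcap):  # equivalent of Wireshark's 'http' display filter, one line per message
    out = []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[4].startswith(HTTP_STARTS):
            src, sport, dst, dport, payload = seg
            first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            out.append(f"{src}:{sport} -> {dst}:{dport}  {first}")
    return out

# --- constructed sample capture (not a real tcpdump file; checksums left zero) ---
def _frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip                  # zeroed MACs + EtherType IPv4

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in [
        _frame("192.168.1.10", 43210, "203.0.113.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        _frame("203.0.113.7", 80, "192.168.1.10", 43210, b""),             # bare ACK, filtered out
        _frame("203.0.113.7", 80, "192.168.1.10", 43210, b"HTTP/1.1 200 OK\r\n\r\n"),
    ])
```

To run it against the capture from this post, replace SAMPLE_PCAP with the contents of dump.pcap read in binary mode.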