tcpdump

tcpdump is a Linux application that lets you capture packets as they are received by the server. The Windows equivalent is Wireshark.

At the most basic level you can simply run tcpdump on the command line, but it will spray a lot of output in a few short seconds. To filter the packets, we can specify a particular protocol such as ICMP (tcpdump icmp).

The first step is to generate some traffic for tcpdump to capture; a simple ICMP ping against the server's IP address will do.

64 bytes from [IP address of source]: icmp_seq=0 ttl=53 time=17.563 ms


This is what tcpdump shows on screen; we can see the ping request arriving at the server IP, followed by the server's reply:

15:16:42.424103 IP [IP address of source] > [Server IP]: ICMP echo request, id 17412, seq 0, length 64
15:16:42.424137 IP [Server IP] > [IP address of source]: ICMP echo reply, id 17412, seq 0, length 64

By default this captures on a single interface, eth0. To capture traffic from another interface such as eth1, we specify the interface directly with the -i flag:

tcpdump -i eth1 icmp

The above line still captures ICMP packets to the server, but only on the second interface, eth1.


We can also go further and save the packets directly to a file rather than watching them scroll past on the command prompt, using the -w flag:

tcpdump -i eth1 -w capture icmp

The last step is to read the file we created, using the same command with the -r flag:

tcpdump -r capture

The file written by -w is in binary pcap format, not text, so read it back with tcpdump -r (or open it in Wireshark) rather than with a text editor.
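As an added example (not from the original post), here is a small shell helper that post-processes the text tcpdump prints for ICMP, for instance from tcpdump -n -r capture icmp, and reports which echo requests were answered; the sample lines are constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of tcpdump's text output for ICMP (not a real capture);
# the format matches what "tcpdump -n -r capture icmp" prints.
SAMPLE='15:16:42.424103 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 17412, seq 0, length 64
15:16:42.424137 IP 198.51.100.5 > 192.0.2.10: ICMP echo reply, id 17412, seq 0, length 64
15:16:43.425001 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 17412, seq 1, length 64
15:16:44.100000 IP 203.0.113.7 > 198.51.100.5: ICMP echo request, id 9001, seq 0, length 64'

# icmp_echo_summary (assumed name): reads tcpdump lines on stdin and prints
# one line per "id/seq" key: paired, unanswered (request with no reply) or
# unsolicited (reply with no matching request).
icmp_echo_summary() {
    awk '
        /ICMP echo (request|reply), id [0-9]+, seq [0-9]+,/ {
            match($0, /id [0-9]+, seq [0-9]+/)
            key = substr($0, RSTART, RLENGTH)              # "id 17412, seq 0"
            sub(/^id /, "", key); sub(/, seq /, "/", key)   # -> "17412/0"
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            if ($0 ~ /echo request/) req[key] = 1; else rep[key] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if ((k in req) && (k in rep)) s = "paired"
                else if (k in req)            s = "unanswered"
                else                          s = "unsolicited"
                print k, s
            }
        }'
}

# capture_echo_summary (assumed name): same report straight from a file
# written with -w, using -r to read it and -n to keep addresses numeric.
capture_echo_summary() {
    tcpdump -n -r "$1" icmp | icmp_echo_summary
}

printf '%s\n' "$SAMPLE" | icmp_echo_summary
```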