Wireshark is a powerful tool, but it has its limitations. Unless you have professional networking equipment, it’s hard to analyze traffic that doesn’t involve your computer. Sometimes the easiest solution is to use tcpdump to capture traffic on the remote server, and then run Wireshark to take a look at it.
- 1 What are Wireshark and tcpdump?
- 2 SolarWinds takes Wireshark to the next level
- 3 Before you begin
- 4 Capturing packets with tcpdump
- 5 Copying a tcpdump session for analysis
- 6 Analyzing a captured tcpdump session with Wireshark
- 7 Using command line options for tcpdump
- 8 Using capture filters for tcpdump
- 9 Using filter files for tcpdump
- 10 Wireshark and tcpdump
What are Wireshark and tcpdump?
Wireshark is a protocol analyzer, a piece of software that captures and presents the data flowing across your network in a readable way. Using Wireshark, you can analyze input and output from network services and web applications.
While Wireshark does a great job of capturing every packet that flows past it, in some cases you’ll need to analyze a session from a remote server. Unless you have special networking equipment, this can be difficult. Sometimes it’s easier to capture traffic on the remote server, then analyze it on your desktop.
tcpdump is a command line packet analyzer. It’s not as easy to use as Wireshark, but it’s just as capable of capturing traffic. Since tcpdump runs in a terminal mode, it’s possible to launch it through an SSH session. With the proper command line options, you can export a tcpdump session that’s compatible with Wireshark.
SolarWinds takes Wireshark to the next level
Wireshark and tcpdump are powerful utilities, but they have some weak spots. In particular, it’s very tough to pinpoint problems with latency across your network using Wireshark out of the box. For instance, you might be suffering from high ping times on your LAN, and there’s not much Wireshark can do to help.
In that case, I recommend SolarWinds Response Time Viewer for Wireshark. This plugin extends Wireshark, enabling you to diagnose the cause of ping spikes and overall slow network speed.
SolarWinds also makes an excellent all-in-one solution for your network. It’s called the Network Performance Monitor (NPM), and it makes administering a network much easier. For example, using SolarWinds Network Performance Monitor, you can monitor and manage your wireless LAN, generate a performance baseline, and get real-time security alerts.
SolarWinds Network Performance Monitor is available to try risk-free for 30 days. Sign up here for free.
Before you begin
In order to follow the directions in this guide, you’ll need the following:
- A remote computer with an SSH server and tcpdump installed
- Root access
- Services that generate network traffic, like Apache or node.js, running on the remote computer
- A local computer with an SSH client and Wireshark installed
The goal is to use tcpdump on the remote computer, through SSH, to capture network traffic. Then the captured traffic can be copied to the local computer for analysis with Wireshark.
This is useful when you don’t have physical access to the remote computer or are running it ‘headless,’ i.e. without a keyboard and monitor.
Capturing packets with tcpdump
In order to capture traffic with tcpdump, you’ll need to connect to the remote computer through SSH. You will also need root access, otherwise the tcpdump won’t be able to capture traffic and you’ll see an error stating You don’t have permission to capture on that device.
Once you’ve connected, run the following command to start capturing traffic with tcpdump:
sudo tcpdump -s 0 -i eth0 -w tcpdump.pcap
The command line options I’ve used to capture this session will be explained below. In short, the above command will capture all traffic on the Ethernet device and write it to a file named tcpdump.pcap in a format compatible with Wireshark.
Once you’ve finished capturing traffic, end the tcpdump session with Ctrl+C. You’ll see a short readout displaying some information about the capture session.
Before you can copy the traffic from your remote computer to the local one for analysis with Wireshark, you’ll have to change the permissions. By default, tcpdump sessions captured by the root used can’t be copied. Use this command:
sudo chmod 644 tcpdump.pcap
That will allow you to copy the file to your local computer using scp, as outlined in the next step.
Copying a tcpdump session for analysis
Once you’ve finished a capture session with tcpdump, you’re left with a problem. How do you copy it to the machine running Wireshark for analysis? There are a lot of ways, but I think the easiest is with scp. Since you’ve already captured packets on a headless machine using SSH, everything you need to use scp is already installed and running.
Windows users will have to download pscp, then copy the file to C:\Windows\System32. Most Mac and Linux users already have everything they need.
In Mac or Linux, open a terminal window and run the following command to copy the session capture file:
scp username@IP.address:/path/to/file ./
Or in Windows, open PowerShell and run this command:
pscp.exe username@IP.address:/path/to/file .\
Substitute with your information where appropriate. You’ll be prompted to enter your password. The commands I used are in the screenshot above for reference.
Check to see that the file copied as expected, and you’re ready to analyze the tcpdump session with Wireshark.
Analyzing a captured tcpdump session with Wireshark
Analysis works the same as it does with any traditional Wireshark capture; the only thing you need to know is how to import the file.
Start Wireshark, then import the captured tcpdump session using File -> Open and browse for your file. You can also double-click the capture file to open it in Wireshark, as long as it has the *.pcap file extension. If you used the -w option when you ran tcpdump, the file will load normally and display the traffic.
In my case, I’m running an Apache server on the remote host, and I’m interested in looking at HTTP data. I set the appropriate Wireshark view filter, and I can browse the captured frames as usual.
As a test, I’ve embedded an element in the HTML code that’s not displayed on the page. I should be able to locate it in the data stream and view it with Wireshark.
As you can see, Wireshark is able analyze each frame and display the data just fine. The element I’ve hidden shows up in the example above. The capture process is a bit more involved when you use tcpdump, but everything in Wireshark works as usual.
Using command line options for tcpdump
Most of the time, when you launch tcpdump you’ll want some control over how you capture the packets and where you store the session. You can control things like that using command line options. These are some of the most useful command line options for tcpdump.
The -w command line option enables Wireshark compatible output. It takes a single variable, which is the output filename. Capture logs saved using this option won’t be human-readable outside of Wireshark, since they’re stored in binary rather than ASCII.
The -C command line option enables you to set a maximum file size in bytes. This option only works alongside -w. For example, the command tcpdump -C 1048576 -w capture.pcap specifies a maximum capture size of 1MB (1,048,576 bytes) output to the file capture.pcap.
If the session generates a larger amount of output, it will create new files to store it in. So a 3MB capture would generate capture.pcap, capture1.pcap, and capture2.pcap each with a file size of 1MB.
The -s command line option sets a maximum length for each packet in bytes, and truncates the packet when the maximum is reached. The command tcpdump -s 0 sets an unlimited length to ensure that the entire packet is captured.
The -i command line option specifies which network device you’d like tcpdump to monitor. If no interface is specified, it defaults to the lowest-numbered interface that is currently running.
The command line option tcpdump -list-interfaces will print a list of all interfaces that are available for tcpdump to attach to. Note that this doesn’t start a capture session, but it will give you a list of interfaces to use with the -i option above.
The -c command line option tells tcpdump to exit the session after capturing a specified number of packets.
The -n command line option instructs tcpdump not to resolve IP addresses to hostnames. This is useful when troubleshooting websites behind a load-balancing server, and in a handful of other cases when using a hostname would give ambiguous results.
tcpdump -v | -vv | -vvv
The three command line options, -v, -vv, and -vvv allow you to increase the verbosity of your capture session. -v will save TTL values for each packet, along with ToS information. -vv will output TTL and ToS along with additional information in NFS packets. And -vvv will log everything the first two options do, along with additional information from telnet sessions.
The -F command line option instructs tcpdump to use capture filters from the specified file. More information about writing a capture file can be found in the next section.
Using capture filters for tcpdump
Capture filters let you narrow down the data that tcpdump stores in a session. They’re a helpful way to make analysis a little easier and keep capture files small. Here are some of the most useful capture filters for tcpdump.
This filter specifies that only traffic to and from the target host should be captured. It takes an IP address or hostname as an argument.
The net filter will tell your computer to only capture traffic on a given subnet, and takes an IP address as an argument. For example, 192.168.1.0/24 specifies that traffic to or from all hosts on the subnet will be captured. Note that a subnet mask in slash notation is required.
Similar to host, this capture filter specifies that only traffic with a destination of the given host will be captured. It can also be used with net.
Like above, but this filter only captures traffic originating from the specified host or IP address. It can also be used with net.
This filter tells tcpdump to capture traffic to and from a given port number. For instance, port 443 will capture TLS traffic.
Similar to the port filter, portrange establishes a range of ports on which traffic is captured. To use the portrange filter, specify the starting port and ending port separated by a dash. For example, portrange 21-23.
The gateway filter specifies that your computer should only capture traffic that used a given hostname as a gateway. The hostname must be found in /etc/hosts.
The broadcast filter specifies that tcpdump should only capture traffic that is being broadcast to all hosts on a subnet.
This filter tells tcpdump to capture only multicast traffic on the host machine’s subnet.
Filters can be chained together using the and, or, or not operators. For instance, to capture all web traffic on a given host you could use the filter port 80 or port 443. Or you could capture all traffic on a given subnet except broadcast packets by using the filter net 192.168.1.0/24 and not broadcast.
It’s very common to use filter operators in practice since they provide an additional layer of granularity to your captures. You can capture exactly the traffic you need, without a lot of extra network chatter.
Complex expressions with multiple operators
Even more complex expressions can be built by surrounding multiple operations in single apostrophes and parentheses. For example, you can monitor all mail traffic, including SMTP, IMAP, IMAP over TLS, POP3, and POP3 over TLS, across multiple hosts and subnets, using a command like this:
tcpdump '(host 10.0.0.1 and net 192.168.1.0/24) and ((port 25 or port 143 or port 443 or port 993 or port 995))'
Complex expressions with multiple operators can be very useful, but they are typically saved to a filter file for reuse since a single typo will cause the capture to fail. Frequently, they’ll need to be prepared ahead of time and debugged.
Using filter files for tcpdump
The filters above can be run on the command line when tcpdump is launched, but often it’s useful to build a filter file. A filter file makes it easier to reproduce filter settings between captures since it is reusable. Here are the steps to writing and using a filter file.
Write the filter file
Filter files use exactly the same notation as the command line. They don’t require any special characters or magic numbers at the top of the file.
For instance, here’s a filter file I’ve written that will capture all web traffic outbound from my Apache server to a given host. In this case, the Chromebook I’m writing on.
As long as the file is readable by the user running tcpdump, the program will attempt to parse everything in the filter file and use it as a valid filter. When a filter file is used along with command line filtering, all command line filtering will be ignored.
Instruct tcpdump to use any given filter file using the -F command line option, followed by the path to the file. In the example above, the filter file is located in the same directory that I’m executing tcpdump in.
Here’s the raw output from the filtered session. You can see that the only packets being logged originate on port 80 or 443, and are outbound to the host at 192.168.1.181.
Once you see your filter is working as intended, capture a session to be analyzed with Wireshark using a command similar to this:
sudo tcpdump -i eth0 -s 0 -w wireshark.pcap -F filter-file
Wireshark and tcpdump
Unless you’re running a managed switch with an administration port, sooner or later you’ll need to capture traffic on a remote server. When Wireshark alone won’t do the job, Wireshark with tcpdump is a popular choice. The two work really well together and, with a few simple command line options, tcpdump will export capture sessions that can easily be analyzed in Wireshark.