Home / server / Questions / 335077
Accepted
Poni
Asked: 2011-11-27 15:04:59 +0800 CST

CentOS listen to everything on the wire

  • 772

I know there's a native command on linux that will output (to stdout) every "event" related to a certain network interface (be it eth0 etc').
Like there's tail -f <file> to listen on file changes..
I just can't find it.

I want to see all events, incoming packets, even dropped ones. At lowest level possible. In every protocol (TCP, UDP etc').
I think WireShark is a bit too big for this as I need something very simple just to see the events, it's for testing.

What's the command?

networking

3 Answers

  1. Best Answer

    You're talking about tcpdump, as other people have mentioned.

    There's also ngrep:

    $ yum info ngrep
Loaded plugins: fastestmirror, priorities
Available Packages
Name       : ngrep
Arch       : i386
Version    : 1.45
Release    : 2.el5.rf
Size       : 33 k
Repo       : dag
Summary    : Realtime network grep tool
URL        : http://ngrep.sourceforge.net/
License    : GPL
Description: ngrep is grep command that works on realtime network data.
           : 
           : ngrep strives to provide most of GNU grep's common features, applying
           : them to the network layer. ngrep is a pcap-aware tool that will allow
           : you to specify extended regular or hexadecimal expressions to match
           : against data payloads of packets. It currently recognizes TCP, UDP
           : and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null
           : interfaces, and understands bpf filter logic in the same fashion as
           : more common packet sniffing tools, such as tcpdump and snoop.

    which is sort of like grep on a network stream. It's not a standard package, but it can help you find the network traffic you're looking for.

    • 5

  2. TCPDUMP?

    [root@kerberos users]# tcpdump -i virbr0 port 22 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
18:15:00.629145 IP kerberos.example.com.ssh > 10.5.50.220.60680: Flags [P.], seq 723634149:723634341, ack 2691792940, win 145, options [nop,nop,TS val 2845703615 ecr 994376021], length 192
18:15:00.646606 IP 10.5.50.220.60680 > kerberos.example.com.ssh: Flags [.], ack 0, win 65535, options [nop,nop,TS val 994376068 ecr 2845703587], length 0
18:15:00.653646 IP 10.5.50.220.65416 > kerberos.example.com.ssh: Flags [.], ack 4059311404, win 33108, options [nop,nop,TS val 994376075 ecr 2845703594], length 0
18:15:00.659078 IP 10.5.50.220.65416 > kerberos.example.com.ssh: Flags [P.], seq 0:96, ack 1, win 33156, options [nop,nop,TS val 994376075 ecr 2845703594], length 96
18:15:00.660041 IP kerberos.example.com.ssh > 10.5.50.220.65416: Flags [P.], seq 1:129, ack 96, win 244, options [nop,nop,TS val 2845703645 ecr 994376075], length 128
18:15:00.676094 IP 10.5.50.220.60680 > kerberos.example.com.ssh: Flags [.], ack 192, win 65535, options [nop,nop,TS val 994376096 ecr 2845703615], length 0
18:15:00.706762 IP 10.5.50.220.65416 > kerberos.example.com.ssh: Flags [.], ack 129, win 33092, options [nop,nop,TS val 994376126 ecr 2845703645], length 0
18:15:00.712138 IP 10.5.50.220.65416 > kerberos.example.com.ssh: Flags [P.], seq 96:192, ack 129, win 33156, options [nop,nop,TS val 994376126 ecr 2845703645], length 96
18:15:00.713242 IP kerberos.example.com.ssh > 10.5.50.220.65416: Flags [P.], seq 129:257, ack 192, win 244, options [nop,nop,TS val 2845703699 ecr 994376126], length 128
18:15:00.760791 IP 10.5.50.220.65416 > kerberos.example.com.ssh: Flags [.], ack 257, win 33092, options [nop,nop,TS val 994376179 ecr 2845703699], length 0
    • 4

  3. I think you might be looking for tcpdump.

    • 2