Master tcpdump: Capture, Filter, and Analyze Network Traffic Like a Pro
Learn how to effectively use tcpdump for network packet capture, understand its syntax and expression filters, explore common parameters, and see practical examples of analyzing MySQL traffic and packet details, empowering you to troubleshoot network issues and perform deep packet analysis.
Introduction
tcpdump is a powerful network packet capture tool that can dump traffic on a network, allowing you to intercept and analyze data packets. Mastering tcpdump helps you troubleshoot packet loss, retransmissions, and database link calls.
Using tcpdump
Syntax
Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
The most important part is the expression, which selects the traffic to capture by type, direction, or protocol.
Three expression qualifier types are supported:
Type: host, net, port (default is host)
Direction: src, dst and their combinations
Proto: tcp, udp, icmp, arp, etc.
Primitives can be combined with and, or and not, and grouped with parentheses (quote or escape them so the shell does not interpret them).
Parameters
Example command:
tcpdump -i bond0 -tttt -s 0 -c 100 -w 20190131.tcpdump 'tcp and dst port ! 22 and src net 10.10.1.0/24'
Explanation:
(1) tcp: protocol filter
(2) -i bond0: capture on interface bond0
(3) -tttt: timestamp format "YYYY-MM-DD HH:MM:SS.ssssss"
(4) -s 0: capture the full packet length
(5) -c 100: stop after 100 packets
(6) dst port ! 22: exclude destination port 22
(7) src net 10.10.1.0/24: source network filter
(8) -w 20190131.tcpdump: write the raw capture to a file for later analysis
Other useful parameters:
-D: list all interfaces
-n: disable name resolution (show IPs and port numbers only)
-X: display packet contents in hex and ASCII
-A: display packet contents as ASCII
-v, -vv, -vvv: increase verbosity
Packet Analysis
Capture command example:
tcpdump -i bond0 -n -s 0 port 3312 -c 10 -tttt
Key fields in the output:
Timestamp (e.g., 2019-02-02 10:46:13.447563)
Protocol name (IP, TCP, etc.)
Source and destination IP/port (e.g., 10.215.20.13.appman-server > 10.9.51.13.25569)
Flags: S = SYN, P = PUSH, F = FIN, . = no flag (a plain ACK), etc.
Sequence and acknowledgment numbers
Window size (the receive window advertised for flow control)
Length (payload size)
Case Study: Analyzing MySQL Interaction
Collect packets with:
# tcpdump -i bond0 -n -s 0 port 3320 -tttt -A -w /tmp/20190202.tcpdump
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
32 packets captured
36 packets received by filter
0 packets dropped by kernel
Open the resulting file in Wireshark, filter by the MySQL protocol, and inspect SQL statements such as SELECT and SHOW TABLES. By comparing the timestamps of the relevant packets (e.g., packets 26 and 27), you can calculate query execution time for performance analysis.
Recommended Reading
Official tcpdump website
tcpdump tutorial on Zhihu
Tcpdump in database practice
Learning tcpdump on Linux
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.