Linux Security: Packet Capture and Analysis


It’s crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review.

Use a tshark capture filter to collect TCP traffic on port 80.

  • Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out.
tshark -f "tcp port 80" -V -Y http > /root/http_out   # -Y is the single-pass display filter; -R only works together with -2
curl www.example.com/index.html   # run from a second terminal to generate the traffic

Use a tshark display filter to collect HTTP traffic and print only HTTP response codes.

  • Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response.
tshark -Y http -T fields -e http.response.code > /root/http_response
curl www.example.com/index.html   # run from a second terminal
curl www.example.com/error.html   # intended to produce a non-200 response code

Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.

  • Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds.

tshark -f "tcp src port 22" -T fields -e ip.dst   # captures the workstation's replies from port 22, so ip.dst is the remote host

Add the IP address(es) to /root/ssh_ip in a newline-delimited format.
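Two small helpers for post-processing the "-T fields" output of the captures above (ssh_ip list and response-code summary); this is an added example, not part of the original post. They read from stdin, so they can be appended to the live commands (e.g. tshark ... -e ip.dst | unique_peer_ips 10.0.0.1 > /root/ssh_ip); the sample input below is constructed, and the 10.0.0.1 workstation address is assumed.

```shell
#!/bin/sh
# Added example: turn tshark field output into the files the tasks ask for.

# Unique, validated IPv4 addresses from "-e ip.dst" / "-e ip.src" output,
# one per line (the newline-delimited format wanted for /root/ssh_ip).
# Arg 1: the workstation's own address, dropped because it is not a peer.
unique_peer_ips() {
    own="$1"
    awk -v own="$own" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $0 != own && !seen[$0]++ { print }
    '
}

# Count HTTP response codes from "-e http.response.code" output.
# With a plain "-Y http" display filter, request packets print an empty
# field, so blank lines are skipped (use -Y http.response to avoid them).
count_response_codes() {
    awk 'NF { n[$1]++ } END { for (c in n) print c, n[c] }' | sort
}

# Constructed sample of "tshark -f 'tcp src port 22' -T fields -e ip.dst":
# duplicates, one line for the workstation itself (10.0.0.1), one bad line.
SAMPLE_SSH='10.0.0.5
10.0.0.5
192.168.1.20
10.0.0.1
not-an-ip
192.168.1.20'

# Constructed sample of "-Y http -T fields -e http.response.code" output;
# the empty lines are the request packets.
SAMPLE_HTTP='
200

404
200
301'

ssh_ip_list()       { printf '%s\n' "$SAMPLE_SSH"  | unique_peer_ips 10.0.0.1; }
http_code_summary() { printf '%s\n' "$SAMPLE_HTTP" | count_response_codes; }

ssh_ip_list          # prints 10.0.0.5 and 192.168.1.20
http_code_summary    # prints "200 2", "301 1", "404 1"
```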
