9.16. Observing Network Traffic
You want to watch network traffic flowing by (or through) your machine.
Use a packet sniffer such as tcpdump.
To sniff packets and save them in a file:
# tcpdump -w
To read and display the saved network trace data:
$ tcpdump -r
To select packets related to particular TCP services to or from a host:
# tcpdump tcp port [service] and host server.example.com
For a convenient and powerful GUI, use Ethereal. [Recipe 9.17]
To enable an unconfigured interface, for a “stealth” packet sniffer:
To print information about all of your network interfaces with loaded drivers: [Recipe 3.1]
$ ifconfig -a
Is your system under attack? Your firewall is logging unusual activities, you see lots of half-open connections, and the performance of your web server is degrading. How can you learn what is happening so you can take defensive action? Use a packet sniffer to watch traffic on the network!
In normal operation, network interfaces are programmed to receive only the following:
Unicast packets, addressed to a specific machine
Multicast packets, targeted to systems that choose to subscribe to services like streaming video or sound
Broadcast packets, for when an appropriate destination is not known, or for important information that is probably of interest to all machines on the network
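The following is an added example, not part of the recipe and not tcpdump's own code. It ties together the two things above: what `tcpdump -w` writes and `tcpdump -r` reads (the libpcap file format), the filter `tcp port [service] and host server.example.com` re-implemented in plain Python, and the unicast/multicast/broadcast distinction decided from the destination MAC address. The capture it works on is constructed in memory (addresses, MACs and the stand-in `192.0.2.10` for `server.example.com` are all made up), so it runs offline without root or a network interface.

```python
"""Minimal pcap reader with a tcpdump-style filter and destination classification."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_bytes(s):
    return bytes(int(b, 16) for b in s.split(":"))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP-or-UDP frame (checksums left zero; fine for parsing)."""
    if proto == IPPROTO_TCP:   # 20-byte TCP header, data offset 5, SYN flag
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip)) + l4
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def write_pcap(frames):
    """Serialize frames into the libpcap format that `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records, the way `tcpdump -r` consumes a file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):       # capture cut short mid-packet
            raise ValueError("truncated packet record")
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def classify_destination(frame):
    """Unicast, multicast or broadcast, decided by the destination MAC address."""
    dst = frame[:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:                         # I/G bit set: a group address
        return "multicast"
    return "unicast"


def decode(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, proto, sport, dport


def matches_tcp_port_and_host(frame, port, host):
    """Equivalent of the tcpdump filter 'tcp port <port> and host <host>'."""
    d = decode(frame)
    if d is None:
        return False
    src, dst, proto, sport, dport = d
    return proto == IPPROTO_TCP and port in (sport, dport) and host in (src, dst)


def summarize(data, port, host):
    """Packet counts by destination type, and how many packets pass the filter."""
    kinds, matched = Counter(), 0
    for _ts, frame in read_pcap(data):
        kinds[classify_destination(frame)] += 1
        if matches_tcp_port_and_host(frame, port, host):
            matched += 1
    return dict(kinds), matched


# Constructed sample capture (not a real trace); 192.0.2.10 stands in for server.example.com.
SERVER = "192.0.2.10"
SAMPLE = write_pcap([
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.20", SERVER, IPPROTO_TCP, 40001, 22),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", SERVER, "192.0.2.20", IPPROTO_TCP, 22, 40001),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.20", SERVER, IPPROTO_TCP, 40002, 80),
    build_frame("ff:ff:ff:ff:ff:ff", "66:77:88:99:aa:bb", "192.0.2.20", "255.255.255.255", IPPROTO_UDP, 68, 67),
    build_frame("01:00:5e:00:00:fb", "66:77:88:99:aa:bb", "192.0.2.20", "224.0.0.251", IPPROTO_UDP, 5353, 5353),
])

if __name__ == "__main__":
    print(summarize(SAMPLE, 22, SERVER))
```

Running it reports three unicast, one broadcast and one multicast frame, and two frames matching port 22 to or from the server, which is exactly the subset `tcpdump -r` would print for that filter. The truncated-record check in `read_pcap` matters in practice: a capture file cut off while tcpdump was still writing ends mid-packet, and a reader that silently drops the tail hides the fact that evidence is missing.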
The term “unicast” is not an oxymoron: ...