TCPdump and Wireshark configuration

This article explains how to troubleshoot TCP packet from Linux (CentOS) and Windows with TCP dump and wireshark. Both are important tools for troubleshooting. If you are troubleshooting a Windows server and have access to it to install Wireshark then there is nothing to worry about. Even if the server to troubleshoot is a Linux one with proper desktop (KDE/GNOME), you may still install the Wireshark UI on it and work from the server. If the server is Linux without any UI, this is where this article is trying to help because you need to run tcpdump on the server and somehow download the capture to your local computer for analysis.

If you work off of a MacOS, and need to capture in real time from a Linux server without a desktop (KDE/GNOME), then the best bet is to run tcpdump remotely from the server and pipe the result into Wireshark. This would require root access to the server. Tcpdump will require libpcap and tcpdump packages. Then from MacBook you can run:

# ssh root@remote-server "tcpdump -w - -s0 -pi eth0 dst port 443 or src port 443"|wireshark -k -i -

This will pipe the tcpdump result into Wireshark session in Mac in real time with a delay.

If you work off a Windows computer where plink.exe is available, you can run the following command if you know the root password:

C:\tools\plink.exe -l root -pw rootpassword 192.168.117.12 -P 22 "tcpdump -w - -s0 -pi eth0 dst port 9042" |"C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Both tricks above assumes that you have direct root log-in to the server, by RSA key or password. It is because running tcpdump requires root access on the server. It is not a good security practice to run tcpdump with a non-root user because it needs to scan the interface.

  • -s: snap length in bytes. Setting to 0 is making it use default 65535
  • -i: specify the interface to listen on. e.g. eth0 or ens192
  • -p: no-promiscuous mode. this option asks tcpdump to not put interface in promiscuous mode
  • -w: write the raw packets to file rather than parsing and printing them out. a hyphen indicates standard output here.
  • -Z: drops the privileges of root and changes ownership to the specified user

If you do not have direct root login access, but you can log in as a different user and su to root, you may run this once you are on root user:

echo "###Capture Begin: $(date '+%Y %b %d %H:%M:%S')" && tcpdump dst port 1524 or src port 1524 -s 0 -i eth0 -w "/tmp/cap.$(date +%Y%m%d_%H%M%S).cap" -Z linuser && echo "###Capture End: $(date '+%Y %b %d %H:%M:%S')" && ls -ltr /tmp/cap*.cap

To stop capture, you can use Ctrl-C but make sure that is passed to the server terminal or you will leave a zombie tcpdump process