1. Overview

Invariably, identifying and resolving network issues is a routine task for network administrators. There are several command-line utilities to assuage these issues of which tcpdump that best serves the purpose.

In this tutorial, we’ll expand on the usage of tcpdump by capturing the network packets through the logical and physical interface.

2. What Is the Localhost and Loopback Interface?

To better understand, let’s visualize the concept of localhost as a virtual hostname and domain name of our computer system. Whenever we call the localhost, it always points to our own computer system. In a nutshell, the computer talks to itself. Therefore, it greatly assists us to check the machine’s network services, even during hardware card failures.

Typically, localhost accesses the machine through a network loopback interface which is invariably present in all operating systems. By default, the loopback interface gets a 127.0.0.1 IP address. Subsequently, the localhost also resolves to the same IP for name resolution:

$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       sandbox1
::1     ip6-localhost ip6-loopback

Generally, the packets transmitted through this logical interface will be returned (looped back) to the same interface without involving any physical interface of the machine. Hence, the interface gets its name as a loopback.

The IETF assigns the entire 127.0.0.0/8 for network loopback purposes. After every server installation, the system gets the loopback interface.

Let’s take a look at the below snippet for loopback interface configuration:

$ ip a s lo 
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
    inet 127.0.0.1/8 scope host lo 
       valid_lft forever preferred_lft forever 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

3. tcpdump

tcpdump is a powerful command-line tool for analyzing the network interface traffic on Linux Systems. We need privileged access to run this tool on the Linux systems, either with root or sudo. We can easily search and filter the network packets using the hostname, IP, protocols, network names, etc.

Now, let’s have a look at the tcpdump usage. Here, the output relates to the SSH session:

$ sudo tcpdump
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
04:47:21.629831 IP 27.57.7.242.32917 > sandbox1.ssh: Flags [P.], seq 639116254:639116462, ack 1982486691, win 501, length 208
04:47:21.757924 ARP, Request who-has 10.87.34.12 tell _gateway, length 46
06:47:21.880039 IP sandbox1 > 104.26.11.14: ICMP echo request, id 20418, seq 1, length 64
06:47:21.914808 IP 104.26.11.14 > sandbox1: ICMP echo reply, id 20418, seq 1, length 64

Now, let’s the first line of the output:

  • 04:47:21.629831 – IP Packet’s timestamp in microseconds
  • IP – protocol type such as IP {Internet Protocol}, ARP {Address Resolution Protocol}, ICMP {Internet Control Message Protocol}
  • 27.57.7.242.32917 – source IP address and port. Usually, the source port is taken randomly from the registered unknown port ranges
  • sandbox1.ssh – destination IP address and port. {well-known port number 22 gets converted as ssh}
  • Flags[P.] – Any TCP flags {P – PUSH}; a period indicates an ACK
  • seq 639116254:639116462 – sequence ranges with starting and ending sequence numbers. The difference is the amount carried in Bytes which is the field length
  • ack 1982486691 – TCP packet’s acknowledgment number
  • win 501 – source machine TCP window size
  • length 208 – TCP data length or payload size. Here, it’s 639116462 – 639116254 = 208

4. Monitoring the Interface using tcpdump

tcpdump has many options to parse, search and filter the network interface traffic. If we want to monitor the packets from the specific interface, we can use option -i.

For the sake of demonstration, let’s open two PuTTY sessions. In the first session, we initiate the packet capture on the loopback interface, then we will execute a simple ping to localhost:

$ ping -c 1 localhost
..
..

$ sudo tcpdump -i lo
06:24:36.453843 IP localhost > localhost: ICMP echo request, id 19865, seq 1, length 64
06:24:36.453854 IP localhost > localhost: ICMP echo reply, id 19865, seq 1, length 64

In similar lines, let’s try to generate and capture the SSH packets from the loopback interface:

$ ssh localhost
tools@localhost's password:

$ sudo tcpdump -i lo 
06:30:52.419160 IP localhost.43398 > localhost.ssh:
  Flags [S], seq 4234592172, win 65495, options [mss 65495,sackOK,TS val 796452486 ecr 0,nop,wscale 7], length 0

tcpdump has some other useful options.

To get low-level information, we need to enable the verbose:

tcpdump -vv -i ens160

To read any pcap file, we can use -r option:

tcpdump -r prod_inf_mtr.pcap

If we want to filter using hostname/source IP and capture only ten packets from any interfaces:

tcpdump host baeldung.com -i any -c10
tcpdump host 104.26.12.74 -i any -c10

Next, we can filter using host and ports information:

tcpdump -i any "host baeldung.com and (port 22 or port 443)"

Moreover, we can use it to filter using source and destination networks information:

tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4

And finally, we can also decipher the IPv6 information as shown below:

tcpdump -i any ip6 host google.com -c4

5. Conclusion

In this article, we saw why the localhost is the default name of our system and how it helps test applications through the loopback network interface. Furthermore, we also saw the various user-friendly options available in tcpdump for advanced packet analysis.

Comments are closed on this article!