by Ciro Santilli (@cirosantilli, 32)
To test it, let's get two computers on the same local area network, e.g. connected to Wi-Fi on the same home modem router.
On computer B:
On computer A, run on terminal 1: 
sudo tcpdump ip src 192.168.1.102 or dst 192.168.1.102
Then on terminal 2 make a test request: 
curl 192.168.1.102:8000
Output on terminal 1: 
17:14:22.017001 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [S], seq 2563867413, win 64240, options [mss 1460,sackOK,TS val 303966323 ecr 0,nop,wscale 7], length 0
17:14:22.073957 IP 192.168.1.102.8000 > ciro-p14s.55798: Flags [S.], seq 1371418143, ack 2563867414, win 65160, options [mss 1460,sackOK,TS val 171832817 ecr 303966323,nop,wscale 7], length 0
17:14:22.074002 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [.], ack 1, win 502, options [nop,nop,TS val 303966380 ecr 171832817], length 0
17:14:22.074195 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [P.], seq 1:82, ack 1, win 502, options [nop,nop,TS val 303966380 ecr 171832817], length 81
17:14:22.076710 IP 192.168.1.102.8000 > ciro-p14s.55798: Flags [P.], seq 1:80, ack 1, win 510, options [nop,nop,TS val 171832821 ecr 303966380], length 79
17:14:22.076710 IP 192.168.1.102.8000 > ciro-p14s.55798: Flags [.], ack 82, win 510, options [nop,nop,TS val 171832821 ecr 303966380], length 0
17:14:22.076727 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [.], ack 80, win 502, options [nop,nop,TS val 303966383 ecr 171832821], length 0
17:14:22.077006 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [F.], seq 82, ack 80, win 502, options [nop,nop,TS val 303966383 ecr 171832821], length 0
17:14:22.077564 IP 192.168.1.102.8000 > ciro-p14s.55798: Flags [F.], seq 80, ack 82, win 510, options [nop,nop,TS val 171832821 ecr 303966380], length 0
17:14:22.077578 IP ciro-p14s.55798 > 192.168.1.102.8000: Flags [.], ack 81, win 502, options [nop,nop,TS val 303966384 ecr 171832821], length 0
17:14:22.079429 IP 192.168.1.102.8000 > ciro-p14s.55798: Flags [.], ack 83, win 510, options [nop,nop,TS val 171832824 ecr 303966383], length 0
TODO understand them all! Possibly correlate with Wireshark, or use -A option to dump content.
Amazing tool that captures packets and disassembles them. Allows you to click an interactive tree that represents Ethernet, TCP/IP and application layer like HTTP.
Start capture immediately from CLI, capture packets to/from 192.168.1.102: 
sudo wireshark -f 'host 192.168.1.102' -k
Capture by instead: 
sudo wireshark -f http -k
sudo wireshark -f icmp -k
Filter by both protocol and host: 
sudo wireshark -f 'host 192.168.1.102 and icmp' -k
For application layer capture filtering, the best you can do is by port: 
sudo wireshark -f 'tcp port 80'
There is an http filter but only for as a wireshark display filter
Sample usage: 
sudo tshark -f 'host 192.168.1.102
This produces simple one liners for each request.
What you likely want is the -V option which fully disassembles each frame much as you can do in the GUI Wireshark: 
sudo tshark -V -f 'host 192.168.1.102

Tagged

Ancestors

  1. Computer network
  2. Computer
  3. Information technology
  4. Area of technology
  5. Technology
  6. Index

Discussion (0)

Sign up or sign in create discussions.

There are no discussions about this article yet.

View article source