How to capture port traffic on a Linux server

Every network administrator needs to know how to listen to port traffic on a server. Here's one way to do it on Linux.
So you have a Linux server up and running, but you either suspect there might be some nefarious traffic coming in, or you just want to know what's going on at all times with this new machine. What do you do?
There are plenty of tools to get the job done--some of which have been around for a very long time. However, some of those commands can either be incredibly complex or they don't really work the way you want.
So what's an admin to do when they just want to get the job done easily, quickly, and reliably?
There's one particular tool I prefer for this job: TShark, the command-line take on the ever-popular Wireshark. When you're working with a headless server, a GUI isn't going to cut it, and that's where TShark comes into play.
With the tshark command you can listen to incoming traffic, so as to monitor your ports on a Linux server. It's actually easy to install and easy to use. Let's make that happen.

What you'll need

  • A Linux server or desktop
  • A user with sudo privileges
I'll be demonstrating on Ubuntu Server 18.40, but the tool can be installed from your distribution's standard repositories.

How to install TShark

The installation of TShark is simple. Open a terminal window on your server and issue the command:
sudo apt-get install tshark -y
That's all there is to the installation.

How to find your network interface

With TShark, each network interface is associated with a number. If you only have one interface installed, you shouldn't have to worry about this. However, if you have multiple interfaces, or you use this server for containers (which add virtual interfaces of their own), you'll need to know which interface number to have TShark listen on.
To do this, issue the command:
sudo tshark -D

All interfaces, including containers, listed.

How to listen with TShark

Now that we have our interface listing, we can watch the traffic in real time. Say you want to listen only on ens5, the primary interface on my server, which tshark -D listed as interface number 6. For this, you'd issue the command:
sudo tshark -i 6
A never-ending stream of output will begin, listing every packet seen on that interface, on every port.
The tshark command is listening to incoming traffic on all ports.
If that's too much to take in, you can always instruct TShark to listen on specific ports only. Say, for instance, you suspect something fishy is going on with SSH (maybe someone is trying to hack your server via port 22). To have TShark listen to only that port, issue the command:
sudo tshark -i 6 -f "tcp port 22"
The above command will only output information associated with port 22.
Using TShark to only listen for SSH traffic.
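As an added example (not code from the article), here is a small POSIX shell helper for the two steps above: it picks the interface number for a name out of tshark -D output, and it tallies new SSH connection attempts per source address from a port-22 capture run with tshark's -T fields output. The field names (ip.src, tcp.dstport, tcp.flags.syn, tcp.flags.ack) are real tshark fields; the interface listing and capture lines inside the script are constructed samples so it runs offline, and the interface number 6 for ens5 is taken from the article's own setup.

```shell
#!/bin/sh
# Added example, not code from the article. Two helpers for the tshark
# workflow above; the sample data below is constructed so this runs offline.

# `tshark -D` lists one interface per line as "<number>. <name> [(description)]".
# Given that listing on stdin and a name such as ens5, print the number
# you would pass to `tshark -i`.
iface_number() {
    awk -v want="$1" '$2 == want { sub(/\.$/, "", $1); print $1; exit }'
}

# Capture as in the article, but emit selected fields instead of the summary line:
#   sudo tshark -i 6 -f "tcp port 22" -T fields \
#        -e ip.src -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# Fields are tab-separated. Count packets per source that are SYN without ACK,
# i.e. new connection attempts to port 22. Depending on the tshark version,
# boolean fields print as 1/0 or True/False, so both forms are accepted.
ssh_attempts_by_source() {
    awk -F'\t' '
        $2 == "22" && ($3 == "1" || $3 == "True") && ($4 == "0" || $4 == "False") { n[$1]++ }
        END { for (src in n) printf "%d\t%s\n", n[src], src }
    ' | sort -rn
}

# Constructed sample of `tshark -D` output (ens5 is number 6, as in the article).
SAMPLE_D=$(printf '1. eth0\n2. any\n3. lo (Loopback)\n4. docker0\n5. veth1a2b3c\n6. ens5\n')

# Constructed sample of the fields output: three SYNs from one address,
# one from another, and two packets belonging to already established sessions.
SAMPLE_FIELDS=$(printf '203.0.113.9\t22\t1\t0\n203.0.113.9\t22\t1\t0\n198.51.100.4\t22\t1\t0\n203.0.113.9\t22\t0\t1\n203.0.113.9\t22\t1\t0\n10.0.0.2\t22\t0\t1\n')

echo "ens5 is interface $(printf '%s\n' "$SAMPLE_D" | iface_number ens5)"
echo "New SSH connection attempts per source:"
printf '%s\n' "$SAMPLE_FIELDS" | ssh_attempts_by_source
```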
Although there is much more to TShark, that is all you need to know to get you going on listening to port traffic on your Linux server. To find out more about TShark, issue the command man tshark.
