Monitoring network traffic


You want to track all incomming http-Headers on your Webserver?

sudo tcpdump -A -s 10240 'tcp port 80' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'

Show the HTTP Requests only:

sudo tcpdump -A -s 10240 'tcp port 80' | egrep "^........(GET |HTTP\/|POST |HEAD )|^[:alnum:]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'


A quite handy tool for monitoring tcp traffic is tcptrack. Get it with:

sudo apt-get install tcptrack

and start it with

sudo tcptrack -i eth0 port 80

the interface parameter -i eth0 must be according to your needs, you can check your interfaces with ifconfig.

There is also tcpdump, tcpflow and other nice tools


Sometimes one like to figure out what programs listen at a port. Here we can get an overview with:

sudo netstat -tupln

Where t=tcp, u=udp, p=show program name, l=show listening ports, n= numeric (not resolve machine names)
The Output could look something like this:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 1338/mysqld 
tcp 0 0* LISTEN 1709/dnsmasq 
tcp 0 0* LISTEN 1303/sshd 
tcp 0 0* LISTEN 1900/xrdp-sesman
tcp 0 0* LISTEN 1356/tor 
tcp 0 0* LISTEN 1887/xrdp 
tcp6 0 0 :::80 :::* LISTEN 2064/apache2 
tcp6 0 0 :::22 :::* LISTEN 1303/sshd 
tcp6 0 0 :::443 :::* LISTEN 2064/apache2 
udp 0 0* 1709/dnsmasq 
udp 0 0* 7335/chrome 
udp 0 0* 1062/avahi-daemon: 
udp 0 0* 1062/avahi-daemon: 
udp 0 0* 1709/dnsmasq 
udp 0 0* 1698/dhclient 
udp 0 0* 4625/cups-browsed
udp6 0 0 :::51764 :::* 1709/dnsmasq 
udp6 0 0 :::45088 :::* 1062/avahi-daemon: 
udp6 0 0 :::5353 :::* 7335/chrome 
udp6 0 0 :::5353 :::* 1062/avahi-daemon:



With lsof you can determine easily which program listens on a port and under which user that program runs:

sudo lsof -i :80



Need Ping  and traceroute combined in a single application? Use mtr (matt’s traceroute)



send internet traffic over a proxy with tsocks

Sometimes it happens that you can’t use your services cause they deal with blocked ports. For exampel you use mysql on the commandline and it is by some reason denied. A proxy can help you. Tsocks helps you to use a proxy. Tsocks is a library for intercepting outgoing network connections and redirecting them through a SOCKS server.

install tsocks with

sudo apt-get install tsocks

Configure the file /etc/tsocks.conf

# the proxys address
server =
# the server type
server_type = 5
# the proxys port
server_port = 3306

and finally call your command like this:

tsocks mysql -h myHost -u myUser -pPassword