How to monitor TCP traffic between my localhost and an IP address


Solution 1

As @blametheadmin mentioned in a comment, you can use tshark. Another option is tcpdump:

$ tcpdump -w trace.out host <hostname-or-ip>

Then later, you can examine that trace with:

$ tcpdump -r trace.out

Solution 2

You could use iftop to do bandwidth usage reports as explained in this serverfault answer, by using the -t and -s switches:

-t          use text interface without ncurses
-s num      print one single text output afer num seconds, then quit
-L num      number of lines to print

It requires version iftop-1.0pre3 (2014-01-01) of iftop. In your case, the following example should do the trick to capture 5 hours of traffic of a specific source host:

iftop -i eth2 -f "src host x.y.w.z" -t -s 18000 > log.txt &

If you want the filter to get x.y.w.z as destination, you could use dest instead, or use only host without prefixes if you want to filter both ways.


Author: dubis

Updated on September 18, 2022

Comments

  • dubis, almost 2 years ago:

    I would like to know how to monitor TCP traffic between my localhost and an IP address, keeping activities in a file. I tried iftop and tcptrack but I cannot keep activities in a file. These tools don't target a specific IP address; they monitor the interface only:

    iftop -i eth2 -f "dst port 22"

    I tried to put the IP address in place of dst but it doesn't work. The idea is to detect any suspect traffic.

    Thanks for your help.

    • dhag, over 7 years ago:
      @blametheadmin: You could make this comment into an answer. There must be a way to store truncated packets, if the payload is not important to the asker.
  • dubis, over 7 years ago:
    Thanks for the answer. I would like to do statistics like the -z option with tshark, but this tool doesn't accept host or IP with this option.
  • Andy Dalton, over 7 years ago:
    I'm pretty sure that tshark will take the output file produced by tcpdump as input. You may be able to collect the trace using tcpdump and then analyze it using tshark.
  • dubis, over 7 years ago:
    I used this command for 24 hours: tcpdump -i eth2 -n host xxx.xxx.xxx.xxx or dst xxx.xxx.xxx.xxx and greater 500 -w trace.out. I got a file of 355Mb, and with tcpdump -r trace.out it is pretty hard to understand the meaning of the Flags, seq 143:143, ack, win and length terms to get an idea of what's happening.
  • dubis, over 7 years ago:
    Thanks nwilder, that's a good answer, except that it's scanning all the traffic on the Ethernet device. I would just like to monitor an IP address's in/out traffic.
  • Admin, over 7 years ago:
    Is this host source or destination? You could change the filter to better fit your needs. I'll edit my answer for you.