This trusty troubleshooting tool can track processes along with network traffic

Detective Work

© Lead Image © rudall30, 123RF.com


Article from Issue 296/2025

The legacy Tcpdump is a tool no admin would want to do without, but it is a bit long in the tooth. The eBPF-based Ptcpdump aims to counter this worry. The rewrite offers extensive CLI compatibility and can even display process information.

Tcpdump [1] is a popular tool for capturing network traffic. Most admins are aware that they can use Tcpdump to save a record of network traffic in the Pcap format [2], then analyze and visualize the traffic using a protocol analysis tool such as Wireshark. In-depth troubleshooting with Tcpdump is often the last resort when you have exhausted all other options and you still can't open a network connection (Figure 1).

Figure 1: Tcpdump can capture network traffic, but it cannot display the source and target processes associated with that traffic.

On the downside, many users are annoyed by the fact that Tcpdump can't map network traffic to specific processes. In other words, Tcpdump cannot tell you which program the logged packets belong to. As a workaround, programs can sometimes be identified on the basis of IP addresses and their in- and outbound ports.
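The port-based workaround, sketched as an added example (not code from the article or from Ptcpdump): match a flow seen in a capture against the IPv4 socket table in `/proc/net/tcp` format, then look for the process holding that socket inode under `/proc/<pid>/fd`. The function names and the sample table are constructed for illustration, and the lookup only succeeds while the socket still exists, which is why the workaround helps only sometimes.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (little-endian host); not captured data.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0A00A8C0:D431 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1
"""

def decode_endpoint(hex_endpoint):
    """'0A00A8C0:D431' -> ('192.168.0.10', 54321); address is a little-endian u32."""
    addr_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def socket_for_flow(proc_net_tcp, local, remote):
    """Return (inode, uid) of the socket matching a captured flow, or None."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if (decode_endpoint(fields[1]), decode_endpoint(fields[2])) == (local, remote):
            return int(fields[9]), int(fields[7])
    return None

def pids_holding_inode(inode, proc_root="/proc"):
    """PIDs with an fd linked to socket:[inode]; other users' processes need root."""
    target = f"socket:[{inode}]"
    owners = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                             # exited or permission denied
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(pid))
                    break
            except OSError:                         # fd closed during the scan
                continue
    return sorted(owners)

if __name__ == "__main__":
    # Flow as tcpdump would print it: 192.168.0.10.54321 > 192.0.2.10.443
    print(socket_for_flow(SAMPLE_PROC_NET_TCP, ("192.168.0.10", 54321), ("192.0.2.10", 443)))
```

On a live host, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 sockets live in `/proc/net/tcp6` with a different address encoding and are not handled here.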

[...]
