Use the tcpdump command below to capture packets on a network interface. It writes to STDOUT, but you may use redirection to divert the output to a text file.
[root@deusexmachina homer]# tcpdump -i wlp2s0
This is the output that you get when you are capturing packets. This is on my home network, so there are not many other computers on the same network. At a more populated location, this would capture a LOT of data.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:31:08.889345 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:09.427050 IP deusexmachina.localdomain.60287 > 192.168.1.1.domain: 64077+ PTR? 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
06:31:09.497527 IP 192.168.1.1.domain > deusexmachina.localdomain.60287: 64077 NXDomain 0/1/0 (160)
06:31:09.499456 IP deusexmachina.localdomain.37873 > 192.168.1.1.domain: 34380+ PTR? 5.2.1.e.d.5.e.f.f.f.e.6.f.0.e.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
06:31:09.573778 IP 192.168.1.1.domain > deusexmachina.localdomain.37873: 34380 NXDomain* 0/1/0 (125)
06:31:10.575373 IP deusexmachina.localdomain.58963 > 192.168.1.1.domain: 23729+ PTR? 1.1.168.192.in-addr.arpa. (42)
06:31:10.658433 IP 192.168.1.1.domain > deusexmachina.localdomain.58963: 23729 NXDomain* 0/1/0 (92)
06:31:10.658732 IP deusexmachina.localdomain.52069 > 192.168.1.1.domain: 43760+ PTR? 5.1.168.192.in-addr.arpa. (42)
06:31:10.736590 IP 192.168.1.1.domain > deusexmachina.localdomain.52069: 43760 NXDomain* 0/1/0 (92)
06:31:14.496885 ARP, Request who-has deusexmachina.localdomain tell 192.168.1.1, length 28
06:31:14.496913 ARP, Reply deusexmachina.localdomain is-at 4c:0f:6e:5d:e1:25 (oui Unknown), length 28
06:31:18.892497 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:28.891639 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:38.889904 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:39.190064 IP deusexmachina.localdomain.ntp > ns2.unico.com.au.ntp: NTPv3, Client, length 48
06:31:39.265043 IP ns2.unico.com.au.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.332124 IP deusexmachina.localdomain.ntp > ns30.alltraders.com.ntp: NTPv3, Client, length 48
06:31:39.414742 IP ns30.alltraders.com.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.524972 IP deusexmachina.localdomain.54937 > 192.168.1.1.domain: 60515+ PTR? 37.210.127.202.in-addr.arpa. (45)
06:31:39.532514 IP deusexmachina.localdomain.ntp > y.ns.gin.ntt.net.ntp: NTPv3, Client, length 48
06:31:39.651244 IP 192.168.1.1.domain > deusexmachina.localdomain.54937: 60515 1/2/2 PTR ns2.unico.com.au. (139)
06:31:39.651509 IP deusexmachina.localdomain.35904 > 192.168.1.1.domain: 23254+ PTR? 240.128.16.103.in-addr.arpa. (45)
06:31:39.734574 IP deusexmachina.localdomain.ntp > node01.au.verbnetworks.net.ntp: NTPv3, Client, length 48
06:31:39.739958 IP y.ns.gin.ntt.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.784433 IP 192.168.1.1.domain > deusexmachina.localdomain.35904: 23254 1/3/2 PTR ns30.alltraders.com. (194)
06:31:39.794888 IP node01.au.verbnetworks.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:40.785931 IP deusexmachina.localdomain.40890 > 192.168.1.1.domain: 9817+ PTR? 251.35.250.129.in-addr.arpa. (45)
06:31:41.027748 IP 192.168.1.1.domain > deusexmachina.localdomain.40890: 9817 1/5/0 PTR y.ns.gin.ntt.net. (180)
06:31:41.028003 IP deusexmachina.localdomain.45882 > 192.168.1.1.domain: 10491+ PTR? 186.129.252.54.in-addr.arpa. (45)
06:31:41.100866 IP 192.168.1.1.domain > deusexmachina.localdomain.45882: 10491 1/6/11 PTR node01.au.verbnetworks.net. (489)
06:31:44.199907 ARP, Request who-has 192.168.1.1 tell deusexmachina.localdomain, length 28
06:31:44.200980 ARP, Reply 192.168.1.1 is-at 84:c9:b2:bd:c2:e7 (oui Unknown), length 28
06:31:48.893605 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:58.891079 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:08.889305 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:18.893922 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:26.847033 IP 192.168.1.1 > all-systems.mcast.net: igmp query v3
06:32:27.848514 IP deusexmachina.localdomain.56886 > 192.168.1.1.domain: 20559+ PTR? 1.0.0.224.in-addr.arpa. (40)
06:32:27.948456 IP 192.168.1.1.domain > deusexmachina.localdomain.56886: 20559 1/4/3 PTR all-systems.mcast.net. (210)
06:32:28.891123 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:29.501413 IP 192.168.1.2 > igmp.mcast.net: igmp v3 report, 1 group record(s)
06:32:29.892569 IP deusexmachina.localdomain.51849 > 192.168.1.1.domain: 26273+ PTR? 22.0.0.224.in-addr.arpa. (41)
06:32:29.970603 IP 192.168.1.1.domain > deusexmachina.localdomain.51849: 26273 1/4/4 PTR igmp.mcast.net. (220)
06:32:29.970954 IP deusexmachina.localdomain.39871 > 192.168.1.1.domain: 37618+ PTR? 2.1.168.192.in-addr.arpa. (42)
06:32:30.049533 IP 192.168.1.1.domain > deusexmachina.localdomain.39871: 37618 NXDomain* 0/1/0 (92)
06:32:32.855903 ARP, Request who-has 192.168.1.1 tell deusexmachina.localdomain, length 28
06:32:32.868403 ARP, Reply 192.168.1.1 is-at 84:c9:b2:bd:c2:e7 (oui Unknown), length 28
06:32:33.500459 IP 192.168.1.2 > igmp.mcast.net: igmp v3 report, 1 group record(s)
06:32:38.889236 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:44.354538 IP deusexmachina.localdomain.ntp > ns2.unico.com.au.ntp: NTPv3, Client, length 48
06:32:44.423527 IP ns2.unico.com.au.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.492615 IP deusexmachina.localdomain.ntp > ns30.alltraders.com.ntp: NTPv3, Client, length 48
06:32:44.566973 IP ns30.alltraders.com.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.694187 IP deusexmachina.localdomain.ntp > node01.au.verbnetworks.net.ntp: NTPv3, Client, length 48
06:32:44.765280 IP node01.au.verbnetworks.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.896585 IP deusexmachina.localdomain.ntp > y.ns.gin.ntt.net.ntp: NTPv3, Client, length 48
06:32:45.106108 IP y.ns.gin.ntt.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:48.893175 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:49.423055 ARP, Request who-has deusexmachina.localdomain tell 192.168.1.1, length 28
06:32:49.423075 ARP, Reply deusexmachina.localdomain is-at 4c:0f:6e:5d:e1:25 (oui Unknown), length 28
06:32:58.891247 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
^C
61 packets captured
62 packets received by filter
0 packets dropped by kernel
You may also listen on the Ethernet device; this is another good way to monitor web traffic.
homer@deusexmachina ~ $ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:26:14.991992 IP 192.168.1.2.netbios-dgm > 192.168.1.255.netbios-dgm: NBT UDP PACKET(138)
12:26:14.992043 IP 192.168.1.2.netbios-dgm > 192.168.1.255.netbios-dgm: NBT UDP PACKET(138)
12:26:14.993119 IP 192.168.1.2.30729 > 192.168.1.1.domain: 6476+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:26:15.038836 IP 192.168.1.1.domain > 192.168.1.2.30729: 6476 NXDomain* 0/1/0 (94)
12:26:15.054252 IP 192.168.1.2.54819 > 192.168.1.1.domain: 45679+ PTR? 2.1.168.192.in-addr.arpa. (42)
12:26:15.095084 IP 192.168.1.1.domain > 192.168.1.2.54819: 45679 NXDomain* 0/1/0 (92)
12:26:15.095771 IP 192.168.1.2.63376 > 192.168.1.1.domain: 55165+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:26:15.138827 IP 192.168.1.1.domain > 192.168.1.2.63376: 55165 NXDomain* 0/1/0 (92)
12:26:20.038689 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 46
12:26:20.038719 ARP, Reply 192.168.1.2 is-at 00:13:46:3a:02:83 (oui Unknown), length 28
12:26:24.270335 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [S], seq 2202183540, win 29200, options [mss 1460,sackOK,TS val 353142 ecr 0,nop,wscale 7], length 0
12:26:24.270699 IP 192.168.1.2.40975 > 192.168.1.1.domain: 45075+ PTR? 26.244.93.190.in-addr.arpa. (44)
12:26:24.300344 IP 190.93.244.26.http > 192.168.1.2.39333: Flags [S.], seq 3377563395, ack 2202183541, win 14480, options [mss 1452,sackOK,TS val 46025457 ecr 353142,nop,wscale 10], length 0
12:26:24.300472 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 353150 ecr 46025457], length 0
12:26:24.647092 IP 192.168.1.1.domain > 192.168.1.2.40975: 45075 NXDomain 0/1/0 (104)
12:26:29.300623 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 354400 ecr 46025457], length 0
12:26:29.330133 IP 190.93.244.26.http > 192.168.1.2.39333: Flags [F.], seq 1, ack 2, win 15, options [nop,nop,TS val 46025960 ecr 354400], length 0
12:26:29.330204 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [.], ack 2, win 229, options [nop,nop,TS val 354407 ecr 46025960], length 0
12:26:34.606031 IP 192.168.1.2.50950 > 162.159.250.151.http: Flags [S], seq 3057776350, win 29200, options [mss 1460,sackOK,TS val 355726 ecr 0,nop,wscale 7], length 0
12:26:34.606304 IP 192.168.1.2.16494 > 192.168.1.1.domain: 40835+ PTR? 151.250.159.162.in-addr.arpa. (46)
12:26:34.636348 IP 162.159.250.151.http > 192.168.1.2.50950: Flags [S.], seq 3222561782, ack 3057776351, win 14480, options [mss 1452,sackOK,TS val 46045306 ecr 355726,nop,wscale 10], length 0
12:26:34.636412 IP 192.168.1.2.50950 > 162.159.250.151.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 355734 ecr 46045306], length 0
12:26:34.664086 IP 192.168.1.1.domain > 192.168.1.2.16494: 40835 NXDomain 0/1/0 (100)
^C
23 packets captured
23 packets received by filter
0 packets dropped by kernel
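A capture redirected to a text file, as described at the top of this page, can be summarised offline. The script below is an added example, not part of the original page; its function names and the embedded sample lines (abbreviated, with placeholder hosts and addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a text capture
# saved with redirection, e.g.  tcpdump -i wlp2s0 > capture.txt

# Constructed sample in tcpdump's default one-line-per-packet format;
# hosts and addresses are placeholders, TCP options are left out.
sample_capture() {
cat <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
06:31:08.889345 IP6 host.example > ff02::2: ICMP6, router solicitation, length 8
06:31:09.427050 IP host.example.60287 > 192.0.2.1.domain: 64077+ PTR? 1.2.0.192.in-addr.arpa. (42)
06:31:09.497527 IP 192.0.2.1.domain > host.example.60287: 64077 NXDomain 0/1/0 (92)
06:31:14.496885 ARP, Request who-has host.example tell 192.0.2.1, length 28
06:31:14.496913 ARP, Reply host.example is-at 02:00:00:00:00:01 (oui Unknown), length 28
06:31:24.270335 IP 192.0.2.2.39333 > 198.51.100.26.http: Flags [S], seq 2202183540, win 29200, length 0
06:31:24.300344 IP 198.51.100.26.http > 192.0.2.2.39333: Flags [S.], seq 3377563395, ack 2202183541, win 14480, length 0
06:31:24.300472 IP 192.0.2.2.39333 > 198.51.100.26.http: Flags [.], ack 1, win 229, length 0
8 packets captured
EOF
}

# Only lines that start with a timestamp are packets; banner and totals are skipped.
TS='^[0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9]+$'

# Packets per protocol keyword (field 2: IP, IP6, ARP), sorted by name.
proto_counts() {
  awk -v ts="$TS" '$1 ~ ts { p = $2; sub(/,$/, "", p); n[p]++ }
       END { for (p in n) print p, n[p] }' | LC_ALL=C sort
}

# Number of reverse-DNS (PTR) queries. tcpdump can generate these itself when
# it resolves addresses to names; capturing with -n turns that off.
ptr_query_count() {
  awk -v ts="$TS" '$1 ~ ts && index($0, " PTR? ") { c++ } END { print c + 0 }'
}

# New TCP connection attempts (SYN set, ACK clear), printed as "source destination".
syn_attempts() {
  awk -v ts="$TS" '$1 ~ ts && index($0, "Flags [S],") {
         dst = $5; sub(/:$/, "", dst); print $3, dst }'
}

sample_capture | proto_counts
echo "PTR queries: $(sample_capture | ptr_query_count)"
sample_capture | syn_attempts
```

To run it on a real capture, feed the saved file to a function instead of the sample, for example `proto_counts < capture.txt`.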
So try this command out for yourself; it is a good way to learn about the traffic that is sent over your network.