Say I make a DNS request:
$ dig +short @220.127.116.11 google.com 18.104.22.168
What went over the network?
We can find out with a program called
tcpdump is a command-line program
which can prints everything that goes over a network interface on a UNIX box.
Let’s see an example, getting all DNS traffic.
DNS requests go over UDP port 53.
tcpdump for this using the expression
udp and port 53:
$ sudo tcpdump -n 'udp and port 53' tcpdump: data link type PKTAP tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes 23:21:50.909488 IP 192.168.1.4.61988 > 192.168.1.254.53: 61163+ [1au] A? google.com. (39) 23:21:50.929583 IP 192.168.1.254.53 > 192.168.1.4.61988: 61163 1/0/1 A 22.214.171.124 (55)
The output shows exactly two UDP packets. One for the DNS request, the next for the response.
You’ll notice that
tcpdump is terribly named!
It does not just dump TCP; it can dump all manner of network activity:
UDP, IP, ICMP, Ethernet, and many others.
I wrote this because I felt like it. This post is not associated with my employer. This site is hosted by Netlify (who are great, but I'm not associated with them either).