L17. Network Diagnostics: ss, tcpdump and Wireshark Basics
Learn how to investigate open ports with ss, capture live traffic with tcpdump, save packet captures for offline analysis, and open them in Wireshark. These are the same tools security analysts use daily for troubleshooting and threat investigation.
Why Network Diagnostics Matter for Security
Every service running on your Linux system listens on a network port. Every connection to or from your server tells a story. Knowing how to inspect open ports and capture traffic is one of the most practical security skills you can build. If an attacker compromises a system, the evidence almost always shows up in network behavior: unexpected listening ports, connections to unfamiliar IP addresses, or unusual traffic patterns at odd hours.
This lesson covers three essential tools: ss for inspecting sockets and connections, tcpdump for capturing raw traffic, and Wireshark for visual packet analysis.
Checking Open Ports and Connections with ss
The ss command (socket statistics) replaced the older netstat utility on modern Linux systems. It is faster, more detailed, and installed by default on virtually every distribution.
Listing All Listening Ports
# Show all listening TCP sockets with process info
sudo ss -tlnp

# Show all listening UDP sockets with process info
sudo ss -ulnp
The flags break down as follows:
| Flag | Meaning |
|---|---|
| -t | TCP sockets only |
| -u | UDP sockets only |
| -l | Listening sockets only |
| -n | Show port numbers instead of service names |
| -p | Show the process using each socket |
Viewing Established Connections
# Show all established TCP connections
sudo ss -tnp

# Filter connections to a specific port
sudo ss -tnp dst :443

# Show connections from a specific IP
sudo ss -tnp src 10.0.0.5
Security Investigation Example
Suppose you suspect a server is communicating with an unauthorized host. Start by listing all established connections:
sudo ss -tnp | grep ESTAB
If you see a connection to an unexpected IP address on an unusual port, note the process ID from the output and investigate further with ps:
ps -fp <PID>
ls -la /proc/<PID>/exe
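The triage described above can be scripted so the comparison against what the server is supposed to be doing is not done by eye. The following is an added example, not code from the lesson: two POSIX shell helpers that read ss output on stdin and print only the listening ports and established peers that are not on an allowlist, plus the process name and PID pulled from the Process column. The ss output embedded in the script is a constructed sample (addresses, PIDs and process names are made up), and the allowlists and the eth0-style assumptions about what the server should accept are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the lesson): post-process `ss` output to flag what does not
# match an allowlist. Both helpers read ss output on stdin, so they work on a live
# `sudo ss -tnp` / `sudo ss -tlnp` as well as on the constructed samples below.

# Constructed sample of `ss -tnp` output; addresses, PIDs and process names are made up.
SAMPLE_SS_TNP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234     users:(("sshd",pid=1234,fd=4))
ESTAB  0      0      10.0.0.5:443        10.0.0.7:40112     users:(("nginx",pid=2201,fd=12))
ESTAB  0      0      10.0.0.5:48220      203.0.113.77:4444  users:(("kworker_x",pid=3107,fd=3))'

# Constructed sample of `ss -tlnp` output.
SAMPLE_SS_TLNP='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1234,fd=3))
LISTEN  0      511    0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=2201,fd=6))
LISTEN  0      128    0.0.0.0:31337       0.0.0.0:*          users:(("kworker_x",pid=3107,fd=5))'

# unexpected_peers "IP IP ..." < ss-tnp-output
# Prints "peer_ip peer_ip:port process pid" for every ESTAB connection whose peer IP
# is not in the space-separated allowlist. Columns: State Recv-Q Send-Q Local Peer Process.
unexpected_peers() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ESTAB" {
            peer = $5; sub(/:[^:]*$/, "", peer)          # drop ":port", keep the IP
            if (!(peer in ok)) {
                name = ""; pid = ""
                if (match($0, /\("[^"]+"/)) name = substr($0, RSTART + 2, RLENGTH - 3)
                if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
                printf "%s %s %s %s\n", peer, $5, name, pid
            }
        }'
}

# unexpected_listeners "PORT PORT ..." < ss-tlnp-output
# Prints "port process pid" for every LISTEN socket whose local port is not allowlisted.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)             # works for 0.0.0.0:22 and [::]:22
            if (!(port in ok)) {
                name = ""; pid = ""
                if (match($0, /\("[^"]+"/)) name = substr($0, RSTART + 2, RLENGTH - 3)
                if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
                printf "%s %s %s\n", port, name, pid
            }
        }'
}

# triage_live: the same checks against the running system (root is needed for -p).
# The allowlists are assumptions; replace them with what your server is expected to do.
triage_live() {
    echo "== listening ports not in the allowlist =="
    sudo ss -tlnp | unexpected_listeners "22 80 443"
    echo "== established connections to peers not in the allowlist =="
    sudo ss -tnp | unexpected_peers "10.0.0.9 10.0.0.7"
}

# Demonstration on the constructed samples (run with --live to use the real ss output).
if [ "${1:-}" = "--live" ]; then
    triage_live
else
    echo "unexpected listeners:"
    printf '%s\n' "$SAMPLE_SS_TLNP" | unexpected_listeners "22 80 443"
    echo "unexpected peers:"
    printf '%s\n' "$SAMPLE_SS_TNP" | unexpected_peers "10.0.0.9 10.0.0.7"
fi
```

On the sample data the only hits are the port 31337 listener and the connection to 203.0.113.77:4444, both owned by PID 3107, which is exactly the PID you would then hand to ps -fp and /proc/<PID>/exe. Keeping the allowlists in the script (or in a file it reads) means the check gives the same answer every time it is run, which matters when several people are doing routine checks on the same fleet.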
Capturing Traffic with tcpdump
While ss shows you the current state of connections, tcpdump lets you watch traffic in real time and save it for later analysis. It captures raw packets at the network interface level.
Basic Capture Commands
# Capture all traffic on interface eth0 (Ctrl+C to stop)
sudo tcpdump -i eth0

# Capture only traffic on port 22 (SSH)
sudo tcpdump -i eth0 port 22
# Capture traffic to or from a specific host
sudo tcpdump -i eth0 host 192.168.1.100
# Combine filters: SSH traffic from a specific host
sudo tcpdump -i eth0 host 192.168.1.100 and port 22
Saving Captures to a pcap File
Raw terminal output scrolls by quickly and is hard to analyze. For any real investigation, save the capture to a file:
# Save 1000 packets to a file
sudo tcpdump -i eth0 -c 1000 -w /tmp/capture.pcap

# Capture with a time limit (60 seconds)
sudo timeout 60 tcpdump -i eth0 -w /tmp/capture.pcap
The -w flag writes the output in pcap format, which can be opened by Wireshark or parsed by other analysis tools.
Reading a pcap File
# Read and display packets from a saved capture
tcpdump -r /tmp/capture.pcap

# Read with filters applied
tcpdump -r /tmp/capture.pcap port 443
Useful Filter Patterns for Security Work
# Capture DNS queries (often used in data exfiltration)
sudo tcpdump -i eth0 port 53

# Capture only SYN packets (connection attempts)
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# Capture traffic on non-standard ports (potential C2 channels)
sudo tcpdump -i eth0 'not port 22 and not port 80 and not port 443'
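The "not port 22 and not port 80 and not port 443" filter above is the general pattern for "show me everything except the services I expect", and it is worth generating rather than retyping once the list grows. The following is an added example, not code from the lesson: POSIX shell helpers that build that exclusion filter from any list of ports, combine it with a host filter, and wrap the bounded and rotating capture forms shown earlier (-c with timeout, and tcpdump's -G/-W time-based rotation). The interface name eth0, the port lists, the host 203.0.113.77 and the output paths are assumptions for the example; the capture functions are defined but not run, since tcpdump needs root and a real interface.

```shell
#!/bin/sh
# Added example (not from the lesson): derive tcpdump filters from an allowlist of
# expected ports and run bounded captures with them. Interface, ports, host and
# output paths below are assumptions for the example.

# build_exclusion_filter PORT [PORT...]
# Generalizes the lesson's "not port 22 and not port 80 and not port 443" to any list.
# Rejects anything that is not a plain port number so a typo cannot become a bad BPF expression.
build_exclusion_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "build_exclusion_filter: invalid port '$p'" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then filter="not port $p"; else filter="$filter and not port $p"; fi
    done
    printf '%s\n' "$filter"
}

# build_host_filter HOST [PORT...]
# Traffic to or from HOST, minus the listed expected ports (for instance your own SSH session).
build_host_filter() {
    host="$1"; shift
    excl=$(build_exclusion_filter "$@") || return 1
    if [ -n "$excl" ]; then
        printf 'host %s and (%s)\n' "$host" "$excl"
    else
        printf 'host %s\n' "$host"
    fi
}

# capture_to_file IFACE FILTER OUTFILE [COUNT] [SECONDS]
# Bounded capture: stops after COUNT packets or SECONDS, whichever comes first, and writes a
# pcap that `tcpdump -r` or Wireshark can open. -nn keeps addresses and ports numeric. Needs root.
capture_to_file() {
    iface="$1"; filter="$2"; outfile="$3"; count="${4:-500}"; seconds="${5:-60}"
    timeout "$seconds" tcpdump -i "$iface" -nn -c "$count" -w "$outfile" "$filter"
}

# rotate_capture IFACE FILTER DIR
# Longer capture split into 5-minute files (-G 300); tcpdump exits after 12 of them (-W 12),
# so one run covers an hour without producing a single unmanageable pcap. Needs root.
rotate_capture() {
    iface="$1"; filter="$2"; dir="$3"
    tcpdump -i "$iface" -nn -G 300 -W 12 -w "$dir/cap-%Y%m%d-%H%M%S.pcap" "$filter"
}

# Demonstration: print the filters that would be passed to tcpdump.
echo "everything except expected services:"
build_exclusion_filter 22 80 443
echo "one suspicious host, excluding our own SSH session:"
build_host_filter 203.0.113.77 22

# Usage against a real interface (not run here; assumed interface and host):
#   f=$(build_host_filter 203.0.113.77 22)
#   capture_to_file eth0 "$f" /tmp/investigation.pcap 500 120
#   rotate_capture eth0 "$(build_exclusion_filter 22 80 443)" /tmp/captures
```

Passing the filter as a single quoted argument ("$filter") is what keeps the parentheses and spaces intact; tcpdump receives the whole expression as one string exactly as it would from the shell-quoted forms in the lesson.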
Opening Captures in Wireshark
Wireshark is a graphical packet analyzer that makes sense of pcap files. While it is typically run on a workstation rather than a server, the workflow is straightforward:
- Capture traffic on the server using tcpdump and save it to a pcap file
- Transfer the pcap file to your workstation using scp or another secure method
- Open the file in Wireshark for visual analysis
# Transfer capture file to your local machine
scp user@server:/tmp/capture.pcap ~/Downloads/
Key Wireshark Features for Beginners
Once you open a pcap in Wireshark, use these features to narrow your investigation:
- Display filters: Type filters like http, dns, or ip.addr == 10.0.0.5 in the filter bar
- Follow TCP stream: Right-click a packet and select "Follow > TCP Stream" to see the full conversation
- Protocol hierarchy: Under Statistics > Protocol Hierarchy, see which protocols are present in the capture
- Conversations: Under Statistics > Conversations, see which hosts are talking and how much data they exchanged
Practical Workflow: Investigating a Suspicious Connection
Here is a start-to-finish example of using these tools together:
# Step 1: Check for unexpected listening ports
sudo ss -tlnp | grep -v -E ':(22|80|443) '

# Step 2: Check for unexpected outbound connections
sudo ss -tnp | grep ESTAB
# Step 3: If something looks wrong, capture traffic for analysis
sudo tcpdump -i eth0 host <suspicious-ip> -c 500 -w /tmp/investigation.pcap
# Step 4: Transfer the capture and open in Wireshark
scp user@server:/tmp/investigation.pcap ~/Downloads/
This workflow is something you will use repeatedly in security roles, whether you are doing routine checks, responding to alerts, or investigating a potential breach.
- ✓ ss replaces netstat: use ss -tlnp to list listening TCP ports with process info
- ✓ tcpdump captures live traffic: use -w to save pcap files for offline analysis
- ✓ Wireshark provides visual analysis of pcap files with display filters and stream following
- ✓ Filter tcpdump by host, port, or protocol to isolate relevant traffic during investigations
- ✓ A standard investigation workflow is: check ports with ss, capture with tcpdump, analyze in Wireshark
1. Which ss command shows all listening TCP ports along with the process using each port?
2. What does the tcpdump -w flag do?
3. During a security investigation, you discover an unexpected ESTABLISHED connection to an unknown IP. What is the best next step?