Capture Network Traffic on Two Different Ports Simultaneously

Problem solved. It was actually very simple; I should have tried it before.

But thanks, I got my idea just by looking at your answers.

I think it is the beauty of stackoverflow: if we could find an exact answer, we can invent it through the discussion.

 $ tcpdump -X -s0 protochain 50 or 51

Monitoring multiple ports in tcpdump

tcpdump port 80 or port 3128

or, alternatively,

tcpdump port '(80 or 443)'

How to capture packages via both eth0 and lo at the same time?

Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the 'any' device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:

  • Start 2 separate instances of tcpdump, one capturing on lo and the other capturing on eth0. If you write the packets to separate files, you can use a tool such as mergecap to merge them together afterward.
  • Use dumpcap or tshark instead, either of which can capture on multiple interfaces.
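The merge step of the first option, as an added illustration in Python (not code from the answer or from the Wireshark project): two constructed classic-pcap files stand in for the output of two separate tcpdump instances, and the merge orders all records by timestamp, which is what mergecap does by default. The payloads, timestamps and the Linux SLL link type used here are assumptions for the demo.

```python
import os
import struct
import tempfile

# Classic libpcap file format with microsecond timestamps.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_LINUX_SLL = 113          # assumption: the link type of a "cooked" capture
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(path, packets, linktype=LINKTYPE_LINUX_SLL):
    """Write (ts_sec, ts_usec, payload) tuples as one classic pcap file."""
    with open(path, "wb") as fh:
        fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts_sec, ts_usec, payload in packets:
            fh.write(RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)))
            fh.write(payload)


def read_pcap(path):
    """Return (linktype, [(ts_sec, ts_usec, payload), ...]) from a classic pcap file."""
    with open(path, "rb") as fh:
        magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack(fh.read(GLOBAL_HDR.size))
        if magic != PCAP_MAGIC:
            raise ValueError("unsupported pcap magic %#x" % magic)
        records = []
        while True:
            hdr = fh.read(RECORD_HDR.size)
            if len(hdr) < RECORD_HDR.size:
                break                      # clean end of file
            ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack(hdr)
            payload = fh.read(incl_len)
            if len(payload) < incl_len:
                raise ValueError("truncated packet record")
            records.append((ts_sec, ts_usec, payload))
    return linktype, records


def merge_pcaps(out_path, *in_paths):
    """Merge several captures chronologically, as mergecap does without -a.
    Returns the merged timestamps so the caller can check the ordering."""
    linktypes, merged = set(), []
    for path in in_paths:
        linktype, records = read_pcap(path)
        linktypes.add(linktype)
        merged.extend(records)
    if len(linktypes) != 1:
        # mergecap switches to a per-packet encapsulation here; this demo does not.
        raise ValueError("captures use different link types: %s" % sorted(linktypes))
    merged.sort(key=lambda rec: (rec[0], rec[1]))
    write_pcap(out_path, merged, linktype=linktypes.pop())
    return [(ts_sec, ts_usec) for ts_sec, ts_usec, _ in merged]


def demo():
    """Constructed input: a lo capture and an eth0 capture whose packets interleave in time."""
    lo_pkts = [(1000, 100, b"lo-1"), (1000, 300, b"lo-2")]
    eth_pkts = [(1000, 200, b"eth-1"), (1001, 0, b"eth-2")]
    workdir = tempfile.mkdtemp()
    lo, eth, out = (os.path.join(workdir, n) for n in ("lo.pcap", "eth0.pcap", "merged.pcap"))
    write_pcap(lo, lo_pkts)
    write_pcap(eth, eth_pkts)
    merge_pcaps(out, lo, eth)
    _, records = read_pcap(out)
    return [payload for _, _, payload in records]


if __name__ == "__main__":
    print(demo())
```

The merged order is lo-1, eth-1, lo-2, eth-2: the two files are interleaved by timestamp rather than concatenated, which is the property you rely on when reconstructing a conversation that crossed both interfaces.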

Can we have two simultaneous udp streams between 2 specific pairs of IPs and Ports?

You are just looking at the UDP traffic from either direction. UDP stream 2 is from 192.168.1.162 to 192.168.1.159 and UDP stream 3 is from 192.168.1.159 to 192.168.1.162.

While there are two UDP streams, there is only one RTP session. This is because the RFC protocol states that you cannot multiplex on the same port. From the RTP RFC, Section 5.2:

In RTP, multiplexing is provided by the destination transport address
(network address and port number) which is different for each RTP session.

So, yes, there are two simultaneous UDP streams, but it is just both hosts talking to each other during an RTP session.
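Two points from the answers above in one added Python illustration (not code from any of the posts): what the pcap-filter expression port 80 or port 3128 matches, namely either the source or the destination port, and why the two UDP streams of this question collapse into a single session once the direction is ignored. The packet summaries, port 5004 and the TCP endpoints are constructed; only the two 192.168.1.x addresses come from the answer.

```python
from collections import Counter

# Constructed packet summaries: (proto, src_ip, src_port, dst_ip, dst_port).
# The UDP entries mirror the two directions described above (port 5004 is an
# assumption); the TCP entries are made up web and proxy traffic.
PACKETS = [
    ("udp", "192.168.1.162", 5004, "192.168.1.159", 5004),
    ("udp", "192.168.1.159", 5004, "192.168.1.162", 5004),
    ("udp", "192.168.1.162", 5004, "192.168.1.159", 5004),
    ("tcp", "10.0.0.5", 51000, "203.0.113.10", 80),
    ("tcp", "203.0.113.10", 80, "10.0.0.5", 51000),
    ("tcp", "10.0.0.5", 51001, "10.0.0.9", 3128),
    ("tcp", "10.0.0.5", 51002, "10.0.0.9", 8080),
]


def matches_port(pkt, *ports):
    """Semantics of the pcap-filter primitive 'port N' (and 'port N or port M'):
    true when either the source or the destination port is listed, so both
    directions of a conversation are kept."""
    _, _, sport, _, dport = pkt
    return sport in ports or dport in ports


def matches_dst_port(pkt, *ports):
    """Semantics of 'dst port N': only packets heading towards that port."""
    return pkt[4] in ports


def unidirectional_streams(packets):
    """Packets per exact (proto, src, sport, dst, dport) key: the granularity at
    which the two UDP 'streams' of the question appear."""
    return Counter(packets)


def conversations(packets):
    """Collapse both directions onto one key by ordering the two endpoints, the
    way a bidirectional session (here, one RTP session) is identified."""
    sessions = Counter()
    for proto, sip, sport, dip, dport in packets:
        a, b = sorted([(sip, sport), (dip, dport)])
        sessions[(proto, a, b)] += 1
    return sessions


def demo():
    """Apply the two filters and the two groupings to the constructed packets."""
    web_and_proxy = [p for p in PACKETS if matches_port(p, 80, 3128)]
    to_web_only = [p for p in PACKETS if matches_dst_port(p, 80)]
    udp = [p for p in PACKETS if p[0] == "udp"]
    return {
        "port 80 or port 3128": len(web_and_proxy),
        "dst port 80": len(to_web_only),
        "udp streams": len(unidirectional_streams(udp)),
        "udp sessions": len(conversations(udp)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print("%-22s %d" % (label, count))
```

The response from port 80 is kept by port 80 but dropped by dst port 80, which is the usual surprise when a capture filter seems to show only half of a conversation; the three UDP packets form two unidirectional streams and one conversation.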

Usage of different ports by one email app

That is not one question, but let me see if I can shed some light on the things that confuse you.

I know that e.g. port 80 is used for HTTP traffic, and port 25 for email, and port 22 for login

Correct, for the most part. For example, 443 is the HTTPS port. In any case, there is nothing stopping you from running your web server on port 8000, or, if you really want to be nasty, on 22 either. These are the recommended ports for each app and they are generally what is used. The reason for that is that when a client needs to make a connection to an app, it needs both the IP and the port number of the app it wants to connect to. So it is common for web browsers to try and connect on 80 or 443. But you can always connect to a different port as well. For example, if you go to http://some_url:8080 you will be making a connection to port 8080 instead of 80. Information such as port numbers is managed by the Internet Assigned Numbers Authority (IANA). Take a look here for more information on port numbers and their uses.

Will the mobile app use port 22 every time the user logs in to the app?

Port 22 is (again generally) used by the secure shell application (SSH). This is NOT the same as when you enter your credentials in a website for example. All that happens using HTTP(S).

If an email has a picture, will this picture be loaded via port 80 as HTTP traffic?

If an email is sent, it will go to the email server (likely running on port 25). All of the email transfer will happen using the Simple Mail Transfer Protocol (SMTP), which will handle everything in the email payload and the encryption (if any) around the mail. I suggest looking at the Wikipedia article and following the links from there if you are interested in SMTP.

For the actual email data, will the app use port 25?

I believe this is covered by my previous answer.

Regarding your final question: you are correct that a single app can only listen on one port. But the "app" in this case would be the server. So, to give you an example, let's say that an email server is hosted on a machine with IP 1.2.3.4 and runs on port 25.

Now, if you have multiple email clients, they will all connect to that IP:port server tuple. However, the clients will open connections from your mobile phone's IP (let's say 5.6.7.8) to that server. But each connection will be using a different local port, and this is how multiple connections can be established at the same time to the same destination. The same scenario happens when you open two tabs and access the same website. You connect to the same IP:port tuple of the server, but do it from different ports on your machine.

To understand this, you need to understand that applications over the Internet use IP:port 4-tuples to identify a connection. The 4-tuple contains (Server_IP, Server_Port, Client_IP, Client_Port). If any one thing in this 4-tuple is different, the connection that it identifies is also different.
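The 4-tuple argument, shown on a live socket as an added example (not code from the answer): one listener on 127.0.0.1 stands in for the mail server at 1.2.3.4:25, several clients connect to it from the same host, and both ends report the same set of (Server_IP, Server_Port, Client_IP, Client_Port) tuples, which differ only in the client port the kernel picked. The loopback address, port 0 for an ephemeral listener port and the number of connections are assumptions for the demo.

```python
import socket


def open_connections(n=3):
    """Open n TCP connections from one host to one IP:port and return the
    4-tuple of each as seen by the client side and by the server side.
    Runs entirely on the loopback interface; no external network is touched."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the kernel pick a free port
    srv.listen(n)
    server_ip, server_port = srv.getsockname()
    clients, client_view, server_view = [], [], []
    try:
        for _ in range(n):
            # Each connect() binds a fresh local (ephemeral) port, so the
            # destination IP:port can be identical for every connection.
            c = socket.create_connection((server_ip, server_port))
            clients.append(c)
            client_ip, client_port = c.getsockname()
            client_view.append((server_ip, server_port, client_ip, client_port))
        # The handshakes already completed in the listen backlog; accept() now
        # hands each established connection to the server application, which
        # tells them apart by the peer address alone.
        srv.settimeout(2.0)
        for _ in range(n):
            conn, (peer_ip, peer_port) = srv.accept()
            server_view.append((server_ip, server_port, peer_ip, peer_port))
            conn.close()
    finally:
        for c in clients:
            c.close()
        srv.close()
    return client_view, server_view


def distinct_connections(tuples):
    """Number of distinct connections: one per distinct 4-tuple."""
    return len(set(tuples))


if __name__ == "__main__":
    client_side, server_side = open_connections()
    for t in client_side:
        print("client sees", t)
    for t in server_side:
        print("server sees", t)
    print("distinct connections:", distinct_connections(client_side))
```

Every tuple shares the first three fields; only Client_Port changes, and that one difference is enough for both kernels to keep the connections apart. The same thing happens with two browser tabs on one site.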
