There are various nice tools around that let you listen in on whatever IP connection you like. This is called "sniffing". You should be careful about what you're doing and respect other people's privacy.
A problem often experienced is that packets don't appear even though you know they're on the wire. This is usually caused by an unreachable nameserver: tcpdump tries to resolve addresses to host names, and the pending DNS queries hold the packet back from being printed. Avoid this by disabling name resolution:
tcpdump -n
Sometimes you are only interested in the traffic on one interface; just tell tcpdump which one:
tcpdump -n -i eth0
(as you see, -i can be combined with the -n from the previous example). To capture whole packets to a file for later analysis (-s0 disables the default snapshot length, so long packets are not truncated), use:
tcpdump -s0 -w /tmp/out.pcap
Move out.pcap to the box you've equipped with Wireshark, open it there and click through it. This is also the suggested way to post a capture to the support mailing list. Please remember that you might post usernames and passwords this way, so try to reproduce the problem with a dummy user and password.
Reducing packets later
tcpdump can read, filter, and re-output packets from such .pcap files:
tcpdump -r infile.pcap -w outfile.pcap
You can filter the output of tcpdump using a versatile filter language (libpcap's filter expressions). For example, to see only HTTP traffic to or from 192.168.1.1:
tcpdump host 192.168.1.1 and port 80
Here is a list of ports and the kind of traffic they carry. If you want to filter by MAC address, you can do that with 'ether host 00:....'. Explore more of this filter language in man tcpdump (on newer systems the expression syntax has its own page, pcap-filter(7)).
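As an added example (not part of the original page, and not tcpdump's own code), here is a small Python script that mirrors the tcpdump -r/-w round trip from above on a constructed capture: it writes a pcap file containing a handful of constructed Ethernet/IPv4 packets, applies the equivalent of the filter 'host 192.168.1.1 and port 80', and writes the survivors to a second pcap file. It also records a small snapshot length, so the output shows what happens without -s0: the long HTTP response is cut short while its original length is still recorded in the file. Only Ethernet/IPv4 frames carrying TCP or UDP are understood; addresses, ports and payloads are constructed sample values.

```python
"""Added example, not from the original page: a tiny pcap reader/writer that
applies the equivalent of 'host 192.168.1.1 and port 80' to a constructed
capture, mirroring `tcpdump -r infile.pcap -w outfile.pcap <filter>`."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4     # pcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_packet(src_ip, dst_ip, sport, dport, proto=6, payload=b""):
    """Construct an Ethernet/IPv4/TCP (proto 6) or UDP (proto 17) frame.
    Checksums stay zero: fine for filtering, not a valid packet on the wire."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == 6:   # 20-byte TCP header, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def capture(frames, snaplen):
    """Simulate capturing without -s0: keep the first `snaplen` bytes of each
    frame but remember its original length, as libpcap does."""
    return [(1000 + i, 0, f[:snaplen], len(f)) for i, f in enumerate(frames)]


def write_pcap(fobj, records, snaplen):
    """Write a pcap global header, then (ts_sec, ts_usec, data, orig_len) records."""
    fobj.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, data, orig_len in records:
        data = data[:snaplen]
        fobj.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len))
        fobj.write(data)


def read_pcap(fobj):
    """Return (snaplen, records) from a little-endian Ethernet pcap file."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", fobj.read(24))
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    records = []
    while True:
        hdr = fobj.read(16)
        if len(hdr) < 16:
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
        records.append((ts_sec, ts_usec, fobj.read(incl_len), orig_len))
    return snaplen, records


def matches_host_and_port(frame, host, port):
    """Equivalent of the BPF expression 'host HOST and port PORT': the address
    may be source or destination, and so may the port."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    addrs = (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]))
    l4 = 14 + ihl
    if host not in addrs or proto not in (6, 17) or len(frame) < l4 + 4:
        return False   # wrong host, no ports, or truncated before the port fields
    return port in struct.unpack("!HH", frame[l4:l4 + 4])


def filter_pcap(infile, outfile, host, port):
    """The tcpdump -r/-w round trip: read, keep matching records, write."""
    with open(infile, "rb") as f:
        snaplen, records = read_pcap(f)
    kept = [r for r in records if matches_host_and_port(r[2], host, port)]
    with open(outfile, "wb") as f:
        write_pcap(f, kept, snaplen)
    return len(kept), len(records)


def demo(workdir=None):
    """Build a constructed capture, filter it, return (kept, total, truncated)."""
    workdir = workdir or tempfile.mkdtemp()
    infile, outfile = os.path.join(workdir, "in.pcap"), os.path.join(workdir, "out.pcap")
    frames = [  # constructed traffic; only the first two should pass the filter
        build_packet("10.0.0.5", "192.168.1.1", 40001, 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
        build_packet("192.168.1.1", "10.0.0.5", 80, 40001, payload=b"HTTP/1.0 200 OK\r\n" + b"x" * 300),
        build_packet("10.0.0.5", "192.168.1.1", 40002, 22),                 # ssh: wrong port
        build_packet("10.0.0.7", "10.0.0.8", 40003, 80),                    # http: wrong host
        build_packet("10.0.0.5", "192.168.1.1", 40004, 53, proto=17, payload=b"\x00" * 12),
    ]
    with open(infile, "wb") as f:
        write_pcap(f, capture(frames, snaplen=96), snaplen=96)  # small snaplen, i.e. no -s0
    kept, total = filter_pcap(infile, outfile, "192.168.1.1", 80)
    with open(outfile, "rb") as f:
        _, out = read_pcap(f)
    truncated = sum(1 for _, _, data, orig_len in out if len(data) < orig_len)
    return kept, total, truncated


if __name__ == "__main__":
    print(demo())   # (2, 5, 1): two HTTP packets kept, the long response truncated
```

Running the script prints (2, 5, 1): of five packets, only the two HTTP packets involving 192.168.1.1 survive the filter, and one of them arrives cut short because the capture used a small snapshot length. That is exactly the situation -s0 in the capture command above avoids, and it is why a file captured without it can look fine in tcpdump yet show incomplete payloads in Wireshark.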
ngrep is a Unix command-line tool that may show you live traffic better than Wireshark or tcpdump, because it focuses on printing the payload of the traffic. It also uses the same libpcap backend library as tcpdump, and thus takes the same filter expressions:
ngrep port 80 and not host 172.16.29.226 -W byline
-W byline stops ngrep from stripping line breaks from the payload, which makes requests and responses far more readable. The output of ngrep is somewhat comparable to a tail -f: it scrolls by as traffic arrives.
Wireshark was formerly known as Ethereal. It "understands" most of the protocols in use on the internet today and displays their structure in a tree view, or lets you view just the TCP payload of a text-oriented protocol such as HTTP or SMTP. It runs under almost any OS with a GUI these days. If you want to analyze traffic spoken by a remote box, see the tcpdump section above on how to capture streams to a file for later analysis.
You might also have a look at this Wikipedia article on Wireshark.
EtherApe just displays load graphs, but it's informative for finding out which connections eat up the most bandwidth.
NTop can give you interesting statistics about what's on the line. Looking for who has been using the most bandwidth in the last 24 hours? This is your tool. Be warned, it consumes a lot of memory.