
🔍 How to Monitor Network Traffic on Ubuntu Using tshark and Port Mirroring

ꓜꓟеꓝ☠
ꓜꓟеꓝ☠ cyber

Learn how to turn a Linux machine into a real-time network monitoring station using open source tools and a managed switch that supports port mirroring.

🧠 Why Monitor Your Network?
Whether you're into cybersecurity, troubleshooting, digital minimalism, or just plain curiosity — monitoring your network gives you visibility into what your devices are doing when you're not looking.

With just a Linux machine, an open-source tool called tshark, and a switch that supports port mirroring, you can capture and analyze traffic flowing through your network — no enterprise gear needed.

🧰 What You'll Need
Item                                       Purpose
🐧 A Linux machine (Ubuntu preferred)      To run tshark and analyze packets
🧠 A managed switch with port mirroring    To duplicate traffic to your monitoring box
🔌 Ethernet cables                         For basic connectivity
🌐 Your existing home router               Internet access and network traffic source

🏗️ Step 1: Set Up Port Mirroring
What is Port Mirroring?
Port mirroring (sometimes called SPAN) lets you copy all traffic from one port to another on your switch. You plug your monitoring box into the mirrored port and see everything flowing through the original.

Typical Setup:
Port    Device
Port A    Router / Gateway (internet uplink)
Port B    General network devices
Port M    Your Linux box running tshark (mirror destination)

In the switch config:

Enable port mirroring

Choose the source port (the one connected to your router)

Choose the mirror destination port (the one connected to your Linux monitor; on most switches this port carries only the mirrored copy and no normal traffic, so give the monitor a second interface if you need to reach it over the network)

Enable mirroring in both directions (ingress & egress)

🐧 Step 2: Install tshark on Ubuntu
tshark is the command-line version of Wireshark — ideal for headless monitoring.

Install it:
sudo apt update
sudo apt install tshark


Allow non-root users to capture packets:
sudo usermod -aG wireshark $USER
newgrp wireshark    # applies the new group to this shell only; otherwise log out and back in


📡 Step 3: Start Capturing
Plug your Linux box into the mirrored port and run:
tshark -i eth0    # replace eth0 with your capture interface; list them with: tshark -D


Or save to a file:
tshark -i eth0 -w traffic.pcap


Filter by protocol if needed:
tshark -i eth0 -Y "http || dns || icmp"


🧠 What You Can See
Depending on what traffic flows through your mirrored port, you might observe:

🔍 DNS queries (e.g. devices contacting trackers or cloud APIs)

🌐 HTTP requests (including URLs and headers for cleartext traffic)

🔒 TLS/SNI domains (from HTTPS handshakes)

🛡️ ICMP pings, broadcasts, DHCP requests

🕵️ Suspicious patterns like beaconing or unexpected traffic volume
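As an added example (not code from the original post), the script below shows how a few of those observations can be pulled out of a capture once tshark has exported the relevant fields. It assumes a hypothetical export such as `tshark -r traffic.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e dns.qry.name -e tls.handshake.extensions_server_name`, and works on constructed sample records standing in for that output: it counts DNS queries per client and name, lists the TLS SNI values each client sent, and flags clients that resolve the same name at suspiciously regular intervals, the simplest form of beaconing check.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise what tshark saw on the
# mirrored port. It reads the CSV-style output of a hypothetical export such as
#   tshark -r traffic.pcap -T fields -E separator=, \
#     -e frame.time_epoch -e ip.src -e dns.qry.name \
#     -e tls.handshake.extensions_server_name
# so each line is: epoch,src_ip,dns_query_name,tls_sni (fields empty when absent).
set -eu

# Constructed sample records standing in for a real export. Host .20 resolves the
# same name every 60 seconds (a beacon-like pattern); host .44 queries irregularly.
SAMPLE_RECORDS='1700000000.10,192.168.1.20,updates.example.net,
1700000000.30,192.168.1.20,,updates.example.net
1700000005.00,192.168.1.44,api.example.org,
1700000017.00,192.168.1.44,cdn.example.org,
1700000060.12,192.168.1.20,updates.example.net,
1700000120.09,192.168.1.20,updates.example.net,
1700000180.11,192.168.1.20,updates.example.net,
1700000240.10,192.168.1.20,updates.example.net,
1700000300.08,192.168.1.20,updates.example.net,
1700000400.00,192.168.1.44,api.example.org,'

# Count DNS queries per (client, name), most frequent first: "count src name".
top_dns_names() {
  printf '%s\n' "$1" \
    | awk -F, '$3 != "" { c[$2 " " $3]++ } END { for (k in c) print c[k], k }' \
    | sort -k1,1nr -k2
}

# TLS SNI values seen per client (from the ClientHello), one "src sni" per line.
sni_by_host() {
  printf '%s\n' "$1" | awk -F, '$4 != "" { print $2, $4 }' | sort -u
}

# Flag (client, name) pairs queried at least $2 times whose gaps between queries
# are nearly constant: coefficient of variation (stddev / mean) at or below $3.
flag_beacons() {
  min="${2:-4}"; maxcv="${3:-0.2}"
  printf '%s\n' "$1" \
    | awk -F, '$3 != "" { print $2 "," $3 "," $1 }' \
    | sort -t, -k1,1 -k2,2 -k3,3n \
    | awk -F, -v min="$min" -v maxcv="$maxcv" '
      function report(   i, mean, var, cv) {
        if (n < min || n < 2) return
        mean = 0; for (i = 1; i < n; i++) mean += gap[i]; mean /= (n - 1)
        var = 0;  for (i = 1; i < n; i++) var += (gap[i] - mean) ^ 2; var /= (n - 1)
        cv = (mean > 0) ? sqrt(var) / mean : 1
        if (cv <= maxcv) printf "%s %s interval=%.1fs cv=%.2f\n", src, name, mean, cv
      }
      {
        key = $1 "," $2
        if (key != cur) { report(); cur = key; src = $1; name = $2; n = 0; split("", gap) }
        n++
        if (n > 1) gap[n - 1] = $3 - prev
        prev = $3
      }
      END { report() }'
}

echo "== DNS queries (count client name) =="
top_dns_names "$SAMPLE_RECORDS"
echo "== TLS SNI per client =="
sni_by_host "$SAMPLE_RECORDS"
echo "== Regular-interval DNS lookups (>= 4 queries, CV <= 0.2) =="
flag_beacons "$SAMPLE_RECORDS" 4 0.2
```

The beacon check is deliberately coarse: a fixed-interval pattern is just as typical of a legitimate update checker as of malware, so treat a hit as something to look up (who owns the name, what else the client does around those times) rather than as a verdict. Raising the minimum query count and lowering the CV threshold reduces noise on a busy network.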

🛠️ Advanced Use
You can automate logging like this:
# -b duration:300 starts a new file every 5 minutes; -b files:48 keeps the newest 48 and deletes the oldest as each new one starts
tshark -i eth0 -b duration:300 -b files:48 -w /var/log/traffic


That gives you rolling capture files (pcapng by default; add -F pcap if a tool of yours needs classic .pcap), 5 minutes each, covering the past 4 hours. The capturing user needs write access to the target directory, which /var/log normally gives only to root.

Later, load them into Wireshark, Zeek, or a custom parser.
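One small "custom parser" worth having for a ring buffer is a way to find which files cover a given time window, so an incident at 12:07 can be pulled out without opening all 48. The script below is an added example, not from the original post; it assumes tshark's ring-buffer file naming (prefix, five-digit sequence number, then the YYYYMMDDHHMMSS time the file was started) and treats each file as running until the next one starts. The file list is constructed to mimic `ls` output after a few rotations.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pick the ring-buffer capture files
# that overlap an incident window. Assumes tshark's ring-buffer naming,
# <prefix>_<5-digit sequence>_<YYYYMMDDHHMMSS>.<ext>, where the timestamp is the
# time the file was started; each file is taken to run until the next one starts.
set -eu

# Constructed file list as "ls" would print it after a few 5-minute rotations.
SAMPLE_FILES='/var/log/traffic_00001_20240105120000.pcapng
/var/log/traffic_00002_20240105120500.pcapng
/var/log/traffic_00003_20240105121000.pcapng
/var/log/traffic_00004_20240105121500.pcapng'

# files_in_window FILE_LIST START END: print the files whose time span overlaps
# [START, END]. Both bounds are YYYYMMDDHHMMSS and are compared as 14-digit
# strings, so no date(1) parsing is needed. The newest file is treated as open-ended.
files_in_window() {
  printf '%s\n' "$1" | sort | awk -v ws="$2" -v we="$3" '
    {
      ts = $0
      sub(/\.[^.]*$/, "", ts)   # drop the extension
      sub(/.*_/, "", ts)        # keep only the trailing timestamp
      # The previous file spans [prev_ts, ts): emit it if that span overlaps the window.
      if (NR > 1 && prev_ts <= we && ts > ws) print prev
      prev = $0; prev_ts = ts
    }
    END { if (NR > 0 && prev_ts <= we) print prev }'
}

# Usage against a real ring buffer (hypothetical, not run here):
#   files_in_window "$(ls /var/log/traffic_*.pcapng)" 20240105120700 20240105121200 \
#     | xargs -I{} tshark -r {} -Y "dns" -T fields -e frame.time -e ip.src -e dns.qry.name
echo "Files covering 12:07 to 12:12:"
files_in_window "$SAMPLE_FILES" 20240105120700 20240105121200
```

Because the selection only looks at file start times, it stays correct whether rotation is driven by duration or by size; the one thing it cannot know is whether the newest file has already been closed, which is why that file is always included when the window reaches it.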

💡 Final Thoughts
You don’t need to drop big money to get visibility into your home or lab network. A basic switch that supports port mirroring and a Linux box with tshark is enough to start peeling back the layers of what’s really happening on your wire.

It's not just about catching bad guys — it's about learning, tuning, and understanding.

Welcome to the wire.

*Written by an LLM


Zac Fosdyck | Cyber Resilience | Open Source Advocate | Regenerative Systems
Welcome. I’m Zac Fosdyck, an Illinois-based cyber resilience professional, educator, and open source strategist dedicated to advancing resilient, ethical, and sustainable technology.

About Me
I bring a multidisciplinary perspective to the world of cyber resilience—combining business acumen, technical expertise, and a commitment to lifelong learning. My journey bridges food service management, higher education, and the technical complexities of information security, with a focus on Free/Libre Open Source Software (FLOSS) and community-driven solutions.

What I Do
Cyber Resilience Leadership:
Certified in Security+, Cloud+, Linux+, and CompTIA Secure Cloud Professional (CSCP), I specialize in building, hardening, and monitoring Linux-based infrastructures, conducting risk and gap assessments, and mentoring newcomers to the field.

Regenerative Management:
I incorporate holistic and regenerative principles into both technology and organizational systems, advocating for stewardship, sustainability, and the integration of social good with technical progress.

Education & Community:
As a co-founder of Grass Roots Cyber, I develop accessible cyber resilience resources and live educational content, demystifying complex topics and empowering individuals and small businesses to defend themselves effectively.

Research & Innovation:
My work explores the intersection of cyber resilience, decentralized technologies (blockchain, dApps), and the ethical use of AI—seeking practical tools that respect privacy, agency, and community resilience.

Why Work With Me?
Strategic Vision:
I align technical projects with broader organizational and social objectives, ensuring technology serves people—not the other way around.

Commitment to Open Source:
I champion transparent, collaborative, and adaptable solutions that lower barriers to entry and foster true innovation.

Ethical Perspective:
Integrity, responsibility, and a learner’s mindset are at the core of my practice. I help organizations navigate complexity, uncertainty, and change with confidence.

Let’s Connect
If you’re seeking a cyber resilience leader with both technical depth and big-picture perspective—or want to collaborate on projects that blend technology, education, and regenerative impact—I invite you to explore my portfolio, review my open source contributions, and get in touch.