Чтобы посмотреть в реальном времени какой траффик идет через конкретный интерфейс, можно воспользоваться командой:

$ tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

23:37:15.775540 IP arn06s01-in-f21.1e100.net.https > pangolinux.workgroup.50008: Flags [P.], seq 2510079406:2510079459, ack 4211914561, win 1002, options [nop,nop,TS val 2414138577 ecr 2689914], length 53

23:37:15.775555 IP pangolinux.workgroup.50008 > arn06s01-in-f21.1e100.net.https: Flags [.], ack 53, win 1002, options [nop,nop,TS val 2696514 ecr 2414138577], length 0

23:37:15.775954 IP pangolinux.workgroup.52480 > resolver1.opendns.com.domain: 37527+ PTR? 21.32.194.173.in-addr.arpa. (44)

23:37:15.883902 IP resolver1.opendns.com.domain > pangolinux.workgroup.52480: 37527 1/0/0 PTR arn06s01-in-f21.1e100.net. (83)

23:37:15.884034 IP pangolinux.workgroup.51311 > resolver1.opendns.com.domain: 18925+ PTR? 222.222.67.208.in-addr.arpa. (45)

23:37:15.986124 IP resolver1.opendns.com.domain > pangolinux.workgroup.51311: 18925 1/0/0 PTR resolver1.opendns.com. (80)

23:37:16.625961 IP6 fe80::92e6:baff:fe17:51c8.mdns > ff02::fb.mdns: 0 SRV (QM)? pangolinux [90:e6:ba:17:51:c8]._workstation._tcp.local. (72)

23:37:16.626023 IP6 fe80::92e6:baff:fe17:51c8.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) SRV pangolinux.local.:9 0 0, (Cache flush) AAAA fe80::92e6:baff:fe17:51c8 (125)

23:37:16.626044 IP pangolinux.workgroup.45852 > resolver1.opendns.com.domain: 59299+ PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)