Packet Capture with Wireshark and tcpdump
If you can capture and read packets, you can see what actually happened on the wire instead of guessing, and most network problems reduce to that. Wireshark and tcpdump are the two tools every network engineer uses: tcpdump for the command line and for remote captures, Wireshark for the deep visual analysis that follows.
tcpdump — capture from the command line
# Basic capture (with no -i, tcpdump picks the first non-loopback interface that is up; list them with tcpdump -D)
sudo tcpdump
# Specific interface
sudo tcpdump -i eth0
# Don't resolve hostnames (-n) or port and protocol names (-nn): faster, cleaner, and the capture host sends no DNS lookups of its own while you watch
sudo tcpdump -nn -i eth0
# Capture N packets and exit
sudo tcpdump -c 100 -i eth0
# Save to a pcap file for later analysis in Wireshark
sudo tcpdump -i eth0 -w capture.pcap
Capture filters (BPF syntax)
Limit WHAT gets captured. The filter is compiled to BPF and applied in the kernel, so non-matching packets are never copied out, which reduces volume, CPU and storage.
# Specific host
sudo tcpdump -i eth0 host 192.168.1.50
# Specific port
sudo tcpdump -i eth0 port 443
# Specific port and protocol
sudo tcpdump -i eth0 tcp port 443
# Specific IP range
sudo tcpdump -i eth0 net 192.168.1.0/24
# Specific direction
sudo tcpdump -i eth0 src host 10.0.0.1
sudo tcpdump -i eth0 dst host 10.0.0.1
# Combine
sudo tcpdump -i eth0 'tcp port 443 and host 192.168.1.50'
sudo tcpdump -i eth0 'host 1.1.1.1 and not port 53'
Reading tcpdump output
14:32:05.123456 IP 192.168.1.42.54321 > 1.1.1.1.443: Flags [S], seq 1234567890, win 65535, length 0
14:32:05.135412 IP 1.1.1.1.443 > 192.168.1.42.54321: Flags [S.], seq 987654321, ack 1234567891, win 65535, length 0
14:32:05.135520 IP 192.168.1.42.54321 > 1.1.1.1.443: Flags [.], ack 1, win 65535, length 0
That’s a TCP 3-way handshake captured live: [S] is the client's SYN, [S.] the server's SYN-ACK (the dot means ACK), and [.] the final ACK. tcpdump prints the absolute, randomly chosen initial sequence numbers in the first two segments and switches to relative numbers (ack 1) once it has seen both directions; the values above are illustrative, and real lines also list the TCP options. Timestamps have microsecond resolution by default, so the gap between the first two lines is the round trip to the server.
Wireshark — visual analysis
Wireshark opens pcap files (or captures live) and gives you a GUI to filter, dissect, and follow streams.
Display filters (different from capture filters)
Capture filters limit what gets captured and are applied before anything is written. Display filters limit what you SEE in a capture you already have. The syntax is different, and display filters are far richer: every field Wireshark dissects can be filtered on.
# Show only HTTP
http
# Show only DNS queries (plain "dns" shows queries and responses)
dns.flags.response == 0
# Show only traffic involving 192.168.1.50
ip.addr == 192.168.1.50
# Show only packets where TCP port is 443
tcp.port == 443
# HTTP requests for /api/*
http.request.uri contains "/api/"
# TCP retransmissions (signs of packet loss)
tcp.analysis.retransmission
# Combine
ip.addr == 10.0.0.1 and tcp.port == 443
# DNS responses with errors
dns.flags.rcode != 0
Follow stream
Right-click any packet → “Follow” → “TCP Stream” (or UDP, HTTP, TLS). Wireshark reassembles the entire conversation from the individual segments, in both directions, and shows it as a transcript. Follow TLS Stream only shows plaintext once decryption keys are configured (see below); until then it shows the encrypted application data.
Statistics
- Statistics → Conversations — see who talked to whom and how much
- Statistics → IO Graph — visualize packet rates over time
- Statistics → Endpoints — list every host that appeared
- Analyze → Expert Information — automatic summary of warnings (retransmissions, duplicate ACKs, malformed packets); note it lives under the Analyze menu, not Statistics
Common debugging recipes
“Connection times out”
sudo tcpdump -nn -i eth0 host target_host
# Look for: SYN sent (and retransmitted a few times), no SYN-ACK back → firewall dropping silently, or host unreachable
# Look for: SYN sent, RST back → host alive but port closed (or a firewall configured to reject)
# Look for: SYN-ACK back, then nothing from the application → the port is open; the problem is above layer 4
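Reading the three handshake lines by hand is fine for one connection; for a capture with many attempts, the classification above (SYN answered by SYN-ACK, by RST, or by nothing) can be automated. The script below is an added example for the "Reading tcpdump output" section and for this recipe; it is not part of the original page or of tcpdump. It reads `tcpdump -nn` text output on stdin and reports each client-initiated flow as OPEN, CLOSED or FILTERED. The embedded sample lines are constructed, not a real capture, and the sequence numbers in them are made up.

```shell
#!/bin/sh
# Added example (not from the page or from tcpdump): classify TCP connection attempts
# from `tcpdump -nn` text output. Reads stdin, prints one line per client-initiated flow.
#
# Live use (-l line-buffers stdout so the pipe sees each line as it is printed):
#   sudo tcpdump -nn -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' | classify_tcp_handshakes
classify_tcp_handshakes() {
  awk '
  # IPv4 TCP lines only: tcpdump prints "Flags [...]" for TCP segments (IPv6 lines start with IP6).
  $2 == "IP" && /Flags \[/ {
      src = $3
      dst = $5; sub(/:$/, "", dst)                 # "1.1.1.1.443:" -> "1.1.1.1.443"
      match($0, /Flags \[[A-Za-z.]*\]/)
      flags = substr($0, RSTART + 7, RLENGTH - 8)  # text between "Flags [" and "]"
      if (flags == "S") {                          # bare SYN: a client opening a flow
          key = src " > " dst
          if (!(key in state)) { state[key] = "syn_sent"; order[++n] = key }
          syns[key]++                              # retransmitted SYNs count here
      } else if (flags == "S.") {                  # SYN-ACK travels dst -> src
          key = dst " > " src
          if (key in state) state[key] = "open"
      } else if (flags ~ /R/) {                    # RST (usually [R.]) to an unanswered SYN
          key = dst " > " src
          if (key in state && state[key] == "syn_sent") state[key] = "closed"
      }
  }
  END {
      for (i = 1; i <= n; i++) {
          k = order[i]
          if (state[k] == "open")        v = "OPEN (SYN, SYN-ACK)"
          else if (state[k] == "closed") v = "CLOSED (SYN, RST)"
          else                           v = "FILTERED (" syns[k] " SYN(s), no reply)"
          print k ": " v
      }
  }'
}

# Constructed sample output (not a real capture; sequence numbers are made up):
# one completed handshake, one port that answered RST, one SYN retransmitted and never answered.
SAMPLE_TCPDUMP='14:32:05.123456 IP 192.168.1.42.54321 > 1.1.1.1.443: Flags [S], seq 1234567890, win 65535, length 0
14:32:05.135412 IP 1.1.1.1.443 > 192.168.1.42.54321: Flags [S.], seq 987654321, ack 1234567891, win 65535, length 0
14:32:05.135520 IP 192.168.1.42.54321 > 1.1.1.1.443: Flags [.], ack 1, win 65535, length 0
14:32:06.000001 IP 192.168.1.42.54322 > 10.0.0.9.22: Flags [S], seq 1111111111, win 65535, length 0
14:32:06.000900 IP 10.0.0.9.22 > 192.168.1.42.54322: Flags [R.], seq 0, ack 1111111112, win 0, length 0
14:32:07.000001 IP 192.168.1.42.54323 > 10.0.0.9.8080: Flags [S], seq 2222222222, win 65535, length 0
14:32:08.000001 IP 192.168.1.42.54323 > 10.0.0.9.8080: Flags [S], seq 2222222222, win 65535, length 0'

printf '%s\n' "$SAMPLE_TCPDUMP" | classify_tcp_handshakes
```

The FILTERED count matters: one SYN with no reply may just be a capture that stopped early, while the same SYN repeated at the kernel's backoff intervals (roughly 1, 2, 4, 8 seconds) with nothing coming back is the signature of a silent drop.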
“Packets are slow”
# In Wireshark, filter on tcp.analysis.retransmission (or tcp.analysis.flags for everything the expert system flagged)
# Lots of retransmissions = packet loss in the path; duplicate ACKs point the same way, zero-window updates mean a slow receiver instead
# Or check round-trip times
# Statistics → TCP Stream Graphs → Round Trip Time
“Request never reaches the server”
# Capture on both ends simultaneously (same filter, both with -nn; keep the clocks NTP-synced so timestamps compare)
# On client: sudo tcpdump -nn -i eth0 -w client.pcap host server
# On server: sudo tcpdump -nn -i eth0 -w server.pcap host client
# Compare: a packet in client.pcap that never appears in server.pcap was dropped in between
# (behind a NAT or load balancer it arrives with a different address, so filter on the translated one)
“DNS resolution fails”
sudo tcpdump -nn -i eth0 port 53
# udp port 53 catches most lookups; plain "port 53" also catches responses that fall back to TCP
# Look for: query sent, no response → resolver unreachable or dropping the query
# Look for: query sent, NXDomain response → name doesn't exist (check the search domain being appended)
# Look for: query sent, ServFail response → the resolver could not resolve it (upstream or DNSSEC failure)
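The same idea applied to DNS: match each query to its response by client endpoint and transaction id, then report what came back. This is an added example, not part of the original page or of tcpdump; it parses the text that `tcpdump -nn` prints for DNS (id, flags, qtype with a trailing "?", answer counts as an/ns/ar, and rcode words such as NXDomain and ServFail). The sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the page or from tcpdump): match DNS queries to their responses in
# `tcpdump -nn` text output and report, per query, answered / NXDomain / ServFail / no response.
#
# Live use:  sudo tcpdump -nn -l -i eth0 port 53 | classify_dns
classify_dns() {
  awk '
  $2 == "IP" {
      src = $3
      dst = $5; sub(/:$/, "", dst)
      id = $6; gsub(/[^0-9]/, "", id)                 # "36478+" -> "36478" (flag chars stripped)
      if ($0 ~ / [A-Z0-9]+\? /) {                     # query: a qtype followed by "?" (A?, AAAA?, ...)
          key = src " id " id                         # client endpoint + transaction id
          if (!(key in tries)) {
              order[++n] = key
              name[key] = $0; sub(/.*\? /, "", name[key]); sub(/ .*/, "", name[key])
          }
          tries[key]++                                # repeats are the resolver retrying
      } else {                                        # response: flows back to the client endpoint
          key = dst " id " id
          if (!(key in tries)) next                   # response to a query we never saw
          rc = "NoError"
          for (i = 7; i <= NF; i++) {
              if ($i ~ /^(NXDomain|ServFail|Refused|FormErr|NotImp)$/) rc = $i
              if ($i ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) { split($i, c, "/"); answers[key] = c[1] }  # an/ns/ar counts
          }
          rcode[key] = rc
      }
  }
  END {
      for (i = 1; i <= n; i++) {
          k = order[i]
          if (!(k in rcode))              v = "NO RESPONSE after " tries[k] " attempt(s)"
          else if (rcode[k] != "NoError") v = rcode[k]
          else                            v = "answered (" answers[k] " answer record(s))"
          print name[k] " (" k "): " v
      }
  }'
}

# Constructed sample (not a real capture): a normal answer, an NXDomain, a query retried against
# an internal resolver that never replies, and a ServFail.
SAMPLE_DNS='14:40:01.000100 IP 192.168.1.42.51234 > 1.1.1.1.53: 36478+ A? example.com. (29)
14:40:01.012300 IP 1.1.1.1.53 > 192.168.1.42.51234: 36478 1/0/0 A 93.184.216.34 (45)
14:40:02.000100 IP 192.168.1.42.51235 > 1.1.1.1.53: 9001+ A? nosuch.example.com. (36)
14:40:02.011000 IP 1.1.1.1.53 > 192.168.1.42.51235: 9001 NXDomain 0/1/0 (104)
14:40:03.000100 IP 192.168.1.42.51236 > 10.0.0.53.53: 4242+ AAAA? internal.corp. (31)
14:40:04.000100 IP 192.168.1.42.51236 > 10.0.0.53.53: 4242+ AAAA? internal.corp. (31)
14:40:05.000100 IP 192.168.1.42.51237 > 1.1.1.1.53: 777+ A? broken.example. (32)
14:40:05.050000 IP 1.1.1.1.53 > 192.168.1.42.51237: 777 ServFail 0/0/0 (32)'

printf '%s\n' "$SAMPLE_DNS" | classify_dns
```

A NO RESPONSE with several attempts against one resolver address, while other resolvers answer, isolates the problem to that resolver or the path to it; an NXDomain for a short name usually means the search domain was appended and the resulting FQDN really does not exist.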
Decrypting TLS in Wireshark
Wireshark can decrypt TLS if it has the keys. The server's RSA private key only works when the handshake used RSA key exchange; with (EC)DHE or TLS 1.3 the private key is useless, because the session keys are never sent on the wire. The practical method is to have the client log its per-session secrets:
- Set the SSLKEYLOGFILE env var to a file path before launching the browser (Firefox and Chromium honour it, as does curl built against OpenSSL or GnuTLS)
- The browser writes one line per secret to that file (CLIENT_RANDOM for TLS 1.2 and earlier; the per-direction traffic secrets for TLS 1.3)
- In Wireshark: Edit → Preferences → Protocols → TLS → “(Pre)-Master-Secret log filename”, pointing at that file
- Reload the pcap; HTTPS now dissects as plaintext HTTP (or HTTP/2)
Treat the key log file like the private key it replaces: anyone holding it together with the pcap can read every logged session.
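When decryption "doesn't work", the first thing to check is the key log file itself: whether the client wrote anything, which labels it wrote, and whether the lines are well-formed. The script below is an added example, not part of the original page, of Wireshark or of any browser. It checks a key log against the NSS key log format that SSLKEYLOGFILE produces (label, 64-hex client_random, hex secret) and summarises it; the sample file it writes is constructed and contains no real secrets. The function name keylog_summary is this example's own.

```shell
#!/bin/sh
# Added example (not from the page, Wireshark or any browser): sanity-check an SSLKEYLOGFILE
# before pointing Wireshark at it. NSS key log format, one record per line:
#   <LABEL> <client_random as 64 hex chars> <secret as hex>
# CLIENT_RANDOM carries the 48-byte master secret (TLS 1.2 and earlier). TLS 1.3 writes several
# per-direction secrets (32 or 48 bytes, by cipher suite hash) that share one client_random.
# Wireshark matches records to sessions by client_random from the ClientHello in the pcap.
keylog_summary() {   # keylog_summary FILE -> sorted lines: "<LABEL> <count>", "sessions N", "malformed N"
  awk '
  /^#/ || /^[[:space:]]*$/ { next }                   # comments and blank lines are allowed
  {
      ok = (NF == 3 && length($2) == 64 && $2 ~ /^[0-9a-fA-F]+$/ && $3 ~ /^[0-9a-fA-F]+$/)
      if ($1 == "CLIENT_RANDOM")
          ok = ok && length($3) == 96
      else if ($1 ~ /^(CLIENT|SERVER)_(HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0)$/ || $1 ~ /^(CLIENT_EARLY_TRAFFIC_SECRET|EARLY_EXPORTER_SECRET|EXPORTER_SECRET)$/)
          ok = ok && (length($3) == 64 || length($3) == 96)
      else
          ok = 0                                      # unknown label: Wireshark will not use it
      if (!ok) { malformed++; next }
      count[$1]++
      if (!($2 in seen)) { seen[$2] = 1; sessions++ } # one client_random per handshake
  }
  END {
      for (l in count) print l " " count[l]
      print "sessions " sessions + 0
      print "malformed " malformed + 0
  }' "$1" | sort
}

# Constructed sample key log (no real secrets): one TLS 1.2 session, one TLS 1.3 session,
# and one truncated line of the kind a crashed or interrupted client can leave behind.
R1=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
R2=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
S96=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
S64=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
KEYLOG=$(mktemp)
cat > "$KEYLOG" <<EOF
# constructed sample, not real secrets
CLIENT_RANDOM $R1 $S96
CLIENT_HANDSHAKE_TRAFFIC_SECRET $R2 $S64
SERVER_HANDSHAKE_TRAFFIC_SECRET $R2 $S64
CLIENT_TRAFFIC_SECRET_0 $R2 $S64
SERVER_TRAFFIC_SECRET_0 $R2 $S64
EXPORTER_SECRET $R2 $S64
CLIENT_RANDOM $R1 deadbeef
EOF
chmod 600 "$KEYLOG"   # the key log unlocks the sessions: keep it as private as the pcap, or more so
keylog_summary "$KEYLOG"
```

On the command line the same preference is passed to tshark as `tshark -r capture.pcap -o tls.keylog_file:/path/to/keys.log -Y http`. If the summary shows zero sessions, the client was not started from the environment where the variable was set (a common failure with snap or Flatpak browsers and with already-running instances); if it shows only CLIENT_RANDOM lines for a TLS 1.3 connection, the client is not logging 1.3 secrets and nothing will decrypt.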
Capture only the headers (smaller files)
# Capture only the first 96 bytes of each packet: enough for Ethernet + IPv4 + TCP headers with options,
# tight for IPv6 + TCP with options (94 bytes) and too short once VLAN tags or tunnel headers are added
sudo tcpdump -i eth0 -s 96 -w small.pcap
# Default snaplen is 262144 bytes (whole packets); a small snaplen dramatically shrinks files and also
# keeps application payload (credentials, cookies, request bodies) out of the capture file
Common mistakes
- Capturing traffic you are not authorized to see: promiscuous-mode or mirror-port captures on shared networks pick up other people's sessions, which may be illegal
- Filling the disk with multi-gigabyte pcaps from busy interfaces (bound it with a ring buffer: -C size -W count, or rotate on time with -G seconds)
- Capturing on the wrong interface (wlan0 vs eth0; check with tcpdump -D)
- Forgetting privileges: opening a capture device needs CAP_NET_RAW and promiscuous mode needs CAP_NET_ADMIN, so run as root or grant those capabilities to the capture binary (Wireshark's dumpcap is set up this way)
- Treating pcaps and SSLKEYLOGFILE files as harmless: they contain cookies, tokens and credentials, so store, share and delete them accordingly
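Most of these mistakes are avoided by never typing a long-running capture by hand. The wrapper below is an added example, not part of the original page or of tcpdump: it verifies the interface, checks that a ring buffer of the requested size fits the output directory, captures headers only with no name resolution, and drops root (-Z) once the device is open. The helper names ring_bytes, ring_fits, iface_exists and start_capture are this script's own; the tcpdump flags are real. With DRY_RUN=1 it prints the command instead of running it, which is how the demo at the bottom runs without root.

```shell
#!/bin/sh
# Added example (not from the page or from tcpdump): a wrapper for long-running captures that
# verifies the interface, bounds disk use with a ring buffer, captures headers only, resolves
# no names and drops root once the device is open.
# The helper names (ring_bytes, ring_fits, iface_exists, start_capture) are this script's own.

# Bytes a ring buffer occupies: tcpdump -C counts in units of 1,000,000 bytes, -W is the file count.
ring_bytes() { echo $(( $1 * 1000000 * $2 )); }

# ring_fits DIR SIZE_MB COUNT: true if the ring plus 10% headroom fits in DIR's free space.
ring_fits() {
  avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
  need_kb=$(( $(ring_bytes "$2" "$3") / 1000 * 11 / 10 ))
  [ "${avail_kb:-0}" -ge "$need_kb" ]
}

# iface_exists NAME: Linux lists interfaces under /sys/class/net; fall back to ifconfig elsewhere.
iface_exists() { [ -e "/sys/class/net/$1" ] || ifconfig "$1" >/dev/null 2>&1; }

# start_capture IFACE OUTDIR SIZE_MB COUNT [BPF filter words...]
#   -nn      no name resolution (no DNS chatter from the capture host, no stalls)
#   -s 96    headers only: payloads (credentials, cookies) never reach the file
#   -C/-W    rotate every SIZE_MB MB, keep COUNT files, overwrite the oldest (bounded disk use)
#   -Z user  drop root after the device is open; OUTDIR must be writable by that user
# With DRY_RUN=1 the command is printed instead of executed.
start_capture() {
  iface=$1; outdir=$2; size=$3; count=$4; shift 4
  iface_exists "$iface" || { echo "no such interface: $iface (list them with tcpdump -D)" >&2; return 2; }
  [ -d "$outdir" ] && [ -w "$outdir" ] || { echo "output dir $outdir missing or not writable" >&2; return 2; }
  ring_fits "$outdir" "$size" "$count" || { echo "ring of $size MB x $count files does not fit in $outdir" >&2; return 2; }
  set -- tcpdump -i "$iface" -nn -s 96 -C "$size" -W "$count" -Z nobody -w "$outdir/$iface.pcap" "$@"
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; return 0; fi
  exec sudo "$@"
}

# Demo, dry run: a 10 x 100 MB ring of HTTPS headers on the loopback interface.
DRY_RUN=1 start_capture lo /tmp 100 10 tcp port 443 || echo "pre-flight check failed (status $?)" >&2
```

The BPF expression is passed as separate arguments rather than through eval, so a filter taken from a variable cannot smuggle shell syntax into the command; tcpdump concatenates the words itself. The files come out as lo.pcap00 through lo.pcap09 and are overwritten in order, so the ring holds the most recent 1 GB of headers however long the capture runs.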
What to learn next
The network hardening checklist — pulling all the security topics together. Up next.