Network troubleshooting is an essential skill for system administrators, DevOps engineers, and security professionals. When applications fail or perform poorly, packet-level analysis often reveals the root cause. This comprehensive guide explores tcpdump and Wireshark, the industry-standard tools for capturing and analyzing network traffic.
Understanding Packet Capture
Packet capture operates at the network interface level, intercepting all traffic passing through. Both tcpdump and Wireshark use libpcap (or WinPcap/Npcap on Windows), which provides a portable framework for low-level network monitoring[1].
Capture Mechanisms
Promiscuous Mode: Captures all packets on the network segment, not just those addressed to your interface Monitor Mode: For wireless adapters, captures 802.11 frames including management and control frames Buffering: Kernel buffers packets to prevent loss during high-traffic scenarios
Understanding these mechanisms is crucial because misconfiguration can lead to missed packets or system performance degradation.
tcpdump Fundamentals
tcpdump is the command-line packet analyzer, perfect for remote servers, automated monitoring, and quick diagnostics.
Basic Syntax and Filters
# Capture packets on eth0
tcpdump -i eth0
## Capture specific number of packets
tcpdump -c 100 -i eth0
## Capture from all interfaces
tcpdump -i any
## Write to file (pcap format)
tcpdump -i eth0 -w capture.pcap
## Read from file
tcpdump -r capture.pcap
## Show more detail (-v, -vv, -vvv for increasing verbosity)
tcpdump -vv -i eth0
## Don't convert addresses to names (-n)
tcpdump -n -i eth0
## Show packet contents in hex and ASCII
tcpdump -X -i eth0
Berkeley Packet Filter (BPF) Syntax
BPF provides powerful filtering capabilities to capture only relevant traffic:
## Filter by host
tcpdump host 192.168.1.100
## Filter by network
tcpdump net 192.168.1.0/24
## Filter by port
tcpdump port 80
tcpdump portrange 8000-9000
## Filter by protocol
tcpdump icmp
tcpdump tcp
tcpdump udp
## Combining filters with logical operators
tcpdump 'host 192.168.1.100 and port 443'
tcpdump 'tcp port 80 or tcp port 443'
tcpdump 'not port 22'
## Filter by TCP flags
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' # SYN or FIN
tcpdump 'tcp[tcpflags] == tcp-syn' # Only SYN packets
## Filter by packet size
tcpdump 'greater 1000' # Packets larger than 1000 bytes
tcpdump 'less 64' # Packets smaller than 64 bytes
Advanced tcpdump Techniques
Capture HTTP requests:
## Capture HTTP GET requests
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
## More readable: capture TCP packets with data on port 80
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'GET\|POST\|HTTP'
## Simpler approach: capture packets with payload on port 80
tcpdump -A -s 0 'tcp dst port 80 and tcp[32:4] = 0x47455420' # "GET " in hex
Capture DNS queries:
## All DNS queries
tcpdump -i any -n port 53
## DNS queries for specific domain
tcpdump -i any -n port 53 | grep 'example.com'
## Detailed DNS query/response
tcpdump -i any -n -vv port 53
Monitor TCP handshakes:
## Capture three-way handshake
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'
## Monitor connection establishment to specific port
tcpdump 'tcp port 443 and tcp[tcpflags] & tcp-syn != 0'
Wireshark Deep Dive
Wireshark provides a graphical interface for packet analysis with powerful filtering, protocol dissection, and visualization capabilities[2].
Capture Filters vs Display Filters
Capture filters (BPF syntax) determine what’s captured:
host 192.168.1.100
tcp port 443
not broadcast and not multicast
Display filters (Wireshark syntax) determine what’s shown:
ip.addr == 192.168.1.100
tcp.port == 443
http.request.method == "POST"
dns.qry.name contains "example.com"
tcp.analysis.retransmission
| Capture Filter | Display Filter | Purpose |
|---|---|---|
host 10.0.0.1 | ip.addr == 10.0.0.1 | Filter by IP address |
port 80 | tcp.port == 80 | Filter by port |
tcp | tcp | Protocol filter |
net 192.168.0.0/24 | ip.addr == 192.168.0.0/24 | Network range |
not broadcast | !(eth.dst == ff:ff:ff:ff:ff:ff) | Exclude broadcasts |
Essential Display Filters
## HTTP analysis
http
http.request
http.response.code == 404
http.request.method == "GET"
http.host == "example.com"
## TCP analysis
tcp.analysis.flags # Shows TCP problems (retransmission, out-of-order, etc.)
tcp.analysis.retransmission
tcp.analysis.zero_window
tcp.analysis.duplicate_ack
## TLS/SSL analysis
tls.handshake.type == 1 # Client Hello
tls.handshake.type == 2 # Server Hello
ssl.record.version == 0x0303 # TLS 1.2
## DNS analysis
dns.qry.type == 1 # A record queries
dns.qry.type == 28 # AAAA record queries
dns.flags.response == 1 # DNS responses
dns.flags.rcode != 0 # DNS errors
## Filter conversations
ip.addr == 192.168.1.100 && ip.addr == 10.0.0.1
## Time-based filtering
frame.time >= "2025-11-11 10:00:00" && frame.time <= "2025-11-11 11:00:00"
## Packet size filtering
frame.len > 1000
## String matching in payload
tcp contains "password"
http.request.uri contains "admin"
Common Troubleshooting Scenarios
Scenario 1: Connection Timeout
Symptoms: Application unable to connect to remote service
## Capture connection attempts
tcpdump -i any 'tcp port 3306 and tcp[tcpflags] & tcp-syn != 0' -n
## What to look for:
## - SYN packets sent but no SYN-ACK response: Firewall blocking or service not listening
## - SYN-ACK received but no final ACK: Client-side issue
## - RST packets: Connection actively refused
Wireshark analysis:
- Filter:
tcp.port == 3306 - Look at TCP stream: Right-click packet → Follow → TCP Stream
- Check TCP flags column for handshake completion
- Examine “Expert Info” for warnings
Scenario 2: Slow Application Performance
Symptoms: High latency, timeouts, poor throughput
## Capture traffic and analyze timing
tcpdump -i eth0 'host 192.168.1.100' -w slow-app.pcap
## Wireshark analysis:
## 1. Statistics → Conversations → TCP tab
## Look for: High packet loss, retransmissions
## 2. Statistics → TCP Stream Graphs → Time Sequence (tcptrace)
## Look for: Flat lines indicating no data transfer
## 3. Statistics → IO Graphs
## Look for: Traffic patterns, spikes
Key metrics to examine:
- TCP retransmissions:
tcp.analysis.retransmission - Duplicate ACKs:
tcp.analysis.duplicate_ack - Zero windows:
tcp.analysis.zero_window(receiver buffer full) - RTT: Statistics → TCP Stream Graphs → Round Trip Time
Scenario 3: HTTP/API Issues
## Capture HTTP traffic
tcpdump -i any 'tcp port 80 or tcp port 443' -w http-debug.pcap -s 0
## In Wireshark:
## File → Export Objects → HTTP
## This extracts all HTTP objects for inspection
Display filters for HTTP debugging:
## Show only error responses
http.response.code >= 400
## Show slow responses
http.time > 1.0
## Show large POST requests
http.request.method == "POST" && http.content_length > 1000000
## Follow specific HTTP stream
http.host == "api.example.com"
Scenario 4: DNS Problems
## Capture DNS traffic
tcpdump -i any 'port 53' -w dns-debug.pcap
## Analyze DNS queries and responses
tcpdump -r dns-debug.pcap -n | grep 'A?' # Queries
tcpdump -r dns-debug.pcap -n | grep 'A:' # Answers
Common DNS issues visible in captures:
- High query latency: Time between query and response > 100ms
- NXDOMAIN responses: Domain doesn’t exist
- SERVFAIL: DNS server error
- No response: Query sent but no answer (firewall issue)
Scenario 5: SSL/TLS Handshake Failures
## Capture SSL/TLS handshake
tcpdump -i any 'tcp port 443' -w tls-handshake.pcap
## In Wireshark, filter:
tls.handshake.type
TLS handshake sequence:
- Client Hello (type 1)
- Server Hello (type 2)
- Certificate (type 11)
- Server Hello Done (type 14)
- Client Key Exchange (type 16)
- Change Cipher Spec
- Finished
Common TLS problems:
- Missing Server Hello: Server not responding
- Certificate verification failure: Check Certificate messages
- Cipher suite mismatch: Compare Client Hello and Server Hello cipher suites
- Alert messages: Look for TLS alert packets (type 21)
Advanced Analysis Techniques
Statistical Analysis
## Wireshark: Statistics menu provides powerful analysis
## 1. Protocol Hierarchy
## Statistics → Protocol Hierarchy
## Shows: Distribution of protocols, bandwidth usage
## 2. Conversations
## Statistics → Conversations
## Shows: Top talkers, bandwidth per conversation
## 3. Endpoints
## Statistics → Endpoints → IPv4 tab
## Shows: Traffic per IP address
## 4. IO Graphs
## Statistics → IO Graphs
## Shows: Traffic over time, customizable filters
Coloring Rules for Quick Identification
Wireshark’s default coloring rules highlight common issues:
- Black on pink: TCP retransmissions
- Red on black: Errors
- Black on yellow: HTTP errors
- Black on light blue: TCP connection establishment
Custom coloring rule for slow HTTP responses:
Name: Slow HTTP
Filter: http.time > 1.0
Foreground: Black
Background: Orange
Exporting and Reporting
## Export packet dissections to text
tshark -r capture.pcap > dissections.txt
## Export specific fields to CSV
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port -E header=y -E separator=, > connections.csv
## Generate statistics report
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z io,phs # Protocol hierarchy
## Extract HTTP objects
tshark -r capture.pcap --export-objects http,/tmp/http-objects/
Security Analysis with Packet Capture
Detecting Port Scans
## Detect SYN scans
tcpdump 'tcp[tcpflags] == tcp-syn' -n | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -nr
## In Wireshark:
## Look for: Many SYN packets to different ports from same source
tcp.flags.syn == 1 && tcp.flags.ack == 0
Identifying Malicious Traffic
Wireshark display filters for security analysis:
## Detect large DNS responses (possible DNS amplification)
dns && frame.len > 512
## Detect TLS certificates for known malicious domains
tls.handshake.certificate
## Detect potential data exfiltration (large outbound transfers)
tcp.dstport == 443 && tcp.len > 1000
## Detect potential DDoS (SYN flood)
tcp.flags.syn == 1 && tcp.flags.ack == 0
## Detect suspicious user agents
http.user_agent contains "sqlmap" || http.user_agent contains "nikto"
Performance Optimization
Reducing Capture Overhead
## Use snaplen to capture only packet headers (faster)
tcpdump -i eth0 -s 96 # Capture first 96 bytes
## Use ring buffer to limit disk usage
tcpdump -i eth0 -w capture.pcap -C 100 -W 5
## -C 100: Files max 100MB
## -W 5: Keep only 5 files (rotates)
## Capture to ramdisk for better performance
tcpdump -i eth0 -w /dev/shm/capture.pcap
Analyzing Large Capture Files
## Split large pcap files
tcpdump -r large.pcap -w split.pcap -C 100
## Use editcap (part of Wireshark suite)
editcap -c 10000 large.pcap split.pcap # Split every 10k packets
## Extract specific time range
editcap -A "2025-11-11 10:00:00" -B "2025-11-11 11:00:00" large.pcap filtered.pcap
## Remove duplicate packets
editcap -d large.pcap dedup.pcap
Best Practices
Capture Planning
- Define objectives: What are you looking for?
- Choose appropriate filters: Reduce noise, capture relevant traffic
- Consider privacy: Avoid capturing sensitive data
- Storage planning: Estimate capture size (1 Gbps ≈ 450 GB/hour uncompressed)
- Time limits: Set appropriate capture duration
Legal and Ethical Considerations
- Authorization: Only capture traffic you’re authorized to monitor
- PII protection: Packet captures may contain passwords, personal data
- Retention policies: Don’t keep captures longer than necessary
- Encryption: Encrypt stored capture files
- Documentation: Document when, where, and why captures were taken
Related Articles
- How to Deploy a React App to AWS S3 and CloudFront
- Load Balancing Algorithms and Strategies
- Cloudflare Workers: Serverless Web Application
- Cloudflare DDoS Protection. How is it so good AND free?
Conclusion
tcpdump and Wireshark are indispensable tools for network troubleshooting and analysis. Mastering these tools enables rapid diagnosis of network issues, security incident investigation, and performance optimization.
Key recommendations:
- Learn BPF syntax for efficient tcpdump filtering
- Master Wireshark display filters for quick problem identification
- Use statistical analysis features to identify patterns
- Practice with real-world scenarios to build intuition
- Always consider privacy and legal implications
- Automate repetitive analysis tasks with tshark scripts
- Maintain a library of useful filters for common scenarios
With practice, packet-level analysis becomes second nature, dramatically reducing mean time to resolution (MTTR) for network issues from hours to minutes.
References
[1] Van Jacobson, et al. (1989). The tcpdump Manual Page. Lawrence Berkeley Laboratory. Available at: https://www.tcpdump.org/manpages/tcpdump.1.html (Accessed: November 2025)
[2] Wireshark Foundation. (2024). Wireshark User’s Guide. Available at: https://www.wireshark.org/docs/wsug_html_chunked/ (Accessed: November 2025)
[3] Sanders, C. (2017). Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. No Starch Press. Available at: https://nostarch.com/packetanalysis3 (Accessed: November 2025)
[4] Orebaugh, A. et al. (2006). Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress. Available at: https://www.elsevier.com/books/wireshark-and-ethereal-network-protocol-analyzer-toolkit/orebaugh/978-1-59749-073-6 (Accessed: November 2025)