Stage 3 · Build
TCP/IP Fundamentals
Packet Capture with tcpdump & Wireshark
Capture, filter, and read network traffic to diagnose production issues.
tcpdump Basics
tcpdump is the universal command-line packet analyzer. It uses libpcap to capture traffic on any network interface. It is installed by default on most Linux and macOS systems and is your first tool for debugging network issues.
# Capture on default interface
sudo tcpdump
# Capture on specific interface
sudo tcpdump -i eth0
# Capture all interfaces
sudo tcpdump -i any
# Write capture to file
sudo tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcapAlways use sudo — packet capture requires root privileges. The -w flag writes raw packets to a pcap file you can analyze later in Wireshark.
BPF Filter Syntax
tcpdump uses Berkeley Packet Filter (BPF) syntax to filter traffic. Filters are essential — without them, you capture everything and drown in noise.
# Filter by host
sudo tcpdump -i eth0 host 10.0.0.5
# Filter by port
sudo tcpdump -i eth0 port 443
# Filter by source or destination
sudo tcpdump -i eth0 src host 10.0.0.5
sudo tcpdump -i eth0 dst port 80
# Combine filters with and/or
sudo tcpdump -i eth0 'host 10.0.0.5 and port 443'
# Filter by protocol
sudo tcpdump -i eth0 icmp
sudo tcpdump -i eth0 udp
# Filter by subnet
sudo tcpdump -i eth0 net 10.0.0.0/24Always quote the filter expression when using 'and' or 'or' operators. Without quotes, the shell interprets these as shell commands.
Use -c to limit the number of packets captured. Always filter aggressively — capturing all traffic on a busy production server will consume disk and CPU fast. Capture to a ring buffer with -C and -W to limit disk usage.
Reading Packet Output
tcpdump output shows one line per packet with timestamp, protocol details, source, destination, and flags. Understanding this output is critical for debugging.
14:32:01.123456 IP 10.0.0.5.44832 > 10.0.1.10.443: Flags [S], seq 1234567890, win 65535, options [mss 1460,sackOK,TS val 1234 ecr 0,nop,wscale 7], length 0
14:32:01.123789 IP 10.0.1.10.443 > 10.0.0.5.44832: Flags [S.], seq 987654321, ack 1234567891, win 65535, options [mss 1460,sackOK,TS val 4567 ecr 1234,nop,wscale 7], length 0
14:32:01.124012 IP 10.0.0.5.44832 > 10.0.1.10.443: Flags [.], ack 1, win 512, length 0Flags: [S] = SYN, [S.] = SYN-ACK, [.] = ACK, [P.] = PSH-ACK (data), [F.] = FIN-ACK. This output shows a complete TCP three-way handshake in three packets.
Common Capture Patterns
# Capture DNS queries
sudo tcpdump -i eth0 port 53 -nn
# Capture HTTP traffic (unencrypted)
sudo tcpdump -i eth0 port 80 -A | grep -E '^(GET|POST|HTTP)'
# Capture TLS handshakes (first 300 bytes of data)
sudo tcpdump -i eth0 port 443 -s 300 -X
# Capture connection resets
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0'
# Capture SYN packets only (new connections)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'
# Capture with timestamps and packet count
sudo tcpdump -i eth0 -tttt -c 100 port 443The tcp[tcpflags] syntax accesses specific bits in the TCP header. This lets you filter on individual flags regardless of which other flags are set.
Wireshark Analysis
Wireshark is the graphical counterpart to tcpdump. It reads pcap files and provides protocol dissection, flow visualization, conversation tracking, and expert analysis. Use tcpdump on servers, then open captures in Wireshark for deep analysis.
# On the server, capture with tcpdump
sudo tcpdump -i eth0 -w /tmp/debug.pcap port 443
# Download and open in Wireshark
# Or use tshark (Wireshark's CLI) for quick analysis
tshark -r debug.pcap -Y "tcp.analysis.retransmission" -T fields -e frame.number -e ip.src -e ip.dsttshark is Wireshark's command-line tool. It uses the same display filters as Wireshark and is useful when you want to analyze captures on a remote server without transferring the file.
When debugging connection issues, filter for retransmissions (tcp.analysis.retransmission), zero-window probes (tcp.analysis.zero_window), and duplicate ACKs (tcp.analysis.duplicate_ack). These indicate network problems, application slowness, or congestion.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.