tcpdump & tshark Guide
sudo apt install tcpdump tshark brew install tcpdump wireshark # Windows: use Wireshark installer (includes tshark)
tcpdump is the lowest-level network debugging tool. It captures raw packets using libpcap and prints protocol headers. Master `-i any` (all interfaces), `-n` (no DNS resolution, faster), and BPF filter syntax (`host`, `port`, `tcp`, `icmp`) to avoid data overload.
tshark (Wireshark's CLI) is tcpdump on steroids — it understands hundreds of protocols at the application layer (HTTP, DNS, TLS, gRPC). Use `-Y` for display filters (same syntax as Wireshark) and `-T json` for machine-readable output.
The power combo: capture with tcpdump to a file (`-w capture.pcap`), then analyze with tshark or open in Wireshark GUI. GUI: Wireshark has the best protocol dissection UI — use it for deep analysis of TLS handshakes, HTTP/2 frames, or DNS resolution issues.
Capture Basics
sudo tcpdump -i any -n # All interfaces, no DNS sudo tcpdump -i eth0 -c 1000 # Stop after 1000 packets sudo tcpdump -i any -w capture.pcap # Write to file sudo tcpdump -r capture.pcap # Read from file
Filters
sudo tcpdump -i any -A port 80 # -A: ASCII payload sudo tcpdump -i any -X port 80 # -X: hex + ASCII sudo tcpdump -i any -s 0 port 80 # Full packet (no truncation) # tshark: nicer HTTP view tshark -i any -Y "http.request || http.response" -T fields -e http.host -e http.request.uri
sudo tcpdump -i any host 192.168.1.1 sudo tcpdump -i any src host 10.0.0.5 sudo tcpdump -i any dst host 8.8.8.8 sudo tcpdump -i any net 192.168.0.0/16
sudo tcpdump port 443 # HTTPS only sudo tcpdump portrange 8000-9000 sudo tcpdump "tcp port (22 or 443 or 80)" sudo tcpdump "not port 22 and not port 53" # Exclude SSH and DNS
sudo tcpdump "tcp[tcpflags] & (tcp-syn) != 0" # SYN packets sudo tcpdump "tcp[tcpflags] & (tcp-rst) != 0" # RST (connection reset) sudo tcpdump "tcp[tcpflags] & (tcp-fin) != 0" # FIN (connection close) # Find TCP RST from server: sudo tcpdump "tcp[tcpflags] & (tcp-rst) != 0 and src host 10.0.0.1"
Analysis
# tshark: HTTP response time tshark -r capture.pcap -Y "http.response" -T fields \ -e frame.time_relative -e http.response.code -e http.request.uri # Calculate TCP handshake RTT: tshark -r capture.pcap -Y "tcp.flags.syn==1" -T fields \ -e frame.time_relative -e tcp.stream | head -20
# tshark TLS details tshark -r capture.pcap -Y "tls.handshake.type == 11" -T fields \ -e tls.handshake.certificate # Show TLS versions offered tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields \ -e tls.handshake.version # Detect weak ciphers tshark -r capture.pcap -Y "tls.handshake.ciphersuite == 0x00,0x9c" # TLS_RSA_WITH_AES_128_GCM
Performance
sudo tcpdump -i any -C 100 -W 10 -w rotate.pcap # -C: rotate every 100 MB, -W: keep 10 files # Ring buffer: never fills disk # Monitoring mode (no writing): sudo tcpdump -i any -n -c 1000 -Z root # Drop privileges after opening
Tricks
sudo tcpdump -i any -n port 53 sudo tcpdump -i any -n "udp port 53" # tshark: DNS query names and response IPs tshark -i any -Y "dns.flags.response == 0" -T fields -e dns.qry.name # Find slow DNS (>100ms): tshark -r capture.pcap -Y "dns.time > 0.1" -T fields -e dns.qry.name -e dns.time
sudo tcpdump -i any -w prod-traffic.pcap -c 100000 # Capture 100k packets # Replay with tcpreplay (separate install): sudo tcpreplay -i eth0 prod-traffic.pcap # Replay to test server # Extract HTTP objects with tshark: tshark -r capture.pcap --export-objects "http,/tmp/http-extract"