Skip to content
>_devvkit
$devvkit learn --librarie tcpdump-&-tshark-guide

tcpdump & tshark Guide

[networking][packet][analysis][troubleshooting]
Network Diagnostics
Install
sudo apt install tcpdump tshark
brew install tcpdump wireshark
# Windows: use Wireshark installer (includes tshark)

tcpdump is the lowest-level network debugging tool. It captures raw packets using libpcap and prints protocol headers. Master `-i any` (all interfaces), `-n` (no DNS resolution, faster), and BPF filter syntax (`host`, `port`, `tcp`, `icmp`) to avoid data overload.

tshark (Wireshark's CLI) is tcpdump on steroids — it understands hundreds of protocols at the application layer (HTTP, DNS, TLS, gRPC). Use `-Y` for display filters (same syntax as Wireshark) and `-T json` for machine-readable output.

The power combo: capture with tcpdump to a file (`-w capture.pcap`), then analyze with tshark or open in Wireshark GUI. GUI: Wireshark has the best protocol dissection UI — use it for deep analysis of TLS handshakes, HTTP/2 frames, or DNS resolution issues.

Capture Basics

Capture all trafficFull packet capture.
sudo tcpdump -i any -n          # All interfaces, no DNS
sudo tcpdump -i eth0 -c 1000    # Stop after 1000 packets
sudo tcpdump -i any -w capture.pcap   # Write to file
sudo tcpdump -r capture.pcap          # Read from file

Filters

HTTP trafficCapture HTTP requests/responses.
sudo tcpdump -i any -A port 80          # -A: ASCII payload
sudo tcpdump -i any -X port 80          # -X: hex + ASCII
sudo tcpdump -i any -s 0 port 80        # Full packet (no truncation)

# tshark: nicer HTTP view
tshark -i any -Y "http.request || http.response" -T fields -e http.host -e http.request.uri
Filter by hostSpecific IP or host.
sudo tcpdump -i any host 192.168.1.1
sudo tcpdump -i any src host 10.0.0.5
sudo tcpdump -i any dst host 8.8.8.8
sudo tcpdump -i any net 192.168.0.0/16
Filter by portSpecific port range.
sudo tcpdump port 443                                     # HTTPS only
sudo tcpdump portrange 8000-9000
sudo tcpdump "tcp port (22 or 443 or 80)"
sudo tcpdump "not port 22 and not port 53"               # Exclude SSH and DNS
TCP flagsSyn, RST, FIN packets.
sudo tcpdump "tcp[tcpflags] & (tcp-syn) != 0"            # SYN packets
sudo tcpdump "tcp[tcpflags] & (tcp-rst) != 0"            # RST (connection reset)
sudo tcpdump "tcp[tcpflags] & (tcp-fin) != 0"            # FIN (connection close)
# Find TCP RST from server:
sudo tcpdump "tcp[tcpflags] & (tcp-rst) != 0 and src host 10.0.0.1"

Analysis

Latency between packetsTiming analysis.
# tshark: HTTP response time
tshark -r capture.pcap -Y "http.response" -T fields \
  -e frame.time_relative -e http.response.code -e http.request.uri

# Calculate TCP handshake RTT:
tshark -r capture.pcap -Y "tcp.flags.syn==1" -T fields \
  -e frame.time_relative -e tcp.stream | head -20
TLS handshakeInspect TLS certificates.
# tshark TLS details
tshark -r capture.pcap -Y "tls.handshake.type == 11" -T fields \
  -e tls.handshake.certificate

# Show TLS versions offered
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields \
  -e tls.handshake.version

# Detect weak ciphers
tshark -r capture.pcap -Y "tls.handshake.ciphersuite == 0x00,0x9c"  # TLS_RSA_WITH_AES_128_GCM

Performance

Performance: ring bufferContinuous capture without disk blowup.
sudo tcpdump -i any -C 100 -W 10 -w rotate.pcap
# -C: rotate every 100 MB, -W: keep 10 files
# Ring buffer: never fills disk

# Monitoring mode (no writing):
sudo tcpdump -i any -n -c 1000 -Z root  # Drop privileges after opening

Tricks

DNS queriesSee DNS resolution.
sudo tcpdump -i any -n port 53
sudo tcpdump -i any -n "udp port 53"

# tshark: DNS query names and response IPs
tshark -i any -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# Find slow DNS (>100ms):
tshark -r capture.pcap -Y "dns.time > 0.1" -T fields -e dns.qry.name -e dns.time
Save and replayRe-inject captured packets.
sudo tcpdump -i any -w prod-traffic.pcap -c 100000   # Capture 100k packets
# Replay with tcpreplay (separate install):
sudo tcpreplay -i eth0 prod-traffic.pcap              # Replay to test server

# Extract HTTP objects with tshark:
tshark -r capture.pcap --export-objects "http,/tmp/http-extract"