Master Linux Network Troubleshooting with tcpdump and Wireshark
This guide walks you through installing and using tcpdump and Wireshark on Linux, showing how to capture packets, filter traffic, analyze protocols, and combine command‑line and GUI tools for effective network performance debugging.
Why packet capture matters
When a production service suddenly fails and logs provide no clues, the first question should be "Did you capture the traffic?" Using tcpdump on the server and Wireshark locally turns network data into an X‑ray view of the problem.
1. Start with tcpdump
tcpdump is a command‑line packet sniffer that comes pre‑installed on most Linux distributions.
Installation
# Ubuntu/Debian
sudo apt install tcpdump
# CentOS/RHEL
sudo yum install tcpdump
# macOS (built‑in)
Basic test command:
sudo tcpdump -i any -c 5
This listens on all interfaces (-i any) and stops after capturing five packets (-c 5). The sample output shows timestamps, IP addresses, ports, flags and sequence numbers.
Common options:
-i any: listen on all interfaces
-n: do not resolve hostnames; show raw IP addresses
-c N: capture N packets, then exit
-s 0: capture the full packet (by default only a leading snapshot of each packet is kept)
-w file.pcap: write the capture to a file
-A: display packet contents as ASCII
-X: display both hex and ASCII
Example 1 – Observe an SSH handshake
sudo tcpdump -i any port 22 -nn
Running an SSH client against the server produces three packets:
→ Flags [S] # client sends SYN
← Flags [S.] # server replies SYN‑ACK
→ Flags [.] # client sends ACK
This demonstrates a complete TCP three‑way handshake (connection establishment).
Example 2 – Capture plain HTTP requests
sudo tcpdump -i any port 80 -A
After accessing an HTTP site with curl or a browser, the request appears:
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0
Seeing the exact request in clear text explains why most sites now require HTTPS.
Limitation: direct terminal output becomes unreadable when traffic volume is high, because the dense packet dumps scroll by faster than you can read them.
2. Wireshark – visualizing packets
Wireshark is the graphical counterpart of tcpdump, using the same libpcap capture format.
Installation
# Ubuntu
sudo apt install wireshark
# macOS
brew install --cask wireshark
Typical workflow
Run tcpdump remotely and save to a .pcap file:
ssh user@your-server "sudo tcpdump -i any -w /tmp/dump.pcap -c 10000"
Copy the file locally:
scp user@your-server:/tmp/dump.pcap .
Open it in Wireshark:
wireshark dump.pcap
The UI shows a packet list, protocol details and raw hex data.
Three especially useful Wireshark features:
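As an added example (not code from the original article), a small Python reader for the libpcap file that tcpdump -w writes and Wireshark opens: it decodes each TCP packet, renders the flags in tcpdump's own notation, and checks that the SYN / SYN‑ACK / ACK exchange from Example 1 is complete. The sample capture is constructed in code; its addresses, ports and sequence numbers are assumptions.

```python
import struct
TCP_FLAG_CHARS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))

def tcpdump_flags(flags):
    """Render TCP flag bits the way tcpdump prints them, e.g. 0x12 (SYN+ACK) -> 'S.'."""
    return "".join(ch for bit, ch in TCP_FLAG_CHARS if flags & bit)

def parse_pcap(data):
    """Return (src, sport, dst, dport, seq, ack, flags) for each TCP/IPv4 packet in a pcap."""
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"  # writer's byte order
    assert struct.unpack(endian + "I", data[20:24])[0] == 1, "only Ethernet (link type 1) handled"
    off, packets = 24, []  # 24-byte global header, then a 16-byte record header per packet
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # skip anything that is not IPv4 over Ethernet carrying TCP
        ihl = (pkt[14] & 0x0F) * 4  # IPv4 header length in bytes
        if len(pkt) < 14 + ihl + 14:
            continue  # TCP header truncated by a short snapshot length (see -s 0)
        sport, dport, seq, ack, _doff, flags = struct.unpack("!HHIIBB", pkt[14 + ihl:14 + ihl + 14])
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        packets.append((src, sport, dst, dport, seq, ack, tcpdump_flags(flags)))
    return packets

def handshake_complete(packets):
    """True if a SYN gets a SYN-ACK acknowledging seq+1 that is itself acknowledged (Example 1)."""
    for i, (src, sp, dst, dp, seq, _ack, fl) in enumerate(packets):
        rest = packets[i + 1:]
        synack = [p for p in rest if fl == "S" and p[6] == "S." and p[:4] == (dst, dp, src, sp) and p[5] == seq + 1]
        if synack and any(p[6] == "." and p[:4] == (src, sp, dst, dp) and p[5] == synack[0][4] + 1 for p in rest):
            return True
    return False

def _frame(src, dst, sport, dport, seq, ack, flags):  # constructed sample frame, no payload, checksums zero
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_ssh_handshake_pcap():
    """Constructed pcap holding the SYN / SYN-ACK / ACK exchange on port 22 from Example 1."""
    frames = [_frame("10.0.0.2", "10.0.0.1", 51000, 22, 1000, 0, 0x02),
              _frame("10.0.0.1", "10.0.0.2", 22, 51000, 5000, 1001, 0x12),
              _frame("10.0.0.2", "10.0.0.1", 51000, 22, 1001, 5001, 0x10)]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for i, fr in enumerate(frames):
        data += struct.pack("<IIII", 1700000000, i * 100, len(fr), len(fr)) + fr
    return data
```

Note that a capture taken with -i any on Linux is written with the Linux "cooked" link type rather than Ethernet, so a file from the workflow above would need a cooked-header variant of the frame decoding before this reader accepts it.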
Display Filter
Enter expressions such as http to see only HTTP traffic, or ip.addr == 192.168.1.1 && tcp.port == 80 for specific IP‑port traffic, or tcp.analysis.retransmission to locate retransmissions. The filter language follows a dot‑notation hierarchy, e.g., ip.ttl < 64 or tcp.window_size < 1024.
Follow TCP Stream
Right‑click a packet → Follow → TCP Stream to reconstruct the full conversation, making it easy to verify request/response payloads during front‑end/back‑end integration.
Protocol Hierarchy Statistics
Menu → Statistics → Protocol Hierarchy shows the proportion of each protocol in the capture. High ARP percentages may indicate LAN issues; many TCP retransmissions suggest poor network quality.
3. Combine both tools for maximum power
Use tcpdump on the server for lightweight, on‑the‑fly capture, then analyze the saved .pcap with Wireshark locally.
Advanced: Remote real‑time capture
ssh user@server "sudo tcpdump -i any -l -w -" | wireshark -k -i -
This pipes live packets from the remote host straight into Wireshark, avoiding file transfers. Press Ctrl+C to stop; this is useful for intermittent faults.
Filtering tips for production
Never run an unrestricted capture in production; it can fill disks quickly. Always add limits such as -c (packet count) or -C together with -W (rotate output files by size and cap how many are kept). Example:
# Capture 10,000 packets then exit
tcpdump -i any -c 10000 -w dump.pcap
# Rotate 10 files of 100 MB each
tcpdump -i any -C 100 -W 10 -w dump.pcap
Be aware that unrestricted captures may exhaust disk space.
When you master packet capture, the first instinct during a production incident becomes "capture the traffic" rather than digging through logs.