
Master Linux Network Troubleshooting with tcpdump and Wireshark

This guide walks you through installing and using tcpdump and Wireshark on Linux, showing how to capture packets, filter traffic, analyze protocols, and combine command‑line and GUI tools for effective network performance debugging.

Tech Stroll Journey

Why packet capture matters

When a production service suddenly fails and logs provide no clues, the first question should be "Did you capture the traffic?" Using tcpdump on the server and Wireshark locally turns network data into an X‑ray view of the problem.

1. Start with tcpdump

tcpdump is a command‑line packet sniffer that comes pre‑installed on most Linux distributions.

Installation

# Ubuntu/Debian
sudo apt install tcpdump

# CentOS/RHEL
sudo yum install tcpdump

# macOS (built‑in)

Basic test command:

sudo tcpdump -i any -c 5

This listens on all interfaces (-i any) and stops after capturing five packets (-c 5). Each output line shows a timestamp, the source and destination IP addresses and ports, the TCP flags and the sequence numbers.

Common options:

-i any: listen on all interfaces
-n: do not resolve hostnames; show raw IP addresses
-c N: capture N packets, then exit
-s 0: capture the full packet (older versions default to a short snaplen that keeps only the headers)
-w file.pcap: write the capture to a file
-A: print packet contents as ASCII
-X: print both hex and ASCII

Example 1 – Observe an SSH handshake

sudo tcpdump -i any port 22 -nn

Running an SSH client against the server produces three packets:

→ Flags [S]    # client sends SYN
← Flags [S.]   # server replies SYN‑ACK
→ Flags [.]    # client sends ACK

This demonstrates a complete TCP connection establishment.
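The same three-packet pattern can be checked mechanically. The following is an added example, not code from the original article: it parses the one-line summaries that tcpdump -nn prints (the sample lines below are constructed, not a real capture) and tracks each client-to-server flow through SYN, SYN-ACK and the final ACK. It also counts SYNs per flow, so a client that keeps retrying SYN without ever seeing a SYN-ACK stands out, which in practice usually means a filtered port, a dead host or an asymmetric route. Only IPv4 summary lines are handled; the regular expression is an assumption about tcpdump's text format.

```python
import re
from collections import defaultdict

# Constructed sample of `sudo tcpdump -i any port 22 -nn` output; not a real capture.
# Flow 1 completes the three-way handshake; flow 2 sends SYN twice and never gets a SYN-ACK.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.000402 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:01.000610 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [.], ack 5001, win 502, length 0
12:00:02.000000 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [S], seq 777, win 64240, length 0
12:00:03.000000 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [S], seq 777, win 64240, length 0
"""

# One tcpdump summary line: timestamp, "IP", src.port > dst.port: Flags [...]
# (assumed layout of tcpdump's IPv4 text output)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src_endpoint, dst_endpoint, flags) or None for lines that are not TCP summaries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = f"{m['src']}:{m['sport']}"
    dst = f"{m['dst']}:{m['dport']}"
    return src, dst, m["flags"]


def track_handshakes(text):
    """Classify each client->server flow as SYN, SYN-ACK or ESTABLISHED and count SYNs per flow."""
    state = {}
    syn_counts = defaultdict(int)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if flags == "S":                                             # client SYN opens (or retries) the flow
            state[(src, dst)] = "SYN"
            syn_counts[(src, dst)] += 1
        elif flags == "S." and state.get((dst, src)) == "SYN":       # server answers with SYN-ACK
            state[(dst, src)] = "SYN-ACK"
        elif flags == "." and state.get((src, dst)) == "SYN-ACK":    # client's final ACK completes it
            state[(src, dst)] = "ESTABLISHED"
    return state, dict(syn_counts)


def unanswered_syns(text):
    """Flows that retried SYN without ever seeing a SYN-ACK: typical of a filtered port or dead host."""
    state, syn_counts = track_handshakes(text)
    return sorted(flow for flow, n in syn_counts.items() if n > 1 and state[flow] == "SYN")


if __name__ == "__main__":
    for flow, status in track_handshakes(SAMPLE_OUTPUT)[0].items():
        print(f"{flow[0]} -> {flow[1]}: {status}")
    print("unanswered SYN retries:", unanswered_syns(SAMPLE_OUTPUT))
```

Feed it the saved text of a real capture (sudo tcpdump -i any port 22 -nn > ssh.txt) and the flows that never reach ESTABLISHED are the ones worth looking at first.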

Example 2 – Capture plain HTTP requests

sudo tcpdump -i any port 80 -A

After accessing an HTTP site with curl or a browser, the request appears:

GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0

Seeing the exact request explains why most sites now require HTTPS.

Limitation: direct terminal output becomes unreadable when traffic volume is high, because of the dense hex dumps.

2. Wireshark – visualizing packets

Wireshark is the graphical counterpart of tcpdump, using the same libpcap capture format.

Installation

# Ubuntu
sudo apt install wireshark

# macOS
brew install --cask wireshark

Typical workflow

Run tcpdump remotely and save to a .pcap file:

ssh user@your-server "sudo tcpdump -i any -w /tmp/dump.pcap -c 10000"

Copy the file locally:

scp user@your-server:/tmp/dump.pcap .

Open it in Wireshark:

wireshark dump.pcap

The UI shows a packet list, protocol details, and raw hex data.

Three especially useful Wireshark features:

Display Filter

Enter expressions such as http to see only HTTP traffic, or ip.addr == 192.168.1.1 && tcp.port == 80 for specific IP‑port traffic, or tcp.analysis.retransmission to locate retransmissions. The filter language follows a dot‑notation hierarchy, e.g., ip.ttl < 64 or tcp.window_size < 1024.

Follow TCP Stream

Right‑click a packet → Follow → TCP Stream to reconstruct the full conversation, making it easy to verify request/response payloads during front‑end/back‑end integration.

Protocol Hierarchy Statistics

Menu → Statistics → Protocol Hierarchy shows the proportion of each protocol in the capture. High ARP percentages may indicate LAN issues; many TCP retransmissions suggest poor network quality.
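The two points above that matter most in practice, that tcpdump and Wireshark share the libpcap file format and that tcp.analysis.retransmission flags repeated sequence space, can both be seen in a few dozen lines. The following is an added example and is not code from the original article or from either project: it writes a small, constructed capture (Ethernet/IPv4/TCP frames with made-up addresses, a handshake, an HTTP GET, one retransmission) in the classic libpcap format that tcpdump -w produces, reads it back, and applies a simplified version of Wireshark's retransmission heuristic. The resulting file opens in Wireshark as a normal capture; the MAC addresses and the zeroed TCP checksum are assumptions of the example.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame. MACs are constructed; the TCP checksum is left at 0."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(path, frames):
    """Write frames in the libpcap format that tcpdump -w produces and Wireshark reads."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield raw frames from a little-endian Ethernet pcap file."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("expected a little-endian Ethernet pcap")
        while len(hdr := f.read(16)) == 16:
            _, _, incl_len, _ = struct.unpack("<IIII", hdr)
            yield f.read(incl_len)


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers; returns None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, data_off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "seq": seq, "flags": flags, "payload_len": len(tcp) - (data_off >> 4) * 4}


def find_retransmissions(path):
    """Simplified tcp.analysis.retransmission: a segment that re-sends sequence space the same
    flow already sent. Returns 1-based frame numbers, as Wireshark numbers them."""
    next_seq, retransmitted = {}, []
    for number, frame in enumerate(read_pcap(path), start=1):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        consumed = pkt["payload_len"] + (1 if pkt["flags"] & SYN else 0)
        if consumed == 0:
            continue                                   # pure ACKs occupy no sequence space
        if flow in next_seq and pkt["seq"] < next_seq[flow]:
            retransmitted.append(number)
        next_seq[flow] = max(next_seq.get(flow, 0), pkt["seq"] + consumed)
    return retransmitted


def demo(path=None):
    """Write a constructed 7-frame capture (handshake, GET, one retransmission) and analyse it."""
    path = path or os.path.join(tempfile.mkdtemp(), "dump.pcap")
    c, s = "10.0.0.5", "10.0.0.9"                      # constructed client and server addresses
    frames = [
        build_tcp_frame(c, 51234, s, 80, 100, 0, SYN),
        build_tcp_frame(s, 80, c, 51234, 5000, 101, SYN | ACK),
        build_tcp_frame(c, 51234, s, 80, 101, 5001, ACK),
        build_tcp_frame(c, 51234, s, 80, 101, 5001, PSH | ACK, b"GET /"),
        build_tcp_frame(s, 80, c, 51234, 5001, 106, ACK),
        build_tcp_frame(c, 51234, s, 80, 101, 5001, PSH | ACK, b"GET /"),  # ACK lost on the way back: resend
        build_tcp_frame(c, 51234, s, 80, 106, 5001, PSH | ACK, b" HTTP/1.1\r\n"),
    ]
    write_pcap(path, frames)
    return len(list(read_pcap(path))), find_retransmissions(path)
```

Running demo() returns the frame count and the retransmitted frame numbers, (7, [6]) for the constructed capture; opening the same file in Wireshark with the filter tcp.analysis.retransmission selects frame 6 as well. Wireshark's real heuristic also considers timing, out-of-order delivery and fast retransmits, so treat this as the core rule, not a replacement for the Expert Info analysis.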

3. Combine both tools for maximum power

Use tcpdump on the server for lightweight, on‑the‑fly capture, then analyze the saved .pcap with Wireshark locally.

Advanced: Remote real‑time capture

# -U flushes each packet to stdout as soon as it is captured; -w - writes pcap data to stdout
ssh user@server "sudo tcpdump -i any -U -w -" | wireshark -k -i -

This pipes live packets from the remote host directly into Wireshark, avoiding file transfers. The remote account needs passwordless sudo for tcpdump, because ssh allocates no terminal here and a password prompt would have nowhere to go. Press Ctrl+C to stop; useful for intermittent faults.

Filtering tips for production

Never run an unrestricted capture in production; it can fill disks quickly. Always add a limit such as -c (packet count) or -C (rotate the output file once it reaches a given size in MB, combined with -W to cap the number of files), and narrow the capture with an expression such as port 80 so that only relevant traffic is written. Example:

# Capture 10,000 packets then exit
tcpdump -i any -c 10000 -w dump.pcap

# Rotate through 10 files of 100 MB each (dump.pcap0 … dump.pcap9), about 1 GB of disk at most
tcpdump -i any -C 100 -W 10 -w dump.pcap

When you master packet capture, the first instinct during a production incident becomes "capture the traffic" rather than digging through logs.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: network troubleshooting, linux, packet capture, Wireshark, protocol analysis, tcpdump
Written by Tech Stroll Journey

The philosophy behind "Stroll": continuous learning, curiosity‑driven, and practice‑focused.