
Master tcpdump & Wireshark: Capture and Analyze HTTP/TCP Traffic in Docker

This guide walks you through setting up a Docker container, installing tcpdump, capturing HTTP/TCP traffic with tcpdump, dissecting the three‑way handshake and data exchange, saving packets to a pcap file, and using Wireshark for deeper analysis and filtering.

Efficient Ops

1. Basic Environment Preparation

To make the tutorial easy to follow, a Docker container is used as the test environment.

1.1 Pull Docker Image

<code>$ sudo docker pull alpine:3.8</code>

1.2 Run Container

<code>$ sudo docker run -d --name ctn-1 alpine:3.8 sleep 3600d
$ sudo docker ps
CONTAINER ID    IMAGE        COMMAND         CREATED        STATUS          PORTS  NAMES
233bc36bde4b    alpine:3.8   "sleep 3600d"   1 minutes ago  Up 14 minutes           ctn-1</code>

Enter the container:

<code>$ sudo docker exec -it ctn-1 sh</code>

View network configuration inside the container:

<code>/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:09
          inet addr:172.17.0.9  Bcast:0.0.0.0  Mask:255.255.0.0</code>

1.3 Install tcpdump

<code>/ # apk update
/ # apk add tcpdump</code>

tcpdump runs inside the container's network namespace, so it sees only the container's own interfaces (eth0 here), not the host's. If installing tools into a running container is not acceptable, the same capture can be taken from a throwaway container that shares the target's network namespace (Docker's --net container:&lt;name&gt; option) or from the host with nsenter; the commands that follow are the same either way.

2. HTTP/TCP Capture

We use <code>wget</code> to download the homepage of a public test site (example.com) while tcpdump records the traffic.

2.1 HTTP Request – Download Test Page

Example.com is a public test domain; <code>wget</code> is a command-line download tool (inside the container it is the BusyBox version that ships with Alpine).

<code>$ wget http://example.com
Connecting to example.com (93.184.216.34:80)
index.html           100% |*****************************|  1270   0:00:00 ETA</code>

This one simple request actually involves many steps: a DNS lookup, the TCP three-way handshake, the HTTP GET, the server response (which may be split across several TCP segments), and the four-way TCP termination.

2.2 Capture to Standard Output

Run tcpdump in a second shell in the container (another <code>docker exec -it ctn-1 sh</code>) while the <code>wget</code> command is executed:

<code># tcpdump -n -S -i eth0 host example.com
1  02:52:44.513700 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [S], seq 3310420140, length 0
2  02:52:44.692890 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [S.], seq 1353235534, ack 3310420141, length 0
3  02:52:44.692953 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353235535, length 0
4  02:52:44.693009 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [P.], seq 3310420141:3310420215, ack 1353235535, length 74: HTTP: GET / HTTP/1.1
5  02:52:44.872266 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], ack 3310420215, length 0
6  02:52:44.873342 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], seq 1353235535:1353236983, ack 3310420215, length 1448: HTTP: HTTP/1.1 200 OK
7  02:52:44.873405 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353236983, length 0
8  02:52:44.874533 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [P.], seq 1353236983:1353237162, ack 3310420215, length 179: HTTP
9  02:52:44.874560 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353237162, length 0
10 02:52:44.874705 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [F.], seq 3310420215, ack 1353237162, length 0
11 02:52:45.053732 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], ack 3310420216, length 0
12 02:52:45.607825 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [F.], seq 1353237162, ack 3310420216, length 0
13 02:52:45.607869 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353237163, length 0</code>

Explanation of the options used:

<code>-n</code>: print numeric IP addresses and ports instead of resolving them. This also stops tcpdump from generating reverse-DNS queries of its own, which would otherwise show up in (and slow down) the capture.

<code>-S</code>: print absolute TCP sequence numbers. Without it tcpdump prints relative numbers that start at 0 for each direction, which is easier to read but hides the initial sequence numbers examined in section 3. (Absolute timestamps are a different option, <code>-tttt</code>.)

<code>-i eth0</code>: capture on interface eth0, the container interface shown by ifconfig above.

<code>host example.com</code>: a capture filter that keeps packets to or from example.com in both directions. The name is resolved once, when the filter is compiled, and the filter then matches on the address. The DNS lookup that wget itself performs goes to the resolver, not to example.com, so it is excluded by this filter; that is why the output starts directly at the SYN.

2.3 Save Capture to File

Use the <code>-w</code> flag to write the raw packets to a pcap file. This is different from redirecting stdout: the file holds the packet bytes themselves, not tcpdump's text rendering, so it can be decoded again later with different options or a different tool.

<code># tcpdump -i eth0 host example.com -w example.pcap
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel</code>

With <code>-w</code> nothing is printed per packet; stop the capture with Ctrl-C or bound it with <code>-c N</code>. The three-line summary is worth reading every time: a non-zero "dropped by kernel" count means the file is incomplete, and segments missing from it are then not evidence of loss on the wire.

The resulting <code>.pcap</code> file can be opened with tcpdump, Wireshark, or other analysis tools.
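What such a file actually contains is a 24-byte global header followed by one 16-byte record header plus the raw frame for every packet. The following is an added example, not code from the original article: a minimal Python reader for that classic libpcap format, together with a writer that is used only to construct a sample capture from the addresses and sequence numbers in section 2.2 and decode it back into tcpdump-style lines. The gateway MAC address, the timestamps, and the request bytes are assumptions; the client MAC is the one ifconfig printed.

```python
import socket
import struct

# Added example of the classic libpcap file layout that tcpdump -w produces
# (not code from the article). Checksums are left at zero; the decoder ignores them.
PCAP_MAGIC = 0xA1B2C3D4                     # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
CLIENT_MAC = bytes.fromhex("0242ac110009")  # HWaddr shown by ifconfig in the container
GATEWAY_MAC = bytes.fromhex("0242ac110001") # assumed: the docker0 bridge
# tcpdump's flag letters in the order it prints them; "." stands for ACK
FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x20, "U"), (0x10, ".")]


def tcp_frame(src_ip, sport, dst_ip, dport, flags, seq, ack, payload=b""):
    """Ethernet/IPv4/TCP frame with a 20-byte IP header and a 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    src_mac, dst_mac = (CLIENT_MAC, GATEWAY_MAC) if src_ip.startswith("172.17.") else (GATEWAY_MAC, CLIENT_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def write_pcap(records, snaplen=262144):
    """records: iterable of (ts_sec, ts_usec, frame). Returns the complete file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record; refuses pcapng and non-Ethernet files."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (pcapng or big-endian captures need another reader)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Extract what tcpdump prints per line; returns None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0xFF
    return {"src": f"{src}.{sport}", "dst": f"{dst}.{dport}",
            "flags": "".join(l for bit, l in FLAG_LETTERS if flags & bit),
            "seq": seq, "ack": ack if flags & 0x10 else None,
            "length": total_len - ihl - doff, "payload": frame[t + doff:14 + total_len]}


def describe(rec):
    """tcpdump -n -S style one-liner for a decoded segment."""
    parts = [f"IP {rec['src']} > {rec['dst']}: Flags [{rec['flags']}]"]
    if rec["length"]:
        parts.append(f"seq {rec['seq']}:{rec['seq'] + rec['length']}")
    elif "S" in rec["flags"] or "F" in rec["flags"]:
        parts.append(f"seq {rec['seq']}")
    if rec["ack"] is not None:
        parts.append(f"ack {rec['ack']}")
    parts.append(f"length {rec['length']}")
    return ", ".join(parts)


# Constructed sample: the handshake and the GET from section 2.2. The request bytes are an
# assumption (the four headers BusyBox wget sends, which happen to total 74 bytes); the
# article only shows that the request segment carried 74 bytes.
GET = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Wget\r\nConnection: close\r\n\r\n"
C, S = ("172.17.0.9", 41038), ("93.184.216.34", 80)
SAMPLE_PCAP = write_pcap([
    (1, 513700, tcp_frame(*C, *S, 0x02, 3310420140, 0)),                 # SYN
    (1, 692890, tcp_frame(*S, *C, 0x12, 1353235534, 3310420141)),        # SYN-ACK
    (1, 692953, tcp_frame(*C, *S, 0x10, 3310420141, 1353235535)),        # ACK
    (1, 693009, tcp_frame(*C, *S, 0x18, 3310420141, 1353235535, GET)),   # PSH-ACK with the GET
])


def summarize(data):
    """One tcpdump-style line per TCP segment in a pcap byte string."""
    return [describe(r) for r in (decode_tcp(f) for _, _, f in read_pcap(data)) if r]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_PCAP)))
```

The reader checks the magic number and link type first: a file saved by Wireshark is pcapng by default and starts with a different block header, and a capture taken on a non-Ethernet interface (for example <code>-i any</code>, which uses the Linux cooked link type) puts a different header in front of the IP packet, so a decoder that assumes 14 bytes of Ethernet silently misreads every field.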

3. Traffic Analysis with tcpdump

When <code>-w</code> is not given, tcpdump decodes each packet and prints one line per packet to the console, as shown above. The same view can be produced from a saved file with <code>tcpdump -n -S -r example.pcap</code>.

3.1 Column Explanation

Each line contains, from left to right:

Timestamp (e.g., 02:52:44.513700): the local time at which the kernel handed the packet to tcpdump.

Protocol (IP).

Source IP.port > Destination IP.port.

TCP flags: S = SYN, F = FIN, P = PSH, R = RST; the dot stands for ACK, so [.] is a pure ACK and [S.] is SYN+ACK.

Sequence number (seq), absolute because of -S; data segments show the range start:end.

Acknowledgment number (ack): the next byte the sender expects to receive from the peer.

Payload length in bytes (length 0 for control segments).

tcpdump's one-line decode of the payload where it recognises the protocol (HTTP: GET / HTTP/1.1). This is not a dump of the bytes themselves; for that use <code>-A</code> (ASCII) or <code>-X</code> (hex and ASCII).

The numbers 1 to 13 at the start of each line above were added for reference; tcpdump prints them only when run with <code>--number</code>.

3.2 Three‑Way Handshake (Packets 1‑3)

Packet 1: SYN from client to server (port 41038 → 80) with the client's initial sequence number 3310420140.

Packet 2: SYN-ACK from server with its own initial sequence number 1353235534 and acknowledgment 3310420141. A SYN consumes one sequence number, so the acknowledgment is the client's initial number plus one.

Packet 3: ACK from client with acknowledgment 1353235535 (the server's initial number plus one). The connection is now established and each side knows where the other's byte stream starts.

3.3 Normal Data Transfer (Packets 4‑9)

Packet 4: client sends the HTTP GET, 74 bytes, occupying sequence numbers 3310420141 to 3310420215.

Packet 5: server acknowledges 3310420215, i.e. every byte of the request.

Packet 6: server sends the first 1448 bytes of the HTTP response (the beginning of HTTP/1.1 200 OK). 1448 is a full-size segment on this path: a 1460-byte MSS typically less 12 bytes of TCP timestamp options.

Packet 7: client acknowledges 1353236983.

Packet 8: server sends the remaining 179 bytes with PSH set, telling the receiver to hand the data to the application without waiting for more.

Packet 9: client acknowledges 1353237162. In total the server sent 1448 + 179 = 1627 bytes: the response headers plus the 1270-byte index.html that wget reported.

3.4 Four‑Way Termination (Packets 10‑13)

Client → Server: FIN+ACK (packet 10). wget closes its side as soon as the response is complete; the FIN carries sequence number 3310420215.

Server → Client: ACK (packet 11) with acknowledgment 3310420216, because a FIN, like a SYN, consumes one sequence number.

Server → Client: FIN+ACK (packet 12), about half a second later, closing the server's side.

Client → Server: ACK (packet 13) with acknowledgment 1353237163. Both directions are now closed; the client, as the side that closed first and sent the final ACK, holds the socket in TIME_WAIT for a while.
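The bookkeeping in 3.2 to 3.4 is mechanical enough to check by program. The following is an added example in Python, not code from the original article: a parser for the one-line format above that replays the sequence-number rules (SYN and FIN each consume one number, data consumes its length) and reports the two things a practitioner checks first, an ACK that acknowledges bytes the peer never sent, and a data segment that re-sends sequence space already seen, which is what Wireshark marks as tcp.analysis.retransmission. The input is the capture from section 2.2 reproduced as a string; the retransmission case is constructed by repeating packet 6.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 13 segments captured in section 2.2, as tcpdump prints them
# with -n -S. The packet counters from the article are omitted because tcpdump only
# emits them with --number.
SAMPLE = """\
02:52:44.513700 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [S], seq 3310420140, length 0
02:52:44.692890 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [S.], seq 1353235534, ack 3310420141, length 0
02:52:44.692953 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353235535, length 0
02:52:44.693009 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [P.], seq 3310420141:3310420215, ack 1353235535, length 74: HTTP: GET / HTTP/1.1
02:52:44.872266 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], ack 3310420215, length 0
02:52:44.873342 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], seq 1353235535:1353236983, ack 3310420215, length 1448: HTTP: HTTP/1.1 200 OK
02:52:44.873405 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353236983, length 0
02:52:44.874533 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [P.], seq 1353236983:1353237162, ack 3310420215, length 179: HTTP
02:52:44.874560 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353237162, length 0
02:52:44.874705 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [F.], seq 3310420215, ack 1353237162, length 0
02:52:45.053732 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [.], ack 3310420216, length 0
02:52:45.607825 IP 93.184.216.34.80 > 172.17.0.9.41038: Flags [F.], seq 1353237162, ack 3310420216, length 0
02:52:45.607869 IP 172.17.0.9.41038 > 93.184.216.34.80: Flags [.], ack 1353237163, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?, length (?P<length>\d+)"
)


@dataclass
class Segment:
    ts: str
    src: str            # "ip.port" of the sender, as tcpdump prints it
    dst: str
    flags: str          # tcpdump letters: S, F, R, P, and "." for ACK
    seq: Optional[int]  # absolute sequence number (start of range); None on pure ACKs
    ack: Optional[int]
    length: int         # payload bytes


def parse(text: str) -> list:
    """Parse tcpdump -n -S output; raises on a line it does not understand."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tcpdump line: {line!r}")
        segments.append(Segment(m["ts"], f"{m['src']}.{m['sport']}", f"{m['dst']}.{m['dport']}",
                                m["flags"], int(m["seq"]) if m["seq"] else None,
                                int(m["ack"]) if m["ack"] else None, int(m["length"])))
    return segments


def handshake_ok(segments: list) -> bool:
    """True when the capture opens with SYN, SYN-ACK, ACK whose numbers chain correctly."""
    if len(segments) < 3:
        return False
    syn, synack, ack = segments[:3]
    return (syn.flags == "S" and synack.flags == "S." and ack.flags == "."
            and synack.src == syn.dst and ack.src == syn.src
            and synack.ack == syn.seq + 1 and ack.ack == synack.seq + 1)


def audit(segments: list) -> dict:
    """Replay the sequence-number bookkeeping of one connection.

    next_seq[(a, b)] is the number a's peer should acknowledge next. Reports an ACK
    beyond what the peer has sent, and data that re-sends sequence space already
    seen (a retransmission). Returns new payload bytes per direction as well.
    """
    next_seq, new_bytes, findings, fin_first = {}, {}, [], None
    for i, s in enumerate(segments, start=1):
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.ack is not None and rev in next_seq and s.ack > next_seq[rev]:
            findings.append((i, f"ack {s.ack} beyond peer's next seq {next_seq[rev]}"))
        if "S" in s.flags:
            next_seq[fwd], new_bytes[fwd] = s.seq + 1, 0   # SYN consumes one number
            continue
        if s.length:
            expected = next_seq.get(fwd, s.seq)
            if s.seq < expected:
                findings.append((i, f"retransmission of seq {s.seq}"))
            new_bytes[fwd] = new_bytes.get(fwd, 0) + max(0, s.seq + s.length - expected)
            next_seq[fwd] = max(expected, s.seq + s.length)
        if "F" in s.flags:
            fin_first = fin_first or s.src
            next_seq[fwd] = max(next_seq.get(fwd, 0), s.seq + s.length + 1)  # FIN consumes one
    return {"bytes": new_bytes, "findings": findings, "fin_first": fin_first}


def with_retransmission(text: str) -> str:
    """Constructed variant: the 1448-byte response segment arrives a second time,
    as it would if the client's ACK in packet 7 had been lost on its way back."""
    lines = text.splitlines()
    lines.insert(7, lines[5])
    return "\n".join(lines)


if __name__ == "__main__":
    segs = parse(SAMPLE)
    print("handshake ok:", handshake_ok(segs))
    print(audit(segs))
    print(audit(parse(with_retransmission(SAMPLE)))["findings"])
```

Run against the article's capture, the audit reports 74 new bytes from the client, 1627 from the server, no findings, and the client as the side that closed first; the constructed variant adds exactly one finding, a retransmission at position 8, while the byte count stays at 1627 because repeated sequence space is not counted twice.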

4. Traffic Analysis with Wireshark

The saved file can be read back with <code>tcpdump -n -S -r example.pcap</code> (the same one-line view as above, without a live interface), with <code>tshark -r example.pcap</code>, or by opening it in the Wireshark GUI. For a 13-packet capture the tcpdump view is enough, but for large pcap files Wireshark's display filters, stream reassembly and analysis flags are invaluable.

4.1 Follow TCP Stream

Right-click a packet and choose Follow → TCP Stream. Wireshark applies a display filter of the form <code>tcp.stream eq N</code>, so the packet list shows only that conversation, and opens a window with the reassembled payload of both directions; for this capture that is the complete HTTP request and response as text. (For a TLS connection the same view shows only ciphertext unless session keys have been supplied.)

4.2 Filtering Traffic

Wireshark display filters use their own field-based syntax; it is Wireshark's capture filters (Capture → Options) that share tcpdump's BPF syntax. Display filter examples:

<code>ip.addr == 192.168.1.1</code> – packets with source or destination IP 192.168.1.1.

<code>ip.src == 192.168.1.1 and ip.dst == 192.168.1.2</code> – a specific source and destination (<code>ip.src_host</code> and <code>ip.dst_host</code> also exist but compare against the resolved host name when name resolution is on; the address fields are more predictable).

<code>tcp.port == 80</code> – any packet with source or destination port 80.

<code>tcp.flags.reset == 1</code> – TCP RST segments; a burst of these usually means a peer or a middlebox is tearing connections down.

<code>tcp.analysis.retransmission</code> – segments Wireshark identified as retransmissions, i.e. data sent again for sequence space already seen. Together with the broader <code>tcp.analysis.flags</code> this is the quickest way to find loss in a large capture.

4.3 Exporting Filtered Packets

If a pcap is too large, apply a filter, then use File → Export Specified Packets… with "Displayed" selected to save only the filtered packets (or a selected range) to a new, smaller file for faster analysis. Wireshark writes pcapng by default; choose pcap as the file type if the result has to go back to tools that only read the classic format.

5. Summary

tcpdump and Wireshark together form a powerful toolkit for network troubleshooting. This article covered container setup, packet capture, detailed packet inspection, handshake analysis, data flow, termination, and practical Wireshark filtering/export techniques. For more complex scenarios, combine these tools with further research and documentation.

Figure: Wireshark screenshot showing retransmission

Figure: Wireshark Follow TCP Stream view
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends and regularly publishes widely read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
