Packet Capture 2026

tcpdump, Wireshark.

Overview

Packet capture in 2026 navigates three new realities: most traffic is TLS-encrypted, eBPF replaces some tcpdump use cases, and cloud-native flow logs answer broad metadata questions without packets. tcpdump and Wireshark still matter; the discipline is matching the tool to the question.

• tcpdump. Standard packet capture for host-level investigation. Still the right starting point for many wire-level questions.
• Wireshark. Visual analysis of pcap files. Stream reconstruction and protocol decoding live here.
• eBPF capture. Kernel-level capture without copying packets to user space. Lower overhead on busy hosts.
• VPC flow logs plus encrypted traffic limits. Cloud-level metadata answers most flow-level questions; TLS encrypts the payload, so packet content is rarely useful without keys.

The approach

Three habits keep modern packet investigation fast: metadata first, packet-level second, decrypt only when authorised.

• VPC flow logs first. Most questions are flow-shaped (who talked to whom, how much). Flow logs answer them in seconds without capture.
• tcpdump for host-level. When packet-level detail genuinely matters. The right layer for protocol-level investigation.
• Wireshark for deep analysis. Visual pcap exploration when the question needs stream reconstruction.
• eBPF and SSL keylog. eBPF captures with lower overhead on busy hosts; SSL keylog decrypts TLS only when needed and authorised.

Why this compounds

Packet-capture fluency compounds across every TCP/IP investigation the team runs. New tools (eBPF) extend the toolkit without replacing the fundamentals.

• Faster wire-level investigation. Right tool produces fast root cause. MTTR drops on protocol-flavoured incidents.
• Network mental model. Wire-level evidence reveals what is actually happening. Hypotheses get validated rather than guessed.
• Compliance support. Captures support audit and incident response. Forensic timelines depend on packet data when other evidence is thin.
• Year-one investment, year-two habit. The first year establishes fluency. Subsequent years extend it as new tools land.