Packet Capture with tcpdump: When and How
tcpdump still beats every other tool when you need to see the actual bytes. The discipline is using it safely.
Why tcpdump
Network behavior at the wire level: when metrics and traces miss it, tcpdump shows what actually happened.
One command; massive insight.
Four use cases
1. TLS handshake debugging.
2. Connection drop investigation.
3. Slow first-byte diagnosis.
4. Protocol-spec validation.
Safe-in-production patterns
Always use a BPF filter to limit volume.
Never capture user data without an explicit purpose.
Rotate output files and cap disk usage.
Keep a documented runbook for tcpdump in production.
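The four patterns above turned into a small POSIX sh wrapper, as an added example (not code from the original page): it refuses to run without a BPF filter, bounds the per-packet snaplen, rotates into a fixed number of files so disk usage is capped, and drops privileges after the interface is opened. The tcpdump options used (`-i`, `-nn`, `-s`, `-C`, `-W`, `-Z`, `-w`) are real; the default values, the `eth0` interface and output path in the usage call are assumptions.

```shell
#!/bin/sh
# Production-safe tcpdump wrapper (added example; defaults below are assumptions).
# Tunables, overridable from the environment:
SNAPLEN="${SNAPLEN:-256}"        # -s: bytes kept per packet. 256 keeps headers and the
                                 #     start of a TLS handshake but truncates application payload.
                                 #     Lower it (e.g. 96) if policy requires headers only.
FILE_MB="${FILE_MB:-100}"        # -C: rotate when a file reaches this many MB (tcpdump uses 1,000,000-byte units)
FILE_COUNT="${FILE_COUNT:-10}"   # -W: keep at most this many files, overwriting the oldest (ring buffer)
RUN_AS="${RUN_AS:-nobody}"       # -Z: user to drop to once the interface is open (Linux builds)

# capture_disk_cap_mb FILE_MB FILE_COUNT -> worst-case disk use of the ring buffer, in MB
capture_disk_cap_mb() {
    echo $(( $1 * $2 ))
}

# build_capture_cmd IFACE 'BPF FILTER' OUTFILE -> prints the command line; returns 1 on unsafe input
build_capture_cmd() {
    iface="$1"; filter="$2"; outfile="$3"
    if [ -z "$iface" ] || [ -z "$outfile" ]; then
        echo "usage: build_capture_cmd IFACE 'BPF FILTER' OUTFILE" >&2
        return 1
    fi
    # Antipattern 1: an unfiltered capture on a busy host fills the disk.
    if [ -z "$filter" ]; then
        echo "refusing to capture without a BPF filter" >&2
        return 1
    fi
    # The filter is passed to tcpdump inside single quotes; reject one that would break out of them.
    case "$filter" in *"'"*) echo "single quotes are not allowed in the filter" >&2; return 1;; esac
    # -C without a positive -W grows without bound, so the file count must be a positive integer.
    case "$FILE_COUNT" in ''|*[!0-9]*|0) echo "FILE_COUNT must be a positive integer" >&2; return 1;; esac
    case "$FILE_MB" in ''|*[!0-9]*|0) echo "FILE_MB must be a positive integer" >&2; return 1;; esac
    printf "tcpdump -i %s -nn -s %s -C %s -W %s -Z %s -w %s '%s'\n" \
        "$iface" "$SNAPLEN" "$FILE_MB" "$FILE_COUNT" "$RUN_AS" "$outfile" "$filter"
}

# run_capture IFACE 'BPF FILTER' OUTFILE -> validates, logs the bound, then runs tcpdump (needs root)
run_capture() {
    cmd=$(build_capture_cmd "$@") || return 1
    echo "disk cap: $(capture_disk_cap_mb "$FILE_MB" "$FILE_COUNT") MB across $FILE_COUNT files" >&2
    echo "running: $cmd" >&2
    eval "$cmd"
}

# Usage (assumed interface and path): run_capture eth0 'tcp port 443' /var/tmp/tls.pcap
```

`build_capture_cmd` is kept separate from `run_capture` so the exact command line can be reviewed and pasted into the runbook before anything touches the interface. For TLS handshake debugging, check that the snaplen is large enough to hold the whole ClientHello and ServerHello, or the handshake will appear truncated in Wireshark.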
Analysis with Wireshark
Open the .pcap in Wireshark for visual analysis: filter by stream and follow individual sessions.
TLS decryption requires the server keys; document the process.
Antipatterns
- tcpdump without filter on busy host. Disk fills.
- Capturing user data without authorization. Compliance risk.
- Reading raw output without Wireshark. Misses patterns.
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure-mode rate before and after. (3) Document the change so the next incident responder inherits the knowledge.