Packet Capture with tcpdump: When and How
tcpdump still beats every other tool when you need to see the actual bytes. The discipline is using it safely.
Why tcpdump
tcpdump still beats every other tool when the question is 'what bytes actually went on the wire'. Metrics and traces describe the application's view; tcpdump shows the network's view.
- Wire-level truth. When metrics and traces miss it, tcpdump shows what actually happened on the wire.
- One command. A single invocation captures the bytes; the analysis happens later, offline.
- BPF filtering. Filters in-kernel before user-space capture; the volume stays manageable.
- Universal. Available on every Linux box; no agent to install; no service to provision.
Four use cases
1. TLS handshake debugging.
2. Connection drop investigation.
3. Slow first-byte diagnosis.
4. Protocol-spec validation.
Safe-in-production patterns
tcpdump in production is risky if used carelessly. Four discipline rules keep the capture useful without becoming an outage cause.
- BPF filter always. Never capture without a filter on a busy host; the volume fills disks fast.
- No user data. Never capture user payloads without explicit authorisation; compliance risk is real.
- Rotate outputs. -W and -C rotate output files; cap total disk usage explicitly.
- Documented runbook. Production tcpdump procedure in the runbook; ad-hoc captures are how mistakes happen.
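The four rules above turned into one reusable invocation. This is an added example, not from the original article: the interface, host, output directory, snaplen and rotation sizes are assumptions, and the script only prints the command so the runbook can review it before anyone runs it as root.

```shell
#!/bin/sh
# Added example: build a production-safe tcpdump command line that enforces the
# four rules (BPF filter always, no user payload, rotated and capped output,
# one documented invocation). All values below are assumptions for illustration.

SNAPLEN=96          # -s: bytes per packet, enough for Ethernet/IP/TCP headers, not payload
FILE_MB=100         # -C: rotate the output file every 100 MB
FILE_COUNT=10       # -W: keep at most 10 files, overwriting the oldest (ring buffer)
DROP_TO_USER=nobody # -Z: drop root privileges once the capture device is open

# Total disk the capture can ever occupy, in MB (-C times -W).
disk_cap_mb() {
  echo $((FILE_MB * FILE_COUNT))
}

# Print the tcpdump command; refuse outright if no BPF filter was supplied.
# $1 = interface, $2 = BPF filter, $3 = output directory (must be writable
# by DROP_TO_USER, because the files are created after privileges are dropped).
safe_capture_cmd() {
  iface="$1"; filter="$2"; outdir="$3"
  if [ -z "$filter" ]; then
    echo "refusing to capture on $iface without a BPF filter" >&2
    return 1
  fi
  # -n: no name resolution (no DNS traffic generated by the capture itself).
  printf "tcpdump -n -i %s -s %s -C %s -W %s -Z %s -w %s/capture.pcap '%s'\n" \
    "$iface" "$SNAPLEN" "$FILE_MB" "$FILE_COUNT" "$DROP_TO_USER" "$outdir" "$filter"
}

# Constructed example: headers only, one TLS backend, at most 1000 MB on disk.
echo "disk cap: $(disk_cap_mb) MB"
safe_capture_cmd eth0 'tcp port 443 and host 10.0.0.5' /var/tmp/pcap
```

With -C and -W tcpdump appends a file number to capture.pcap, so the ring never grows past FILE_COUNT files; raise SNAPLEN only when the protocol question genuinely needs bytes past the headers, and record that decision in the runbook.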
Analysis with Wireshark
Reading raw tcpdump output line by line misses patterns. Wireshark provides the visual analysis layer that turns bytes into insight.
- Open .pcap. Wireshark loads the capture; sortable, filterable, drill-down per packet.
- Follow stream. Reconstructs full TCP or HTTP conversations from individual packets; the killer feature.
- Display filters. tcp.stream eq 5 isolates one connection; http.response.code != 200 hunts errors.
- TLS decryption. Requires server private keys or pre-master secrets; document the process before you need it.
Antipatterns
- tcpdump without filter on busy host. Disk fills.
- Capturing user data without authorization. Compliance risk.
- Reading raw output without Wireshark. Misses patterns.
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure-mode rate before and after. (3) Document the change so the next incident responder inherits the knowledge.