tcpdump for Network Debugging
tcpdump for incident response.
Capture
The capture commands are the daily entry point for tcpdump. Pick the right interface, narrow the filter, and write to a file so the analysis happens off the box.
- tcpdump -i any -w /tmp/cap.pcap. All-interface write-to-file. Standard starting point when the failing flow is unknown.
- tcpdump -i any host 1.2.3.4. Filter to traffic involving a specific peer. Drops the noise from every other connection.
- tcpdump -i eth0 port 443. Target a specific port on a specific interface. Surgical capture for service-level investigations.
- Size cap with -C and -W. File-size (-C) and file-count (-W) flags keep a long capture from filling the disk.
Read
Reading captures pairs tcpdump for quick eyeballing with Wireshark for visual stream reconstruction. Both read the same .pcap; pick the tool that matches the depth of analysis.
- tcpdump -r /tmp/cap.pcap. Read back the captured file. Fast eyeball pass before opening Wireshark.
- Wireshark for visual analysis. GUI display with protocol decoding, stream reconstruction, and follow-stream views.
- Filter on read. Read-time filters (port 443, src host x, tcp.flags) cut noise and focus the read.
- Saved Wireshark profiles. Per-investigation profile reproduces the same colour rules and column layout next time.
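To make the read-time filtering concrete, here is an added example (not part of these notes, and not tcpdump's own code) that parses a libpcap-format file in pure Python and applies `port 443`, `src host x` and a tcp.flags test the way `tcpdump -r cap.pcap port 443` would. It assumes a microsecond-timestamp pcap with Ethernet/IPv4 frames; the three-packet capture it reads is constructed inline so it runs offline.

```python
"""Minimal libpcap reader with tcpdump-style read-time filters (added example).

Assumes a microsecond pcap (either byte order) whose link type is Ethernet and
whose packets are IPv4; anything else is skipped or rejected.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
ETH_IPV4 = b"\x08\x00"
PROTO_NAMES = {6: "tcp", 17: "udp"}


def _ipv4(src, dst, proto, payload):
    """Bare IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _tcp(sport, dport, flags):
    """20-byte TCP header: data offset 5 words, the given flag byte, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _record(frame, ts_sec):
    """pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus an Ethernet frame."""
    eth = b"\x02" * 6 + b"\x04" * 6 + ETH_IPV4 + frame
    return struct.pack("<IIII", ts_sec, 0, len(eth), len(eth)) + eth


# Constructed sample capture: start of a TLS handshake to 203.0.113.10, then a DNS query.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    + _record(_ipv4("10.0.0.5", "203.0.113.10", 6, _tcp(51000, 443, 0x02)), 1700000000)  # SYN
    + _record(_ipv4("203.0.113.10", "10.0.0.5", 6, _tcp(443, 51000, 0x12)), 1700000000)  # SYN/ACK
    + _record(_ipv4("10.0.0.5", "10.0.0.53", 17, _udp(40000, 53, b"\x00" * 12)), 1700000001)
)


def read_pcap(data):
    """Yield (timestamp, frame bytes) per record; checks the magic and picks byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:  # same magic, file written big-endian
        end = ">"
    else:
        raise ValueError("not a microsecond pcap file: %#x" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Ethernet/IPv4/{TCP,UDP} -> dict of the fields the filters need, else None."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = flags = None
    if proto in PROTO_NAMES and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        flags = l4[13]
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport, "flags": flags}


# Read-time filters mirroring `port 443`, `src host x` and Wireshark's tcp.flags test.
def port(n):
    return lambda p: n in (p["sport"], p["dport"])


def src_host(ip):
    return lambda p: p["src"] == ip


def tcp_flags(mask):
    return lambda p: p["flags"] is not None and p["flags"] & mask == mask


def matching(data, *predicates):
    """Packets satisfying every predicate (an AND, like a compound BPF expression)."""
    hits = []
    for ts, frame in read_pcap(data):
        pkt = decode(frame)
        if pkt and all(pred(pkt) for pred in predicates):
            pkt["ts"] = ts
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    for pkt in matching(SAMPLE_PCAP, port(443)):
        print("%.6f %s:%s > %s:%s %s flags=%#x" % (pkt["ts"], pkt["src"], pkt["sport"],
                                                  pkt["dst"], pkt["dport"], pkt["proto"], pkt["flags"]))
```

The point of the pure-Python reader is to show what a read-time filter actually touches: the pcap record header gives you lengths and timestamps, the Ethernet/IP/TCP offsets give you the tuple, and a BPF expression is just a conjunction of predicates over those fields. Real captures should still go through `tcpdump -r` or Wireshark, which handle VLAN tags, IPv6, fragments and truncated snaplens that this reader deliberately skips.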
Careful in prod
Production captures contain sensitive data. Treat them like database dumps: time-bound, retention-bound, access-controlled.
- Sensitive data. Captures pull PII, tokens, and request bodies into a file. Compliance scope expands accordingly.
- Time-bound captures. Use -G or a scripted stop. A capture left running indefinitely is the worst of both: leak risk plus disk pressure.
- Cleanup retention. Document how long pcaps live and where. Old pcap files lying around are a slow-motion data leak.
- Access control. Restricted-permission directory for capture output. Not every operator needs read access to every flow.
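The size cap from the Capture section and the time-bound, retention and access-control points above combine into one small wrapper. The following is an added example (not from these notes or from the tcpdump project): it builds the tcpdump command line rather than reimplementing the capture, writes into a 0700 directory, and purges pcaps past a retention window. The directory, the 7-day default and the file naming are assumptions for illustration.

```python
"""Bounded tcpdump capture plus retention cleanup (added example).

Assumptions: tcpdump is on PATH and the caller has CAP_NET_RAW; the output
directory, default retention (7 days) and file naming are illustrative only.
"""
import os
import shlex
import subprocess
import time
from pathlib import Path


def prepare_capture_dir(path):
    """Create the output directory with mode 0700: captures hold PII, tokens and bodies."""
    d = Path(path)
    d.mkdir(parents=True, exist_ok=True)
    os.chmod(d, 0o700)
    return d


def build_capture_cmd(iface, outfile, bpf=None, seconds=None, file_mb=None, files=4):
    """Argument list for a capture that ends by time (-G) or is size-capped (-C/-W).

    seconds: -G rotates every N seconds; -W 1 makes tcpdump exit at that first rotation.
    file_mb: -C starts a new file every file_mb MB; -W files turns that into a ring buffer.
    """
    cmd = ["tcpdump", "-i", iface, "-nn", "-w", str(outfile)]
    if seconds is not None:
        cmd += ["-G", str(seconds), "-W", "1"]
    elif file_mb is not None:
        cmd += ["-C", str(file_mb), "-W", str(files)]
    if bpf:
        cmd += shlex.split(bpf)  # BPF expression tokens, e.g. "host 1.2.3.4" or "port 443"
    return cmd


def purge_old_pcaps(capture_dir, retention_days, now=None):
    """Delete *.pcap* files older than the retention window; return the names removed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed = []
    for f in sorted(Path(capture_dir).glob("*.pcap*")):
        if f.is_file() and f.stat().st_mtime < cutoff:
            f.unlink()
            removed.append(f.name)
    return removed


def run_capture(iface, capture_dir, bpf=None, seconds=600, retention_days=7):
    """Time-bound capture into a locked-down directory, then enforce retention."""
    d = prepare_capture_dir(capture_dir)
    outfile = d / ("%s-%d.pcap" % (iface, int(time.time())))
    subprocess.run(build_capture_cmd(iface, outfile, bpf, seconds=seconds), check=True)
    if outfile.exists():
        os.chmod(outfile, 0o600)  # operator-only read on the capture itself
    return outfile, purge_old_pcaps(d, retention_days)


if __name__ == "__main__":
    # Print the command that would run for a ten-minute, port-443-only capture.
    print(" ".join(build_capture_cmd("eth0", "/var/tmp/captures/eth0.pcap", "port 443", seconds=600)))
```

Two practical notes: tcpdump evaluates the -G deadline as packets are written, so on a quiet interface the stop can lag behind the wall clock, which is why a scripted stop (for example `timeout`) remains a reasonable alternative; and the purge runs after every capture so retention is enforced by the same tool that creates the exposure, rather than by a cron job someone has to remember.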