tcpdump for Network Debugging

tcpdump for incident response.

Capture

The capture commands are the daily entry point for tcpdump. Pick the right interface, narrow the filter, and write to a file so the analysis happens off the box.

• tcpdump -i any -w /tmp/cap.pcap. All-interface write-to-file. Standard starting point when the failing flow is unknown.
• tcpdump -i any host 1.2.3.4. Filter to traffic involving a specific peer. Drops the noise from every other connection.
• tcpdump -i eth0 port 443. Target a specific port on a specific interface. Surgical capture for service-level investigations.
• Size cap with -C and -W. File-size and rotation flags prevent runaway-disk-usage incidents during long captures.

Read

Reading captures pairs tcpdump for quick eyeballing with Wireshark for visual stream reconstruction. Both read the same .pcap; pick the tool that matches the depth of analysis.

• tcpdump -r /tmp/cap.pcap. Read back the captured file. Fast eyeball pass before opening Wireshark.
• Wireshark for visual analysis. GUI display with protocol decoding, stream reconstruction, and follow-stream views.
• Filter on read. Read-time filters (port 443, src host x, tcp.flags) cut noise and focus the read.
• Saved Wireshark profiles. Per-investigation profile reproduces the same colour rules and column layout next time.

Careful in prod

Production captures contain sensitive data. Treat them like database dumps: time-bound, retention-bound, access-controlled.

• Sensitive data. Captures pull PII, tokens, and request bodies into a file. Compliance scope expands accordingly.
• Time-bound captures. Use -G or a scripted stop. A capture left running indefinitely is the worst-of-both: leak risk plus disk pressure.
• Cleanup retention. Document how long pcaps live and where. Old pcap files lying around are a slow-motion data-leak.
• Access control. Restricted-permission directory for capture output. Not every operator needs read access to every flow.