Loading learning content...
Ping tells you if packets reach a destination. Traceroute tells you where they go. But when you need to know exactly what is being transmitted—every byte, every header, every protocol exchange—you turn to packet capture.
Packet capture (sometimes called 'sniffing' or 'packet analysis') records the actual data traversing a network interface. Where other tools provide summaries and statistics, packet capture provides ground truth. When an application claims it sent the right data, when a firewall claims it's allowing traffic, when a server claims it never received a request—packet capture proves or disproves those claims definitively.
The definitive diagnostic:
Packet capture is the ultimate troubleshooting escalation. When simpler tools can't explain a problem, packet analysis reveals exactly what's happening at the wire level. It's how security analysts detect intrusions, how developers debug protocols, and how engineers prove (or disprove) that 'the network is the problem.'
This page covers packet capture fundamentals using Wireshark and tcpdump—when and how to capture, filter syntax (capture vs display), reading packet headers, following streams, and common analysis patterns for TCP, HTTP, DNS, and TLS. You'll develop the ability to diagnose problems that other tools can't touch.
Before diving into tools, understand how packet capture works and its inherent limitations.
How Capture Works:
Normally, a network interface card (NIC) only accepts packets destined for its MAC address (or broadcast/multicast addresses). Packet capture puts the NIC into promiscuous mode, where it accepts all packets seen on the network segment.
On switched networks (most modern networks), this only captures traffic to/from the capturing host plus broadcast/multicast traffic—you won't see traffic between other hosts unless you take additional steps.
Seeing Other Hosts' Traffic:
| Method | How It Works | Use Case |
|---|---|---|
| Port Mirroring (SPAN) | Switch copies traffic from one port to another | Production network monitoring |
| Network TAP | Physical device that copies traffic passively | High-fidelity captures, security monitoring |
| Hub (legacy) | All traffic broadcast to all ports | Lab environments only |
| ARP Spoofing | Redirect traffic through your host | Penetration testing (with authorization only!) |
| Inline Capture | Capture device placed in traffic path | Firewall/IDS deployments |
| Agent on Host | Capture on the source or destination itself | Most common approach—capture where the traffic is |
What Gets Captured:
A packet capture includes:
Limitations and Considerations:
Never capture network traffic without explicit authorization. In many jurisdictions, unauthorized packet capture is illegal (wiretapping laws). In enterprise environments, follow your organization's policies. Even with authorization, handle capture data as sensitive.
tcpdump is the standard command-line packet capture tool on Unix-like systems. It's lightweight, scriptable, and available on virtually every Linux/Unix system. For servers without a GUI, tcpdump is indispensable.
Basic Capture Commands:
12345678910111213141516171819202122232425
# List available interfacestcpdump -D # Capture on specific interface (requires root)sudo tcpdump -i eth0 # Capture with verbose outputsudo tcpdump -i eth0 -v # Verbosesudo tcpdump -i eth0 -vv # More verbosesudo tcpdump -i eth0 -vvv # Maximum verbosity # Don't resolve hostnames or ports (faster, clearer)sudo tcpdump -i eth0 -nn # Limit capture to N packetssudo tcpdump -i eth0 -c 100 # Save to file (for later Wireshark analysis)sudo tcpdump -i eth0 -w capture.pcap # Read from saved filetcpdump -r capture.pcap # Show absolute sequence numberssudo tcpdump -i eth0 -SReading tcpdump Output:
14:32:45.123456 IP 192.168.1.100.54321 > 93.184.216.34.80: Flags [S], seq 123456789, win 65535, options [mss 1460,nop,nop,sackOK], length 0
| Field | Meaning |
|---|---|
14:32:45.123456 | Timestamp (HH:MM:SS.microseconds) |
IP | IPv4 packet |
192.168.1.100.54321 | Source IP.port |
> | Direction (to) |
93.184.216.34.80 | Destination IP.port |
Flags [S] | TCP flags (S=SYN) |
seq 123456789 | TCP sequence number |
win 65535 | TCP window size |
options [...] | TCP options (MSS, SACK, etc.) |
length 0 | Payload bytes (0 for SYN) |
Common TCP Flags:
| Flag | Letter | Meaning |
|---|---|---|
| SYN | S | Connection initiation |
| ACK | . | Acknowledgment |
| FIN | F | Connection termination |
| RST | R | Reset (abort connection) |
| PSH | P | Push (send immediately) |
| SYN-ACK | S. | SYN + ACK (handshake step 2) |
For serious analysis, always capture to a pcap file (-w capture.pcap) then analyze with Wireshark. Real-time tcpdump output scrolls by too fast for complex analysis. Files can also be shared with colleagues or vendors for collaborative troubleshooting.
Wireshark is the world's most popular network protocol analyzer. It provides a graphical interface for capturing and analyzing packets, with deep protocol decoding for hundreds of protocols.
Wireshark Interface Components:
Starting a Capture:
Capture Filters vs Display Filters:
Wireshark has two types of filters with different syntaxes:
| Aspect | Capture Filter | Display Filter |
|---|---|---|
| When applied | During capture | After capture |
| Syntax | BPF (same as tcpdump) | Wireshark-specific |
| Effect | Limits what's captured | Limits what's shown |
| Use case | Reduce capture size | Focus analysis |
| Changeable | No (set before capture) | Yes (interactive) |
When to use each:
1234567891011121314151617181920212223242526272829
# Host filtershost 192.168.1.100src host 192.168.1.100dst host 192.168.1.100 # Port filtersport 80port 443 or port 80src port 443dst port 80 # Protocol filterstcpudpicmp # Network filtersnet 192.168.1.0/24net 10.0.0.0/8 # Combinationshost 192.168.1.100 and port 443tcp port 80 and host 10.0.0.5not port 22port 80 and (host 10.0.0.1 or host 10.0.0.2) # Packet sizegreater 1000less 64Always check Analyze > Expert Information when troubleshooting. Wireshark automatically detects TCP retransmissions, zero window events, RST packets, sequence problems, and other anomalies. It categorizes them by severity (Chat, Note, Warning, Error).
TCP problems are among the most common reasons for packet analysis. Understanding what to look for accelerates diagnosis.
The TCP Three-Way Handshake:
Every TCP connection starts with this exchange:
Client Server
| |
|---- SYN (seq=x) ------------------->|
| |
|<--- SYN-ACK (seq=y, ack=x+1) -------|
| |
|---- ACK (ack=y+1) ----------------->|
| |
Connection Established
In Wireshark:
192.168.1.100:54321 -> 93.184.216.34:80 [SYN] seq=0
93.184.216.34:80 -> 192.168.1.100:54321 [SYN,ACK] seq=0 ack=1
192.168.1.100:54321 -> 93.184.216.34:80 [ACK] ack=1
Handshake Problems:
| Pattern | Meaning | Cause |
|---|---|---|
| SYN sent, no response | Timeout | Host down, firewall drops, routing issue |
| SYN sent, RST received | Port closed | Service not listening, firewall rejects |
| SYN sent, ICMP unreachable | Host/network unreachable | Routing or firewall issue |
| SYN-ACK received, no ACK from client | Client-side issue | Client firewall, NAT problem |
| Multiple SYN retransmissions | Packet loss or filtering | Network congestion, firewall |
Retransmission Analysis:
TCP retransmits lost packets. In Wireshark, filter with tcp.analysis.retransmission.
Types of retransmissions:
| Type | What It Means | Wireshark Filter |
|---|---|---|
| Retransmission | Packet resent after timeout | tcp.analysis.retransmission |
| Fast Retransmission | Resent after duplicate ACKs | tcp.analysis.fast_retransmission |
| Spurious Retransmission | Unnecessary resend (original was received) | tcp.analysis.spurious_retransmission |
| Out-of-Order | Packet arrived out of sequence | tcp.analysis.out_of_order |
| Duplicate ACK | ACK for already-acknowledged data | tcp.analysis.duplicate_ack |
What retransmissions tell you:
Window Size Analysis:
TCP window size controls flow control. Look for:
tcp.analysis.zero_windowtcp.analysis.window_updateRST (Reset) Analysis:
RST packets abruptly terminate connections. Filter: tcp.flags.rst == 1
| RST Scenario | Likely Cause |
|---|---|
| RST after SYN | Port not listening |
| RST mid-connection | Application crashed, timeout, firewall kill |
| RST after FIN | Connection already closing |
| RST from unexpected IP | Firewall or middlebox interference |
Connection Termination:
Normal close = FIN-ACK exchange (graceful):
Client --> FIN --> Server
Client <-- ACK <-- Server
Client <-- FIN <-- Server
Client --> ACK --> Server
Abrupt close = RST:
Right-click any TCP packet > Follow > TCP Stream to see the entire conversation reconstructed as a continuous data stream. This is invaluable for understanding what data was actually exchanged, especially for text protocols like HTTP.
DNS issues are extremely common and often cause 'the network is slow' complaints (DNS timeout adds seconds to every new connection). Packet capture reveals exactly what's happening with name resolution.
Display Filter: dns
DNS Query/Response Pattern:
Query: 192.168.1.100 -> 8.8.8.8: Standard query A www.example.com
Response: 8.8.8.8 -> 192.168.1.100: Standard query response A www.example.com A 93.184.216.34
What to Look For in DNS:
| Pattern | Filter | Meaning |
|---|---|---|
| Many queries, no responses | dns.qry.name | DNS server unreachable or blocking |
| Response with no answer | dns.count.answers == 0 | NXDOMAIN (name doesn't exist) |
| Single query, multiple responses | Compare transaction IDs | Possible DNS spoofing |
| High query time | Check timestamp delta | Slow DNS server |
| Query to unexpected server | Check destination IP | Misconfigured DNS or DNS hijacking |
| PTR queries flooding | dns.qry.type == 12 | Something doing reverse lookups excessively |
DNS Response Codes:
| Code | Name | Meaning |
|---|---|---|
| 0 | NOERROR | Success |
| 1 | FORMERR | Format error |
| 2 | SERVFAIL | Server failed |
| 3 | NXDOMAIN | Name doesn't exist |
| 5 | REFUSED | Server refused query |
Filter by response code: dns.flags.rcode == 3 (NXDOMAIN)
Wireshark DNS Dissection:
Expand the DNS protocol in packet details to see:
Example Analysis Workflow:
dns to see only DNS traffic123456789101112131415161718192021222324252627282930
# All DNS trafficdns # DNS queries onlydns.flags.response == 0 # DNS responses onlydns.flags.response == 1 # Specific domaindns.qry.name == "www.example.com"dns.qry.name contains "example" # NXDOMAIN responsesdns.flags.rcode == 3 # A record queriesdns.qry.type == 1 # AAAA (IPv6) record queriesdns.qry.type == 28 # MX record queriesdns.qry.type == 15 # PTR (reverse) queriesdns.qry.type == 12 # DNS over specific port (non-standard)dns and !udp.port == 53If you see DNS queries with no responses, note that most resolvers wait 1-5 seconds before retrying or failing. Multiple failed queries in a row can cause perceived delays of 15+ seconds before an application sees an error. This often manifests as 'the website is slow to load.'
Web traffic analysis is a core packet capture skill. While HTTPS encrypts the payload, you can still learn a lot from connection patterns.
HTTP (Unencrypted) Analysis:
Display filter: http
HTTP Request Fields:
GET /api/users HTTP/1.1
Host: api.example.com
User-Agent: Mozilla/5.0...
Accept: application/json
Cookie: session=abc123
Useful HTTP Filters:
123456789101112131415161718192021222324252627282930313233
# All HTTP traffichttp # HTTP requests onlyhttp.request # HTTP responses onlyhttp.response # Specific methodshttp.request.method == "GET"http.request.method == "POST"http.request.method == "PUT" # Response codeshttp.response.code == 200http.response.code == 404http.response.code == 500http.response.code >= 400 # All errorshttp.response.code >= 500 # Server errors only # URL filteringhttp.request.uri contains "/api/"http.host == "api.example.com"http.host contains "example" # Content typehttp.content_type contains "json"http.content_type contains "html" # User agenthttp.user_agent contains "Mozilla"http.user_agent contains "curl"Analyzing Request/Response Pairs:
http.request or http.responseCommon HTTP problems in captures:
| Symptom | What You See | Likely Cause |
|---|---|---|
| Slow page load | Large response, multiple requests | Unoptimized page, many resources |
| Page timeout | Request, no response (or delayed) | Server overloaded or crashed |
| 4xx errors | 400/401/403/404 responses | Client error, auth issue, missing resource |
| 5xx errors | 500/502/503/504 responses | Server error, overload, timeout |
| Redirect loops | Multiple 301/302 in sequence | Misconfigured redirects |
HTTPS/TLS Analysis:
HTTPS encrypts the payload, but you can still see:
TLS Filters:
tls # All TLS traffic
tls.handshake # Handshake messages only
tls.handshake.type == 1 # Client Hello
tls.handshake.type == 2 # Server Hello
tls.handshake.extensions_server_name # SNI hostname
ssl.alert_message # TLS alerts (errors)
TLS Troubleshooting:
| Problem | What You See | Cause |
|---|---|---|
| Version mismatch | Client Hello with old version, server RST | Server doesn't support client's TLS version |
| Cipher mismatch | Handshake failure alert | No common cipher suite |
| Certificate error | Certificate alert | Expired, wrong hostname, untrusted CA |
| Slow handshake | Large time gaps between handshake packets | Server overload or network latency |
You can decrypt HTTPS in Wireshark if you have the TLS session keys. Browsers like Chrome/Firefox can export these keys (set SSLKEYLOGFILE environment variable). Then configure Wireshark: Edit > Preferences > Protocols > TLS > (Pre-)Master-Secret log filename. This is essential for debugging HTTPS issues in development environments.
Effective packet capture requires planning. The difference between a useful capture and a useless one is often preparation.
Before Capturing:
Capture Point Selection:
| Capture At | Pros | Cons |
|---|---|---|
| Client | See exactly what client sends/receives | May lack visibility to network issues |
| Server | See what server receives/sends | May miss client-side network issues |
| Switch (SPAN port) | See transit traffic | Adds complexity, may drop packets under load |
| Firewall/Router | See traffic at network boundary | Limited to what passes through that point |
| Both ends | Complete picture | Requires coordination, more data to analyze |
Filter Strategy:
Dealing with Large Captures:
1234567891011121314
# Rotate files after size limit (100MB each, keep 10)sudo tcpdump -i eth0 -w capture.pcap -C 100 -W 10 # Ring buffer: overwrites oldest file when limit reachedsudo tcpdump -i eth0 -w capture.pcap -C 50 -W 5 -Z root # Capture for specific duration (60 seconds)timeout 60 sudo tcpdump -i eth0 -w capture.pcap # Capture with timestamp in filenamesudo tcpdump -i eth0 -w capture_$(date +%Y%m%d_%H%M%S).pcap # Split capture by packet countsudo tcpdump -i eth0 -c 10000 -w capture.pcap-s 68 default)-s 0)When sharing captures for collaborative troubleshooting: (1) Anonymize if needed (Tools > Statistics > Edit Resolved Name), (2) Filter to relevant traffic only, (3) Include a notes file documenting IPs, issue description, and what to look for. A well-documented capture gets faster help.
Packet capture is the definitive diagnostic tool—when other methods fail, packets provide ground truth. Let's consolidate the key skills:
What's Next:
With packet capture mastered, we'll turn to common network issues—the patterns and problems you'll encounter repeatedly in production environments. You'll learn to recognize and resolve issues ranging from slow performance to complete outages using all the techniques we've covered.
You've learned to capture and analyze network traffic at the packet level—the ultimate troubleshooting capability. From tcpdump basics to Wireshark protocol analysis, you can now examine exactly what's happening on the wire. Next, we'll apply all these skills to diagnosing the most common real-world network problems.