tcpdump is an extremely useful tool for validating and troubleshooting packet flows through a system, and through a network. Whether you want to confirm if a process is communicating, review the frequency of network conversations, or explore unexpected flows, tcpdump is one tool that can help.
Sometimes, it’s necessary to have deeper insight and analysis than what tcpdump can display in its output. This is where capturing a flow to a PCAP file for review in Wireshark can extend the tool. Exploring a PCAP file in Wireshark provides all the capabilities of a Wireshark live network capture, but through a static capture file, including items such as:
- Frame headers
- Layer 2 protocols
- TCP, UDP, ICMP details
- Application data
The example below shows how to capture a network flow in PCAP format using tcpdump:
tcpdump -i <interface> -s 65535 -w <file> [capture options]
Where:
- -i is the interface to capture from. For example ens33
- -s is the number of bytes of data to capture from each packet
- -w is the output file of the capture. For example http_traffic.pcap
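Once a file has been written with -w, it is worth checking before handing it to Wireshark that the snaplen given with -s actually took effect and that no packets were clipped. The following Python script is an added example, not code from the original post: it parses the libpcap global header and each packet record header, reports the snaplen stored in the file, and counts records whose captured length is shorter than the original frame length. The three frames it parses are constructed in memory (not real traffic) and the link type is assumed to be Ethernet; the same parse_pcap and summarize functions can be pointed at a real file such as http_traffic.pcap.

```python
"""Inspect a libpcap (.pcap) file as written by `tcpdump -w`.

Added example (not from the original post). It builds a small constructed
capture in memory, then parses it with the same code you would run against a
real file to confirm the snaplen (-s) took effect and to spot truncated
packets (captured length < original length).
"""
import struct
from typing import Dict, List

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1          # assumed link type for the constructed sample


def parse_pcap(data: bytes) -> Dict:
    """Parse the 24-byte global header and every 16-byte packet record header.

    Returns the file version, snaplen, link type and a per-packet list with
    captured length, original length and whether the record was truncated.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"                      # written on a little-endian host
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    # Fields: magic, version major, version minor, thiszone, sigfigs, snaplen, network
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])

    packets: List[Dict] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("packet record at offset %d runs past end of file" % off)
        packets.append({
            "ts": ts_sec,
            "caplen": caplen,
            "origlen": origlen,
            # caplen < origlen means the snaplen clipped this packet on capture
            "truncated": caplen < origlen,
        })
        off += caplen
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def build_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Write a constructed little-endian pcap, clipping frames to snaplen as -s would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out


def summarize(data: bytes) -> Dict:
    """The numbers worth checking after a capture: snaplen, packet count, clipped packets."""
    info = parse_pcap(data)
    return {
        "snaplen": info["snaplen"],
        "packets": len(info["packets"]),
        "truncated": sum(1 for p in info["packets"] if p["truncated"]),
    }


# Constructed sample frames (not real traffic): minimum Ethernet frame,
# a full 1500-byte-MTU frame, and a jumbo frame.
SAMPLE_FRAMES = [b"\x00" * 60, b"\x11" * 1514, b"\x22" * 9000]

if __name__ == "__main__":
    full = build_pcap(65535, SAMPLE_FRAMES)   # what `-s 65535 -w` would produce
    clipped = build_pcap(96, SAMPLE_FRAMES)   # a short snaplen, for comparison
    print(summarize(full))     # {'snaplen': 65535, 'packets': 3, 'truncated': 0}
    print(summarize(clipped))  # {'snaplen': 96, 'packets': 3, 'truncated': 2}
```

To check a real capture, replace the constructed input with `summarize(open("http_traffic.pcap", "rb").read())`; a non-zero truncated count means application data in those packets is incomplete and Wireshark's dissectors will only show what was captured.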