Packet Analysis and Network Troubleshooting Tools

Tags: tools, packet-analysis, wireshark, tcpdump

Core Idea

Packet analyzers like Wireshark and tcpdump capture network traffic for offline analysis and real-time monitoring. Wireshark provides a graphical interface with protocol dissection, flow statistics, and stream reconstruction. tcpdump is a command-line capture tool with filter expressions for selective capture. Both are essential for network troubleshooting and protocol analysis.

How It's Best Learned

Capture HTTP, DNS, and TCP handshake traffic using Wireshark. Write tcpdump filters to capture specific traffic. Reconstruct TCP streams and examine payloads. Analyze packet timing and retransmissions. Use statistics features to identify performance bottlenecks.

Common Misconceptions

Packet capture on shared media (hubs) requires promiscuous mode; on a switch you only see traffic addressed to your own port unless a mirror (SPAN) port is configured. tcpdump filters use pcap/BPF syntax, not regular expressions. Captured traffic may contain credentials and other sensitive data, so capture files require proper handling and encryption.

Explainer

You already understand how the TCP/IP and OSI models organize network communication into layers, each with its own headers and responsibilities. Packet analysis lets you see these layers in action — you capture real traffic off the wire and inspect exactly what each layer contributed. When a web page loads slowly, packet analysis can reveal whether the problem is DNS resolution taking too long, TCP retransmissions indicating packet loss, TLS negotiation delays, or the server simply responding with a large payload. Instead of guessing, you examine the evidence directly.

tcpdump is the foundational command-line tool for packet capture. It uses the pcap library to put a network interface into promiscuous mode (capturing all frames, not just those addressed to your machine) and applies Berkeley Packet Filter (BPF) expressions to select traffic of interest. A filter like `tcp port 443 and host 10.0.0.5` captures only HTTPS traffic to or from a specific host. tcpdump's strength is its lightweight footprint — it runs on any Unix-like system without a GUI, making it ideal for capturing traffic on remote servers. The typical workflow is to capture packets to a file (`-w capture.pcap`) on the server, then transfer the file to a workstation for deeper analysis.

Wireshark provides that deeper analysis through a graphical interface with full protocol dissection. Where tcpdump shows you raw bytes and basic header decoding, Wireshark understands hundreds of protocols and can decode nested layers automatically — showing you, for instance, that a particular Ethernet frame contains an IP packet containing a TCP segment containing an HTTP request with specific headers and a JSON payload. Its follow stream feature reconstructs entire TCP conversations, letting you read the back-and-forth between client and server as a continuous dialogue. The statistics menu provides flow graphs, round-trip time analysis, and throughput measurements that turn raw captures into actionable performance data.

The most important practical skill in packet analysis is knowing what to filter for. A busy network generates thousands of packets per second, and capturing everything creates an overwhelming haystack. Effective troubleshooting starts with a hypothesis — "I think DNS resolution is slow" — and applies a targeted capture filter (`udp port 53`) to collect only relevant traffic. After capture, Wireshark's display filters (distinct from capture filters, and written in Wireshark's own filter language rather than BPF) let you further narrow what you examine. Learning to read TCP flags, identify retransmissions, spot RST packets indicating refused connections, and measure time deltas between request and response transforms packet analysis from a data collection exercise into a diagnostic discipline.
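The following is an added example, not code from the page or from the tcpdump/Wireshark projects. It ties together the capture-file workflow described above (a `tcpdump -w capture.pcap` file is the classic libpcap format this code writes and reads) and the diagnostic reading of a capture: it dissects Ethernet/IPv4/TCP headers, measures the SYN to SYN-ACK handshake RTT, flags RST segments, detects retransmissions, and computes request-to-response delay per flow. The addresses, ports, timestamps and HTTP strings are constructed; MACs and checksums are zeroed because the frames are parsed, never transmitted; and the retransmission rule (data seen again at a sequence number already observed on the flow) is a deliberate simplification of the richer analysis Wireshark performs.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic; written little-endian by tcpdump -w on x86
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)

def build_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums: it is parsed here, never sent."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + tcp + payload

def write_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> bytes in classic pcap format."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes, accepting either byte order of the magic."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC: raise ValueError("not a pcap file")
    off = 24                                                # global header is 24 bytes
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl

def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP headers; return None for anything else (no checksum checks)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl                                            # start of the TCP header
    sport, dport, seq, ack, doff, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    return {"src": bytes_to_ip(frame[26:30]), "dst": bytes_to_ip(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": frame[t + (doff >> 4) * 4: 14 + total_len]}

def triage(pcap_bytes):
    """Per flow: handshake RTT, RST sightings, repeated-seq retransmissions, request->response delay."""
    f = {"handshake_rtt_s": {}, "rst": [], "retransmissions": [], "response_delay_s": {}}
    syn_time, servers, seen, last_request = {}, set(), {}, {}
    for ts, frame in read_pcap(pcap_bytes):
        p = dissect(frame)
        if p is None: continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] & TCP_RST:                            # refused or aborted connection
            f["rst"].append(flow)
            continue
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:   # client SYN opens the handshake
            syn_time[flow] = ts
            servers.add((p["dst"], p["dport"]))
        elif p["flags"] & TCP_SYN and rev in syn_time:      # SYN-ACK answering it: handshake RTT
            f["handshake_rtt_s"][rev] = round(ts - syn_time.pop(rev), 6)
        if not p["payload"]: continue
        key = flow + (p["seq"],)
        if key in seen:      # data at a sequence number already seen: retransmission (simplified rule)
            f["retransmissions"].append((flow, p["seq"], round(ts - seen[key], 6)))
            continue
        seen[key] = ts
        if (p["dst"], p["dport"]) in servers:               # data toward the server is a request
            last_request[flow] = ts
        elif rev in last_request:                           # first data back is the response
            f["response_delay_s"][rev] = round(ts - last_request.pop(rev), 6)
    return f

def sample_capture():
    """Constructed capture: one HTTP exchange with a retransmitted request, then a refused port."""
    c, s = "10.0.0.5", "10.0.0.9"                           # assumed client and server addresses
    req = b"GET / HTTP/1.1\r\nHost: app.internal\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    frames = [
        (0.000000, build_tcp_frame(c, s, 40000, 443, 1000, 0, TCP_SYN)),
        (0.020000, build_tcp_frame(s, c, 443, 40000, 5000, 1001, TCP_SYN | TCP_ACK)),
        (0.020100, build_tcp_frame(c, s, 40000, 443, 1001, 5001, TCP_ACK)),
        (0.021000, build_tcp_frame(c, s, 40000, 443, 1001, 5001, TCP_PSH | TCP_ACK, req)),
        (0.221000, build_tcp_frame(c, s, 40000, 443, 1001, 5001, TCP_PSH | TCP_ACK, req)),  # resent
        (0.321000, build_tcp_frame(s, c, 443, 40000, 5001, 1001 + len(req), TCP_PSH | TCP_ACK, resp)),
        (1.000000, build_tcp_frame(c, s, 40001, 8080, 2000, 0, TCP_SYN)),
        (1.000500, build_tcp_frame(s, c, 8080, 40001, 0, 2001, TCP_RST | TCP_ACK)),   # nothing listening
    ]
    return write_pcap(frames)
```

`triage(sample_capture())` reports a 20 ms handshake, a request retransmitted 200 ms after the first copy, a 300 ms request-to-response delay, and an RST from port 8080 on the second connection. A real Ethernet capture produced by `tcpdump -w` can be fed in the same way with `triage(open("capture.pcap", "rb").read())`; the same questions are answered in Wireshark with display filters such as `tcp.flags.reset == 1` and `tcp.analysis.retransmission`, which is the capture-filter versus display-filter split the text describes.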
