Packet Capture
Chapter 88: Packet Capture and Network Analysis
Section titled “Chapter 88: Packet Capture and Network Analysis”Comprehensive Guide to tcpdump, Wireshark, and Network Analysis
Section titled “Comprehensive Guide to tcpdump, Wireshark, and Network Analysis”Why This Matters in DevOps/SRE
Section titled “Why This Matters in DevOps/SRE”Packet capture is essential for network troubleshooting:
- Debugging: See actual network traffic, not just logs
- Security: Detect malicious traffic and attacks
- Performance: Identify network bottlenecks
- Compliance: Audit network communications
- Root Cause: Network issues often need packet-level analysis
tcpdump and Wireshark are essential tools for any SRE or DevOps engineer.
88.1 Understanding Packet Capture
Section titled “88.1 Understanding Packet Capture”How Packet Capture Works
Section titled “How Packet Capture Works”Packet capture involves intercepting network packets as they travel across a network interface. This is essential for troubleshooting network issues, security analysis, and protocol debugging.
Packet Capture Architecture+------------------------------------------------------------------+| || Packet Capture Flow || || +-------------------------------------------------------------+|| | Network Interface ||| | +----------------------------------------------------------+ || | | Network Card (NIC) | || | | - Driver receives packets | || | | - Copies to kernel buffer | || | +----------------------------------------------------------+ || | | || | v || | +----------------------------------------------------------+ || | | Kernel (BPF) | || | | - Berkeley Packet Filter | || | | - Applies capture filter | || | | - Copies matching packets to userspace | || | +----------------------------------------------------------+ || | | || | v || | +----------------------------------------------------------+ || | | Capture Tool (tcpdump/Wireshark) | || | | - Receives filtered packets | || | | - Writes to file or displays | || | +----------------------------------------------------------+ || +------------------------------------------------------------+|| || Capture Modes: || +----------------------------------------------------------+ || | Promiscuous | NIC accepts all packets (default) | || | Non-promiscuous | Only packets addressed to NIC | || | Monitor mode | All packets (wireless) | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+PCAP Format
Section titled “PCAP Format” PCAP File Format+------------------------------------------------------------------+| || PCAP Global Header (24 bytes): || +----------------------------------------------------------+ || | Magic Number (4 bytes) - 0xa1b2c3d4 or 0xd4c3b2a1 | || | Version Major (2 bytes) | || | Version Minor (2 bytes) | || | Thiszone (4 bytes) - Timezone offset | || | Sigfigs (4 bytes) - Timestamp accuracy | || | Snaplen (4 bytes) - Max packet length | || | Link Type (4 bytes) - Data link type (Ethernet=1) | || +----------------------------------------------------------+ || || Packet Header (16 bytes): || +----------------------------------------------------------+ || | Timestamp Seconds (4 bytes) | || | Timestamp Microseconds (4 bytes) | || | Captured Length (4 bytes) | || | Original Length (4 bytes) | || +----------------------------------------------------------+ || || Packet Data: || +----------------------------------------------------------+ || | Raw packet bytes | || +----------------------------------------------------------+ || || File Extensions: .pcap, .pcapng (PCAP Next Generation) || |+------------------------------------------------------------------+88.2 tcpdump Deep Dive
Section titled “88.2 tcpdump Deep Dive”Basic Usage
Section titled “Basic Usage”# Capture on specific interfacesudo tcpdump -i eth0sudo tcpdump -i any
# Capture with hostname resolution (use -n to disable)sudo tcpdump -i eth0 -n
# Capture specific number of packetssudo tcpdump -i eth0 -c 100
# Capture to filesudo tcpdump -i eth0 -w capture.pcap
# Read from filetcpdump -r capture.pcaptcpdump -r capture.pcap | head -20
# Verbose outputsudo tcpdump -i eth0 -vsudo tcpdump -i eth0 -vvsudo tcpdump -i eth0 -vvv
# Show packet contentssudo tcpdump -i eth0 -X # Hex and ASCIIsudo tcpdump -i eth0 -XX # With link headerBPF Filters
Section titled “BPF Filters” BPF Filter Syntax+------------------------------------------------------------------+| || Primitives (Basic): || +----------------------------------------------------------+ || | host x.x.x.x | Specific host | || | src host x.x.x.x | Source host | || | dst host x.x.x.x | Destination host | || | net x.x.x.x/nn | Network | || | src net x.x.x.x/nn | Source network | || | dst net x.x.x.x/nn | Destination network | || | port xx | Port | || | src port xx | Source port | || | dst port xx | Destination port | || | gateway hostname | Gateway | || +----------------------------------------------------------+ || || Protocols: || +----------------------------------------------------------+ || | tcp, udp, icmp, ip, ip6, arp, rarp, decnet | || +----------------------------------------------------------+ || || Direction: || +----------------------------------------------------------+ || | src, dst | || +----------------------------------------------------------+ || || Logical Operators: || +----------------------------------------------------------+ || | and (&&), or (||), not (!) | || +----------------------------------------------------------+ || || Examples: || +----------------------------------------------------------+ || | tcpdump host 10.0.0.1 | || | tcpdump port 80 | || | tcpdump src 10.0.0.1 and dst port 80 | || | tcpdump net 10.0.0.0/8 | || | tcpdump tcp and port 443 | || | tcpdump not port 22 | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Advanced Filtering
Section titled “Advanced Filtering”# TCP flagstcpdump 'tcp[tcpflags] & tcp-syn != 0' # SYN packetstcpdump 'tcp[tcpflags] & tcp-ack != 0' # ACK packetstcpdump 'tcp[tcpflags] & tcp-syn != 0 and tcp-ack == 0' # SYN onlytcpdump 'tcp[tcpflags] & tcp-rst != 0' # RST packetstcpdump 'tcp[tcpflags] & tcp-fin != 0' # FIN packetstcpdump 'tcp[tcpflags] & tcp-push != 0' # PSH packets
# Port rangestcpdump portrange 80-443
# ICMP typestcpdump icmp[icmptype] == 8 # Echo request (ping)tcpdump icmp[icmptype] == 0 # Echo replytcpdump icmp[icmptype] == 3 # Destination unreachable
# TCP connection establishmenttcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
# HTTP requeststcpdump -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
# Payload sizetcpdump 'tcp[2:2] > 1000' # Packets larger than 1000 bytes
# Combine filterstcpdump -i eth0 'host 10.0.0.1 and (port 80 or port 443)'tcpdump -i eth0 'not arp and not icmp'Output Formatting
Section titled “Output Formatting”# Timestamp formatstcpdump -t # No timestamptcpdump -tt # Unix timestamptcpdump -ttt # Time since previoustcpdump -tttt # Human readable with date
# Line numberstcpdump -n -l | nl
# Quick output (no DNS, less detail)tcpdump -q
# Absolute sequence numberstcpdump -S
# Print packet lengthtcpdump -e
# Complete packet dumptcpdump -v -X88.3 Wireshark
Section titled “88.3 Wireshark”Installation
Section titled “Installation”# Debian/Ubuntusudo apt install wireshark tshark
# RHEL/CentOSsudo dnf install wireshark
# Arch Linuxsudo pacman -S wireshark-qt
# macOSbrew install --cask wiresharkDisplay Filters
Section titled “Display Filters” Common Display Filters+------------------------------------------------------------------+| || Protocol Filters: || +----------------------------------------------------------+ || | tcp, udp, icmp, http, dns, ssh, ftp, smtp | || +----------------------------------------------------------+ || || Address Filters: || +----------------------------------------------------------+ || | ip.addr == 10.0.0.1 | || | ip.src == 10.0.0.1 | || | ip.dst == 10.0.0.1 | || | tcp.port == 80 | || | udp.port == 53 | || +----------------------------------------------------------+ || || HTTP Filters: || +----------------------------------------------------------+ || | http.request.method == "GET" | || | http.response.code == 200 | || | http.host == "example.com" | || | http.request.uri contains "/api/" | || +----------------------------------------------------------+ || || TCP Filters: || +----------------------------------------------------------+ || | tcp.flags.syn == 1 | || | tcp.flags.ack == 1 | || | tcp.flags.reset == 1 | || | tcp.analysis.retransmission | || | tcp.analysis.lost_segment | || +----------------------------------------------------------+ || || DNS Filters: || +----------------------------------------------------------+ || | dns.qry.type == 1 (A record) | || | dns.qry.type == 28 (AAAA record) | || | dns.resp.addr == 8.8.8.8 | || +----------------------------------------------------------+ || || Combined Filters: || +----------------------------------------------------------+ || | ip.addr == 10.0.0.1 and tcp.port == 80 | || | http.request.method == "POST" and ip.src == 10.0.0.5 | || | !(arp or icmp) | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+tshark (CLI Wireshark)
Section titled “tshark (CLI Wireshark)”# Capture packetssudo tshark -i eth0 -c 100sudo tshark -i eth0 -w capture.pcap
# Read and filtertshark -r capture.pcaptshark -r capture.pcap -Y "http.request"tshark -r capture.pcap -Y "ip.addr == 10.0.0.1"
# Extract fieldstshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
# Statisticstshark -r capture.pcap -z io,phstshark -r capture.pcap -z conv,tcptshark -r capture.pcap -z http,stattshark -r capture.pcap -z endpoints,ip
# Live capture with filterssudo tshark -i eth0 -f "tcp port 80"sudo tshark -i eth0 -f "host 10.0.0.1"Common Wireshark Tricks
Section titled “Common Wireshark Tricks”# Follow TCP stream# In GUI: Right click → Follow → TCP Stream
# Export objects# File → Export Objects → HTTP
# Expert information# Analyze → Expert Information
# Decode as# Right click → Decode As
# Time sequences# Statistics → TCP Stream Graph → Time Sequence
# IO graphs# Statistics → I/O Graph88.4 Packet Analysis Examples
Section titled “88.4 Packet Analysis Examples”HTTP Traffic Analysis
Section titled “HTTP Traffic Analysis”# Capture HTTP trafficsudo tcpdump -i eth0 -w http.pcap 'tcp port 80'
# Analyze HTTP requeststcpdump -r http.pcap -n -A | grep "GET "
# Extract HTTP objects# tshark -r http.pcap --export-objects "http,./export"
# HTTP statisticstshark -r http.pcap -z http,statDNS Traffic Analysis
Section titled “DNS Traffic Analysis”# Capture DNSsudo tcpdump -i eth0 -w dns.pcap 'udp port 53'
# Show DNS queriestcpdump -i eth0 -n 'udp port 53'
# DNS response codestcpdump -i eth0 -n -v 'udp port 53' | grep "DNS"
# Specific domain queriestcpdump -i eth0 -n -v 'udp port 53' | grep "example.com"TCP Connection Analysis
Section titled “TCP Connection Analysis”# Capture TCPsudo tcpdump -i eth0 -w tcp.pcap 'tcp'
# Show SYN packets (connection setup)tcpdump -r tcp.pcap -n 'tcp[tcpflags] & tcp-syn != 0 and tcp-ack == 0'
# Show RST packets (connection reset)tcpdump -r tcp.pcap -n 'tcp[tcpflags] & tcp-rst != 0'
# TCP handshaketcpdump -r tcp.pcap -n -c 3 'host 10.0.0.1 and port 80'
# Retransmissionstcpdump -r tcp.pcap -n 'tcp.analysis.retransmission'Security Analysis
Section titled “Security Analysis”# Find potential attacks# SYN flood (many SYNs)tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp-ack == 0'
# Port scanningtcpdump -i eth0 'tcp[13] = 2'
# Cleartext passwordstcpdump -i eth0 port http or port ftp or port smtp -A
# Find ARP spoofingtcpdump -i eth0 arp | grep -v reply
# Large ICMP (potential ping flood)tcpdump -i eth0 'icmp and icmp[0] == 8 and icmp[8:4] > 1000'88.5 Performance Analysis
Section titled “88.5 Performance Analysis”Network Throughput
Section titled “Network Throughput”# Calculate bandwidth from pcaptcpdump -r capture.pcap -nn -c 1000 | awk '{print $10}' | cut -d. -f1 | bc
# Using tsharktshark -r capture.pcap -q -z io,phs
# IO graph datatshark -r capture.pcap -q -z "io,phs,ip"
# Packet size distributiontshark -r capture.pcap -z "packetlen,sum,ip"Latency Analysis
Section titled “Latency Analysis”# Calculate RTT from SYN to SYN-ACKtcpdump -r capture.pcap -nn -c 1000 'tcp[13] & 2 != 0' -tt | awk '{print $1}'
# Using tshark for timingtshark -r capture.pcap -T fields -e frame.time_delta -e ip.src -e ip.dst
# TCP timing analysistshark -r capture.pcap -z "tcp,tree,ack"88.6 Interview Questions
Section titled “88.6 Interview Questions”Basic Questions
Section titled “Basic Questions”-
What is packet capture?
- Intercepting network packets as they pass through a network interface
-
What is the difference between tcpdump and Wireshark?
- tcpdump is CLI-based; Wireshark has GUI (also tshark CLI)
-
What is a BPF filter?
- Berkeley Packet Filter - efficient kernel-level packet filtering
-
What does promiscuous mode mean?
- NIC accepts all packets, not just those addressed to it
-
What is a PCAP file?
- Packet capture file format for storing network traffic
Intermediate Questions
Section titled “Intermediate Questions”-
How do you capture only SYN packets?
tcpdump 'tcp[tcpflags] & tcp-syn != 0'
-
What is the difference between capture and display filters?
- Capture: BPF at kernel level; Display: Wireshark GUI filtering
-
How do you analyze HTTP traffic?
tcpdump -i eth0 'tcp port 80'
-
What is the TCP three-way handshake?
- SYN → SYN-ACK → ACK
-
How do you find retransmissions in tcpdump?
- Use tcp.analysis.retransmission display filter in Wireshark
Advanced Questions
Section titled “Advanced Questions”-
Explain how packet capture works at the OS level
- NIC driver → kernel buffer → BPF filter → userspace
-
What is the difference between port mirroring and tap?
- Port mirroring: switch copies traffic; TAP: hardware device copies
-
How do you capture encrypted traffic?
- Can’t decrypt, but can see metadata (timing, size, destinations)
-
What are some indicators of compromise in packet capture?
- Unusual ports, beaconing, large transfers to unknown IPs
-
How do you handle high-bandwidth captures?
- Ring buffers, sampling, filtering at capture point
Common Mistakes & Anti-Patterns
Section titled “Common Mistakes & Anti-Patterns”1. Capturing Without Filters
Section titled “1. Capturing Without Filters”WRONG:
# Capture everything - massive filestcpdump -i eth0 -w capture.pcap# Disk fills up quicklyCORRECT:
# Use BPF filterstcpdump -i eth0 port 80 -w capture.pcaptcpdump -i eth0 host 192.168.1.1 -w capture.pcaptcpdump -i eth0 tcp and port 443 -w capture.pcapWhy: Unfiltered captures fill disk and are hard to analyze.
2. Not Using Promiscuous Mode
Section titled “2. Not Using Promiscuous Mode”WRONG:
# Notpromisc mode - only sees own traffictcpdump -i eth0CORRECT:
# Enable promiscuous modetcpdump -i eth0 -ptcpdump -i eth0 -p port 80Why: Need promiscuous mode to see all traffic on the network segment.
3. Ignoring Encryption
Section titled “3. Ignoring Encryption”WRONG:
# Trying to see HTTPS contenttcpdump -i eth0 port 443# Only seeing encrypted dataCORRECT:
# For HTTPS, use SSLKEYLOGFILESSLKEYLOGFILE=~/ssl-keys.txt curl https://example.com# Then analyze in Wireshark with keys
# For debugging, use MITM proxy# Or configure server to send plaintextWhy: Encrypted traffic can’t be read without keys.
4. Capturing in Production Without Limits
Section titled “4. Capturing in Production Without Limits”WRONG:
# Production capture without limitstcpdump -i any -w /var/log/capture.pcap# System becomes extremely slowCORRECT:
# Limit capture sizetcpdump -i eth0 -C 100 -W 5 -W /tmp/capture.pcap# 100MB max per file, 5 files max
# Limit by packet counttcpdump -i eth0 -c 1000 -w capture.pcapWhy: Packet capture can overwhelm production systems.
5. Not Using tcpdump vs Wireshark Properly
Section titled “5. Not Using tcpdump vs Wireshark Properly”WRONG:
# Using tcpdump for complex analysistcpdump -r capture.pcap | grep HTTP# Limited capabilitiesCORRECT:
# Use tcpdump for capture, Wireshark for analysistcpdump -i eth0 -w capture.pcap# Transfer to workstation and open in Wiresharkwireshark capture.pcap
# Or use tshark for CLI analysistshark -r capture.pcap -Y "http.request"Why: Each tool has different strengths.
Summary
Section titled “Summary” Quick Reference+------------------------------------------------------------------+| || tcpdump: || +----------------------------------------------------------+ || | sudo tcpdump -i eth0 | Capture | || | sudo tcpdump -i eth0 -w file.pcap | Save to file | || | tcpdump -r file.pcap | Read file | || | tcpdump -n host x.x.x.x | Filter by host | || | tcpdump port 80 | Filter by port | || | tcpdump -c 100 | Capture count | || +----------------------------------------------------------+ || || tshark: || +----------------------------------------------------------+ || | tshark -i eth0 -c 100 | Capture | || | tshark -r file.pcap | Read file | || | tshark -Y "filter" | Display filter | || | tshark -z io,phs | Protocol stats | || +----------------------------------------------------------+ || || BPF Primitives: || +----------------------------------------------------------+ || | host, src, dst, net, port, tcp, udp, icmp | || | and (&&), or (||), not (!) | || +----------------------------------------------------------+ || || Capture Flags: || +----------------------------------------------------------+ || | tcp-syn, tcp-ack, tcp-fin, tcp-rst, tcp-psh | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+