Select Page

Network traffic analysis – tcpdump and wireshark

Sometimes our network service won’t behave as per our requirement and in most of the cases the log do not help us to trace out the issue. Here comes the role of tcpdump and wireshark utility.

tcpdump is a packet sniffer. It captures the packets that fly in and out of the machine. tcpdump understands protocols and host names. First thing you have to remember is that you have to login to the server as root or be a sudoer. It is better to redirect the output to a file for debugging purpose. You can play on the recorded file to filter the packets that you are not interested to see.

Hire Bobcares Linux Server Administrators
Get super reliable servers and delighted customers

See how we do it!


Figure out the IP address that is having maximum access in the server. You can use netstat for this. If you traceout this, then you can start collecting the packets using tcpdump.

tcpdump -A src -s 500 -w file.cap

-A –> is used to print the output in ASCII format
src –> specify the source IP address here
s –> to specify the number of hops
-c –> can also be used to limit the count to a particular value.

The better option is use the destination IP address(our server address).

Now comes the role of “Wireshark”. Wireshark is one of the best open source packet analyzers available today and is a GUI network protocol analyzer. It allows you to see the packet contents into much detail. It will however not warn you, when someone does strange things on your network but will hep you to figure out what really is going on.

After capturing the packets from tcpdump, copy the file to a workstation in which X11 is running, then load the file using Wireshark.

wireshark dumpfile

As this is a GUI interface, you can inspect the packet deeper, by clicking on the packet. The number of options for tcpdump and Wiresark are large. Wireshark can also be used with other network analyzer tools like iptrace.

Now start analyzing the traffic and find the culprit. 🙂

About the Author :

Anju works as Senior Software Engineer in Bobcares. She joined Bobcares back in July 2008. She is well versed in Control Panels and Operating systems used in the Web Hosting industry today. She is highly passionate about Linux. During her free time, she loves watching movies.

Co-authored by Sankar.H

1 Comment

  1. Hi,,

    tcpdump is so vast a tool when it comes to packet capturing..It uses pcap library..You can infact check the payload of protocols which are unencrypted using it.
    Like check http payload content for a particular string,ftp payload..etc

Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.