Introduction
Network traffic analysis lets you see exactly what is happening on the wire — every connection, every packet, every retransmission. When an application is slow, a security alert fires, or a connection drops, packet captures provide the ground truth that logs and metrics cannot.
This guide covers tcpdump and Wireshark with real capture output and explained annotations, a Wireshark display filter reference organized by use case, performance analysis for identifying latency and packet loss, security analysis patterns for threat hunting, and cloud packet capture techniques for AWS and Azure environments.
tcpdump: Capture and Analysis
tcpdump is the standard CLI packet analyzer on Linux. Each command below includes an explanation of what it does and what the output means.
Basic Capture
# Capture all packets on interface eth0 (numeric output, no name resolution)
sudo tcpdump -i eth0 -nn
# -i eth0: capture on eth0 interface
# -nn: don't resolve hostnames or port names (faster, cleaner output)
# Output (annotated):
# 14:23:01.123456 IP 10.0.0.5.54321 > 93.184.216.34.80: Flags [S], seq 1234567890
#   14:23:01.123456     timestamp
#   IP                  protocol
#   10.0.0.5.54321      source IP.port
#   93.184.216.34.80    destination IP.port
#   Flags [S]           TCP flags (S = SYN)
#   seq 1234567890      sequence number
Filtering by Host, Port, and Protocol
# Capture traffic to/from a specific host
sudo tcpdump -i eth0 -nn host 93.184.216.34
# Capture traffic on a specific port (HTTP)
sudo tcpdump -i eth0 -nn port 80
# Capture only TCP traffic
sudo tcpdump -i eth0 -nn tcp
# Capture DNS queries (UDP port 53)
sudo tcpdump -i eth0 -nn udp port 53
# Combine filters: HTTP traffic from one host
sudo tcpdump -i eth0 -nn 'host 93.184.216.34 and tcp port 80'
Saving and Reading Capture Files
# Write to a file (binary pcap format)
sudo tcpdump -i eth0 -nn -w capture.pcap
# Read and analyze later
tcpdump -r capture.pcap -nn
# Read with detailed packet content (-X shows hex + ASCII)
tcpdump -r capture.pcap -nn -X | head -50
# Read with human-readable absolute timestamps (-tttt prints date and time; -ttttt prints the offset from the first packet)
tcpdump -r capture.pcap -tttt
Advanced Filter Expressions
# TCP SYN packets only (connection attempts)
sudo tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
# TCP RST packets (connection resets — often indicate errors)
sudo tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-rst != 0'
# Packets with data payload (exclude pure ACKs): IP total length minus IP header length minus TCP header length != 0
sudo tcpdump -i eth0 -nn 'tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# HTTP GET requests (looking for "GET" in TCP payload)
sudo tcpdump -i eth0 -nn -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
# 0x47455420 = "GET " in hex
Wireshark Display Filters
Wireshark provides a GUI for interactive analysis. Below are the most useful display filters organized by scenario.
Connectivity and Performance
# Show TCP handshake packets (SYN, SYN-ACK)
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Show TCP retransmissions (indicates packet loss)
tcp.analysis.retransmission
# Show duplicate ACKs (also indicates loss)
tcp.analysis.duplicate_ack
# Show zero window advertisements (the receiver's buffer is full and it cannot accept more data)
tcp.analysis.zero_window
# Show packets arriving more than 500 ms after the previous packet in their TCP stream (stalls or high latency)
tcp.time_delta > 0.5
# Show slow connection setup: SYN-ACKs arriving more than 1 s after the preceding packet (the SYN) in the stream
tcp.flags.syn == 1 and tcp.flags.ack == 1 and tcp.time_delta > 1.0
Security Analysis
# Show all HTTP requests
http.request
# Show HTTP POSTs with form data
http.request.method == "POST"
# Show TLS handshake versions
tls.handshake.version
# Show TLS certificates
tls.handshake.certificate
# Show DNS queries
dns.flags.response == 0
# Show ARP requests (possible ARP scanning)
arp.opcode == 1
# Show ICMP destination unreachable
icmp.type == 3
# Show initial SYNs; a scan appears as one source hitting many ports in quick succession
# (confirm under Statistics > Conversations, where one-directional TCP conversations are the unanswered probes)
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.time_relative < 1
Protocol Deep Dives
# Show all HTTP traffic
http
# Show DNS traffic
dns
# Show TLS 1.3 traffic: the record and legacy handshake version fields still say 0x0303, so check the
# supported_versions extension (ServerHello = negotiated 1.3; use type == 1 for ClientHellos that offer it)
tls.handshake.type == 2 and tls.handshake.extensions.supported_version == 0x0304
# Show DHCP traffic
dhcp
# Show ICMP (ping and errors)
icmp or icmpv6
Performance Analysis
Identifying the root cause of poor application performance via packet capture:
Latency Breakdown
# Measure TCP handshake time (SYN → SYN-ACK): -ttt prints the delta from the previous line, and
# restricting the capture to SYN/SYN-ACK packets makes that delta the handshake round trip on a quiet host
sudo tcpdump -i eth0 -nn -ttt 'tcp port 443 and tcp[tcpflags] & tcp-syn != 0' | head -20
# Look at the time delta on each SYN-ACK line
# Normal local: < 1ms
# Normal internet: 10-100ms
# Problematic: > 500ms or packet loss
# Check for retransmissions (indicates packet loss or congestion). tcpdump does no stream analysis,
# so count them with tshark's TCP analysis flags on a saved capture
tshark -r capture.pcap -Y tcp.analysis.retransmission | wc -l
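Reading the delta off a SYN-ACK line only works on a quiet interface; on a busy one the SYN and its SYN-ACK are interleaved with other traffic. The function below (an added example, not from the original guide) pairs each SYN with its SYN-ACK by socket pair in tcpdump's default text output, reports the round trip, flags anything over the 500 ms threshold above, and lists SYNs that never got an answer. The sample lines are constructed, not a real capture.

```shell
# Constructed sample of `tcpdump -nn` output (not a real capture): one fast
# handshake, one slow handshake, and one SYN that never received a SYN-ACK.
sample_capture() {
  cat <<'EOF'
14:23:01.100000 IP 10.0.0.5.54321 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, length 0
14:23:01.135000 IP 93.184.216.34.443 > 10.0.0.5.54321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
14:23:01.135200 IP 10.0.0.5.54321 > 93.184.216.34.443: Flags [.], ack 1, win 502, length 0
14:23:02.000000 IP 10.0.0.5.54322 > 10.0.0.9.443: Flags [S], seq 3000, win 64240, length 0
14:23:02.650000 IP 10.0.0.9.443 > 10.0.0.5.54322: Flags [S.], seq 4000, ack 3001, win 65535, length 0
14:23:03.000000 IP 10.0.0.5.54323 > 10.0.0.7.443: Flags [S], seq 5000, win 64240, length 0
EOF
}

# Pair every SYN with its SYN-ACK by client>server socket pair and print the
# round-trip time; over 500 ms is marked SLOW, unanswered SYNs are listed at
# the end. Field layout of a `tcpdump -nn` line:
#   $1 time  $2 IP  $3 src.port  $4 >  $5 dst.port:  $6 Flags  $7 [S], or [S.],
handshake_rtt() {
  awk '
    function tosec(ts,  p) { split(ts, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    {
      src = $3; dst = $5; sub(/:$/, "", dst)
      if ($7 == "[S],") {
        syn[src ">" dst] = tosec($1)          # client -> server: remember when it was sent
      } else if ($7 == "[S.],") {
        key = dst ">" src                     # reply is server -> client: swap back to the SYN key
        if (key in syn) {
          rtt = tosec($1) - syn[key]
          printf "%s %.3f %s\n", key, rtt, (rtt > 0.5 ? "SLOW" : "ok")
          delete syn[key]
        }
      }
    }
    END { for (k in syn) printf "%s - no-synack\n", k }
  '
}

# Live usage (-l line-buffers tcpdump so awk sees each line as it arrives):
# sudo tcpdump -i eth0 -nn -l "tcp port 443" | handshake_rtt
```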
Throughput Estimation
# Calculate throughput from a capture
# Total bytes / capture duration = throughput in bits per second
CAPTURE_FILE="transfer.pcap"
PACKETS=$(tcpdump -r "$CAPTURE_FILE" -nn -q | wc -l)
echo "Approximate packet count: $PACKETS"
# capinfos (ships with Wireshark) prints total bytes (-d), capture duration in seconds (-u) and average bit rate (-i)
capinfos -d -u -i "$CAPTURE_FILE"
# Or let tshark sum frames and bytes over a single interval covering the whole file
tshark -r "$CAPTURE_FILE" -q -z io,stat,0
Security Threat Hunting
Detecting Port Scans
# Detect SYN scan: many SYN packets to different ports from one source IP
# (-c bounds the capture so the sort stage can finish; the awk strips the source port so counts are per host)
sudo tcpdump -i eth0 -nn -l -c 1000 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' |
awk '{sub(/\.[0-9]+$/, "", $3); print $3}' | sort | uniq -c | sort -rn | head -10
# A single source connecting to many ports in < 1s = scan
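The one-liner above counts SYNs per source, so a busy client retrying one port can outrank a scanner. The function below (an added example, not from the original guide) counts distinct destination ports per source IP within each one-second bucket of tcpdump's text output, which is the "many ports in < 1s" pattern stated above. The sample lines are constructed, not a real capture.

```shell
# Constructed sample of `tcpdump -nn` SYN lines (not a real capture): one host
# probing six ports inside a single second, plus a normal client opening two.
sample_syns() {
  cat <<'EOF'
14:23:05.100000 IP 192.0.2.10.40001 > 10.0.0.5.21: Flags [S], seq 1, win 1024, length 0
14:23:05.100100 IP 192.0.2.10.40002 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
14:23:05.100200 IP 192.0.2.10.40003 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
14:23:05.100300 IP 192.0.2.10.40004 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
14:23:05.100400 IP 192.0.2.10.40005 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
14:23:05.100500 IP 192.0.2.10.40006 > 10.0.0.5.443: Flags [S], seq 1, win 1024, length 0
14:23:05.300000 IP 10.0.0.6.51000 > 10.0.0.5.443: Flags [S], seq 77, win 64240, length 0
14:23:05.400000 IP 10.0.0.6.51001 > 10.0.0.5.80: Flags [S], seq 78, win 64240, length 0
14:23:06.000000 IP 10.0.0.6.51002 > 10.0.0.5.443: Flags [S], seq 79, win 64240, length 0
EOF
}

# Count DISTINCT destination ports per source IP per one-second bucket and
# report buckets at or above the threshold (default 5). Distinct ports, not
# raw SYN count, is what separates a scan from a client retrying one port.
syn_scan_report() {
  awk -v t="${1:-5}" '
    {
      src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, p, "."); dport = p[n]     # last dotted component is the port
      sec = $1; sub(/\.[0-9]+$/, "", sec)      # HH:MM:SS bucket
      k = src " " sec
      if (!((k, dport) in seen)) { seen[k, dport] = 1; ports[k]++ }
    }
    END {
      for (k in ports) if (ports[k] >= t) printf "%s %d distinct ports\n", k, ports[k]
    }
  ' | sort
}

# Live usage (the -c bound lets the sort stage finish):
# sudo tcpdump -i eth0 -nn -l -c 1000 "tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0" | syn_scan_report 5
```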
Detecting Data Exfiltration
# Look for large outbound data transfers on unusual ports
# ('len' tests the whole frame length; add 'and src net <your-internal-cidr>' to keep only traffic leaving your network)
sudo tcpdump -i eth0 -nn -l -c 1000 'tcp and len > 1400 and not port 443 and not port 80' |
awk '{print $3, $5}' | sort | uniq -c | sort -rn | head -10
# Large packets leaving on non-standard ports = potential exfiltration
DNS Tunneling Detection
# Look for DNS queries with unusually long labels (-l line-buffers output so grep sees lines as they arrive)
sudo tcpdump -i eth0 -nn -l 'udp port 53' |
grep -E '[a-zA-Z0-9-]{50,}\.' | head -10
# A single DNS label is at most 63 chars; legitimate ones are almost always under 50
# Long random subdomains = possible DNS tunneling
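The grep above matches any long run of characters anywhere on the line. The function below (an added example, not from the original guide) measures the longest label of each queried name and aggregates the long ones by source IP and registered domain, because a tunnel funnels many such queries to a single domain. The sample lines are constructed, not a real capture.

```shell
# Constructed sample of `tcpdump -nn` DNS query lines (not a real capture):
# two ordinary lookups and three queries carrying 60-character encoded labels.
sample_dns() {
  cat <<'EOF'
14:23:07.000100 IP 10.0.0.5.51000 > 10.0.0.2.53: 11111+ A? www.example.com. (33)
14:23:07.000200 IP 10.0.0.5.51001 > 10.0.0.2.53: 11112+ AAAA? mail.example.com. (34)
14:23:07.100000 IP 10.0.0.8.40000 > 10.0.0.2.53: 22221+ TXT? abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123.t.example.org. (97)
14:23:07.200000 IP 10.0.0.8.40001 > 10.0.0.2.53: 22222+ TXT? 0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef.t.example.org. (97)
14:23:07.300000 IP 10.0.0.8.40002 > 10.0.0.2.53: 22223+ TXT? fedcba9876fedcba9876fedcba9876fedcba9876fedcba9876fedcba9876.t.example.org. (97)
EOF
}

# For each query, find the longest label (a label is at most 63 chars, and
# legitimate ones are rarely over 50). Queries whose longest label exceeds the
# threshold are grouped by source IP and registered domain.
# Output: src domain query-count longest-label
dns_long_labels() {
  awk -v m="${1:-50}" '
    {
      q = ""
      for (i = 6; i <= NF; i++) if ($i ~ /\?$/) { q = $(i + 1); break }   # name follows "A?", "TXT?", ...
      if (q == "") next                                                    # not a query line
      sub(/\.$/, "", q)
      src = $3; sub(/\.[0-9]+$/, "", src)
      n = split(q, lab, "."); longest = 0
      for (j = 1; j <= n; j++) if (length(lab[j]) > longest) longest = length(lab[j])
      if (longest <= m) next
      dom = (n >= 2) ? lab[n - 1] "." lab[n] : q
      key = src " " dom
      cnt[key]++
      if (longest > big[key]) big[key] = longest
    }
    END { for (k in cnt) printf "%s %d %d\n", k, cnt[k], big[k] }
  ' | sort
}

# Live usage: sudo tcpdump -i eth0 -nn -l -c 5000 "udp port 53" | dns_long_labels 50
```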
Cloud Packet Capture
AWS VPC Traffic Mirroring
# Step 1: Create a traffic mirror target (the destination for captured traffic)
aws ec2 create-traffic-mirror-target \
--network-interface-id eni-12345678 \
--description "Packet capture target"
# Step 2: Create a traffic mirror filter
aws ec2 create-traffic-mirror-filter \
--description "Capture all TCP traffic"
# Step 3: Add filter rules (source and destination CIDR blocks are required; add a second rule with --traffic-direction egress to mirror both directions)
aws ec2 create-traffic-mirror-filter-rule \
--traffic-mirror-filter-id tmf-12345678 \
--traffic-direction ingress \
--rule-number 1 \
--rule-action accept \
--source-cidr-block 0.0.0.0/0 \
--destination-cidr-block 0.0.0.0/0 \
--protocol 6 # 6 = TCP
# Step 4: Create the mirror session
aws ec2 create-traffic-mirror-session \
--network-interface-id eni-abcdef01 \
--traffic-mirror-target-id tmt-12345678 \
--traffic-mirror-filter-id tmf-12345678 \
--session-number 1
Azure Network Watcher
# Start a packet capture on an Azure VM
az network watcher packet-capture create \
--resource-group my-rg \
--vm vm-web-server \
--name capture-web-traffic \
--file-path /tmp/capture.cap \
--filters '[{"protocol":"TCP", "remoteIPAddress":"0.0.0.0/0", "remotePort":"80,443"}]'
# Stop the capture, then check its status; the .cap file is retrieved from the file path (or storage account) given at creation
az network watcher packet-capture stop \
--resource-group my-rg \
--name capture-web-traffic
az network watcher packet-capture show-status \
--resource-group my-rg \
--name capture-web-traffic
TShark (CLI Wireshark)
# Analyze a pcap from the command line
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
# TCP conversations (top talkers by packets and bytes); -q suppresses the per-packet output
tshark -r capture.pcap -q -z conv,tcp
# Protocol hierarchy statistics
tshark -r capture.pcap -q -z io,phs
# HTTP request/response breakdown
tshark -r capture.pcap -q -z http,tree
Forensics Workflow
- Capture preservation: Always hash capture files immediately. Use write-protected media for incident response.
sha256sum capture.pcap > capture.pcap.sha256
- Quick triage: Use tshark -r capture.pcap -q -z io,phs to see the protocol breakdown. Look for unexpected protocols or volumes.
- Deep dive: Isolate suspicious sessions. Extract payloads with tshark -r capture.pcap --export-objects http,./objects (one protocol per run, e.g. http, smb, tftp or imf).
- Timeline analysis: Map packet events to system logs for correlation.
# Extract timestamps and key events
tshark -r capture.pcap -Y "tcp.analysis.retransmission" -T fields -e frame.time -e ip.src -e ip.dst
Resources
- tcpdump Manual — Complete command reference
- Wireshark Display Filter Reference — All protocol filters
- Wireshark Network Analysis Guide — Official user guide
- AWS VPC Traffic Mirroring — Cloud capture setup
- Azure Network Watcher Packet Capture
- TShark Command Reference