
Using tcpdump and Wireshark: Linux and FreeBSD Network Capture and Analysis Guide

Capture network traffic on a headless Linux or FreeBSD server with tcpdump, save it as a pcap file, and review the results locally in Wireshark.

Published: March 5, 2024
Author: Adam Strohl
Reading time: 3 minutes

Network Capture and Analysis Guide

A common approach when troubleshooting network issues is to use a packet sniffer. On a headless server with no GUI, especially one located in another facility or region, running Wireshark directly on the server is usually not practical.

The practical approach is to create a pcap file with tcpdump, download that file to your workstation, and review it locally in Wireshark.

Capturing Traffic with tcpdump

Connect to the server and open a terminal session. tcpdump usually requires root privileges, so you may need to use sudo on Linux, FreeBSD, or macOS.

To capture packets on a specific interface and write them to a file, use:

sudo tcpdump -n -i [interface] -w [filename].pcap

We recommend using the -n flag to disable DNS lookups. DNS lookups can slow down capture output, make later review harder, and introduce misleading reverse DNS results. This is partly preference, but it is a good default when collecting troubleshooting data.

Replace [interface] with the network interface you want to capture from, for example eth0 on many Linux systems, or whichever active interface the system reports. Use the following command to list available interfaces:

tcpdump -D

Replace [filename] with the name you want to use for the capture file.

Filtering the Capture

You can add filters to capture only specific traffic. This helps keep capture files smaller and reduces noise during later analysis.

To capture only TCP traffic:

sudo tcpdump -n -i [interface] -w [filename].pcap tcp

To filter by a specific port:

sudo tcpdump -n -i [interface] -w [filename].pcap src or dst port 110

To filter by a specific host:

sudo tcpdump -n -i [interface] -w [filename].pcap src or dst host 1.2.3.4

Let tcpdump run long enough to capture the traffic you need. When you are ready to stop the capture, press Ctrl+C.
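The capture steps above, wrapped in a small Python helper. This is an added example, not code from the original post or from A-Team Systems: it parses the interface list that tcpdump -D prints (the listing below is a constructed sample), refuses an interface name that is not in that list, builds the tcpdump argument list without going through a shell so a BPF expression cannot be mangled by quoting, bounds the capture with -c so it cannot run unattended forever, and after the capture restricts the file to its owner and returns its SHA-256 so the copy downloaded to the workstation can be checked. The function names are this example's own; it assumes tcpdump is on PATH and that it is run with the privileges tcpdump needs.

```python
"""Helper around tcpdump for bounded, filtered captures on a headless host.
Added example; not part of the original post. Assumes tcpdump is on PATH
and that the caller already has the privileges tcpdump needs."""
import hashlib
import os
import re
import subprocess

# Constructed sample of `tcpdump -D` output (Linux-style lines). Only the
# leading "N.name" matters; the description and bracketed flags are optional.
SAMPLE_TCPDUMP_D = """\
1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.docker0 [Up, Running, Connected]
"""

_IFACE_LINE = re.compile(r"^\d+\.(\S+)")


def parse_interfaces(listing):
    """Return the interface names from `tcpdump -D` output, in listed order."""
    names = []
    for line in listing.splitlines():
        m = _IFACE_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def list_interfaces():
    """Run `tcpdump -D` on this host and parse the result (needs tcpdump)."""
    out = subprocess.run(["tcpdump", "-D"], check=True,
                         capture_output=True, text=True).stdout
    return parse_interfaces(out)


def build_capture_argv(iface, outfile, bpf=None, count=None, known=None):
    """Build the tcpdump command as an argument list.

    -n disables name resolution (no reverse DNS noise in the capture),
    -c bounds the number of packets so the capture ends on its own, and the
    BPF expression is passed as separate words, which is how tcpdump expects
    it when no shell is involved."""
    if known is not None and iface not in known:
        raise ValueError(f"unknown interface {iface!r}; available: {known}")
    if not outfile.endswith(".pcap"):
        raise ValueError("capture file should use the .pcap extension")
    argv = ["tcpdump", "-n", "-i", iface, "-w", outfile]
    if count is not None:
        argv += ["-c", str(count)]
    if bpf:
        argv += bpf.split()
    return argv


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large captures do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def capture(iface, outfile, bpf=None, count=None):
    """Run a bounded capture on a validated interface, make the pcap
    owner-only (capture files are sensitive), and return its SHA-256."""
    argv = build_capture_argv(iface, outfile, bpf, count, known=list_interfaces())
    subprocess.run(argv, check=True)
    os.chmod(outfile, 0o600)
    return sha256_file(outfile)


if __name__ == "__main__":
    # Dry run against the constructed listing. Real use on the server:
    #   capture("eth0", "pop3.pcap", "src or dst port 110", count=500)
    ifaces = parse_interfaces(SAMPLE_TCPDUMP_D)
    print(" ".join(build_capture_argv("eth0", "pop3.pcap",
                                      "src or dst port 110", 500, known=ifaces)))
```

Compare the returned hash with the one computed on the workstation after download; a mismatch means the file was truncated or altered in transit, which matters when the capture is being kept as evidence.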

Analyzing the pcap File with Wireshark

Open Wireshark on your workstation. If Wireshark is not already installed, download it from the official Wireshark website.

In Wireshark, go to:

File > Open

Select your .pcap file and open it. Wireshark will load the captured packets so you can inspect the session.

A few useful starting points:

  • Use display filters to narrow the packet list. For example, enter http in the filter bar to show HTTP traffic.
  • Select a packet to inspect protocol details, source and destination addresses, and protocol-specific fields.
  • To review a conversation between two endpoints, right-click a packet and choose Follow, then select the appropriate stream type such as TCP Stream or UDP Stream.

Looking for Common Problems

When reviewing a pcap file, you are usually looking for anomalies, failed communication, timing problems, or traffic that does not match expectations.

Common issues to look for include:

  • Retransmissions and duplicate ACKs, which can indicate packet loss or network congestion.
  • Large time gaps between packets, which may indicate network delay or application delay.
  • Excessive ARP requests, which can suggest IP address conflicts, local network problems, or possible ARP spoofing.
  • DNS queries without responses, which may indicate resolver, firewall, routing, or DNS server issues.
  • Unexpected protocols, ports, or destinations, which may indicate misconfiguration or suspicious activity.
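Two of the checks above, unanswered DNS queries and large time gaps, done programmatically so they can be run over a capture before it is opened in Wireshark. This is an added example, not code from the original post: it parses the classic pcap format that tcpdump -w writes (pcapng and nanosecond-timestamp captures are deliberately rejected), walks Ethernet, IPv4, UDP and DNS headers with the standard library only, pairs each query with a response by client address, client port and transaction id, and reports gaps between consecutive packets above a threshold. The sample capture it builds is constructed in memory; the function names are this example's own.

```python
"""Scan a pcap for DNS queries that never got a response and for large
inter-packet gaps. Added example, standard library only. Handles classic
pcap (what tcpdump -w writes) with Ethernet framing; pcapng is not supported."""
import socket
import struct

ETH_IPV4 = 0x0800
IP_UDP = 17


def parse_pcap(blob):
    """Yield (timestamp_seconds, frame_bytes) for each record in a classic pcap."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond classic pcap (pcapng/nanosecond unsupported)")
    linktype = struct.unpack(endian + "HHiIII", blob[4:24])[5]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        yield sec + usec / 1e6, blob[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for IPv4/UDP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_UDP or len(ip) < ihl + 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
            dport, ip[ihl + 8:ihl + ulen])


def dns_question(payload):
    """Return (txid, is_response, first_qname) from a DNS message, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, off = [], 12
    while qdcount and off < len(payload) and payload[off] != 0:
        n = payload[off]
        if n & 0xC0:  # compression pointer; not valid in a question name
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)


def find_unanswered_dns(blob):
    """List (timestamp, client_ip, qname) for queries with no matching response."""
    pending = {}
    for ts, frame in parse_pcap(blob):
        u = udp_payload(frame)
        if u is None or 53 not in (u[1], u[3]):
            continue
        src, sport, dst, dport, payload = u
        q = dns_question(payload)
        if q is None:
            continue
        txid, is_response, qname = q
        if not is_response:
            pending[(src, sport, txid)] = (ts, src, qname)
        else:  # response goes back to the client's address and port
            pending.pop((dst, dport, txid), None)
    return sorted(pending.values())


def find_time_gaps(blob, threshold=1.0):
    """List (gap_seconds, index_of_following_packet) for gaps above threshold."""
    gaps, prev = [], None
    for i, (ts, _) in enumerate(parse_pcap(blob)):
        if prev is not None and ts - prev > threshold:
            gaps.append((round(ts - prev, 6), i))
        prev = ts
    return gaps


def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def _dns(txid, qname, response=False):
    """Constructed minimal DNS message with one A question."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def sample_pcap():
    """Constructed capture: two queries from 10.0.0.5, only the first answered,
    then a 3.48 s silence before an unrelated packet to port 123."""
    records = [
        (100.000, _frame("10.0.0.5", 40001, "10.0.0.1", 53, _dns(0x1111, "example.com"))),
        (100.010, _frame("10.0.0.1", 53, "10.0.0.5", 40001, _dns(0x1111, "example.com", True))),
        (100.020, _frame("10.0.0.5", 40002, "10.0.0.1", 53, _dns(0x2222, "mail.example.com"))),
        (103.500, _frame("10.0.0.5", 40003, "10.0.0.9", 123, b"\x23" + b"\x00" * 47)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    blob = sample_pcap()  # replace with open("capture.pcap", "rb").read()
    for ts, client, name in find_unanswered_dns(blob):
        print(f"unanswered DNS query at {ts:.3f}s from {client}: {name}")
    for gap, idx in find_time_gaps(blob):
        print(f"{gap}s gap before packet #{idx}")
```

Queries sent over TCP, or captures taken on a VLAN-tagged or non-Ethernet link, are not seen by this scanner; it is a first pass to decide where to look in Wireshark, not a replacement for it.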

Security Considerations for pcap Files

Treat pcap files as sensitive data. A capture file can contain a snapshot of traffic from the capture window, including credentials, session tokens, email content, internal hostnames, IP addresses, and other sensitive information.

Use appropriate controls when storing, transferring, and deleting packet captures.

  • Limit access to authorized personnel only.
  • Store pcap files securely, especially if they need to be retained.
  • Use encryption when transferring or storing captures outside a controlled environment.
  • Analyze captures on a trusted workstation.
  • Delete pcap files after analysis unless there is a clear operational, legal, or security reason to retain them.
  • Follow your organization's data retention and disposal policies.

When to Use This Workflow

This tcpdump-to-Wireshark workflow is useful when you need packet-level visibility but cannot run a graphical analyzer directly on the server.

It is especially useful for:

  • Troubleshooting intermittent service failures
  • Reviewing connection attempts between systems
  • Investigating DNS, HTTP, SMTP, or other protocol behavior
  • Confirming whether traffic is reaching a server
  • Comparing expected traffic against actual traffic
  • Collecting evidence for deeper network analysis

A-Team Systems supports Linux and FreeBSD production environments where reliable operations, troubleshooting discipline, and clear infrastructure ownership matter.

For help with production Linux or FreeBSD systems, contact A-Team Systems.
