The Serpent

// Cursing the Internet since 1998

Capturing Packets on the CLI

Posted Jan 25, 2021 Cheatsheet

There’s an old saying amongst network engineers: packets don’t lie.

Obtaining a packet capture when troubleshooting a problem will not only help keep your sanity in check, it may also pinpoint the source of the problem, or at least show where to look next.

Many of us rely on Wireshark for this, but there is a whole range of libraries and CLI tools available for troubleshooting when all you have is CLI access.

Packet Capture Libraries

First let’s look at the libraries that allow for packet captures across various platforms…

Library   Developer      Notes
libpcap   tcpdump team   The de facto packet capture API on almost every operating system except Windows; ships with Wireshark on Linux and macOS.
WinPcap   Riverbed       Original port of libpcap to Windows; no longer supported.
Npcap     Nmap team      Modern Windows port of libpcap; ships with Wireshark for Windows.

Today you are either using Npcap on Windows or libpcap everywhere else. Capturing is only half the job, though: you also need something to display or store the packets. The following CLI tools do both, with some common example arguments for each. All of them open raw sockets, so on Linux they need root or a binary carrying CAP_NET_RAW and CAP_NET_ADMIN.

tcpdump

tcpdump was one of the first CLI packet capture tools. When run without any arguments it captures on the lowest-numbered non-loopback interface that is up and prints a one-line summary of each packet’s headers to the console. By default it resolves addresses and ports to names, which is slow and generates DNS traffic of its own; -n turns that off.

Capture all packets on interface eth0 to or from host 192.168.1.1 (the BPF host primitive matches either direction).

tcpdump -i eth0 host 192.168.1.1

Capture all packets on interface eth0 and write the raw packets to a capture file. Nothing is printed to the console; read the file back later with -r, on this machine or in Wireshark.

tcpdump -i eth0 -w /tmp/capture.pcap

tshark

Part of the Wireshark project, tshark works much the same way as tcpdump but uses Wireshark’s dissectors and display filters (-Y) on top of the BPF capture filters, which makes it the better choice for analysing large capture files.

Capture on eth0, keeping only traffic to or from host 192.168.1.1 (a trailing filter expression is treated as a capture filter when capturing live).

tshark -i eth0 host 192.168.1.1

dumpcap

Another Wireshark project tool. dumpcap only captures and writes to a file; it does no dissection, which is exactly why Wireshark and tshark spawn it as their capture helper, and why it is the one binary that should hold the capture privileges (CAP_NET_RAW and CAP_NET_ADMIN on Linux) rather than the full Wireshark stack. Both tools above can write files too, but dumpcap saves you a few CLI arguments.

Capture on eth0 and write the packets to /tmp/capture.pcap. Note that dumpcap writes pcapng by default whatever the file extension; pass -P if you need classic pcap for a tool that cannot read pcapng.

dumpcap -i eth0 -w /tmp/capture.pcap
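The tcpdump -w and dumpcap -w commands above both produce a capture file, and the tcpdump and tshark examples both use the BPF host primitive. The following is an added example, not code from the original page or from the tcpdump or Wireshark projects: a minimal Python writer and reader for the classic pcap format that tcpdump -w writes (dumpcap writes pcapng unless given -P), plus a Python equivalent of `host 192.168.1.1` applied to the file on read-back. The frames, addresses, MACs and function names are all constructed for the example, not captured from a real interface.

```python
"""Added example: write a classic pcap file, read it back, and apply the BPF
`host` primitive in Python. Frames below are constructed, not captured."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
LINKTYPE_ETHERNET = 1          # DLT_EN10MB


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame, snaplen=65535):
    """16-byte record header (incl_len = bytes saved, orig_len = bytes on the wire)."""
    saved = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(frame)) + saved


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def ipv4_frame(src, dst, proto=17, payload=b""):
    """Ethernet II + IPv4 header around an opaque payload (made-up MAC pair)."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + payload


def write_pcap(path, frames, base_ts=1611532800):
    """Write frames one second apart, as a capture started on 2021-01-25 would."""
    with open(path, "wb") as f:
        f.write(pcap_global_header())
        for i, frame in enumerate(frames):
            f.write(pcap_record(base_ts + i, 0, frame))


def read_pcap(path):
    """Yield (seconds, fractional seconds, frame) per record; both byte orders."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("file too short to be a pcap")
        magic_le = struct.unpack("<I", hdr[:4])[0]
        if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = "<"                       # written on a little-endian host
        elif magic_le in (0xD4C3B2A1, 0x4D3CB2A1):
            endian = ">"                       # written on a big-endian host
        else:
            raise ValueError("not classic pcap (pcapng starts 0x0A0D0D0A): %#x" % magic_le)
        nsec = struct.unpack(endian + "I", hdr[:4])[0] == PCAP_MAGIC_NSEC
        linktype = struct.unpack(endian + "I", hdr[20:24])[0]
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("only LINKTYPE_ETHERNET handled here, got %d" % linktype)
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break                          # clean EOF, or header cut mid-write
            ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                break                          # last record truncated (capture killed, disk full)
            yield ts_sec, ts_frac / (1e9 if nsec else 1e6), frame


def host_filter(frame, host):
    """Python equivalent of the BPF primitive `host X`: IPv4 source or destination is X."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                           # not IPv4 over Ethernet II (no VLAN/IPv6 here)
    return host in (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]))


def capture_and_filter(host="192.168.1.1"):
    """Write a three-frame capture, read it back, and return the (src, dst) pairs
    that `tcpdump -nn -r capture.pcap host 192.168.1.1` would also print."""
    frames = [
        ipv4_frame("192.168.1.1", "10.0.0.5", payload=b"ping"),   # matches as source
        ipv4_frame("10.0.0.5", "10.0.0.9", payload=b"noise"),     # no match
        ipv4_frame("10.0.0.9", "192.168.1.1", payload=b"pong"),   # matches as destination
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, frames)
        return [(socket.inet_ntoa(fr[26:30]), socket.inet_ntoa(fr[30:34]))
                for _sec, _frac, fr in read_pcap(path) if host_filter(fr, host)]


if __name__ == "__main__":
    for src, dst in capture_and_filter():
        print("%s > %s" % (src, dst))
```

Two points worth noting from the reader: the magic number tells you both the byte order of the writing host and whether timestamps are microseconds or nanoseconds, and the truncated-record check matters in practice because a capture that was killed or ran out of disk leaves a partial last record that a naive reader would mis-parse rather than stop at.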

Summary

All three programs do effectively the same job, so which one you reach for is largely a matter of taste. You will find tcpdump installed on far more systems than tshark or dumpcap, so it is the one worth knowing well. Whichever you use, remember that a capture file contains whatever crossed the wire, cleartext credentials and session tokens included, so treat it as sensitive and scrub it before sharing.

Written by John Payne