Production-Grade Capture with tcpdump
For senior engineers, tcpdump is the primary tool for capturing traffic on headless servers. The key is filtering before writing to disk to avoid I/O bottlenecks and massive capture files.
Essential Filters and Syntax
Capture on interface eth0, limit to 100 packets, and write to a file:
Complex Logic with Primitives: Filtering by protocol, port, and flags is crucial. The following captures only TCP SYN packets (connection initiation) and excludes port 22 (SSH) so that the capture does not feed on your own SSH session when you are watching the output remotely:
Host and Network Filtering:
Wireshark Analysis Techniques
Following TCP Streams
Wireshark's "Follow TCP Stream" reassembles the payload from distinct packets into a coherent data stream. This is vital for viewing plaintext HTTP/1.1 exchanges or identifying protocol violation errors in custom TCP protocols.
Analyzing TLS Handshakes
Debugging HTTPS often requires inspecting the Client Hello and Server Hello messages.
- Client Hello: Verify SNI (Server Name Indication) extension to ensure the correct virtual host is requested. Check supported Cipher Suites.
- Server Hello: Confirm the selected Cipher Suite and TLS version. If the server responds with a handshake failure alert instead, it usually denotes a mismatch between what the client offered and what the server supports (cipher suites, TLS version, or the requested SNI name).
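To script the Client Hello checks above (SNI name and offered cipher suites) over many captures instead of clicking through Wireshark, a small parser of the record is enough. The following is an added example and not part of the original article; it assumes the raw TLS record bytes have already been extracted (for instance the first payload of a stream) and constructs its own Client Hello as test input.

```python
import struct

SNI_EXT = 0x0000  # extension type for server_name (RFC 6066)

def build_client_hello(hostname: str, cipher_suites: list[int]) -> bytes:
    """Construct a minimal TLS ClientHello record for testing (not captured traffic)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                  # client_version + random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record: bytes) -> dict:
    """Return version, offered cipher suites and SNI from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                   # 5-byte record header + 4-byte handshake header
    version = record[p:p + 2].hex(); p += 2
    p += 32                                 # client random
    p += 1 + record[p]                      # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                      # compression methods
    sni = None
    if p < len(record):                     # extensions block is optional
        ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == SNI_EXT:
                # skip server_name_list length (2) and name_type (1), read name length (2)
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

if __name__ == "__main__":
    hello = build_client_hello("api.example.com", [0x1301, 0xC02F])
    print(parse_client_hello(hello))
```

A mismatch between the parsed `sni` and the virtual host you expected is the first thing to rule out when the server answers with a handshake failure.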
Decrypting HTTP/2 and TLS
Modern traffic is encrypted. To analyze HTTP/2 frames (HEADERS, DATA, RST_STREAM), you must decrypt the session. This is achieved by exporting the ephemeral session keys from the client (e.g., setting the SSLKEYLOGFILE environment variable for curl or Chrome) and loading the resulting key log file into Wireshark's TLS protocol preferences as the (Pre)-Master-Secret log filename.