Network packet monitoring using tcpdump and Wireshark

Sometimes we need to monitor our network traffic closely to find out the misbehavior of the server.
I found a combination of two excellent tools (tcpdump and Wireshark) to meet my requirements.

Tcpdump (http://www.tcpdump.org):

tcpdump is a well-known packet capturing tool used on Unix machines. It is also freely available with most distributions.

How to use the tcpdump commands

tcpdump -i <interface> -s <packet snapshot length> -w <some-file>

1) Capture packets and print them to standard output in the shell.

tcpdump -i eth0 -s 65535

-c : count (number of packets to capture before exiting)
-i : specify the interface to listen on
-s : packet snapshot length, i.e. how many bytes of each packet are kept (def: 65535)

2) Capture packets and write the result into a file (file.cap) using the "-w" option

tcpdump -c 2 -i eth0 -w file.cap

3) Read the captured file, file.cap (-tttt prints a full date and time for each packet)

tcpdump -tttt -r file.cap

4) Capture the packets coming through a specific port

tcpdump -i eth0  -c 100 port 22

5) Capture the packets sent to a specific destination IP (dst matches only the destination address)

tcpdump -i eth0 port 80 and dst 119.168.20.112
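As an added illustration (not code from the original post), the following Python script builds a tiny capture in the same pcap format that "tcpdump -w file.cap" writes and Wireshark opens, reads it back, and applies the two filters used above ("port 22", and "port 80 and dst 119.168.20.112"). The frames, MAC and IP addresses and timestamps are constructed sample data; the script needs no root privileges or network interface, so it can be run anywhere to see what tcpdump -r and Wireshark actually parse.

```python
"""Write and read a pcap file like tcpdump's file.cap (added example, constructed data)."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # microsecond pcap magic, native byte order
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535                # the snapshot length the post passes with -s


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed Ethernet + IPv4 + TCP frame (SYN, no options)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                             ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs
    return eth + ip + tcp


def write_pcap(path, frames):
    """Write the 24-byte global header plus one 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for n, frame in enumerate(frames):
            ts_sec, ts_usec = 1700000000 + n, 0          # constructed timestamps
            f.write(struct.pack("=IIII", ts_sec, ts_usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Return (timestamp, src_ip, dst_ip, src_port, dst_port) for each IPv4/TCP record."""
    records = []
    with open(path, "rb") as f:
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("=IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a native-order Ethernet pcap")
        while True:
            rec_hdr = f.read(16)
            if len(rec_hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("=IIII", rec_hdr)
            frame = f.read(incl_len)
            if frame[12:14] != b"\x08\x00":            # only IPv4 handled here
                continue
            ihl = (frame[14] & 0x0F) * 4               # IP header length in bytes
            if frame[23] != 6:                         # IP protocol field: 6 = TCP
                continue
            src_ip = ".".join(str(b) for b in frame[26:30])
            dst_ip = ".".join(str(b) for b in frame[30:34])
            src_port, dst_port = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
            records.append((ts_sec + ts_usec / 1e6, src_ip, dst_ip, src_port, dst_port))
    return records


def match(rec, port=None, dst_host=None):
    """Mirror the BPF filters in the post: 'port N' matches either end of the
    connection, 'dst N' only the destination address."""
    _ts, _src_ip, dst_ip, sport, dport = rec
    if port is not None and port not in (sport, dport):
        return False
    if dst_host is not None and dst_ip != dst_host:
        return False
    return True


def demo():
    """Write four constructed frames to file.cap, read them back, apply both filters."""
    frames = [
        build_frame("10.0.0.5", "10.0.0.9", 51000, 22),          # SSH request
        build_frame("10.0.0.9", "10.0.0.5", 22, 51000),          # SSH reply
        build_frame("10.0.0.5", "119.168.20.112", 51001, 80),    # HTTP to the post's example host
        build_frame("10.0.0.5", "119.168.20.112", 51002, 443),   # HTTPS: same host, not port 80
    ]
    path = os.path.join(tempfile.mkdtemp(), "file.cap")
    write_pcap(path, frames)
    records = read_pcap(path)
    ssh = [r for r in records if match(r, port=22)]
    http_to_host = [r for r in records if match(r, port=80, dst_host="119.168.20.112")]
    return records, ssh, http_to_host


if __name__ == "__main__":
    all_recs, ssh_recs, http_recs = demo()
    print(len(all_recs), "records;", len(ssh_recs), "match 'port 22';",
          len(http_recs), "match 'port 80 and dst 119.168.20.112'")
```

Note that "port 22" matches both directions of the SSH exchange (two records) while adding "dst" narrows the HTTP filter to a single packet, which is exactly why the dst qualifier matters when you want only traffic headed to one server. The file the script writes can itself be opened with "tcpdump -r" or Wireshark.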

Wireshark (www.wireshark.org):

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.

How to analyze the captured packets using Wireshark

1) Download and install the software on your local machine (Windows or Linux).
2) Copy / download the captured file "file.cap" to your local machine.
3) Open the file in Wireshark.

[screenshots: file.cap opened in the Wireshark packet list and packet detail panes]
Just like the above pictures show, it is a GUI, so you can analyze the packets very easily.