Packet Capture Guide

Learn how to capture network traffic across different operating systems

Windows

Using Wireshark

  1. Download and install Wireshark from wireshark.org
  2. Launch Wireshark with administrator privileges
  3. Select a network interface from the list (usually your WiFi or Ethernet adapter)
  4. Click the blue shark fin icon to start capturing packets
  5. Apply a display filter in the filter bar (e.g., "http" for HTTP traffic)
  6. Click the red square icon to stop capturing
  7. Save the capture file using File → Save

Using PowerShell

# Run from an elevated (administrator) PowerShell prompt
netsh trace start capture=yes tracefile=capture.etl
# Wait for the desired capture duration
netsh trace stop
# Output is an ETL trace, not a pcap file; it must be converted before Wireshark can open it

macOS

Using tcpdump

sudo tcpdump -i en0 -w capture.pcap

Common tcpdump options and capture-filter expressions:

  • -i any: Capture on all interfaces (Linux only; on macOS name a real interface such as en0)
  • -n: Don't resolve hostnames
  • -v: Verbose output
  • port 80: Capture traffic on port 80 (HTTP)
  • host example.com: Capture traffic to/from a specific host

Using Wireshark

Wireshark is also available for macOS through:

  1. Homebrew: brew install --cask wireshark
  2. Direct download from wireshark.org

Linux

Using tcpdump

sudo tcpdump -i any -w capture.pcap

Using tshark (CLI Wireshark)

sudo tshark -i any -w capture.pcapng

Installation Commands

Ubuntu/Debian:

sudo apt install tcpdump tshark

RHEL:

sudo dnf install tcpdump wireshark-cli

Arch Linux:

sudo pacman -S tcpdump wireshark-cli
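The three tools above write three different file formats: tcpdump -w writes classic pcap, tshark defaults to pcapng, and netsh trace writes an ETL trace that is not a pcap at all. The following reader is an added example, not part of this guide, that identifies which kind of file you have, parses classic pcap in either byte order (including the nanosecond variant), reports the link type (Linux -i any captures use the "cooked" link types rather than Ethernet), and flags a capture that was cut off mid-record; the sample file it parses is constructed inline.

```python
import struct

# pcap magic numbers as the first four bytes appear on disk; value = (struct byte order, ticks per second)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
_LINKTYPES = {1: "Ethernet", 113: "Linux cooked v1 (-i any)", 276: "Linux cooked v2 (-i any)"}

def classify_capture(data: bytes) -> str:
    """Tell classic pcap (tcpdump -w) from pcapng (tshark's default) and anything else (e.g. .etl)."""
    if data[:4] in _MAGICS:
        return "pcap"
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    return "unknown"

def read_pcap(data: bytes) -> dict:
    """Parse a classic pcap file into a summary; tolerates a capture cut off mid-record."""
    kind = classify_capture(data)
    if kind != "pcap" or len(data) < 24:
        raise ValueError(f"not a readable classic pcap file (detected: {kind}, {len(data)} bytes)")
    endian, ticks = _MAGICS[data[:4]]
    # Rest of the 24-byte global header: major, minor, thiszone, sigfigs, snaplen, linktype.
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off, truncated = [], 24, False
    while off < len(data):
        hdr = data[off:off + 16]            # ts_sec, ts_frac, incl_len, orig_len
        if len(hdr) < 16:
            truncated = True                # file ends inside a record header
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            truncated = True                # record claims more bytes than the file holds
            break
        packets.append((ts_sec + ts_frac / ticks, orig_len, data[off:off + incl_len]))
        off += incl_len
    return {"linktype": _LINKTYPES.get(linktype, f"DLT {linktype}"), "snaplen": snaplen,
            "packets": packets, "truncated": truncated}

def build_sample_pcap(truncate: bool = False) -> bytes:
    """Constructed sample (not a real capture): little-endian pcap with two Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in ((1_700_000_000, b"\x00" * 12 + b"\x08\x00" + b"E" * 46),
                      (1_700_000_001, b"\x00" * 12 + b"\x08\x06" + b"A" * 28)):
        out += struct.pack("<IIII", ts, 500_000, len(frame), len(frame)) + frame
    return out[:-10] if truncate else out   # drop 10 bytes to mimic a capture cut off mid-packet
```

Run read_pcap on the bytes of a file written by tcpdump -w to check it is intact before analysing it; a netsh .etl will be reported as "unknown" and needs conversion with Microsoft's etl2pcapng before Wireshark or this reader can use it.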

Filter Cheatsheet

The expressions below use libpcap capture-filter (BPF) syntax, as accepted by tcpdump, tshark -f, and Wireshark's capture filter field; Wireshark's display filter bar uses a different syntax.

Basic Syntax

Host filters:

host example.com         # Traffic to/from host
src host 192.168.1.100   # Traffic from source
dst host 10.0.0.1        # Traffic to destination

Port filters:

port 80                  # HTTP traffic
port 443                 # HTTPS traffic
src port 53              # DNS responses (source port 53; queries are dst port 53)
dst port 3306            # MySQL traffic

Protocol filters:

tcp                      # TCP traffic only
udp                      # UDP traffic only
icmp                     # ICMP (ping) traffic
arp                      # ARP traffic

Advanced Filters

Combining filters:

tcp and port 80                     # HTTP over TCP
host example.com and not port 443   # Non-HTTPS traffic
src net 192.168.1.0/24 and tcp      # TCP from subnet (the net keyword is required for CIDR masks)

Packet size filters:

greater 1000             # Packets of 1000 bytes or more (len >= 1000)
less 128                 # Packets of 128 bytes or less (len <= 128)

TCP flags:

tcp[tcpflags] & tcp-syn != 0   # SYN packets
tcp[tcpflags] & tcp-rst != 0   # RST packets
tcp[tcpflags] & tcp-fin != 0   # FIN packets

Common Use Cases

HTTP traffic:

port 80 or port 443      # Web traffic
host example.com and port 80   # Web traffic to specific host

Network troubleshooting:

icmp or arp                        # Network discovery traffic
tcp[tcpflags] == tcp-syn           # Connection attempts (SYN only, no other flags set)
not host 192.168.1.1 and not arp   # Everything except one host (e.g. the gateway) and ARP; not precedes host

Application monitoring:

port 3306 or port 6379   # MySQL and Redis traffic
dst port 53              # DNS lookups
port 5432 and host db.example.com   # PostgreSQL to specific host