dump and analyze network traffic

Wireshark

GUI application for capturing and dissecting network traffic.

Filter syntax

Full filter reference

Some useful filters:

Tshark

Command-line version of Wireshark, typically installed alongside it. Useful for scripting and for very large capture files that the Wireshark GUI can choke on.

Filter a pcap file by IP address and write the matching packets to a new file (-2 enables two-pass analysis, which the -R read filter requires; tshark reads gzip-compressed captures directly):

tshark -r file.pcap.gz -2 -R 'ip.addr == 1.2.3.4' -w ip-1234.pcap
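
The same idea turned into a small script, added here as an example and not part of the original notes: it builds a display filter from a list of IPs, splits one large capture into per-host pcaps with the two-pass read filter above, and prints a conversation summary for each. The capture path, the IP list and the output names are assumptions; tshark must be on PATH for the split to run.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes: "$1" is a pcap path,
# remaining args are host IPs, and tshark is installed.

# Build a Wireshark display filter matching any of the given IPs, e.g.
# build_ip_filter 1.2.3.4 5.6.7.8 -> ip.addr == 1.2.3.4 || ip.addr == 5.6.7.8
build_ip_filter() {
    filter=""
    for ip in "$@"; do
        if [ -z "$filter" ]; then
            filter="ip.addr == $ip"
        else
            filter="$filter || ip.addr == $ip"
        fi
    done
    printf '%s' "$filter"
}

# Output file name for one host: 1.2.3.4 -> ip-1.2.3.4.pcap (assumed naming)
out_name_for_ip() {
    printf 'ip-%s.pcap' "$1"
}

# Split a large capture into one pcap per host using tshark's two-pass
# read filter (-2 -R), then print IP conversation statistics for each file.
split_pcap_by_host() {
    pcap="$1"; shift
    for ip in "$@"; do
        out=$(out_name_for_ip "$ip")
        tshark -r "$pcap" -2 -R "$(build_ip_filter "$ip")" -w "$out" || return 1
        # -q suppresses per-packet lines; -z conv,ip prints conversation stats
        tshark -r "$out" -q -z conv,ip
    done
}

# Run only when invoked with a capture plus at least one IP and tshark exists.
if [ "$#" -ge 2 ] && command -v tshark >/dev/null 2>&1; then
    split_pcap_by_host "$@"
fi
```

Invoke as: sh split.sh big-capture.pcap.gz 1.2.3.4 5.6.7.8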

Tcpdump

Quick tcpdump command that dumps packets (full snaplen, hex and ASCII output) to verify connectivity:

sudo tcpdump -i eth0 -s0 -X

To filter to/from a specific host, append host 1.2.3.4; for ICMP only, append icmp.