Using tcpdump, Wireshark, and Understanding Encapsulation

Alex, 10 June 2025 (29 April 2025)

Packet analysis starts with a simple question: what is really happening on the wire? Tools like tcpdump and Wireshark don’t just observe—they dissect, reveal, and expose. But their value grows when paired with an understanding of how data wraps itself in layers through encapsulation.

tcpdump: Command-Line Precision

tcpdump is fast, scriptable, and brutally efficient. It operates at the command line and strips away distractions.

Basic Commands Worth Memorizing

- tcpdump -i eth0: Captures traffic on interface eth0.
- tcpdump -nn: Disables hostname and port-name resolution so that raw IPs and port numbers are shown.
- tcpdump port 80: Filters traffic on port 80 (typically HTTP).
- tcpdump -w capture.pcap: Saves the capture to a PCAP file for later analysis.

Use tcpdump when:

- Working on remote servers over SSH.
- Automating packet captures in scripts.
- Capturing in minimal environments without GUIs.

Practical Use Cases

- Verifying that DNS traffic is reaching its destination.
- Checking TCP handshake behavior.
- Isolating traffic from a specific host or subnet.
- Measuring packet size and frequency during stress testing.

tcpdump lets you slice traffic in real time. But it doesn’t offer rich context or visualization. That’s where Wireshark steps in.

Wireshark: Full-Spectrum Packet Inspection

Wireshark turns network packets into readable stories. It colors, groups, and annotates every byte.

Features That Matter

- Deep inspection across protocols (over 2,000 supported).
- Reassembly of TCP streams.
- Graphical analysis: flow graphs, IO graphs, and time-sequence graphs.
- Precise filtering with display filters (e.g., http.request.method == "GET").

Use Wireshark when:

- Investigating latency spikes or retransmissions.
- Decoding application-layer protocols.
- Teaching protocol structure visually.
- Reviewing encrypted vs. plain-text transmission behavior.

Filter Tips That Save Time

- ip.addr == 192.168.0.1: Shows packets to or from a specific IP.
- tcp.analysis.retransmission: Catches TCP retransmissions.
- tls: Isolates encrypted TLS traffic for handshake analysis.
- dns: Breaks down DNS requests and responses.

Wireshark captures packets too, but its real strength is decoding and context. Use it for review—not just capture.

Understanding Encapsulation

Encapsulation wraps data like Russian nesting dolls. Each layer adds headers, modifies content, and shapes transmission. An HTTP GET request doesn’t ride the wire alone. It’s wrapped in TCP, then IP, then Ethernet.

OSI vs. TCP/IP Stack Breakdown

Layer  Protocol Examples  Function
7      HTTP, FTP          Application-specific logic
6      TLS, SSL           Encryption and compression
5      TCP, UDP           Segmentation and reliability
4      IP, ICMP           Logical addressing, routing
3      Ethernet, Wi-Fi    Physical addressing, MAC delivery
2/1    Bits & Medium      Transmission on copper, fiber, air

Each header provides instructions to the next stop. The router reads the IP header. The switch reads the Ethernet header. The application parses the payload. Remove a header too early, and the packet is lost in transit.

Packet Dissection Example

A basic HTTP request appears like this in Wireshark:

Ethernet Header
  Source MAC: 00:0c:29:…
  Destination MAC: ff:ff:ff:ff:ff:ff
IP Header
  Source IP: 10.0.0.5
  Destination IP: 93.184.216.34
TCP Header
  Source Port: 49500
  Destination Port: 80
HTTP Payload
  GET /index.html HTTP/1.1

Each section carries its purpose. Together, they move data from one machine to another in a structured form.

Putting It All Together

Use tcpdump to extract. Use Wireshark to visualize. Use encapsulation knowledge to interpret.

- A failed request? Check whether the TCP handshake completed.
- A DNS timeout? Verify whether the query reached the resolver.
- A TLS handshake failure? Inspect the certificate chain and protocol version.

Understanding the mechanics behind the traffic flow makes packet inspection more than a technical routine—it turns it into insight-driven diagnostics.
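The dissection example above, carried out by hand in code: an added example that is not part of the original post. It builds a constructed Ethernet/IPv4/TCP/HTTP frame (the source MAC is completed with made-up bytes, since the post truncates it) and then peels one header per layer, the way a switch, a router and an application each read only their own layer; it also extracts the SYN/ACK flags you would check when asking whether a handshake completed.

```python
import struct

def build_frame():
    """Constructed sample frame (not a real capture): Ethernet / IPv4 / TCP / HTTP GET."""
    payload = b"GET /index.html HTTP/1.1\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49500, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto 6 = TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    # Ethernet: broadcast dst, constructed src (00:0c:29:aa:bb:cc), EtherType 0x0800 = IPv4
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("000c29aabbcc") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dissect(frame):
    """Strip one header per layer and return the fields each hop would read."""
    out = {}
    # Layer 2: the switch only needs the Ethernet header
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"dst": mac(dst), "src": mac(src), "type": ethertype}
    if ethertype != 0x0800:
        return out  # not IPv4: nothing further to decode here
    # Layer 3: the router only needs the IP header; IHL gives the real header length
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
                 "proto": proto, "ttl": ttl}
    if proto != 6:
        return out  # not TCP
    # Layer 4: TCP header; the data offset field tells where the payload starts
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack_num": ack,
                  "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    # Layer 7: the application parses what is left
    payload = tcp[doff:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        out["http"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return out

if __name__ == "__main__":
    for layer, fields in dissect(build_frame()).items():
        print(layer, fields)
```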