Drill: Read and Analyze Saved pcap Files
Goal
Use tcpdump to read saved pcap files and apply BPF filter expressions (tcpdump has no separate display-filter language; the same expression syntax used for live capture filters packets when reading from a file) to analyze previously captured traffic.
Setup
- Linux system with tcpdump installed
- A pcap file to analyze (or create one with a test capture)
Commands
Create a test capture first:
# Live capture needs root (or CAP_NET_RAW). If your build drops privileges after
# opening the interface (-Z, the Debian/Ubuntu default), write to a directory the
# unprivileged tcpdump user can create files in, such as /tmp.
# "-i any" records the Linux cooked (SLL) link type rather than Ethernet; recent
# tcpdump/libpcap versions then print an interface and direction column first.
# $! is used instead of the job-control name %1 so this also works in a script.
tcpdump -i any -w /tmp/test.pcap -c 100 2>/dev/null &
CAP_PID=$!
curl -s https://example.com > /dev/null 2>&1
sleep 2; kill "$CAP_PID" 2>/dev/null; wait "$CAP_PID" 2>/dev/null
Read a pcap file:
Read with no DNS resolution:
Filter while reading:
Show only SYN and SYN-ACK (connection attempts):
Show only RST packets (connection resets):
Show packet payload in ASCII:
Count packets per source IP:
# Locate the source address by finding the ">" separator instead of assuming it
# is field 3: captures taken on "-i any" may print an interface and direction
# column before "IP". cut keeps the four IPv4 octets and drops the trailing
# port (IPv6 addresses would need different handling).
tcpdump -nn -r /tmp/test.pcap 2>/dev/null \
  | awk '{ for (i = 2; i < NF; i++) if ($i == ">") print $(i-1) }' \
  | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
Extract specific conversation:
Write filtered results to new pcap:
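The command steps above are listed without their invocations. The following script is added here as an example, not code from the drill page or from tcpdump itself. It supplies one invocation per step and makes them runnable offline: it first writes a constructed four-packet pcap (a SYN, its SYN-ACK, a client RST, and a second SYN from another host that is never answered, so both flag patterns listed under What to Look For appear), then wraps each tcpdump command in a function. It assumes tcpdump is on PATH; /tmp/drill.pcap and the other paths are hypothetical. The filter expressions use libpcap's symbolic TCP flag names (tcp-syn, tcp-rst) on the tcp[tcpflags] byte.

```sh
#!/bin/sh
# Added example, not code from the drill page: builds a small constructed pcap so
# every command step can be run without root or a live capture, then wraps each
# tcpdump invocation in a function. Constructed traffic, four Ethernet/IPv4/TCP
# frames with IP and TCP checksums precomputed:
#   10.0.0.1:40000 > 10.0.0.2:80     SYN
#   10.0.0.2:80    > 10.0.0.1:40000  SYN-ACK
#   10.0.0.1:40000 > 10.0.0.2:80     RST   (client aborts the handshake)
#   10.0.0.3:40001 > 10.0.0.2:80     SYN   (never answered)
# Assumptions: tcpdump is on PATH; /tmp/drill.pcap is a hypothetical path.

# Emit the raw bytes of a hex string (no spaces) using POSIX printf only: each
# byte becomes a three-digit octal escape, so a NUL byte is written as \000.
hex2bin() {
  hex=$1
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}            # first two hex digits
    hex=${hex#??}
    printf "\\$(printf '%03o' "0x$byte")"
  done
}

# Classic pcap: global header (little-endian magic a1b2c3d4, version 2.4,
# snaplen 65535, linktype 1 = Ethernet), then per frame a record header of
# ts_sec, ts_usec, incl_len, orig_len (54 = 0x36 bytes) and the frame bytes.
write_test_pcap() {
  {
    hex2bin d4c3b2a1020004000000000000000000ffff000001000000
    # 1: t=0       SYN      10.0.0.1:40000 > 10.0.0.2:80, seq 1, flags 0x02
    hex2bin 00f15365000000003600000036000000
    hex2bin 00112233445566778899aabb0800
    hex2bin 4500002800014000400626cd0a0000010a000002
    hex2bin 9c40005000000001000000005002ffffff4e0000
    # 2: t=+500us  SYN-ACK  10.0.0.2:80 > 10.0.0.1:40000, seq 4096, ack 2, 0x12
    hex2bin 00f15365f40100003600000036000000
    hex2bin 66778899aabb0011223344550800
    hex2bin 4500002800024000400626cc0a0000020a000001
    hex2bin 00509c4000001000000000025012ffffef3d0000
    # 3: t=+1ms    RST      10.0.0.1:40000 > 10.0.0.2:80, seq 2, flags 0x04
    hex2bin 00f15365e80300003600000036000000
    hex2bin 00112233445566778899aabb0800
    hex2bin 4500002800034000400626cb0a0000010a000002
    hex2bin 9c40005000000002000000005004ffffff4b0000
    # 4: t=+1s     SYN      10.0.0.3:40001 > 10.0.0.2:80, seq 1, never answered
    hex2bin 01f15365000000003600000036000000
    hex2bin 001122334455ccddeeff00110800
    hex2bin 4500002800044000400626c80a0000030a000002
    hex2bin 9c41005000000001000000005002ffffff4b0000
  } > "$1"
}

# Read a pcap file; -nn then suppresses reverse DNS and port-name lookups.
read_pcap()    { tcpdump -r "$1"; }
read_pcap_nn() { tcpdump -nn -r "$1"; }

# Filter while reading: the expression after the file is ordinary BPF, exactly
# as for a live capture. Extra arguments are joined into the expression.
filter_pcap()   { f=$1; shift; tcpdump -nn -r "$f" "$@"; }
count_packets() { filter_pcap "$@" 2>/dev/null | wc -l; }

# Connection attempts (SYN bit set, so SYN and SYN-ACK) and connection resets.
syn_packets() { filter_pcap "$1" 'tcp[tcpflags] & tcp-syn != 0'; }
rst_packets() { filter_pcap "$1" 'tcp[tcpflags] & tcp-rst != 0'; }

# Payload as ASCII (-A; -X gives hex plus ASCII) and inter-packet deltas (-ttt).
ascii_payload() { tcpdump -nn -A -r "$1"; }
with_deltas()   { tcpdump -nn -ttt -r "$1"; }

# Packets per source IPv4 address. The source is the field before ">" rather
# than a fixed $3, because "-i any" captures print an interface column first;
# cut keeps the four octets and drops the port (IPv6 would need other handling).
top_sources() {
  tcpdump -nn -r "$1" 2>/dev/null \
    | awk '{ for (i = 2; i < NF; i++) if ($i == ">") print $(i-1) }' \
    | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
}

# One conversation: both endpoints plus the service port.
conversation() { filter_pcap "$1" "host $2 and host $3 and tcp port $4"; }

# Write a filtered subset to a new pcap for focused analysis of large files.
write_subset() { f=$1; out=$2; shift 2; tcpdump -r "$f" -w "$out" "$@" 2>/dev/null; }

run_drill() {
  pcap=$1
  write_test_pcap "$pcap"
  echo '== all packets, no name resolution =='; read_pcap_nn "$pcap"
  echo '== SYN / SYN-ACK (10.0.0.3 gets no SYN-ACK) =='; syn_packets "$pcap"
  echo '== RST =='; rst_packets "$pcap"
  echo '== inter-packet deltas =='; with_deltas "$pcap"
  echo '== packets per source =='; top_sources "$pcap"
  echo '== 10.0.0.1 <-> 10.0.0.2 port 80 =='; conversation "$pcap" 10.0.0.1 10.0.0.2 80
  write_subset "$pcap" "${pcap%.pcap}-syn.pcap" 'tcp[tcpflags] & tcp-syn != 0'
  echo "== SYN subset: $(count_packets "${pcap%.pcap}-syn.pcap") packets written =="
}

# Only runs the demonstration when invoked as: sh drill.sh run [/tmp/drill.pcap]
if [ "${1:-}" = run ]; then run_drill "${2:-/tmp/drill.pcap}"; fi
```

Run it as `sh drill.sh run /tmp/drill.pcap` to see each step's output. Note that `tcp[tcpflags] & tcp-syn != 0` matches both SYN and SYN-ACK because both carry the SYN bit; append `and tcp[tcpflags] & tcp-ack == 0` to keep only initial SYNs, which is the quickest way to list attempts that were never answered when paired with the SYN-ACK count for the same host.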
What to Look For
- TCP flag patterns: SYN without SYN-ACK means connection never established
- RST packets after established connections suggest abrupt termination
- Retransmissions (the same sequence number and length sent again) indicate packet loss or a peer that has stopped acknowledging
- Time gaps between packets reveal latency issues; -ttt prints each packet's delta from the previous one instead of an absolute timestamp
Common Mistakes
- Forgetting -nn and waiting for DNS resolution on every packet in the file
- Expecting a separate display-filter syntax when reading (tcpdump takes the same BPF expression with -r as for a live capture)
- Not creating filtered subsets of large pcap files for focused analysis
- Confusing display output ordering with actual packet timing