Vocabulary flashcards covering key terms related to tcpdump, PCAP, and packet analysis with Wireshark.
tcpdump
A command-line tool that captures network packets (TCP/IP and more) and prints a one-line text summary of each; it can also write the raw captured packets to a file with -w.
PCAP file
Packet Capture file produced by tcpdump when using -w; used for later offline analysis in tools like Wireshark.
-w option
tcpdump option that writes captured packets to a PCAP file rather than printing to the screen.
Wireshark
Graphical packet analyzer that opens PCAP files for detailed inspection and analysis.
IPv4 and IPv6 in tcpdump
In tcpdump output, IPv4 packets are labeled as IP and IPv6 packets as IPv6.
Packet header fields shown
For a TCP packet, each output line includes the timestamp, source IP and port, destination IP and port, protocol, flags, sequence number, acknowledgment number, window size, and payload length.
TCP flags
Control bits in the TCP header (SYN, ACK, FIN, RST, etc.) that manage connection state.
Sequence number and Acknowledgment number
TCP header numbers used for reliable, in-order delivery: the sequence number identifies the first data byte in the segment; the acknowledgment number indicates the next byte the sender expects to receive.
TCP window size
Flow-control value advertised by the receiver that limits how much data the sender may have in flight (sent but not yet acknowledged).
Availability by OS
tcpdump is built-in by default on Linux, Unix, and macOS; on Windows you must install it separately.
Text-based vs graphical analysis
tcpdump runs in the terminal as a text-based tool, whereas Wireshark provides a graphical interface.
Capture-and-analyze workflow
Capture traffic with tcpdump -w to a PCAP file, then open the PCAP in Wireshark (or read it back with tcpdump -r) for analysis.