
Elastic Compute Service:Capture network packets with tcpdump and Wireshark

Last Updated:May 15, 2026

Capture and analyze raw network traffic with tcpdump (Linux) or Wireshark (Windows) to diagnose packet loss, latency, and connectivity issues.

Packet capture process

The following figure shows the packet capture process.

[Figure: packet capture process, steps 1 to 6]

Notes on the preceding process:

  1. Identify issue symptoms

    Use tools such as ping and traceroute to determine whether any of the following issues exist:

      • Packet loss occurs.

      • Network latency is too high.

      • Specific services or ports are inaccessible.

  2. Choose a packet capture tool

    Choose a packet capture tool based on the operating system of the instance:

      • Linux instances: tcpdump, a command-line tool with a rich filter syntax.

      • Windows instances: Wireshark, a graphical packet capture and analysis tool.

  3. Install and configure the packet capture tool

    Install the tool if it is not already present, and decide on the filter conditions before you capture so that the capture contains only the traffic that is relevant to the problem. Unfiltered captures on a busy instance grow quickly and are slow to analyze.

  4. Capture network packets

    Clarify the following before capturing:

      • The network interface to listen on.

      • The target port or ports.

      • The protocol type.

  5. Analyze the captured data

    Analyze the captured data:

      • Check whether the TCP three-way handshake (SYN, SYN-ACK, ACK) completes.

      • Identify retransmitted packets, which indicate loss or congestion on the path.

      • Measure response times, for example the interval between a request and its reply.

      • Troubleshoot error codes, for example ICMP unreachable messages or TCP resets.

  6. Resolve the issue and verify the results

    Fix the identified cause and capture again to confirm that the symptom is gone. If the captured data is insufficient, use other tools for further troubleshooting:

      • Use ping and traceroute to check connectivity, packet loss, and latency.

      • Check route table configurations or network device logs.

Use the tcpdump tool in Linux instances

Most Linux distributions have tcpdump pre-installed. If not, install it with a package manager such as APT or YUM. See Use package management tools to manage software.

Description

tcpdump command:

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ] [ --count ] [ -C file_size ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -F file ] [ -G rotate_seconds ] [ -i interface ]
               [ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
               [ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
               [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
               [ -z postrotate-command ] [ -Z user ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --micro ] [ --nano ]
               [ expression ]

Frequently used parameters:

  • -s snaplen: The number of bytes to capture from each packet (the snapshot length). -s 0 sets the default maximum of 262144 bytes so that packets are not truncated. A smaller value reduces file size but cuts off payloads, which makes application-layer analysis impossible.

  • -w file: Saves captured packets to a file in pcap format instead of printing them to the console. Read the file later with tcpdump -r, or open it in Wireshark.

  • -i interface: The network interface on which to listen. Use -i any to capture on all interfaces.

  • -n / -nn: Do not resolve IP addresses to host names (-n), or addresses and port numbers to names (-nn). This avoids slow reverse DNS lookups during capture and keeps the output numeric.

  • -vvv: Most verbose output. Each additional v adds detail: -v prints the TTL, IP ID, total length and options and verifies IP header checksums; -vv and -vvv add further protocol decoding.

  • expression: The filter expression, in BPF syntax. Primitives include:

      • Type: host, net, port (also portrange).

      • Direction: src, dst, src or dst, src and dst.

      • Protocol: ip, ip6, arp, rarp, icmp, tcp, udp (written in lowercase in the expression).

    Combine primitives with and, or, and not. For example, host 10.0.0.5 and tcp port 443 and not port 22 captures HTTPS traffic to or from one host and excludes SSH.

Note

See the tcpdump man page (man tcpdump) for all parameters and the full filter syntax (man pcap-filter).

Examples

The following examples show common tcpdump commands and their outputs.

  • Capture packets for a specific interface and port

    Capture packets on the eth0 interface for port 22 and print to the console. If you run this from an SSH session on the same port, the printed lines are themselves sent over SSH and generate more packets; exclude your own client with and not host <client-ip>, or write to a file instead:

    tcpdump -s 0 -i eth0 port 22

    During capture, packet data displays in real time. Press Ctrl+C to stop. A summary displays after capture stops.

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:24:59.414951 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
    20:24:59.415002 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
    20:24:59.415052 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
    20:24:59.415103 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164
  • Capture packets with verbose output

    Capture packets on the eth1 interface for port 22 with verbose output:

    tcpdump -s 0 -i eth1 -vvv port 22

    During capture, packet data displays in real time. Press Ctrl+C to stop. A summary displays after capture stops. Two details of the output below are normal: the cksum ... (incorrect -> ...) notes on outgoing packets appear because the NIC performs checksum offload and tcpdump sees the packet before the hardware fills in the checksum; and because -n is not used, tcpdump resolves the local address to the instance host name (iZr1ulp9t4u4a8Z).

    tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    15:45:54.817920 IP (tos 0x10, ttl 64, id 61958, offset 0, flags [DF], proto TCP (6), length 172)
        iZr1ulp9t4u4a8Z.ssh > 123.xxx.xxx.74.2057: Flags [P.], cksum 0x80cd (incorrect -> 0x2ee9), seq 890113592:890113724, ack 2345612678, win 592, length 132
    15:45:54.894215 IP (tos 0x14, ttl 116, id 16850, offset 0, flags [DF], proto TCP (6), length 40)
        123.139.88.74.2057 > iZr1ulp9t4u4a8Z.ssh: Flags [.], cksum 0x1e6a (correct), seq 1, ack 132, win 1021, length 0
    15:45:54.913403 IP (tos 0x10, ttl 64, id 61959, offset 0, flags [DF], proto TCP (6), length 172)
        iZr1ulp9t4u4a8Z.ssh > 123.xxx.xxx.74.2057: Flags [P.], cksum 0x80cd (incorrect -> 0x1105), seq 132:264, ack 1, win 592, length 132
    15:45:54.988025 IP (tos 0x10, ttl 64, id 61960, offset 0, flags [DF], proto TCP (6), length 236)
        iZr1ulp9t4u4a8Z.ssh > 123.xxx.xxx.74.2057: Flags [P.], cksum 0x810d (incorrect -> 0x98d1), seq 264:460, ack 1, win 592, length 196
  • Capture packets of a specific protocol for a specific IP

    Capture ICMP packets on the eth0 interface for a specific destination IP:

    tcpdump -s 0 -i eth0 -vvv dst 123.xxx.xxx.74 and icmp

    During capture, packet data displays in real time. Press Ctrl+C to stop. A summary displays after capture stops.

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    15:43:29.116058 IP (tos 0x14, ttl 64, id 26185, offset 0, flags [none], proto ICMP (1), length 60)
        iZr1ulp9t4u4a8Z > 123.xxx.xxx.74: ICMP echo reply, id 2048, seq 65, length 40
    15:43:30.129600 IP (tos 0x14, ttl 64, id 27043, offset 0, flags [none], proto ICMP (1), length 60)
        iZr1ulp9t4u4a8Z > 123.xxx.xxx.74: ICMP echo reply, id 2048, seq 66, length 40
    15:43:31.141576 IP (tos 0x14, ttl 64, id 27201, offset 0, flags [none], proto ICMP (1), length 60)
        iZr1ulp9t4u4a8Z > 123.xxx.xxx.74: ICMP echo reply, id 2048, seq 67, length 40
    15:43:32.153912 IP (tos 0x14, ttl 64, id 27802, offset 0, flags [none], proto ICMP (1), length 60)
        iZr1ulp9t4u4a8Z > 123.xxx.xxx.74: ICMP echo reply, id 2048, seq 68, length 40
  • Capture packets and save to a file

    Capture packets on all interfaces and save them to a file in pcap format:

    tcpdump -i any -s 0 -w test.cap

    Sample output indicating capture is in progress:

    tcpdump: data link type LINUX_SLL2
    tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

    Press Ctrl+C to stop. A summary displays after capture stops. For longer captures, bound the output so that the disk does not fill up: use -c count to stop after a fixed number of packets, or -C file_size -W filecount to rotate between a fixed number of files, and add a filter expression so that the file contains only the relevant traffic. If the kernel summary reports packets dropped by kernel, increase the buffer with -B buffer_size or narrow the filter.

    ^C97 packets captured
    127 packets received by filter
    0 packets dropped by kernel
  • View a capture file

    View the content of a tcpdump capture file. Add -nn to skip reverse DNS and port-name lookups, and a filter expression to narrow the output; the same file can also be opened in Wireshark:

    tcpdump -r test.cap
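The checks listed under step 5 of the process (handshake, retransmissions, response time) can be scripted over the text that tcpdump prints. The following Python script is an added example and is not part of the original page or of tcpdump itself. It assumes tcpdump's default time-of-day timestamps and numeric output (-nn), so that a capture is analyzed with tcpdump -nn -r test.cap 'tcp port 22' | python3 analyze_capture.py. The sample lines embedded in the script are constructed to mimic that format and are not real captured traffic.

```python
"""Analyze tcpdump -nn text output for TCP handshake, retransmissions and SYN RTT.

Added example, not from the original page or tcpdump. Assumes tcpdump's default
time-of-day timestamps (HH:MM:SS.ffffff) and numeric addresses/ports (-nn).
Usage:  tcpdump -nn -r test.cap 'tcp port 22' | python3 analyze_capture.py
"""
import json
import re
import sys

# One tcpdump TCP line, e.g.
# 20:24:59.100000 IP 42.0.0.107.43414 > 172.16.0.226.22: Flags [S], seq 1000000, win 64240, options [...], length 0
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP6? "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win \d+(?:, options \[[^\]]*\])?, length (?P<length>\d+)"
)

# Constructed sample: SYN, SYN-ACK 4.5 ms later, ACK, then a server segment that
# is sent twice (a retransmission) before the client acknowledges it.
SAMPLE_LINES = [
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes",
    "20:24:59.100000 IP 42.0.0.107.43414 > 172.16.0.226.22: Flags [S], seq 1000000, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "20:24:59.104500 IP 172.16.0.226.22 > 42.0.0.107.43414: Flags [S.], seq 2000000, ack 1000001, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0",
    "20:24:59.109000 IP 42.0.0.107.43414 > 172.16.0.226.22: Flags [.], ack 1, win 502, length 0",
    "20:24:59.120000 IP 172.16.0.226.22 > 42.0.0.107.43414: Flags [P.], seq 1:42, ack 1, win 510, length 41",
    "20:24:59.330000 IP 172.16.0.226.22 > 42.0.0.107.43414: Flags [P.], seq 1:42, ack 1, win 510, length 41",
    "20:24:59.335000 IP 42.0.0.107.43414 > 172.16.0.226.22: Flags [.], ack 42, win 502, length 0",
]


def parse_tcp_line(line):
    """Return a dict for one TCP line, or None for non-TCP or header lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Seconds since midnight; a capture that crosses midnight would need -tt (epoch) timestamps.
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
        "seq": m["seq"],                       # string as printed: "1000000" or "1:42"
        "ack": int(m["ack"]) if m["ack"] else None,
        "length": int(m["length"]),
    }


def analyze(lines):
    """Check handshakes, flag retransmissions and compute SYN->SYN-ACK RTT per connection."""
    conns = {}        # client 4-tuple -> handshake state
    seen = set()      # (4-tuple, seq) already observed; a repeat is a retransmission
    retrans = []
    unparsed = 0
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            unparsed += bool(line.strip())
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if flags == "S":
            st = conns.setdefault(fwd, {"syn_ts": None, "syn_seq": None, "synack_ts": None, "complete": False})
            if st["syn_ts"] is None:
                st["syn_ts"], st["syn_seq"] = p["ts"], int(p["seq"])
        elif flags == "S." and rev in conns:
            st = conns[rev]
            # tcpdump prints absolute sequence numbers for SYN/SYN-ACK, so ack must be ISN+1.
            if st["synack_ts"] is None and p["ack"] == st["syn_seq"] + 1:
                st["synack_ts"] = p["ts"]
        elif "." in flags and "S" not in flags and fwd in conns:
            st = conns[fwd]
            # Third handshake packet: client ACK with relative ack 1.
            if st["synack_ts"] is not None and not st["complete"] and p["ack"] == 1:
                st["complete"] = True
        # A repeated data range (or repeated SYN) in the same direction is a retransmission.
        # Note: relative seq numbers restart per connection; use tcpdump -S if ports are reused.
        if p["seq"] is not None and (p["length"] > 0 or "S" in flags):
            key = (fwd, p["seq"])
            if key in seen:
                retrans.append({"ts": p["ts"], "flow": fwd, "seq": p["seq"], "flags": flags})
            seen.add(key)
    handshakes = []
    for (csrc, csport, ssrc, ssport), st in conns.items():
        rtt = None
        if st["syn_ts"] is not None and st["synack_ts"] is not None:
            rtt = round((st["synack_ts"] - st["syn_ts"]) * 1000, 3)
        handshakes.append({"client": f"{csrc}:{csport}", "server": f"{ssrc}:{ssport}",
                           "complete": st["complete"], "syn_rtt_ms": rtt})
    return {"handshakes": handshakes, "retransmissions": retrans, "unparsed_lines": unparsed}


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    print(json.dumps(analyze(source), indent=2, default=str))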

Use the Wireshark tool in Windows instances

Wireshark provides a graphical interface for capturing and analyzing network packets on Windows instances.

Procedure

  1. Install and start Wireshark.

    Download the installation package from the Wireshark official website and install it.

  2. Choose Capture > Options.

  3. On the Wireshark Capture Options page, select a network interface based on the interface name or IP address, and click Start.

    [Screenshot: Wireshark Capture Options dialog]

  4. After sufficient packets are captured, choose Capture > Stop.

  5. Choose File > Save to save the captured packets.

  6. (Optional) To view a packet capture file, choose File > Open and select the file.

Note

See the Wireshark official website for usage guides and data analysis methods.
