Packet Capture / Protocol Analysis

tcpdump and wireshark

Do the following

Bring up two shell windows. Position them so you can see both, or most of both, at the same time.

In each of them, become the "root" user, since opening an interface for packet capture requires raw-socket privileges (at the command prompt type "su -", press Enter and supply the root password)

Capture with tcpdump

In the first shell window, run the tcpdump command to capture up to 6 packets on your local loopback interface (-n suppresses name lookups, -t omits timestamps from the printed lines, and -c 6 makes tcpdump exit after six packets):
tcpdump -nt -c 6 -i lo

Then, in the second window, have the machine ping itself 3 times. 127.0.0.1 is the loopback address, so this traffic never leaves the host and is exactly what tcpdump is watching on lo:
ping -c 3 127.0.0.1

Observe the activity in the first window caused by the ping command in the second. Each ping produces two packets on loopback, an ICMP echo request and the matching echo reply, which is why three pings fill the 6-packet budget.

Now repeat the procedure, except this time have the tcpdump command write the raw packets to a file named testfile.cap instead of printing them on the screen (-w writes the capture in pcap format; the -nn and -t options only affect printed output, so they are harmless here). Note that -c 6 counts every packet tcpdump sees, so if anything else is talking over loopback at the same time, unrelated packets can use up the budget; appending the filter expression icmp to the command restricts the capture to the ping traffic:
tcpdump -nnt -c 6 -i lo -w testfile.cap

Playback by tcpdump

The file now holds the 6 packets (three echo requests and three echo replies) that crossed the loopback interface in the course of executing three successful pings. We can play them back onto the screen with tcpdump, where -r reads from the file instead of from a live interface:
tcpdump -n -r testfile.cap

Playback by wireshark

We can also play them back using Wireshark, because tcpdump writes the libpcap (pcap) file format, which Wireshark reads natively. Wireshark will happily read testfile.cap. In Wireshark:

File/Open menu choice
In the left panel, click "filesystem"
Then in the right panel click "root", select "testfile.cap" and press the "Open" button.
Note that you are looking at the same packets you saw in tcpdump, differently presented. Because the capture is already on disk, this step does not need privileges; copying testfile.cap to an unprivileged account and opening it there avoids running Wireshark's protocol dissectors as root.
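To make concrete what "a file format compatible with Wireshark" means, the following is an added example (not part of the lab handout or of tcpdump/Wireshark) that reads a pcap file the way tcpdump -r and Wireshark do: it checks the 24-byte global header (magic number, version, link type), walks the 16-byte packet records, and decodes each Ethernet/IPv4/ICMP frame far enough to pair echo requests with echo replies. It assumes the Linux loopback capture convention of Ethernet framing with all-zero MAC addresses (link type 1), and it constructs its own stand-in for testfile.cap, three 127.0.0.1 ping round trips, so it runs without root or a network.

```python
"""Minimal pcap reader for a testfile.cap-style loopback ping capture (added example)."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution pcap magic
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution pcap magic
LINKTYPE_ETHERNET = 1          # Linux "lo" captures use Ethernet framing with zero MACs (assumption)
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers (0 means 'valid')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(icmp_type: int, ident: int, seq: int, payload: bytes = b"A" * 56) -> bytes:
    """Constructed frame: zero MACs, IPv4 127.0.0.1 -> 127.0.0.1, ICMP echo with valid checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, 64, 1, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp   # dst MAC, src MAC, EtherType IPv4


def build_pcap(frames, link_type=LINKTYPE_ETHERNET) -> bytes:
    """Little-endian pcap: 24-byte global header, then (ts_sec, ts_usec, frame) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, link_type)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def decode_frame(ts_sec: int, ts_frac: int, frame: bytes) -> dict:
    """Describe an Ethernet/IPv4/ICMP frame; anything else is reported, not decoded."""
    rec = {"ts": (ts_sec, ts_frac), "len": len(frame), "proto": "other"}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return rec
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:34]
    rec["bad_ip_csum"] = inet_checksum(frame[14:14 + ihl]) != 0
    rec["src"] = ".".join(str(b) for b in ip[12:16])
    rec["dst"] = ".".join(str(b) for b in ip[16:20])
    icmp = frame[14 + ihl:]
    if ip[9] != 1 or len(icmp) < 8:
        rec["proto"] = "ip-proto-%d" % ip[9]
        return rec
    rec["proto"] = "icmp"
    rec["type"], rec["id"], rec["seq"] = icmp[0], *struct.unpack("!HH", icmp[4:8])
    rec["bad_icmp_csum"] = inet_checksum(icmp) != 0
    return rec


def parse_pcap(data: bytes) -> list:
    """Validate the global header (either byte order), then walk the packet records."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic %s)" % data[:4].hex())
    major, minor, _tz, _sig, _snap, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4) or link_type != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap %d.%d / link type %d" % (major, minor, link_type))
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        records.append(decode_frame(ts_sec, ts_frac, frame))
        off += 16 + incl_len
    return records


def echo_summary(records: list) -> dict:
    """Pair echo requests with replies by (id, seq); 'unanswered' lists lost pings."""
    reqs = {(r["id"], r["seq"]) for r in records if r.get("type") == ICMP_ECHO_REQUEST}
    reps = {(r["id"], r["seq"]) for r in records if r.get("type") == ICMP_ECHO_REPLY}
    return {"packets": len(records), "requests": len(reqs), "replies": len(reps),
            "unanswered": sorted(reqs - reps), "other": sum(r["proto"] != "icmp" for r in records)}


def sample_capture() -> bytes:
    """Constructed stand-in for testfile.cap: three ping round trips on lo (6 packets)."""
    frames = []
    for seq in range(1, 4):   # ping numbers icmp_seq from 1
        frames.append((1700000000 + seq, 100, build_echo_frame(ICMP_ECHO_REQUEST, 0xBEEF, seq)))
        frames.append((1700000000 + seq, 150, build_echo_frame(ICMP_ECHO_REPLY, 0xBEEF, seq)))
    return build_pcap(frames)


if __name__ == "__main__":
    records = parse_pcap(sample_capture())
    for r in records:
        print(r)
    print(echo_summary(records))
```

Pointing parse_pcap at the real testfile.cap (open(..., "rb").read()) gives the same per-packet view as tcpdump -n -r; a capture taken while other loopback traffic was flowing shows up in the "other" count, and a dropped reply appears under "unanswered". Note that pcap records store timestamps regardless of the -t flag, which is why playback can always show them.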