Packet Capture / Protocol Analysis
tcpdump and wireshark
Do the following
Bring up two shell windows. Position them so you can see both, or most of both, at the same time.
In each of them, become the "root" user (at the command prompt type "su -" then press Enter).
Capture with tcpdump
In the first shell window, run the tcpdump command to capture up to 6 packets
on your local loopback interface:
tcpdump -nt -c 6 -i lo
Then, in the second window, have the machine ping itself 3 times:
ping -c 3 127.0.0.1
Observe the activity in the first window caused by the ping command in the second.
Now repeat the procedure, except this time have the tcpdump command put its
output in a file named testfile.cap instead of on the screen:
tcpdump -nnt -c 6 -i lo -w testfile.cap
Playback by tcpdump
The session results, depicting the 6 packets that traversed the network in
the course of executing three successful pings (each ping is one ICMP echo
request and its echo reply), now sit in the file. We can play them back onto
the screen with tcpdump:
tcpdump -n -r testfile.cap
Playback by wireshark
We can also play them back using Wireshark, because tcpdump stores data in a file format compatible with Wireshark. Wireshark will happily read testfile.cap. In Wireshark:
File/Open menu choice
In the left panel, click "filesystem"
Then in the right panel click "root" then select "testfile.cap"
and press the "Open" button.
Note that you are looking at the same material you saw in tcpdump, only
presented differently.
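As an added illustration, not part of the lab handout, here is a small Python parser for the classic libpcap format that tcpdump -w writes and Wireshark opens. It constructs a stand-in for testfile.cap (three loopback echo request/reply pairs; Linux lo uses Ethernet framing with zeroed MAC addresses, link type 1) and decodes each record much as the tcpdump -r playback lists it. The timestamps and addresses in the sample are constructed, not captured.

```python
import socket
import struct

def icmp_frame(src, dst, icmp_type, seq):
    """Constructed Ethernet/IPv4/ICMP frame as seen on Linux lo (checksums left at 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp   # zeroed MACs, EtherType 0x0800

def build_pcap(frames, linktype=1):
    """Write a classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed stand-in for testfile.cap: three echo request/reply pairs on 127.0.0.1."""
    return build_pcap([(1700000000 + s, icmp_frame("127.0.0.1", "127.0.0.1", t, s))
                       for s in range(1, 4) for t in (8, 0)])

def decode_frame(frame):
    """Return (src, dst, description) for one frame; ICMP echo types are named."""
    if frame[12:14] != b"\x08\x00":
        return (None, None, "non-IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto == 1:                        # ICMP: type byte is first after the IP header
        icmp_type = frame[14 + ihl]
        return (src, dst, "ICMP " + {8: "echo request", 0: "echo reply"}.get(icmp_type, f"type {icmp_type}"))
    return (src, dst, f"IP proto {proto}")

def parse_pcap(data):
    """Parse a classic pcap file (either byte order) into (ts, usec, src, dst, desc) records."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng, or truncated?)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"expected Ethernet framing (linktype 1), got {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        records.append((ts, usec) + decode_frame(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records
```

Pointing parse_pcap at the bytes of a real testfile.cap gives the same six records the tcpdump playback shows; a capture taken on a non-Ethernet interface, or saved by Wireshark as pcapng, is rejected by the two checks at the top of the parser.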