Network Troubleshooting for Beginners: Listening to the Wires

Published on September 17, 2025


Introduction

Imagine: ping works, DNS responds, ports are open, mtr shows no loss, but curl returns errors like connection reset by peer or SSL handshake failed. There’s clearly a problem, but standard tools are powerless.

At such moments, the only option is to look at the actual traffic — in other words, “listen to the wires.” This process is called packet sniffing or packet analysis. In this article, we’ll go through how to use three key tools: tcpdump, sngrep, and Wireshark.


tcpdump — The Ear of Your Server 👂

tcpdump is the de facto standard for capturing packets on Unix systems. It shows “raw” data directly in the console and can write dumps to a file for further analysis in Wireshark.

How to use tcpdump

  1. List interfaces:

    sudo tcpdump -D
    

    This is important if the server has multiple network cards.

  2. Capture traffic for a specific host:

    sudo tcpdump -i eth0 host 8.8.8.8
    
  3. Filter by port and protocol:

    sudo tcpdump -i eth0 tcp port 443
    
  4. Save dump for Wireshark:

    sudo tcpdump -i eth0 -w /tmp/capture.pcap
    
  5. Limit size or duration of capture:

    # Capture only the first 1000 packets
    sudo tcpdump -i eth0 -c 1000
    
    # Create a new file every minute (-G) and save the full packet (-s 0)
    sudo tcpdump -i eth0 -s 0 -w /tmp/capture-%Y-%m-%d_%H:%M:%S.pcap -G 60
    

⚡ Tip: -c and -G help avoid flooding the disk with dumps during long diagnostics.


sngrep — Dialogues in the Terminal 🗣️

sngrep was originally created for VoIP (SIP) but can also display other TCP/UDP sessions. Its main convenience is grouping packets into dialogs.

How to use sngrep

  1. Install:

    sudo apt update && sudo apt install -y sngrep
    
  2. Run with privileges:

    sudo sngrep
    
  3. Navigation:

    • Arrows — select session.
    • Enter — view dialog details.
    • / — search by IP or port number.

  4. Filter SIP calls:

    sudo sngrep port 5060
    

⚡ Useful when you need to quickly debug SIP registration, INVITE, or HTTP sessions without diving into the “raw” tcpdump output.


Wireshark — The Network Microscope 🔬

Wireshark is a GUI packet analyzer and the gold standard for in-depth network investigation.

How to use Wireshark

  1. Open a saved dump:

    wireshark /tmp/capture.pcap
    
  2. Display filters:

    • Only HTTP requests:
      http.request
      
    • Only TLS handshakes:
      tls.handshake
      
  3. Follow TCP Stream — collect packets from a single connection and show the full dialog (handy for HTTP, SMTP, and even binary protocols).

  4. Coloring rules — highlight packets based on conditions (e.g., show TCP-reset in red).

⚡ Important: capture filters (port 443) are set during capture (e.g., in tcpdump), while display filters (tls.handshake) are applied only when analyzing an already captured dump.

⚡ If working over SSH, you can write a tcpdump capture file on the server, then download it and open it in Wireshark.
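The following is an added example, not code from this article or from the tcpdump and Wireshark projects: a minimal pcap writer and reader in Python that mimics tcpdump -w with a snaplen (-s) and then applies the equivalent of three Wireshark features to the saved file: the tls.handshake display filter (a TLS record of content type 0x16), a coloring rule for TCP resets, and Follow TCP Stream grouping by connection. The addresses, ports, timestamps and the shortened ClientHello record are constructed, and checksums are left zero because the parser never verifies them. Writing the same session twice, once with a full snaplen and once cut to 54 bytes, shows why a truncated capture hides the TLS handshake while the packet headers still look complete (tcpdump 4.0 and later default to a 262144-byte snaplen; older releases truncated by default).

```python
"""Added example (not from the article): write a small pcap the way
`tcpdump -w` would, then read it back and apply Wireshark-style checks.
Addresses, ports and payloads below are constructed for the demo."""
import os
import struct
import tempfile
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4            # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TLS_HANDSHAKE_RECORD = 0x16

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero (never verified here)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def write_pcap(path, frames, snaplen=262144):
    """Like `tcpdump -w path -s snaplen`: the stored bytes are cut to snaplen,
    but each record header keeps the original frame length."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in frames:
            data = frame[:snaplen]
            f.write(struct.pack("<IIII", ts, 0, len(data), len(frame)) + data)

def read_pcap(path):
    """Yield (timestamp, original_length, captured_bytes) for every record."""
    with open(path, "rb") as f:
        magic, = struct.unpack("<I", f.read(24)[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts, _, incl_len, orig_len = struct.unpack("<IIII", rec)
            yield ts, orig_len, f.read(incl_len)

def parse_frame(data):
    """Decode Ethernet -> IPv4 -> TCP; return None for anything else."""
    if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None
    t = 14 + (data[14] & 0x0F) * 4                        # start of TCP header
    if len(data) < t + 14:
        return None
    sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", data[t:t + 14])
    return {"src": ".".join(map(str, data[26:30])), "dst": ".".join(map(str, data[30:34])),
            "sport": sport, "dport": dport, "flags": flags,
            "payload": data[t + (off >> 4) * 4:]}

def is_tls_handshake(pkt):
    """What the display filter `tls.handshake` looks for: record type 0x16, version 3.x."""
    p = pkt["payload"]
    return len(p) >= 5 and p[0] == TLS_HANDSHAKE_RECORD and p[1] == 0x03

def is_reset(pkt):
    """A coloring rule for `tcp.flags.reset == 1`."""
    return bool(pkt["flags"] & RST)

def stream_key(pkt):
    """Follow TCP Stream: both directions of one connection share a key."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def summarize(path):
    """Read a capture and apply the three checks above to each packet."""
    s = {"packets": 0, "truncated": 0, "resets": 0, "tls_handshakes": 0,
         "streams": defaultdict(list)}
    for _ts, orig_len, data in read_pcap(path):
        s["packets"] += 1
        s["truncated"] += orig_len > len(data)            # snaplen cut this packet
        pkt = parse_frame(data)
        if pkt is None:
            continue
        s["streams"][stream_key(pkt)].append(pkt)
        s["resets"] += is_reset(pkt)
        s["tls_handshakes"] += is_tls_handshake(pkt)
    return s

def run_demo(snaplen=262144):
    """Constructed session: three-way handshake, a ClientHello, then a server RST."""
    c, srv = "10.0.0.5", "203.0.113.10"
    hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # shortened ClientHello record
    frames = [(1, tcp_frame(c, srv, 51000, 443, SYN)),
              (1, tcp_frame(srv, c, 443, 51000, SYN | ACK)),
              (1, tcp_frame(c, srv, 51000, 443, ACK)),
              (1, tcp_frame(c, srv, 51000, 443, PSH | ACK, hello)),
              (2, tcp_frame(srv, c, 443, 51000, RST | ACK))]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture.pcap")
        write_pcap(path, frames, snaplen)
        return summarize(path)

if __name__ == "__main__":
    for snap in (262144, 54):                             # full frames vs. headers only
        r = run_demo(snap)
        print(f"snaplen={snap}: {r['packets']} packets, {r['truncated']} truncated, "
              f"{r['resets']} resets, {r['tls_handshakes']} TLS handshakes")
```

With the full snaplen the reader sees one stream of five packets, one TLS handshake and one reset, which is exactly the picture Wireshark gives for the "SSL handshake failed" case from the introduction; with snaplen 54 the reset is still visible but the handshake record is gone and the capture reports one truncated packet.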


Tool Comparison

Tool       | Features                          | How to use
-----------|-----------------------------------|--------------------------------------------------------------------
tcpdump    | Fast CLI capture, works anywhere  | On servers without GUI, for quick diagnostics
sngrep     | Groups packets into dialogs       | SIP, HTTP, DNS — when you need to see communication as a conversation
Wireshark  | Deep GUI analysis                 | Local work, complex cases, visualization

Checklist of Common Beginner Mistakes ⚠️

  1. Running tcpdump or sngrep without sudo → interface access will be restricted.
  2. Saving dumps without the -s 0 option → packets are truncated by default (usually 96 bytes).
  3. Mixing up capture filter (tcpdump/BPF) and display filter (Wireshark).
  4. Capturing without limits (-c or -G) → disk gets filled with gigabytes of data.
  5. Opening a pcap file in a text editor instead of Wireshark.
  6. Trusting only headers (flags, handshake) and forgetting to check the payload.
  7. Forgetting that tcpdump resolves IP addresses to DNS names by default, which can slow down analysis (better use -n to disable resolving).

Conclusion

Network traffic analysis is diagnostics at the deepest level. When standard checks don’t provide answers, packet sniffers let you:

  • see what’s really happening “on the wire”;
  • verify correctness of handshakes, timings, and dialogs;
  • find the culprit: server, client, NAT, firewall, or network.

To master these tools, you need practice. Try:

  1. Capturing your own HTTP traffic.
  2. Observing how a DNS query works.
  3. Analyzing a TLS handshake.

Only through practice will you realize how useful it is to “listen to the wires.”

Need help?

Get in touch with me and I'll help solve the problem