I was going to write a tcpdump tutorial to help myself learn it again. Then I found Daniel Miessler already did it, with wonderful style and formatting. Recommended.
What’s missing from Daniel’s tutorial is how to interpret the output depending on your situation. Kind of hard to write, since there are virtually unlimited network trouble scenarios! One place you might start is Netgate’s list of practical troubleshooting examples. This shows how to troubleshoot port forwarding not working, IPsec tunnels not connecting, and outbound NAT configuration.
I also wanted to know how to diagnose dropped packets in tcpdump. It simply prints a summary of dropped packets at the end. (if you see this, you can try increasing the packet capture buffer size by passing the -B option to tcpdump)
I found there are many reasons for dropped packets, including but not limited to:
- packets can go through hardware filtering, and still end up as not intended for the host (multicast)
- NIC ring buffers can get full and be unable to cope with bursty traffic
- CPUs receiving NIC interrupts can get too busy to process
- Cable/hardware/duplex problems
- NIC driver problems
- MTU problems, jumbo frames, slightly oversized ethernet frames
Finally, Henry Van Styn at Linux Journal has a good guide on tcpdump-fu. He writes:
“How much sense the output makes depends on how well you understand the protocols in question. tcpdump tailors its output to match the protocol(s) of the given packet. … There is no better way to learn how networks and protocols work than from watching their actual packets.“