Watching Traffic with tcpdump

This famous command-line packet capture tool is invaluable for troubleshooting thorny network problems.

Virtually all modern variations of Unix ship with the tcpdump utility. Its deceptively simple interface hides a very powerful and complex tool designed to capture data from a network interface, filter it, and print it out so you can get a better grasp of what is really happening on your network. Note that you need to be root to capture packets with tcpdump.

The simplest way to start it is to run it while specifying the network device you would like to listen to:

remote:~# tcpdump -i eth0

If you are logged into a remote machine while doing this, you will see a flood of traffic fly by, even on an unloaded machine. This is because tcpdump is capturing your ssh session traffic and displaying it to your terminal, which generates more traffic, which is again displayed, in an endless loop of wasted bits. This is easily avoided by using a simple filter. For example, you could just ignore all ssh traffic:

remote:~# tcpdump -i eth0 -n 'port ! 22'

Here I also specified the -n switch, which tells tcpdump to skip DNS lookups for every host it encounters. When capturing network data, the name of the game is speed. If your machine is tied up with some other network function (like looking up DNS names), it could miss packets as they fly past, particularly on a busy network. Skipping lookups speeds up capturing, but it means that you will be looking at IP addresses and ...
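The filter above silences every port-22 packet, including ssh logins by other hosts that you might actually want to see. As an added example (not from the book), this POSIX shell snippet builds a narrower filter from the SSH_CONNECTION variable that OpenSSH sets in your login session ("client_ip client_port server_ip server_port"), so only your own session is dropped from the capture; the interface name and sample connection string are assumed values.

```shell
#!/bin/sh
# Build a tcpdump capture filter that excludes only the operator's own ssh
# session, identified from an SSH_CONNECTION-style string
# ("client_ip client_port server_ip server_port"), so that ssh traffic
# from other hosts still shows up in the capture.
session_filter() {
    # $1: SSH_CONNECTION-style string; split it into its four fields
    set -- $1
    client_ip=$1; client_port=$2; server_ip=$3; server_port=$4
    # Refuse to build a filter from a malformed string
    [ -n "$server_port" ] || return 1
    # Both hosts and both ports must match, so this covers either direction
    printf 'not (host %s and host %s and port %s and port %s)\n' \
        "$client_ip" "$server_ip" "$client_port" "$server_port"
}

capture_cmd() {
    # $1: interface to listen on, $2: SSH_CONNECTION-style string
    filter=$(session_filter "$2") || return 1
    # -n skips DNS lookups, as discussed above
    printf "tcpdump -i %s -n '%s'\n" "$1" "$filter"
}

# Constructed sample session (assumed values), printed for the reader
capture_cmd eth0 "192.0.2.10 51234 198.51.100.5 22"
```

In a real session you would call `capture_cmd eth0 "$SSH_CONNECTION"` as root and run the printed command.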
