
Mastering Network Packet Capture

Packet capture is the ultimate source of truth in network troubleshooting. Whether you're debugging connectivity issues or investigating a security incident, knowing how to capture and analyze packets across Linux tcpdump, Palo Alto PAN-OS, FortiGate and Cisco ASA is the L2 superpower.

👤 Rachit · 📅 Feb 15, 2026 · ⏱ 10 min read · 🏷 Network Security

⚡ Quick Answer

Complete guide to network packet capture using tcpdump on Linux, Palo Alto PAN-OS debug commands, FortiGate sniffer, and Cisco ASA capture. Practical examples


🚀Key Takeaways

In this guide, you'll learn how to use tcpdump, filter traffic effectively, and perform captures on enterprise firewalls like Palo Alto, FortiGate, and Cisco ASA.

[Figure: PAN-OS dataplane four-stage capture flow. A packet enters at the receive stage (ingress interface), passes the firewall stage (post-policy, pre-egress), then either leaves at the transmit stage (egress interface, out the wire to 8.8.8.8) or goes to the drop stage if the dataplane discards it (policy denies / no route).]

Capture all four stages — receive, firewall, transmit, drop — and compare them. A packet that shows in receive but not in transmit, and turns up in drop, tells you exactly where it died.

Step 1: Setting Up Packet Capture

Before you can analyze traffic, you need to set up your listening interface. Think of this as choosing which "phone line" to tap. You can list available interfaces using tcpdump.

List Interfaces
student@lab:~$ sudo tcpdump -D
1. eth0 [Up, Running]
2. wlan0 [Up, Running]
3. lo [Up, Running, Loopback]
4. any (Pseudo-device that captures on all interfaces)

Step 2: Starting a Basic Capture

Once you know your interface (e.g., wlan0 for WiFi), you can start listening. It's best to limit the count (-c) initially so you don't get flooded with data.

Basic Capture
student@lab:~$ sudo tcpdump -i wlan0 -c 5

Each line of output represents a single packet, showing the timestamp, source IP, destination IP, and protocol flags.

Quick check · Limiting a capture

Why is it best practice to add -c 5 (or another small count) when you start a basic tcpdump on a busy interface?

Correct: b. -c caps the number of packets so the capture stops itself instead of flooding you with output — the same self-limiting idea as the count field on a FortiGate sniffer.

Step 3: Mastering Filters

Detailed analysis requires filtering out the noise. You can filter by port, host, or protocol. This is crucial in high-traffic production environments.

Filter by Port (HTTP Traffic)

To see only web traffic, filter for port 80:

student@lab:~$ sudo tcpdump -i wlan0 -c 10 port 80

Filter by Host

To investigate a specific server, use the host filter:

student@lab:~$ sudo tcpdump -i wlan0 host google.com
[Figure: anatomy of a production tcpdump command, sudo tcpdump -nn -i eth0 -w /tmp/cap.pcap host 10.1.1.5 and port 443, with each part labelled: tcpdump is the capture tool; -nn disables name/port lookups; -i eth0 is the interface to sniff; -w /tmp/cap.pcap writes raw frames for Wireshark; host ... and port 443 is the BPF filter, which scopes the capture FIRST.]

The two flags every L3 engineer types reflexively: -nn (skip both name and port resolution) and -w (write raw frames to a file). The host ... and port BPF filter scopes the capture before it runs — the golden rule on any busy interface.
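As an added example (not from the original post and not part of tcpdump itself), here is a small Python linter that splits a tcpdump command line the way tcpdump does, options first and everything from the first non-option word onward as the BPF expression, and then flags the mistakes this section warns about: no filter, no count limit, missing -nn, and options placed after the expression, where tcpdump hands them to the BPF compiler and fails with a syntax error instead of applying them. The option-takes-argument table and the wording of the findings are the example's own assumptions.

```python
"""Lint a tcpdump command line before running it on a busy interface.
Added example: the argument table and messages are this example's own."""
import shlex

# tcpdump options that consume the next word (per the tcpdump man page).
OPTS_WITH_ARG = set("BcCEFGijmrsTVwWyzZ")


def split_tcpdump(cmdline):
    """Return (options, expression_tokens) for a tcpdump command line.

    tcpdump stops option parsing at the first word that does not start
    with '-'; every word from there on is the BPF filter expression.
    Bundled single-letter flags such as -nn or -nni eth0 are unpacked.
    Options that never take an argument are counted (so -nn gives n=2).
    """
    argv = shlex.split(cmdline)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or argv[0] != "tcpdump":
        raise ValueError("not a tcpdump command line")
    opts = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":                # explicit end of options
            i += 1
            break
        if not tok.startswith("-") or tok == "-":
            break                      # first word of the expression
        flags = tok[1:]
        for pos, ch in enumerate(flags):
            if ch in OPTS_WITH_ARG:
                attached = flags[pos + 1:]   # "-c5" / "-ieth0" style
                if attached:
                    opts[ch] = attached
                else:
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"-{ch} needs an argument")
                    opts[ch] = argv[i]
                break
            opts[ch] = opts.get(ch, 0) + 1
        i += 1
    return opts, argv[i:]


def lint_tcpdump(cmdline):
    """Return a list of findings; an empty list means the command follows
    the filter-first, count-limited, no-resolution rules."""
    opts, expr = split_tcpdump(cmdline)
    findings = []
    if not expr:
        findings.append("no BPF filter: the capture is unscoped, add host/port terms")
    # Words after the expression has started are fed to the BPF compiler,
    # so "port 80 -c 10" is a syntax error rather than a count limit.
    stray = [t for t in expr if t.startswith("-") and len(t) > 1]
    if stray:
        findings.append(f"options {stray} sit after the filter expression; move them before it")
    if "c" not in opts:
        findings.append("no -c count: the capture will not stop on its own")
    if opts.get("n", 0) < 2:
        findings.append("missing -nn: name and port lookups slow the capture and add DNS noise")
    return findings


if __name__ == "__main__":
    for cmd in ("sudo tcpdump -nn -i eth0 -c 100 -w /tmp/cap.pcap host 10.1.1.5 and port 443",
                "sudo tcpdump -i wlan0 port 80 -c 10"):
        print(cmd, "->", lint_tcpdump(cmd) or ["ok"])
```

The split is the part worth remembering: tcpdump does not look for options once the expression has begun, so a count or interface flag typed after host/port terms is not an option at all.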

Quick check · The -nn flag

A colleague's capture is slow and keeps showing service names like https instead of 443. Which flag fixes both at once?

Correct: c. -nn turns off both name resolutions: -n skips DNS lookups, the second n skips port-to-service lookups. No DNS round-trips means a faster capture and raw numbers you can match against firewall rules.

Step 4: Interpreting TCP Flags

Understanding the TCP handshake is vital. Here are the common flags you'll encounter:

[Figure: the TCP three-way handshake as it appears in a capture. Client sends [S] SYN ("I want to connect"), server replies [S.] SYN-ACK ("Accepted"), client sends [.] ACK ("Established"); a healthy close uses [F.] FIN-ACK. A lone [R] RST after the SYN, instead of a SYN-ACK, is the tell-tale of a closed port or a firewall deny.]

A healthy session is [S][S.][.], and closes with [F.] FIN-ACK. If the only reply to a [S] is a lone [R], the port is closed or a firewall denied the session.

Quick check · Reading the handshake

In a capture you see a client [S] go out, but the only reply is a single [R] from the server. What does that most likely mean?

Correct: c. A healthy handshake would answer the SYN with a SYN-ACK [S.]. A lone [R] (RST) straight after the [S] usually means the destination port is closed, or a firewall denied the session.

🔑 Key terms

-nn: Skips both name resolutions, IP-to-hostname and port-to-service. Faster captures, no DNS round-trips polluting output, raw numbers you can match to firewall rules.

-w / pcap: -w /tmp/cap.pcap writes raw frames (not the printed summary) to a file. Capture where the traffic is, then open the .pcap in Wireshark where you have a screen.

packet-diag: PAN-OS dataplane capture. Set a filter first, then capture the four stages (receive, transmit, drop, firewall) to pinpoint exactly where a packet died. Files land in /opt/pancfg/mgmt/pcaps/.

verbosity 6: The FortiGate sniffer's level: 1 = headers only, 4 = headers + interface, 6 = full packet contents, the equivalent of tcpdump -X.

Enterprise Firewall Commands

In a corporate environment, you'll likely be working with hardware firewalls. Here is a cheat sheet for the major vendors:

🔥 Palo Alto Networks — full 4-stage capture workflow

PAN-OS captures on the dataplane at four stages: receive (ingress), transmit (egress), drop (anything the dataplane discards), and firewall (post-policy, pre-egress). Always run all four — comparing them tells you exactly where a packet died.

PAN-OS · dataplane packet-diag
debug dataplane packet-diag set filter match source 10.1.1.5 destination 8.8.8.8
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage drop file drop.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture on
# ... reproduce traffic ...
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag show setting
# Files in /opt/pancfg/mgmt/pcaps/
view-pcap follow no filter equal yes filter-pcap rx.pcap
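To show what the four-stage comparison looks like once the files are off the box, here is an added Python example; it is not PAN-OS tooling and not part of the original page. It builds tiny constructed pcap files in memory for each stage, reads them back with a minimal libpcap parser (the same raw-frame format that tcpdump -w writes), keys each frame by its TCP 4-tuple and reports the last stage every flow reached. In practice you would copy rx.pcap, fw.pcap, tx.pcap and drop.pcap out of /opt/pancfg/mgmt/pcaps/ and pass their bytes in; the stage names follow the workflow above, while the verdict wording, the constructed frames and the sample ports are assumptions of the example.

```python
"""Compare per-stage dataplane captures (receive/firewall/transmit/drop) and
report where each TCP flow was last seen. Added example: the pcap files are
constructed in memory; stage names follow the packet-diag workflow above and
the verdict wording is this example's own."""
import io
import socket
import struct

SYN = 0x02
STAGES = ("receive", "firewall", "transmit", "drop")


def build_tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, no payload, zero checksums
    (enough to key a flow, not something you would replay)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def write_pcap(frames):
    """Serialise frames in the little-endian libpcap format tcpdump -w writes."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for n, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1700000000, n, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield raw frames from a pcap blob, honouring its byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    off = 24  # global header length
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def flow_key(frame):
    """(src, sport, dst, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (src, sport, dst, dport)


def compare_stages(pcaps):
    """pcaps maps stage name -> pcap bytes. Returns {flow: verdict}."""
    seen = {stage: set() for stage in STAGES}
    for stage, blob in pcaps.items():
        for frame in read_pcap(blob):
            key = flow_key(frame)
            if key:
                seen[stage].add(key)
    verdicts = {}
    for key in set().union(*seen.values()):
        where = [s for s in STAGES if key in seen[s]]
        if "transmit" in where:
            verdict = "forwarded"
        elif "drop" in where and "firewall" in where:
            verdict = "dropped after firewall stage"
        elif "drop" in where:
            verdict = "dropped before firewall stage"
        else:
            verdict = "seen only in " + "/".join(where)
        verdicts[key] = verdict
    return verdicts


def demo():
    """Three constructed flows from 10.1.1.5 to 8.8.8.8 (addresses from the page)."""
    client, server = "10.1.1.5", "8.8.8.8"
    allowed = build_tcp_frame(client, server, 51000, 443, SYN)
    denied = build_tcp_frame(client, server, 51001, 23, SYN)
    egress_fail = build_tcp_frame(client, server, 51002, 80, SYN)
    pcaps = {
        "receive": write_pcap([allowed, denied, egress_fail]),
        "firewall": write_pcap([allowed, egress_fail]),
        "transmit": write_pcap([allowed]),
        "drop": write_pcap([denied, egress_fail]),
    }
    return compare_stages(pcaps)


if __name__ == "__main__":
    for flow, verdict in sorted(demo().items()):
        print(flow, "->", verdict)
```

The verdicts are exactly the comparison the text describes: receive plus drop with no transmit means the dataplane discarded the packet, and whether it also reached the firewall stage tells you if that happened before or after policy.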

🛡 Fortinet (FortiGate)

FortiGate uses a built-in sniffer tool that is very similar to tcpdump. The trailing integer is the verbosity level — 1 = headers only, 3 = headers + payload summary, 4 = headers + interface, 6 = full packet contents (the L3-equivalent of tcpdump -X).

FortiGate · diagnose sniffer packet
# Basic syntax: diagnose sniffer packet [interface] [filter] [verbosity] [count] [timestamp]
diagnose sniffer packet any 'host 192.168.1.100' 4

# Full packet contents (level 6), 100 frames, absolute timestamp
diagnose sniffer packet any 'host 10.1.1.5' 6 100 a

🔵 Cisco ASA

Cisco ASA · capture
# Create Access List
access-list CAP extended permit ip host 192.168.1.100 any

# Apply Capture
capture CAP interface inside access-list CAP

🐧 tcpdump — write to pcap, no name resolution

The two flags every L3 engineer types reflexively: -nn (skip both name and port resolution — capture stays fast and isn't fooled by DNS) and -w (write raw frames to a file for Wireshark).

tcpdump · write pcap
sudo tcpdump -nn -i eth0 -w /tmp/cap.pcap host 10.1.1.5 and port 443
Production gotchas
[Figure: why a SPAN/TAP can miss half the conversation. The client's [S] crosses the switch whose SPAN mirrors only one direction, but the server's [S.] returns over a different path the SPAN never sees, so the capture shows SYNs with no SYN-ACKs and you wrongly conclude the server is down.]

A SPAN/mirror port often mirrors only one direction; with asymmetric routing the reply takes a different path the tap never sees. Fix it by mirroring both directions (TX and RX), tapping a chokepoint both flows traverse, or capturing on the endpoint/firewall itself.
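An added example (not from the original page) that turns tcpdump -nn summary lines into per-flow handshake verdicts, covering both the flag reading in Step 4 and the one-directional SPAN symptom above: a [S] answered by [S.] is healthy, a [S] answered by a RST from the other side means a closed port or a firewall deny, and a [S] with no reply at all is either dropped upstream or the half of the flow a one-way mirror never sees. The sample lines are constructed; the line format assumed is tcpdump's default IPv4/TCP summary with -nn, and the verdict wording is the example's own.

```python
"""Classify TCP flows from tcpdump -nn summary lines.
Added example: sample lines are constructed, verdict text is this example's own."""
import re
from collections import defaultdict

# "12:00:01.000001 IP 10.1.1.5.51000 > 10.1.1.9.443: Flags [S], seq 1000, ..."
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample: one healthy handshake, one SYN answered by RST,
# one SYN retransmitted with no reply at all.
SAMPLE = """\
12:00:01.000001 IP 10.1.1.5.51000 > 10.1.1.9.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.000250 IP 10.1.1.9.443 > 10.1.1.5.51000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:01.000400 IP 10.1.1.5.51000 > 10.1.1.9.443: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 10.1.1.5.51001 > 10.1.1.9.23: Flags [S], seq 2000, win 64240, length 0
12:00:02.000300 IP 10.1.1.9.23 > 10.1.1.5.51001: Flags [R.], seq 0, ack 2001, win 0, length 0
12:00:03.000001 IP 10.1.1.5.51002 > 10.1.1.9.80: Flags [S], seq 3000, win 64240, length 0
12:00:04.000001 IP 10.1.1.5.51002 > 10.1.1.9.80: Flags [S], seq 3000, win 64240, length 0
""".splitlines()


def parse_line(line):
    """Return {ts, src, dst, flags} for a TCP summary line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": (src, int(sport)), "dst": (dst, int(dport)), "flags": flags}


def classify_flows(lines):
    """Map (client, server) -> verdict. The client is whoever sent the bare [S]."""
    flows = defaultdict(lambda: {"client": None, "syn": False, "synack": False,
                                 "rst": False, "fin": False})
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        key = tuple(sorted([p["src"], p["dst"]]))   # direction-independent key
        f = flows[key]
        fl = p["flags"]
        if "S" in fl and "." not in fl:              # [S]  SYN
            f["syn"], f["client"] = True, p["src"]
        elif "S" in fl:                               # [S.] SYN-ACK
            f["synack"] = True
        elif "R" in fl:                               # [R] / [R.] RST
            if f["client"] and p["src"] != f["client"]:
                f["rst"] = True                      # reset came from the far side
        elif "F" in fl:                               # [F.] FIN-ACK
            f["fin"] = True
    verdicts = {}
    for key, f in flows.items():
        client = f["client"] or key[0]
        server = key[1] if client == key[0] else key[0]
        if f["syn"] and f["synack"]:
            verdict = "healthy handshake" + (", closed gracefully" if f["fin"] else "")
        elif f["syn"] and f["rst"]:
            verdict = "RST answered the SYN: port closed or firewall denied"
        elif f["syn"]:
            verdict = "SYN with no reply: dropped upstream, or the tap sees only one direction"
        else:
            verdict = "no handshake seen: mid-flow or one-directional capture"
        verdicts[(client, server)] = verdict
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in sorted(classify_flows(SAMPLE).items()):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {verdict}")
```

Feed it the output of tcpdump -nn -r /tmp/cap.pcap instead of SAMPLE to run it on a real file; a long list of "SYN with no reply" verdicts from a SPAN is the cue to check the mirror direction before blaming the server.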

Enterprise Warning

Always use specific filters on production firewalls. Capturing "all" traffic can crash the CPU and cause a network outage. Be specific and precise.

Quick Lab

Quick Lab (10 min):
1. On a Linux box, run sudo tcpdump -nn -i any -w /tmp/cap.pcap host 8.8.8.8 and port 53, then generate DNS lookups with dig. Open the file in Wireshark and confirm the packets were captured.
2. On a PA lab, run the 4-stage packet-diag flow (rx/tx/drop/fw), then view-pcap each file to inspect what hit which stage.
3. Compare: which capture method showed you info the other missed?

▶ One capture workflow, start to finish

You're chasing a connectivity issue to 10.1.1.5:443. Here is the clean, filtered workflow, step by step.

① Pick the interface. Run sudo tcpdump -D to list interfaces, then choose the one the traffic actually uses (or any if you're not sure).
② Filter FIRST. Scope the capture before it runs: host 10.1.1.5 and port 443. On a firewall, the equivalent filter (PA packet-diag set filter, FortiGate 'host 10.1.1.5') goes on first too.
③ Capture to a file. sudo tcpdump -nn -i eth0 -w /tmp/cap.pcap host 10.1.1.5 and port 443. -nn keeps it fast, -w writes raw frames for Wireshark.
④ Reproduce + stop. Trigger the traffic, then stop the capture (or let -c / the firewall count field stop it). Read the flags: [S] out, [S.] back = the handshake is healthy.
⑤ Analyse in Wireshark. Copy the .pcap off the box and open it in Wireshark: protocol decode, follow-stream, expert info. Capture where the traffic is; analyse where you have a screen.
Quick check · Capture on a production firewall

An engineer runs an unfiltered capture on a 10 Gbps interface of a production firewall to "just have a quick look." What's the real risk?

Correct: b. An unfiltered capture on a high-speed interface forces every frame up to the CPU running the capture. That CPU saturates, latency spikes, and on an HA pair it can miss heartbeats and fail over. The rule is always: filter by IP/port first, capture second — and add a count limit so the capture stops on its own.


📝 Check your understanding

10 scenario questions, at the depth you'll see in interviews and on the job.

Q1

You're on a headless Linux server with no GUI. What's the standard packet-capture workflow?

Correct: (d). tcpdump is the command-line capture tool; Wireshark is the GUI analyser. Capture where the traffic is (tcpdump -w), copy the .pcap off, and analyse where you have a screen.
Q2

You don't know which interface the traffic uses on a Linux box. What's the first command, and the safe interface choice?

Correct: (c). tcpdump -D lists available interfaces. The any pseudo-device captures on all interfaces — the safe choice when you don't yet know which one the traffic uses.
Q3

What does -nn do in tcpdump, and why type it reflexively?

Correct: (a). -n skips IP-to-hostname lookups; the second n skips port-to-service lookups. No DNS round-trips means a faster capture, no self-generated DNS noise, and raw numbers you can match against firewall rules.
Q4

Which command correctly filters for one host AND one port and writes the result to a file for Wireshark?

Correct: (c). Use the BPF and keyword to combine conditions, and -w to write raw frames to a .pcap. (a) uses or (too broad), (b) reads a file, and (d) -D just lists interfaces.
Q5

In a capture, a client [S] goes out and the server replies with a lone [R]. What does that usually indicate?

Correct: (c). A healthy handshake answers a SYN [S] with a SYN-ACK [S.]. A lone [R] (RST) right after the SYN usually means the destination port is closed or a firewall denied the session.
Q6

On a PAN-OS firewall, a packet shows up in the receive capture but never in transmit, and appears in drop. What does the four-stage comparison tell you?

Correct: (b). PAN-OS captures on four dataplane stages — receive (ingress), firewall (post-policy), transmit (egress), and drop. A packet in receive + drop but not transmit means the dataplane discarded it before it left. That's the whole point of running all four and comparing.
Q7

On a FortiGate, you run diagnose sniffer packet any 'host 10.1.1.5' 6 100 a. What does the 6 control?

Correct: (b). In diagnose sniffer packet [interface] [filter] [verbosity] [count] [timestamp], the verbosity integer is the third field. 6 = full packet contents (like tcpdump -X); here 100 is the count and a the absolute timestamp.
Q8

On a Cisco ASA, what's the correct way to capture only traffic from 192.168.1.100 on the inside interface?

Correct: (a). On a Cisco ASA you bind a capture to an access-list that selects the interesting traffic, then attach the capture to an interface. View it live with show capture CAP and export the pcap over HTTPS. The PA and FortiGate commands belong to those vendors.
Q9

Why must you always set a filter before capturing on a busy production firewall?

Correct: (d). Unfiltered capture on a 10 Gbps interface saturates the management/capture CPU; latency spikes and an HA pair can miss heartbeats and trigger a failover. Always filter by IP/port first and add a count limit so it stops on its own.
Q10

Your SPAN/mirror capture shows SYNs leaving but no SYN-ACKs coming back, so you suspect the server is down. What's the more likely explanation?

Correct: (b). A SPAN/mirror port often mirrors only one direction, and with asymmetric routing the request and reply take different paths — so a single tap sees only half the flow. Fix it by mirroring both directions (TX and RX), tapping a chokepoint both flows traverse, or capturing on the endpoint/firewall itself.

Frequently Asked Questions

The packet-capture questions interviewers and seniors actually ask — and the answers L1/L2 engineers reach for in a live troubleshooting call.

What is the difference between tcpdump and Wireshark?

tcpdump is a command-line capture tool. It sniffs frames on an interface, applies a filter, and either prints a summary or writes raw packets to a file. Wireshark is the GUI analysis tool — protocol decoding, follow-stream, expert info, graphs.

The standard workflow on a headless server is: capture with tcpdump (tcpdump -nn -i eth0 -w /tmp/cap.pcap host 10.1.1.5), copy the .pcap off the box, then open it in Wireshark on your laptop. Capture where the traffic is; analyse where you have a screen.

How do I capture packets on a FortiGate firewall?

FortiGate uses a built-in sniffer that behaves like tcpdump:

diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp>

  • Use any for the interface when you don't know which one the traffic uses.
  • Verbosity: 1 = headers only, 4 = headers + interface name, 6 = full packet contents (the equivalent of tcpdump -X).
  • Example: diagnose sniffer packet any 'host 10.1.1.5' 6 100 a grabs 100 full frames with an absolute timestamp.
How do I run a packet capture on a Palo Alto firewall?

PAN-OS captures on the dataplane at four stages, and comparing them tells you exactly where a packet died:

  • receive — packet arrived on the ingress interface
  • transmit — packet left on egress
  • drop — dataplane discarded it
  • firewall — post-policy, pre-egress

Set a filter first (debug dataplane packet-diag set filter match source 10.1.1.5 destination 8.8.8.8), enable all four capture stages, reproduce the traffic, then read each file with view-pcap. Files land in /opt/pancfg/mgmt/pcaps/.

Why does a packet capture slow down — or crash — a production firewall?

An unfiltered capture on a high-speed interface (say 10 Gbps) forces every frame up to the CPU that runs the capture. That CPU saturates, latency spikes, and on an HA pair it can miss heartbeats and trigger a failover — turning a "quick look" into an outage.

The rule is always the same: filter by IP/port first, capture second. Add a count limit (-c on tcpdump, the count field on FortiGate) so the capture stops on its own.

What do the TCP flags [S], [S.], [.], [F.] and [R] mean in tcpdump?
  • [S] SYN — "I want to connect" (start of the handshake).
  • [S.] SYN-ACK — "Connection accepted" (the dot is the ACK bit).
  • [.] ACK — "Got it, established."
  • [F.] FIN-ACK — "I'm done, closing gracefully."
  • [R] RST — "Reset / abort." A lone RST after a SYN usually means the port is closed or a firewall denied the session.
How do I filter tcpdump by host and port at the same time?

Use the BPF and keyword to combine conditions:

sudo tcpdump -nn -i eth0 host 10.1.1.5 and port 443

You can chain more: host 10.1.1.5 and (port 443 or port 80). Parentheses need quoting or escaping so the shell doesn't eat them.

What does the -nn flag do in tcpdump, and why use it?

-nn turns off both name resolutions: -n skips IP-to-hostname DNS lookups, and the second n skips port-to-service-name lookups. The result is faster captures (no DNS round-trips while sniffing), no risk of the capture itself generating DNS traffic that pollutes your output, and raw numbers you can match against firewall rules.

How do I save a capture to a file for Wireshark?

Use -w to write raw frames (not the printed summary) to a .pcap file:

sudo tcpdump -nn -i eth0 -w /tmp/cap.pcap host 10.1.1.5 and port 443

Read it back on the CLI with tcpdump -r /tmp/cap.pcap, or open the file directly in Wireshark for full decoding.

My SPAN/TAP capture is missing half the conversation — why?

A SPAN/mirror port often mirrors only one direction, and in networks with asymmetric routing the request and reply take different paths — so a single tap sees only one side of the flow. You'll watch SYNs go out with no SYN-ACKs coming back and wrongly conclude the server is down.

Fix it by mirroring both directions (TX and RX), tapping a single chokepoint both flows traverse, or capturing on the endpoint/firewall itself rather than a mid-path mirror.

What is the Cisco ASA equivalent of a tcpdump capture?

On a Cisco ASA you bind a capture to an access-list that selects the interesting traffic:

access-list CAP extended permit ip host 192.168.1.100 any
capture CAP interface inside access-list CAP

View it live with show capture CAP, and export a pcap for Wireshark over HTTPS from https://<asa-ip>/admin/capture/CAP/pcap.
