How to generate TCP dump information

Last updated: Mon Feb 04 23:31:01 GMT 2019

When a test is reporting loss from a location that is difficult to trace, and doesn't appear on the path visualization associated with a specific node, the ThousandEyes team might request a TCP dump in order to attempt to isolate the loss.

The tcpdump utility is available on all common Linux distributions.  Basically, you bind the capture to a specific interface and capture over a period of time.  Typically, the ThousandEyes team will request a capture of approximately 30 minutes, in order to gather all relevant information.

The relevant command to start a TCP dump is, appropriately, tcpdump, but it needs to be called with a number of parameters.

Determine which network interface to capture

To start, identify which Ethernet interface connects the machine to the network.  In most cases this will be eth0, but to check, run ifconfig on the host (or ip addr on newer distributions where ifconfig is not installed) to identify the correct interface.

dave@vm-dave-dev-1:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:69:f3:a6 
 inet addr: Bcast: Mask:
 inet6 addr: fe80::a00:27ff:fe69:f3a6/64 Scope:Link
 RX packets:216561 errors:0 dropped:0 overruns:0 frame:0
 TX packets:44521 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:127096906 (127.0 MB) TX bytes:3891185 (3.8 MB)

lo Link encap:Local Loopback 
 inet addr: Mask:
 inet6 addr: ::1/128 Scope:Host
 RX packets:905 errors:0 dropped:0 overruns:0 frame:0
 TX packets:905 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:84115 (84.1 KB) TX bytes:84115 (84.1 KB)

In this case, I only have one network interface bound, so I'm going to select that interface by appending -i eth0 to the command.  This binds the capture to the eth0 interface and captures all traffic passing through it (subject to any filter you add).

Restricting capture to a specific host or port

If directed by the ThousandEyes team, you may be asked to reduce the amount of data captured by restricting the capture to a specific port or host.  To restrict by port, append port <portnumber>.  To restrict by host, append host <w.x.y.z> to the command.  The two can be combined, joined with and; the following commands are all syntactically valid.

tcpdump -i eth0 host <w.x.y.z>
tcpdump -i eth0 host <w.x.y.z> and port 80
tcpdump -i eth0 port 80

Writing output to file

Rather than decoding packets to the terminal in real time, we want to capture them to a file that the ThousandEyes team can analyse, so we write the raw packets out instead.  This is accomplished by appending -w <filename> to the command; the file is written in pcap format.

tcpdump -i eth0 host <w.x.y.z> and port 80 -w myfilename


Running the capture

Once you have assembled the required parameters, start the capture.  Capturing packets requires root privileges, because tcpdump needs raw access to the interface.  Logging in as root is not recommended, so sudo is normally used to run the single command with superuser permissions: simply prepend sudo to the command.

sudo tcpdump -i eth0 host <w.x.y.z> and port 80 -w myfilename

The capture runs until cancelled (press ctrl-c to stop it).  When tcpdump stops, it prints the number of packets captured, the number received by the filter, and the number dropped by the kernel; a non-zero dropped count means the file is incomplete, which matters when the goal is to isolate loss:

dave@vm-dave-dev-1:~$ sudo tcpdump -i eth0 -w mycapturefile
[sudo] password for dave: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
85 packets captured
85 packets received by filter
0 packets dropped by kernel

Compress the capture

Once the file has been created, compress it to simplify transfer.  The simplest method is gzip, which is bundled with Linux distributions.  The syntax is gzip -c uncompressedfile > targetfile.gz, which creates a compressed copy of the file for email transmission.

gzip -c mycapturefile > mycompressedfile.gz

Once the compressed file has been created, send it to the ThousandEyes team for analysis by emailing the gzipped version of the file to

Running a TCP Dump from Windows

Since not everybody has a Mac or Linux server to use, you may need to generate a TCP dump using Windows.  The easiest and most common approach to this is using Wireshark (using a GUI), documented below.

First, download Wireshark.  The installer provides both the Wireshark application and the WinPcap libraries, which bind to a network adapter and capture packets.  Download Wireshark from

Once you've downloaded Wireshark, install and launch it.  The great thing about Wireshark is that everything is controlled from a single interface.  Under the Capture menu, select Options.


Select the interface you wish to capture by checking the appropriate box, choose appropriate name resolution options (defaults are fine), and ensure that the option for 'use pcap-ng format' is unchecked.  Once you're ready to start capturing packets, click the Start button.

Once you click the Start button, Wireshark begins capturing packets and displays them in real time.  The display is busy, color-coded, and updates quickly.

Once you've captured enough data, click the Stop button (also found under Capture > Stop).

If you want to filter your capture to be based on a specific target IP address, click the Capture > Capture Filters option.  This is a very rich expression builder; to target a specific host and port combination (similar to the example above) create a filter similar to the following:

tcp.dstport == 80 and ip.addr ==

Once you've applied the filter (if applicable), click File > Save and save the capture file.  The save will take the applicable filter into account and will exclude any data not displayed in the filter list.  The packet capture file will be large, so always remember to compress the file before sending to ThousandEyes support.