Packet capture is one of the most fundamental and powerful ways to do network analysis.
If you think that tcpdump has been made obsolete by GUI tools like Wireshark, think again. Wireshark is a great application; it’s just not the right tool for the job in every situation.
tcpdump uses a “one-off-command” approach that lends itself to quick, on-the-spot answers. You can run it through an SSH session, doesn’t need X and is more likely to be there when you need it. And, because tcpdump uses standard command-line conventions (such as writing to STDOUT, which can be redirected), tcpdump can be used in all sorts of creative, interesting and extremely useful ways.
You can even use tcpdump and Wireshark together by capturing the network data with tcpdump for viewing with Wireshark. To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 65535 -w <some-file>
tcpdump fu article introduces some of the basics of packet capture and provide a breakdown of tcpdump syntax and usage. Manual page of tcpdump lists you all the command line options you can use.
If you are embedded Linux system developer, remember that you can easily fit the tcpdump program inside a small embedded Linux system without too much problem (which is not the case with Wireshark, because it is a huge program that needs GUI and has many dependencies).
