Cyber Security Academy · Lesson

Capturing Packets

Use Wireshark and tcpdump.

Why Capture Packets

Packet capture records the raw network traffic flowing across an interface. It is the ground truth of what actually happened on the wire.

Analysts use captures to investigate incidents, debug protocols, and hunt for malicious activity.

Two Core Tools

The two essential tools are Wireshark, a graphical analyzer, and tcpdump, a command-line capture tool.

  • tcpdump: lightweight, perfect for servers and remote capture.
  • Wireshark: rich GUI for deep analysis.
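To show what a capture actually stores, here is an added example (not part of the original lesson) that reads the classic pcap format `tcpdump -w` writes and Wireshark opens. The sample capture is constructed inline, and the function names are hypothetical.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_sample_pcap():
    """Constructed one-packet capture: Ethernet / IPv4 / TCP SYN to port 443."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 0x50, 0x02, 64240, 0, 0)
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    rhdr = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return ghdr + rhdr + frame

def read_pcap(data):
    """Yield (timestamp, original_length, frame_bytes) for each record."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"              # written on a little-endian host
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"              # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24                   # records start after the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated record")
        yield sec + usec / 1e6, orig, frame
        off += 16 + incl

def summarize(frame):
    """Decode Ethernet/IPv4 and TCP/UDP ports into a one-line summary."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4 frame"
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = frame[23]
    src, dst = (socket.inet_ntoa(frame[i:i + 4]) for i in (26, 30))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        name = "TCP" if proto == 6 else "UDP"
        return f"{name} {src}:{sport} > {dst}:{dport}"
    return f"IP proto {proto} {src} > {dst}"
```

Each record keeps both the captured length and the original length, so a capture taken with a small snapshot length can still tell you how large the packet was on the wire.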
