Prompt: How to read pcap file from tcpdump?

[ link: https://chatgpt.com/share/69868332-b6a0-800f-b3f5-a491c251f128 ]

To read and analyze a .pcap file generated by tcpdump, use one of the methods below, depending on whether you prefer command-line or GUI tools.

---

1. Read a PCAP file using tcpdump (CLI)

Basic read:

tcpdump -r capture.pcap

Verbose output:

tcpdump -r capture.pcap -v
tcpdump -r capture.pcap -vv
tcpdump -r capture.pcap -vvv

Human-readable (no name/port resolution):

tcpdump -r capture.pcap -nn

Show packet timestamps:

tcpdump -tttt -r capture.pcap

Filter while reading (example: only TCP traffic on port 443):

tcpdump -r capture.pcap tcp port 443

---

2. Common tcpdump filters when reading PCAP

---

3. Display packet payload (hex / ASCII)

Show packet contents:

tcpdump -r capture.pcap -X

Hex only:

tcpdump -r capture.pcap -xx

---

4. Read PCAP using Wireshark (GUI – recommended for deep analysis)

Steps:

1. Open Wireshark

2. File → Open

3. Select the .pcap file

4. Use display filters (e.g. ip.addr == 10.10.1.5)

5. Right-click a packet → Follow → TCP Stream

Useful features:

• Protocol decoding

• TCP stream reconstruction

• Graphs and statistics

• Export objects (HTTP, DNS, TLS)

---

5. Extract specific packets to a new PCAP

Example: extract only DNS traffic:

tcpdump -r capture.pcap port 53 -w dns-only.pcap

---

6. Read PCAP on systems without Wireshark

Use tshark (CLI version of Wireshark):

tshark -r capture.pcap

Filter example:

tshark -r capture.pcap -Y "tcp.port == 443"

---

7. Quick troubleshooting tips

• Use -nn to avoid slow DNS lookups

• Start with -v before using -X (payloads can be noisy)

• Large PCAP? Combine filters or extract subsets first

• Check link-layer type:

tcpdump -r capture.pcap -e

---

If you want, provide:

• The protocol you are investigating (DNS, TLS, HTTP, etc.)

• Whether this is for IBM Fusion / OCP / MetroDR / Kubernetes

• Sample tcpdump command used to capture the file

I can give a targeted analysis workflow and exact filters.