Packet capture CLI for filtering, inspecting, and saving network traffic to debug protocols, connectivity, and on-wire behavior.
$ brew install tcpdump
AI Analysis
tcpdump is a packet capture and decode CLI for inspecting live network traffic or reading saved packet traces. It sits close to the wire: you filter traffic with pcap expressions, print protocol details, or write raw packets to capture files for later analysis.
What It Enables
- Capture traffic on a chosen interface (-i) and narrow it with pcap-filter expressions so you can isolate DNS, HTTP, TLS, VPN, or host-to-host flows during outages and protocol debugging.
- Read existing pcap or pcapng files (-r), print decoded packet details, or emit only the number of matching packets (--count) when you need scripted inspection of saved traces.
- Write raw captures to files (-w), rotate them by size (-C) or time (-G, with -W to cap the number of files kept), and hand them off to Wireshark or follow-up CLI analysis during longer investigations.
Agent Fit
- Non-interactive flags, filter expressions, line-buffered stdout (-l) for piping, and documented exit codes make it usable in scripted inspect-then-verify loops.
- It is especially useful when an agent needs raw network evidence: capture now with -w, reread the file later with tighter filters, or use --count for simple scalar checks on saved captures.
- Decoded output is human-oriented text rather than structured JSON (pass -n to avoid name lookups that slow and alter it), and live capture often needs elevated privileges plus networking knowledge to avoid noisy or incomplete traces.
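The capture-then-reread loop described above, as an added example (not code from the page or from the tcpdump project): it builds a tiny pcap file offline from two constructed packets (a DNS query and a TCP SYN; the MAC and IP addresses are made up), then shells out to tcpdump to reread the saved file with a tighter filter and return the match count as a scalar. It assumes a tcpdump binary on PATH; when `--count` is not accepted (tcpdump older than 4.99) it falls back to counting decoded lines, and when no tcpdump is installed it returns None so the caller can tell "nothing matched" from "could not check".

```python
"""Save-then-reread loop around tcpdump: build a small pcap offline, then ask
tcpdump for a scalar match count with a tighter filter.  Added example with
constructed sample packets; not tcpdump's own code."""
import re
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path

LINKTYPE_ETHERNET = 1  # pcap link-layer type for Ethernet II frames


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_frame(proto: int, payload: bytes, src: str = "10.0.0.2", dst: str = "10.0.0.53") -> bytes:
    """Ethernet II + IPv4 header around `payload`. MACs and addresses are made-up sample values."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # checksum sits at bytes 10-11
    return eth + ip + payload


def dns_query_packet() -> bytes:
    """UDP/53 A query for example.com (constructed). UDP checksum 0 means 'not computed' over IPv4."""
    qname = b"\x07example\x03com\x00"
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return ipv4_frame(17, udp)


def tcp_syn_packet() -> bytes:
    """Bare TCP SYN to port 443 (constructed), so a 'udp port 53' filter must exclude it."""
    tcp = struct.pack("!HHIIBBHHH", 40001, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_frame(6, tcp, dst="10.0.0.80")


def build_pcap(packets, snaplen: int = 65535) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def make_sample_capture() -> bytes:
    return build_pcap([dns_query_packet(), tcp_syn_packet()])


def parse_count_output(text: str):
    """tcpdump --count prints e.g. '1 packet' or '2 packets'; versions differ on stdout vs stderr."""
    m = re.search(r"(\d+) packets?\b", text)
    return int(m.group(1)) if m else None


def count_matching(pcap_bytes: bytes, filter_expr: str):
    """Write the capture to a temp file and reread it with a tighter filter.
    Returns the match count, or None when no tcpdump binary is on PATH.
    Reading a saved file needs no root; -n avoids slow, leaky name lookups."""
    if shutil.which("tcpdump") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "trace.pcap"
        path.write_bytes(pcap_bytes)
        base = ["tcpdump", "-n", "-r", str(path)]
        proc = subprocess.run(base + ["--count", filter_expr], capture_output=True, text=True)
        if proc.returncode == 0:
            count = parse_count_output(proc.stdout + proc.stderr)
            if count is not None:
                return count
        # Fallback for tcpdump older than 4.99 (no --count): default decode is one line per packet.
        proc = subprocess.run(base + [filter_expr], capture_output=True, text=True, check=True)
        return sum(1 for line in proc.stdout.splitlines() if line.strip())


if __name__ == "__main__":
    cap = make_sample_capture()
    for expr in ("udp port 53", "tcp[tcpflags] & tcp-syn != 0", "host 10.0.0.53"):
        print(f"{expr!r}: {count_matching(cap, expr)}")
```

The same loop applies to a real capture: record with `tcpdump -i eth0 -n -w trace-%Y%m%d%H%M%S.pcap -G 300 -W 12 'udp port 53'` (time-based rotation needs strftime escapes in the file name or each rotation overwrites the previous file), then hand each finished file to `count_matching` with progressively tighter expressions instead of scraping the live console output.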
Caveats
- Capturing from live interfaces may require root or capture privileges (on Linux the CAP_NET_RAW and CAP_NET_ADMIN capabilities, on macOS read access to the /dev/bpf* devices); reading saved packet files does not.
- Snapshot length (-s), kernel buffer size (-B), output buffering (-l, -U), and rotation settings (-C, -G, -W) affect fidelity and packet loss, and the "packets dropped by kernel" line tcpdump prints at exit is the only signal that a trace is incomplete, so automation is usually safer when it saves capture files instead of parsing console text alone.