tcpdump: Capture Traffic to Debug CI Connectivity
tcpdump prints or saves the packets crossing a network interface, so you can see whether a connection sends SYNs, gets resets, or never leaves the host.
When a connection fails and the logs are silent, tcpdump shows the wire truth: was the SYN sent, did it get a RST, did DNS go out. It is the last resort that ends the guessing.
What it does
tcpdump puts an interface into a capture mode and prints a one-line summary of each matching packet, or writes raw packets to a pcap file with -w. A filter expression narrows the capture to the host, port, or protocol you care about.
Common usage
# watch traffic to a host, numeric output, stop after 20 packets
tcpdump -i any -n -c 20 host db.internal
# capture only the SYN/ACK handshake on a port
tcpdump -i any -n 'tcp port 5432 and tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'
# save to a file for later analysis
tcpdump -i any -n -w /tmp/capture.pcap port 443Options
| Flag | What it does |
|---|---|
| -i <iface> | Interface to capture on (any captures all) |
| -n | Do not resolve hosts/ports to names (avoids DNS noise) |
| -c <count> | Stop after capturing N packets |
| -w <file> | Write raw packets to a pcap file |
| -v / -vv | More verbose per-packet detail |
| -s 0 | Capture the full packet (older defaults truncated) |
In CI
Use -c or run tcpdump in the background and kill it after the failing step, otherwise it captures forever and the job never ends. -n is important: without it tcpdump does reverse-DNS on every packet, which is slow and pollutes the output with the very lookups you may be debugging.
Common errors in CI
"tcpdump: <iface>: You don't have permission to capture on that device" or "Operation not permitted" means the process lacks CAP_NET_RAW; run as root or grant the capability. "tcpdump: <iface>: No such device exists" means the interface name is wrong; use -D to list interfaces or capture on any.