
PCAP Analysis for Developers: What You Actually Need to Know

Skip the networking textbook. Learn just enough about packet captures to debug your production issues effectively.

whisperly Team
10 min read
December 20, 2023

The Developer's Reality

Most developers don't need to become networking experts to debug production issues. This guide focuses on the 20% of PCAP knowledge that solves 80% of real-world problems.

What is a PCAP File?

PCAP (Packet Capture) is a file format that stores network traffic data. Think of it as a recording of all the network communications happening on a network interface during a specific time period.

PCAP File Basics

What's in a PCAP

  • Raw network packets

    Complete network frames with all protocol headers and data

  • Timestamps

    Precise timing information for each packet

  • Metadata

    Interface information, capture duration, file stats

Common File Formats

  • .pcap

    Original format, widely supported

  • .pcapng

    Next-generation format with enhanced features

  • .cap

    Alternative extension, same as .pcap

When Do You Need PCAP Analysis?

PCAP analysis is particularly useful when other debugging methods fall short:

Network Performance Issues

High Latency

When application metrics show slowness but system metrics look normal

Intermittent Failures

Problems that occur sporadically and are hard to reproduce

Connection Problems

Issues with establishing or maintaining network connections

Security Investigations

Unusual Traffic Patterns

Unexpected data flows or connections to unfamiliar destinations

Data Exfiltration

Suspected unauthorized data transfers from your systems

Protocol Violations

Incorrect or malicious use of network protocols

Essential PCAP Analysis Concepts

You don't need to understand every protocol detail. Focus on these key concepts:

1. The OSI Model (Simplified)

Understanding the network layers helps you know what to look for:

Application Layer

HTTP, DNS, SMTP - What developers interact with directly

Transport Layer

TCP, UDP - Responsible for end-to-end communication

Internet Layer

IP - Handles routing packets across networks

2. TCP Connection Lifecycle

Most application traffic uses TCP, so understanding its connection process is crucial:

Three-Way Handshake

SYN → SYN-ACK → ACK (Establishes connection)

Data Transfer

Application data exchanged with sequence/acknowledgment numbers

Connection Termination

FIN → ACK → FIN → ACK (Graceful closure)

3. Common Patterns to Look For

These patterns often indicate specific types of problems:

Problem Indicators

  • Retransmitted packets (duplicate data)
  • Missing acknowledgments (unconfirmed data)
  • Connection timeouts (incomplete handshakes)
  • Unexpected resets (abrupt connection closures)

Normal Patterns

  • Consistent packet sequencing
  • Regular acknowledgment flow
  • Expected connection establishment
  • Graceful connection termination

How to Capture PCAP Files

Before you can analyze network traffic, you need to capture it. Here are the most common methods:

Capture Tools and Commands

1. tcpdump (Most Common)

# Capture all traffic on interface eth0
sudo tcpdump -i eth0 -w capture.pcap

# Capture only traffic on port 80 (plain HTTP)
sudo tcpdump -i eth0 port 80 -w http-traffic.pcap

# Capture traffic to/from specific host
sudo tcpdump -i eth0 host example.com -w host-traffic.pcap

# Capture for specific duration
sudo timeout 60 tcpdump -i eth0 -w timed-capture.pcap

2. Wireshark (GUI Tool)

# Install Wireshark
sudo apt install wireshark # Ubuntu/Debian
brew install --cask wireshark # macOS

# Run Wireshark GUI
wireshark

# Use tshark (command-line version)
tshark -i eth0 -w capture.pcap

3. Cloud Platform Tools

# AWS VPC Traffic Mirroring
aws ec2 create-traffic-mirror-session ...

# GCP Packet Mirroring
gcloud compute packet-mirrorings create ...

# Azure Network Watcher
az network watcher packet-capture create ...

Analyzing PCAP Files: A Practical Approach

When analyzing PCAP files, focus on these practical steps rather than deep protocol knowledge:

1. Start with the Big Picture

Before diving into details, get an overview of the capture:

# Get basic statistics with capinfos
capinfos capture.pcap

# Get protocol hierarchy with tshark
tshark -r capture.pcap -q -z io,phs

# Get conversation statistics
tshark -r capture.pcap -q -z conv,tcp

2. Filter for Relevant Traffic

Narrow down to the specific traffic you're investigating:

# Filter by IP address
tshark -r capture.pcap -Y "ip.addr == 192.168.1.100"

# Filter by port
tshark -r capture.pcap -Y "tcp.port == 80"

# Filter by protocol
tshark -r capture.pcap -Y "http"

# Combine filters
tshark -r capture.pcap -Y "ip.addr == 192.168.1.100 && tcp.port == 80"

3. Look for Anomalies

Search for common indicators of problems:

# Find TCP retransmissions
tshark -r capture.pcap -Y "tcp.analysis.retransmission"

# Find duplicate ACKs
tshark -r capture.pcap -Y "tcp.analysis.duplicate_ack"

# List initial SYNs; a SYN repeated with no SYN-ACK in reply is a handshake that timed out
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"

# Find connection resets
tshark -r capture.pcap -Y "tcp.flags.reset == 1"
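The file layout from PCAP File Basics, the handshake from the TCP Connection Lifecycle section and the indicators listed above, worked in Python as an added example that is not code from the article or from whisperly: a minimal reader for the classic .pcap format pulls IPv4/TCP records out of a capture constructed in memory and counts retransmissions, unanswered SYNs and resets. All function names and the sample addresses are assumptions made for this example.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits used below
def tcp_frame(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because the reader ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MAC addresses, EtherType 0x0800 = IPv4

def pcap_bytes(frames):
    """Classic .pcap layout: 24-byte global header, then a 16-byte record header before each frame."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, DLT_EN10MB
    return head + b"".join(struct.pack("<IIII", t, 0, len(f), len(f)) + f for t, f in enumerate(frames))

def tcp_records(data):
    """Yield (src, dst, sport, dport, flags, seq, payload_len) for each IPv4/TCP record in a .pcap."""
    end, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24  # magic number reveals byte order
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]  # bytes actually captured
        f, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if f[12:14] != b"\x08\x00" or f[23] != 6:  # skip anything that is not IPv4 carrying TCP
            continue
        ihl, ip_len = (f[14] & 0x0F) * 4, struct.unpack("!H", f[16:18])[0]
        sport, dport, seq, _, doff, flags = struct.unpack("!HHIIBB", f[14 + ihl:28 + ihl])
        yield inet_ntoa(f[26:30]), inet_ntoa(f[30:34]), sport, dport, flags, seq, ip_len - ihl - (doff >> 4) * 4

def analyze(data):
    """Count the problem indicators from the page: retransmissions, unanswered SYNs, resets."""
    seen, syns, synacks, report = defaultdict(set), set(), set(), defaultdict(int)
    for src, dst, sport, dport, flags, seq, plen in tcp_records(data):
        flow = (src, sport, dst, dport)
        if flags & SYN and flags & ACK:
            synacks.add((dst, dport, src, sport))  # a SYN-ACK answers the SYN sent the other way
        elif flags & SYN:
            syns.add(flow)
        report["resets"] += bool(flags & RST)
        if plen:  # simplified check: payload starting at a sequence number already seen in this flow
            report["retransmissions"] += seq in seen[flow]
            seen[flow].add(seq)
    report["unanswered_syns"] = len(syns - synacks)  # handshakes that never got past the SYN
    return dict(report)

C, S = "10.0.0.5", "10.0.0.9"  # constructed client and server addresses
SAMPLE = pcap_bytes([  # constructed capture: clean handshake, retransmitted request, reset, unanswered SYN
    tcp_frame(C, S, 40000, 80, SYN, 100, 0), tcp_frame(S, C, 80, 40000, SYN | ACK, 500, 101),
    tcp_frame(C, S, 40000, 80, ACK, 101, 501), tcp_frame(C, S, 40000, 80, ACK, 101, 501, b"GET /\r\n"),
    tcp_frame(C, S, 40000, 80, ACK, 101, 501, b"GET /\r\n"),  # same seq and payload again = retransmission
    tcp_frame(S, C, 80, 40000, RST | ACK, 501, 108), tcp_frame(C, S, 40001, 5432, SYN, 700, 0),
])
```

Running `analyze(SAMPLE)` reports one retransmission, one reset and one unanswered SYN; pointing `tcp_records` at the bytes of a real tcpdump file gives the same fields tshark shows for each packet.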

Real-World Example: Debugging a Slow API

Let's walk through a practical example of using PCAP analysis to debug a slow API call:

Scenario

Problem

  • API response time: 5 seconds (normal: 200ms)
  • Database queries: Normal performance
  • Application logs: No errors
  • System metrics: CPU/memory normal

Hypothesis

  • Network latency between services
  • TCP connection establishment delays
  • Packet loss causing retransmissions

Analysis Process

1. Capture Traffic

Used tcpdump to capture traffic during slow API calls

2. Filter for API Traffic

Applied filters to focus on HTTP traffic to the API endpoint

3. Identify Anomalies

Found 47 TCP retransmissions during the 5-second period

4. Root Cause

Network congestion was causing packet loss, requiring retransmissions

Tools for PCAP Analysis

You can analyze PCAP files with command-line tools alone; GUI tools make the work much easier:

Command-Line Tools

  • tcpdump

    Capture and basic analysis of network traffic

  • tshark

    Command-line version of Wireshark with powerful filtering

  • capinfos

    Display metadata and statistics about PCAP files

GUI Tools

  • Wireshark

    Industry-standard GUI tool with powerful analysis features

  • whisperly

    AI-powered analysis that explains network issues in plain English

  • CloudShark

    Web-based PCAP analysis tool with collaboration features

Best Practices for PCAP Analysis

Follow these practices to make your PCAP analysis more effective:

Capture Best Practices

  • Capture during problem occurrence, not normal operation
  • Use appropriate filters to limit capture size
  • Document the time and conditions of capture
  • Capture on the correct network interface

Analysis Best Practices

  • Start with high-level statistics before diving into packets
  • Use display filters to focus on relevant traffic
  • Look for patterns rather than individual anomalies
  • Correlate findings with application logs and metrics

