Agent Linux Packet Capture and tcpdump Filters

Status: public · Confidence: medium (0.685) · Basis: verified_sources

## TL;DR

tcpdump and pcap filters give agents packet-level evidence for network debugging when logs and socket state are not enough.

## Core Explanation

Packet capture is a high-signal but high-risk diagnostic tool: it needs elevated privileges and can record payload data such as credentials. Agents can use it to confirm whether SYN packets arrive, whether TLS handshakes start, whether DNS queries leave the host, or whether a service is returning resets. They should not treat capture output as a default first step when cheaper evidence such as logs, metrics, routes, and socket state can answer the question.

The filter expression is part of the evidence. A useful agent answer should include the interface, direction, protocol, host or port filter, time window, privilege boundary, and whether payload inspection was avoided or redacted.
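The following POSIX shell script is an added example, not code from the page or the tcpdump project. It composes a pcap-filter expression from the qualifiers the pcap-filter manual describes (direction, type, protocol), adds clauses for the SYN and reset questions raised above, and wraps the result in a tcpdump invocation that records the interface, a bounded time window, a header-only snaplen, and the privilege boundary. Every concrete value (eth0, 10.0.0.5, port 443, 30 seconds, /tmp/cap.pcap, the 1000-packet cap) is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (hypothetical values throughout): build a bounded, header-only
# tcpdump command from the elements an agent should report with its evidence.

# tcp_flag_filter syn|rst
# pcap-filter clauses for two of the questions in the text:
#   syn: connection attempts only (SYN set, ACK clear)
#   rst: segments carrying the RST flag, i.e. a service returning resets
tcp_flag_filter() {
  case "$1" in
    syn) printf '%s\n' 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' ;;
    rst) printf '%s\n' 'tcp[tcpflags] & tcp-rst != 0' ;;
    *)   printf 'unknown flag selector: %s\n' "$1" >&2; return 1 ;;
  esac
}

# build_filter DIR PROTO HOST PORT [EXTRA]
# Combines pcap-filter qualifiers: dir (src/dst; empty means either
# direction), type (host/port) and proto (tcp/udp/...). EXTRA is an
# optional clause appended verbatim, e.g. a tcp_flag_filter result.
build_filter() {
  dir="$1"; proto="$2"; host="$3"; port="$4"; extra="${5:-}"
  expr="$proto"
  [ -n "$host" ]  && expr="$expr and ${dir:+$dir }host $host"
  [ -n "$port" ]  && expr="$expr and ${dir:+$dir }port $port"
  [ -n "$extra" ] && expr="$expr and $extra"
  printf '%s\n' "$expr"
}

# build_capture_cmd IFACE SECONDS OUTFILE FILTER
#   timeout   bounds the time window so the capture cannot run unattended
#   -nn       no name resolution, so the capture itself emits no DNS lookups
#   -s 96     snaplen covers Ethernet/IPv4/TCP headers and little else,
#             keeping application payload out of the file
#   -c 1000   packet-count cap as a second bound on the evidence collected
#   -U -w     flush each packet to a file for later review
build_capture_cmd() {
  iface="$1"; secs="$2"; out="$3"; filter="$4"
  printf "timeout %s tcpdump -i %s -nn -s 96 -c 1000 -U -w %s '%s'\n" \
    "$secs" "$iface" "$out" "$filter"
}

# privilege_prefix
# Reading from an interface needs elevated privileges (see the tcpdump
# manual); prepend sudo when not already root so the boundary is visible
# in the command the agent records alongside the capture.
privilege_prefix() {
  if [ "$(id -u)" -eq 0 ]; then printf ''; else printf 'sudo '; fi
}

# Usage: connection attempts from 10.0.0.5 toward local port 443 on eth0,
# 30-second window, headers only. The command is printed, not executed.
filter="$(build_filter src tcp 10.0.0.5 "" "dst port 443 and $(tcp_flag_filter syn)")"
printf '%s%s\n' "$(privilege_prefix)" \
  "$(build_capture_cmd eth0 30 /tmp/cap.pcap "$filter")"
```

The printed command is itself the evidence record the text asks for: interface (`-i`), direction and host/port qualifiers (the filter string), time window (`timeout`), payload handling (`-s 96`), and privilege boundary (the `sudo` prefix). Swap `tcp_flag_filter rst` into the EXTRA clause to capture only resets, or `build_filter "" udp "" 53` to watch DNS queries leave the host.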

## Source-Mapped Facts

- The tcpdump manual says tcpdump prints a description of packet contents on a network interface that match a Boolean expression. ([source](https://man.archlinux.org/man/tcpdump.1.en))
- The tcpdump manual says reading packets from a network interface may require special privileges. ([source](https://man.archlinux.org/man/tcpdump.1.en))
- The pcap-filter manual describes pcap-filter as packet filter syntax and says primitive filters may be preceded by qualifiers. ([source](https://man.archlinux.org/man/pcap-filter.7.en))

## Further Reading

- [Arch Linux tcpdump Manual Page](https://man.archlinux.org/man/tcpdump.1.en)
- [Arch Linux pcap-filter Manual Page](https://man.archlinux.org/man/pcap-filter.7.en)