Here is another handy little trick for tcpdump that will help you identify some potential network issues. Oftentimes when there is trouble along the line you will see reset connections. This happens for many reasons and can be an indication of everything from a network problem to a crashed application that suddenly stops responding.
The trick I use to identify those reset connections is this:
tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0'
So, what does all of this mean?

-n tells tcpdump not to perform DNS lookups to resolve addresses. Resolving names slows things down tremendously and, depending on your network, can push a lot of traffic to your DNS servers.

-v tells it to use verbose mode, which prints additional header information.

tcp[tcpflags] tells tcpdump to examine the flags byte of the TCP header. The expression masks that byte with the (tcp-rst) flag and matches any packet where the result is not 0, in other words any packet with the RST bit set, whether or not other flags such as ACK are set alongside it.
It is important to note that the expression tcp[tcpflags] & (tcp-rst) != 0 must be enclosed in single quotes to prevent the shell from trying to interpret it (the brackets, the parentheses and the & all mean something to the shell).
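To make the bitwise test concrete, here is an added example (not code from the original post) that builds minimal TCP headers and evaluates the same check the BPF filter performs: read byte 13 of the TCP header, mask it with the RST bit, match when the result is non-zero. It also renders the flags byte the way tcpdump prints it, so the "[R.]" you see in the output can be tied back to the bits. The header builder and the sample flag combinations are constructed for illustration.

```python
import struct

# Byte 13 of the TCP header holds the flag bits; this is what tcpdump's
# symbolic name tcp[tcpflags] refers to, and tcp-rst is the 0x04 bit.
TCPFLAGS_OFFSET = 13
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header with no options (constructed test input).
    Checksum and urgent pointer are left at zero; the filter never reads them."""
    data_offset_byte = 5 << 4  # header length of 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_byte, flags, window, 0, 0)


def matches_rst_filter(tcp_header):
    """Evaluate 'tcp[tcpflags] & (tcp-rst) != 0' the way the BPF filter does:
    load the flags byte, mask it with the RST bit, match if the result is non-zero.
    Other bits in the byte (ACK in an RST/ACK, for example) do not affect the test."""
    return (tcp_header[TCPFLAGS_OFFSET] & TCP_RST) != 0


def tcpdump_flag_string(flags):
    """Render the flags byte the way tcpdump prints it, e.g. RST+ACK -> 'R.'.
    Letters are emitted in bit order, which is why an ACK-only segment shows as '.'."""
    letters = ((TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"),
               (TCP_ACK, "."), (TCP_URG, "U"), (TCP_ECE, "E"), (TCP_CWR, "W"))
    return "".join(ch for bit, ch in letters if flags & bit) or "none"


if __name__ == "__main__":
    for name, flags in (("SYN", TCP_SYN), ("SYN/ACK", TCP_SYN | TCP_ACK),
                        ("ACK", TCP_ACK), ("RST", TCP_RST),
                        ("RST/ACK", TCP_RST | TCP_ACK)):
        hdr = build_tcp_header(51234, 443, flags)
        print(f"{name:8s} Flags [{tcpdump_flag_string(flags)}] "
              f"matches filter: {matches_rst_filter(hdr)}")
```

Running it shows why the filter is written as a mask rather than an equality: a bare RST and an RST/ACK both match, while SYN, SYN/ACK and plain ACK segments do not. Had the filter been tcp[tcpflags] == tcp-rst, the far more common RST/ACK would have been missed.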
This will show you all of the connections that are being reset across your network. Take what you see with a grain of salt, because not every connection that has a reset is necessarily a problem. If you are seeing unusually high levels of these, or odd patterns of resets, it may merit a deeper investigation.
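Separating noise from a pattern worth investigating is easier with a count than by eye. The following added example (not from the original post) parses lines in the shape of tcpdump -n -v output and tallies resets per sender, per sender port and per distinct peer, so a single service resetting many clients stands out from scattered one-off resets. The sample output is constructed, and the threshold of three resets is an assumption to tune for your own network.

```python
import re
from collections import Counter

# Constructed sample in the shape of 'tcpdump -n -v' output: each TCP segment is
# an IP header line followed by an indented line with addresses and flags.
SAMPLE_OUTPUT = """\
12:00:01.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.5.443 > 10.0.0.12.51234: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:01.000350 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.5.443 > 10.0.0.13.51501: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:01.000600 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.5.443 > 10.0.0.14.50022: Flags [R], seq 0, win 0, length 0
12:00:02.120000 IP (tos 0x0, ttl 128, id 9, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.12.51234 > 10.0.0.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
"""

# Matches only the indented TCP line: "src.port > dst.port: Flags [..]".
# The IP header lines printed by -v are skipped because they do not match.
TCP_LINE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def parse_resets(output):
    """Yield (src, sport, dst, dport) for every segment whose flags include R.
    With the RST filter active every line matches; the check keeps the parser
    correct when run over an unfiltered capture too."""
    for line in output.splitlines():
        m = TCP_LINE.match(line)
        if m and "R" in m.group("flags"):
            yield (m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")))


def reset_summary(output):
    """Return (resets per sender, resets per sender:port, distinct peers per sender)."""
    by_sender = Counter()
    by_sender_port = Counter()
    peers = {}
    for src, sport, dst, _dport in parse_resets(output):
        by_sender[src] += 1
        by_sender_port[(src, sport)] += 1
        peers.setdefault(src, set()).add(dst)
    return by_sender, by_sender_port, {s: len(p) for s, p in peers.items()}


def suspicious_senders(output, threshold=3):
    """Senders that reset at least 'threshold' connections (threshold is assumed)."""
    by_sender, _, _ = reset_summary(output)
    return sorted(src for src, n in by_sender.items() if n >= threshold)


if __name__ == "__main__":
    by_sender, by_sender_port, peers = reset_summary(SAMPLE_OUTPUT)
    for (src, sport), n in by_sender_port.most_common():
        print(f"{src}:{sport} sent {n} reset(s) to {peers[src]} distinct peer(s)")
    print("worth a closer look:", suspicious_senders(SAMPLE_OUTPUT))
```

In the constructed sample the service on 10.0.0.5:443 resets three different clients within a millisecond, which is the kind of pattern the post suggests digging into, while the single reset from 10.0.0.12 is the ordinary noise to take with a grain of salt. Feed it real output with tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0' > resets.txt and read the file into reset_summary.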