My toolbox: Wireshark

Heiko W. Rupp
Published in ITNEXT
3 min read · Jun 6, 2022


In my previous toolbox article I talked about HttpToolkit and how awesome it is to see HTTP requests in action. There is an older tool that is probably the Swiss Army knife of network debugging tools (and yes, I am old enough to have contributed to its predecessor tcpdump): Wireshark.

Wireshark captures raw packets from the network interface(s) of the machine it is running on, which on one side means you can ‘see’ all the traffic going on. It also means that Wireshark cannot look inside an encrypted connection such as HTTPS on its own: the TLS handshake and the encrypted application data are shown, but the HTTP inside stays opaque unless you hand Wireshark the session keys (browsers and curl write them to the file named by the SSLKEYLOGFILE environment variable, which you can point Wireshark at under Preferences › Protocols › TLS). For quickly seeing HTTPS requests, HttpToolkit is the way to go.

Screenshot of the Wireshark UI with the list of interfaces and a dropdown of past filter expressions.

After starting Wireshark, a list of detected network interfaces is shown and it is possible to enter a capture filter for traffic on the selected interface. Capture filters use the BPF syntax known from tcpdump (e.g. tcp port 8085) and are applied by the kernel before packets reach Wireshark, so they are not the same as the display filters discussed further below. As you can see in the above screenshot, filter expressions can be quite elaborate. Capturing needs access to the capture device (the bpf devices on macOS, raw sockets on Linux), which is why Wireshark is often started as a privileged user; the better practice is to grant that access only to your user (on macOS via the ChmodBPF package mentioned below) or to the capture helper dumpcap, rather than running the whole GUI with its hundreds of protocol dissectors as root. The list of interfaces also shows some sparklines about the traffic they get; this may be a good hint as to which one to select. The one for localhost (e.g. when doing curl http://localhost:8085/, localhost is used) is marked with Loopback and is called lo0 on macOS and BSD (lo on Linux).

After the recording has started, a view with a list at the top appears; each line shows one captured packet with source and destination, the highest-layer protocol Wireshark could decode (TCP, HTTP, DNS, ...) and some decoded information about the packet. When you click on a row, the detail pane below shows the packet layer by layer (frame, IP, TCP, HTTP, ...) together with a hex dump of the raw bytes.

You may have seen the slight bracket at the left for packets 18–21: Wireshark draws it to mark related packets, in this case packets that together belong to one TCP connection. A message that is too large for a single TCP segment is split into several segments (each in its own IP packet) on the wire, and Wireshark reassembles them again. Right-clicking a packet and choosing Follow › TCP Stream shows the whole conversation of such a connection in one window.

The above view is probably rather uninteresting and much too verbose. The text field below the toolbar icons allows applying a display filter:

Filter for HTTP requests that got a non-200 response

The list of possible filter fields is large, since every protocol dissector contributes its own (http.response.code and tcp.stream are two of them). Wireshark has a wizard to interactively compose such a filter. Unfortunately it is a bit hidden — I’ve marked the place to call it with the orange circle in the previous screenshot.

Filter expression wizard
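To make the display filter above and the connection grouping from the packet list concrete, here is an added example (my own code, not part of the original article and not Wireshark's or tshark's code): a minimal Python pcap reader that decodes Null/Loopback frames the way Wireshark's detail pane lists them (Null/Loopback → IPv4 → TCP → HTTP) and then re-implements the equivalent of `http.response.code != 200` and of the tcp.stream grouping over a constructed capture of three curl requests to localhost:8085. The AF_INET value, the port and the packet contents are assumptions made up for the example, and checksums are left at zero because the reader does not verify them.

```python
import struct

LINKTYPE_NULL = 0   # pcap link type Wireshark shows as "Null/Loopback" (macOS lo0)
AF_INET = 2         # assumption: BSD/macOS address family, stored in host byte order


def build_tcp_frame(src, dst, sport, dport, payload):
    """Constructed lo0-style frame: family word + IPv4 + TCP (PSH/ACK) + payload.
    Checksums are left at zero; the reader below never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("=I", AF_INET) + ip + tcp + payload


def build_pcap(frames):
    """Serialize frames into the classic little-endian pcap file format."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NULL)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1654500000 + n, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (frame_number, linktype, frame_bytes); Wireshark numbers frames from 1."""
    magic, = struct.unpack_from("<I", data)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap with microsecond timestamps handled")
    off, n = 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off, n = off + 16, n + 1
        yield n, linktype, data[off:off + incl_len]
        off += incl_len


def decode_tcp(linktype, frame):
    """Walk Null/Loopback -> IPv4 -> TCP like Wireshark's detail pane; None if not TCP."""
    if linktype != LINKTYPE_NULL:
        raise ValueError("this example only decodes Null/Loopback captures")
    if struct.unpack_from("=I", frame)[0] != AF_INET:
        return None
    ip = frame[4:]
    if ip[9] != 6:                                   # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp)
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "payload": tcp[data_off:]}


def http_response_code(payload):
    """Equivalent of the field http.response.code; None without an HTTP status line."""
    if not payload.startswith(b"HTTP/1."):
        return None
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None


def non_200_responses(pcap):
    """Display filter `http.response.code != 200`: (frame number, status) per hit."""
    hits = []
    for n, linktype, frame in parse_pcap(pcap):
        pkt = decode_tcp(linktype, frame)
        code = http_response_code(pkt["payload"]) if pkt else None
        if code is not None and code != 200:   # frames without a status line are skipped
            hits.append((n, code))
    return hits


def tcp_streams(pcap):
    """Group frame numbers per connection like tcp.stream: both directions share one group."""
    streams = {}
    for n, linktype, frame in parse_pcap(pcap):
        pkt = decode_tcp(linktype, frame)
        if pkt is not None:
            key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
            streams.setdefault(key, []).append(n)
    return list(streams.values())


# Constructed sample capture: three curl requests to a local server on port 8085
LO, SRV, HOST = "127.0.0.1", 8085, b"Host: localhost:8085\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(LO, LO, 50001, SRV, b"GET /health HTTP/1.1\r\n" + HOST),
    build_tcp_frame(LO, LO, SRV, 50001, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_tcp_frame(LO, LO, 50002, SRV, b"GET /admin HTTP/1.1\r\n" + HOST),
    build_tcp_frame(LO, LO, SRV, 50002, b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"),
    build_tcp_frame(LO, LO, 50003, SRV, b"GET /missing HTTP/1.1\r\n" + HOST),
    build_tcp_frame(LO, LO, SRV, 50003, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
])

if __name__ == "__main__":
    print("non-200 responses:", non_200_responses(SAMPLE_PCAP))  # [(4, 403), (6, 404)]
    print("tcp streams:", tcp_streams(SAMPLE_PCAP))              # [[1, 2], [3, 4], [5, 6]]
```

The frame numbers it prints are the ones Wireshark would show in the packet list for the same capture. Real captures from lo0 on macOS are Null/Loopback like this one; an Ethernet interface would carry a 14-byte Ethernet header in place of the 4-byte family word, and a real tool has to reassemble the segments of a connection before looking for the status line, which is exactly the TCP reassembly Wireshark does for you.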

Best is probably to fire up Wireshark and try it out yourself. On macOS it is easy to install from Homebrew via brew install --cask wireshark. To capture without running Wireshark as root you also need the ChmodBPF package, which changes the access rights of the bpf (pseudo) devices that provide the capturing and filtering so that members of the access_bpf group can open them: brew install --cask wireshark-chmodbpf

tl;dr

Wireshark is a super powerful tool when it comes to all kinds of debugging and understanding what is going on at the network layers of your computer. Its interface may be a bit arcane, but it is worth a try. Wireshark has helped me so many times that I can’t praise its value loud enough.
