
Networking & Protocols

Putting it together: trace and capture reading

Crux: Read real tooling output — a tcpdump capture, a dig trace, a curl TLS handshake, and an Alt-Svc HTTP/3 negotiation — and diagnose what the bytes actually say.

Production diagnosis is reading tooling output, not reciting RFCs. Four real captures span the stack — a packet trace, a resolver walk, a TLS handshake, and an HTTP/3 upgrade. Read each one and say what actually happened on the wire.

Goal

Practise the senior move: open the capture, find the line that tells the story, and translate raw protocol output into a single sentence about what the network did and what to do next.

Capture 1 — tcpdump of a connection open

12:00:00.000000 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [S], seq 1001, win 64240, length 0
12:00:00.056120 IP 93.184.216.34.443 > 10.0.0.5.51514: Flags [S.], seq 7001, ack 1002, win 65535, length 0
12:00:00.056300 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [.], ack 7002, win 64240, length 0
12:00:00.056480 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [P.], seq 1002:1519, ack 7002, length 517

Quiz

What do these four packets show, and what is the dominant cost so far?
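As an added example (not part of the original lesson), a small Python parser for the tcpdump lines above that recovers the timings a senior reads by eye: the SYN-to-SYN-ACK round trip, when the three-way handshake completed, and when the first payload left. The capture text is embedded as constructed sample input and the report field names are my own.

```python
import re
from datetime import datetime

# Constructed sample input: the four-packet connection open from Capture 1.
CAPTURE_1 = """\
12:00:00.000000 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [S], seq 1001, win 64240, length 0
12:00:00.056120 IP 93.184.216.34.443 > 10.0.0.5.51514: Flags [S.], seq 7001, ack 1002, win 65535, length 0
12:00:00.056300 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [.], ack 7002, win 64240, length 0
12:00:00.056480 IP 10.0.0.5.51514 > 93.184.216.34.443: Flags [P.], seq 1002:1519, ack 7002, length 517
"""

# One tcpdump line: timestamp, endpoints, flags, optional seq/ack/win, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r"(?:, win \d+)?, length (?P<length>\d+)$"
)


def parse_tcpdump(text):
    """Parse tcpdump's one-line-per-packet output; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "t": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
            "length": int(d["length"]),
        })
    return packets


def diagnose_open(packets):
    """Find the SYN, the SYN-ACK answering it, the client ACK and the first payload; times in ms."""
    def ms(a, b):
        return round((b["t"] - a["t"]).total_seconds() * 1000, 3)
    syn = next(p for p in packets if p["flags"] == "S")
    synack = next(p for p in packets if p["flags"] == "S." and p["ack"] == syn["seq"] + 1)
    ack = next(p for p in packets if p["flags"] == "." and p["ack"] == synack["seq"] + 1)
    first_data = next((p for p in packets if p["length"] > 0), None)
    report = {
        "rtt_ms": ms(syn, synack),        # SYN -> SYN-ACK: one network round trip
        "handshake_ms": ms(syn, ack),     # SYN -> client ACK: TCP open complete
        "first_payload_ms": ms(syn, first_data) if first_data else None,
        "first_payload_bytes": first_data["length"] if first_data else 0,
        "payload_from_client": bool(first_data and first_data["src"] == syn["src"]),
    }
    # If nearly all of the open was spent waiting for the SYN-ACK, the wire RTT is the cost.
    report["dominant_cost"] = "network rtt" if report["rtt_ms"] > 0.9 * report["handshake_ms"] else "local"
    return report
```

On Capture 1 the report shows a 56 ms RTT against well under half a millisecond of local work before the 517-byte client payload goes out.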

Capture 2 — dig +trace

$ dig +trace www.example.com

.                  518400  IN  NS  a.root-servers.net.
com.               172800  IN  NS  a.gtld-servers.net.
example.com.       172800  IN  NS  a.iana-servers.net.
www.example.com.   60      IN  A   93.184.216.34
;; Received 56 bytes from 199.43.135.53#53(a.iana-servers.net) in 48 ms

Quiz

The final A record has TTL 60. The site sits behind a CDN. What does that 60-second TTL cost you, and is it the right default?

Capture 3 — curl -v TLS handshake

* Connected to example.com (93.184.216.34) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2

Quiz

This is a TLS 1.3 handshake. What two facts does a senior read off it immediately?

Capture 4 — Alt-Svc and the HTTP/3 upgrade

$ curl -sI https://example.com
HTTP/2 200
alt-svc: h3=":443"; ma=86400

$ curl --http3 -sI https://example.com
HTTP/3 200

Quiz

The first response came over HTTP/2 yet advertises h3. Why does the browser still reach the page over HTTP/2 on the very first visit?

Recap

Reading the stack from its own output: a tcpdump shows the SYN/SYN-ACK/ACK plus the ClientHello, so you can see one RTT of TCP before any TLS data; dig +trace exposes the delegation walk and the TTL that decides how often the cold-DNS cost recurs; a curl TLS trace tells you whether the handshake was full or resumed (a Certificate message means full) and which ALPN protocol won; and the Alt-Svc header reveals that HTTP/3 is discovered on a prior h2 connection and upgraded to QUIC on the next. The skill is finding the one line that tells the story and turning it into an action.
