
How to Diagnose Game Network Issues with tcpdump: Real-World Cases and Tips

This article shares practical game‑operation case studies using tcpdump and Wireshark, explains the underlying principles, and provides actionable tips for network troubleshooting, Wireshark configuration, tcpdump parameters, filters, and Android capture methods.

Efficient Ops
In game operations, network‑related failures are common; using tcpdump to capture packets and Wireshark to analyze them helps quickly locate and resolve issues.

Background

Typical problems include patch update failures, lag on mobile clients, login failures, and so on. Rather than assuming the network is at fault, capture the traffic with tcpdump first; what the capture shows decides the next step.

Common Cases

1. Client update failure

During a test in November 2012, some players could not update the client. The packet capture showed the client's download request being redirected to an IP address that did not belong to the company.

Because the capture pins down the exact address the request went to, it narrows the cause to a DNS hijack on the player's resolver or a CDN misconfiguration, and gives you the address to check against the expected CDN ranges.

2. Virtual machine bandwidth anomaly

Monitoring reported the VM's minimum and maximum bandwidth as the same value, 100 Mb/s, which is abnormal for a host whose game traffic normally fluctuates. A packet capture showed SYN packets carrying payload, which pointed to a flood (a DoS attempt) rather than to legitimate connections.

A normal TCP stack does not put application data in the SYN it sends: RFC 793 permits it, but implementations hold the data until the handshake completes, so data-bearing SYNs usually come from a packet generator.

Note: TCP Fast Open (RFC 7413), available in newer Linux kernels, is the exception. It does place data in the SYN, and such a segment carries a TFO option (kind 34), so check for that option before treating data-bearing SYNs as an attack.

3. Nginx 499 error

During operation of the “You” messaging tool, Nginx logs showed many 499 status codes. 499 is an Nginx-specific code logged when the client closes the connection before Nginx has sent a response.

Two issues were identified in the capture:

The red-circled packets in the capture screenshot show a 54-second gap between the NetScaler receiving the client's SYN and forwarding the connection to the backend.

The yellow-circled packets show the client sending FIN,ACK only 0.6 s after its HTTP request, i.e. the client gave up before any response arrived, which is exactly what Nginx records as 499.
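The timing analysis behind case 3, as an added example that is not part of the original article: it takes per-packet records (timestamp, endpoints, TCP flags, payload length), groups them into connections, and reports the handshake latency and whether the client sent FIN before any response bytes arrived. The packet records below are constructed to mirror the two findings (a SYN answered after 54 s, a FIN 0.6 s after the request); the addresses are invented, and the 1-second slow-handshake threshold is an assumption.

```python
from collections import defaultdict

SYN, FIN, ACK = 0x02, 0x01, 0x10

# Constructed packet records (timestamp, src, dst, TCP flags, payload bytes).
# They reproduce the two findings above; the addresses are invented.
SAMPLE = [
    # backend connection: the SYN sits 54 s before the SYN/ACK comes back
    (0.000, "10.1.1.5:51000", "10.2.2.9:80", SYN, 0),
    (54.012, "10.2.2.9:80", "10.1.1.5:51000", SYN | ACK, 0),
    (54.013, "10.1.1.5:51000", "10.2.2.9:80", ACK, 0),
    (54.014, "10.1.1.5:51000", "10.2.2.9:80", ACK, 312),    # HTTP request
    (54.200, "10.2.2.9:80", "10.1.1.5:51000", ACK, 1460),   # HTTP response
    # client connection: FIN 0.6 s after the request, no response ever sent
    (100.000, "192.0.2.7:40212", "10.1.1.5:80", SYN, 0),
    (100.010, "10.1.1.5:80", "192.0.2.7:40212", SYN | ACK, 0),
    (100.011, "192.0.2.7:40212", "10.1.1.5:80", ACK, 0),
    (100.012, "192.0.2.7:40212", "10.1.1.5:80", ACK, 280),  # HTTP request
    (100.612, "192.0.2.7:40212", "10.1.1.5:80", FIN | ACK, 0),
]


def group_streams(packets):
    """Group packets into connections keyed by the unordered endpoint pair."""
    streams = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        streams[frozenset((pkt[1], pkt[2]))].append(pkt)
    return streams


def first(pkts, pred):
    """First packet satisfying pred, or None."""
    return next((p for p in pkts if pred(p)), None)


def analyse(packets, slow_handshake_s=1.0):
    """Return {client endpoint: findings} for every connection whose SYN is in the capture."""
    report = {}
    for pkts in group_streams(packets).values():
        syn = first(pkts, lambda p: p[3] & SYN and not p[3] & ACK)
        if syn is None:
            continue                     # mid-stream capture, client side unknown
        client = syn[1]
        synack = first(pkts, lambda p: (p[3] & (SYN | ACK)) == (SYN | ACK) and p[2] == client)
        request = first(pkts, lambda p: p[1] == client and p[4] > 0)
        response = first(pkts, lambda p: p[1] != client and p[4] > 0)
        client_fin = first(pkts, lambda p: p[1] == client and p[3] & FIN)
        entry = {
            "handshake_s": round(synack[0] - syn[0], 3) if synack else None,
            "request_to_fin_s": round(client_fin[0] - request[0], 3) if request and client_fin else None,
            "response_seen": response is not None,
            "problems": [],
        }
        if entry["handshake_s"] is not None and entry["handshake_s"] > slow_handshake_s:
            entry["problems"].append("slow handshake")
        # the 499 signature: the client's FIN precedes any server payload
        if request and client_fin and (response is None or client_fin[0] < response[0]):
            entry["problems"].append("client closed before any response (499 pattern)")
        report[client] = entry
    return report


if __name__ == "__main__":
    for client, findings in analyse(SAMPLE).items():
        print(client, findings)
```

On a real capture the records come from a pcap reader rather than a list literal; keying on the unordered endpoint pair is what lets you match the client-side and backend-side legs of a load balancer hop, which is how the 54-second gap shows up.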

4. Mobile game access anomaly

Packet capture revealed three root causes:

China Mobile's network equipment appeared to filter the HTTP traffic; that part can only be resolved by a complaint to the carrier.

The client's User-Agent header is incomplete. RFC 2616 (section 14.43) only says clients SHOULD send it, but many servers and intermediaries reject requests without a usable value.

The POST data was placed entirely in HTTP headers, leaving a zero-length body. The request should be restructured so the payload travels in the body with a correct Content-Length.
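A check for the two client-side defects in case 4, added here as an example and not part of the original article: it parses a raw HTTP/1.x request as reassembled from a capture (Follow TCP Stream, or the bytes after the TCP header) and reports a missing or empty User-Agent, a POST with no body, a Content-Length that disagrees with the body, and an oversized header block. The two requests are constructed to resemble the faulty client and a corrected one; the hostname, header names and the 4096-byte header threshold are assumptions.

```python
# Constructed requests: one resembling the faulty client, one corrected. Not real captures.
BAD_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: game.example.com\r\n"
    b"User-Agent: \r\n"                 # present but empty
    b"X-Account: alice\r\n"            # payload smuggled into headers
    b"X-Token: 5f1c9e2a\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
GOOD_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: game.example.com\r\n"
    b"User-Agent: GameClient/2.1 (Android 4.0)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"account=alice&token=5f1c9e2a"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; a repeated name keeps its last value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return method, target, headers, body


def lint_request(raw, max_header_bytes=4096):
    """Return the list of client-side defects found in one request (empty if clean)."""
    method, _target, headers, body = parse_request(raw)
    problems = []
    if not headers.get("user-agent"):
        problems.append("missing or empty User-Agent")
    if method == "POST":
        declared = int(headers.get("content-length", "0"))
        if declared == 0 or not body:
            problems.append("POST with zero-length body (payload carried in headers?)")
        elif declared != len(body):
            problems.append("Content-Length %d does not match body length %d" % (declared, len(body)))
    header_bytes = len(raw) - len(body)
    if header_bytes > max_header_bytes:   # threshold is an assumption; tune per server
        problems.append("header block of %d bytes exceeds %d" % (header_bytes, max_header_bytes))
    return problems


if __name__ == "__main__":
    print("bad :", lint_request(BAD_REQUEST))
    print("good:", lint_request(GOOD_REQUEST))
```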

Techniques

1. Wireshark configuration tips

Disable dissection of protocols that are irrelevant to the problem (Analyze > Enabled Protocols), so the packet list is neither cluttered nor mis-decoded.

Switch off relative sequence numbers (Edit > Preferences > Protocols > TCP) so Wireshark shows the absolute values that match what tcpdump prints.

Add non-standard HTTP ports (e.g., 10001) to the HTTP protocol preferences, or use Decode As, so that traffic is decoded as HTTP.

Use Follow TCP Stream to read one connection as reassembled text, and the Conversations and Expert Info windows to find the stream that matters.

Apply display filters such as

tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.flags.reset == 1 or icmp

to isolate retransmissions, resets and ICMP errors.

2. Essential tcpdump parameters

-i : capture interface. Without it, tcpdump picks the lowest-numbered interface that is up (excluding loopback), usually eth0; -i any captures on all interfaces.

-n / -nn : do not resolve IP addresses (-n) or ports and protocols (-nn) to names, which avoids slow DNS lookups during capture; -nnn is accepted but adds nothing beyond -nn.

-s : snap length. -s 0 captures whole packets (up to 262144 bytes, which is also the default in modern tcpdump); old versions defaulted to 68 bytes and truncated payloads, so without -s 0 the HTTP body was missing from the capture.

-c : stop after the given number of packets.

-w : write the raw capture to a pcap file for later analysis with Wireshark (tcpdump reads it back with -r).

3. tcpdump filter examples

host a.b.c.d : traffic to or from one host.

tcp port x : traffic on one TCP port, in either direction.

icmp : ICMP packets only.

not port 22 : everything except SSH. The same filter written as ! port 22 must be quoted ('! port 22') because an unquoted ! triggers history expansion in interactive bash.

Filters combine with and, or and not, e.g. host a.b.c.d and tcp port x, or tcp port x or icmp. Quote the whole expression when it contains spaces or parentheses.

4. Using tcpdump on Android

Root access is required. Download the Android tcpdump binary from http://www.androidtcpdump.com/android-tcpdump/downloads, push it to the device with adb (part of the Android SDK platform tools, http://developer.android.com), make it executable, and then capture as on Linux, for example writing to /sdcard with -w and copying the file back with adb pull.

Underlying Principles

1. tcpdump call model

tcpdump is built on libpcap, which on Linux opens a PF_PACKET socket: a packet-level tap at the link layer (OSI Layer 2) that sits next to the network driver rather than inside the IP stack. The call, from man 7 packet (it needs CAP_NET_RAW, in practice root):

```c
#include <sys/socket.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>   /* the L2 protocols, e.g. ETH_P_ALL */
#include <arpa/inet.h>      /* htons() */

/* SOCK_RAW: frames arrive with the Ethernet header; htons(ETH_P_ALL): every protocol */
int packet_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
```

PF_PACKET sockets receive raw Ethernet frames. socket_type is SOCK_RAW (each packet includes the link-layer header) or SOCK_DGRAM (the link-layer header is stripped and the link-level address is reported separately in a sockaddr_ll, leaving the network-layer packet). Passing htons(ETH_P_ALL) as the protocol captures every protocol; the htons() matters because the protocol field is in network byte order.
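What libpcap then does with those bytes, as an added example that is not part of the original article and serves both this section and case 2 above: a Python parser that accepts either a SOCK_RAW frame (Ethernet header present) or a SOCK_DGRAM packet (header stripped), pulls out the IPv4 and TCP headers, and classifies SYN segments that carry payload, distinguishing a legitimate TCP Fast Open SYN (option kind 34) from one that an ordinary stack never sends. The frames are built by build_frame with invented addresses and zero checksums; open_packet_socket shows the Python equivalent of the C call and needs Linux plus CAP_NET_RAW, but the parsing works on plain bytes and does not need it.

```python
import socket
import struct

ETH_P_ALL = 0x0003        # "every protocol", as in <linux/if_ether.h>
ETH_P_IP = 0x0800
ETH_HDR_LEN = 14
TCP_FLAG_SYN = 0x02
TCP_OPT_FASTOPEN = 34     # TCP Fast Open option kind, RFC 7413


def parse_tcp_frame(data, cooked=False):
    """Describe the TCP segment in `data`, or return None if it is not IPv4/TCP.

    cooked=False: data as delivered by SOCK_RAW (Ethernet header included).
    cooked=True:  data as delivered by SOCK_DGRAM (network-layer packet only)."""
    if cooked:
        pkt = data
    else:
        if len(data) < ETH_HDR_LEN or struct.unpack("!H", data[12:14])[0] != ETH_P_IP:
            return None
        pkt = data[ETH_HDR_LEN:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    options, payload = tcp[20:data_off], tcp[data_off:]
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "sport": sport,
        "dst": socket.inet_ntoa(pkt[16:20]), "dport": dport,
        "seq": seq, "flags": off_flags & 0x1FF,
        "syn": bool(off_flags & TCP_FLAG_SYN),
        "tfo": _has_option(options, TCP_OPT_FASTOPEN),
        "payload_len": len(payload),
    }


def _has_option(options, kind):
    """Walk the TCP option list (kind, length, data) looking for `kind`."""
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:                 # End of Option List
            return False
        if k == 1:                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):  # truncated option
            return False
        if k == kind:
            return True
        i += max(options[i + 1], 2)   # guard against a bogus length of 0 or 1
    return False


def classify_syn(seg):
    """'normal': not a SYN, or a SYN without data.
    'tfo': SYN with data and a Fast Open option (legitimate, RFC 7413).
    'suspect': SYN with data and no TFO option, which ordinary stacks never send."""
    if not seg["syn"] or seg["payload_len"] == 0:
        return "normal"
    return "tfo" if seg["tfo"] else "suspect"


def build_frame(payload=b"", syn=True, tfo=False):
    """Constructed Ethernet + IPv4 + TCP frame with invented addresses and zero checksums."""
    opts = bytes([TCP_OPT_FASTOPEN, 2, 1, 1]) if tfo else b""   # empty TFO cookie request + 2 NOPs
    data_off = (20 + len(opts)) // 4
    flags = TCP_FLAG_SYN if syn else 0x18                        # PSH|ACK for a mid-stream segment
    tcp = struct.pack("!HHIIHHHH", 40000, 10001, 1, 0, (data_off << 12) | flags, 65535, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.2"), socket.inet_aton("10.0.0.1"))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def open_packet_socket():
    """Linux only, needs CAP_NET_RAW: the same socket() call libpcap makes for tcpdump."""
    return socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))


if __name__ == "__main__":
    for frame in (build_frame(b"GET / HTTP/1.0\r\n\r\n"), build_frame(b"x", tfo=True), build_frame()):
        seg = parse_tcp_frame(frame)
        print(seg["src"], seg["dport"], classify_syn(seg))
```

Feeding the same frames through a capture loop (recvfrom on the socket from open_packet_socket, or a pcap reader) and counting 'suspect' per source address gives the evidence case 2 needed; the 'tfo' class is the caveat that keeps Fast Open clients from being misreported.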

2. tcpdump and iptables

On ingress the packet tap used by PF_PACKET sockets runs in the driver receive path, before netfilter, so packets dropped by iptables INPUT rules are still captured. On egress the tap runs in dev_queue_xmit, after the OUTPUT and POSTROUTING hooks, so locally generated packets dropped by OUTPUT rules never reach tcpdump.

INPUT DROP → still captured.

OUTPUT DROP → not captured.

So a packet that appears in tcpdump but never reaches the application points at the host's own firewall or the application, not at the network; a reply the application sent but tcpdump never shows points at an OUTPUT rule.

Conclusion

When encountering network problems in game operations, start with tcpdump captures; the evidence will often reveal the root cause and guide further troubleshooting.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
