3

Wireshark provides tshark and dumpcap, and I've also seen people using the wireshark binary or even tcpdump to collect/save network traffic.

Online it is claimed that tshark or dumpcap hardly make a difference though. There are also some other discussion about the memory footprint.

So what is the difference between these tools? Is one newer than another one (i.e. is one "legacy" and should not be used anymore) and are there other – generally accepted – recommendations for which to use?

Edit: I've seen this question, but it just explains the basics. So if you have a use case of just collecting traffic, what should one use here? Or, more generally: which tool can satisfy which use case?

rugk
  • 133
  • 1
  • 5

2 Answers

11

Wireshark is a graphical application. tshark is that application without the GUI. (i.e. command line.) dumpcap, per Wireshark's documentation, is "a small program whose only purpose is to capture network traffic, while retaining advanced features like capturing to multiple files (since version 0.99.0). Dumpcap is the engine under the Wireshark/tshark hood." All three applications can write to a file. Wireshark's GUI can select which packets one wants to save. (tshark will record everything.)

tcpdump is a different, older traffic capture application. It never had a GUI, and it has a very different filter syntax and capture packet format.

(Personal preference... I use tcpdump at the command line and for capture files. Then use Wireshark to look at the traffic in detail.)

Ricky
  • 31,438
  • 2
  • 43
  • 84
1

What people use depends on their knowledge but also on tool availability on the system. Because of its graphical user interface I prefer to use Wireshark. It also has a lot of knowledge about decoding protocols and presenting the component fields (and it helps you use those fields to make custom display filters).

Note: filter syntax used to select captured packets is different from the display filter.

tshark & dumpcap (present in the Wireshark distribution) are command line tools used to capture network traffic from a terminal.

Note: tshark uses dumpcap.

So when it is possible to lose packets (the LAN speed is so high that it matches the capture & writing speed), use dumpcap. See the info & video at https://www.networkcomputing.com/networking/wireshark-packet-capture-tshark-vs-dumpcap.

Both tools have nice features such as capturing to files and limiting the packet size, file size or even the number of files (and you can use them circularly). See https://www.wireshark.org/docs/man-pages/dumpcap.html and https://www.wireshark.org/docs/man-pages/tshark.html.

To underline what is written above, I would like to quote https://tshark.dev/capture/dumpcap/: "Dumpcap is the part of the wireshark suite that captures packets. Unlike Wireshark and tshark, dumpcap cannot see non-physical interfaces like extcap interfaces. tshark has most of the same flags that dumpcap has because tshark calls dumpcap for much of its capture functionality."

But Wireshark & co. are not installed on all systems. So I use tcpdump on the command line when Wireshark is not available or when I want to quickly debug network/routing issues (e.g. I only want to see whether packets are flowing both ways on a known port).
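A concrete form of the ring-buffer capture the second answer refers to, as an added shell example that is not part of either answer: it builds the equivalent bounded-capture command line for dumpcap, tshark and tcpdump. The interface name eth0, the output paths, the 96-byte snaplen and the "tcp port 443" capture filter are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Ring-buffer parameters are
# assumed: 10 files of 100 MB each, 96-byte snaplen so headers are kept
# but most payload is not written to disk.
FILES=10
SIZE_MB=100
SNAPLEN=96
CAPFILTER='tcp port 443'   # BPF capture filter; this syntax is shared by all three tools

# Print the capture command for a tool, an interface and a base output file.
# Note the capture filter (-f / trailing expression) is applied at capture
# time; a tshark display filter (-Y) only narrows what is printed or re-saved
# from an existing file, so it does not reduce what hits the ring buffer.
build_capture_cmd() {
    tool=$1; iface=$2; out=$3
    case "$tool" in
        dumpcap)
            # -b filesize: is in kB, -b files: bounds the number of ring files
            printf 'dumpcap -i %s -s %s -f "%s" -b filesize:%s -b files:%s -w %s\n' \
                "$iface" "$SNAPLEN" "$CAPFILTER" "$((SIZE_MB * 1024))" "$FILES" "$out" ;;
        tshark)
            # same flags as dumpcap, because tshark hands -i/-f/-b/-w to dumpcap
            printf 'tshark -i %s -s %s -f "%s" -b filesize:%s -b files:%s -w %s\n' \
                "$iface" "$SNAPLEN" "$CAPFILTER" "$((SIZE_MB * 1024))" "$FILES" "$out" ;;
        tcpdump)
            # -C is the file size in MB, -W bounds the file count and makes the
            # set rotate, -Z drops root after the interface has been opened
            printf 'tcpdump -i %s -s %s -nn -C %s -W %s -Z nobody -w %s "%s"\n' \
                "$iface" "$SNAPLEN" "$SIZE_MB" "$FILES" "$out" "$CAPFILTER" ;;
        *)
            echo "unknown tool: $tool" >&2; return 1 ;;
    esac
}

# Run the capture only if the tool is installed; otherwise just show the command.
run_capture() {
    cmd=$(build_capture_cmd "$1" "$2" "$3") || return 1
    if command -v "$1" >/dev/null 2>&1; then
        echo "running: $cmd"
        eval "$cmd"            # needs root or capture capabilities on the interface
    else
        echo "$1 not installed; would run: $cmd"
    fi
}
```

Usage: `run_capture dumpcap eth0 /tmp/ring.pcapng` starts a capture that never grows past roughly 1 GB on disk, which is the property the answer recommends dumpcap for when packet loss is a concern.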