Frequently Asked Question
How is Wireshark different from tcpdump?
Wireshark and tcpdump capture the same packets (both sit on top of libpcap),
but they present them very differently. tcpdump is a terminal tool that prints
a one-line summary per packet and runs anywhere SSH does, including embedded
boxes. Wireshark is a desktop GUI that decodes hundreds of protocols, shows the
packet bytes side by side with a fully expanded protocol tree, follows TCP and
HTTP streams, builds flow graphs, and lets you click your way through a
capture interactively.
The usual workflow is to capture on a remote box with tcpdump
(sudo tcpdump -i eth0 -w /tmp/cap.pcap port 443), copy the .pcap file off, and
open it in Wireshark on your laptop. The two filter languages do different jobs:
tcpdump's BPF expression (port 443 above) is a capture filter that decides which
packets get written at all, while Wireshark's display filters select from an
already decoded capture and can reference any dissected field, for example
tcp.flags.syn == 1 && tcp.flags.ack == 0, http.request.method == "POST", or
dns.qry.name contains "example". The captures themselves are interchangeable,
since both tools read and write the libpcap file format. Both require root or
the appropriate capabilities (CAP_NET_RAW and CAP_NET_ADMIN on Linux) to read
raw packets.
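To make "interchangeable" concrete, here is an added example (not part of the original FAQ): a small Python script that builds a constructed capture in the classic libpcap file format that tcpdump -w writes and Wireshark opens, reads it back, and applies the SYN-without-ACK display filter quoted above by decoding the same fields Wireshark names. The addresses, ports and packet bytes are all constructed; no real traffic is involved.

```python
import struct

LINKTYPE_ETHERNET = 1

def build_tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame (zero MACs, checksums left 0) for the sample."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in the classic libpcap file format: 24-byte global header, 16-byte records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: a TCP handshake to port 443, as `tcpdump -w` would save it.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, 0x02),   # SYN
    build_tcp_frame("192.0.2.10", "10.0.0.5", 443, 51000, 0x12),   # SYN+ACK
    build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, 0x10),   # ACK
])

def read_pcap(data):
    """Yield raw frames from a pcap file, honouring the byte order the magic number announces."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP into Wireshark-style field names; None for other traffic."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or IP protocol not TCP
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]           # skip Ethernet + IPv4 header (IHL)
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ip.src": ".".join(map(str, frame[26:30])), "ip.dst": ".".join(map(str, frame[30:34])),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": (tcp[13] >> 1) & 1, "tcp.flags.ack": (tcp[13] >> 4) & 1}

def connection_attempts(pcap_bytes):
    """Same selection as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    pkts = (decode_tcp(f) for f in read_pcap(pcap_bytes))
    return [p for p in pkts if p and p["tcp.flags.syn"] == 1 and p["tcp.flags.ack"] == 0]
```

Writing SAMPLE_PCAP to a file and opening it in Wireshark shows the same three frames with the same field names the decoder uses.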