On 8/26/23 5:32 AM, Erik Auerswald wrote:
> There is a CLI "version" of Wireshark called "TShark" (tshark).
> It is from the Wireshark developers. It provides more detailed
> information than tcpdump, i.e., the Wireshark protocol dissection.
> (I usually start with tcpdump for a first impression. TShark provides
> an alternative to copying a capture file to a system with a GUI.)
I absolutely agree.
My experience is that most systems I want to capture packets on do have
tcpdump installed but don't have tshark installed, or at least not at the
time I want to do the capture.
As such, I use tcpdump for things on the system and occasionally pull
pcap(ng) files back to my workstation, where I use Wireshark with all my
preferences and local name resolution information.
I have also used Wireshark's remote capability a few times, where it can
use ssh to run tcpdump on a remote system. That's a very slick feature
when you take the few minutes to set it up the first time.
I did this on systems I routinely captured traffic on. E.g., I
frequently have my primary workstation pre-configured to ssh into the
router / firewall and remotely run tcpdump to display in Wireshark
running on said workstation.
Grant. . . .
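The ssh-into-tcpdump setup described in the reply above, written out as an added example (it is not code from the original thread or from the Wireshark project). The host names, interface names, the `REMOTE_SUDO` variable and the use of `$SSH_CONNECTION` on the remote side are assumptions for illustration; the remote account is assumed to be allowed to run tcpdump (root, `sudo -n`, or cap_net_raw on the binary).

```shell
#!/bin/sh
# remote_capture.sh: run tcpdump on a remote host over ssh and stream the
# pcap into a local Wireshark (GUI) or tshark (CLI) session.
# Added example, not from the original thread; names are assumptions.

# Build the tcpdump command that the REMOTE shell will run.
#   $1 = remote interface, $2 = optional extra BPF filter (no double quotes)
# The filter excludes the ssh session that carries the capture itself:
# without it every captured packet is sent back over ssh, captured again,
# and the stream snowballs.  ${SSH_CONNECTION%% *} is kept literal here
# (single quotes) and expanded by the remote shell, where sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port", so only
# OUR ssh session is excluded, not all port-22 traffic.
# REMOTE_SUDO (e.g. "sudo -n") is prepended when set; assumption.
remote_tcpdump_cmd() {
    iface=$1
    extra=${2:-}
    sudo="${REMOTE_SUDO:+$REMOTE_SUDO }"
    filter='not (tcp port 22 and host ${SSH_CONNECTION%% *})'
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    # -U: flush per packet so the local viewer updates live
    # -s 0: full packets; -w -: raw pcap on stdout
    printf '%stcpdump -i %s -U -s 0 -w - "%s"' "$sudo" "$iface" "$filter"
}

# Stream the capture into a local viewer.
#   $1 = ssh target (user@host), $2 = remote interface,
#   $3 = viewer: wireshark (default) or tshark, $4 = optional extra filter
# wireshark -k starts capturing immediately, -i - reads pcap from stdin;
# tshark -r - is the no-GUI equivalent with the same dissectors.
run_remote_capture() {
    target=$1
    iface=$2
    viewer=${3:-wireshark}
    extra=${4:-}
    cmd=$(remote_tcpdump_cmd "$iface" "$extra")
    case $viewer in
        wireshark) ssh "$target" "$cmd" | wireshark -k -i - ;;
        tshark)    ssh "$target" "$cmd" | tshark -r - ;;
        *) echo "unknown viewer: $viewer (use wireshark or tshark)" >&2
           return 2 ;;
    esac
}

# Usage (assumed host/interface):
#   REMOTE_SUDO='sudo -n' ./remote_capture.sh admin@router eth0 wireshark 'udp port 53'
if [ "$#" -ge 2 ]; then
    run_remote_capture "$@"
fi
```

If the remote login did not come in over ssh, `SSH_CONNECTION` is unset and tcpdump rejects the filter, which is the safer failure than silently capturing the feedback loop.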