What is the alternative to Wireshark for Linux?
If you're running a Linux server, odds are you're running Wireshark.
This is one of the best-known network sniffing applications available for Linux, and it can do a lot of useful things like deep packet inspection, protocol analysis, and debugging. The biggest problem with Wireshark for Linux is that it requires root permissions. This isn't ideal for non-administrative use. Luckily, there are alternatives. Let's take a look.
Wireshark alternatives: What does the software provide?
Unlike most network sniffing apps, Wireshark provides network protocol analysis features, including data viewing, filtering, protocol decoding, and dumping. It supports IP and TCP protocols in a single capture, giving you the ability to analyze traffic from multiple interfaces and multiple protocol layers. You can also view network flows in detail by decoding TCP and UDP headers. It can also read and display a multitude of file types, including compressed formats like pcap, as well as network captures.
What isn't Wireshark able to do?
It's limited in what it can do. For example, Wireshark can only examine a small fraction of the packets in a pcap file. What's worse, Wireshark only supports 32-bit Ethernet (802.3) captures. That doesn't work for any version of IPX or VMBus, for example. These days, we need to make sure we get the right layer 2 media for our communications. That means you'll need the Wireshark equivalents.
What about other options?
We've covered a number of options already. However, Wireshark is the most popular of them, so I'd recommend using that if you have the option. If not, the Wireshark alternatives listed below would also be good options. Most have their own reasons for existing, too. Some are just better at doing certain things than others.
Pcapdump
As its name suggests, pcapdump was built specifically to support Linux network captures.
Why is tcpdump better than Wireshark?
The short answer is "because it's more comprehensive, and has a much wider range of capabilities".
The longer answer is a bit technical, but here goes: Wireshark is a packet sniffer that is useful for discovering how applications work. It supports a wide variety of protocols, so it can be used to decode many different network protocols. Wireshark can also show network statistics, analyze SSL/TLS sessions, and even decode HTTP responses.
Wireshark is good, but it can be quite difficult to set up, configure, and use. Tcpdump is a packet analyzer that was designed for people who want to decode TCP/IP packets on the command line, instead of using a graphical interface. Tcpdump is really just a glorified filter.
Tcpdump is easier to set up, configure, and use. Tcpdump is more complete. Tcpdump can decode HTTP responses, show network statistics, and even decode HTTP cookies.
What makes tcpdump better than Wireshark?
Wireshark is designed to decode many different protocols, and tcpdump is designed to decode TCP/IP packets on the command line. Wireshark provides a much wider range of capabilities, but tcpdump can do some things that Wireshark cannot. For example:
Tcpdump is able to decode HTTP responses, showing the text of the responses, their headers, and even HTTP cookies. Wireshark cannot show this information.
Tcpdump is able to decode HTTP responses, showing the TCP stream between client and server. Wireshark cannot show network statistics, so tcpdump shows how much bandwidth each TCP connection uses. Wireshark can decode SSL/TLS sessions, while tcpdump can't.
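As an added example that is not part of the original article or of either tool: a minimal classic-pcap reader in Python that decodes the Ethernet, IPv4 and TCP headers mentioned above and sums the bytes carried by each TCP connection, the per-connection bandwidth figure the text attributes to tcpdump. The capture it parses is constructed inline (build_frame and build_pcap are demo helpers with checksums left at zero, not tcpdump or Wireshark code).

```python
import socket
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, EtherType 0x0800 = IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian pcap 2.4 file with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    """Yield (timestamp, frame) from a classic pcap buffer, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(end + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (linktype 1) is decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record: stop instead of mis-parsing it
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame

def bytes_per_tcp_connection(data):
    """Sum IPv4 total-length bytes per (src, sport, dst, dport) TCP flow."""
    totals = defaultdict(int)
    for _ts, frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue  # not TCP, or too short to hold the port fields
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        totals[(src, sport, dst, dport)] += total_len
    return dict(totals)
```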