Wireshark Vs. Tcpdump



Packet capturing analysis, like log analysis, traffic analysis is also important for network security. Traffic analysis is done by packet captures and packet analysis. Traffic in a network is the basically a flow of packets. Now, being able to capture and inspect those packets is important to understand in what type of traffic flowing in our network, we would like to protect.

For this analysis, a range of tools are available, and Wireshark & tcpdump are the 2 most common one.


What does Google say?

Tcpdump: It is a data-network packet analyser computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Wireshark: It is a free and open-source packet analyzer, used for network troubleshooting, analysis, software and communications protocol development, and education.


**Remember packets are just collection of data or groupings of 1’s and 0’s, they just represent information depending upon the values of this data and their position in the data stream.


Let’s dig a bit deeper.

User Interface:


CLI based packet capturing tool.


 For beginners, tcpdump is a better choice as it offers you a better environment to learn. But once you have a yours fingers set, wireshark is a better platform to work.


Available Network Interfaces:



 Tcpdump, more often provides you for the system based conventional interfaces. But when it comes to additional network interfaces, these are better mapped in wireshark. So, depending upon your use you can choose.

PCAP library:

Packet Capture or PCAP is an application programming interface that captures live network packet data from OSI model Layers 2-7. Network analyzers like tcpdump, wireshark create .pcap files to collect and record packet data from a network. PCAP comes in a range of formats including LibpcapWinPcap, and PCAPng.

Both tcpdump and wireshark use the same open source libpcap library. 


Traffic analyzed:

As already defined, network traffic is the flow of packets in a network. Depending upon the port service and flags, the traffic varies.
Tcpdump can do only the basic analysis of some types of traffic like dns queries etc.
Whereas, wireshark is way more extensible in protocol and packet analysis, it can decrypt the data payloads if the encryption keys are known, identify data payloads from file transfers like even from smtp, http etc.

So, for simple filters tcpdump is always a good choice, but for complex filters wireshark should be your priority.

Reading pcap files:

PCAP is a valuable resource for file analysis and to monitor your network traffic. Packet collection tools like Wireshark allow you to collect network traffic and translate it into a format that’s human-readable. And this pcap file can be generated on any system by capturing the files on that system, shared to another and the captured packets can be analysed from this pcap file here.

Both tcpdump & wireshark support reading packet captures from a file, i.e. it reads pcap files too.

Note: Method of generating pcap file is different in both the tools. The above section is only about reading the already generated pcap files.


Operating modes:

Unlike Wireshark, tcpdump has CLI based execution which restricts the available operations on any captured packet. And so, tcpdump’s default operating mode is to provide a brief packet analysis, so as to minimize the operations and make the CLI execution smoother.

Wireshark’s understanding of application level protocols even extends to its filter strength. This allows filter rules like finding http requests with specific strings in the URL.  For example,  http.request.uri matches “q=wireshark”, this filter string will locate packets in our capturing that contain a specified string within it. In this case it would match a query parameter from a URL searching for “Wireshark”. Performing this string filter using Wireshark is way too easier as compared to tcpdump.

For Wireshark, just use the search bar and add the filter.

For tcpdump, command: (the filter string must be already known to you, and must be stored in the iptable)

sudo iptables -A INPUT -m string --alog bm --string attack_string -j DROP

 If your traffic analysis is brief, no doubt go with tcpdump, else if the analysis is more tabulated choose wireshark. 


Output format and PCAP file generation:

As already stated, tcpdump by default operates on minimal output format for better performance. Although pcap files capture the OSI layers 2-7, yet tcpdump converts key info from layers 3 and up into human readable format only. Then it prints info of each packet in the std:output or into your terminal. So, rather than direct I/O execution, tcpdump first generates a pcap of the captured packet (by default pcap file is not saved, it’s a user command), and then prints into the CLI. Even it’s possible to view the actual raw data contained in the packet (flag: -x or  -X).

Wireshark generates the pcap file for OSI layers 2-7, which it only generates when the user wants to save the captured packet externally. The output is directly displayed in the GUI, rather than generating a pcap file first, unlike tcpdump.

For a captured packet, tcpdump shows the time stamp of capturing the packet, layer 3 protocol, source and destination ip addresses, packet sequence, packet window size and payload length.

When captured a packet using wireshark, there are 3 windows: packet list window, packet layers and hexadecimal representation of the captured packer header. The same packet detail displayed by tcpdump is simply in the packet list window. In addition to this, by selecting every layer from the packet layer section, you can view the entire hexadecimal data of the captured packet, of that particular layer. 

So, in terms of output, wireshark is really awesome.


IP and port analysis:

Both, wireshark and tcpdump convert the source and destination IP address in dotted code format. It shows the port number used by the communication.

Although it performance this dotted format conversion, by default tcpdump will attempt to resolve host addresses to host names. Tcpdump allows you to replace port numbers with commonly associated services to that port. (flag: –n)

Wireshark’s better understanding of application protocols enables efficient filtering of packets on the basis of protocols along with their specific fields. It even allows tcp streams or session , which lets us to quickly reassemble and view both sides of the tcp session, so the complete 2-way exchange of information is quickly available to you. Wireshark also has the ability to decode WPA and web-encrypted packets. It can extract audio streams from unencrypted audio transfers. 

This efficient filtering and decoding of protocol based packet capturing in wireshark, it gives you a great edge over tcpdump.


Although, wireshark seems to be way better than tcpdump, yet for simple and short-hand based packet capturing, tcpdump is preferred. For simple scans and packet capturing, the output accuracy of tcpdump has better figures. But when it comes to complex scans, wireshark is always one’s first choice.


Demo scans:



Red: time stamp

Magenta: Layer 3 protocol (IPv4, here)

Yellow: source and destination ip address

Green: TCP flag

Brown:  TCP sequence number

Pink: ack number

Blue: tcp window size

Purple: payload size

Tcpdump allows us to inspect these values from packets directly.

Tcpdump gives a view of the contained data that fits into the various fields that make up the headers or layers of the packet.



Blue- list of packets

Red- layer wise representation of selected packet

Green- hexadecimal representation of the packet data

Above the packet list pane is the display filter box which allows complex filtration of packets shown. This is different from capture filters which follows the lib pcap standards from tcpdump.


The main aim is to analyze the network traffic by capturing the packets. Now, which tool to use is all personal preference, in terms of your ease with the tool, what output format you demand, and most importantly type of packet capturing simple/complex.