tcpdump vs Wireshark: when to use which
Compare tcpdump and Wireshark for packet capture, protocol analysis, and network debugging.
tcpdump and Wireshark both analyze network packets, but tcpdump operates on the command line while Wireshark provides a graphical interface with deep protocol decoding.
How tcpdump Captures and Displays Packets
tcpdump runs on the command line with no GUI dependency. It captures packets using the libpcap library and displays a one-line summary per packet showing timestamp, source, destination, protocol, flags, and size. tcpdump is installed on most Linux servers by default and requires no desktop environment.
How Wireshark Analyzes Packets
Wireshark provides a graphical interface with a three-pane display: packet list, protocol detail tree, and raw hex dump. Wireshark decodes hundreds of application-layer protocols (HTTP/2, gRPC, DNS, TLS, MySQL, PostgreSQL) and displays their fields in a structured tree. Wireshark also includes display filters, stream reassembly, and statistical analysis tools.
Feature Comparison: tcpdump vs Wireshark
| Feature | tcpdump | Wireshark |
|---|---|---|
| Interface | Command line | Graphical (GUI) |
| Installation | Pre-installed on most Linux servers | Requires separate installation and desktop |
| Protocol decoding | Basic (IP, TCP, UDP, DNS, HTTP) | Deep (hundreds of protocols) |
| Capture filters | BPF syntax | BPF syntax (same as tcpdump) |
| Display filters | Not supported (use grep) | Full display filter language |
| Stream reassembly | Not supported | TCP stream, HTTP stream, TLS decryption |
| Output format | Text (one line per packet) | GUI tree, hex dump, JSON, XML |
| pcap file support | Read and write | Read and write (same format) |
| Remote capture | Runs directly on the server | Requires remote capture agent or pcap file |
When to Use tcpdump
Use tcpdump for live captures on production servers where no GUI is available, for quick connectivity verification ("is traffic reaching this port?"), for capturing packets to a pcap file, and for scripted packet analysis. tcpdump is the right tool when the question is "are packets arriving?" rather than "what is inside those packets?"
When to Use Wireshark
Use Wireshark for deep protocol analysis, TLS decryption (with session keys), HTTP/2 and gRPC inspection, database wire protocol debugging, and any analysis that requires reassembling TCP streams. The common workflow: capture with tcpdump on the server, transfer the pcap file, and analyze in Wireshark on a workstation.
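To make the shared pcap format behind that workflow concrete, here is an added example (not code from the original page or from either project) in Python: it builds a one-packet capture in the classic pcap layout that tcpdump writes and Wireshark opens, reads it back, and prints the kind of one-line summary (timestamp, source, destination, flags, length) described under "How tcpdump Captures and Displays Packets". The frame, addresses and timestamp are constructed sample values, and the summary omits the seq/win/options fields that real tcpdump also prints.

```python
import struct

TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))  # tcpdump's letters, in its order

def build_sample_pcap() -> bytes:
    """Constructed capture: one Ethernet/IPv4/TCP SYN from 10.0.0.5:40000 to 10.0.0.9:443."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, DF flag, TTL, proto 6 (TCP), csum (zeroed), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    frame = eth + ip + tcp
    # pcap global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # per-packet record header: ts_sec, ts_usec, captured length, original length
    record_hdr = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) per record; the magic number fixes the byte order.
    Assumes linktype 1 (Ethernet), which is what tcpdump writes on an Ethernet interface."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        bo = "<"  # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        bo = ">"  # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(bo + "IIII", data, off)
        yield ts_sec, ts_usec, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def summarize(frame: bytes) -> str:
    """One-line, tcpdump-style summary (src.port > dst.port, flags, payload length) of an IPv4/TCP frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return "non-IPv4 frame"
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0], frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    if proto != 6:
        return f"IP {src} > {dst}: ip-proto-{proto}"
    t = 14 + ihl  # TCP header starts after the IPv4 header (including any options)
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off, flags = (frame[t + 12] >> 4) * 4, frame[t + 13]
    names = "".join(n for bit, n in TCP_FLAGS if flags & bit)
    return f"IP {src}.{sport} > {dst}.{dport}: Flags [{names}], length {total_len - ihl - data_off}"

def summary_lines(pcap: bytes) -> list:
    return [f"{s}.{us:06d} {summarize(f)}" for s, us, f in read_pcap(pcap)]
```

Writing the output of build_sample_pcap() to a file with a .pcap extension gives something both tcpdump -r and Wireshark will open, which is the hand-off point of the workflow above.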