Wireshark Linux PCAP – Differences Between Tshark, Dumpcap, and Others for Traffic Sniffing

linux, pcap, wireshark

Wireshark provides tshark and dumpcap, and I've also seen people using the wireshark binary or even tcpdump to collect/save network traffic.

Online it is claimed that tshark or dumpcap hardly make a difference though. There are also some other discussions about the memory footprint.

So what is the difference between these tools?
Is one newer than another one (i.e. is one "legacy" and should not be used anymore) and are there other – generally accepted – recommendations for which to use?

Edit: I've seen this question, but it just explains the basics. So if you have a use case of just collecting traffic, what should one use here?
Or more general: Which tool can satisfy which use case?

Best Answer

Wireshark is a graphical application. tshark is that application without the GUI (i.e. command line). dumpcap is a further refinement removing the capture logic; its purpose is to dump a previously recorded capture, possibly filtering it into a new capture file. All three applications can write to a file. The GUI can actually select which packets one wants to save. (tshark will record everything.)

tcpdump is a different, older, traffic capture application. It never had a GUI, and it has a very different filter syntax and capture packet format.

(Personal preference... I use tcpdump at the command line and for capture files. Then use wireshark to look at the traffic in detail.)
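Since these tools do not all write the same file format (tcpdump writes classic pcap by default, while dumpcap and tshark default to pcapng), the practical check before handing a saved capture to the next tool is to look at what format it actually is. The following Python parser is an added example, not code from the question or the answer: it identifies the format from the file magic, walks the records of a classic pcap file while validating each against the snaplen and the file length, and runs against a small capture constructed inline.

```python
import struct

# First four file bytes, read little-endian: classic pcap magics -> (byte order, timestamp divisor)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond pcap
               0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}   # nanosecond pcap
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block type, same bytes in either byte order

def identify(data: bytes) -> dict:
    """Tell classic pcap (tcpdump's default) from pcapng (dumpcap/tshark default)."""
    if len(data) < 4:
        raise ValueError("too short to be a capture file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    if magic in PCAP_MAGICS:
        order, divisor = PCAP_MAGICS[magic]
        return {"format": "pcap", "order": order, "ts_divisor": divisor}
    raise ValueError(f"unknown capture magic 0x{magic:08x}")

def pcap_records(data: bytes):
    """Yield (timestamp, captured_len, wire_len, payload) for each classic-pcap record."""
    info = identify(data)
    if info["format"] != "pcap" or len(data) < 24:
        raise ValueError("need classic pcap with its full 24-byte header (pcapng needs a block parser)")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    order = info["order"]
    snaplen = struct.unpack(order + "IHHiIII", data[:24])[5]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {offset - 16}")
        yield ts_sec + ts_frac / info["ts_divisor"], incl_len, orig_len, data[offset:offset + incl_len]
        offset += incl_len

def summarize(data: bytes) -> dict:
    """Format plus, for classic pcap, packet count and captured/on-wire byte totals."""
    info = identify(data)
    if info["format"] == "pcap":
        recs = list(pcap_records(data))
        info.update(packets=len(recs), captured_bytes=sum(r[1] for r in recs),
                    wire_bytes=sum(r[2] for r in recs))
    return info

# Constructed sample (not a real capture): little-endian pcap header with linktype 1 (Ethernet)
# and snaplen 65535, then two records; the second one was sliced (2 of 60 bytes kept).
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE += struct.pack("<IIII", 1700000000, 250000, 4, 4) + b"\xde\xad\xbe\xef"
SAMPLE += struct.pack("<IIII", 1700000001, 0, 2, 60) + b"\x00\x01"
```

To inspect a real file, pass `open(path, "rb").read()` to `summarize()`; a pcapng result means the file came from a Wireshark-family tool (or tcpdump was not the writer), and a `ValueError` on a record points at a capture that was cut off mid-write.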