This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark and pcaps

0
  1. How do I use Wireshark to look at pcaps?
  2. How do I tcpdump and how do I use tcpdump to look at pcaps?
  3. How do I tcpprep to turn the pcaps into something that can be replayed?
  4. How do I tcpreplay to play the traffic on the network against firewalls and servers?

asked 04 Jan '13, 11:39


dalawh
1335
accept rate: 0%

edited 04 Jan '13, 11:49


One Answer:

0

If by pcaps you mean files in pcap format containing previously captured network traffic, then:

  1. Open the pcap files in wireshark with "file -> open"
  2. Use the command "tcpdump -r <pcapfile>"
  3. See: http://tcpreplay.synfin.net/wiki/tcpprep
  4. See: http://tcpreplay.synfin.net/wiki/tcpreplay

answered 04 Jan '13, 12:23


SYN-bit ♦♦
17.1k957245
accept rate: 20%

Since part one uses the GUI and part two use a command prompt, is there a way I can do it all under one?

(04 Jan '13, 13:03) dalawh

tcpdump is a different program with a different kind of output. However, wireshark is more detailed and powerful in its dissection, so yes, I would say you can do both with wireshark.

(04 Jan '13, 13:09) SYN-bit ♦♦

How would you tcpdump with Wireshark? You only gave me the command line version or was that command line meant to be used inside the GUI?

(04 Jan '13, 13:17) dalawh

What do you mean by "how would you tcpdump"? tcpdump is a program. Please have a look at the wireshark user's guide.

(04 Jan '13, 13:29) SYN-bit ♦♦

I was trying to tcp dump without the command. Guess you can't. Thanks for the help. I will try these out and see what happens.

(04 Jan '13, 13:43) dalawh

If you mean you want to capture packets from the GUI, yes you can, go to "Capture -> Options"

(04 Jan '13, 13:46) SYN-bit ♦♦

Does tcpdump not come with Wireshark? If it doesn't, where can I get it? When I use the command, it says it was not recognized.

(07 Jan '13, 10:16) dalawh

tcpdump is part of most Unix-like systems (you might have to install it though). It is not part of Windows. What is your OS?

(07 Jan '13, 10:32) Kurt Knochner ♦

@Kurt I am using Windows 7. Is there any way to do it with Win7?

(07 Jan '13, 10:48) dalawh

if you really need/want tcpdump, there are two options:

BTW: Why do you want to use tcpdump if you can use the much better tshark (part of Wireshark)?

(07 Jan '13, 10:55) Kurt Knochner ♦

Isn't tshark just Wireshark, but used with command prompt? I couldn't tcpdump with Wireshark, so I didn't think I could with tshark.

(07 Jan '13, 11:01) dalawh

Isn't tshark just Wireshark, but used with command prompt?

well, yes and no. tshark shares most of the functionality with wireshark, but not all. And yes: tshark is the CLI tool, while Wireshark is the GUI tool.

I couldn't tcpdump with Wireshark,

by I couldn't **tcpdump** you mean capturing traffic (which is the right term for 'dumping' network packets to disk), right? If so, what problems did you have?

(07 Jan '13, 11:08) Kurt Knochner ♦

Again, what do you mean by "tcpdump" as an action? If you mean "capture network traffic and save it to disk", then both wireshark and tshark can do that for you...

If you mean something else by "tcpdump", please enlighten us...

(07 Jan '13, 11:09) SYN-bit ♦♦

So tcpdump and Wireshark are both programs that do the same thing (packet analyzer), but Wireshark is more powerful?

Is tcpdump a phrase for capturing packets? Based on the name, I assumed it would only capture TCP-related packets. I am all new to this stuff.

(07 Jan '13, 11:13) dalawh

Some people use "tcpdump" as a verb, just like some people use "xerox" as a verb when they mean they want to make a photocopy. But neither term is a verb in principle :-)

tcpdump is a program that, just like wireshark and tshark, captures packets and displays them on the screen with a little interpretation for the viewer to make life easier for them.

It is also possible to save packets in a (binary) file for later analysis. This is true for both tcpdump and wireshark (and also for tshark).

(07 Jan '13, 11:20) SYN-bit ♦♦

Is there any part of tcpdump that is better than Wireshark or is Wireshark far superior?

(07 Jan '13, 11:28) dalawh

It's like comparing apples with pears, I do want to eat both, but I eat more apples :-)

I use wireshark and tshark the most, but I use tcpdump on the following occasions:

  • on systems where there is only tcpdump installed (on load balancers and such)
  • when I quickly want to see output with mac-addresses and vlan tags (tshark can do that on the CLI, but you need to configure your columns first)
  • when I need to quickly filter a set of large tracefiles and only need to select on ip addresses and ports (tcpdump uses bpf which is very fast, but has less functionality than tshark's filters)

(07 Jan '13, 11:37) SYN-bit ♦♦
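The answer's step 2 ("tcpdump -r <pcapfile>") and the comment above about selecting packets from large tracefiles by IP address and port both come down to the same thing: read the classic pcap container, dissect enough of each frame to find the endpoints, and keep what matches. The following Python script is an added example (not code from the thread, from Wireshark or from tcpdump) that does exactly that on a tiny capture it constructs itself, so it runs offline. The pcap global header (24 bytes, magic 0xA1B2C3D4, either byte order) and the 16-byte per-record header are the real on-disk format; the three packets, the MAC/IP addresses and the `host H and port P` filter semantics are constructed for the example, and the checksums in the built frames are left at zero.

```python
import socket
import struct

# Classic pcap global-header magic numbers (microsecond and nanosecond flavours).
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D
LINKTYPE_ETHERNET = 1


def build_pcap(packets, byteorder="<"):
    """Serialize (ts_sec, ts_usec, frame) tuples into a classic pcap file.
    byteorder "<" writes a little-endian file, ">" a big-endian one; a reader
    must accept both, which is why read_pcap checks the magic number."""
    out = struct.pack(byteorder + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack(byteorder + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed; checksums are zero,
    which tools like tcpreplay would normally recompute before sending)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def read_pcap(data):
    """Yield (ts_sec, ts_frac, frame) from pcap bytes, detecting the byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for bo in ("<", ">"):
        if struct.unpack(bo + "I", data[:4])[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file (magic %r)" % data[:4])
    linktype = struct.unpack(bo + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled in this example")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            break  # truncated final record: stop rather than misparse it
        off += incl
        yield sec, frac, frame


def dissect(frame):
    """Pull out the IPv4 endpoints and L4 ports; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": proto, "sport": sport, "dport": dport}


def matches(pkt, host=None, port=None):
    """Same semantics as the BPF expression 'host H and port P' (either direction)."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def filter_pcap_bytes(data, host=None, port=None):
    """Return dissected packets matching the filter, like 'tcpdump -r file host H and port P'."""
    selected = []
    for _sec, _frac, frame in read_pcap(data):
        pkt = dissect(frame)
        if pkt is not None and matches(pkt, host, port):
            selected.append(pkt)
    return selected


def filter_pcap_file(path, host=None, port=None):
    with open(path, "rb") as fh:
        return filter_pcap_bytes(fh.read(), host, port)


# Constructed sample traffic: one client/server exchange plus an unrelated HTTPS SYN.
SAMPLE_PACKETS = [
    (1357300000, 0, tcp_frame("000000000001", "000000000002", "10.0.0.1", "10.0.0.2", 51000, 80)),
    (1357300000, 120, tcp_frame("000000000002", "000000000001", "10.0.0.2", "10.0.0.1", 80, 51000)),
    (1357300001, 0, tcp_frame("000000000003", "000000000002", "10.0.0.3", "10.0.0.2", 51001, 443)),
]

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        tmp.write(build_pcap(SAMPLE_PACKETS))
    for pkt in filter_pcap_file(tmp.name, host="10.0.0.1", port=80):
        print(pkt)
```

The file written by the `__main__` block opens in Wireshark ("File -> Open") and in `tcpdump -r`, so the same three packets can be compared against the tools' own dissection. The reader deliberately stops at a truncated final record instead of raising, which is the behaviour you want when filtering a capture that was cut off mid-write.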

wireshark/tshark is far superior in terms of functionality and ability to dissect protocols. tcpdump 'usually' needs less system resources (esp. RAM) while capturing traffic.

(07 Jan '13, 13:55) Kurt Knochner ♦