TShark is a command-line network traffic analyzer that enables you to capture packet data from a live network or read packets from a previously saved capture file, either printing a decoded form of those packets to standard output or writing the packets to a file. Without any options, TShark works much like the tcpdump command and uses the same live capture file format, libpcap. In addition, TShark can detect, read, and write the same capture files that Wireshark supports.
Wireshark is a third-party graphical user interface (GUI) network protocol analyzer used to interactively dump and analyze network traffic. As with the snoop command, you can use Wireshark to browse packet data on a live network or from a previously saved capture file. By default, Wireshark uses the libpcap format for file captures, the format also used by the tcpdump utility and similar tools. A key advantage of Wireshark is that it can read and import several other file formats besides libpcap.
Both TShark and Wireshark provide several unique features, including the following:
Capable of assembling all of the packets in a TCP conversation and displaying the data in that conversation in ASCII, EBCDIC or hex format
Contain more filterable fields than other network protocol analyzers
Use a syntax that is richer than other network protocol analyzers for creating filters
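The libpcap format that the paragraphs above name as the common ground between tcpdump, TShark and Wireshark is simple enough to handle directly. The following Python example is added here and is not part of the Oracle documentation or of either tool: it writes a minimal capture in that format (one that tshark -r can open) and parses one back, detecting byte order and the nanosecond variant from the magic number and stopping cleanly at a truncated record; the sample Ethernet frame, file name and timestamp are constructed values.

```python
import struct

# Magic numbers of the classic libpcap file format, keyed by the value obtained when
# the first four bytes are read little-endian; value = (struct byte order, ticks per second)
MAGIC = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
         0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}
LINKTYPE_ETHERNET = 1

def build_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise [(ts_sec, ts_usec, frame_bytes), ...] as a little-endian,
    microsecond-resolution libpcap file that 'tshark -r' can read."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in packets:
        caplen = min(len(frame), snaplen)  # snaplen caps the bytes stored per packet
        out.append(struct.pack("<IIII", ts_sec, ts_usec, caplen, len(frame)))
        out.append(frame[:caplen])
    return b"".join(out)

def parse_pcap(blob):
    """Parse a libpcap file: detect byte order and the nanosecond variant from the
    magic, validate each record header, and stop cleanly at a truncated record."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in MAGIC:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian, ticks = MAGIC[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    result = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "packets": [], "truncated": False}
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):  # file ends inside a record header
            result["truncated"] = True
            break
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        if caplen > snaplen or off + 16 + caplen > len(blob):  # bogus caplen or cut-off packet
            result["truncated"] = True
            break
        result["packets"].append((ts_sec + ts_frac / ticks, origlen, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return result

if __name__ == "__main__":
    # Constructed sample: a broadcast Ethernet frame with EtherType IPv4 and a 20-byte dummy payload.
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + b"\x00" * 19
    with open("constructed_demo.pcap", "wb") as f:
        f.write(build_pcap([(1_700_000_000, 123456, frame)]))
    print("wrote constructed_demo.pcap; inspect it with: tshark -r constructed_demo.pcap")
```

Running the script writes constructed_demo.pcap in the current directory; the parser is what you would use to sanity-check a capture (magic, snaplen, truncation) before trusting its contents.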
To use TShark and Wireshark on your Oracle Solaris system, first check that the software packages are installed and, if necessary, install them as follows:
# pkg install tshark
# pkg install wireshark
For more information, see the tshark(1) and wireshark(1) man pages.
See also the Wireshark documentation at http://www.wireshark.org/.