Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle® Solaris 11.3

Updated: March 2019

Analyzing Network Traffic With TShark and Wireshark

TShark is a command-line network traffic analyzer that captures packet data from a live network or reads packets from a previously saved capture file. It either prints a decoded form of those packets to the standard output or writes the packets to a file. Without any options, TShark works similarly to the tcpdump command and uses the same live capture file format, libpcap. In addition, TShark can detect, read, and write the same capture files that Wireshark supports.

Wireshark is a third-party graphical user interface (GUI) network protocol analyzer that is used to interactively dump and analyze network traffic. Similar to the snoop command, you can use Wireshark to browse packet data on a live network or from a previously saved capture file. By default, Wireshark uses the libpcap format for file captures, which is also used by the tcpdump utility and other similar tools. A key advantage of using Wireshark is that it is capable of reading and importing several other file formats besides the libpcap format.

Both TShark and Wireshark provide several unique features. Both tools do the following:

  • Assemble all of the packets in a TCP conversation and display the data in that conversation in ASCII, EBCDIC, or hex format

  • Contain more filterable fields than other network protocol analyzers

  • Use a syntax for creating filters that is richer than that of other network protocol analyzers

To use TShark and Wireshark on your Oracle Solaris system, first check that the software packages are installed, and if necessary, install them as follows:

# pkg install tshark
# pkg install wireshark
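
The following added example (not part of the original Oracle documentation) shows the capture, read-back, and TCP conversation reassembly workflow described above as a set of shell functions. The interface name net0, the capture file path, and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: capture to a libpcap file, then analyze it offline with TShark.
# Assumed names (not from the page): IFACE, CAPFILE, and every function name.

IFACE="${IFACE:-net0}"                      # assumed datalink; list yours with: tshark -D
CAPFILE="${CAPFILE:-/var/tmp/sample.pcap}"  # assumed capture file path

# Build the -z argument that makes TShark reassemble one TCP conversation.
# Only the three display formats named on the page are accepted.
follow_arg() {
    mode=$1
    stream=$2
    case $mode in
        ascii|ebcdic|hex) ;;
        *) echo "follow_arg: mode must be ascii, ebcdic or hex" >&2; return 2 ;;
    esac
    case $stream in
        ''|*[!0-9]*) echo "follow_arg: stream index must be a number" >&2; return 2 ;;
    esac
    printf 'follow,tcp,%s,%s\n' "$mode" "$stream"
}

# Capture a bounded number of packets to a file (requires capture privileges).
capture_to_file() {
    count=${1:-200}
    tshark -i "$IFACE" -c "$count" -w "$CAPFILE"
}

# Print one line per TCP conversation in the file, keyed by TShark's stream index.
list_tcp_streams() {
    tshark -r "$CAPFILE" -Y tcp -T fields \
        -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport |
        sort -n -u -k1,1
}

# Print the reassembled data of one conversation; -q suppresses the packet list.
show_tcp_stream() {
    arg=$(follow_arg "$1" "$2") || return
    tshark -r "$CAPFILE" -q -z "$arg"
}

# Typical session after sourcing this file:
#   capture_to_file 500
#   list_tcp_streams
#   show_tcp_stream ascii 0
```

Bounding the capture with a packet count keeps the file small, and working from the saved file means the analysis steps do not need capture privileges.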

For more information, see the tshark(1) and wireshark(1) man pages.

See also the Wireshark documentation at http://www.wireshark.org.