The most surprising thing about tcpdump and Wireshark is that they’re fundamentally the same tool, just with different interfaces.
Let’s see tcpdump in action. Imagine you’re debugging a slow application that’s making HTTP requests to a backend service on 192.168.1.100:8080. You suspect network issues.
On your server, you’d run tcpdump:
sudo tcpdump -i eth0 -s0 -w /tmp/http_traffic.pcap host 192.168.1.100 and port 8080
This command:
- -i eth0: Listens on the eth0 network interface.
- -s0: Captures the full packet (snaplen 0 means capture the entire packet).
- -w /tmp/http_traffic.pcap: Writes the captured packets to a file named http_traffic.pcap in the /tmp directory.
- host 192.168.1.100 and port 8080: This is the filter. It tells tcpdump to only capture packets going to or from the IP address 192.168.1.100 and specifically on port 8080.
Now, you let this run for a minute while your application is active, then stop it with Ctrl+C. You can then analyze this .pcap file using Wireshark on your desktop.
# On your desktop machine, assuming you have Wireshark installed
wireshark /tmp/http_traffic.pcap
Wireshark opens and displays all the captured packets. You can then apply more complex filters within Wireshark’s GUI, like tcp.analysis.retransmission to find dropped packets, or http.request to see only the HTTP requests.
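As an added example (not code from the original article), here is a small Python reader that does in miniature what Wireshark does with the capture file above: it walks the .pcap records, decodes the Ethernet/IPv4/TCP headers, applies the same "host 192.168.1.100 and port 8080" selection, and reports records that were cut short by a too-small snaplen, which is the problem -s0 exists to avoid. It assumes a classic little-endian pcap with an Ethernet link type; the helper names are hypothetical and the three frames are constructed, not a real capture.

```python
"""Walk a tcpdump .pcap as Wireshark would: decode the global header and each record's
Ethernet/IPv4/TCP headers, apply the 'host X and port Y' selection, and flag records cut
short by a small snaplen. Helper names are hypothetical; the frames are constructed."""
import socket
import struct

ETH, IP4 = 14, 20  # Ethernet header length, minimal IPv4 header length

def tcp_frame(src, sport, dst, dport, payload=b""):  # constructed frame, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP4 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames, snaplen=262144):
    """Classic little-endian pcap: magic 0xA1B2C3D4, version 2.4, link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts, frame in frames:
        cap = frame[:snaplen]  # like tcpdump, only the first snaplen bytes are stored
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return bytes(out)

def parse_pcap(data):
    """One dict per record: src/dst/ports when decodable, plus a truncation flag."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4: raise ValueError("not a little-endian classic pcap (pcapng?)")
    off, recs = 24, []  # 24-byte global header, then 16-byte record headers
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        rec = {"truncated": caplen < origlen}  # caplen < origlen: the snaplen cut this packet
        if caplen >= ETH + IP4 and frame[12:14] == b"\x08\x00" and frame[ETH + 9] == 6:
            ihl = (frame[ETH] & 0x0F) * 4  # IPv4 header length honours IP options
            rec["src"] = socket.inet_ntoa(frame[ETH + 12:ETH + 16])
            rec["dst"] = socket.inet_ntoa(frame[ETH + 16:ETH + 20])
            if caplen >= ETH + ihl + 4:  # TCP port fields fit in the captured bytes
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, ETH + ihl)
        recs.append(rec)
    return recs

def summarize(data, host="192.168.1.100", port=8080):
    """(records matching 'host HOST and port PORT' in either direction, records truncated)."""
    recs = parse_pcap(data)
    hits = [host in (r.get("src"), r.get("dst")) and port in (r.get("sport"), r.get("dport")) for r in recs]
    return sum(hits), sum(r["truncated"] for r in recs)

FRAMES = [(1, tcp_frame("10.0.0.5", 51000, "192.168.1.100", 8080, b"GET / HTTP/1.1\r\n")),
          (2, tcp_frame("192.168.1.100", 8080, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n")),
          (3, tcp_frame("10.0.0.5", 51001, "192.168.1.100", 443))]
SAMPLE = build_pcap(FRAMES, snaplen=64)  # too small: both HTTP packets get truncated
```

Running summarize(SAMPLE) returns (2, 2): two packets match the filter and two were truncated, whereas the same frames written with the default snaplen give (2, 0).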
The problem tcpdump and Wireshark solve is visibility into network traffic. When an application misbehaves and you suspect the network, you need to see exactly what packets are being sent and received. Are requests even leaving? Are responses coming back? Are they corrupted? Are there delays? Packet capture tools provide this granular, low-level view.
Internally, both tcpdump and Wireshark use the libpcap (on Unix-like systems) or WinPcap/Npcap (on Windows) library to capture packets directly from the network interface. The difference is the presentation layer. tcpdump is the command-line interface to libpcap, offering raw packet data and filtering at capture time. Wireshark is a graphical application built on top of libpcap (or Npcap) that captures packets and then provides a rich GUI for live analysis, filtering, and deep inspection of packet contents.
The exact levers you control are primarily the network interface and the capture filters. For example, to capture all traffic on your network interface enp3s0 but exclude SSH traffic (port 22), you’d use:
sudo tcpdump -i enp3s0 -s0 'not port 22' -w /tmp/no_ssh.pcap
This is incredibly powerful for isolating problems. Instead of wading through gigabytes of unrelated traffic, you narrow down the capture to precisely what you need.
The one thing most people don’t realize is that tcpdump’s filtering syntax is directly usable within Wireshark’s display filter bar, and vice versa for basic filters. You can even use tcpdump to capture traffic and then pipe it directly into Wireshark for live analysis without saving to a file first, though this requires careful setup.
If you’re analyzing specific application protocols, the next step is to dive into Wireshark’s protocol dissectors and expert information features.