Wireshark is the most popular tool for deep packet inspection and network analysis. It captures all traffic on a network interface and lets you analyze it at the individual packet level. For network engineers and security specialists, it is indispensable when diagnosing connectivity issues, analyzing protocols, or investigating security incidents. The graphical interface enables intuitive work with filters and visualizations that are not available in the terminal.
## Installation

```shell
sudo apt install wireshark       # Debian/Ubuntu
brew install --cask wireshark    # macOS (Homebrew)
```
## Display Filters

```
http                          # all HTTP traffic
tcp.port == 443               # TLS/HTTPS traffic
ip.addr == 10.0.1.50          # traffic to/from a specific IP
http.response.code >= 400     # HTTP errors
!(arp || dns)                 # everything except ARP and DNS
tcp.analysis.retransmission   # TCP retransmissions (connectivity issues)
```
Display filters are significantly more powerful than capture filters — they allow filtering by any field in any protocol. Filters can be combined with logical operators (&&, ||, !) and compare values (<, >, ==, !=, contains, matches).
## Key Features
- Follow TCP Stream — shows the entire conversation between client and server in readable form
- Statistics -> Conversations — overview of who communicates with whom and data volume
- Statistics -> I/O Graph — traffic visualization over time, useful for identifying spikes
- Statistics -> Protocol Hierarchy — traffic breakdown by protocol
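To make concrete what the Conversations view computes and how a `tcp.port == N` display filter narrows it, here is an added example (not Wireshark code) that reads a classic pcap file and builds the same bidirectional conversation table for IPv4/TCP. The capture it reads is constructed in memory, so it runs offline.

```python
import socket, struct
from collections import defaultdict
# Added example, not Wireshark code: rebuild Statistics -> Conversations from a pcap.

def frames(data):  # yield raw frames from a little-endian pcap with Ethernet link type
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):                # 16-byte record header per frame
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_endpoints(frame):
    """Return (src, sport, dst, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                             # not IPv4, or not TCP (protocol 6)
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport

def conversations(data, port=None):
    """Bidirectional table {((ipA, pA), (ipB, pB)): {"frames": n, "bytes": n}}."""
    table = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for frame in frames(data):
        ep = tcp_endpoints(frame)
        if ep is None or (port is not None and port not in (ep[1], ep[3])):
            continue                            # same effect as `tcp.port == N`
        key = tuple(sorted([ep[:2], ep[2:]]))   # A<->B and B<->A are one conversation
        table[key]["frames"] += 1
        table[key]["bytes"] += len(frame)
    return dict(table)

def build_frame(src, sport, dst, dport, payload=b""):
    """Constructed test frame; checksums are zero, which the parser never checks."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frame_list):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, link type 1
    for i, f in enumerate(frame_list):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE = build_pcap([                           # constructed sample capture
    build_frame("10.0.1.50", 51000, "93.184.216.34", 443, b"\x16\x03\x01"),
    build_frame("93.184.216.34", 443, "10.0.1.50", 51000, b"\x16\x03\x03" * 4),
    build_frame("10.0.1.50", 51001, "10.0.1.10", 80, b"GET / HTTP/1.1\r\n"),
])
```

`conversations(SAMPLE)` lists both conversations; `conversations(SAMPLE, port=443)` keeps only the TLS one with its two frames, mirroring the filtered Conversations tab.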
## Remote Capture

```shell
ssh user@server 'sudo tcpdump -w - port 80' | wireshark -k -i -
```
This approach combines the strengths of both tools: tcpdump captures packets directly on the remote server without GUI overhead, and Wireshark analyzes them locally with the full GUI. Add tcpdump's `-U` flag if packets should reach Wireshark as they arrive rather than when tcpdump's output buffer fills. Alternatively, capture a pcap file on the server and download it for local analysis.
## Wireshark for Deep Analysis

Use tcpdump on the server for quick capture and Wireshark locally for detailed analysis. This combination covers most network diagnostic scenarios, from simple connectivity issues to complex application protocol analysis.