
Wireshark will guess what higher-level protocols are being used in a packet, but how can I get tcpdump to do likewise (or any other Linux command line tool)?

For example, the following screenshot shows Wireshark detecting "HTTP" as the protocol being captured: http://www.tohir.co.za/wp-content/uploads/2010/09/wireshark_filters.png

However, the CLI output of tcpdump simply says it's the "IP" protocol, which is not false, but I want a tool that can determine for me what common higher-level protocol is being used.

Alexander Bird
  • No, tcpdump is very simple in that regard, and it's the reason Wireshark was created. Wireshark also has a CLI component; why not just use that? – madeddie Aug 11 '16 at 20:56
  • i.e. [tshark](https://www.wireshark.org/docs/man-pages/tshark.html). – Zoredache Aug 11 '16 at 21:04

1 Answer

tcpdump's main purpose is to capture packets. This has to be done fast, since you do not want to miss packets.

Wireshark's main purpose is to analyse packets. For analysing, you normally have plenty of time. For capturing (on Windows), Wireshark uses a special driver, which also just sees 'IP' packets.

Thus, tcpdump and Wireshark are simply different tools for different tasks. But they work perfectly together.

Thomas SV
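The comments point to tshark for this. To show what that dissection step adds over tcpdump's per-packet summary, here is an added example (not from the original question or answer): a minimal Python dissector that, like Wireshark, first consults a port table and then falls back to payload heuristics, run on a constructed Ethernet/IPv4/TCP frame. The port table, the HTTP regex and the addresses are assumptions of the example, not anything from the thread.

```python
import re
import struct

def build_frame(src_port, dst_port, payload):
    """Constructed sample frame: Ethernet/IPv4/TCP headers built with struct
    so the example runs offline; addresses are from the documentation ranges."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 8192, 0, 0)                # 20-byte header, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80]))
    return eth + ip + tcp + payload

# Port-based table: the first thing a dissector tries (assumed, not Wireshark's real table).
PORT_TABLE = {80: "HTTP", 443: "TLS", 53: "DNS", 22: "SSH"}
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify(frame):
    """Return (src, dst, label): port lookup first, then payload heuristics."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                           # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if ip[9] != 6:
        return (src, dst, "IP")                                # this is all tcpdump-style summaries say
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    label = PORT_TABLE.get(dport) or PORT_TABLE.get(sport) or "TCP"
    # Heuristic dissection: payload content overrides the port guess,
    # so HTTP on 8080 or TLS on 8443 is still recognised.
    if HTTP_REQ.match(payload) or payload.startswith(b"HTTP/1."):
        label = "HTTP"
    elif len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        label = "TLS"                                         # TLS record header: handshake, version 3.x
    return (src, dst, label)

if __name__ == "__main__":
    sample = [build_frame(40000, 8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              build_frame(40001, 8443, b"\x16\x03\x01\x00\x05"),
              build_frame(40002, 9999, b"\x00\x01\x02")]
    for fr in sample:
        print(classify(fr))
```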