Question 1

How to install Wireshark on Ubuntu?

Accepted Answer

Use the package manager with 'sudo apt install wireshark', then configure capture permissions by adding your user to the wireshark group. Post-install, you may need to set up dumpcap for live capture as per the README.

Question 2

Wireshark vs tcpdump: which is better for servers?

Accepted Answer

Use tcpdump for quick, lightweight command-line capture on servers, and Wireshark or TShark for deeper analysis with a GUI or scriptable output. TShark offers Wireshark's dissection in a CLI form.

Question 3

How to filter for DNS traffic in Wireshark?

Accepted Answer

Apply a display filter like 'dns' to isolate DNS packets. You can refine it with specifics, e.g., 'dns.qry.name contains example.com'. The filtering system is powerful but requires learning its syntax.

Question 4

Can Wireshark decrypt SSL/TLS traffic?

Accepted Answer

Only if you have the session keys; otherwise, it shows encrypted data. You can configure it to use keys from browsers or servers, but this requires manual setup and may not work for all scenarios.

Question 5

How to use TShark to analyze a pcap file?

Accepted Answer

Run 'tshark -r file.pcap' to read and display packets. Add filters with '-Y' for display filters or '-T' for output formats like JSON, enabling automated processing in scripts.

Question 6

What are the alternatives to Wireshark for simple sniffing?

Accepted Answer

For basic tasks, tools like tcpdump (CLI) or lightweight GUIs like Colasoft Capsa exist. However, they lack Wireshark's deep protocol support and cross-platform tool suite.

Wireshark

What is Wireshark?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions