
Difference between sniffer tools

I am unsure what the following networking tools do. They all seem to do a similar thing.

First some background. I am familiar with Cisco IOS. I am doing some Linux networking experimentation with virtual machines, so I am trying to create a small virtual network. I started playing with virtual interfaces (tun/tap, loop br etc) and I'd like to be able to examine the traffic going through them for debug purposes.

I'm a bit unsure of what tool to use. I know of the following:

1. tshark (wireshark)
2. dumpcap
3. tcpdump
4. ettercap

I think tshark/wireshark uses dumpcap underneath. ettercap seems to be a man-in-the-middle attack tool.

Which tool (others not listed included) would you use to debug an interface?

* wireshark - powerful sniffer which can decode lots of protocols, lots of filters.

* tshark - command line version of wireshark

* dumpcap (part of wireshark) - can only capture traffic and can be used by wireshark / tshark

* tcpdump - limited protocol decoding but available on most *NIX platforms

* ettercap - used for injecting traffic not sniffing




All tools use libpcap (on Windows, WinPcap) for sniffing. Wireshark/tshark/dumpcap can use tcpdump filter syntax as a capture filter.

As tcpdump is available on most *NIX systems I usually use tcpdump. Depending on the problem I sometimes use tcpdump to capture traffic and write it to a file, and then later use wireshark to analyze it. If available, I use tshark but if the problem gets more complicated I still like to write the data to a file and then use Wireshark for analysis.
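
Added example, not part of the original answer: the capture-then-analyze workflow above works because `tcpdump -w` writes a libpcap capture file that Wireshark and tshark can open. This Python sketch reads that classic pcap layout from a constructed two-packet sample; the function names and addresses are made up for illustration, and pcapng or nanosecond-timestamp files are not handled.

```python
import socket
import struct

def build_sample_pcap():
    """Constructed sample: classic pcap with two Ethernet/IPv4 frames (not real traffic)."""
    def frame(src, dst, proto):
        eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return eth + ip
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, pkt in [(1, frame("10.0.0.1", "10.0.0.2", 1)),   # ICMP
                    (2, frame("10.0.0.2", "10.0.0.1", 6))]:  # TCP
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Return (file header dict, [(timestamp, raw frame bytes), ...])."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng or another format)")
    _, major, minor, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}, packets

def summarize(data):
    """List (timestamp, src IP, dst IP, IP protocol number) for each IPv4 frame."""
    header, packets = read_pcap(data)
    if header["linktype"] != 1:
        raise ValueError("only Ethernet captures are decoded here")
    rows = []
    for ts, pkt in packets:
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":   # EtherType IPv4
            rows.append((ts, socket.inet_ntoa(pkt[26:30]),
                         socket.inet_ntoa(pkt[30:34]), pkt[23]))
    return rows

if __name__ == "__main__":
    for row in summarize(build_sample_pcap()):
        print(row)
```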
