wireshark

Start Wireshark graphical interface

$ wireshark

$ wireshark [capture.pcap]

$ wireshark -i [eth0]

$ wireshark -i [eth0] -f "port 80"

$ wireshark -i [eth0] -a duration:[60]

$ wireshark -Y "http" [capture.pcap]

$ wireshark -i [eth0] -w [output.pcap]

wireshark [options] [file]

Wireshark is a graphical network protocol analyzer for capturing and interactively analyzing network traffic. It decodes hundreds of protocols and provides detailed packet information in a user-friendly interface.
The application displays packets in a three-pane window: packet list, packet details (protocol tree), and packet bytes. Powerful display filters allow isolating specific traffic patterns. Capture filters reduce capture file size.
Wireshark is the industry standard for network troubleshooting, security analysis, protocol development, and education. It supports live capture from numerous interface types and can read many capture file formats.

-i interface

Capture on specified interface.

Capture filter (BPF syntax).

Display filter.

Write capture to file.

Read capture file.

Autostop condition (duration, filesize, packets).

Ring buffer options.

Start capturing immediately.

List available interfaces.

Update packet list in real-time.

List timestamp types for interface.

ip.addr == 192.168.1.1: Filter by IP
tcp.port == 80: Filter by TCP port
http: Show HTTP traffic
dns: Show DNS traffic
tcp.flags.syn == 1: SYN packets
frame contains "password": Search content

Requires privileges for live capture (root or capnetraw capability). Large captures use significant memory. Display filters differ from capture filters in syntax. Some protocols require additional dissector plugins.

Wireshark began as Ethereal, created by Gerald Combs in 1998. After trademark issues, it was renamed to Wireshark in 2006. It has become the most widely used network protocol analyzer, supported by an active community and the Wireshark Foundation. The project continues adding support for new protocols.

tshark(1), tcpdump(1), dumpcap(1), ngrep(1)