The relationship between these tools is roughly as follows:

libpcap => tcpdump
libpcap => dumpcap => tshark / Wireshark

tcpdump and dumpcap are both wrappers around libpcap; dumpcap is the capture engine of tshark and Wireshark, and Wireshark is the GUI version of tshark.
Differences
Wireshark – a powerful sniffer with a GUI; it can decode lots of protocols and offers lots of filters.
tshark – command-line version of Wireshark.
dumpcap (part of Wireshark) – can only capture traffic; it is used by Wireshark / tshark.
Note: by comparison, dumpcap uses less memory than tshark.
tcpdump – limited protocol decoding, but available on most *NIX platforms.
tcpdump vs. Wireshark comparison

Sr No | Wireshark | Tcpdump
1 | Wireshark is a graphical user interface tool that helps you capture data packets. | Tcpdump is a CLI-based packet capturing tool.
2 | It does packet analysis; it can decode data payloads if the encryption keys are known, and it can recognize data payloads from file transfers over protocols such as SMTP, HTTP, etc. | Tcpdump only does a simple analysis of such traffic, such as DNS queries.
3 | It has advanced network interfaces. | It has system-based conventional interfaces.
4 | Wireshark is good for complex filters. | Tcpdump is used for simple filters.
5 | It provides decoding of protocol-based packet capturing. | It is less efficient at decoding compared to Wireshark.
Tshark vs. Dumpcap performance comparison
Tony Fortunato ran a test and published the results on YouTube as "Wireshark tshark vs dumpcap". Note that the test covered capture of traffic at under 50% link utilization with frame sizes of around 800 bytes; the result was that both dumpcap and tshark drop packets as the data rate increases, but dumpcap performs somewhat better.
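The practical consequence of the relationship above (capture with a lightweight libpcap-based tool, decode later with tshark) as an added shell example that is not part of the original post; the function names are this example's own, and the tcpdump fallback assumes the coreutils timeout command is available:

```shell
#!/bin/sh
# Added example (not from the original post): two-stage capture workflow.
# Stage 1 uses a capture-only libpcap tool (dumpcap preferred because it
# uses less memory than tshark; tcpdump as fallback since it exists on most
# *NIX). Stage 2 decodes the saved file with tshark, so the decoder never
# competes with the live capture for CPU and memory.

# Print the name of the best available capture tool, or fail if none.
choose_capture_tool() {
    if command -v dumpcap >/dev/null 2>&1; then
        echo dumpcap
    elif command -v tcpdump >/dev/null 2>&1; then
        echo tcpdump
    else
        return 1
    fi
}

# Print the capture command line for a tool.
# $1 = tool, $2 = interface, $3 = duration in seconds, $4 = output file
build_capture_cmd() {
    case "$1" in
        dumpcap) echo "dumpcap -i $2 -a duration:$3 -w $4" ;;
        tcpdump) echo "timeout $3 tcpdump -i $2 -w $4" ;;   # assumes coreutils timeout
        *) return 1 ;;
    esac
}

# Run the capture for the chosen tool (dumpcap stops itself after the
# duration; for tcpdump, timeout's exit status 124 is the expected outcome).
run_capture() {
    case "$1" in
        dumpcap) dumpcap -i "$2" -a "duration:$3" -w "$4" ;;
        tcpdump) timeout "$3" tcpdump -i "$2" -w "$4" || [ $? -eq 124 ] ;;
        *) return 1 ;;
    esac
}

# $1 = interface, $2 = duration in seconds, $3 = output file
capture_then_decode() {
    tool=$(choose_capture_tool) || { echo "no libpcap capture tool found" >&2; return 1; }
    echo "capturing with: $(build_capture_cmd "$tool" "$1" "$2" "$3")" >&2
    run_capture "$tool" "$1" "$2" "$3" || return 1
    # Offline decode: protocol hierarchy statistics from the saved capture.
    tshark -r "$3" -q -z io,phs
}
```

Run as root (or with capture privileges), e.g. `capture_then_decode eth0 30 /tmp/trace.pcapng`.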
References
https://techyrick.com/dumpcap/
tcpdump-vs-wireshark
Wireshark Packet Capture: Tshark Vs. Dumpcap