2023-03-15
What happens on a network has always been an interest of mine. In graduate school in the 1980s, I worked on networking software. Later I used software protocol analyzers such as netwatch (later the commercial LANWatch) to dissect packets. Finally, a few years ago, I contributed to what is now the Wireshark protocol analyzer. Lanwatch uses a windowing interface to display networking packets. Sometimes, though, that may be impossible or inappropriate.
Character-based (or text-based: without windows) tools are used in many situations. Generally, those are where the hardware platform does not support windows, such as with an embedded system such as an internet router. Three standard tools in this open-source collection are Tshark, ngrep, and tcpdump.
Tshark
I use Tshark more often than any text-based protocol analyzer because of its flexibility and the wide range of protocols it can decode. It is probably clear from the name that Tshark is a part of the Wireshark project. It even uses the same code for dissecting packets. Therefore, it is included in the Wireshark distribution.
In addition to capturing and displaying network traffic, Tshark reads multiple formats standard for captured data, including the files created by tcpdump, a popular format on Linux and other UNIX-like systems. In addition, Tshark can output traditional text and Postscript or JSON for further printing or processing.
The many features and decodes of Tshark make it a more extensive program than the other two discussed here. That means an everyday use case is to capture network traffic with one of the other tools and use Tshark or Wireshark for the analysis.
ngrep
ngrep is a much smaller tool than Tshark. It supports decoding fewer protocols but was designed for a particular case. Its goal was to allow a user to specify particular packets for which to search. While Tshark supports search, ngrep is very straightforward. It uses a search pattern description similar to the grep family of search tools instead of the format of Tshark/Wireshark, which is more familiar to programmers. For instance, when looking for either 'best' or 'worst', one would use "best|worst" in ngrep and "best || worst" in a Wireshark display filter. There are a few examples in the Wikipedia article. I use ngrep for finding or capturing specific packets quickly.
tcpdump
tcpdump was the protocol analyzer/packet dumping tool for UNIX and UNIX-like systems for years. Today it is primarily used to capture packets or as a "quick and dirty" solution when neither of the other tools is available.
Its command line is simple and basic use is familiar to many users. However, it also uses a format for selecting packets to capture more than the other two tools. As a result, there is some overlap, but the specific format for the capture expressions is in the pcap-filter manual.
Each of these tools is a bit different from the others. For example, as I noted, I tend to use Tshark or ngrep these days a lot more than I use tcpdump when I need a text-based tool. Nevertheless, these are all valuable tools for the network administrator or technician's toolbox.
This piece was originally posted on Oct 12, 2021, and has been refreshed with updated styling.
