- Network Packet Analyzer
- 1)User Interface
- 2)Simulation Support
- 3)Traffic Filter Support
- 4)Remote Traffic Capture
- 5)Protocol Support
- 6)GeoIP-Location Support
- 7)Visual Graph Generation
- 8)Deep Inspections
- 9)Display Representation
- 11)Identify Abnormal Communication
- 12)Service-based Traffic Identification
- 13)User Friendliness
Network Packet Analyzer
There are a number of network packet analyzers available in the market to choose from, and the choice of any one of them depends heavily on the features that particular tool offers. Here we have chosen two very popular network packet analyzers, TCPDump and Wireshark, and we will check and compare the features available in both tools.
Platform Support: Wireshark and TCPDump are both open source tools with support for multiple platforms, such as all flavors of Linux, Solaris, FreeBSD, macOS and OpenBSD. For Windows, a modified version of TCPDump known as WinDump is used. In our research we also found that TCPDump is supported on the Android platform; Wireshark itself has no Android support, but owing to its open source nature a modified version known as Packet Capture for Android is available, although it has limited features.
1)User Interface:
Wireshark: Wireshark comes with a GUI (Graphical User Interface). Thanks to the GUI it is very user friendly and can be used even by novice users, and it is very easy to see and identify the parameters of interest. The Wireshark GUI has three main regions, known as the Packet List Pane, the Packet Detail Pane and the Packet Byte Pane, which respectively show the list of captured packets, detailed information on the packet selected for analysis, and the raw binary data. Wireshark also has a CLI interface, called TShark, through which data can be captured and analyzed. However, using the GUI is more efficient, as it is easier to identify the parameters.
TCPDump: TCPDump is basically a tool that was designed for Linux only, and as the Linux operating system relies more on the CLI, TCPDump also has a CLI user interface. It has only a CLI interface and no support for GUI interaction.
2)Simulation Support:
Wireshark: Wireshark is used for real-world applications and also supports traffic capture from simulated environments. Network Simulator (ns), GNS3 and OPNET are a few of the simulators used to create simulated networks and observe the behavior of a network, protocol or device. These are mostly used by students to learn the complex fundamentals of networking, and using Wireshark in conjunction with such simulators gives students the great advantage of analyzing in depth how things work in real time.
TCPDump: TCPDump does not support any simulated packet capture; it only supports real-time traffic capture.
3)Traffic Filter Support:
Wireshark: Wireshark is capable of capturing only a specific type of traffic, or it can capture all the traffic and then display only the traffic of interest on the screen (Packet List Pane). Wireshark has two main filter options to accomplish this.
1)Capture Filter: A capture filter is used to capture only the traffic of interest out of all the network traffic traversing the interface. It uses the built-in BPF (Berkeley Packet Filter) logic, omits all unwanted traffic and captures only the target traffic.
2)Display Filter: A display filter is used to customize the traffic shown in the Packet List Pane. It is used when a network admin wants to narrow down the search within a large capture file.
Wireshark also offers the flexibility to build customized display filters for more granular applications.
TCPDump: TCPDump natively captures all the traffic, after which specific commands can be used to display specific packets based on various parameters. It does not have the capability to apply a filter so as to capture only specific traffic.
4)Remote Traffic capture:
Wireshark: Wireshark does not natively support capturing the traffic of a remote network. For such captures, it requires network devices with a specific configuration to forward the remote network's traffic to the system on which Wireshark is installed. Wireshark can only capture traffic that enters or leaves an interface of the system it is installed on.
TCPDump: TCPDump has an inbuilt feature that supports capturing the traffic of a remote network over virtual line sessions such as Telnet or SSH (Secure Shell). This allows a network administrator to monitor network traffic even from a remote location.
5)Protocol Support:
Wireshark: The latest version of Wireshark supports more than 1100 different protocols, which means Wireshark can reconstruct the information from raw (binary) data for over 1100 protocols.
TCPDump: TCPDump only supports a limited number of protocols, namely those included in the TCP/IP suite. As TCPDump was initially designed for the analysis of TCP issues, it is more focused on the protocols defined in the TCP/IP suite and can only capture specific protocols.
6)GeoIP-Location Support:
Wireshark: Wireshark is able to display the GeoIP location; for this, Wireshark needs to be configured with a GeoIP database. With GeoIP, the location of a server or other node can be identified down to country, state and city level.
TCPDump: TCPDump has no feature that can identify the geographical location of the IP address with which the communication is happening.
7)Visual Graph generation:
Wireshark: Wireshark natively supports graph generation for specific conversations. It can also generate visual graphs for TCP characteristics such as time sequence, throughput, round-trip time and window scaling. Bandwidth utilization and many other parameters can also be graphed with Wireshark.
TCPDump: Being a CLI tool, TCPDump does not natively support visual graph generation; however, this requirement can be fulfilled by capturing a dump of the traffic of interest and using it with other applications such as xplot or tcptrace.
8)Deep Inspections:
Wireshark: Wireshark is capable of tracing packets for deep analysis and can reveal the header information attached to the data at each layer, as well as providing the ability to investigate the actual user data.
TCPDump: TCPDump is only capable of revealing the header information attached to the data and is not able to reveal the actual user data itself.
9)Display Representation:
Wireshark: Wireshark is able to segregate and display the gathered information in an OSI or TCP/IP layer-based format.
TCPDump: TCPDump displays the information in clear text and is not able to segregate it into an OSI layer-based format.
Wireshark: Wireshark is able to analyze all application-specific traffic such as VoIP, voice traffic, real-time video streaming, etc.
TCPDump: TCPDump is only capable of analyzing TCP-based traffic. It is also not able to capture UDP and other application-specific traffic for VoIP, voice, real-time video streaming, etc.
11)Identify Abnormal Communication:
Wireshark: Wireshark uses color coding to represent abnormal communication between a source and a destination, and this color scheme can be modified as per user requirements.
TCPDump: TCPDump is not capable of recognizing any abnormality in the communication; as a CLI-based tool it just shows the information and is not able to identify and highlight specific abnormalities.
12)Service based Traffic Identification:
Wireshark: Wireshark is capable of representing the data based on services, using the option named Protocol Hierarchy. With this feature the network administrator can easily identify and locate the services used on a target host.
TCPDump: TCPDump is not capable of categorizing the data based on protocol hierarchy, so host-based services cannot be identified with TCPDump.
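As an added worked example for the display-filter (section 3), deep-inspection and layer-based display (sections 8 and 9) and Protocol Hierarchy (section 12) features described above, here is a small Python dissector written for this page; it is not code from Wireshark or TCPDump. It builds a constructed two-packet libpcap file in memory (an HTTP request and a DNS query, with made-up addresses), splits each frame into Ethernet/IP/TCP-or-UDP layers plus payload, applies a display-filter-style predicate, and counts frames per layer the way a protocol hierarchy view does.

```python
import struct
from collections import Counter
def _frame(proto, src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4 frame carrying a TCP (proto 6) or UDP (proto 17) header."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    if proto == 6:   # TCP: seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    else:            # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload

# Constructed sample capture (libpcap format, little-endian): an HTTP request and a DNS query.
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
for pkt in (_frame(6, "10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.1\r\n"),
            _frame(17, "10.0.0.5", "10.0.0.1", 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)):
    PCAP += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt   # ts_sec, ts_usec, caplen, len
def read_pcap(data):
    """Walk the record headers and return the raw frames (both byte orders handled)."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos, frames = 24, []
    while pos + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
    return frames
def dissect(frame):
    """Split a frame into per-layer fields, like the Packet Detail Pane does."""
    layers = {"eth": {"type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["eth"]["type"] != 0x0800:
        return layers                                       # not IPv4: stop at layer 2
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    layers["ip"] = {"src": ".".join(map(str, frame[26:30])),
                    "dst": ".".join(map(str, frame[30:34])), "proto": proto}
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        hlen, layers["tcp"] = (l4[12] >> 4) * 4, {"sport": sport, "dport": dport, "flags": l4[13]}
    elif proto == 17:
        hlen, layers["udp"] = 8, {"sport": sport, "dport": dport}
    else:
        return layers                                       # other transport: stop at layer 3
    layers["payload"] = l4[hlen:]                           # the actual user data
    return layers
def display_filter(frames, predicate):                      # display-filter analogue
    return [d for d in map(dissect, frames) if predicate(d)]
def protocol_hierarchy(frames):                             # Protocol Hierarchy analogue
    return Counter(layer for f in frames for layer in dissect(f) if layer != "payload")
```

Running `display_filter(read_pcap(PCAP), lambda d: "tcp" in d and d["tcp"]["dport"] == 80)` keeps only the HTTP frame, with its headers and payload exposed per layer, which is the kind of view the text attributes to Wireshark's panes and filters.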
13)User friendliness:
Wireshark: Wireshark is a GUI-based tool and is therefore more user friendly; even a non-technical user with a basic understanding of networking protocols can easily get acquainted with Wireshark.
TCPDump: Being a CLI-based tool, TCPDump is more complex and can only be used effectively by a user with detailed knowledge of the TCPDump command line as well as networking fundamentals. Hence TCPDump is not so user friendly.
Apart from these, a number of other packet analyzers are available in the market, such as Colasoft Capsa, ngrep, Ettercap and netsniff-ng. But as per our research, we conclude that among all the available network analyzer tools Wireshark is the easiest to use and gives the most detailed information about network communication.