
A tcpdump Primer with Examples - danielrm26
https://danielmiessler.com/study/tcpdump/
======
ZenoArrow
> "tcpdump is the premier network analysis tool for information security
> professionals. Having a solid grasp of this über-powerful application is
> mandatory for anyone desiring a thorough understanding of TCP/IP. Many
> prefer to use higher level analysis tools such as Ethereal Wireshark, but I
> believe this to usually be a mistake."

> "When using a tool that displays network traffic in a more natural (raw) way,
> the burden of analysis is placed directly on the human rather than the
> application. This approach cultivates continued and elevated understanding of
> the TCP/IP suite, and for this reason I strongly advocate using tcpdump
> instead of other tools whenever possible."

What a load of nonsense. There is nothing inherently better about using
tcpdump over Wireshark other than its ubiquity.

The idea that using Wireshark somehow robs you of insight into what your
network activity is has no basis in reality. You're just as capable of viewing
the raw network data in Wireshark as you are by using tcpdump. Wireshark may
make it easier to analyse data, but you still have to know what you're working
with to make good decisions when filtering and analysing network data.
Furthermore, if you feel like you have to use the command line, tcpdump and
Tshark (Wireshark on the command line) are very similar. Lastly, if you've got
a network capture made using tcpdump, you can open it with Wireshark/Tshark.
There's literally nothing that makes tcpdump the superior tool; they're
complementary.

~~~
Daviey
For extensive analysis, I tend to use tcpdump on the remote host - dump to
pcap, and then dig through it locally using wireshark.

~~~
ZenoArrow
Yeah, that's what I mean about them being complementary: tcpdump being useful
to create the initial capture on a remote host, and Wireshark being useful to
sift through it.

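The remote-capture workflow Daviey and ZenoArrow describe (tcpdump on the far host, Wireshark locally), written out as an added example; this is not code from the thread or from the linked primer. The host name, interface and output path are hypothetical placeholders. It shows the two usual variants, write-to-pcap for later transfer and live streaming over ssh, plus a magic-byte check so you know which reader a transferred file needs before opening it.

```shell
#!/bin/sh
# Remote tcpdump capture, local Wireshark analysis.
# Hypothetical names: remote host "sensor.example", interface eth0.

# Build the tcpdump command to run on the remote host.
#   -s 0  capture whole packets (no truncation)
#   -U    flush each packet to the file as it arrives
#   -w    write raw pcap instead of decoding on the remote side
# The capture filter should exclude your own SSH session ("not port 22"),
# otherwise the capture traffic feeds back into itself.
remote_capture_cmd() {
    iface="$1"; filter="$2"; out="$3"
    printf 'sudo tcpdump -i %s -s 0 -U -w %s %s' "$iface" "$out" "$filter"
}

# Variant 1: capture to a file on the remote host, then pull it back.
# e.g. capture_to_file sensor.example eth0 'not port 22' /tmp/cap.pcap
capture_to_file() {
    host="$1"; iface="$2"; filter="$3"; out="$4"
    ssh "$host" "$(remote_capture_cmd "$iface" "$filter" "$out")"
    scp "$host:$out" ./
}

# Variant 2: stream live. tcpdump writes pcap to stdout (-w -), ssh carries
# it, and Wireshark reads the stream from stdin (-k starts immediately, -i -).
# e.g. stream_to_wireshark sensor.example eth0 'not port 22'
stream_to_wireshark() {
    host="$1"; iface="$2"; filter="$3"
    ssh "$host" "sudo tcpdump -i $iface -s 0 -U -w - '$filter'" | wireshark -k -i -
}

# Identify a transferred capture by its first four bytes so you know whether
# you have classic pcap, nanosecond pcap, or pcapng (Wireshark's default).
# Returns non-zero for anything else (truncated or not a capture).
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) echo pcap ;;     # microsecond timestamps, either byte order
        a1b23c4d|4d3cb2a1) echo pcap-ns ;;  # nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;   # pcapng section header block
        *)                 echo unknown; return 1 ;;
    esac
}
```

Because tcpdump's `-w` output is raw packet data, Wireshark and tshark open it directly, and streaming with `-w -` avoids a large file on a host you may not want to leave evidence on. Remember that `-U` is what makes the live stream usable; without it tcpdump buffers output and Wireshark appears to hang.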
