3. Capturing Traffic for Offline Analysis
If Wireshark isn’t available on the host that you want to analyze, you can capture traffic from the console/terminal. Then you can use Wireshark to display/analyze the captured traffic offline (instead of as live traffic).
To capture traffic from the console/terminal, use tcpdump or tshark.
To learn about these tools, enter tcpdump --help or tshark --help.
Note: On some hosts, you need administrator permissions to capture traffic. If that is the case and you are not running as sudo/admin, no capture interfaces will be listed. Close Wireshark and rerun it as sudo/admin.
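The console capture described above, as an added example that is not part of the course page: a small POSIX shell script that runs tcpdump into a file and then checks the file's magic number before it is copied to a host with Wireshark. The interface name, packet count, output path and capture filter are all caller-supplied assumptions; tcpdump must be installed, and on hosts that require administrator permissions the capture function must be run under sudo/admin.

```shell
#!/bin/sh
# Added example, not from the course page. Capture on the console with tcpdump,
# then sanity-check the resulting file before loading it into Wireshark elsewhere.
# Assumptions: tcpdump is installed; IFACE, COUNT, OUTFILE and FILTER are supplied
# by the caller; capturing may require sudo/admin on some hosts.

# capture_pcap IFACE COUNT OUTFILE [FILTER...]
# -i selects the interface, -c stops after COUNT packets so the capture ends on its
# own, -n skips name resolution, -s 0 keeps full packets, -w writes the raw packets
# to OUTFILE without decoding them (decoding happens later, in Wireshark).
capture_pcap() {
    iface=$1; count=$2; outfile=$3
    shift 3
    if [ -z "$iface" ] || [ -z "$count" ] || [ -z "$outfile" ]; then
        echo "usage: capture_pcap IFACE COUNT OUTFILE [FILTER...]" >&2
        return 2
    fi
    tcpdump -i "$iface" -c "$count" -n -s 0 -w "$outfile" "$@"
}

# pcap_magic FILE: print the first four bytes of FILE as lowercase hex with no
# separators, e.g. d4c3b2a1 for a little-endian classic pcap file.
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# verify_capture FILE: return 0 and name the format when FILE starts with a
# pcap or pcapng magic number, return 1 otherwise. Anything else is not a
# capture file and Wireshark will not open it as one.
verify_capture() {
    case "$(pcap_magic "$1")" in
        d4c3b2a1|a1b2c3d4) echo "$1: pcap (microsecond timestamps)" ;;
        4d3cb2a1|a1b23c4d) echo "$1: pcap (nanosecond timestamps)" ;;
        0a0d0d0a)          echo "$1: pcapng" ;;
        *) echo "$1: not a capture file" >&2; return 1 ;;
    esac
}

# Typical use (run with sudo/admin where the host requires it), then verify:
#   capture_pcap eth0 200 /tmp/sample.pcap port 53
#   verify_capture /tmp/sample.pcap
```

The capture filter after OUTFILE (for example, port 53) is applied by tcpdump while capturing, so only matching packets reach the file; leaving it empty records everything seen on the interface. verify_capture only reads the first four bytes, which is enough to tell a real capture from a truncated or empty file produced by a capture that was interrupted before it wrote its header.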