3. Capturing Traffic for Offline Analysis

If Wireshark isn’t available on the host you want to analyze, you can capture traffic from the console/terminal and then open the capture file in Wireshark to display and analyze the traffic offline (instead of as live traffic).

To capture traffic from the console/terminal, use tcpdump or tshark. To learn about these tools, enter tcpdump --help or tshark --help.
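As an added example (not part of the original page): a capture file written with tcpdump -w uses the classic libpcap format, which is simple enough to check by hand before the file is carried to the host that has Wireshark. The Python below writes two constructed Ethernet/IPv4/UDP frames into a temporary pcap file and reads them back, reporting the link type, the snaplen and how many records were cut short (a capture taken with a small tcpdump -s snaplen shows the latter). Everything in it is constructed: the frames, the TEST-NET addresses and the temporary file name. It only reads pcap; a pcapng file (the newer format Wireshark saves by default) is rejected with an explicit error, and editcap -F pcap can convert it.

```python
# Added example (not from the original page): a minimal reader/writer for the
# classic libpcap format written by "tcpdump -w" and opened by Wireshark for
# offline analysis.  The frames and file names below are constructed.
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4        # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D        # nanosecond timestamps
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block of the newer pcapng format
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """RFC 1071 ones-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload=b"ping"):
    """Constructed Ethernet/IPv4/UDP frame (example data, not a real capture)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst, src, EtherType IPv4
    udp_len = 8 + len(payload)
    fields = [0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
              bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])]    # TEST-NET-1 addresses
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(ip)                  # fill in the header checksum
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0)  # UDP checksum 0 = not computed
    return eth + ip + udp + payload


def write_pcap(path, frames, snaplen=262144, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Write (ts_sec, ts_usec, bytes) frames; snaplen truncates like tcpdump -s."""
    with open(path, "wb") as fh:
        fh.write(struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, data in frames:
            captured = data[:snaplen]
            fh.write(struct.pack(endian + "IIII", ts_sec, ts_usec, len(captured), len(data)))
            fh.write(captured)


def read_pcap(path):
    """Parse a pcap file into (header dict, list of record dicts).  Like Wireshark,
    it picks byte order and timestamp resolution from the magic number."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file; convert with 'editcap -F pcap' or use a pcapng reader")
    if len(raw) < 24:
        raise ValueError("file too short to be a pcap capture")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", raw[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    ts_div = 1_000_000_000 if magic == PCAP_MAGIC_NSEC else 1_000_000
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", raw[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
              "nanosecond": ts_div == 1_000_000_000}
    records, off = [], 24
    while off < len(raw):
        if off + 16 > len(raw):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", raw[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(raw):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        records.append({"timestamp": ts_sec + ts_frac / ts_div,
                        "captured_len": incl_len, "original_len": orig_len,
                        "truncated": incl_len < orig_len,   # cut short by the snaplen
                        "data": raw[off:off + incl_len]})
        off += incl_len
    return header, records


def capture_summary(path):
    """Sanity-check a capture before shipping it off for offline analysis."""
    header, records = read_pcap(path)
    return {"packets": len(records), "linktype": header["linktype"],
            "snaplen": header["snaplen"],
            "truncated": sum(1 for r in records if r["truncated"])}


def demo(endian="<"):
    """Round-trip two constructed frames through a temporary capture file."""
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    frames = [(1_700_000_000, 250_000, build_sample_frame(b"ping")),
              (1_700_000_000, 500_000, build_sample_frame(b"x" * 100))]
    write_pcap(path, frames, snaplen=64, endian=endian)  # small snaplen to show truncation
    return capture_summary(path), read_pcap(path)[1]


if __name__ == "__main__":
    print(demo()[0])  # {'packets': 2, 'linktype': 1, 'snaplen': 64, 'truncated': 1}
```

Running capture_summary on a real file taken with tcpdump -w is the useful part: a non-zero truncated count means the snaplen was too small for the protocols you want to dissect, and it is cheaper to recapture on the spot than to discover the cut-off payloads later in Wireshark.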

Note: On some hosts, capturing traffic requires administrator (root) permissions. If they are needed and you are not running as sudo/admin, no interfaces will be listed as available to capture. Just close Wireshark and rerun it as sudo/admin.