Wireshark Packet Capture: Tshark Vs. Dumpcap

The Wireshark network protocol analyzer provides three basic methods for capturing packets: the GUI, Tshark, and Dumpcap. The GUI is the most common technique used by network analysts, but those who want to capture from scripts or simply don’t want to work through the GUI use Tshark or Dumpcap.

There's been a lot of debate over Tshark and Dumpcap since they are both command-line tools, support basic capture filters and can write to files. I tested these two utilities back when 100 megabits was all we had to worry about; generally speaking, it didn’t matter much which one I chose. Now, with 1 gigabit the norm, I felt like it was time to revisit this topic.

In this video, I use a traffic generator and laptop with Wireshark to test both methods to see how they performed.

It was important to make my tests as realistic as possible. I see no value in blasting 1 Gb of traffic at a laptop since I don’t know many analysts who would use their laptops and Wireshark in those scenarios. Hardware-based packet capture tools are best suited for high-packet rate or high utilization scenarios. Instead, I focused on traffic captures involving less than 50% utilization with a frame size of approximately 800 bytes.

The results were very interesting, even though I expected an increase in packet loss as the frame rate increased. I didn’t expect Dumpcap to perform as well as it did. As I state in the video, I encourage any network analyst who relies on the software method for capturing packets rather than hardware-based equipment to invest in a traffic generator to test your equipment.