CompTIA CySA+ CS0-003: Tcpdump 101

Tcpdump is a command-line packet capture tool, roughly the CLI counterpart of Wireshark, and it requires elevated permissions because it captures directly from the network interface.  Tcpdump is for Linux; the Windows version is WinDump, which uses WinPcap instead.  Most Linux distributions ship with tcpdump, but you can install it with sudo dnf install along with libpcap, the library for network packet capture.  Note that packet capture tools such as tcpdump put the interface in promiscuous mode, meaning the interface captures all traffic it sees on the segment, not only frames addressed to the host, unless specifically filtered.

To use tcpdump, you first need to know which interface you want to capture on and what data you want.  Tcpdump lets you capture on a specific interface and either display all packets or capture and display only the packets you choose.  You can name specific protocols or ports, or use an expression such as “not port x” to exclude traffic you do not need, and you can combine filters with logical operators (and, or, not).  To save the capture, add “-w” (write) followed by a file name and tcpdump stores it in .pcap format, which Wireshark can open.  Wireshark is much more powerful and easier to use than tcpdump.  However, tcpdump is extremely useful for a simple, quick analysis, as long as you are comfortable with the CLI.
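As an added example (not part of these notes and not tcpdump's own code), the script below builds a constructed three-frame capture in the classic pcap format that tcpdump -w writes, reads it back, and applies the equivalent of the “not port 22” filter in pure Python so you can see what that filter actually keeps. All MAC addresses, IP addresses, ports and timestamps are constructed sample values.

```python
import struct

LINKTYPE_ETHERNET = 1  # pcap link type 1 = Ethernet frames

def tcp_frame(src_port, dst_port):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed; checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))  # 192.0.2.0/24 is a documentation range
    return eth + ip + tcp

def write_pcap(frames, snaplen=65535):
    """Serialize frames as classic pcap: 24-byte global header, then a 16-byte header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse pcap bytes into (timestamp, frame) pairs, using the byte order the magic number encodes."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return frames

def tcp_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:  # EtherType IPv4, IP protocol 6 = TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def not_port(frames, port):
    """Emulate the tcpdump filter 'not port N': drop frames where either TCP port equals N."""
    return [f for f in frames if port not in (tcp_ports(f) or ())]

# Constructed capture: SSH, DNS over TCP, and an HTTPS reply.
SAMPLE = write_pcap([tcp_frame(51000, 22), tcp_frame(51001, 53), tcp_frame(443, 51002)])

def summarize(data, excluded_port):
    """Return (frames in file, frames surviving 'not port <excluded_port>')."""
    frames = [f for _, f in read_pcap(data)]
    return len(frames), len(not_port(frames, excluded_port))

if __name__ == "__main__":
    print(summarize(SAMPLE, 22))  # (3, 2)
```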