How do tshark, ngrep, and tcpdump Differ and When to Use Them


What happens on a network has always been an interest of mine. In graduate school in the 1980s, I worked on networking software. Later I used software protocol analyzers such as netwatch (later the commercial LANWatch) to dissect packets. A few years ago I contributed to what is now the Wireshark protocol analyzer. LANWatch uses a windowing interface to display network packets. Sometimes, though, a windowed tool may be impossible or inappropriate to use.

Character-based (or text-based, i.e., without windows) tools are used in many situations, generally where the hardware platform does not support a windowing system, such as an embedded system like an internet router. Three common open-source tools of this kind are tshark, ngrep, and tcpdump.


I use tshark more often than any other text-based protocol analyzer because of its flexibility and the wide range of protocols it can decode. It is probably clear from the name that tshark is part of the Wireshark project. It even uses the same code for dissecting packets, and it is included in the Wireshark distribution.

In addition to capturing and displaying network traffic, tshark also reads multiple formats common for captured data, including the pcap files created by tcpdump, a popular format on Linux and other UNIX-like systems. tshark can output not only traditional text but also PostScript or JSON for further printing or processing.

The many features and decodes of tshark make it a larger program than the other two discussed here. That means a common use case is to capture network traffic with one of the other tools and use tshark or Wireshark for the analysis.


ngrep is a much smaller tool than tshark. It supports the decoding of fewer protocols but was designed for a particular case: its goal is to let a user specify particular packets to search for. While tshark supports search, ngrep is very straightforward. It uses a search pattern syntax similar to the grep family of search tools, as opposed to the tshark/Wireshark display-filter format, which is more familiar to programmers. For instance, when looking for either 'best' or 'worst', one would use "best|worst" in ngrep and "best || worst" in a Wireshark display filter. There are a few examples in the Wikipedia article. I use ngrep for finding or capturing specific packets quickly.


tcpdump was the protocol analyzer/packet dumping tool for UNIX and UNIX-like systems for years. Today it is primarily used to capture packets or as a "quick and dirty" solution when neither of the other tools is available.

Its command line is simple, and basic use is familiar to many users. It also uses a different format for selecting packets to capture from the other two tools. There is some overlap, but the specific format for the capture expressions is documented in the pcap-filter manual.
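The workflow described above (capture with tcpdump, then search with ngrep and dissect with tshark) and the three filter syntaxes it involves, as an added shell example that is not from the original post. The interface eth0, the file name web.pcap, the port and the search words are illustrative assumptions; the capture step needs root or CAP_NET_RAW.

```shell
#!/bin/sh
# Added example (not from the original post): one capture, three tools.

# ngrep takes an extended regular expression; alternation is "|".
ngrep_pattern() { printf '%s|%s' "$1" "$2"; }

# tshark takes a Wireshark display filter. A bare word is not a valid
# filter, so each term is wrapped in a "frame contains" test joined by "||".
tshark_filter() { printf 'frame contains "%s" || frame contains "%s"' "$1" "$2"; }

# tcpdump's pcap-filter language matches on header fields, not payload text,
# so the capture is narrowed by port and text search is left to the other two.
bpf_filter() { printf 'tcp port %s' "$1"; }

# Capture COUNT packets on IFACE into FILE (pcap format, readable by all three).
capture() {  # capture IFACE FILE COUNT PORT
  tcpdump -i "$1" -n -c "$3" -w "$2" "$(bpf_filter "$4")"
}

# Quick payload search over the saved file with ngrep:
# -I reads a pcap file, -q suppresses progress marks, -i ignores case.
search() {   # search FILE WORD1 WORD2
  ngrep -q -i -I "$1" "$(ngrep_pattern "$2" "$3")"
}

# Full dissection with tshark, printing only the fields of interest.
dissect() {  # dissect FILE WORD1 WORD2
  tshark -r "$1" -Y "$(tshark_filter "$2" "$3")" \
    -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport
}

# Run the whole pipeline only when asked: ./script.sh run
if [ "${1:-}" = "run" ]; then
  capture eth0 web.pcap 50 80
  search web.pcap best worst
  dissect web.pcap best worst
fi
```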

Each of these tools is a bit different from the others. As I noted, I tend to use tshark or ngrep these days a lot more than I use tcpdump when I need a text-based tool. These are all valuable tools for the network administrator's or technician's toolbox.

Written by John McDermott

John McDermott, CPLP, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.
