Using CentOS 5.2 or Red Hat Enterprise Linux 5, install Wireshark (formerly Ethereal) and run a capture from the command line.

Install Wireshark:

yum install wireshark

Run a capture:

tethereal -i eth1 -w ~/mycapture.pcap

This runs tethereal, the command-line capture tool that ships with Wireshark (it was renamed tshark in later releases, so use that name if tethereal is not found), captures on the eth1 interface and writes the raw packets to /yourhomedir/mycapture.pcap. It keeps capturing until you press Ctrl-C. Opening an interface for capture needs root, so run it with sudo or from a root shell; with sudo the file still lands in your own home directory, but it will be owned by root. Treat the .pcap as sensitive: it holds whatever crossed the wire, including any cleartext credentials.

Why would you want to do this? To capture packets on a headless or remote Linux box and analyse the data elsewhere.

Right now I’m at home, but I have a headless CentOS box at work that’s running ntop from a mirrored port, in order to look at network traffic flowing over the router. To increase the capability of the CentOS box, I want to use it to capture packets using Wireshark, then download the .pcap file over WinSCP and look at the data on my laptop using Wireshark for Windows.
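The one-liner above captures everything on the interface. The script below is an added example, not code from the original post: it wraps the same capture tool so that a BPF capture filter and a time limit can be given, which also answers the question in the comments about only sniffing SIP in the first place. The tool name (tshark, falling back to tethereal on old packages), the interface eth1 and the SIP port 5060 are assumptions; a PBX may signal on another port.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds and runs a
# command-line Wireshark capture that writes only the packets matching a
# BPF capture filter. Assumed: tool is tshark (tethereal on 0.99-era
# packages), interface eth1, SIP signalling on port 5060.

# Name of the installed command-line capture tool; returns 1 if none.
capture_tool() {
    if command -v tshark >/dev/null 2>&1; then
        echo tshark
    elif command -v tethereal >/dev/null 2>&1; then
        echo tethereal
    else
        return 1
    fi
}

# Interface names may only contain letters, digits and . _ : - so that a
# value taken from a script argument cannot smuggle extra shell words in.
valid_iface() {
    case "$1" in
        "" | *[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the capture command line without running it, so it can be reviewed.
# $1 tool, $2 interface, $3 output file, $4 BPF capture filter ("" for
# none), $5 duration in seconds ("" to run until Ctrl-C).
build_capture_cmd() {
    tool=$1; iface=$2; out=$3; filter=$4; secs=$5
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    cmd="$tool -i $iface -w '$out'"
    # -f applies the filter in the kernel (BPF) before packets are written,
    # unlike a Wireshark display filter, which only hides them afterwards.
    if [ -n "$filter" ]; then
        cmd="$cmd -f '$filter'"
    fi
    # -a duration:N stops the capture automatically after N seconds.
    if [ -n "$secs" ]; then
        cmd="$cmd -a duration:$secs"
    fi
    echo "$cmd"
}

# Capture filter for SIP signalling on its registered port (assumed port).
sip_filter() {
    echo "udp port 5060 or tcp port 5060"
}

# Run a capture. $1 interface, $2 output file, $3 filter, $4 seconds.
# Needs root to open the interface.
run_capture() {
    tool=$(capture_tool) || { echo "tshark/tethereal not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    cmd=$(build_capture_cmd "$tool" "$1" "$2" "$3" "$4") || return 1
    echo "running: $cmd"
    eval "$cmd"
    # The capture holds call metadata and possibly credentials: owner-only.
    chmod 600 "$2"
}

# Example: ten minutes of SIP signalling only on eth1.
# run_capture eth1 "$HOME/sip.pcap" "$(sip_filter)" 600
```

Because the filter runs in the kernel before anything is written, the file stays small and a later download over WinSCP is quick; anything not matching the filter is never recorded, so pick the filter to include every port your phones actually use.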

Written by Phil Wiffen

Phil is an IT Professional working in Cambridge, England. He generally blogs about useful solutions that he comes across in his work/play.



I want to ask: how can I open the Wireshark GUI in Linux?




To install a Wireshark GUI, type:

yum install wireshark-gnome

Let it install, then find Wireshark under Applications -> Internet in the Linux desktop menu.

Do remember that to install Wireshark in the first place you need to run:

yum install wireshark




Is it possible to filter the packets that are sniffed on the Linux box? By executing the command tethereal -i eth1 -w ~/mycapture.pcap, it captures all the packets. I know we can filter the results in the Wireshark program, but what I was looking for was to only sniff SIP packets in the first place. I am not interested in the other protocols. Your expert advice would be greatly appreciated.



You need to install wireshark-gnome for the graphical window, and you have to use a graphical desktop session.


Thanks for the post! I'm kind of a noob in RHEL and didn't know about the wireshark-gnome thing! Ubuntu spoiled me...
