goodell.io - goodell.io

Description: Dave Goodell's notes

Jun 13, 2017

[tl;dr: per-packet coloring is now supported in tshark (command-line Wireshark) with --color]

I regularly use tshark when doing protocol work, often several times per week. It’s a great way to take load off my brain instead of constantly parsing packets with my eyeballs directly from a raw hex dump. tshark is like tcpdump on steroids, providing me the majority of the benefits of Wireshark but without having to leave the terminal, use the mouse, or slurp a .pcap file around between machines. With tshark I can usually just view the .pcap file on the same server I used to capture it.