An XDA writer this week made the case for skipping Wireshark on Windows 11 and starting with pktmon, the built-in packet monitor. That framing matches a bigger reality most operators live with: the box we need to sniff is rarely the box we are sitting in front of. It could be a Docker container, an unmanaged VPS, a Raspberry Pi in a closet, or an OPNsense router with nothing open but SSH. That is the headless packet capture problem, and Wireshark’s GUI is not the answer. What we need is a CLI that runs over SSH, writes a rotating pcap unattended, and reads BPF filters the way Wireshark’s capture engine does. We tested seven tools that do exactly that, on Windows and Linux hosts, and ranked them by strength.
What to look for in a headless packet capture tool
A remote capture has different constraints than a desktop one. Six things move the needle:
- BPF filter support. The same
tcp port 443 and host 10.0.0.1syntax should work; a filter that misses on capture cannot be recovered later. - Small binary, few dependencies. Alpine and stripped Debian images should not need X11 just to record traffic.
- Rotate-and-write to pcap. Overnight captures fill disks; a ring buffer via
-C,-G, or an equivalent flag matters more than any GUI feature. - Non-root operation where possible.
setcap cap_net_rawlets us drop root on shared boxes. - Protocol-aware output. When the answer is “is that DNS request malformed”, a decoded line beats a hexdump.
- SSH-friendly. TTY-safe output, no ncurses stalls, no assumptions about a 200-column terminal.
That is the checklist. Now the tools.
Quick comparison
| Tool | Best for | Platforms | Free plan | Starting price/mo | Rating |
|---|---|---|---|---|---|
| TShark | Full Wireshark dissectors on the command line | Windows, macOS, Linux | Yes | Free | 5/5 |
| tcpdump | Ubiquitous headless captures on Linux and BSD | Linux, macOS, BSD | Yes | Free | 5/5 |
| pktmon | Windows captures without installing anything | Windows 10, 11, Server 2019+ | Yes | Free | 4/5 |
| tcpflow | Reconstructing TCP streams into files | Linux, macOS | Yes | Free | 4/5 |
| ngrep | Grep-style pattern matching over the wire | Linux, macOS, Windows | Yes | Free | 4/5 |
| Zeek | Turning packets into searchable logs | Linux, macOS, BSD | Yes | Free | 4.5/5 |
| Termshark | Wireshark’s UI inside an SSH session | Linux, macOS, Windows, BSD | Yes | Free | 4/5 |
The tools
1. TShark, for full Wireshark dissectors on the command line
TShark ships with Wireshark and runs the exact same dissector engine, minus the GUI. Every protocol Wireshark decodes, TShark decodes on stdout, and every display filter we know from Wireshark works verbatim (-Y "http.request.method == POST"). Point it at an interface with -i eth0, add -w capture.pcap to write, add -b duration:600 -b files:24 to rotate hourly across a full day, and we have unattended capture and analysis in one binary.
Where it falls short: on Windows it needs the full Wireshark install to pick up Npcap; on stripped Linux images it pulls in the dissector libraries, which are not tiny. Live TLS decryption still needs a keylog file, same as the GUI.
Pricing: Free, open-source, GPLv2.
Platforms: Windows, macOS, most Linux distributions, BSD.
Download: Wireshark Foundation
Bottom line: the default when we want Wireshark’s brain without Wireshark’s window.
2. tcpdump, for headless captures on Linux and BSD
tcpdump is the tool every Unix host already has, or is one package away from having. tcpdump -i eth0 -w /var/log/capture.pcap -G 3600 -C 200 'tcp port 443' records to a rotating pcap we can pull down later and open in Wireshark, TShark, or any of the tools below. Its BPF filter syntax matches Wireshark’s capture filters exactly, and the binary weighs in under 2 MB on most distributions.
Where it falls short: no display filters, no protocol decoding beyond the built-in -vvv mode. On macOS Big Sur and later, some interfaces are locked down without extra permissions.
Pricing: Free, open-source, 3-clause BSD.
Platforms: Linux, macOS, FreeBSD, OpenBSD, NetBSD.
Download: The Tcpdump Group
Bottom line: the reflex answer on any Unix box that runs headless.
3. pktmon, for Windows captures without installing anything
pktmon is the Packet Monitor Microsoft ships with Windows 10, Windows 11, and Windows Server 2019 and later. pktmon start --capture --pkt-type all --file-size 200 records to an ETL file that we convert with pktmon pcapng (or, on older builds, pktmon etl2txt) and open in Wireshark or TShark elsewhere. For a Server Core box, or a hardened laptop where installing a sniffer is a change ticket, pktmon does the capture with tools already on disk.
Where it falls short: the CLI is verbose, its filter syntax uses component IDs rather than BPF, and the ETL-to-pcap step is an extra move that ties us to a Windows machine for the conversion.
Pricing: Free, ships with Windows.
Platforms: Windows 10, Windows 11, Windows Server 2019+.
Download: Microsoft Learn
Bottom line: the answer when the host is Windows and touching the software inventory is not.
4. tcpflow, for reconstructing TCP streams into files
tcpflow captures live traffic (or reads a pcap) and writes each reconstructed TCP flow to its own file, one direction per file. That is often what we actually want when the question is “what did this client send to that server” and paging through packets in Wireshark is the wrong altitude. It ships in Debian, Ubuntu, Fedora, and Homebrew, and its filter language is straight BPF.
Where it falls short: UDP is a second-class citizen; TLS and other encrypted flows dump ciphertext just like tcpdump does. Reconstructed files also grow quickly on long captures.
Pricing: Free, open-source, GPLv3.
Platforms: Linux, macOS.
Download: Simson Garfinkel on GitHub
Bottom line: the pick when the deliverable is “the HTTP body”, not “the packet trace”.
5. ngrep, for grep-style pattern matching over the wire
ngrep brings a familiar POSIX-style pattern to live traffic and to pcap files. ngrep -q -W byline -d eth0 'GET|POST' 'tcp port 80' prints only packets whose payload matches the regex, with the surrounding BPF filter narrowing the interface side. For quick questions like “is the client sending the wrong Host header” or “does the response contain that error string”, ngrep beats display-filter gymnastics.
Where it falls short: it does not understand TLS or HTTP/2 framing, so anything encrypted comes back as noise. Its release cadence has slowed, and while most distributions still package it, some no longer do.
Pricing: Free, open-source, revised BSD.
Platforms: Linux, macOS, Windows via WSL.
Download: ngrep on GitHub
Bottom line: the one to reach for when our first instinct is grep.
6. Zeek, for turning packets into searchable logs
Zeek, formerly Bro, sits between raw capture and a full IDS. Instead of pcap, it writes structured logs per protocol (conn.log, dns.log, http.log, ssl.log, x509.log, and dozens more) that we can grep, ship to Splunk or Loki, or feed into a SIEM. On a home-lab tap or a router with a mirror port, Zeek gives us weeks of behavioural data in a footprint pcap could not touch.
Where it falls short: it is not a five-minute install; expect a compile step or a distro package plus a light config pass. The learning curve is real, and the value shows up on day two, not day zero.
Pricing: Free, open-source, revised BSD.
Platforms: Linux, macOS, FreeBSD.
Download: The Zeek Project
Bottom line: the choice when we want to answer questions weeks later, not stare at packets today.
7. Termshark, for Wireshark’s UI inside an SSH session
Termshark is a terminal front end for TShark. Open a pcap or attach to a live interface and we get a familiar packet list, protocol tree, and hex pane, all rendered in the terminal already open. It works over SSH, over tmux, over a serial console into a headless VM, wherever a TTY is all we have.
Where it falls short: at 80 columns the layout gets cramped, and live captures on very high packet-per-second links can lag the UI. It is a viewer, not a replacement for scripted collection.
Pricing: Free, open-source, MIT.
Platforms: Linux, macOS, Windows, FreeBSD.
Download: Termshark
Bottom line: the closest we get to Wireshark on a box that will never have a display.
How to pick
- If the host is a modern Windows box we do not own: pktmon. Nothing to install, nothing to explain to security.
- If the host is Linux or BSD and we own it: tcpdump for capture, TShark for analysis on our own workstation.
- If the capture has to happen inside a container or an Alpine image: tcpdump, or a slim TShark sidecar. tcpflow when TCP streams are the actual deliverable.
- If we need a Wireshark-shaped view but only have SSH: Termshark. It is the fastest way to get a familiar interface on a foreign box.
- If the question is “does any packet contain string X”: ngrep. State the pattern, get the packets.
- If we care about behaviour across weeks, not the current five minutes: Zeek. It turns the network into a query-able dataset.
- If we are doing forensics on a pcap someone else captured: TShark on the command line, tcpflow when the artefacts matter more than the wire order.
FAQ
What is the best headless packet capture tool for a Windows server?
pktmon on Windows Server 2019 and later. It ships with the OS, captures at the ETW layer, rotates on its own, and outputs pcapng directly on current builds. When we need Wireshark’s dissectors, we convert the file and open it in TShark on a workstation.
Can we run TShark or tcpdump without root?
Yes on Linux, with setcap cap_net_raw,cap_net_admin+eip on the binary. That grants capture privileges to a specific executable without giving the caller full root. On BSD, add the user to the group that owns the bpf devices. On Windows, TShark needs Administrator to talk to Npcap.
How do we rotate captures so a long-running session does not fill the disk?
tcpdump uses -G <seconds> for time-based rotation and -C <MB> for size-based, combined with -W <count> to cap how many files are kept. TShark exposes the same via -b duration: and -b filesize:. pktmon caps with --file-size and its circular log mode. Zeek rotates its logs on a fixed schedule on its own.
Is Wireshark’s display filter language the same as tcpdump’s syntax?
No. tcpdump and TShark’s capture filter (-f) use BPF syntax (tcp port 443 and host 10.0.0.1). Wireshark and TShark’s display filter (-Y) is a different language (tcp.port == 443 && ip.addr == 10.0.0.1). Both are worth learning; the capture-side filter runs at kernel speed, the display-side one runs over already-captured packets.
Can pktmon replace Wireshark completely?
No. pktmon is a capture tool, not an analyser. It records to ETL, converts to pcapng on newer builds, and stops. To decode TLS handshakes, HTTP/2 streams, or QUIC, we still open the resulting pcap in Wireshark or TShark. The two are complements, not substitutes.
Are these tools safe to run on a production host?
Yes with reasonable care. Packet capture is passive and does not modify traffic, but the CPU cost on a busy link is not zero, and pcap files can grow fast. Cap the disk with a rotation policy, narrow the BPF filter to cap the CPU, and prefer a mirror port or tap over inline capture where the risk profile matters.