GUI required? Use on headless Ubuntu Server via SSH?

edit

(If I shouldn't turn this into a "newbie's questions" thread beyond the scope of my original question, please let me know.)

What's the most expedient way to access/read the pcapng files that tshark writes?

Got it -- tcpdump

tcpdump is also useful but doesn't have some of the filtering capabilities that tshark has. Use whatever's appropriate for you.

To examine the captures, transfer them to another host that can run Wireshark.

I meant tcpdump only for examining the tshark pcapng file output, after Ctrl-C-ing out of tshark.

tcpdump dissects much less traffic than tshark, but if it meets your needs it's good enough. Arguably you could also use tcpdump to make the captures.

Not sure what you mean by "dissects." To expand my previous: I'm capturing with tshark -w to generate a pcapng file, then using tcpdump -r to open the file with standard output redirected to a text file, which I then view in an editor.

I could, as you suggest, copy tshark's output file to my Mac and use Wireshark there to open/read the file. Would that provide any additional useful info?

tcpdump (and tshark and wireshark and dumpcap) can all capture all the traffic, but their filtering capabilities differ.

Similarly, their output capabilities all differ when attempting to display the contents of the captured traffic, generally least output to most is dumpcap (doesn't show packet details) <- tcpdump <- tshark <- wireshark

(Thanks for bearing with me!)

Since tcpdump -> tshark for display capabilities, might it be better to use--

tshark [filtering options] > output.txt
Ctrl-C # interested for now only in 1st few seconds

than what I've done so far:

tshark [filtering options] -w file.pcapng
Ctrl-C
tcpdump -r file.pcapng > output.txt