Packet captures are often the fastest way to tell whether a failure lives in DNS, TCP, TLS, the firewall, or the application itself. For live traffic, install Wireshark on Debian from the default APT repositories; that path uses Debian’s dumpcap permission model instead of running the full GUI as root.
The same commands work on Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye). APT installs the Wireshark desktop app, tshark, and Debian’s dumpcap permission handling. The Wireshark Flatpak on Flathub can open saved capture files, but it does not replace the Debian packages for live packet capture.
Install Wireshark on Debian
Start by refreshing Debian’s package index so APT uses current repository metadata:
sudo apt updateThese commands use
sudofor system-level package installation and permission changes. If your account cannot run sudo yet, add a user to sudoers on Debian before continuing.
Install the graphical Wireshark package and the separate tshark command-line package:
sudo apt install wireshark tsharkThe wireshark package installs the desktop analyzer. The tshark package installs the terminal analyzer used for command-line packet captures and version checks. APT also installs wireshark-common, which owns /usr/bin/dumpcap, and libcap2-bin, which supplies the capability-checking tool for dumpcap verification.
Verify the installed command-line analyzer:
tshark --versionThe first line prints the installed TShark and Wireshark branch. Match that output against the expected branch for your Debian release:
| Debian release | Default Wireshark branch | Package source |
|---|---|---|
| Debian 13 (Trixie) | 4.4.x | Default APT and security sources |
| Debian 12 (Bookworm) | 4.0.x | Default APT and security sources |
| Debian 11 (Bullseye) | 3.4.x | Default APT and security sources |
Security updates can change the exact patch-level package revision, but the same install command works across Debian 13, 12, and 11. On Debian 12 and Debian 11, wireshark is a meta-package that pulls the wireshark-qt desktop package; Debian 13 packages the graphical application directly as wireshark.
Use APT Instead of Flatpak for Live Capture
Choose Debian’s APT packages when you need to capture packets from local interfaces. The Flathub package can open saved capture files, but it does not provide the Debian dumpcap permission setup that lets a normal desktop session capture traffic through the wireshark group. If you only need the Flatpak for saved-file analysis, install Flatpak on Debian before using Flathub.
Configure Wireshark Capture Permissions
During installation, Debian asks whether non-superusers should be able to capture packets. The default answer is No, so select Yes for normal desktop use. That choice creates the wireshark group and grants capture capabilities to /usr/bin/dumpcap, which lets Wireshark and tshark capture traffic without running the whole application as root.
If you selected No, missed the prompt, or need to change the setting later, reconfigure the package:
sudo dpkg-reconfigure wireshark-commonSelect Yes when prompted, then add your account to the Wireshark group.
Add Your User to the Wireshark Group
Add your current account to the wireshark group:
sudo usermod -aG wireshark "$USER"The -aG flags append the group without replacing your existing supplementary groups. Log out of the desktop session and back in so graphical apps inherit the new group membership. For the current terminal only, you can start a temporary group session with:
newgrp wiresharkAfter logging back in, confirm that wireshark appears in your group list:
id -nG | tr ' ' '\n' | grep '^wireshark$'Expected output:
wireshark
Verify Debian dumpcap Capabilities
Use the full path for getcap because regular user shells may not include administrative sbin directories in PATH. The libcap2-bin package supplies the command, and /usr/sbin/getcap is available on Debian 13, 12, and 11:
/usr/sbin/getcap /usr/bin/dumpcapExpected output when capture permissions are configured correctly:
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
Launch Wireshark on Debian
Wireshark is a desktop application, so launch it from an active graphical session. From a terminal inside that session, run:
wiresharkYou can also open it from the applications menu by searching for Wireshark. GNOME lists it from Activities and Show Applications; KDE Plasma, Xfce, and Cinnamon place it in their normal application menus.
Use tshark for Command-Line Captures
tshark uses the same packet capture and protocol dissection engine as Wireshark, but it runs from the terminal. This is useful for quick checks, scripts, and saved captures you want to open later in the GUI.
List capture interfaces first:
tshark -DRelevant output includes the real network interface, the Linux any pseudo-interface, loopback, and optional extcap helpers. The helper list varies by Wireshark branch and installed support, so use the numbered interface that matches your system:
1. enp0s3 2. any 3. lo (Loopback) 4. bluetooth-monitor 5. nflog 6. nfqueue 7. dbus-system 8. dbus-session 9. ciscodump (Cisco remote capture) 10. dpauxmon (DisplayPort AUX channel monitor capture) 11. randpkt (Random packet generator) 12. sdjournal (systemd Journal Export) 13. sshdump (SSH remote capture) 14. udpdump (UDP Listener remote capture) 15. wifidump (Wi-Fi remote capture)
Capture traffic from all interfaces for 10 seconds with the Linux any interface:
tshark -i any -a duration:10On Linux, the any interface can print a promiscuous-mode warning. That is expected for this pseudo-interface; the capture can still complete.
Save a bounded capture for later analysis in the Wireshark GUI:
tshark -i any -a duration:30 -w capture.pcapngOpen capture.pcapng from Wireshark when you need filtering, stream following, protocol details, or export tools. Wireshark’s official documentation covers display filters and deeper packet-analysis workflows after installation.
Troubleshoot Wireshark on Debian
No Network Interfaces Appear in Wireshark
If Wireshark opens but shows no capture interfaces, your session probably does not have the wireshark group yet or wireshark-common was configured without non-root capture support.
Check whether your current shell has the wireshark group:
id -nG | tr ' ' '\n' | grep '^wireshark$'When the group is active, the command prints:
wireshark
If the command prints nothing, add your account and log out completely:
sudo usermod -aG wireshark "$USER"If the group exists but interfaces are still missing after a fresh login, reconfigure wireshark-common and select Yes:
sudo dpkg-reconfigure wireshark-commontshark Reports Dumpcap Permission Denied
When group membership has not reached the current session, tshark -D may fail with:
tshark: Couldn't run dumpcap in child process: Permission denied
Start a temporary terminal session with the wireshark group, or log out and back in for a clean desktop session:
newgrp wiresharkThen retry the interface list:
tshark -Ddumpcap Has No Capture Capabilities
If /usr/sbin/getcap /usr/bin/dumpcap prints nothing, Debian has not applied the capture capabilities. Reconfigure the common package and choose Yes:
sudo dpkg-reconfigure wireshark-commonThen retest the dumpcap capabilities:
/usr/sbin/getcap /usr/bin/dumpcapThe command should return:
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
Manage Wireshark on Debian
Update Wireshark
Wireshark updates arrive through Debian’s normal package repositories. Refresh APT metadata, then upgrade the installed Wireshark package set:
sudo apt update
sudo apt install --only-upgrade wireshark tshark wireshark-commonAPT includes matching dependency packages such as wireshark-qt on Debian 12 and Debian 11 when they need the same security update. A full system upgrade also includes Wireshark updates when Debian publishes them:
sudo apt update
sudo apt upgradeRemove Wireshark
Remove the Wireshark packages with:
sudo apt remove wireshark tshark wireshark-commonOn Debian 12 and Debian 11, APT also removes the related wireshark-qt package because it depends on wireshark-common. If APT lists only Wireshark-related libraries and Qt dependencies you no longer need, you can review and confirm the separate cleanup step:
sudo apt autoremoveIf you also want to undo the non-root capture permission change for your account, remove your user from the wireshark group. Existing sessions keep their current groups until you log out.
sudo gpasswd -d "$USER" wiresharkThe next command permanently deletes Wireshark settings, profiles, and preferences for your user account. It does not remove packet captures saved elsewhere, so back up anything under
~/.config/wireshark/that you want to keep.
rm -rf -- "$HOME/.config/wireshark"Confirm the main packages are no longer installed:
dpkg -l wireshark tshark wireshark-common wireshark-qt 2>/dev/null | grep '^ii' || trueNo output means those packages are no longer installed.
Conclusion
Wireshark is installed on Debian with tshark available for terminal captures and dumpcap configured for non-root packet access. For follow-up network checks, install Nmap on Debian pairs well with packet captures, and enable SSH on Debian helps inspect remote systems securely.
Thank you for sharing. Cheers.