Wireshark Packet Analysis — Capturing, Filtering, and Network Troubleshooting
A practical guide to using Wireshark for network packet capture and analysis — from basic capturing to advanced filters, protocol analysis, and real-world troubleshooting scenarios.
What is Wireshark?
Wireshark is the world's most widely used network protocol analyzer. It captures network traffic in real-time and displays it in a human-readable format, allowing you to inspect every packet flowing through your network.
When to Use Wireshark
- Troubleshooting — Diagnose connectivity issues, slow performance, dropped connections
- Security analysis — Detect suspicious traffic, malware communication, data exfiltration
- Protocol debugging — Verify MQTT, SNMP, HTTP, DNS, and other protocols are working correctly
- Learning — Understand how network protocols actually work at the packet level
- Forensics — Analyze captured traffic after a security incident
Getting Started
Installation
# Ubuntu/Debian
sudo apt install wireshark
sudo usermod -aG wireshark $USER # Allow non-root capture (log out and back in for the group change to apply)
# Windows/macOS: Download from wireshark.org
Basic Capture
- Launch Wireshark
- Select a network interface (eth0, wlan0, etc.)
- Click the shark fin icon to start capturing
- Perform the network activity you want to analyze
- Click the red square to stop
The Wireshark Interface
┌──────────────────────────────────────────────────┐
│ Display Filter Bar: ip.addr == 10.0.0.1          │
├────┬───────┬──────────┬───────┬──────────────────┤
│ No │ Time  │ Source   │ Dest  │ Protocol Info    │ ← Packet List
├────┼───────┼──────────┼───────┼──────────────────┤
│ 1  │ 0.000 │ 10.0.0.1 │ 10.0. │ TCP SYN          │
│ 2  │ 0.001 │ 10.0.0.5 │ 10.0. │ TCP SYN-ACK      │
│ 3  │ 0.002 │ 10.0.0.1 │ 10.0. │ TCP ACK          │
├────┴───────┴──────────┴───────┴──────────────────┤
│ Frame 1: 74 bytes on wire                        │
│ ► Ethernet II: Src: aa:bb:cc:dd:ee:ff            │ ← Packet Details
│ ► Internet Protocol: Src: 10.0.0.1               │
│ ► Transmission Control Protocol: Src Port: 52431 │
├──────────────────────────────────────────────────┤
│ 0000 aa bb cc dd ee ff 11 22 33 44 55 66 08 00   │ ← Hex Dump
│ 0010 45 00 00 3c 1c 46 40 00 40 06 ...           │
└──────────────────────────────────────────────────┘
Display Filters
Display filters are the most powerful Wireshark feature. They let you focus on exactly the traffic you need.
Basic Filters
# Filter by IP address
ip.addr == 10.0.0.1 # Source or destination
ip.src == 10.0.0.1 # Source only
ip.dst == 10.0.0.1 # Destination only
# Filter by protocol
tcp # All TCP traffic
udp # All UDP traffic
dns # DNS queries and responses
http # HTTP traffic
mqtt # MQTT messages
snmp # SNMP traffic
icmp # Ping / ICMP
# Filter by port
tcp.port == 80 # HTTP (source or dest)
tcp.dstport == 443 # HTTPS destination
udp.port == 161 # SNMP
tcp.port == 1883 # MQTT
Advanced Filters
# Combine with AND/OR/NOT
ip.addr == 10.0.0.1 && tcp.port == 80
ip.addr == 10.0.0.1 || ip.addr == 10.0.0.2
!arp # Exclude ARP traffic
# HTTP-specific
http.request.method == "POST"
http.response.code == 404
http.host contains "example.com"
# TCP analysis
tcp.analysis.retransmission # Find retransmissions
tcp.analysis.zero_window # Zero window (flow control)
tcp.analysis.duplicate_ack # Duplicate ACKs
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only (new connections)
# DNS
dns.qry.name contains "example.com"
dns.flags.rcode != 0 # DNS errors
# SNMP
snmp.community == "public"
snmp.version == 3
Capture Filters (BPF)
Capture filters reduce the amount of data captured (applied before capture):
# Capture only traffic to/from a specific host
host 10.0.0.1
# Capture only HTTP traffic
port 80
# Capture only SNMP
port 161
# Capture only specific subnet
net 192.168.1.0/24
# Exclude SSH (useful when capturing over SSH)
not port 22
Practical Troubleshooting Scenarios
Scenario 1: Slow Website
# Filter for the web server
ip.addr == webserver.ip && tcp.port == 80
# Look for:
# 1. TCP retransmissions (packet loss)
tcp.analysis.retransmission
# 2. High latency (time between SYN and SYN-ACK)
# Right-click → Set Time Reference on SYN packet
# 3. Zero window (server or client overwhelmed)
tcp.analysis.zero_window
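The SYN-to-SYN-ACK check from this scenario, automated over a capture file, as an added example that is not part of the original guide: a small standard-library pcap reader applies the same condition as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0, pairs each SYN with its SYN-ACK, and reports the handshake latency per connection (what "Set Time Reference" on the SYN shows you by hand). It assumes a classic pcap with Ethernet framing and IPv4/TCP; the function names and the sample capture are constructed here.

```python
import struct
SYN, ACK = 0x02, 0x10  # TCP flag bits behind tcp.flags.syn / tcp.flags.ack

def build_pcap(packets):  # (ts, src, dst, sport, dport, flags) tuples -> classic pcap bytes (DLT_EN10MB)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for ts, src, dst, sport, dport, flags in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp  # dummy MACs, EtherType IPv4
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def tcp_packets(pcap):
    """Yield (timestamp, src, dst, sport, dport, flags) for every IPv4/TCP frame in the pcap."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic number gives byte order (ns magic not handled)
    off = 24                                               # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # keep only complete IPv4/TCP frames
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        yield (sec + usec / 1e6, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               *struct.unpack("!HH", tcp[:4]), tcp[13])

def handshake_latency(pcap):
    """(client, cport, server, sport) -> seconds from SYN to SYN-ACK, None if never answered."""
    syn_time, latency = {}, {}
    for ts, src, dst, sport, dport, flags in tcp_packets(pcap):
        if flags & SYN and not flags & ACK:        # tcp.flags.syn == 1 && tcp.flags.ack == 0
            key = (src, sport, dst, dport)
            if key not in syn_time:                # keep the first SYN; later ones are retries
                syn_time[key], latency[key] = ts, None
        elif flags & SYN and flags & ACK:          # the server's reply, keyed by the reversed tuple
            key = (dst, dport, src, sport)
            if key in syn_time and latency[key] is None:
                latency[key] = round(ts - syn_time[key], 6)
    return latency

SAMPLE = build_pcap([  # constructed capture: a fast handshake, a slow one, and an unanswered SYN
    (0.000, "10.0.0.1", "10.0.0.5", 52431, 80, SYN), (0.001, "10.0.0.5", "10.0.0.1", 80, 52431, SYN | ACK),
    (1.000, "10.0.0.1", "10.0.0.5", 52432, 80, SYN), (1.250, "10.0.0.5", "10.0.0.1", 80, 52432, SYN | ACK),
    (2.000, "10.0.0.1", "10.0.0.9", 52433, 80, SYN),
])
for (c, cp, s, sp), rtt in handshake_latency(SAMPLE).items():  # prints 1.0 ms, 250.0 ms, no SYN-ACK
    print(f"{c}:{cp} -> {s}:{sp}:", "no SYN-ACK" if rtt is None else f"{rtt * 1000:.1f} ms")
```

Point tcp_packets at the bytes of a real capture file to run the same report on traffic you recorded with Wireshark or tshark.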
Scenario 2: DNS Resolution Failure
# Capture DNS traffic
dns
# Look for:
# 1. Queries with no response
dns.qry.name contains "targetdomain"
# 2. DNS errors (NXDOMAIN, SERVFAIL)
dns.flags.rcode != 0
# 3. Slow DNS response time
# Statistics → DNS → check response times
Scenario 3: MQTT Not Connecting
# Filter MQTT traffic
mqtt
# Look for:
# 1. CONNECT packets and CONNACK responses
mqtt.msgtype == 1 # CONNECT
mqtt.msgtype == 2 # CONNACK
# 2. CONNACK return code (0 = success)
mqtt.connack.return_code != 0 # Failed connections
# 3. Check if TLS handshake fails (if using MQTTS)
tls.handshake.type == 1 # Client Hello (Wireshark before 3.0 uses ssl.handshake.type)
Scenario 4: SNMP Polling Issues
# Filter SNMP
snmp
# Look for:
# 1. GetRequest with no GetResponse
snmp.pdu_type == 0 # GetRequest
snmp.pdu_type == 2 # GetResponse
# 2. SNMP errors
snmp.error_status != 0
# 3. Community string being sent
snmp.community
Useful Statistics
Conversations
Statistics → Conversations — Shows top talkers:
Address A   Address B   Packets   Bytes    Duration
10.0.0.1    10.0.0.5    12,543    8.5 MB   120.3s
10.0.0.1    10.0.0.10    3,241    1.2 MB    60.1s
Protocol Hierarchy
Statistics → Protocol Hierarchy — Shows traffic breakdown:
Protocol    % Packets   % Bytes
TCP           78.2%      85.1%
  HTTP        45.3%      62.4%
  TLS         30.1%      20.5%
UDP           20.5%      13.8%
  DNS         12.1%       2.3%
  SNMP         8.4%      11.5%
I/O Graphs
Statistics → I/O Graphs — Plot traffic over time with custom filters. Useful for identifying traffic spikes or patterns.
Command-Line: tshark
For headless/server environments, use tshark (Wireshark's CLI):
# Capture to file
tshark -i eth0 -w capture.pcap -c 10000
# Read and filter a capture file
tshark -r capture.pcap -Y "http.request.method == POST"
# Extract specific fields
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name -e dns.a
# Live capture with display filter
tshark -i eth0 -Y "snmp" -T fields -e ip.src -e snmp.community
# Capture statistics
tshark -r capture.pcap -z conv,tcp
Security and Ethics
- Only capture traffic you are authorized to monitor
- Use capture filters to avoid capturing sensitive data unnecessarily
- Be aware of data protection regulations (GDPR, etc.)
- Secure your capture files — they may contain credentials and sensitive data
- In production environments, use port mirroring (SPAN) on the switch
Conclusion
Wireshark is an essential tool for any network engineer or administrator. Whether you're debugging IoT protocol issues, investigating security incidents, or verifying network performance, the ability to see exactly what's happening at the packet level is invaluable. Master display filters and you'll solve network problems faster than ever.
Related: NMAP Network Scanning, SNMP Network Monitoring, and Network Monitoring Best Practices.