Wireshark Essentials: A Beginner’s Guide to Network Packet Analysis

Mastering Wireshark: Troubleshooting Network Problems Step‑by‑Step

Introduction

Wireshark is a powerful network protocol analyzer that captures and displays packets traveling through a network. This step‑by‑step guide shows practical workflows and techniques to diagnose common network problems, from slow connections to application errors.

1. Prepare before you capture

  • Define the problem: Identify symptoms (slow, lost packets, DNS failures, etc.).
  • Scope the capture: Choose the right host or network segment and capture timeframe.
  • Permissions and safety: Run captures with appropriate privileges and avoid collecting sensitive traffic unless authorized.
  • Set capture filters: Use BPF filters to limit noise, e.g., host 10.0.0.5 or tcp port 80.

2. Capture basics

  • Start a live capture: Select the correct interface (wired, wireless, virtual).
  • Use ring buffers for long traces: Limit file size and number of files to manage storage.
  • Save raw captures: Keep a .pcapng for reproducibility.

3. Narrow the view with display filters

  • Difference between capture and display filters: Capture filters reduce stored packets; display filters refine what you see.
  • Common display filters:
    • tcp — show TCP traffic
    • icmp — show ping/traceroute traffic
    • dns — show DNS queries/responses
    • http — show HTTP traffic
    • ip.addr == 10.0.0.5 — packets to/from an IP
  • Tip: Build filters iteratively — start broad then tighten.

4. Diagnose common problems — step‑by‑step workflows

A. Slow web pages

  1. Filter for the client and server: ip.addr == CLIENT_IP && (tcp.port == 80 || tcp.port == 443). The parentheses matter: && binds tighter than ||, so without them the filter would also show every port‑443 packet from other hosts.
  2. Find the TCP stream: right‑click a packet → “Follow” → “TCP Stream”.
  3. Look for retransmissions, duplicate ACKs, or high RTTs (column “Time” and TCP analysis flags).
  4. Check TLS setup delays by inspecting the handshake messages and time gaps.
  5. If many retransmissions occur, investigate link errors, congestion, or faulty NICs.

B. Intermittent connectivity / packet loss

  1. Capture on both ends if possible.
  2. Filter for relevant flows and inspect ICMP Destination Unreachable or TCP RSTs.
  3. Use “Statistics → Summary” and “IO Graphs” to visualize packet rates and loss patterns.
  4. Look for bursts of retransmissions, out‑of‑order packets, or sudden drops in sequence numbers.
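The retransmission, duplicate‑ACK and RTT checks used in workflows A and B are easier to trust once you have seen the logic behind them. The following is an added example, not code from the original article or from the Wireshark project: a small Python reimplementation of what Wireshark's tcp.analysis.retransmission, duplicate‑ACK and ack_rtt flags compute, run over a constructed packet list (the Pkt record layout, the IP addresses and the sample flow are this example's own assumptions).

```python
"""Added example, not from the original article: a small reimplementation of
the checks behind Wireshark's tcp.analysis.retransmission, duplicate-ACK and
ack_rtt flags, run over a constructed packet list so the logic can be read.
Packet records, field names and the sample flow are this example's own."""
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float      # capture timestamp (seconds)
    src: str       # source IP
    dst: str       # destination IP
    seq: int       # TCP sequence number (relative)
    ack: int       # TCP acknowledgement number (relative)
    length: int    # TCP payload bytes
    flags: str     # letters from "SAFR": SYN, ACK, FIN, RST


def analyze(packets):
    """Return retransmitted frames, duplicate-ACK frames and RTT samples.

    Indices refer to positions in `packets` (frame numbers in a capture).
    """
    seen = set()        # (src, dst, seq, length) of data segments already seen
    unacked = {}        # (src, dst, seq + length) -> time the segment was sent
    last_ack = {}       # (src, dst) -> last ACK number sent in that direction
    out = {"retransmissions": [], "dup_acks": [], "rtt_samples": []}

    for i, p in enumerate(packets):
        if p.length > 0:
            key = (p.src, p.dst, p.seq, p.length)
            if key in seen:
                # same bytes sent twice: Wireshark's tcp.analysis.retransmission
                out["retransmissions"].append(i)
                # Karn's rule: never take an RTT sample from a retransmitted segment
                unacked.pop((p.src, p.dst, p.seq + p.length), None)
            else:
                seen.add(key)
                unacked[(p.src, p.dst, p.seq + p.length)] = p.ts

        if "A" in p.flags:
            # this ACK acknowledges data that flowed dst -> src
            sent_key = (p.dst, p.src, p.ack)
            if sent_key in unacked:
                out["rtt_samples"].append(round(p.ts - unacked.pop(sent_key), 4))
            # duplicate ACK: empty segment repeating the previous ACK number
            prev = last_ack.get((p.src, p.dst))
            if p.length == 0 and "S" not in p.flags and prev == p.ack:
                out["dup_acks"].append(i)
            last_ack[(p.src, p.dst)] = p.ack
    return out


def retransmission_rate(packets):
    """Fraction of data-carrying segments that were retransmissions."""
    data_segments = sum(1 for p in packets if p.length > 0)
    if data_segments == 0:
        return 0.0
    return len(analyze(packets)["retransmissions"]) / data_segments


# Constructed sample, as captured on the server side: client C fetches a page
# from server S; the server's second 1000-byte segment (seq 1001) is lost
# downstream of the capture point and retransmitted after duplicate ACKs.
C, S = "10.0.0.5", "198.51.100.10"
SAMPLE = [
    Pkt(0.000, C, S, 0, 0, 0, "S"),
    Pkt(0.050, S, C, 0, 1, 0, "SA"),
    Pkt(0.051, C, S, 1, 1, 0, "A"),
    Pkt(0.052, C, S, 1, 1, 100, "A"),        # HTTP request
    Pkt(0.102, S, C, 1, 101, 0, "A"),        # ACK of the request: RTT 50 ms
    Pkt(0.110, S, C, 1, 101, 1000, "A"),     # response segment 1
    Pkt(0.111, S, C, 1001, 101, 1000, "A"),  # response segment 2 (lost later)
    Pkt(0.112, S, C, 2001, 101, 1000, "A"),  # response segment 3
    Pkt(0.160, C, S, 101, 1001, 0, "A"),     # ACK for segment 1
    Pkt(0.162, C, S, 101, 1001, 0, "A"),     # duplicate ACK
    Pkt(0.164, C, S, 101, 1001, 0, "A"),     # duplicate ACK
    Pkt(0.400, S, C, 1001, 101, 1000, "A"),  # retransmission of segment 2
    Pkt(0.450, C, S, 101, 3001, 0, "A"),     # everything acknowledged
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(f"retransmission rate: {retransmission_rate(SAMPLE):.0%}")
```

On the sample flow the analysis flags frame 11 as a retransmission, frames 9 and 10 as duplicate ACKs, and yields RTT samples of 50 ms, 50 ms and 338 ms; the last sample is inflated because the ACK that covered segment 3 only arrived after the retransmission, which is exactly the kind of jump you look for in the "Time" column and the IO Graph.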

C. DNS failures

  1. Filter: dns or udp.port == 53.
  2. Check if queries receive responses and match transaction IDs.
  3. Verify response codes (NXDOMAIN, SERVFAIL).
  4. If the client doesn’t receive responses, check intermediate firewalls or NAT translations.

D. Slow DNS resolution

  1. Identify time gaps between query and response.
  2. Find whether multiple queries are attempted (fallback to other resolvers).
  3. Check EDNS/large responses that may be fragmented or dropped.
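Workflows C and D both come down to three checks on the DNS bytes: does each response carry the transaction ID of a pending query, what is its RCODE, and how long after the query did it arrive. Here is an added example (not code from the original article) that performs those checks in Python over constructed UDP payloads: a minimal DNS wire‑format builder and parser plus a correlation routine. The names, transaction IDs, timings and the 0.5 s "slow" threshold are this example's own assumptions.

```python
"""Added example, not from the original article: a minimal DNS wire-format
parser plus the query/response correlation from sections C and D
(transaction-ID matching, RCODE check, query-to-response latency), run over
constructed packets. Names, IDs and timings are invented for the example."""
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(tid, name, response=False, rcode=0):
    """Build a one-question DNS message (type A, class IN) with no answers."""
    flags = 0x0100                          # RD set, as a stub resolver does
    if response:
        flags |= 0x8000 | 0x0080 | rcode    # QR, RA and the response code
    header = struct.pack(">HHHHHH", tid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def parse_dns(payload):
    """Parse the header and the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        ln = payload[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            # compression pointers do not occur in the question of a stub query
            raise ValueError("compressed name in question section")
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln
    qtype, _qclass = struct.unpack(">HH", payload[off:off + 4])
    return {
        "id": tid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x0F,
        "qname": ".".join(labels),
        "qtype": qtype,
    }


def correlate(records, slow_after=0.5):
    """Pair queries with responses by (transaction ID, name).

    `records` is a list of (timestamp, udp_payload). Returns one dict per
    answered query, one per response that matches no pending query (what a
    stale or spoofed answer looks like on the wire), and one per query that
    never received an answer.
    """
    pending, results = {}, []
    for ts, payload in records:
        msg = parse_dns(payload)
        key = (msg["id"], msg["qname"])
        if not msg["is_response"]:
            pending[key] = ts
            continue
        if key not in pending:
            results.append({"qname": msg["qname"], "id": msg["id"],
                            "status": "UNMATCHED_RESPONSE", "latency": None})
            continue
        latency = round(ts - pending.pop(key), 3)
        results.append({"qname": msg["qname"], "id": msg["id"],
                        "status": RCODE_NAMES.get(msg["rcode"], f"RCODE{msg['rcode']}"),
                        "latency": latency, "slow": latency > slow_after})
    for (tid, qname), _ts in pending.items():
        results.append({"qname": qname, "id": tid, "status": "UNANSWERED", "latency": None})
    return results


# Constructed capture: (relative time in seconds, UDP payload on port 53)
CAPTURE = [
    (0.000, build_message(0x1A2B, "example.com")),
    (0.020, build_message(0x1A2B, "example.com", response=True, rcode=3)),
    (0.100, build_message(0x3C4D, "api.internal")),
    (0.150, build_message(0x9999, "api.internal", response=True)),  # ID mismatch
    (0.200, build_message(0x5E6F, "slow.example")),
    (1.400, build_message(0x5E6F, "slow.example", response=True, rcode=2)),
]

if __name__ == "__main__":
    for row in correlate(CAPTURE):
        print(row)
```

Run on the constructed capture, the report shows example.com answered NXDOMAIN in 20 ms, a response for api.internal whose transaction ID matches nothing that was asked (the client will discard it, so from its point of view the query went unanswered), and slow.example answered SERVFAIL only after 1.2 s, the case workflow D is about.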

E. Application‑level errors (HTTP APIs)

  1. Filter by HTTP and inspect request/response codes and headers.
  2. Use “Follow → HTTP Stream” to view full exchanges.
  3. Look for repeated 4xx/5xx errors and correlate with upstream service calls or backend timeouts.

5. Use Wireshark tools and statistics

  • Protocol Hierarchy: Quick view of top protocols and traffic distribution.
  • Conversations & Endpoints: Identify top talkers and problematic endpoints.
  • IO Graphs: Visualize traffic patterns over time; overlay filters for comparison.
  • Expert Information: See flagged anomalies (retransmissions, crashes, malformed packets).

6. Advanced tips

  • Name resolution: Enable/disable to avoid extra DNS noise; use “Resolve Names” for readability.
  • Coloring rules: Create custom colors to highlight important packets (retransmits, errors).
  • Custom columns: Add columns for TCP flags, sequence numbers, or latency metrics.
  • Scripting & tshark: Use tshark for automated filtering, extraction, and integration with monitoring systems. Example:
tshark -r capture.pcapng -Y "tcp.analysis.retransmission" -T fields -e frame.number -e ip.src -e ip
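The tshark invocation above produces tab‑separated lines that are meant to be fed into something else. As an added example (not code from the original article or from the Wireshark project), here is the Python glue a monitoring pipeline would use: it builds the tshark argument list with plain ASCII quoting, parses the -T fields output, and aggregates retransmissions per sender so that a noisy host can be alerted on. The field selection, the per‑source threshold and the sample output lines are this example's own assumptions.

```python
"""Added example, not from the original article: post-processing of
`tshark -T fields` output in Python, the kind of glue a monitoring pipeline
would use. The tshark argument list, field choice, per-source threshold and
the sample output lines are this example's own assumptions."""
import subprocess
from collections import defaultdict

# Fields requested from tshark; -T fields prints them tab-separated, one frame per line.
FIELDS = ["frame.number", "frame.time_relative", "ip.src", "ip.dst"]


def tshark_command(pcap_path, display_filter="tcp.analysis.retransmission"):
    """argv for tshark (plain ASCII quotes: curly quotes break the filter)."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def run_tshark(pcap_path):
    """Run tshark on a capture file and return its stdout (needs tshark on PATH)."""
    return subprocess.run(tshark_command(pcap_path), capture_output=True,
                          text=True, check=True).stdout


def parse_fields_output(text):
    """Turn tab-separated tshark output into dicts keyed by field name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            continue                     # malformed line: skip rather than crash
        row = dict(zip(FIELDS, values))  # non-IP frames leave ip.* empty
        row["frame.number"] = int(row["frame.number"])
        row["frame.time_relative"] = float(row["frame.time_relative"])
        rows.append(row)
    return rows


def retransmissions_per_source(rows, threshold=3):
    """Count retransmitted frames per sender; flag senders at or over threshold."""
    counts = defaultdict(int)
    for row in rows:
        if row["ip.src"]:                # ignore frames without an IP layer
            counts[row["ip.src"]] += 1
    alerts = sorted(src for src, n in counts.items() if n >= threshold)
    return {"counts": dict(counts), "alerts": alerts}


# Constructed stand-in for `run_tshark("capture.pcapng")` output: three
# retransmissions from 10.0.0.5, one from 10.0.0.9, and one non-IP frame.
SAMPLE_OUTPUT = (
    "12\t0.402\t10.0.0.5\t198.51.100.10\n"
    "15\t0.911\t10.0.0.5\t198.51.100.10\n"
    "27\t1.350\t10.0.0.9\t198.51.100.10\n"
    "31\t1.702\t10.0.0.5\t198.51.100.10\n"
    "40\t2.000\t\t\n"
)

if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with run_tshark("capture.pcapng") on a real trace.
    report = retransmissions_per_source(parse_fields_output(SAMPLE_OUTPUT))
    print(report)
```

Keep the threshold relative to traffic volume in practice: three retransmissions from a host that sent a million segments is noise, three from a host that sent ten is the faulty NIC or congested link workflow A tells you to investigate.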
