Wireshark Pocket Book

Wireshark Pocket Book — Uplatz

50 in-depth cards • Wide layout • Readable examples • 20-question interview Q&A included

Section 1 — Foundations

1) What is Wireshark?

Wireshark is a GUI network protocol analyzer that captures and dissects packets across thousands of protocols. Use it for troubleshooting, performance work, security investigations, and protocol learning. CLI siblings: tshark (capture and analyze from the terminal) and dumpcap (capture only; the engine Wireshark and tshark themselves use to capture).

# Basic CLI capture (tshark)
tshark -i eth0 -a duration:60 -w capture.pcapng

2) Capture vs Display Filters

Capture filters (libpcap syntax) limit what’s saved; set before capture. Display filters (Wireshark syntax) refine what you view post-capture. Prefer display filters for flexibility; use capture filters under heavy load.

# Capture filter (only TCP port 443)
tcp port 443
# Display filter (show only failed HTTP)
http.response.code >= 400

3) pcap vs pcapng

pcap is legacy (no comments/multi-interface). pcapng supports interfaces, comments, name resolution, and more metadata. Prefer pcapng for modern workflows.

dumpcap -i eth0 -w out.pcapng

4) Promiscuous & Monitor Modes

Promiscuous mode makes the NIC pass up frames not addressed to it (everything on the same L2 segment, or whatever a SPAN port or tap feeds it). Monitor mode (Wi-Fi) detaches the adapter from any network and captures raw 802.11 frames, including management and control frames and traffic of other BSSes, instead of the Ethernet-style view a connected station gives. The adapter and driver must support it, and an adapter in monitor mode cannot stay associated.

# Linux enabling monitor mode (example)
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

5) Ring Buffers & Long Captures

For long-running captures, use ring buffers to rotate files, preventing disk exhaustion. Great for servers and incident windows.

# -b filesize is in kB: 200000 ≈ 200 MB per file, 10 files ≈ 2 GB on disk before the oldest is overwritten
# -i any is Linux-only and yields "cooked" frames without real Ethernet headers; name a real interface when L2 matters
dumpcap -i any -b filesize:200000 -b files:10 -w /var/log/caps/session.pcapng

6) Name Resolution

Wireshark can resolve MAC vendors (OUI), IP addresses (DNS, or a hosts file in the profile folder), and port names. Disable it during analysis if lookups slow you down or the names mislead (reverse DNS can be stale or attacker-controlled); a profile-local hosts file is the way to label internal systems with names you trust.

# Toggle in UI: View → Name Resolution
tshark -n  # disable name resolution

7) Profiles

Profiles store columns, coloring rules, filters, and layout. Create protocol-specific profiles (HTTP, VoIP, TLS) for faster context switching.

Help → About Wireshark → Folders → Personal configuration

8) Columns that Matter

Add custom columns for tcp.stream, http.request.method, dns.qry.name, tls.record.content_type. Sorting by these accelerates triage.

Right-click field → Apply as Column

9) Coloring Rules

Use coloring to spot problems quickly (e.g., TCP retransmissions, HTTP errors). Keep schemes simple and high contrast.

View → Coloring Rules → + (display filter, fg/bg colors)

10) Q&A — “When do I use capture filters?”

Answer: When traffic volume is too high to store everything or you need specific protocols only (e.g., port 53). Otherwise capture broadly and refine with display filters for flexibility.

Section 2 — Filters, Field Mastery & Flow Analysis

11) Display Filter Basics

Filters are field-centric (ip.src==10.0.0.5, tcp.flags.syn==1). Combine with and, or, not. Use contains, matches (regex) for payload searches.

ip.addr == 10.1.2.3 and tcp.port == 443 and frame.len > 1000

12) Filter Shortcuts

Right-click any field → “Apply as Filter” (Selected / Not Selected / …and Selected / …or Selected); “Prepare as Filter” builds the same expression without applying it, so you can edit it first. Analyze → Display Filter Expression opens the field browser. Keep a library of saved filters per profile (filter buttons on the toolbar).

tcp.analysis.flags || tcp.analysis.retransmission || tcp.analysis.duplicate_ack
# tcp.analysis.flags alone already matches every TCP expert flag; the other two are shown to narrow it

13) Follow Streams

“Follow TCP/UDP/HTTP2 Stream” reconstructs bidirectional conversations. Use it to view requests/responses in order, export payloads, and isolate a single tcp.stream.

Right-click packet → Follow → TCP Stream
Display filter auto-set: tcp.stream == N

14) Conversations & Endpoints

Statistics → Conversations/Endpoints summarize flows by bytes, packets, and duration—handy to find top talkers, scans, or noisy hosts.

Statistics → Conversations → TCP/UDP tabs

15) Reassembly

Wireshark reassembles fragmented IP and segmented TCP streams. If application payloads look truncated, check “Reassemble” settings under each protocol’s preferences.

Edit → Preferences → Protocols → TCP → Allow subdissector to reassemble TCP streams

16) Time Display & Deltas

Switch between absolute, relative, or delta time to measure gaps, latency, and jitter. “Time since previous displayed packet” is great for pinpointing stalls.

View → Time Display Format → Seconds Since Previous Displayed Packet

17) Expert Information

Wireshark flags anomalies at four severities (errors, warnings, notes, chats). Use it as a triage panel for retransmissions, zero-window conditions, malformed packets, and protocol violations; an “Error”-level entry usually means a dissector could not make sense of the bytes, which is either corruption or a non-standard implementation.

Analyze → Expert Information

18) I/O Graphs

Graph throughput, packet rate, or filter-based series (e.g., tcp.analysis.retransmission). Overlay multiple series to correlate spikes with errors.

Statistics → I/O Graphs → Add Graphs w/ display filters

19) Field Extracts with tshark

Extract structured data to CSV/JSON for scripting and dashboards. Combine with display filters to export just what you need.

tshark -r cap.pcapng -Y "http && http.request" -T fields -e frame.time -e ip.src -e http.host -E header=y -E separator=,

20) Q&A — “Display filter vs search?”

Answer: Display filters hide non-matching packets and enable field logic; “Find Packet” is a text/hex search that jumps to the next occurrence but doesn’t filter the view.

Section 3 — Protocol Deep Dives & Troubleshooting

21) ARP & Neighbor Discovery

Look for ARP who-has / is-at storms (loops or scans). Duplicate-address detection and gratuitous ARP help diagnose IP conflicts; a sudden is-at for a gateway IP from a new MAC is what ARP spoofing looks like.

arp.opcode == 1 || arp.opcode == 2  # requests or replies; sort Statistics → Endpoints by packets to find the storm source

22) DNS Diagnostics

High response times or NXDOMAIN/SERVFAIL spikes reveal DNS issues. Filter by query name/type, check the truncation (TC) bit and the UDP→TCP retry it should trigger, and look at retry behaviour (repeated identical queries with no response).

dns && dns.flags.response == 1 && dns.time > 0.2  # responses that took more than 200 ms

23) TCP Handshake & Flags

Validate SYN→SYN/ACK→ACK, MSS/WS options, and SACK permitted. Analyze tcp.analysis flags for retransmissions, fast retransmits, zero window, and out-of-order packets.

tcp.flags.syn==1 || tcp.analysis.retransmission || tcp.analysis.zero_window
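
The handshake and options above, decoded by hand. This is an added example, not code from the pocket book or from Wireshark: a small parser for the TCP header and its option list (MSS, window scale, SACK-permitted, SACK blocks, timestamps), run on a constructed SYN and SYN/ACK whose ports, sequence numbers and option values are made-up test data. It also reports the 12-bit value Wireshark shows as tcp.flags and checks the SYN → SYN/ACK pairing the way the dissector matches a handshake.

```python
import struct

FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))


def build_segment(sport, dport, seq, ack, flags, options=b"", window=64240):
    """Build a TCP header without checksum (constructed test data, not a captured packet)."""
    options += b"\x00" * ((-len(options)) % 4)        # options are padded to a 32-bit boundary
    doff = (20 + len(options)) // 4                    # data offset, in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       doff << 4, flags, window, 0, 0) + options


# Option bytes a Linux client typically sends in a SYN (assumed values): MSS,
# SACK-permitted, timestamps, NOP for alignment, window scale.
SYN_OPTIONS = (struct.pack("!BBH", 2, 4, 1460)           # kind 2: MSS 1460
               + bytes([4, 2])                            # kind 4: SACK permitted
               + struct.pack("!BBII", 8, 10, 123456, 0)   # kind 8: TSval, TSecr
               + bytes([1])                               # kind 1: NOP
               + bytes([3, 3, 7]))                        # kind 3: window scale, shift 7


def parse_tcp(segment):
    """Decode header, flags and options the way the packet details pane shows them."""
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack_from(
        "!HHIIBBHHH", segment, 0)
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(segment):
        raise ValueError("bad data offset")
    # Wireshark's tcp.flags is 12 bits wide: the NS bit sits in the low bit of byte 12
    flags12 = ((off_res & 0x01) << 8) | flags
    info = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "flags": [name for name, bit in FLAG_BITS if flags & bit],
            "flags_hex": f"0x{flags12:03x}", "options": {}, "payload": segment[doff:]}
    opts = info["options"]
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                                     # end of option list
            break
        if kind == 1:                                     # NOP
            i += 1
            continue
        if i + 1 >= doff or segment[i + 1] < 2 or i + segment[i + 1] > doff:
            opts["malformed"] = True                      # what the dissector reports as Malformed Packet
            break
        length = segment[i + 1]
        value = segment[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 3:
            opts["window_scale"] = value[0]               # factor is 2**shift; never applied to the SYN itself
        elif kind == 4:
            opts["sack_permitted"] = True
        elif kind == 5:
            opts["sack_blocks"] = [struct.unpack("!II", value[j:j + 8])
                                   for j in range(0, len(value), 8)]
        elif kind == 8:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", value)
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return info


def handshake_ok(syn, synack):
    """The SYN → SYN/ACK pairing: ports mirrored, ack number = client ISN + 1."""
    return (syn["flags"] == ["SYN"] and sorted(synack["flags"]) == ["ACK", "SYN"]
            and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF
            and synack["sport"] == syn["dport"] and synack["dport"] == syn["sport"])


def demo():
    syn = parse_tcp(build_segment(51234, 443, 0x12345678, 0, 0x02, SYN_OPTIONS))
    synack_opts = struct.pack("!BBH", 2, 4, 1380) + bytes([4, 2]) + bytes([1]) + bytes([3, 3, 8])
    synack = parse_tcp(build_segment(443, 51234, 0xABCDEF01, 0x12345679, 0x12, synack_opts))
    return syn, synack, handshake_ok(syn, synack)
```

A mismatched MSS between the two directions (1460 offered, 1380 answered here) is normal; the smaller one wins for each direction. A window scale that appears in the SYN but not the SYN/ACK means scaling is off for the whole connection, which is one reason a transfer stalls at a 64 KB window.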

24) HTTP/1.1–2–3

HTTP/1.1: plaintext headers and status codes; HTTP/2: binary frames multiplexed into streams, negotiated via ALPN over TLS (so it needs key-log decryption before you see anything); HTTP/3: the same stream model carried over QUIC on UDP. Use “Follow HTTP/2 Stream” and check the :authority and :path pseudo-headers, which replace the Host header and request line.

http.response.code >= 400 || http2 || quic

25) TLS Decryption

If you have the client-side key log (written by NSS-based applications, Chrome, Firefox, curl and others when SSLKEYLOGFILE is set in their environment), Wireshark can decrypt those TLS sessions. Point the TLS protocol preferences at the file. A server RSA private key only works for TLS 1.2 and older with the RSA key exchange (no (EC)DHE); TLS 1.3 always needs the key log.

# Set before launching browser
export SSLKEYLOGFILE=/tmp/keys.log
# Wireshark: Preferences → Protocols → TLS → (Pre)-Master-Secret log filename
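
A check worth running when a session refuses to decrypt: which client_randoms in the key log actually carry a usable set of secrets. This is an added example, not code from the pocket book or from Wireshark; the key log it reads is constructed inline, with repeated bytes standing in for random values. TLS 1.2 needs one CLIENT_RANDOM line with a 48-byte master secret; TLS 1.3 needs the two handshake traffic secrets (enough to show the encrypted Certificate) plus the two application traffic secrets before application data decrypts.

```python
from collections import defaultdict

TLS13_HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
TLS13_TRAFFIC = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

# Constructed key log: repeated bytes replace the random values, nothing here is a real secret.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,                     # TLS 1.2 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,   # TLS 1.3, complete
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "EXPORTER_SECRET " + "22" * 32 + " " + "ff" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "bb" * 32,   # TLS 1.3, handshake only
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "44" * 32 + " " + "ab" * 20,                     # truncated master secret
    "",
])


def _is_hex(s):
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def check_keylog(text):
    """Group lines by client_random and report, per session, what Wireshark will decrypt."""
    labels = defaultdict(set)
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected '<LABEL> <client_random> <secret>'"))
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or not _is_hex(client_random):
            problems.append((lineno, "client_random must be 32 bytes of hex"))
            continue
        if not _is_hex(secret):
            problems.append((lineno, "secret is not hex"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((lineno, "TLS 1.2 master secret must be 48 bytes"))
            continue
        labels[client_random.lower()].add(label)
    verdicts = {}
    for rnd, seen in labels.items():
        if "CLIENT_RANDOM" in seen:
            verdicts[rnd] = "TLS 1.2: full decryption"
        elif TLS13_HANDSHAKE <= seen and TLS13_TRAFFIC <= seen:
            verdicts[rnd] = "TLS 1.3: full decryption"
        elif TLS13_HANDSHAKE <= seen:
            verdicts[rnd] = "TLS 1.3: handshake only (Certificate visible, no application data)"
        else:
            verdicts[rnd] = "incomplete: " + ", ".join(sorted(seen))
    return verdicts, problems
```

The handshake-only case is the common surprise: a process that was killed, or a log that was truncated, mid-handshake leaves Wireshark able to show the Certificate but nothing after it. Match the client_random against the Random field of the ClientHello in the capture to find which session a line belongs to.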

26) QUIC/HTTP3 Hints

QUIC encrypts almost everything, but its Initial packets are protected with keys derived from the Destination Connection ID, so Wireshark decrypts them on its own and shows the ClientHello, including SNI and ALPN. Everything after the handshake (1-RTT data, HTTP/3) needs the key log, in the same SSLKEYLOGFILE format as TLS. Use server_name, ALPN, and the connection IDs to group flows, since the UDP 4-tuple can change when a client migrates.

quic && udp.port == 443

27) DHCP & IPAM Issues

Watch DHCP Discover/Offer/Request/Ack sequences. Repeated Discover without Offer indicates scope exhaustion or relay issues.

dhcp  # older releases named the dissector (and its fields) bootp

28) VoIP: SIP/RTP/RTCP

Decode SIP call setup, then analyze RTP streams (MOS, jitter, packet loss). Use Telephony menus for call flows and audio export if payload not encrypted.

Telephony → VoIP Calls → Flow Sequence / RTP Streams

29) SMB & File Transfers

Slow SMB often correlates with small window sizes or excessive chattiness (many small synchronous requests, each paying a full RTT). Separate authentication from data operations; check dialect negotiation and whether signing or encryption is in force.

smb2 && !(smb2.cmd == 1)  # exclude Session Setup (command 1) to see I/O; 5 is Create, 8 Read, 9 Write

30) Q&A — “How do I find the slow hop?”

Answer: Measure server vs client deltas. If server response is quick but ACKs arrive late, it’s path/receiver side. Use TCP timestamps and delta times, plus IO Graphs for RTT trends.

Section 4 — Capture Craft, Extcap, CLI & Automation

31) dumpcap for Reliability

dumpcap is the robust capture engine. Use it for unattended/privileged captures while analyzing later in Wireshark or with tshark.

sudo dumpcap -i any -b duration:300 -b files:20 -w /var/log/caps/rot.pcapng

32) Remote Capture

Capture from remote hosts via SSH pipe or extcap connectors. Keep time synchronized (NTP) across devices to compare traces.

# 'not port 22' excludes the SSH session that carries the capture, which would otherwise capture its own output
ssh user@host "sudo tcpdump -i eth0 -U -w - 'not port 22'" | wireshark -k -i -

33) Capture Filters Cheats

Common BPF snippets: host, net, port, proto, and boolean combos. Protect your capture host by excluding its own SSH/management ports.

host 10.0.0.5 and tcp and not (port 22 or port 3389)

34) Export Objects

Extract files from protocols (HTTP, SMB, DICOM, TFTP) via “Export Objects.” Validate hashes and handle legal/PII concerns.

File → Export Objects → HTTP/SMB/…

35) Packet Comments & Annotations

Add per-packet comments for collaboration; pcapng preserves them. Useful in incident timelines and for hand-offs.

Edit → Packet Comment… (also in the packet list context menu)
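
Why the pocket book prefers pcapng (card 3) and why packet comments survive only there: the comment is an option on the Enhanced Packet Block, and a classic pcap record has no option space at all. The following added example (not code from the pocket book or from Wireshark) writes the same two frames as pcap and as pcapng, attaches a comment to one of them, and reads both back; the frame bytes and timestamps are constructed test data.

```python
import struct

LINKTYPE_ETHERNET = 1
# Constructed frame: 14 zero bytes where an Ethernet header would be, plus a payload.
SAMPLE_FRAME = bytes(14) + b"example-payload"


def write_pcap(frames):
    """Classic pcap: 24-byte file header, then a fixed 16-byte record header per packet.
    There is nowhere to put a comment, a second interface, or a resolved name."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, data in frames:
        sec = int(ts)
        usec = round((ts - sec) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def _block(btype, body):
    """pcapng block: type, total length, body (32-bit aligned), total length again."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _option(code, value):
    """pcapng option TLV padded to 32 bits; code 1 = opt_comment, code 0 = end of options."""
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def write_pcapng(frames, comments=None):
    """pcapng: Section Header, Interface Description, then one Enhanced Packet Block per
    frame. comments maps frame index -> text, stored as opt_comment on that block (what
    Edit → Packet Comment writes)."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, length unknown
    idb = _block(1, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))     # default if_tsresol: microseconds
    out = shb + idb
    for idx, (ts, data) in enumerate(frames):
        ts_us = round(ts * 1_000_000)
        body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
        body += data + b"\x00" * ((-len(data)) % 4)
        comment = (comments or {}).get(idx)
        if comment is not None:
            body += _option(1, comment.encode("utf-8")) + _option(0, b"")
        out += _block(6, body)
    return out


def read_capture(blob):
    """Yield (timestamp, frame, comment) from either format, detected by the file magic."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":                       # little-endian pcap, microseconds
        off = 24
        while off + 16 <= len(blob):
            sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, off)
            off += 16
            yield sec + usec / 1_000_000, blob[off:off + caplen], None
            off += caplen
    elif blob[:4] == b"\x0a\x0d\x0d\x0a":                     # pcapng Section Header Block
        off = 0
        while off + 12 <= len(blob):
            btype, blen = struct.unpack_from("<II", blob, off)
            if btype == 6:                                    # Enhanced Packet Block
                _, hi, lo, caplen, _ = struct.unpack_from("<IIIII", blob, off + 8)
                data = blob[off + 28:off + 28 + caplen]
                opt = off + 28 + caplen + ((-caplen) % 4)
                comment = None
                while opt + 4 <= off + blen - 4:              # options run up to the trailing length
                    code, olen = struct.unpack_from("<HH", blob, opt)
                    if code == 0:
                        break
                    if code == 1:
                        comment = blob[opt + 4:opt + 4 + olen].decode("utf-8")
                    opt += 4 + olen + ((-olen) % 4)
                yield ((hi << 32) | lo) / 1_000_000, data, comment
            off += blen
    else:
        raise ValueError("not a pcap or pcapng file")


def demo():
    frames = [(1700000000.25, SAMPLE_FRAME), (1700000001.5, SAMPLE_FRAME)]
    legacy = list(read_capture(write_pcap(frames)))
    modern = list(read_capture(write_pcapng(frames, {1: "suspicious beacon, see ticket"})))
    return legacy, modern
```

Saving a pcapng as pcap (File → Save As) silently drops every comment and the interface metadata, which is why a hand-off file should stay pcapng.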

36) Lua Dissectors

Write lightweight Lua dissectors for proprietary protocols or quick field extraction when built-in dissectors don’t exist.

-- Minimal Lua dissector; save as demo.lua in the Personal Lua Plugins folder (Help → About Wireshark → Folders)
local p = Proto("demo", "DemoProto")
local f_text = ProtoField.string("demo.text", "Payload")   -- gives a filterable field: demo.text
p.fields = { f_text }
function p.dissector(buf, pinfo, tree)
  pinfo.cols.protocol = "DEMO"
  tree:add(p, buf()):add(f_text, buf(0))   -- protocol subtree, whole payload shown as a string
end
DissectorTable.get("tcp.port"):add(5555, p)   -- bind to TCP port 5555

37) Decrypt Wi-Fi (WPA-PSK)

Provide the passphrase and SSID (or the raw 256-bit PSK) in the IEEE 802.11 preferences and make sure the capture contains the EAPOL 4-way handshake of the client you care about: Wireshark derives the PMK from the passphrase and the per-session PTK from the nonces in handshake messages 1 and 2, so without the handshake nothing decrypts. This covers WPA/WPA2-Personal only; WPA2-Enterprise (EAP-TLS and friends) uses per-user PMKs that cannot be derived from the capture.

Preferences → Protocols → IEEE 802.11 → Enable decryption → Decryption Keys → Edit
key type wpa-pwd, key "passphrase:SSID"   (or key type wpa-psk with the 64-hex-digit PSK)
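
What “derives keys” means in practice, as an added example that is not code from the pocket book or from Wireshark: the passphrase and SSID become the PMK through PBKDF2 (this is the conversion between the wpa-pwd and wpa-psk key types), and the PMK plus the two MAC addresses and two nonces from the 4-way handshake become the PTK, whose TK is the CCMP key for data frames. The passphrase/SSID pair is the IEEE 802.11 test vector; the MAC addresses and nonces are arbitrary constructed values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """wpa-pwd → wpa-psk: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output (IEEE 802.11 Annex J)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def _prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    This is what Wireshark computes once it has seen message 1 (ANonce) and message 2 (SNonce)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return _prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk):
    """KCK checks the EAPOL MICs, KEK unwraps the GTK in message 3, TK decrypts CCMP data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): HMAC-SHA1-128 over the EAPOL frame with its MIC field zeroed.
    Comparing this with the MIC in message 2 is how a wrong passphrase is detected."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def demo():
    # IEEE 802.11 test vector for the passphrase step; MACs and nonces are constructed values.
    pmk = pmk_from_passphrase("password", "IEEE")
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(pmk, ap, sta, anonce, snonce)
    return pmk, ptk, split_ptk(ptk)
```

Because the nonces change on every association, a client that joined before the capture started is undecryptable until it reconnects (deauthenticating it is the usual, and not always permissible, shortcut). A wrong passphrase is not an error in Wireshark; the frames simply stay encrypted because the MIC check fails.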

38) GeoIP & Name Datasets

Integrate GeoIP databases to map IPs to geo/ASN for quick triage. Keep datasets updated for accuracy.

Preferences → Name Resolution → MaxMind database directories

39) Batch Pipelines

Automate log enrichment by exporting fields and joining with SIEM/BQ tables. Great for recurring reports and anomaly hunts.

tshark -r cap.pcapng -Y "tcp" -T json > tcp.json

40) Q&A — “Why dumpcap over Wireshark for capture?”

Answer: dumpcap is minimal and stable under load, runs without the GUI, supports ring buffers, and gives you privilege separation: only dumpcap needs capture rights, so Wireshark and tshark can run unprivileged. That makes it the right tool for long, unattended captures.

Section 5 — Checklists, Cheats & Interview Q&A

41) Performance Checklist

Confirm full-duplex visibility (SPAN/tap), disable name resolution, use display filters, profile with IO Graphs, inspect TCP windows/SACK, confirm MSS/path MTU, and check queueing delays.

tcp.analysis.bytes_in_flight > 100000 || tcp.window_size_value < 4096

42) Security Triage Checklist

Look for port scans (many SYNs to many ports, few SYN/ACKs back), beaconing (periodic small TCP/UDP connections to the same destination), DNS anomalies (exfiltration through long subdomains, oversized TXT answers), TLS JA3/JA4 outliers (tls.handshake.ja3 is a built-in field; JA4 needs a recent 4.x release), suspicious SNI, and data to unexpected ASNs.

tcp.flags.syn==1 && tcp.flags.ack==0  # bare SYNs; adding tcp.seq==0 changes nothing while relative sequence numbers are on
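
The first two checks on the list, run over a tshark field export (cards 19 and 39 show the export side). This is an added example, not code from the pocket book or from Wireshark: the rows are constructed to look like `tshark -T fields` output for SYN segments, with a port scan and a 60-second beacon planted among ordinary traffic; the thresholds (8 ports, reply ratio 0.5, 5 events, coefficient of variation 0.1) are assumptions to tune per environment.

```python
import csv
import io
import statistics
from collections import defaultdict

# Shape of the export this script expects:
#   tshark -r cap.pcapng -Y "tcp.flags.syn==1" -T fields -e frame.time_epoch -e ip.src \
#          -e ip.dst -e tcp.dstport -e tcp.flags -E separator=,


def _constructed_export():
    """Rows constructed to resemble that export: a scanner, a beacon, and some ordinary SMB."""
    rows = []
    ports = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]
    for i, port in enumerate(ports):                                # one SYN per port, 10 ms apart
        rows.append((1000.0 + i * 0.01, "10.0.0.9", "10.0.0.5", port, 0x002))
        if port in (22, 443):                                       # only two ports answer
            rows.append((1000.0 + i * 0.01 + 0.0004, "10.0.0.5", "10.0.0.9", 40000 + i, 0x012))
    for t in (2000.0, 2060.0, 2119.8, 2180.1, 2240.0, 2300.2):    # beacon: same host:port, ~60 s apart
        rows.append((t, "10.0.0.23", "203.0.113.7", 443, 0x002))
        rows.append((t + 0.02, "203.0.113.7", "10.0.0.23", 50001, 0x012))
    for t in (2010.0, 2011.7, 2500.3):                              # irregular, legitimate SMB use
        rows.append((t, "10.0.0.23", "10.0.0.5", 445, 0x002))
    return "\n".join(f"{t:.6f},{s},{d},{p},0x{f:04x}" for t, s, d, p, f in rows) + "\n"


SAMPLE_EXPORT = _constructed_export()


def parse_export(text):
    """Typed rows: (time, src, dst, dstport, flags as int); tcp.flags is printed in hex."""
    rows = []
    for t, src, dst, dport, flags in csv.reader(io.StringIO(text)):
        rows.append((float(t), src, dst, int(dport), int(flags, 16)))
    return rows


def find_scans(rows, min_ports=8, max_reply_ratio=0.5):
    """A source probing many ports on one host, with few SYN/ACKs coming back."""
    probed = defaultdict(set)
    replies = defaultdict(int)
    for _, src, dst, dport, flags in rows:
        if flags & 0x10:                       # SYN/ACK: credit the conversation it answers
            replies[(dst, src)] += 1
        else:
            probed[(src, dst)].add(dport)
    hits = []
    for (src, dst), ports in probed.items():
        ratio = replies[(src, dst)] / len(ports)
        if len(ports) >= min_ports and ratio <= max_reply_ratio:
            hits.append({"src": src, "dst": dst, "ports": len(ports), "reply_ratio": round(ratio, 2)})
    return hits


def find_beacons(rows, min_events=5, max_cv=0.1):
    """Connections to the same host:port at near-constant intervals (low coefficient of variation)."""
    times = defaultdict(list)
    for t, src, dst, dport, flags in rows:
        if not flags & 0x10:
            times[(src, dst, dport)].append(t)
    hits = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def triage(text=SAMPLE_EXPORT):
    rows = parse_export(text)
    return find_scans(rows), find_beacons(rows)
```

Malware that adds jitter raises the coefficient of variation, so lower max_cv catches fewer beacons but also fewer false positives from keep-alives; NTP, monitoring agents and update checks will show up and need an allow-list.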

43) HTTP Troubleshooting Cheats

Filter by host/method/status, follow streams, examine latency between request and first byte, and check TCP retransmissions around stalls.

http.host contains "api" && (http.response.code >= 400 || http.request.method == "POST")

44) TLS/Cert Cheats

Check version, cipher suite, SNI, certificate CN/SAN, and OCSP stapling. Mismatches or legacy ciphers can break clients or policies.

tls && tls.handshake.type == 11  # Certificate; in TLS 1.3 this message is encrypted, so it only appears with the key log loaded
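
What the TLS dissector and the JA3 field (cards 26 and 42) are computed from. This is an added example, not code from the pocket book or from Wireshark: it builds a TLS 1.3-style ClientHello from constructed values (the SNI example.test, the ALPN list, the cipher suites and groups are all made up), parses it back the way the details pane presents it, and derives the JA3 string and hash, dropping GREASE values as the JA3 specification requires. The legacy version field stays 0x0303 even for TLS 1.3; the real negotiation happens in supported_versions.

```python
import hashlib
import struct


def _is_grease(v):
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random filler and never enter JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _ext(etype, body):
    return struct.pack("!HH", etype, len(body)) + body


def build_client_hello(sni, alpn, ciphers, groups):
    """Construct a TLS 1.3-style ClientHello record (test data, not a captured packet)."""
    sni_entry = struct.pack("!BH", 0, len(sni)) + sni.encode()
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    exts = b"".join([
        _ext(0x0A0A, b""),                                              # GREASE extension
        _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry),    # server_name
        _ext(0x000A, struct.pack("!H", len(group_list)) + group_list),  # supported_groups
        _ext(0x000B, bytes([1, 0])),                                    # ec_point_formats
        _ext(0x0010, struct.pack("!H", len(alpn_list)) + alpn_list),    # ALPN
        _ext(0x002B, bytes([4]) + struct.pack("!HH", 0x0304, 0x0303)),  # supported_versions
        _ext(0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804)),           # signature_algorithms
    ])
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + bytes(32)                 # legacy version, random
            + bytes([32]) + bytes(range(32))                      # legacy session id
            + struct.pack("!H", len(suites)) + suites
            + bytes([1, 0])                                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([1]) + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs        # record layer: handshake


def parse_client_hello(record):
    """Extract what the TLS dissector shows: versions, cipher suites, SNI, ALPN, groups."""
    ctype, _rver, rlen = struct.unpack_from("!BHH", record, 0)
    hs = record[5:5 + rlen]
    if ctype != 0x16 or not hs or hs[0] != 1:
        raise ValueError("not a ClientHello record")
    p = 4
    info = {"version": struct.unpack_from("!H", hs, p)[0], "extensions": [], "sni": None,
            "alpn": [], "groups": [], "point_formats": [], "supported_versions": []}
    p += 2 + 32                                   # legacy version, random
    p += 1 + hs[p]                                # session id
    n = struct.unpack_from("!H", hs, p)[0]
    p += 2
    info["ciphers"] = [struct.unpack_from("!H", hs, p + i)[0] for i in range(0, n, 2)]
    p += n
    p += 1 + hs[p]                                # compression methods
    if p >= len(hs):
        return info                               # no extensions: pre-SNI legacy client
    end = p + 2 + struct.unpack_from("!H", hs, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        body = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        info["extensions"].append(etype)
        if etype == 0x0000 and elen >= 5:         # server_name_list entry: type(1) len(2) name
            info["sni"] = body[5:5 + struct.unpack_from("!H", body, 3)[0]].decode("ascii", "replace")
        elif etype == 0x000A:
            n = struct.unpack_from("!H", body, 0)[0]
            info["groups"] = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == 0x000B:
            info["point_formats"] = list(body[1:1 + body[0]])
        elif etype == 0x0010:
            q, stop = 2, 2 + struct.unpack_from("!H", body, 0)[0]
            while q < stop:
                info["alpn"].append(body[q + 1:q + 1 + body[q]].decode("ascii", "replace"))
                q += 1 + body[q]
        elif etype == 0x002B:
            info["supported_versions"] = [struct.unpack_from("!H", body, 1 + i)[0]
                                          for i in range(0, body[0], 2)]
    return info


def ja3(info):
    """JA3: 'version,ciphers,extensions,groups,point_formats' in decimal, '-' joined, then MD5."""
    def join(values):
        return "-".join(str(v) for v in values if not _is_grease(v))
    text = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                     join(info["groups"]), join(info["point_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


def demo():
    record = build_client_hello("example.test", ["h2", "http/1.1"],
                                [0x0A0A, 0x1301, 0x1302, 0xC02F, 0xC030], [0x001D, 0x0017, 0x0018])
    info = parse_client_hello(record)
    return info, ja3(info)
```

Because the fingerprint is a hash over ordered lists, two clients with the same libraries but one extra extension get different JA3 values; compare the unhashed string (Wireshark's tls.handshake.ja3_full) when you want to see why an outlier differs.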

45) Wi-Fi Cheats

Identify deauth floods, channel overlap, and low SNR. In monitor mode, watch management frames for roaming issues and 802.11k/v/r support.

wlan.fc.type_subtype == 0x0c  # deauthentication

46) Exporting Reports

Use “File → Export Packet Dissections” (CSV/JSON) or tshark for headless exports. Add custom columns first to include them in CSV.

tshark -r cap.pcapng -T fields -E header=y -e frame.time -e ip.src -e ip.dst -e tcp.len

47) Common Pitfalls

Capturing at the wrong point in the path, assuming name resolution is accurate, filtering out too much at capture time, ignoring time sync, and misreading retransmissions vs out-of-order.

tcp.analysis.out_of_order && !tcp.analysis.retransmission

48) Production Hygiene

Get approvals, scrub PII, time-box captures, encrypt artifacts at rest, rotate ring buffers, and document filters, interfaces, and environment.

dumpcap -i eth0 -b duration:120 -b files:15 -w secure/rot.pcapng
# dumpcap names each rotated file itself: rot_NNNNN_YYYYMMDDHHMMSS.pcapng

49) Quick Reference Filters

Go-to snippets for speed: SYN-only, HTTP errors, slow DNS, TLS ClientHello, QUIC, DHCP failures, ARP storms, SMB signing, SIP errors.

tcp.flags == 0x002  # SYN only
http.response.code >= 500
dns.time > 0.2
tls.handshake.type == 1  # ClientHello
quic
dhcp.option.dhcp == 5  # DHCP ACK (older releases: bootp.option.dhcp)
arp.duplicate-address-detected == 1
smb2.flags.signed == 0
sip.Status-Code >= 400

50) Interview Q&A — 20 Practical Questions (Expanded)

1) Capture vs display filter? Capture filters (BPF) restrict what gets saved; display filters refine view post-capture.

2) Why pcapng? Multi-interface, comments, name-res records, better metadata than pcap.

3) When use ring buffer? Long/continuous captures where storage is limited.

4) SYN retransmissions vs scans? Scans show SYNs to many ports/hosts without ACKs; retransmissions target the same 5-tuple with increasing RTO.

5) How to follow a single flow? Use tcp.stream == N or Follow Stream features.

6) Diagnose slow HTTP? Measure request→first byte delta, check TCP loss/zero-window, server processing time, and upstream DNS/DB delays.

7) TLS decryption options? Client key log (SSLKEYLOGFILE), the server’s RSA private key (TLS 1.2 and older with the RSA key exchange only), or secrets exported from the endpoint.

8) QUIC visibility? Mostly encrypted; rely on SNI/ALPN/metadata unless you have secrets.

9) Out-of-order vs retransmission? Both carry a sequence number below the next expected one; Wireshark labels the segment out-of-order when it arrives within a few milliseconds (about one RTT) of the previous segment, and a retransmission when it arrives later (after duplicate ACKs it becomes a fast retransmission).

10) Zero-window meaning? Receiver buffer full; sender pauses and probes until window opens.

11) DNS timeouts? Look for high dns.time, truncated flags, UDP→TCP retries, SERVFAIL/NXDOMAIN spikes.

12) Wi-Fi deauth attacks? Lots of deauth frames; clients drop; correlate with RSSI/SNR.

13) Why no server responses? Routing/ACL, asymmetric paths (capturing on wrong side), or server drop (e.g., firewall).

14) TCP handshake anomalies? No SYN/ACK → server/ACL issue; multiple SYN/ACKs → retrans or load balancer oddities.

15) Packet loss indicators? Retransmissions, dup ACKs, SACK blocks; rising RTT and reduced cwnd.

16) JA3/JA4 use? Client TLS fingerprinting to spot unusual clients/malware families.

17) Why disable name resolution? Avoid latency and misleading names during analysis; re-enable for reporting.

18) Exporting files safely? Validate hashes, handle legal/PII, and store securely with access controls.

19) Time synchronization importance? Needed for multi-host trace alignment and accurate latency attribution.

20) When use tshark? Headless environments, automation, CI pipelines, and batch field exports.