{"id":4457,"date":"2025-08-09T14:17:22","date_gmt":"2025-08-09T14:17:22","guid":{"rendered":"https:\/\/uplatz.com\/blog\/?p=4457"},"modified":"2025-08-09T14:17:22","modified_gmt":"2025-08-09T14:17:22","slug":"wireshark-pocket-book","status":"publish","type":"post","link":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/","title":{"rendered":"Wireshark Pocket Book"},"content":{"rendered":"<p><!-- Wireshark Pocket Book \u2014 Uplatz (50 Cards, Wide Layout, Readable Code, Scoped Styles) --><\/p>\n<div style=\"margin:16px 0;\">\n<style>\n    .wp-wireshark-pb { font-family: Arial, sans-serif; max-width: 1320px; margin:0 auto; }\n    .wp-wireshark-pb .heading{\n      background: linear-gradient(135deg, #e0f2fe, #ecfdf5); \/* light blue -> light green *\/\n      color:#0f172a; padding:22px 24px; border-radius:14px;\n      text-align:center; margin-bottom:18px; box-shadow:0 8px 20px rgba(0,0,0,.08);\n      border:1px solid #cbd5e1;\n    }\n    .wp-wireshark-pb .heading h2{ margin:0; font-size:2.1rem; letter-spacing:.2px; }\n    .wp-wireshark-pb .heading p{ margin:6px 0 0; font-size:1.02rem; opacity:.9; }<\/p>\n<p>    \/* Wide, dense grid *\/\n    .wp-wireshark-pb .grid{\n      display:grid; gap:14px;\n      grid-template-columns: repeat(auto-fill, minmax(400px, 1fr));\n    }\n    @media (min-width:1200px){\n      .wp-wireshark-pb .grid{ grid-template-columns: repeat(3, 1fr); }\n    }<\/p>\n<p>    .wp-wireshark-pb .section-title{\n      grid-column:1\/-1; background:#f8fafc; border-left:8px solid #0ea5e9; \/* blue *\/\n      padding:12px 16px; border-radius:10px; font-weight:700; color:#0f172a; font-size:1.08rem;\n      box-shadow:0 2px 8px rgba(0,0,0,.05); border:1px solid #e2e8f0;\n    }\n    .wp-wireshark-pb .card{\n      background:#ffffff; border-left:6px solid #0ea5e9;\n      padding:18px; border-radius:12px;\n      box-shadow:0 6px 14px rgba(0,0,0,.06);\n      transition:transform .12s ease, box-shadow .12s ease;\n      border:1px solid #e5e7eb;\n    }\n    
.wp-wireshark-pb .card:hover{ transform: translateY(-3px); box-shadow:0 10px 22px rgba(0,0,0,.08); }\n    .wp-wireshark-pb .card h3{ margin:0 0 10px; font-size:1.12rem; color:#0f172a; }\n    .wp-wireshark-pb .card p{ margin:0; font-size:.96rem; color:#334155; line-height:1.62; }<\/p>\n<p>    \/* Color helpers *\/\n    .bg-blue { border-left-color:#0ea5e9 !important; background:#eef6ff !important; }\n    .bg-green{ border-left-color:#10b981 !important; background:#f0fdf4 !important; }\n    .bg-amber{ border-left-color:#f59e0b !important; background:#fffbeb !important; }\n    .bg-violet{ border-left-color:#8b5cf6 !important; background:#f5f3ff !important; }\n    .bg-rose{ border-left-color:#ef4444 !important; background:#fff1f2 !important; }\n    .bg-cyan{ border-left-color:#06b6d4 !important; background:#ecfeff !important; }\n    .bg-lime{ border-left-color:#22c55e !important; background:#ecfdf5 !important; }\n    .bg-orange{ border-left-color:#f97316 !important; background:#fff7ed !important; }\n    .bg-indigo{ border-left-color:#6366f1 !important; background:#eef2ff !important; }\n    .bg-emerald{ border-left-color:#059669 !important; background:#ecfdf5 !important; }\n    .bg-slate{ border-left-color:#334155 !important; background:#f8fafc !important; }<\/p>\n<p>    \/* Utilities & code *\/\n    .tight ul{ margin:0; padding-left:18px; }\n    .tight li{ margin:4px 0; }\n    .mono{ font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace; }\n    .wp-wireshark-pb code{ background:#f1f5f9; padding:0 4px; border-radius:4px; border:1px solid #e2e8f0; }\n    .wp-wireshark-pb pre{\n      background:#f5f5f5; color:#111827; border:1px solid #e5e7eb;\n      padding:12px; border-radius:8px; overflow:auto; font-size:.92rem; line-height:1.55;\n    }\n    .q{font-weight:700;}\n    .qa p{ margin:8px 0; }\n  <\/style>\n<div class=\"wp-wireshark-pb\">\n<div class=\"heading\">\n<h2>Wireshark Pocket Book \u2014 Uplatz<\/h2>\n<p>50 in-depth cards \u2022 Wide layout 
\u2022 Readable examples \u2022 20-question interview Q&amp;A included<\/p>\n<\/p><\/div>\n<div class=\"grid\">\n      <!-- ===================== SECTION 1: FOUNDATIONS (1\u201310) ===================== --><\/p>\n<div class=\"section-title\">Section 1 \u2014 Foundations<\/div>\n<div class=\"card bg-blue\">\n<h3>1) What is Wireshark?<\/h3>\n<p>Wireshark is a GUI network protocol analyzer that captures and dissects packets across hundreds of protocols. Use it for troubleshooting, performance, security investigations, and protocol learning. CLI siblings: <code>tshark<\/code> (analyze) and <code>dumpcap<\/code> (capture).<\/p>\n<pre><code class=\"mono\"># Basic CLI capture (tshark)\r\ntshark -i eth0 -a duration:60 -w capture.pcapng<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>2) Capture vs Display Filters<\/h3>\n<p><b>Capture filters<\/b> (libpcap syntax) limit what\u2019s saved; set before capture. <b>Display filters<\/b> (Wireshark syntax) refine what you view post-capture. Prefer display filters for flexibility; use capture filters under heavy load.<\/p>\n<pre><code class=\"mono\"># Capture filter (only TCP port 443)\r\ntcp port 443\r\n# Display filter (show only failed HTTP)\r\nhttp.response.code &gt;= 400<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>3) pcap vs pcapng<\/h3>\n<p><code>pcap<\/code> is legacy (no comments\/multi-interface). <code>pcapng<\/code> supports interfaces, comments, name resolution, and more metadata. Prefer <code>pcapng<\/code> for modern workflows.<\/p>\n<pre><code class=\"mono\">dumpcap -i eth0 -w out.pcapng<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>4) Promiscuous &#038; Monitor Modes<\/h3>\n<p><b>Promiscuous<\/b> mode captures frames not destined to your NIC (same L2 segment). <b>Monitor<\/b> mode (Wi-Fi) captures 802.11 management\/control frames. 
Hardware\/driver must support it.<\/p>\n<pre><code class=\"mono\"># Linux enabling monitor mode (example)\r\nsudo ip link set wlan0 down\r\nsudo iw dev wlan0 set type monitor\r\nsudo ip link set wlan0 up<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>5) Ring Buffers &#038; Long Captures<\/h3>\n<p>For long-running captures, use ring buffers to rotate files, preventing disk exhaustion. Great for servers and incident windows.<\/p>\n<pre><code class=\"mono\">dumpcap -i any -b filesize:200000 -b files:10 -w \/var\/log\/caps\/session.pcapng<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>6) Name Resolution<\/h3>\n<p>Wireshark can resolve MAC, IP, and port names. Disable during analysis if it slows you down or introduces confusion. Use local <code>hosts<\/code> for custom names.<\/p>\n<pre><code class=\"mono\"># Toggle in UI: View \u2192 Name Resolution\r\ntshark -n  # disable name resolution<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>7) Profiles<\/h3>\n<p>Profiles store columns, coloring rules, filters, and layout. Create protocol-specific profiles (HTTP, VoIP, TLS) for faster context switching.<\/p>\n<pre><code class=\"mono\">Help \u2192 About Wireshark \u2192 Folders \u2192 Personal configuration<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>8) Columns that Matter<\/h3>\n<p>Add custom columns for <code>tcp.stream<\/code>, <code>http.request.method<\/code>, <code>dns.qry.name<\/code>, <code>tls.record.content_type<\/code>. Sorting by these accelerates triage.<\/p>\n<pre><code class=\"mono\">Right-click field \u2192 Apply as Column<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>9) Coloring Rules<\/h3>\n<p>Use coloring to spot problems quickly (e.g., TCP retransmissions, HTTP errors). 
Keep schemes simple and high contrast.<\/p>\n<pre><code class=\"mono\">View \u2192 Coloring Rules \u2192 + (display filter, fg\/bg colors)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>10) Q&amp;A \u2014 \u201cWhen do I use capture filters?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> When traffic volume is too high to store everything or you need specific protocols only (e.g., <code>port 53<\/code>). Otherwise capture broadly and refine with display filters for flexibility.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 2: FILTERS, FIELDS & FOLLOW (11\u201320) ===================== --><\/p>\n<div class=\"section-title\">Section 2 \u2014 Filters, Field Mastery &#038; Flow Analysis<\/div>\n<div class=\"card bg-blue\">\n<h3>11) Display Filter Basics<\/h3>\n<p>Filters are field-centric (<code>ip.src==10.0.0.5<\/code>, <code>tcp.flags.syn==1<\/code>). Combine with <code>and<\/code>, <code>or<\/code>, <code>not<\/code>. Use <code>contains<\/code>, <code>matches<\/code> (regex) for payload searches.<\/p>\n<pre><code class=\"mono\">ip.addr == 10.1.2.3 and tcp.port == 443 and frame.len &gt; 1000<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>12) Filter Shortcuts<\/h3>\n<p>Right-click any field \u2192 \u201cApply as Filter\u201d (selected\/not selected\/and\/or). Middle-click to toggle expression builder. Keep a library of saved filters per profile.<\/p>\n<pre><code class=\"mono\">tcp.analysis.flags || tcp.retries || tcp.dup_ack<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>13) Follow Streams<\/h3>\n<p>\u201cFollow TCP\/UDP\/HTTP2 Stream\u201d reconstructs bidirectional conversations. 
Use it to view requests\/responses in order, export payloads, and isolate a single <code>tcp.stream<\/code>.<\/p>\n<pre><code class=\"mono\">Right-click packet \u2192 Follow \u2192 TCP Stream\r\nDisplay filter auto-set: tcp.stream == N<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>14) Conversations &#038; Endpoints<\/h3>\n<p>Statistics \u2192 Conversations\/Endpoints summarize flows by bytes, packets, and duration\u2014handy to find top talkers, scans, or noisy hosts.<\/p>\n<pre><code class=\"mono\">Statistics \u2192 Conversations \u2192 TCP\/UDP tabs<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>15) Reassembly<\/h3>\n<p>Wireshark reassembles fragmented IP and segmented TCP streams. If application payloads look truncated, check \u201cReassemble\u201d settings under each protocol\u2019s preferences.<\/p>\n<pre><code class=\"mono\">Edit \u2192 Preferences \u2192 Protocols \u2192 TCP \u2192 Allow subdissector to reassemble TCP streams<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>16) Time Display &#038; Deltas<\/h3>\n<p>Switch between absolute, relative, or delta time to measure gaps, latency, and jitter. \u201cTime since previous displayed packet\u201d is great for pinpointing stalls.<\/p>\n<pre><code class=\"mono\">View \u2192 Time Display Format \u2192 Seconds Since Previous Displayed Packet<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>17) Expert Information<\/h3>\n<p>Wireshark flags anomalies (warnings, notes, chats). Use it as a triage panel for retransmissions, zero-window, malformed packets, and protocol violations.<\/p>\n<pre><code class=\"mono\">Analyze \u2192 Expert Information<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>18) I\/O Graphs<\/h3>\n<p>Graph throughput, packet rate, or filter-based series (e.g., <code>tcp.analysis.retransmission<\/code>). 
Overlay multiple series to correlate spikes with errors.<\/p>\n<pre><code class=\"mono\">Statistics \u2192 I\/O Graphs \u2192 Add Graphs w\/ display filters<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>19) Field Extracts with tshark<\/h3>\n<p>Extract structured data to CSV\/JSON for scripting and dashboards. Combine with display filters to export just what you need.<\/p>\n<pre><code class=\"mono\">tshark -r cap.pcapng -Y \"http && http.request\" -T fields -e frame.time -e ip.src -e http.host -E header=y -E separator=,<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>20) Q&amp;A \u2014 \u201cDisplay filter vs search?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Display filters hide non-matching packets and enable field logic; \u201cFind Packet\u201d is a text\/hex search that jumps to the next occurrence but doesn\u2019t filter the view.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 3: PROTOCOLS & USE CASES (21\u201330) ===================== --><\/p>\n<div class=\"section-title\">Section 3 \u2014 Protocol Deep Dives &#038; Troubleshooting<\/div>\n<div class=\"card bg-blue\">\n<h3>21) ARP &#038; Neighbor Discovery<\/h3>\n<p>Look for ARP who-has\/ is-at storms (loops or scans). Duplicate IP detection and gratuitous ARP help diagnose IP conflicts.<\/p>\n<pre><code class=\"mono\">arp.opcode == 1 || arp.opcode == 2<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>22) DNS Diagnostics<\/h3>\n<p>High RTTs or NXDOMAIN spikes can reveal DNS issues. Filter by query name\/type, check truncation (TC) and retry behavior (UDP\u2192TCP fallback).<\/p>\n<pre><code class=\"mono\">dns && dns.flags.response == 1 && dns.time &gt; 0.2<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>23) TCP Handshake &#038; Flags<\/h3>\n<p>Validate SYN\u2192SYN\/ACK\u2192ACK, MSS\/WS options, and SACK permitted. 
Analyze <code>tcp.analysis<\/code> flags for retransmissions, fast retransmits, zero window, and out-of-order packets.<\/p>\n<pre><code class=\"mono\">tcp.flags.syn==1 || tcp.analysis.retransmission || tcp.analysis.zero_window<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>24) HTTP\/1.1\u20132\u20133<\/h3>\n<p>HTTP1.1: headers and status codes; HTTP2: streams\/frames over TLS\/ALPN; HTTP3: QUIC over UDP. Use \u201cFollow HTTP2 Stream\u201d and check :authority, :path pseudo-headers.<\/p>\n<pre><code class=\"mono\">http.response.code &gt;= 400 || http2 || quic<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>25) TLS Decryption<\/h3>\n<p>If you have the client-side key log (NSS\/Chrome\/Firefox env var), Wireshark can decrypt TLS. Add key log file under TLS protocol prefs. Works for (most) TLS 1.2\/1.3 with appropriate secrets.<\/p>\n<pre><code class=\"mono\"># Set before launching browser\r\nexport SSLKEYLOGFILE=\/tmp\/keys.log\r\n# Wireshark: Preferences \u2192 Protocols \u2192 TLS \u2192 (Pre)-Master-Secret log filename<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>26) QUIC\/HTTP3 Hints<\/h3>\n<p>QUIC is encrypted early; SNI may be visible via TLS ClientHello (if prior handshake). Use server_name, ALPN, and connection IDs to group flows. Decrypt only with secrets.<\/p>\n<pre><code class=\"mono\">quic && udp.port == 443<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>27) DHCP &#038; IPAM Issues<\/h3>\n<p>Watch DHCP Discover\/Offer\/Request\/Ack sequences. Repeated Discover without Offer indicates scope exhaustion or relay issues.<\/p>\n<pre><code class=\"mono\">bootp || dhcp<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>28) VoIP: SIP\/RTP\/RTCP<\/h3>\n<p>Decode SIP call setup, then analyze RTP streams (MOS, jitter, packet loss). 
Use Telephony menus for call flows and audio export if payload not encrypted.<\/p>\n<pre><code class=\"mono\">Telephony \u2192 VoIP Calls \u2192 Flow Sequence \/ RTP Streams<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>29) SMB &#038; File Transfers<\/h3>\n<p>Slow SMB often correlates with small window sizes or excessive chattiness. Filter auth vs data ops; check dialect negotiation and signing.<\/p>\n<pre><code class=\"mono\">smb2 && !(smb2.cmd == 5)  # exclude session setup to see I\/O<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>30) Q&amp;A \u2014 \u201cHow do I find the slow hop?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Measure server vs client deltas. If server response is quick but ACKs arrive late, it\u2019s path\/receiver side. Use TCP timestamps and delta times, plus IO Graphs for RTT trends.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 4: CAPTURE CRAFT & AUTOMATION (31\u201340) ===================== --><\/p>\n<div class=\"section-title\">Section 4 \u2014 Capture Craft, Extcap, CLI &#038; Automation<\/div>\n<div class=\"card bg-blue\">\n<h3>31) dumpcap for Reliability<\/h3>\n<p><code>dumpcap<\/code> is the robust capture engine. Use it for unattended\/privileged captures while analyzing later in Wireshark or with <code>tshark<\/code>.<\/p>\n<pre><code class=\"mono\">sudo dumpcap -i any -b duration:300 -b files:20 -w \/var\/log\/caps\/rot.pcapng<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>32) Remote Capture<\/h3>\n<p>Capture from remote hosts via SSH pipe or extcap connectors. Keep time synchronized (NTP) across devices to compare traces.<\/p>\n<pre><code class=\"mono\">ssh user@host \"sudo tcpdump -i eth0 -U -w - 'not port 22'\" | wireshark -k -i -<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>33) Capture Filters Cheats<\/h3>\n<p>Common BPF snippets: host, net, port, proto, and boolean combos. 
Protect your capture host by excluding its own SSH\/management ports.<\/p>\n<pre><code class=\"mono\">host 10.0.0.5 and tcp and not (port 22 or port 3389)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>34) Export Objects<\/h3>\n<p>Extract files from protocols (HTTP, SMB, DICOM, TFTP) via \u201cExport Objects.\u201d Validate hashes and handle legal\/PII concerns.<\/p>\n<pre><code class=\"mono\">File \u2192 Export Objects \u2192 HTTP\/SMB\/\u2026<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>35) Packet Comments &#038; Annotations<\/h3>\n<p>Add per-packet comments for collaboration; pcapng preserves them. Useful in incident timelines and for hand-offs.<\/p>\n<pre><code class=\"mono\">Right-click packet \u2192 Packet Comment<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>36) Lua Dissectors<\/h3>\n<p>Write lightweight Lua dissectors for proprietary protocols or quick field extraction when built-in dissectors don\u2019t exist.<\/p>\n<pre><code class=\"mono\">-- Minimal Lua dissector skeleton placed in plugins\/\r\nlocal p = Proto(\"demo\",\"DemoProto\")\r\nfunction p.dissector(buf,pinfo,tree) pinfo.cols.protocol=\"DEMO\"; tree:add(p, buf(0):string()) end\r\nDissectorTable.get(\"tcp.port\"):add(5555,p)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>37) Decrypt Wi-Fi (WPA-PSK)<\/h3>\n<p>Provide SSID and PSK in 802.11 prefs; capture the 4-way handshake. Wireshark derives keys to decrypt frames (not enterprise EAP-TLS without secrets).<\/p>\n<pre><code class=\"mono\">Preferences \u2192 Protocols \u2192 IEEE 802.11 \u2192 Decryption Keys \u2192 wpa-psk:SSID:passphrase<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>38) GeoIP &#038; Name Datasets<\/h3>\n<p>Integrate GeoIP databases to map IPs to geo\/ASN for quick triage. 
Keep datasets updated for accuracy.<\/p>\n<pre><code class=\"mono\">Preferences \u2192 Name Resolution \u2192 MaxMind database paths<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>39) Batch Pipelines<\/h3>\n<p>Automate log enrichment by exporting fields and joining with SIEM\/BQ tables. Great for recurring reports and anomaly hunts.<\/p>\n<pre><code class=\"mono\">tshark -r cap.pcapng -Y \"tcp\" -T json &gt; tcp.json<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>40) Q&amp;A \u2014 \u201cWhy dumpcap over Wireshark for capture?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> <code>dumpcap<\/code> is minimal and stable under load, runs without the GUI, supports ring buffers and privileges separation\u2014ideal for long, unattended captures.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 5: CHECKLISTS, CHEATS & INTERVIEW Q&A (41\u201350) ===================== --><\/p>\n<div class=\"section-title\">Section 5 \u2014 Checklists, Cheats &#038; Interview Q&amp;A<\/div>\n<div class=\"card bg-blue\">\n<h3>41) Performance Checklist<\/h3>\n<p>Confirm full-duplex visibility (SPAN\/tap), disable name resolution, use display filters, profile with IO Graphs, inspect TCP windows\/SACK, confirm MSS\/path MTU, and check queueing delays.<\/p>\n<pre><code class=\"mono\">tcp.analysis.bytes_in_flight &gt; 100000 || tcp.window_size_value &lt; 4096<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>42) Security Triage Checklist<\/h3>\n<p>Look for port scans (many SYNs, no ACKs), beaconing (periodic small UDP\/TCP), DNS anomalies (exfil, long TXT), TLS JA3\/JA4 outliers, suspicious SNI, and data to unexpected ASNs.<\/p>\n<pre><code class=\"mono\">tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.seq==0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>43) HTTP Troubleshooting Cheats<\/h3>\n<p>Filter by host\/method\/status, follow streams, examine latency between request and first byte, and check TCP 
retransmissions around stalls.<\/p>\n<pre><code class=\"mono\">http.host contains \"api\" && (http.response.code &gt;= 400 || http.request.method == \"POST\")<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>44) TLS\/Cert Cheats<\/h3>\n<p>Check version, cipher suite, SNI, certificate CN\/SAN, and OCSP stapling. Mismatches or legacy ciphers can break clients or policies.<\/p>\n<pre><code class=\"mono\">tls && tls.handshake.type == 11  # Certificate<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>45) Wi-Fi Cheats<\/h3>\n<p>Identify deauth floods, channel overlap, and low SNR. In monitor mode, watch management frames for roaming issues and 802.11k\/v\/r support.<\/p>\n<pre><code class=\"mono\">wlan.fc.type_subtype == 0x0c  # deauthentication<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>46) Exporting Reports<\/h3>\n<p>Use \u201cFile \u2192 Export Packet Dissections\u201d (CSV\/JSON) or <code>tshark<\/code> for headless exports. Add custom columns first to include them in CSV.<\/p>\n<pre><code class=\"mono\">tshark -r cap.pcapng -T fields -E header=y -e frame.time -e ip.src -e ip.dst -e tcp.len<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>47) Common Pitfalls<\/h3>\n<p>Capturing at the wrong point in the path, assuming name resolution is accurate, filtering out too much at capture time, ignoring time sync, and misreading retransmissions vs out-of-order.<\/p>\n<pre><code class=\"mono\">tcp.analysis.out_of_order && !tcp.analysis.retransmission<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>48) Production Hygiene<\/h3>\n<p>Get approvals, scrub PII, time-box captures, encrypt artifacts at rest, rotate ring buffers, and document filters, interfaces, and environment.<\/p>\n<pre><code class=\"mono\">dumpcap -i eth0 -b duration:120 -b files:15 -w secure\/rot_%F_%H-%M.pcapng<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>49) Quick Reference Filters<\/h3>\n<p>Go-to snippets 
for speed: SYN-only, HTTP errors, slow DNS, TLS ClientHello, QUIC, DHCP failures, ARP storms, SMB signing, SIP errors.<\/p>\n<pre><code class=\"mono\">tcp.flags == 0x002  # SYN only\r\nhttp.response.code &gt;= 500\r\ndns.time &gt; 0.2\r\ntls.handshake.type == 1  # ClientHello\r\nquic\r\ndhcp.option.dhcp == 5  # DHCP ACK (message type 5; field renamed from bootp.* in Wireshark 3.x)\r\narp.duplicate-address-detected == 1\r\nsmb2.flags.signed == 0\r\nsip.Status-Code &gt;= 400<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald qa\">\n<h3>50) Interview Q&amp;A \u2014 20 Practical Questions (Expanded)<\/h3>\n<p><b>1) Capture vs display filter?<\/b> Capture filters (BPF) restrict what gets saved; display filters refine view post-capture.<\/p>\n<p><b>2) Why pcapng?<\/b> Multi-interface, comments, name-res records, better metadata than pcap.<\/p>\n<p><b>3) When use ring buffer?<\/b> Long\/continuous captures where storage is limited.<\/p>\n<p><b>4) SYN retransmissions vs scans?<\/b> Scans show SYNs to many ports\/hosts without ACKs; retransmissions target the same 5-tuple with increasing RTO.<\/p>\n<p><b>5) How to follow a single flow?<\/b> Use <code>tcp.stream == N<\/code> or Follow Stream features.<\/p>\n<p><b>6) Diagnose slow HTTP?<\/b> Measure request\u2192first byte delta, check TCP loss\/zero-window, server processing time, and upstream DNS\/DB delays.<\/p>\n<p><b>7) TLS decryption options?<\/b> Client key log (SSLKEYLOGFILE), RSA private keys (older ciphers), or session secrets from endpoint.<\/p>\n<p><b>8) QUIC visibility?<\/b> Mostly encrypted; rely on SNI\/ALPN\/metadata unless you have secrets.<\/p>\n<p><b>9) Out-of-order vs retransmission?<\/b> OOO arrives with seq ahead of expected; retrans has same seq as earlier segment.<\/p>\n<p><b>10) Zero-window meaning?<\/b> Receiver buffer full; sender pauses and probes until window opens.<\/p>\n<p><b>11) DNS timeouts?<\/b> Look for high <code>dns.time<\/code>, truncated flags, UDP\u2192TCP retries, SERVFAIL\/NXDOMAIN spikes.<\/p>\n<p><b>12) Wi-Fi deauth attacks?<\/b> 
Lots of deauth frames; clients drop; correlate with RSSI\/SNR.<\/p>\n<p><b>13) Why no server responses?<\/b> Routing\/ACL, asymmetric paths (capturing on wrong side), or server drop (e.g., firewall).<\/p>\n<p><b>14) TCP handshake anomalies?<\/b> No SYN\/ACK \u2192 server\/ACL issue; multiple SYN\/ACKs \u2192 retrans or load balancer oddities.<\/p>\n<p><b>15) Packet loss indicators?<\/b> Retransmissions, dup ACKs, SACK blocks; rising RTT and reduced cwnd.<\/p>\n<p><b>16) JA3\/JA4 use?<\/b> Client TLS fingerprinting to spot unusual clients\/malware families.<\/p>\n<p><b>17) Why disable name resolution?<\/b> Avoid latency and misleading names during analysis; re-enable for reporting.<\/p>\n<p><b>18) Exporting files safely?<\/b> Validate hashes, handle legal\/PII, and store securely with access controls.<\/p>\n<p><b>19) Time synchronization importance?<\/b> Needed for multi-host trace alignment and accurate latency attribution.<\/p>\n<p><b>20) When use tshark?<\/b> Headless environments, automation, CI pipelines, and batch field exports.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Wireshark Pocket Book \u2014 Uplatz 50 in-depth cards \u2022 Wide layout \u2022 Readable examples \u2022 20-question interview Q&amp;A included Section 1 \u2014 Foundations 1) What is Wireshark? 
Wireshark is a <span class=\"readmore\"><a href=\"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/\">Read More &#8230;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2462,2474],"tags":[],"class_list":["post-4457","post","type-post","status-publish","format-standard","hentry","category-pocket-book","category-wireshark"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Wireshark Pocket Book | Uplatz Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Wireshark Pocket Book | Uplatz Blog\" \/>\n<meta property=\"og:description\" content=\"Wireshark Pocket Book \u2014 Uplatz 50 in-depth cards \u2022 Wide layout \u2022 Readable examples \u2022 20-question interview Q&amp;A included Section 1 \u2014 Foundations 1) What is Wireshark? 
Wireshark is a Read More ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/\" \/>\n<meta property=\"og:site_name\" content=\"Uplatz Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Uplatz-1077816825610769\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-09T14:17:22+00:00\" \/>\n<meta name=\"author\" content=\"uplatzblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:site\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"uplatzblog\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/\"},\"author\":{\"name\":\"uplatzblog\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\"},\"headline\":\"Wireshark Pocket Book\",\"datePublished\":\"2025-08-09T14:17:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/\"},\"wordCount\":1546,\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"articleSection\":[\"Pocket Book\",\"Wireshark\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/\",\"name\":\"Wireshark Pocket Book | Uplatz 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\"},\"datePublished\":\"2025-08-09T14:17:22+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wireshark-pocket-book\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Wireshark Pocket Book\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"name\":\"Uplatz Blog\",\"description\":\"Uplatz is a global IT Training &amp; Consulting company\",\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\",\"name\":\"uplatz.com\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"contentUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"width\":1280,\"height\":800,\"caption\":\"uplatz.com\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/imag
e\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/Uplatz-1077816825610769\\\/\",\"https:\\\/\\\/x.com\\\/uplatz_global\",\"https:\\\/\\\/www.instagram.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/7956715?trk=tyah&amp;amp;amp;amp;trkInfo=clickedVertical:company,clickedEntityId:7956715,idx:1-1-1,tarId:1464353969447,tas:uplatz\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\",\"name\":\"uplatzblog\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"caption\":\"uplatzblog\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Wireshark Pocket Book | Uplatz Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/","og_locale":"en_US","og_type":"article","og_title":"Wireshark Pocket Book | Uplatz Blog","og_description":"Wireshark Pocket Book \u2014 Uplatz 50 in-depth cards \u2022 Wide layout \u2022 Readable examples \u2022 20-question interview Q&amp;A included Section 1 \u2014 Foundations 1) What is Wireshark? 
Wireshark is a Read More ...","og_url":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/","og_site_name":"Uplatz Blog","article_publisher":"https:\/\/www.facebook.com\/Uplatz-1077816825610769\/","article_published_time":"2025-08-09T14:17:22+00:00","author":"uplatzblog","twitter_card":"summary_large_image","twitter_creator":"@uplatz_global","twitter_site":"@uplatz_global","twitter_misc":{"Written by":"uplatzblog"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/#article","isPartOf":{"@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/"},"author":{"name":"uplatzblog","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/person\/8ecae69a21d0757bdb2f776e67d2645e"},"headline":"Wireshark Pocket Book","datePublished":"2025-08-09T14:17:22+00:00","mainEntityOfPage":{"@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/"},"wordCount":1546,"publisher":{"@id":"https:\/\/uplatz.com\/blog\/#organization"},"articleSection":["Pocket Book","Wireshark"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/","url":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/","name":"Wireshark Pocket Book | Uplatz Blog","isPartOf":{"@id":"https:\/\/uplatz.com\/blog\/#website"},"datePublished":"2025-08-09T14:17:22+00:00","breadcrumb":{"@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/uplatz.com\/blog\/wireshark-pocket-book\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/uplatz.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Wireshark Pocket Book"}]},{"@type":"WebSite","@id":"https:\/\/uplatz.com\/blog\/#website","url":"https:\/\/uplatz.com\/blog\/","name":"Uplatz Blog","description":"Uplatz is a global IT Training 
&amp; Consulting company","publisher":{"@id":"https:\/\/uplatz.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/uplatz.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/uplatz.com\/blog\/#organization","name":"uplatz.com","url":"https:\/\/uplatz.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2016\/11\/Uplatz-Logo-Copy-2.png","contentUrl":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2016\/11\/Uplatz-Logo-Copy-2.png","width":1280,"height":800,"caption":"uplatz.com"},"image":{"@id":"https:\/\/uplatz.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Uplatz-1077816825610769\/","https:\/\/x.com\/uplatz_global","https:\/\/www.instagram.com\/","https:\/\/www.linkedin.com\/company\/7956715?trk=tyah&amp;amp;amp;amp;trkInfo=clickedVertical:company,clickedEntityId:7956715,idx:1-1-1,tarId:1464353969447,tas:uplatz"]},{"@type":"Person","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/person\/8ecae69a21d0757bdb2f776e67d2645e","name":"uplatzblog","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","caption":"uplatzblog"}}]}},"_links":{"self":[{"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/posts\/4457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/posts
"}],"about":[{"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/comments?post=4457"}],"version-history":[{"count":1,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/posts\/4457\/revisions"}],"predecessor-version":[{"id":4458,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/posts\/4457\/revisions\/4458"}],"wp:attachment":[{"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/media?parent=4457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/categories?post=4457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/uplatz.com\/blog\/wp-json\/wp\/v2\/tags?post=4457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}