Wireshark Deep Dive: Capturing and Analysing Real Traffic

This post covers advanced Wireshark techniques including capture vs display filters, TCP stream analysis, protocol-specific troubleshooting for OSPF and STP, and practical workflows for identifying slow applications and network issues.

Wireshark is more than just a packet viewer—it's a powerful diagnostic tool that can solve complex network problems when you know how to use it properly. While basic packet capture is straightforward, effective network troubleshooting requires understanding advanced techniques like proper filtering, stream analysis, and protocol-specific investigation.

Capture Filters vs Display Filters

Understanding the difference between capture and display filters is crucial for efficient analysis. Capture filters determine what traffic Wireshark collects, while display filters control what you see from already captured data.

Use capture filters to limit data collection and reduce file sizes:

host 192.168.1.1
tcp port 80 or tcp port 443
not broadcast and not multicast

Display filters help you focus on specific traffic patterns after capture:

tcp.flags.reset == 1
ip.addr == 10.0.0.0/24 && http
ospf.hello

The key difference: capture filters use BPF syntax and can't be changed after starting capture, while display filters use Wireshark's syntax and can be modified anytime during analysis.

Following TCP Streams

TCP stream analysis reveals the complete conversation between two hosts. Right-click any TCP packet and select Follow > TCP Stream to see the entire data exchange in a readable format.

This technique is invaluable for:

  • Analyzing HTTP requests and responses
  • Examining file transfers
  • Debugging application protocols
  • Identifying connection issues

Look for patterns like repeated retransmissions, window scaling problems, or application-level errors that might not be obvious in individual packet analysis.

Protocol-Specific Analysis

OSPF Hello Analysis

OSPF neighbor relationships depend on consistent hello packets. Filter for OSPF hellos and examine key parameters:

ospf.hello

Check for mismatched hello intervals, area IDs, or network masks. Inconsistent timers will prevent neighbor adjacencies from forming properly.

Spanning Tree Topology Changes

STP topology changes can cause network instability. Use this filter to identify BPDU activity:

stp

Look for frequent topology change notifications, which might indicate a flapping link or misconfigured port. Pay attention to root bridge elections and port state changes.

Application Performance Troubleshooting

Slow applications often reveal themselves through packet timing analysis. Use Wireshark's statistics features:

  • IO Graphs: Visualize traffic patterns over time
  • Flow Graphs: See the sequence of packet exchanges
  • Round Trip Time: Identify network latency issues

Look for TCP window scaling issues, which show up as persistently small advertised window sizes in the TCP header. Also watch for duplicate ACKs and fast retransmissions, both of which indicate packet loss.

Practical Troubleshooting Workflow

Start with broad capture filters, then narrow your focus:

  1. Capture relevant traffic using appropriate capture filters
  2. Apply display filters to isolate suspicious patterns
  3. Use statistics and graphs to identify trends
  4. Follow streams for detailed protocol analysis
  5. Correlate findings with network topology and configuration

Remember that effective packet analysis requires understanding both the protocols involved and the network infrastructure. A TCP reset might indicate an application problem, a firewall rule, or a routing issue.

What's Next

Now that you understand advanced Wireshark techniques, the next step is learning how to automate packet analysis using tools like tshark and Python libraries. This allows you to process large capture files and create custom analysis scripts for recurring troubleshooting scenarios.
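As an added example that is not from the original post: a small standard-library Python script that applies the same checks as the display filters above (tcp.flags.reset == 1, plus the retransmission and zero-window conditions from the performance section) to a constructed set of Ethernet/IPv4/TCP frames, the kind of recurring check the automation step describes. The retransmission test (the same 4-tuple and sequence number carrying data twice) is a simplified stand-in for Wireshark's tcp.analysis heuristics, and the addresses, ports and frames are made up for the demonstration.

```python
import struct
from collections import Counter

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # TCP flag bits

def tcp_frame(src, dst, sport, dport, seq, flags, window, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (ack and checksums zeroed; enough to parse)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + tcp

def parse_tcp(frame):
    """Pull the TCP fields that Wireshark's tcp.* filters test from an Ethernet frame."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4 over Ethernet, or not TCP
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl  # start of the TCP header
    sport, dport, seq, _, off, flags, window = struct.unpack("!HHIIBBH", frame[t:t + 16])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags, "window": window,
            "data_len": total_len - ihl - (off >> 4) * 4}

def analyse(frames):
    """Count frames matching the page's display-filter conditions (simplified heuristics)."""
    report, seen = Counter(), set()
    for pkt in filter(None, map(parse_tcp, frames)):
        report["tcp"] += 1
        if pkt["flags"] & RST:
            report["tcp.flags.reset == 1"] += 1
        elif pkt["window"] == 0:
            report["tcp.analysis.zero_window"] += 1
        if pkt["data_len"] > 0:  # same data segment seen twice = retransmission
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])
            if key in seen:
                report["tcp.analysis.retransmission"] += 1
            seen.add(key)
    return report

# Constructed sample capture: handshake, a GET sent twice, a zero window, then a RST.
C, S, GET = "10.0.0.5", "10.0.0.80", b"GET / HTTP/1.1\r\n\r\n"
SAMPLE = [
    tcp_frame(C, S, 40000, 80, 100, SYN, 65535),
    tcp_frame(S, C, 80, 40000, 500, SYN | ACK, 65535),
    tcp_frame(C, S, 40000, 80, 101, ACK, 65535),
    tcp_frame(C, S, 40000, 80, 101, PSH | ACK, 65535, GET),
    tcp_frame(C, S, 40000, 80, 101, PSH | ACK, 65535, GET),  # retransmission
    tcp_frame(S, C, 80, 40000, 501, ACK, 0),                 # zero window
    tcp_frame(S, C, 80, 40000, 501, RST | ACK, 0),
]
```

Calling analyse(SAMPLE) returns a Counter keyed by the filter names; swapping SAMPLE for frames read from a real capture file is the next step.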