Wireshark Troubleshooting Guide with Commands
1. Define the Problem Clearly
Understand the symptoms and impact:
- Is the issue related to latency, packet loss, application timeout, etc.?
- Affected users: One, many, or all?
- Time of the issue? Intermittent or constant?
Document before starting:
- Source/Destination IPs
- Expected protocols and ports (e.g., HTTP on port 80, DNS on port 53)
2. Capture Setup and Filters
Choose correct location: client, server, router, or firewall.
Use capture filters (set before starting capture, written in BPF syntax, not display-filter syntax) to reduce noise:
Examples:
- Capture from a specific host:
host 192.168.1.10
- Capture only TCP traffic:
tcp
- Capture only DNS (UDP port 53):
udp port 53
- Capture only HTTPS:
port 443
Enable promiscuous mode: Edit > Preferences > Capture (or per interface under Capture > Options)
3. Start Capturing and Replicate Issue
- Start Wireshark.
- Begin capturing on the relevant network interface.
- Reproduce the problem (e.g., ping, load website, access service).
- Stop capture immediately after reproduction.
Note the timestamp of issue occurrence for later filtering.
4. Analyze the Capture
Use display filters to analyze:
TCP 3-way handshake:
tcp.flags.syn == 1
Check for completion with SYN, SYN-ACK, ACK
Follow TCP stream:
Right-click a packet > Follow > TCP Stream
Retransmissions:
tcp.analysis.retransmission
Duplicate ACKs:
tcp.analysis.duplicate_ack
Application layer inspection:
- HTTP:
http.request or http.response.code == 200
- DNS:
dns and ip.addr == 8.8.8.8
Filter by IP and port:
ip.addr == 192.168.1.10 and tcp.port == 443
5. Timing & Latency Analysis
Round Trip Time (RTT) Graph:
- Go to Statistics > TCP Stream Graphs > Round Trip Time
TCP Zero Window (receiver buffer full):
tcp.analysis.zero_window
Measure delay between request and response using timestamps in the packet list.
Use 'tcp.time_delta' to measure time gaps between packets of the same TCP conversation (requires "Calculate conversation timestamps" enabled in the TCP protocol preferences).
6. Security Checks
Suspicious traffic indicators:
- Unusual destination IPs (e.g., external IPs)
- Frequent SYN packets without ACK (scan attempts)
tcp.flags.syn == 1 and tcp.flags.ack == 0
Malicious indicators:
- DNS tunneling (unusually long query names or many TXT queries):
len(dns.qry.name) > 50 or dns.qry.type == 16
- Unencrypted sensitive data (the 'contains' operator needs a field or protocol on its left):
http contains "password"
7. Use Wireshark Tools
Tools to summarize data:
Protocol hierarchy:
Statistics > Protocol Hierarchy
Conversation statistics:
Statistics > Conversations
Endpoints view:
Statistics > Endpoints
Expert info (errors, warnings, malformed packets):
Analyze > Expert Information
8. Export and Share Insights
- Select packets of interest
- File > Export Specified Packets > Save as .pcapng
- Share with support or vendor for further analysis
You can also add packet comments in Wireshark; they are preserved when the file is saved as .pcapng.
9. Interpret and Recommend
Interpret findings into human-readable diagnostics.
Examples:
- "High latency due to DNS resolution timeout"
- "Multiple TCP retransmissions indicate possible packet loss"
- "SYNs without ACKs suggest firewall blocking"
Recommendations:
- Update DNS server
- Check physical connection or switch ports
- Tune firewall or QoS policy
10. Real-World Examples
| Issue | Command/Filter | Insight |
|---------------|-------------------------------------|----------------------------------|
| DNS Failure | dns and dns.flags.rcode != 0 | DNS query failed |
| Packet Loss | tcp.analysis.retransmission | Network-level retransmission |
| High Latency | Statistics > TCP Stream Graphs > Round Trip Time | Identify response time delays |
| TLS Failure | tls.handshake.type == 1 (ssl.handshake.type before Wireshark 3.0) | Check Client Hello (type 1) / Server Hello (type 2) |
| App Slowness | tcp.analysis.zero_window | Receiver overloaded |
Pro Tips
- Use profiles for HTTP, DNS, VoIP to switch quickly.
- Customize color rules (View > Coloring Rules) to highlight errors.
- Use tshark (CLI version of Wireshark) for automation.
Example:
tshark -i eth0 -f "tcp port 443" -w capture.pcap
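Added example (not part of the original guide) that combines the "SYN without ACK" check from section 6 with the tshark automation tip: tshark exports the SYN-only packets as tab-separated fields, and a small awk function summarizes them per source. The capture file name, the threshold and the sample lines are assumptions constructed for an offline run.

```shell
#!/bin/sh
# Assumed tshark export: one line per SYN-only packet with source IP,
# destination IP and destination port, tab separated:
#   tshark -r capture.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
# summarize_syn_only reads those lines on stdin and prints, for every
# source with more than $1 (default 10) SYN-only packets:
#   <source IP> <SYN-only count> <distinct dst:port targets>
# One source hitting many targets looks like a port scan; many sources
# hitting one target looks like a blocked service (compare section 9).
summarize_syn_only() {
    threshold="${1:-10}"
    awk -F '\t' -v thr="$threshold" '
        NF >= 3 {
            syn[$1]++
            key = $1 SUBSEP $2 ":" $3
            if (!(key in seen)) { seen[key] = 1; targets[$1]++ }
        }
        END {
            for (src in syn)
                if (syn[src] > thr)
                    printf "%s\t%d\t%d\n", src, syn[src], targets[src]
        }' | sort
}

# Constructed sample input (no real capture): 10.0.0.5 probes 12 ports on
# one host, 10.0.0.7 retries port 443 three times (an ordinary client retry).
sample_syn_lines() {
    i=1
    while [ "$i" -le 12 ]; do
        printf '10.0.0.5\t192.168.1.10\t%d\n' "$i"
        i=$((i + 1))
    done
    printf '10.0.0.7\t192.168.1.10\t443\n'
    printf '10.0.0.7\t192.168.1.10\t443\n'
    printf '10.0.0.7\t192.168.1.10\t443\n'
}

# Stand-alone run on the sample; replace sample_syn_lines with the tshark
# command above to run it against a real capture.
sample_syn_lines | summarize_syn_only 10
```

Lower the threshold to see 10.0.0.7 as well; raise it to hide both.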