Wireshark Interface and Wireshark Troubleshooting Scenarios
Wireshark Interface
Wireshark has three main panes:
1. Packet List Pane (Top)
Shows a summary of every captured packet.
Typical columns:
- No.
- Time
- Source
- Destination
- Protocol
- Length
- Info
Example:
| No | Source | Destination | Protocol | Info |
|---|---|---|---|---|
| 15 | 192.168.1.10 | 8.8.8.8 | DNS | Standard Query |
| 16 | 8.8.8.8 | 192.168.1.10 | DNS | Standard Query Response |
2. Packet Details Pane (Middle): Parsed Data
This is the parsed (decoded) information.
For a TCP packet you might see:
Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Hypertext Transfer Protocol
Click the arrow beside each protocol to expand it.
Example:
Ethernet II
Destination: 00:11:22:33:44:55
Source: aa:bb:cc:dd:ee:ff
IPv4
Source: 192.168.1.10
Destination: 142.250.183.78
TCP
Source Port: 52341
Destination Port: 443
Sequence Number: 1050
Acknowledgment Number: 2500
TLS
Client Hello
3. Packet Bytes Pane (Bottom)
Shows the raw bytes of the frame in hexadecimal, with an ASCII rendering alongside.
Example:
45 00 00 3c 1c 46 40 00
40 06 b1 e6 c0 a8 01 0a
When you click a parsed field above, Wireshark highlights the corresponding bytes below.
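The link between the Details pane and the Bytes pane, as an added example that is not from the original page: a small Python decoder for an Ethernet II / IPv4 / TCP frame that returns each field together with the byte offset and length Wireshark would highlight when that row is selected. The sample frame is constructed in the code (addresses and ports follow the examples above, but it is a plain SYN, and the IPv4 header checksum is computed rather than copied). Wireshark can validate that checksum the same way, but only if "Validate the IPv4 checksum if possible" is enabled in the IPv4 protocol preferences; it is off by default.

```python
"""Decode an Ethernet II / IPv4 / TCP frame into Packet Details rows, each tagged with
the byte offset and length the Packet Bytes pane would highlight. Added example; the
sample frame is constructed, not taken from a capture."""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame: 192.168.1.10:52341 -> 142.250.183.78:443, a bare SYN."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    ip_zero_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                               bytes([192, 168, 1, 10]), bytes([142, 250, 183, 78]))
    ip = ip_zero_csum[:10] + struct.pack("!H", ipv4_checksum(ip_zero_csum)) + ip_zero_csum[12:]
    tcp = struct.pack("!HHIIBBHHH", 52341, 443, 1050, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def tcp_flags(bits: int) -> str:
    return ", ".join(name for mask, name in TCP_FLAG_NAMES if bits & mask) or "none"


def decode(frame: bytes):
    """Return rows of (layer, field, value, offset, length), outermost layer first."""
    rows = []
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    rows += [("Ethernet II", "Destination", mac(dst), 0, 6),
             ("Ethernet II", "Source", mac(src), 6, 6),
             ("Ethernet II", "Type", "0x%04x" % etype, 12, 2)]
    if etype != 0x0800:                      # only IPv4 is decoded here
        return rows
    o = 14
    vihl, _tos, tlen, _id, _ffo, ttl, proto, csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[o:o + 20])
    ihl = (vihl & 0x0F) * 4
    hdr = frame[o:o + ihl]
    status = "correct" if ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum else "incorrect"
    rows += [("IPv4", "Total Length", tlen, o + 2, 2),
             ("IPv4", "Time to Live", ttl, o + 8, 1),
             ("IPv4", "Protocol", proto, o + 9, 1),
             ("IPv4", "Header Checksum", "0x%04x [%s]" % (csum, status), o + 10, 2),
             ("IPv4", "Source", ".".join(map(str, sip)), o + 12, 4),
             ("IPv4", "Destination", ".".join(map(str, dip)), o + 16, 4)]
    if proto != 6:                           # only TCP is decoded here
        return rows
    o += ihl
    sport, dport, seq, ack, _doff, flags, win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", frame[o:o + 20])
    rows += [("TCP", "Source Port", sport, o, 2),
             ("TCP", "Destination Port", dport, o + 2, 2),
             ("TCP", "Sequence Number", seq, o + 4, 4),
             ("TCP", "Acknowledgment Number", ack, o + 8, 4),
             ("TCP", "Flags", tcp_flags(flags), o + 13, 1),
             ("TCP", "Window", win, o + 14, 2)]
    return rows


def highlight(frame: bytes, row) -> str:
    """The hex bytes the Packet Bytes pane would highlight for a Details-pane row."""
    _, _, _, offset, length = row
    return frame[offset:offset + length].hex(" ")


if __name__ == "__main__":
    frame = build_sample_frame()
    for row in decode(frame):
        print("%-12s %-22s %-24s bytes: %s" % (row[0], row[1], str(row[2]), highlight(frame, row)))
```

Selecting the IPv4 Source row highlights `c0 a8 01 0a`, which is exactly the run of bytes shown in the hex example above; the Bytes pane is the same frame the Details pane decodes, just without the decoding.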
Example: Reading a Ping Packet
Filter:
icmp
Parsed data:
Frame
Ethernet II
Internet Protocol Version 4
Source: 192.168.1.100
Destination: 8.8.8.8
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Meaning:
- Device 192.168.1.100 is sending a ping.
- Destination is 8.8.8.8.
- ICMP Type 8 = Echo Request.
Example: Reading a TCP 3-Way Handshake
Filter:
tcp
Packet 1:
SYN
Packet 2:
SYN, ACK
Packet 3:
ACK
Info column:
52341 → 443 SYN
443 → 52341 SYN, ACK
52341 → 443 ACK
This indicates a successful TCP connection establishment.
Useful Wireshark Filters
ip.addr == 192.168.1.10
tcp
udp
icmp
dns
http
tls
arp
ospf
What to Look for During Troubleshooting
DNS Issues
- DNS Query
- DNS Response
- Response Code
Filter:
dns
TCP Issues
- SYN retransmissions
- Duplicate ACKs
- TCP Reset (RST)
Filter:
tcp
OSPF Issues
- Hello packets
- Database Description (DBD)
- Link State Updates
Filter:
ospf
ARP Issues
- Who has 192.168.1.1?
- ARP Reply
Filter:
arp
Wireshark Troubleshooting Scenarios
For a Network Operations Center (NOC) or Network Engineer role, Wireshark is one of the most valuable troubleshooting tools. It captures packets and lets you inspect exactly what is happening on the network.
1. DNS Resolution Issues
Problem:
- User cannot open google.com.
Wireshark Filter:
dns
Check:
- DNS Query
- DNS Response
- Error codes in the response (dns.flags.rcode; 3 = NXDOMAIN, 2 = SERVFAIL, 5 = REFUSED)
No response at all points at the resolver or the path to it; a response carrying an error code points at the name or the authoritative side.
Example:
Client → DNS Query → google.com
DNS Server → Response → 142.x.x.x
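What the dns filter is actually showing, as an added example that is not part of the original page: a Python parser that decodes a DNS response the way the Wireshark dissector does (transaction ID, QR flag, RCODE, question, answers with label compression). The two messages it parses are constructed by build_response() inside the code, one healthy A answer and one NXDOMAIN, so it runs offline; the pointer hop limit in read_name() is there because a hostile message can contain a compression loop.

```python
"""Parse a DNS response: transaction ID, response flag, RCODE, question and answers.
Added example; both messages are constructed with build_response(), not captured."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid: int, qname: str, rcode: int, answer_ip: str = None) -> bytes:
    """Constructed reply to an A query: QR=1, RD=1, RA=1. The answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    if answer_ip:
        rdata = bytes(int(x) for x in answer_ip.split("."))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return msg


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the name).
    The hop limit stops pointer loops a malicious message could contain."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                           # name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(flags & 0xF, "RCODE %d" % (flags & 0xF)),
        "questions": questions,
        "answers": answers,
    }


if __name__ == "__main__":
    print(parse_response(build_response(0x1234, "google.com", 0, "142.250.183.78")))
    print(parse_response(build_response(0x1235, "nosuch.example", 3)))
```

The "rcode" value is what you would read from the Flags subtree of the response in the Details pane; an NXDOMAIN reply has zero answer records, so a client that only looks at the answer count misreads it as a timeout.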
2. TCP 3-Way Handshake Failure
Problem:
- Website is not loading.
Filter:
tcp
Check:
- SYN
- SYN-ACK
- ACK
If only SYN packets are seen repeatedly (Wireshark labels the repeats [TCP Retransmission] in the Info column; tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates them):
- Server may be down
- Firewall may be blocking traffic
- Routing issue
3. Slow Network Performance
Symptoms:
- Slow internet
- Slow application response
Check:
- TCP Retransmissions
- Duplicate ACKs
- Packet Loss
- High latency
Useful filter:
tcp.analysis.flags
4. OSPF Neighbor Stuck in ExStart
Filter:
ospf
Check:
- Hello packets
- Database Description (DBD)
- Link State Request
- Link State Update
Common cause:
- MTU mismatch: compare the Interface MTU field in the DBD packets from each router. A router rejects a DBD that advertises an MTU larger than its own interface MTU, so the pair keeps exchanging DBDs and never leaves ExStart.
5. DHCP Not Assigning IP Address
Filter:
dhcp (Wireshark 3.0 and later; bootp on older versions)
Verify:
- DHCP Discover
- DHCP Offer
- DHCP Request
- DHCP ACK
Missing Offer usually indicates a DHCP server or relay issue (no DHCP server on that VLAN and no relay/ip helper, or an exhausted scope). A DHCP NAK in place of the ACK means the server rejected the client's Request.
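The Discover/Offer/Request/ACK check above, as an added example that is not part of the original page: a Python routine that groups captured DHCP messages by transaction ID and reports the stage at which each exchange stalled. SAMPLE_DHCP is a constructed message list (transaction ID and option 53 message type, the value Wireshark shows in the DHCP Message Type field), not a real capture; the diagnoses it attaches to each outcome are the ones listed in this scenario.

```python
"""Group DHCP messages by transaction ID and report how far each DORA exchange got.
Added example; SAMPLE_DHCP is constructed, not taken from a capture."""

# DHCP message types carried in option 53 (what Wireshark's DHCP Message Type field shows).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
NAMES = {DISCOVER: "Discover", OFFER: "Offer", REQUEST: "Request", ACK: "ACK", NAK: "NAK"}

# Constructed: (transaction id, message type) in capture order.
SAMPLE_DHCP = [
    (0x1111, DISCOVER), (0x1111, OFFER), (0x1111, REQUEST), (0x1111, ACK),   # healthy lease
    (0x2222, DISCOVER), (0x2222, DISCOVER), (0x2222, DISCOVER),             # nobody answers
    (0x3333, DISCOVER), (0x3333, OFFER), (0x3333, REQUEST), (0x3333, NAK),   # server rejects
    (0x4444, REQUEST),                                                       # renewal, no reply
]


def dora_status(messages):
    """Return {xid: verdict}; the verdict names the last stage reached and the usual cause."""
    per_xid = {}
    for xid, mtype in messages:
        per_xid.setdefault(xid, []).append(mtype)
    verdicts = {}
    for xid, seq in per_xid.items():
        seen = set(seq)
        if ACK in seen:
            v = "lease assigned"
        elif NAK in seen:
            v = "NAK: server rejected the Request (address in use, wrong subnet for the relay, or stale lease)"
        elif REQUEST in seen:
            v = "Request unanswered: server did not ACK (check server logs and the relay path)"
        elif OFFER in seen:
            v = "Offer received but client never sent a Request (client-side problem)"
        else:
            v = ("no Offer after %d Discover(s): no DHCP server on this VLAN, "
                 "missing relay/ip helper, or scope exhausted" % seq.count(DISCOVER))
        verdicts[xid] = v
    return verdicts


def trace(messages):
    """Human-readable sequence per transaction, e.g. 'Discover > Offer > Request > ACK'."""
    per_xid = {}
    for xid, mtype in messages:
        per_xid.setdefault(xid, []).append(NAMES.get(mtype, str(mtype)))
    return {xid: " > ".join(names) for xid, names in per_xid.items()}


if __name__ == "__main__":
    flow, verdict = trace(SAMPLE_DHCP), dora_status(SAMPLE_DHCP)
    for xid in flow:
        print("0x%04x  %-40s %s" % (xid, flow[xid], verdict[xid]))
```

Grouping by transaction ID matters because a busy segment interleaves several clients' exchanges; the dhcp filter alone shows them as one stream.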
6. ARP Problems
Filter:
arp
Look for:
Who has 192.168.1.1? Tell 192.168.1.10
If there is no ARP reply:
- Device may be offline
- Wrong VLAN
- Cabling issue
7. Switching Loop / Broadcast Storm
Symptoms:
- Network slowdown
- High CPU usage
- Broadcast storm
Check:
- Excessive ARP traffic
- Excessive broadcasts
- Repeated packets (the same frame arriving over and over)
Filter:
arp
or
eth.dst == ff:ff:ff:ff:ff:ff
Statistics > I/O Graph makes the rate spike obvious.
8. HTTP/HTTPS Problems
Filter:
http
or
tls
Verify:
- HTTP GET
- HTTP Response
- TLS Handshake
- Server responses (status codes such as 4xx and 5xx)
9. SSL/TLS Handshake Failure
Filter:
tls
Check:
- Client Hello
- Server Hello
- Certificate exchange (readable in TLS 1.2; in TLS 1.3 the certificate is sent encrypted, so only the Hellos are visible)
- Handshake failures (TLS Alert records such as handshake_failure, unknown_ca, certificate_expired)
10. Email Issues
SMTP:
smtp
POP3:
pop
IMAP:
imap
Verify:
- Authentication
- Mail transfer
- Server responses
After STARTTLS the rest of the session is encrypted and shows up as TLS, not as SMTP/POP/IMAP commands.
11. VoIP Call Quality Issues
Filter:
sip
or
rtp
Check:
- Packet loss
- Jitter
- Delay
- SIP registration
Telephony > RTP > RTP Streams reports loss and jitter per stream. If the SIP signaling was not captured, Wireshark may not recognize the RTP and needs Decode As.
12. Packet Loss Investigation
Look for:
- TCP Retransmissions
- Duplicate ACKs
- Lost packets
Useful filter:
tcp.analysis.retransmission
13. Firewall Blocking Traffic
Check:
- SYN sent
- No SYN-ACK received (a silent drop)
- TCP RST packets (a reject)
- ICMP unreachable messages (icmp.type == 3; code 13 is "communication administratively prohibited")
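The handshake reasoning from scenario 2 and the drop-versus-reject distinction above, as an added example that is not part of the original page: a Python classifier that walks a list of TCP packets and assigns each connection attempt one of the verdicts these scenarios describe. SAMPLE_PACKETS is a constructed list in the shape of the Info column (time, source, source port, destination, destination port, flags); the addresses, ports and flow states are illustrative.

```python
"""Classify TCP connection attempts from a packet list: established, refused by RST,
or SYN retransmitted with no answer. Added example on a constructed packet list."""

# Constructed: (time, src, sport, dst, dport, flags) as the Info column would show them.
SAMPLE_PACKETS = [
    (0.000, "192.168.1.10", 52341, "142.250.183.78", 443, "SYN"),
    (0.020, "142.250.183.78", 443, "192.168.1.10", 52341, "SYN,ACK"),
    (0.021, "192.168.1.10", 52341, "142.250.183.78", 443, "ACK"),
    # SYN retransmitted with doubling backoff and never answered (silent drop)
    (1.000, "192.168.1.10", 52342, "10.0.0.5", 8443, "SYN"),
    (2.000, "192.168.1.10", 52342, "10.0.0.5", 8443, "SYN"),
    (4.000, "192.168.1.10", 52342, "10.0.0.5", 8443, "SYN"),
    (8.000, "192.168.1.10", 52342, "10.0.0.5", 8443, "SYN"),
    # answered with a reset (closed port or rejecting firewall)
    (3.000, "192.168.1.10", 52343, "10.0.0.6", 22, "SYN"),
    (3.010, "10.0.0.6", 22, "192.168.1.10", 52343, "RST,ACK"),
]


def classify_handshakes(packets):
    """Return {(client, cport, server, sport): verdict} for every SYN-initiated flow."""
    flows = {}
    for _t, src, sport, dst, dport, flags in packets:
        f = set(flags.replace(" ", "").split(","))
        fwd = (src, sport, dst, dport)       # client -> server
        rev = (dst, dport, src, sport)       # server -> client, keyed by the client's SYN
        if f == {"SYN"}:
            state = flows.setdefault(fwd, {"syn": 0, "synack": False, "ack": False, "rst": False})
            state["syn"] += 1                # a second SYN on the same tuple is a retransmission
        elif {"SYN", "ACK"} <= f and rev in flows:
            flows[rev]["synack"] = True
        elif "RST" in f and rev in flows:
            flows[rev]["rst"] = True
        elif f == {"ACK"} and fwd in flows:
            flows[fwd]["ack"] = True
    verdicts = {}
    for key, s in flows.items():
        if s["synack"] and s["ack"]:
            v = "established"
        elif s["rst"]:
            v = "refused: RST from peer (closed port, or a firewall configured to reject)"
        elif not s["synack"] and s["syn"] > 1:
            v = "unanswered after %d SYNs: host down, silent firewall drop, or no route" % s["syn"]
        elif s["synack"]:
            v = "SYN-ACK seen but no final ACK: client side, or the capture only sees one direction"
        else:
            v = "single SYN, no reply yet"
        verdicts[key] = v
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_handshakes(SAMPLE_PACKETS).items():
        print("%s:%d -> %s:%d  %s" % (key + (verdict,)))
```

The same three outcomes are what tcp.analysis.flags surfaces in the GUI: the retransmitted SYNs carry the [TCP Retransmission] expert note, the RST appears as a plain reset, and an established flow shows nothing at all.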
14. Malware or Suspicious Traffic
Look for:
- Unknown IPs
- Unusual DNS requests
- Unexpected outbound connections
- Excessive traffic to a single destination
15. VLAN Misconfiguration
Symptoms:
- Devices cannot communicate
- Hosts in same subnet unreachable
Check:
- VLAN tags (802.1Q)
- MAC addresses
- ARP requests
Frequently Asked Interview Scenario
Q: A user says, "I can't access a website." How would you troubleshoot using Wireshark?
Answer:
- Start a packet capture on the user's machine (or a mirrored port) and narrow it to that client with ip.addr == <client IP>.
- Check for DNS queries and responses (dns): no response at all, or an error rcode such as NXDOMAIN.
- Verify the TCP three-way handshake (tcp): a SYN with no SYN-ACK, or an RST, means the problem is past DNS.
- Check for TLS handshake issues (tls) if using HTTPS: a Client Hello with no Server Hello, or an alert.
- Look for retransmissions, resets, or ICMP errors.
- Identify whether the issue is DNS, routing, firewall, or server related.
Common Wireshark Filters to Remember for Interviews
| Scenario | Filter |
|---|---|
| DNS | dns |
| TCP | tcp |
| UDP | udp |
| ICMP (Ping) | icmp |
| ARP | arp |
| OSPF | ospf |
| HTTP | http |
| HTTPS/TLS | tls |
| DHCP | dhcp (bootp on Wireshark versions before 3.0) |
| SIP | sip |
| RTP | rtp |
| Retransmissions | tcp.analysis.retransmission |
| Specific IP | ip.addr == 192.168.1.10 |