Wireshark Interface and Wireshark Troubleshooting Scenarios


Wireshark Interface

Wireshark has three main panes:

1. Packet List Pane (Top)

Shows a summary of every captured packet.

Typical columns:

  • No.
  • Time
  • Source
  • Destination
  • Protocol
  • Length
  • Info

Example:

No.  Source        Destination   Protocol  Info
15   192.168.1.10  8.8.8.8       DNS       Standard Query
16   8.8.8.8       192.168.1.10  DNS       Standard Query Response

2. Packet Details Pane (Middle) ✅ Parsed Data

This is the parsed (decoded) information.

For a TCP packet you might see:

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Hypertext Transfer Protocol

Click the arrow beside each protocol to expand it.

Example:

Ethernet II
Destination: 00:11:22:33:44:55
Source: aa:bb:cc:dd:ee:ff

IPv4
Source: 192.168.1.10
Destination: 142.250.183.78

TCP
Source Port: 52341
Destination Port: 443
Sequence Number: 1050
Acknowledgment Number: 2500

TLS
Client Hello

3. Packet Bytes Pane (Bottom)

Shows the raw hexadecimal bytes.

Example:

45 00 00 3c 1c 46 40 00
40 06 b1 e6 c0 a8 01 0a

When you click a parsed field above, Wireshark highlights the corresponding bytes below.
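To show what that highlighting corresponds to, here is an added example (not part of the original post) that decodes the 16 header bytes from the Packet Bytes pane above into the IPv4 fields the Packet Details pane shows, and records the byte offsets each field occupies. The dump on the page stops before the destination address, so that field is reported as missing rather than guessed.

```python
import struct
from ipaddress import IPv4Address

# The 16 bytes from the Packet Bytes pane example above (the dst address is not shown there).
SAMPLE_HEX = "45 00 00 3c 1c 46 40 00 40 06 b1 e6 c0 a8 01 0a"

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}


def decode_ipv4_header(hex_bytes):
    """Decode the fixed IPv4 header fields from a hex dump.

    Returns {field: (value, (start, end))}, where start/end are the byte offsets
    Wireshark highlights in the bottom pane when that field is clicked.
    Fields whose bytes are missing from the dump are reported with value None.
    """
    data = bytes.fromhex(hex_bytes.replace(" ", "").replace("\n", ""))
    if len(data) < 12:
        raise ValueError("need at least the first 12 bytes (through the checksum)")
    version, ihl_words = data[0] >> 4, data[0] & 0x0F
    if version != 4 or ihl_words < 5:
        raise ValueError(f"not an IPv4 header: version={version} ihl={ihl_words}")
    total_len, ident, flags_frag = struct.unpack("!HHH", data[2:8])

    def addr(lo, hi):  # address field, or None if the dump is cut off before it
        return str(IPv4Address(data[lo:hi])) if len(data) >= hi else None

    return {
        "version": (version, (0, 1)),
        "header_length": (ihl_words * 4, (0, 1)),   # in bytes; 20 when no options
        "dscp_ecn": (data[1], (1, 2)),
        "total_length": (total_len, (2, 4)),
        "identification": (ident, (4, 6)),
        "dont_fragment": (bool(flags_frag & 0x4000), (6, 8)),
        "more_fragments": (bool(flags_frag & 0x2000), (6, 8)),
        "fragment_offset": (flags_frag & 0x1FFF, (6, 8)),
        "ttl": (data[8], (8, 9)),
        "protocol": (PROTOCOLS.get(data[9], str(data[9])), (9, 10)),
        "header_checksum": (f"0x{data[10]:02x}{data[11]:02x}", (10, 12)),
        "src": (addr(12, 16), (12, 16)),
        "dst": (addr(16, 20), (16, 20)),
    }


def highlighted_bytes(hex_bytes, field_name):
    """The hex bytes Wireshark would highlight in the bottom pane for one parsed field."""
    data = bytes.fromhex(hex_bytes.replace(" ", "").replace("\n", ""))
    start, end = decode_ipv4_header(hex_bytes)[field_name][1]
    return data[start:end].hex(" ")


if __name__ == "__main__":
    for name, (value, (lo, hi)) in decode_ipv4_header(SAMPLE_HEX).items():
        print(f"{name:16} = {value!s:14} bytes[{lo}:{hi}] = {highlighted_bytes(SAMPLE_HEX, name) or '(not in dump)'}")
```

Running it shows, for instance, that the TTL of 64 is the single byte 0x40 at offset 8 and that protocol 6 (TCP) is the byte right after it, which is exactly what clicking those fields highlights.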


Example: Reading a Ping Packet

Filter:

icmp

Parsed data:

Frame

Ethernet II

Internet Protocol Version 4
Source: 192.168.1.100
Destination: 8.8.8.8

Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0

Meaning:

  • Device 192.168.1.100 is sending a ping.
  • Destination is 8.8.8.8.
  • ICMP Type 8 = Echo Request.

Example: Reading a TCP 3-Way Handshake

Filter:

tcp

Packet 1:

SYN

Packet 2:

SYN, ACK

Packet 3:

ACK

Info column:

52341 → 443 SYN

443 → 52341 SYN, ACK

52341 → 443 ACK

This indicates a successful TCP connection establishment.


Useful Wireshark Filters

ip.addr == 192.168.1.10

tcp

udp

icmp

dns

http

tls

arp

ospf

What to Look for During Troubleshooting

DNS Issues

  • DNS Query
  • DNS Response
  • Response Code

Filter:

dns

TCP Issues

  • SYN retransmissions
  • Duplicate ACKs
  • TCP Reset (RST)

Filter:

tcp

OSPF Issues

  • Hello packets
  • Database Description (DBD)
  • Link State Updates

Filter:

ospf

ARP Issues

  • Who has 192.168.1.1?
  • ARP Reply

Filter:

arp


-----------------------------------------------------------------------------


For a Network Operations Center (NOC) or Network Engineer role, Wireshark is one of the most valuable troubleshooting tools. It captures packets and lets you inspect exactly what is happening on the network.

1. DNS Resolution Issues

Problem:

  • User cannot open google.com.

Wireshark Filter:

dns

Check:

  • DNS Query
  • DNS Response
  • Error codes (e.g., NXDOMAIN)

Example:

Client → DNS Query → google.com
DNS Server → Response → 142.x.x.x
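An added example (not from the original post) of the check described in this scenario: it pairs DNS queries with their responses by transaction ID and reports which names were answered, which came back with an error such as NXDOMAIN (shown by Wireshark as "No such name"), and which got no response at all. The Info column lines below are constructed in the form the dns filter shows; the domain names are placeholders.

```python
import re
from collections import OrderedDict

# Constructed Wireshark "Info" column lines for the dns filter (not a real capture).
SAMPLE_DNS_INFO = """\
Standard query 0x1a2b A google.com
Standard query response 0x1a2b A google.com A 142.250.183.78
Standard query 0x3c4d A intranet.example.invalid
Standard query response 0x3c4d No such name A intranet.example.invalid
Standard query 0x5e6f A files.example.invalid
Standard query 0x5e6f A files.example.invalid
"""

QUERY_RE = re.compile(r"^Standard query (0x[0-9a-f]{4}) (\S+) (\S+)$")
RESP_RE = re.compile(r"^Standard query response (0x[0-9a-f]{4}) (.*)$")
# Error strings Wireshark prints in the Info column for a non-zero RCODE
RCODES = ("Server failure", "No such name", "Refused", "Format error", "Not implemented")


def audit_dns(info_text):
    """Pair queries with responses by transaction ID and give a verdict per name."""
    txns = OrderedDict()
    for line in info_text.splitlines():
        q = QUERY_RE.match(line.strip())
        if q:
            txid, qtype, name = q.groups()
            t = txns.setdefault(txid, {"name": name, "type": qtype, "queries": 0, "response": None})
            t["queries"] += 1          # a repeated query with the same ID is a client retry
            continue
        r = RESP_RE.match(line.strip())
        if r and r.group(1) in txns:
            txns[r.group(1)]["response"] = r.group(2)

    report = {}
    for t in txns.values():
        if t["response"] is None:
            verdict = f"no response after {t['queries']} queries (server/route to resolver?)"
        else:
            err = next((c for c in RCODES if t["response"].startswith(c)), None)
            verdict = f"error: {err}" if err else "answered"
        report[t["name"]] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in audit_dns(SAMPLE_DNS_INFO).items():
        print(f"{name:28} {verdict}")
```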

2. TCP 3-Way Handshake Failure

Problem:

  • Website is not loading.

Filter:

tcp

Check:

  • SYN
  • SYN-ACK
  • ACK

If only SYN packets are seen repeatedly:

  • Server may be down
  • Firewall may be blocking traffic
  • Routing issue

3. Slow Network Performance

Symptoms:

  • Slow internet
  • Slow application response

Check:

  • TCP Retransmissions
  • Duplicate ACKs
  • Packet Loss
  • High latency

Useful filter:

tcp.analysis.flags

4. OSPF Neighbor Stuck in ExStart

Filter:

ospf

Check:

  • Hello packets
  • Database Description (DBD)
  • Link State Request
  • Link State Update

Common cause:

  • MTU mismatch

5. DHCP Not Assigning IP Address

Filter:

bootp

Verify:

  • DHCP Discover
  • DHCP Offer
  • DHCP Request
  • DHCP ACK

Missing Offer usually indicates a DHCP server or relay issue.


6. ARP Problems

Filter:

arp

Look for:

Who has 192.168.1.1?
Tell 192.168.1.10

If there is no ARP reply:

  • Device may be offline
  • Wrong VLAN
  • Cabling issue

7. Switching Loop / Broadcast Storm

Symptoms:

  • Network slowdown
  • High CPU usage
  • Broadcast storm

Check:

  • Excessive ARP traffic
  • Excessive broadcasts
  • Repeated packets

Filter:

arp

or

eth

8. HTTP/HTTPS Problems

Filter:

http

or

tls

Verify:

  • HTTP GET
  • HTTP Response
  • TLS Handshake
  • Server responses

9. SSL/TLS Handshake Failure

Filter:

tls

Check:

  • Client Hello
  • Server Hello
  • Certificate exchange
  • Handshake failures

10. Email Issues

SMTP:

smtp

POP3:

pop

IMAP:

imap

Verify:

  • Authentication
  • Mail transfer
  • Server responses

11. VoIP Call Quality Issues

Filter:

sip

or

rtp

Check:

  • Packet loss
  • Jitter
  • Delay
  • SIP registration

12. Packet Loss Investigation

Look for:

  • TCP Retransmissions
  • Duplicate ACKs
  • Lost packets

Useful filter:

tcp.analysis.retransmission

13. Firewall Blocking Traffic

Check:

  • SYN sent
  • No SYN-ACK received
  • TCP RST packets
  • ICMP unreachable messages

14. Malware or Suspicious Traffic

Look for:

  • Unknown IPs
  • Unusual DNS requests
  • Unexpected outbound connections
  • Excessive traffic to a single destination

15. VLAN Misconfiguration

Symptoms:

  • Devices cannot communicate
  • Hosts in same subnet unreachable

Check:

  • VLAN tags (802.1Q)
  • MAC addresses
  • ARP requests

Frequently Asked Interview Scenario

Q: A user says, "I can't access a website." How would you troubleshoot using Wireshark?

Answer:

  1. Start packet capture.
  2. Check for DNS queries and responses (dns).
  3. Verify the TCP three-way handshake (tcp).
  4. Check for TLS handshake issues (tls) if using HTTPS.
  5. Look for retransmissions, resets, or ICMP errors.
  6. Identify whether the issue is DNS, routing, firewall, or server related.
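Steps 3 and 5 of this answer, and the "only SYN packets are seen repeatedly" case in scenario 2 above, come down to grouping packets per connection and checking whether SYN, SYN-ACK and ACK all appeared. This added example (not from the original post) does that over constructed Info column lines in the "52341 → 443 SYN" form shown earlier, distinguishing a completed handshake, SYNs that never got a SYN-ACK, and a connection answered with RST.

```python
import re
from collections import defaultdict

# Constructed "Info" column lines in the form the post shows ("52341 → 443 SYN").
# Three conversations: a completed handshake, SYN retransmitted with no SYN-ACK
# (the "server down / firewall / routing" case), and a connection refused with RST.
SAMPLE_INFO = """\
52341 → 443 SYN
443 → 52341 SYN, ACK
52341 → 443 ACK
52342 → 8443 SYN
52342 → 8443 SYN
52342 → 8443 SYN
52343 → 22 SYN
22 → 52343 RST, ACK
"""

INFO_RE = re.compile(r"^(\d+)\s*(?:→|->)\s*(\d+)\s+(.+)$")


def parse_info(line):
    """'52341 → 443 SYN, ACK' -> (52341, 443, {'SYN', 'ACK'}); None for other lines."""
    m = INFO_RE.match(line.strip())
    if not m:
        return None
    src, dst, flags = m.groups()
    return int(src), int(dst), {f.strip() for f in flags.split(",")}


def classify_handshakes(info_text):
    """Group packets by port pair and say whether each three-way handshake completed."""
    convs = defaultdict(list)
    for line in info_text.splitlines():
        pkt = parse_info(line)
        if pkt:
            convs[tuple(sorted(pkt[:2]))].append(pkt)
    report = {}
    for pkts in convs.values():
        client, server = pkts[0][0], pkts[0][1]      # the first sender is the initiator
        syns = sum(1 for s, _, f in pkts if s == client and f == {"SYN"})
        syn_ack = any(s == server and {"SYN", "ACK"} <= f for s, _, f in pkts)
        ack = any(s == client and f == {"ACK"} for s, _, f in pkts)
        rst = any(s == server and "RST" in f for s, _, f in pkts)
        if syn_ack and ack:
            verdict = "established"
        elif rst:
            verdict = "refused: RST from server (closed port or firewall reject)"
        elif syns > 1 and not syn_ack:
            verdict = f"no SYN-ACK after {syns} SYNs (server down, firewall drop, or routing)"
        else:
            verdict = "incomplete"
        report[f"{client}->{server}"] = {"syns": syns, "verdict": verdict}
    return report


if __name__ == "__main__":
    for conv, result in classify_handshakes(SAMPLE_INFO).items():
        print(conv, result)
```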

Common Wireshark Filters to Remember for Interviews

Scenario            Filter
DNS                 dns
TCP                 tcp
UDP                 udp
ICMP (Ping)         icmp
ARP                 arp
OSPF                ospf
HTTP                http
HTTPS/TLS           tls
DHCP                bootp
SIP                 sip
RTP                 rtp
Retransmissions     tcp.analysis.retransmission
Specific IP         ip.addr == 192.168.1.10
