This chapter covers packet capture and analysis using Wireshark, a critical skill for network troubleshooting and security analysis. On the N10-009 exam, approximately 5-8% of questions relate to network troubleshooting tools, including packet capture. You will learn how to capture packets, apply filters, interpret common protocols, and use Wireshark to diagnose connectivity and performance issues. Mastery of Wireshark is essential for the Network Troubleshooting domain (Objective 5.6) and directly supports real-world problem-solving.
Jump to a section
Think of Wireshark as a digital video recorder (DVR) for your network. A DVR continuously records video from security cameras onto a hard drive, allowing you to pause, rewind, and analyze specific moments. Similarly, Wireshark captures every packet that traverses a network interface, storing them in a file (like a .pcapng) for later analysis. Just as a DVR lets you zoom in on a particular frame to see details like a license plate, Wireshark lets you drill into a packet to examine its Ethernet frame, IP header, TCP segment, and application payload. The capture filter is like setting the DVR to only record when motion is detected—you can tell Wireshark to capture only packets matching certain criteria (e.g., only HTTP traffic) to reduce noise. The display filter is like searching the recorded video for specific events—you can hide irrelevant packets after capture without deleting them. Wireshark's colorization rules are similar to DVR motion markers that highlight important events in the timeline. And just as a DVR's timestamp helps you correlate video with other logs, Wireshark's timestamps (with microsecond precision) allow you to reconstruct the exact sequence of network events during a fault.
What is Wireshark and Why It Exists
Wireshark is a free, open-source packet analyzer used for network troubleshooting, analysis, software and protocol development, and education. Originally called Ethereal, it was renamed in 2006. Wireshark captures packets in real-time from a network interface and displays them in a human-readable format. It uses the libpcap (Linux/macOS) or WinPcap/Npcap (Windows) library to access raw network data. The N10-009 exam expects you to understand how to use Wireshark to capture traffic, apply filters, and identify common issues like retransmissions, duplicate ACKs, and protocol errors.
How Wireshark Captures Packets
Wireshark places the network interface into promiscuous mode by default, allowing it to capture all packets visible to that interface, not just those addressed to its MAC address. On a switched network, this typically means only unicast traffic to/from the host and broadcast/multicast traffic. To capture traffic between other hosts, you need a SPAN port (port mirroring) on the switch or a network TAP.
Capture Process: 1. Select the interface (e.g., eth0, en0, Wi-Fi). 2. Optionally set a capture filter (BPF syntax) to reduce the volume. 3. Start capture; packets are written to a temporary buffer. 4. Stop capture; packets are displayed in the main window. 5. Save the capture to a file (default .pcapng format).
Key Components of the Wireshark Interface
Packet List Pane: Shows a summary of each packet with columns: No., Time, Source, Destination, Protocol, Length, Info.
Packet Details Pane: Displays the selected packet's protocol tree, expandable from physical layer to application layer.
Packet Bytes Pane: Shows the raw hexadecimal and ASCII dump of the packet.
Filter Toolbar: For entering display filters (not capture filters).
Status Bar: Shows capture statistics, profile, and expert information.
Capture Filters vs. Display Filters
This is a major exam point. Capture filters use Berkeley Packet Filter (BPF) syntax and are applied before capture, reducing the amount of data stored. Display filters use Wireshark's own filter syntax and are applied after capture to hide packets from view without deleting them.
Capture Filter Examples (BPF):
- host 192.168.1.1 – capture only traffic to/from that IP.
- port 80 – capture only HTTP traffic.
- tcp – capture only TCP packets.
- not arp – exclude ARP traffic.
- tcp port 80 and host 10.0.0.1 – combine conditions.
Display Filter Examples:
- ip.addr == 192.168.1.1 – show packets with that IP.
- tcp.port == 80 – show HTTP packets.
- http – show HTTP protocol packets.
- tcp.analysis.retransmission – show retransmissions.
- !arp – hide ARP packets.
- dns – show DNS queries/responses.
- tcp.stream eq 0 – show packets belonging to a specific TCP stream.
Analysing TCP Performance with Wireshark
The exam often tests your ability to identify TCP issues using Wireshark's expert analysis and statistics. Key metrics:
Round-Trip Time (RTT): In a TCP capture, the time between a data segment and its ACK. Wireshark calculates this under Statistics > TCP Stream Graph > Round Trip Time Graph.
Retransmissions: Indicate packet loss. Wireshark marks them with a black background and [TCP Retransmission] in the Info column. Look for duplicate ACKs preceding a retransmission (fast retransmit) or timeout-based retransmissions.
Duplicate ACKs: Three or more duplicate ACKs trigger fast retransmit. Filter: tcp.analysis.duplicate_ack.
Window Scaling: Wireshark shows the calculated window size (scaled) in the TCP header. Filter: tcp.window_size_scalefactor.
Zero Window: When a receiver advertises a window of 0, it means the sender must stop transmitting. Filter: tcp.window_size == 0.
TCP Handshake: SYN, SYN-ACK, ACK. The initial sequence numbers (ISN) are random. Wireshark shows the relative sequence numbers (starting at 0) by default.
Common Protocols and Their Wireshark Fields
ARP: arp.opcode (1=request, 2=reply). arp.src.proto_ipv4, arp.dst.proto_ipv4.
DNS: dns.flags.response (0=query, 1=response). dns.qry.name, dns.resp.name.
DHCP: dhcp.option.dhcp (1=discover, 2=offer, 3=request, 4=ack). dhcp.option.hostname.
HTTP: http.request.method (GET, POST), http.response.code (200, 404), http.host.
ICMP: icmp.type (8=echo request, 0=echo reply). icmp.seq (sequence number).
Wireshark Statistics and Tools
Statistics > Summary: Basic capture statistics (packets, time, average pps).
Statistics > Protocol Hierarchy: Shows the percentage of packets per protocol.
Statistics > Conversations: Lists all conversations (Layer 2, 3, 4) with packet/byte counts.
Statistics > Endpoints: Lists all endpoints (MAC, IP, port) with traffic stats.
Statistics > IO Graph: Graphs packet rate over time; useful for identifying bursts.
Statistics > TCP Stream Graph: Time-Sequence Graph (Stevens), Throughput Graph, etc.
Telephony > VoIP Calls: For SIP/RTP analysis (not heavily tested).
Following TCP Streams
Wireshark can reassemble the application-layer data of a TCP connection. Right-click a packet and select "Follow > TCP Stream". This shows the entire conversation in ASCII or hex, useful for extracting files or seeing HTTP requests/responses. The filter tcp.stream eq N is automatically applied.
Expert Information
The Expert Info dialog (lower left corner or Analyze > Expert Info) categorizes anomalies: - Errors: Malformed packets, bad checksums. - Warnings: Retransmissions, duplicate ACKs, zero windows. - Notes: TCP keep-alives, window updates. - Chat: Normal protocol messages like SYN, FIN.
Colouring Rules
Wireshark uses default colouring to quickly identify packet types:
Light purple: TCP traffic.
Light blue: UDP traffic.
Light green: HTTP traffic.
Light yellow: DNS traffic.
Red/black: TCP retransmissions.
Dark green: TCP SYN/FIN.
You can customize these under View > Coloring Rules.
Performance Considerations
Capturing on a busy link (e.g., 1 Gbps) can drop packets if the capture buffer or disk I/O is insufficient. Wireshark shows "captured" vs. "displayed" packets; if they differ significantly, packet loss occurred. Use capture filters to reduce volume. On Linux, tcpdump is often used for remote capture and the file is then opened in Wireshark. Wireshark also supports remote capture via SSH (using rpcapd on Windows or dumpcap with SSH).
Security and Privacy
Wireshark can capture sensitive data (passwords, emails). Always obtain authorization before capturing on a network. In a lab environment, use sanitized captures.
Command-Line Tools
tshark: Command-line version of Wireshark. Example: tshark -i eth0 -w capture.pcap.
dumpcap: Lightweight capture tool; used by Wireshark internally.
capinfos: Displays statistics about a capture file.
editcap: Modifies capture files (e.g., split, truncate).
mergecap: Merges multiple capture files.
Interaction with Other Technologies
Wireshark is often used alongside: - NetFlow/sFlow: For flow-level visibility; Wireshark provides deep packet inspection. - SNMP: For device-level statistics; Wireshark captures SNMP traps and queries. - Syslog: Wireshark can capture syslog messages (UDP 514) for correlation. - Traceroute: Wireshark can capture ICMP time-exceeded messages to map paths.
Default Values and Timers
TCP window scale factor: Negotiated during handshake; default 0 (no scaling) up to 14 (scale factor 16384).
TCP initial RTO: 1 second (RFC 6298).
TCP minimum RTO: 200 ms (commonly).
TCP maximum RTO: 120 seconds.
DNS default timeout: 5 seconds (client side).
DHCP lease time: Default 86400 seconds (24 hours).
Exam-Relevant Command Syntax
While the exam does not require memorizing all Wireshark menu paths, you should know:
How to start a capture: Capture > Start or click the shark fin icon.
How to stop: Capture > Stop or red square.
How to apply a display filter: Type in the filter bar and press Enter.
How to save a capture: File > Save As.
How to open a capture: File > Open.
How to follow a TCP stream: Right-click > Follow > TCP Stream.
Common Mistakes on the Exam
Confusing capture filters with display filters. Capture filters use BPF, not Wireshark syntax.
Thinking Wireshark can capture all traffic on a switched network without port mirroring.
Assuming a retransmission always means packet loss; it can also be due to out-of-order delivery.
Misinterpreting duplicate ACKs: Three or more trigger fast retransmit, but a single duplicate ACK is normal.
Forgetting that Wireshark shows relative sequence numbers by default; absolute numbers can be enabled.
Select Capture Interface
Open Wireshark and select the correct network interface from the welcome screen or Capture > Options. On a typical host, you'll see interfaces like Ethernet, Wi-Fi, and Loopback. Choose the one connected to the network you want to analyse. For wireless captures, you may need to enable monitor mode (if supported). The interface must support promiscuous mode to see all packets. Wireshark shows a line graph of live traffic on each interface to help identify active ones. If you capture on the wrong interface, you'll see no relevant packets.
Set Capture Filter (Optional)
Before starting, you can enter a capture filter using BPF syntax in the Capture Filter field. For example, to capture only HTTP traffic, type `port 80`. This reduces the volume of captured data and disk usage. Capture filters are applied in kernel space, so they are more efficient than display filters. However, they permanently discard non-matching packets. If you are unsure what to capture, leave the filter blank and use display filters later. Common exam scenario: capture only traffic to a specific server IP using `host 192.168.1.10`.
Start Capture and Generate Traffic
Click the green shark fin icon or select Capture > Start. Wireshark immediately begins capturing all packets that match the capture filter (if any). To troubleshoot, generate the relevant traffic: e.g., ping a remote host, browse a website, or reproduce the issue. The packet list pane populates in real-time. Watch the status bar for packet count and elapsed time. If you see no packets, check the interface selection or capture filter. Stop the capture by clicking the red square icon once the desired traffic has been captured.
Apply Display Filters to Isolate Traffic
After capture, use the display filter bar to focus on specific packets. For example, type `ip.addr == 10.0.0.1` to see only packets involving that IP. Display filters are case-sensitive and support comparisons (`==`, `!=`, `>`, `<`). Combine conditions with `and`, `or`, `not`. Use parentheses for grouping. Wireshark syntax highlight: green means valid, red means invalid. Common exam filters: `tcp.port == 443`, `icmp`, `arp`, `dns`. Display filters do not delete packets; they only hide them.
Analyze Packets Using Expert Info
Open Analyze > Expert Info to see a summary of errors, warnings, and notes in the capture. This is a quick way to identify retransmissions, duplicate ACKs, and malformed packets. For example, if you see many TCP Retransmission warnings, it indicates packet loss. Click on an item to jump to the relevant packet. Expert Info categorizes issues by severity: Error (red), Warning (yellow), Note (blue), Chat (green). The exam tests your ability to use this feature to diagnose network problems efficiently.
Scenario 1: Diagnosing Slow Web Page Loading
A user reports that a web application is slow. As a network engineer, you set up Wireshark on the user's machine or use a SPAN port on the switch to capture traffic to the web server. Start a capture, then have the user load the page. After stopping, apply a display filter http or tcp.port == 80. Look for TCP retransmissions (filter: tcp.analysis.retransmission) and duplicate ACKs (tcp.analysis.duplicate_ack). If you see many retransmissions, there is likely packet loss on the path. Use Statistics > TCP Stream Graph > Time-Sequence Graph to visualize the retransmission pattern. Common fix: check for duplex mismatches or high link utilization. If no retransmissions but high latency, look at the TCP handshake RTT: the time between SYN and SYN-ACK. A high RTT suggests geographic distance or congestion.
Scenario 2: Troubleshooting DHCP Issues
A new device cannot obtain an IP address. Connect the device to a SPAN port or use a hub to capture traffic. Start Wireshark with a capture filter port 67 or port 68 (DHCP uses UDP 67/68). When the device boots, you should see DHCP Discover, Offer, Request, and Ack (DORA). If you see only Discover packets, the DHCP server is not responding. Check if the server is reachable (ping) and if the DHCP relay (if any) is configured. If you see Offer but no Request, the client may be ignoring the offer (e.g., wrong subnet). Wireshark's DHCP filter dhcp shows the options, including the offered IP address and lease time. This scenario is common on the exam: you must identify which DORA step failed.
Scenario 3: Detecting Malicious DNS Traffic
A security analyst suspects a host is communicating with a command-and-control server. Capture all traffic from the host using a SPAN port. Apply a display filter dns to see all DNS queries. Look for queries to unusual domains or high-frequency queries. Wireshark can also detect DNS tunneling by examining the size and entropy of query names. Use Statistics > DNS to see query types and response codes. A high number of NXDOMAIN responses may indicate a domain generation algorithm (DGA). This scenario tests your ability to use Wireshark for basic security analysis, a skill valued in the exam's security domain.
The N10-009 exam tests Wireshark in Objective 5.6: "Given a scenario, use appropriate network troubleshooting tools." Expect 2-4 questions that require interpreting Wireshark output. Key focus areas:
Capture vs. Display Filters: The most common trap. A question might show a BPF filter like host 10.0.0.1 and ask what it does. Candidates often confuse it with display filter syntax. Remember: capture filters use host, port, net; display filters use ip.addr, tcp.port.
Identifying TCP Issues: Questions may show a packet list with retransmissions or duplicate ACKs. The wrong answer often says "retransmission indicates congestion" — while true, the exam wants the specific trigger: three duplicate ACKs or a timeout. Know the difference between fast retransmit (triggered by 3 dup ACKs) and timeout retransmit (triggered by RTO expiry).
DHCP DORA Process: A typical question: "A client sends a DHCP Discover but receives no Offer. What is the likely cause?" Wrong answer: "The client is not on the same subnet." Reality: The DHCP server may be unreachable, or the relay agent is misconfigured. Wireshark would show only Discover packets.
ARP and ICMP: Questions may show an ARP request without a reply, leading to an ICMP Destination Unreachable. Common wrong answer: "The host is down." Reality: ARP failure means the target MAC is unknown; the sender may be on a different subnet requiring a gateway.
Wireshark Statistics: Know that Statistics > Protocol Hierarchy shows protocol percentages, Statistics > Conversations shows traffic between endpoints. A question might ask: "Which Wireshark feature shows the percentage of HTTP traffic?" Answer: Protocol Hierarchy.
Following TCP Stream: Used to extract application data. Wrong answer: "It shows the raw packet bytes." Reality: It reassembles the application-layer payload.
Expert Info: The exam expects you to know that Expert Info categorizes issues as Errors, Warnings, Notes, and Chat. A question might show a Warning icon and ask what it indicates (e.g., retransmission).
Common Numbers: TCP window scale factor range (0-14), default initial RTO (1 second), minimum RTO (200 ms). These may appear in performance analysis questions.
Edge Cases: Wireshark on a wireless interface may not capture all packets if monitor mode is not enabled. Also, captured packets may have incorrect checksums if the NIC hardware offloading is enabled (Wireshark can validate checksums, but the NIC may have already fixed them).
Elimination Strategy: When you see a Wireshark question, first identify the tool (Wireshark) and the problem (e.g., retransmission). Eliminate answers that mention unrelated tools like ping, traceroute, or nslookup. Focus on the packet-level evidence.
Wireshark captures packets using libpcap/Npcap; the default file format is .pcapng.
Capture filters use BPF syntax (e.g., `host`, `port`, `net`); display filters use Wireshark syntax (e.g., `ip.addr`, `tcp.port`).
TCP retransmissions are triggered by three duplicate ACKs (fast retransmit) or RTO expiry (timeout retransmit).
DHCP uses UDP ports 67 (server) and 68 (client); the DORA process consists of Discover, Offer, Request, Ack.
Wireshark's Expert Info categorizes anomalies as Errors, Warnings, Notes, and Chat.
To see all traffic between two hosts on a switch, configure a SPAN port or use a TAP.
Wireshark's Follow TCP Stream reassembles the application-layer payload of a TCP connection.
Default TCP initial RTO is 1 second; minimum RTO is often 200 ms.
Statistics > Protocol Hierarchy shows the percentage of packets for each protocol.
Colorization rules: light purple for TCP, light blue for UDP, red/black for retransmissions.
These come up on the exam all the time. Here's how to tell them apart.
Wireshark
Graphical user interface with packet list, details, and bytes panes.
Supports rich display filters with autocomplete and syntax highlighting.
Provides protocol dissectors for hundreds of protocols.
Offers advanced analysis tools like IO graphs, TCP stream graphs, and expert info.
Requires a GUI environment; not ideal for remote/headless captures.
tcpdump
Command-line tool; runs on any system with libpcap.
Uses BPF capture filters only; no display filter capability (but can filter with grep/awk).
Output is text-based; requires pipelining to other tools for analysis.
Lightweight and efficient; suitable for remote captures via SSH.
Can be scripted; often used in automated monitoring systems.
Mistake
Wireshark can capture all traffic on a switched network without additional configuration.
Correct
On a switched network, Wireshark only sees unicast traffic to/from its own MAC address, plus broadcast/multicast. To capture traffic between other hosts, you must configure a SPAN port (port mirroring) on the switch or use a network TAP.
Mistake
A single duplicate ACK always indicates packet loss.
Correct
A single duplicate ACK is normal and can be caused by out-of-order delivery. Three or more duplicate ACKs trigger fast retransmit, indicating probable packet loss.
Mistake
Capture filters and display filters use the same syntax.
Correct
Capture filters use Berkeley Packet Filter (BPF) syntax (e.g., `host 10.0.0.1`, `port 80`). Display filters use Wireshark's own syntax (e.g., `ip.addr == 10.0.0.1`, `tcp.port == 80`). They are not interchangeable.
Mistake
Wireshark can decrypt all encrypted traffic if you have the private key.
Correct
Wireshark can decrypt TLS traffic only if you have the server's private key and the cipher suite uses RSA key exchange. With perfect forward secrecy (e.g., ECDHE), decryption is not possible without the session keys. Also, Wireshark cannot decrypt IPsec without the appropriate keys.
Mistake
A TCP retransmission always means the packet was lost.
Correct
A retransmission can also occur if the ACK was lost or delayed, causing the sender to timeout. Wireshark marks a packet as retransmission if the sequence number is less than the next expected sequence number, which can also happen due to out-of-order delivery.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use a capture filter `port 80` before starting the capture, or capture all traffic and then apply a display filter `http` or `tcp.port == 80`. The capture filter reduces the volume of data stored; the display filter hides non-HTTP packets after capture. Both are effective, but the capture filter is more efficient.
Wireshark marks retransmitted packets with a black background in the packet list and the Info column shows `[TCP Retransmission]`. The sequence number of the retransmitted packet is the same as the original (or earlier) packet. You can filter using `tcp.analysis.retransmission`.
Right-click any HTTP packet and select Follow > TCP Stream. Wireshark will reassemble the entire TCP conversation and display the HTTP request and response in a separate window. The filter `tcp.stream eq N` is automatically applied to show only that stream.
Wireless interfaces often require monitor mode to capture all packets, including those not addressed to your host. Without monitor mode, you only see packets to/from your own MAC. Additionally, some wireless drivers do not support promiscuous mode. Check adapter settings or use a wired interface if possible.
Apply a display filter `dhcp`. Look for DHCP Offer or Ack packets. The source IP of these packets is the DHCP server's address. You can also check the DHCP option "Server Identifier" (option 54) in the packet details pane.
A capture filter is applied before capture using BPF syntax and permanently discards non-matching packets. A display filter is applied after capture using Wireshark syntax and only hides packets from view; they remain in the capture file. Capture filters are more efficient but less flexible.
Look for TCP retransmissions (filter: `tcp.analysis.retransmission`) and duplicate ACKs (filter: `tcp.analysis.duplicate_ack`). Many retransmissions indicate packet loss. Also check the IO graph for dips in throughput or use Statistics > TCP Stream Graph > Throughput Graph.
You've just covered Packet Capture with Wireshark — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?