Packet capture is the process of recording network traffic for analysis, security investigation, and troubleshooting. CompTIA Network+ N10-009 tests packet capture tools, methodologies, and how to interpret captured data. Wireshark is the dominant tool, and understanding how to position a capture, filter results, and interpret what you see is directly tested in the Operations and Troubleshooting domains.
Wireshark: the most widely used open-source packet analyzer. Captures every frame the network interface delivers (in promiscuous mode, the default, that includes frames not addressed to the interface's own MAC) and decodes protocol fields from the raw bytes. Two kinds of filters: capture filters (applied during capture, BPF syntax, same language as tcpdump) limit what is written to disk; display filters (applied after capture, Wireshark's own syntax) control what is shown without discarding anything. 'ip.addr == 192.168.1.1' shows only traffic to or from that IP, 'tcp.port == 443' shows HTTPS traffic in either direction.
tcpdump: command-line packet capture for Linux/Unix/macOS. Used on servers and appliances without GUI access. Built on the same capture library as Wireshark (libpcap; Npcap on Windows), so its pcap files open directly in Wireshark. Syntax: 'tcpdump -i eth0 -n -w capture.pcap host 10.0.0.1 and port 80'. Put options (-i interface, -n to skip name lookups, -w output file) before the filter expression; the expression is everything after the last option.
Port mirroring (SPAN — Switched Port Analyzer): copies traffic from one or more switch ports to a monitoring port where a capture device is connected. Without SPAN, a device connected to a switched network only sees its own traffic (and broadcasts). SPAN allows capturing traffic between other devices. Network TAP (Test Access Point): a passive hardware device that creates a copy of all traffic on a link without affecting the traffic — more reliable than SPAN for high-speed links.
TCP three-way handshake in a capture: SYN → SYN-ACK → ACK = successful connection establishment. TCP RST (Reset): abrupt termination by one side. A SYN answered by RST/ACK means the host is up but nothing is listening on that port, or a firewall configured to reject (rather than drop) the connection; a host that is down, or a firewall that silently drops, produces no reply at all, and the capture shows the client retransmitting its SYN. TCP FIN: normal graceful close, each side sends FIN and the peer acknowledges it.
ICMP in captures: echo request (type 8) and echo reply (type 0) = ping. Destination unreachable (type 3) with code 13 = communication administratively prohibited, sent by a router ACL or firewall that rejects rather than drops; other type 3 codes (0 net, 1 host, 3 port unreachable) point at routing or service problems instead. Time exceeded (type 11, code 0) = TTL expired in transit, which is the reply traceroute elicits from each hop. Analyzing ICMP helps diagnose connectivity and routing issues.
Protocol hierarchy: Wireshark shows the breakdown of protocols in a capture — what percentage of traffic is TCP, UDP, HTTP, DNS, etc. Helps identify unexpected protocols or traffic patterns that indicate security issues or misconfiguration.
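The three notes above (handshake and RST/FIN flags, ICMP type/code meanings, protocol hierarchy) are what an analyst reads off a capture. The following is an added example, not code from the page or from Wireshark or tcpdump: a minimal classic-pcap reader in Python using only the standard library. It decodes Ethernet/IPv4/TCP/ICMP headers, labels each packet the way the notes describe, and builds a Wireshark-style protocol hierarchy. The capture bytes are constructed inline (dummy MACs, RFC 1918 addresses, zeroed checksums) and are not a real capture; any real pcap from tcpdump -w with Ethernet framing can be passed to analyze() in their place.

```python
"""Added example, not from the page: a minimal classic-pcap reader (standard
library only) that decodes Ethernet/IPv4/TCP/ICMP and gives the readings the
notes describe. The capture bytes below are constructed, not a real capture."""
import struct
from collections import Counter

DLT_EN10MB, ETH_P_IP = 1, 0x0800                  # libpcap link type, IPv4 EtherType
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

def parse_pcap(data: bytes):
    """Yield the raw frame of each record in a classic (not pcapng) pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # file byte order
    if endian is None:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    if struct.unpack_from(endian + "HHiIII", data, 4)[5] != DLT_EN10MB:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24                                      # past the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16                                 # 16-byte per-record header
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame: bytes) -> dict:
    """Decode one Ethernet frame into the header fields an analyst reads first."""
    pkt = {"layers": ["eth"]}
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return pkt                                # ARP, IPv6 etc. left undecoded
    l4 = 14 + (frame[14] & 0x0F) * 4              # IHL gives the IPv4 header length
    proto = frame[14 + 9]
    pkt["layers"].append("ip")
    pkt["ip_src"] = ".".join(str(b) for b in frame[26:30])
    pkt["ip_dst"] = ".".join(str(b) for b in frame[30:34])
    if proto == IPPROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        pkt["layers"].append("tcp")
        pkt.update(tcp_sport=sport, tcp_dport=dport, tcp_flags=off_flags & 0x1FF)
    elif proto == IPPROTO_ICMP:
        pkt["layers"].append("icmp")
        pkt.update(icmp_type=frame[l4], icmp_code=frame[l4 + 1])
    return pkt

def describe(pkt: dict) -> str:
    """One-line reading of a packet, following the study notes."""
    if "tcp" in pkt["layers"]:
        f = pkt["tcp_flags"]
        if f & TCP_RST:                           # RST wins over any other flag
            return "TCP RST (refused: nothing listening, or firewall reject)"
        if f & TCP_SYN:
            return "TCP SYN-ACK (handshake step 2)" if f & TCP_ACK else "TCP SYN (handshake step 1)"
        if f & TCP_FIN:
            return "TCP FIN (graceful close)"
        return "TCP ACK" if f & TCP_ACK else "TCP"
    if "icmp" in pkt["layers"]:
        key = (pkt["icmp_type"], pkt["icmp_code"])
        names = {(8, 0): "ICMP echo request (ping)", (0, 0): "ICMP echo reply (ping)",
                 (3, 13): "ICMP unreachable, administratively prohibited (firewall)",
                 (11, 0): "ICMP TTL exceeded in transit (traceroute hop)"}
        return names.get(key, "ICMP type %d code %d" % key)
    return "/".join(pkt["layers"])

def protocol_hierarchy(packets) -> Counter:
    """Wireshark-style protocol hierarchy: how many frames took each layer path."""
    return Counter("/".join(p["layers"]) for p in packets)

def analyze(pcap: bytes):
    packets = [decode(frame) for frame in parse_pcap(pcap)]
    return [describe(p) for p in packets], protocol_hierarchy(packets)

# --- constructed sample capture: dummy MACs, private addresses, no checksums ---
def _frame(proto, payload, src="10.0.0.5", dst="10.0.0.1"):
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IP)
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return eth + ip + payload

def _tcp(sport, dport, flags):                    # data offset 5 words, flags in low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def _icmp(itype, code):
    return struct.pack("!BBHI", itype, code, 0, 0)

SAMPLE_FRAMES = [
    _frame(IPPROTO_TCP, _tcp(51000, 443, TCP_SYN)),                              # client SYN
    _frame(IPPROTO_TCP, _tcp(443, 51000, TCP_SYN | TCP_ACK), "10.0.0.1", "10.0.0.5"),
    _frame(IPPROTO_TCP, _tcp(51000, 443, TCP_ACK)),                              # handshake done
    _frame(IPPROTO_TCP, _tcp(51001, 8080, TCP_SYN)),                             # closed port
    _frame(IPPROTO_TCP, _tcp(8080, 51001, TCP_RST | TCP_ACK), "10.0.0.1", "10.0.0.5"),
    _frame(IPPROTO_ICMP, _icmp(8, 0)),                                           # ping
    _frame(IPPROTO_ICMP, _icmp(3, 13), "10.0.0.254", "10.0.0.5"),                # firewall reject
    _frame(IPPROTO_ICMP, _icmp(11, 0), "10.0.0.254", "10.0.0.5"),                # traceroute hop
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB) + b"".join(
    struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(SAMPLE_FRAMES))

if __name__ == "__main__":
    readings, hierarchy = analyze(SAMPLE_PCAP)
    for n, line in enumerate(readings, 1):
        print("%d: %s" % (n, line))
    for path, count in hierarchy.most_common():
        print("%-12s %d" % (path, count))
```

Running it prints the eight readings in order (SYN, SYN-ACK, ACK, SYN, RST, echo request, administratively prohibited, TTL exceeded) followed by the hierarchy eth/ip/tcp 5 and eth/ip/icmp 3. The two closed-port frames (SYN then RST/ACK from the server) are the pattern to look for when an application cannot connect, and the type 3 code 13 reply is the signature of a rejecting firewall rather than a dead host.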
Common misconception: Wireshark can see all traffic on a switched network.
Reality: Wireshark on an ordinary switch port only captures traffic to/from its own MAC plus broadcast, multicast, and any unknown-unicast frames the switch floods. To capture traffic between other devices, use port mirroring (SPAN) or a network TAP on the link of interest.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A network administrator needs to capture traffic between two servers connected to a managed switch to diagnose an application issue. Which configuration is required?
Explanation: Port mirroring (SPAN) is required on a switched network to capture traffic between specific ports. The switch copies traffic from the source ports (the two server ports) to the destination port where the capture laptop is connected. Without SPAN, the capture laptop only sees its own traffic and broadcasts. Replacing the switch with a hub would expose the traffic too, but it forces the servers into half-duplex on a shared collision domain and gigabit hubs are not available in practice, so it is not an acceptable fix on a production link.
SPAN (port mirroring): software feature of a managed switch that copies traffic from chosen source ports or VLANs to a monitoring port. When the destination port is oversubscribed (a full-duplex 1 Gbps link carries up to 2 Gbps of combined traffic, but the monitor port can deliver only 1 Gbps) the switch drops mirrored copies rather than forwarded traffic, so a busy capture is silently incomplete. The switch also mirrors only frames it accepts: corrupted frames (bad FCS, runts) are discarded before mirroring, and some platforms do not mirror Layer 2 control traffic by default. Network TAP: a hardware device inserted inline on a link that passes the signal through and copies it to monitor ports with no switch logic in the path. A breakout TAP gives each direction its own monitor port and cannot drop anything; an aggregation TAP merges both directions onto one output and can oversubscribe it at sustained line rate. TAPs also pass along the errored frames SPAN hides, which makes them the choice for critical or high-speed captures.