Basic Analysis


The ultimate authority must always rest with the individual's own reason and critical analysis. – Dalai Lama
2 min |  Ross Jacobs |  March 3, 2019

Table of Contents

Quicklinks: Wireshark: Statistics | Network Troubleshooting

If you open Wireshark and start capturing, you will see ALL of the traffic your machine sees. Looking for packets without a filter is like trying to find your friend’s place by driving around with a picture of his house. If you know what you’re looking for (like a street address), then Wireshark can help you find traffic faster. When you start your capture journey, you should know what you are looking for, generally speaking.

You also need to understand the operations of relevant protocols. If you don’t understand how protocols work, you won’t understand why they break. If you are analyzing an Monitor-Mode pcap, make sure you understand 802.11 association.

What to look for

When in doubt, consult relevant RFCs, protocol documentation, and product manuals.

While analysis will depend on your domain experience, there are general classes of problems that you can identify with Wireshark. They are detailed below.

1. Traffic that should be in a capture is not

Traffic in this category is the most common type of problem.

  • Any stateful protocol that does not receive a response
  • Apple’s Rapid DHCP, which may skip Discover+Offer of DHCP
  • Expected routing updates not seen

2. Traffic that is in the capture that should not be


  • Duplicate IP address with different MAC addresses
  • Traffic on the wrong subnet
  • DHCP requests in an environment with static IP addresses

3. Traffic is delayed or out of order

Software implementations of protocols like DHCP have timers. If the response for a Discover or Request takes too long, the software implementation may assume it failed and move onto getting an IP address with APIPA.

4. Traffic violates protocol expectations

If you are writing a software implementation of a protocol or think that your device may be violating one, you can use Wireshark to analyze the packets. You can then compare the actual bytes that you see transmitted to the RFC or spec on the subject.

5+ Many others

Feel free to make a pull request if there’s something I’m missing.

Further Reading (Wireshark)