Basic Analysis


The ultimate authority must always rest with the individual's own reason and critical analysis. – Dalai Lama
2 min |  Ross Jacobs |  March 3, 2019

Quicklinks: Wireshark: Statistics | Network Troubleshooting


If you open Wireshark and start capturing, you will see ALL of the traffic your machine sees. Looking for packets without a filter is like trying to find your friend’s place by driving around with a picture of his house. If you know what you’re looking for (a street address), Wireshark’s capture and display filters will get you to that traffic much faster. Before you start a capture, you should know, at least in general terms, what you are looking for.

You also need to understand how the relevant protocols operate. If you don’t understand how a protocol works, you won’t understand why it breaks. If you are analyzing a monitor-mode (802.11) pcap, make sure you understand the 802.11 association process first.

What to look for

When in doubt, consult relevant RFCs, protocol documentation, and product manuals.

While analysis will depend on your domain experience, there are general classes of problems that you can identify with Wireshark. They are detailed below.

1. Traffic that should be in a capture is not

Traffic in this category is the most common type of problem.

  • A request in a stateful protocol that never receives its response (a TCP SYN with no SYN/ACK, a DNS query with no answer)
  • Apple’s Rapid DHCP, which can skip the Discover and Offer of a normal DHCP exchange and start with a Request for the previous lease, so their absence is not necessarily a fault
  • Expected routing updates (hellos, advertisements) not seen

2. Traffic that is in the capture that should not be

Examples:

  • One IP address claimed by different MAC addresses (visible as conflicting ARP replies)
  • Traffic from addresses that do not belong on this subnet
  • DHCP requests in an environment that is supposed to be statically addressed
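One way to screen a capture for the three items above, as an added example that is not code from the original page: the records are constructed here in the shape you would get from tshark field output, and the expected subnet (192.168.1.0/24) is an assumption about the segment being captured.

```python
"""Flag traffic that should not be in the capture (added example, not from the page).

Each record mimics one line of tshark field output, roughly
  tshark -r cap.pcap -T fields -e frame.number -e eth.src -e arp.src.proto_ipv4 -e ip.src -e _ws.col.Protocol
collapsed into a dict. The records below are constructed for illustration, and
EXPECTED_NET is an assumption about the segment we captured on.
"""
import ipaddress
from collections import defaultdict

EXPECTED_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the segment we captured on

# Constructed sample: frame number, source MAC, source IP (ARP sender IP or IP src), protocol
SAMPLE = [
    {"frame": 1, "mac": "aa:aa:aa:00:00:01", "ip": "192.168.1.10", "proto": "ARP"},
    {"frame": 2, "mac": "bb:bb:bb:00:00:02", "ip": "192.168.1.10", "proto": "ARP"},   # same IP, other MAC
    {"frame": 3, "mac": "cc:cc:cc:00:00:03", "ip": "192.168.1.20", "proto": "TCP"},
    {"frame": 4, "mac": "dd:dd:dd:00:00:04", "ip": "10.0.0.5",     "proto": "TCP"},   # not our subnet
    {"frame": 5, "mac": "ee:ee:ee:00:00:05", "ip": "0.0.0.0",      "proto": "DHCP"},  # Discover from unconfigured host
    {"frame": 6, "mac": "aa:aa:aa:00:00:01", "ip": "192.168.1.10", "proto": "TCP"},
]


def duplicate_ips(records):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    macs_by_ip = defaultdict(set)
    for r in records:
        if r["ip"] != "0.0.0.0":          # hosts without a lease legitimately share 0.0.0.0
            macs_by_ip[r["ip"]].add(r["mac"])
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def wrong_subnet(records, net=EXPECTED_NET):
    """(frame, ip) for every source address that is not in the expected subnet."""
    out = []
    for r in records:
        ip = ipaddress.ip_address(r["ip"])
        if ip.is_unspecified:             # 0.0.0.0: DHCP clients before they have a lease
            continue
        if ip not in net:
            out.append((r["frame"], r["ip"]))
    return out


def unexpected_dhcp(records):
    """Frame numbers carrying DHCP, for a segment that is supposed to be statically addressed."""
    return [r["frame"] for r in records if r["proto"] == "DHCP"]


if __name__ == "__main__":
    print("duplicate IPs:", duplicate_ips(SAMPLE))
    print("off-subnet sources:", wrong_subnet(SAMPLE))
    print("DHCP frames:", unexpected_dhcp(SAMPLE))
```

A second MAC for the same IP is not always a spoofing attempt or a misconfiguration: a replaced NIC, or a VRRP/HSRP virtual MAC following a failover, produces the same picture. Treat these results as leads to confirm against the ARP conversation and the timestamps, not as verdicts.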

3. Traffic is delayed or out of order

DHCP clients run timers. If the Offer or ACK for a Discover or Request does not arrive before the client gives up retransmitting, the client assumes the server is unreachable and may fall back to a self-assigned APIPA address in 169.254.0.0/16, which leaves the host reachable only on its own link.
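The missing-response check from category 1 and the delayed-response check from category 3 are the same bookkeeping: pair each request with its reply by transaction ID and look at the gap. Below is an added example of that for DHCP (not code from the original page); the records are constructed in the shape of tshark field output, and the 1-second "too slow" threshold is an assumption, not a value from any RFC.

```python
"""Pair DHCP requests with their replies and flag missing or late ones (added example).

The records mimic
  tshark -r cap.pcap -Y dhcp -T fields -e frame.number -e frame.time_relative -e dhcp.id -e dhcp.type
(the fields are bootp.id / bootp.type in Wireshark before 3.0). They are constructed
for illustration, and MAX_WAIT is an assumed threshold for this network.
"""
from collections import defaultdict

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6          # RFC 2132 option 53 values
NAME = {DISCOVER: "Discover", OFFER: "Offer", REQUEST: "Request", ACK: "ACK", NAK: "NAK"}
EXPECTED_REPLY = {DISCOVER: {OFFER}, REQUEST: {ACK, NAK}}   # what must follow, within one xid
MAX_WAIT = 1.0   # seconds; assumed "too slow" threshold, tune to the network

# Constructed sample: three transactions (xid), one healthy, one unanswered, one slow
SAMPLE = [
    {"frame": 1,  "time": 0.000,  "xid": 0x1111, "type": DISCOVER},
    {"frame": 2,  "time": 0.012,  "xid": 0x1111, "type": OFFER},
    {"frame": 3,  "time": 0.015,  "xid": 0x1111, "type": REQUEST},
    {"frame": 4,  "time": 0.020,  "xid": 0x1111, "type": ACK},
    {"frame": 5,  "time": 1.000,  "xid": 0x2222, "type": DISCOVER},   # retransmitted, never answered
    {"frame": 6,  "time": 5.000,  "xid": 0x2222, "type": DISCOVER},
    {"frame": 7,  "time": 13.000, "xid": 0x2222, "type": DISCOVER},
    {"frame": 8,  "time": 20.000, "xid": 0x3333, "type": DISCOVER},   # answered, but slowly
    {"frame": 9,  "time": 23.500, "xid": 0x3333, "type": OFFER},
    {"frame": 10, "time": 23.600, "xid": 0x3333, "type": REQUEST},
    {"frame": 11, "time": 23.610, "xid": 0x3333, "type": ACK},
]


def audit_dhcp(records, max_wait=MAX_WAIT):
    """Return (xid, "missing" | "delayed", detail) for every request without a timely reply."""
    by_xid = defaultdict(list)
    for r in records:
        by_xid[r["xid"]].append(r)
    findings = []
    for xid, pkts in by_xid.items():
        pkts.sort(key=lambda p: p["time"])
        for req_type, reply_types in EXPECTED_REPLY.items():
            reqs = [p for p in pkts if p["type"] == req_type]
            if not reqs:
                continue
            first = reqs[0]   # retransmissions reuse the xid; measure from the first attempt
            replies = [p for p in pkts
                       if p["type"] in reply_types and p["time"] >= first["time"]]
            if not replies:
                findings.append((xid, "missing",
                                 f"{NAME[req_type]} at t={first['time']:.3f}s never answered "
                                 f"({len(reqs)} sent)"))
                continue
            delay = replies[0]["time"] - first["time"]
            if delay > max_wait:
                findings.append((xid, "delayed",
                                 f"{NAME[req_type]} answered by {NAME[replies[0]['type']]} "
                                 f"after {delay:.3f}s"))
    return findings


if __name__ == "__main__":
    for xid, kind, detail in audit_dhcp(SAMPLE):
        print(f"xid 0x{xid:08x}: {kind}: {detail}")
```

"Missing" at the capture point is also what you get when the capture only sees one direction, for instance a unicast Offer that takes a path your SPAN session does not mirror, so confirm where you captured before blaming the server. The retransmission count in the detail tells you how long the client kept trying before it would have given up and self-assigned an address. A Request with no preceding Discover is deliberately not flagged, since a client renewing a known lease starts there.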

4. Traffic violates protocol expectations

If you are writing an implementation of a protocol, or suspect that a device is violating one, capture its packets with Wireshark and compare the bytes actually transmitted, field by field, against the RFC or specification. Wireshark’s dissectors catch many framing errors on their own (look for “[Malformed Packet]” in the Info column and in Analyze > Expert Information), but a packet can be well-formed and still carry values the spec forbids, so read the spec.
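What that byte-level comparison looks like for the page’s running example, DHCP, as an added example that is not code from the original page: the checker below validates the RFC 2131 fixed header and the RFC 2132 option encoding, and the messages it runs on are constructed here rather than taken from a capture (in Wireshark you would select the DHCP layer, use File > Export Packet Bytes, and feed that file to check_dhcp()).

```python
"""Check a raw DHCP message against RFC 2131/2132 framing (added example, not from the page).

The messages at the bottom are constructed for illustration; the xid and MAC in them
are arbitrary constants.
"""
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op, htype, hlen, hops, xid, secs, flags, ciaddr,
HEADER_LEN = struct.calcsize(HEADER_FMT)     # yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2131 section 3: marks the start of the options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def parse_options(data):
    """Return [(code, value)] for the RFC 2132 TLV options; raise ValueError if malformed."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:               # pad has no length byte
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(data):
            raise ValueError(f"option {code} at offset {i} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes but only {len(value)} remain")
        opts.append((code, value))
        i += 2 + length
    raise ValueError("options not terminated by End option (255)")


def check_dhcp(payload):
    """List every way the UDP payload departs from the spec; an empty list means it conforms."""
    problems = []
    if len(payload) < HEADER_LEN + len(MAGIC_COOKIE):
        return [f"too short: {len(payload)} bytes, need at least {HEADER_LEN + 4}"]
    op, htype, hlen, *_ = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if op not in (1, 2):
        problems.append(f"op must be 1 (BOOTREQUEST) or 2 (BOOTREPLY), got {op}")
    if htype == 1 and hlen != 6:          # htype 1 = Ethernet, whose addresses are 6 bytes
        problems.append(f"Ethernet htype with hlen={hlen}, expected 6")
    if hlen > 16:
        problems.append(f"hlen={hlen} exceeds the 16-byte chaddr field")
    if payload[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        problems.append("magic cookie 63 82 53 63 missing after the fixed header")
        return problems                   # no point parsing options without it
    try:
        opts = parse_options(payload[HEADER_LEN + 4:])
    except ValueError as e:
        problems.append(str(e))
        return problems
    types = [v for c, v in opts if c == OPT_MSG_TYPE]
    if len(types) != 1:
        problems.append(f"DHCP Message Type (option 53) must appear exactly once, found {len(types)}")
    elif len(types[0]) != 1 or not 1 <= types[0][0] <= 8:   # RFC 2132 defines types 1-8
        problems.append(f"option 53 value {types[0].hex()} is not a type defined in RFC 2132 (1-8)")
    return problems


def build_discover(options, mac=bytes.fromhex("001122334455")):
    """Constructed DHCPDISCOVER carrying the given option bytes (broadcast flag set)."""
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         zero4, zero4, zero4, zero4, mac.ljust(16, b"\x00"),
                         b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + options


GOOD = build_discover(bytes([53, 1, 1, 55, 3, 1, 3, 6, 255]))      # type=Discover, param list, End
NO_END = build_discover(bytes([53, 1, 1, 55, 3, 1, 3, 6]))         # forgot the End option
BAD_LEN = build_discover(bytes([53, 1, 1, 55, 9, 1, 3, 6, 255]))   # option 55 overstates its length
BAD_TYPE = build_discover(bytes([53, 1, 9, 255]))                   # message type 9 is undefined

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("NO_END", NO_END), ("BAD_LEN", BAD_LEN), ("BAD_TYPE", BAD_TYPE)]:
        print(name, check_dhcp(msg) or "conforms")
```

Note that BAD_LEN is the interesting case for a parser author: the overstated length swallows the End option, so a naive implementation that trusts the length byte reads past the buffer instead of reporting an error. Whether a given value is "wrong" depends on which RFCs you hold the implementation to; later RFCs extend option 53 beyond the eight types in RFC 2132, so adjust the range to the spec you are checking against.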

5+ Many others

Feel free to make a pull request if there’s something I’m missing.

Further Reading (Wireshark)