Cli Wireshark

10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is the difference between capture filters and display filters in Wireshark?

Capture filters (BPF syntax) are applied during packet capture and determine which packets are saved to the pcap file -- they reduce file size but cannot be changed after capture. Display filters (Wireshark syntax) are applied after capture to show/hide packets in the UI. Use capture filters for high-traffic interfaces; use display filters for analysis.

2. How do you capture packets with tcpdump and save them for Wireshark analysis?

Use "tcpdump -i eth0 -w capture.pcap" to capture all traffic on eth0 to a pcap file. Add BPF filters to narrow scope: "tcpdump -i eth0 -w capture.pcap port 443" for HTTPS only. Use -s 0 to capture full packets (not truncated). Then open capture.pcap in Wireshark or analyze with "tshark -r capture.pcap".

3. What display filter shows only DNS query errors or HTTP 5xx server errors?

For DNS errors: "dns.flags.rcode != 0" shows all non-success responses (NXDOMAIN, SERVFAIL, etc.). More specific: "dns.flags.rcode == 3" for NXDOMAIN only. For HTTP 5xx errors: "http.response.code >= 500" or "http.response.code == 503" for specific codes. Combine both: "(dns.flags.rcode != 0) || (http.response.code >= 500)" for a unified error view.

🟡 Medium (4)

1. What is tshark and how does it differ from tcpdump?

tshark is Wireshark's command-line equivalent -- it captures packets and applies Wireshark's full protocol dissectors and display filters. Unlike tcpdump (which shows raw packet headers), tshark decodes application-layer protocols (HTTP/2, gRPC, TLS) with the same depth as the Wireshark GUI. Use "tshark -i eth0 -Y 'http.request'" for filtered captures.

2. What are common Wireshark display filters for HTTP, DNS, and TLS traffic?

HTTP: "http.request.method == GET", "http.response.code == 500", "http2" (for HTTP/2). DNS: "dns", "dns.qry.name contains example.com", "dns.flags.rcode != 0" (errors). TLS: "tls.handshake", "tls.handshake.type == 1" (Client Hello), "tls.record.version". Combine with && (and), || (or), and ! (not).

3. How do you follow a TCP stream in Wireshark and why is it useful?

Right-click a packet and select "Follow > TCP Stream" (or use filter "tcp.stream eq N"). This reconstructs the entire conversation between two endpoints in order, showing application-layer data as a continuous dialog. It is essential for debugging HTTP request/response pairs, analyzing TLS handshakes, or understanding application protocol exchanges.

4. How do you extract specific fields from a pcap using tshark?

Use tshark's -T fields with -e to extract specific protocol fields: "tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.request.uri -Y http.request". The -E separator=, flag outputs CSV. This is powerful for scripting: extract all DNS queries, HTTP URLs, or TLS SNI values from a capture for automated analysis.

🔴 Hard (3)

1. How do you identify TCP retransmissions in Wireshark and what do they indicate?

Use the display filter "tcp.analysis.retransmission" to show retransmitted packets. Retransmissions indicate packet loss, network congestion, or receiver-side delays. Wireshark's TCP analysis also flags "tcp.analysis.duplicate_ack" (3 duplicate ACKs trigger fast retransmit) and "tcp.analysis.fast_retransmission". High retransmission rates (>1%) signal network issues requiring investigation.

2. What is BPF syntax and what are common capture filter expressions?

BPF (Berkeley Packet Filter) is the syntax for capture filters in tcpdump, tshark, and Wireshark. Common expressions: "host 10.0.0.1" (specific host), "port 80" (specific port), "tcp" (protocol), "src net 192.168.0.0/16" (source network), "port 53 and udp" (DNS). Combine with "and", "or", "not". BPF is compiled to bytecode and runs in the kernel for high-speed filtering.

3. How can you decrypt TLS traffic in Wireshark?

Two methods: (1) Pre-master secret log: set the SSLKEYLOGFILE environment variable in the client (browsers, curl), then load the log in Wireshark under Preferences > Protocols > TLS > Pre-Master Secret log filename. (2) RSA private key: only works with non-ephemeral key exchange (RSA, not ECDHE). Method 1 is preferred as modern TLS uses ephemeral keys.