- networking
- l2
- topic-pack
- wireshark
- linux-networking
---
Portal | Level: L2: Operations | Topics: Wireshark & Packet Analysis, Linux Networking Tools | Domain: Networking
Wireshark & Packet Analysis - Primer¶
Why This Matters¶
When logs say "connection timed out" and metrics show packet loss, you need to see what is actually on the wire. Wireshark (GUI) and tshark (CLI) let you capture and analyze network traffic at the packet level. This is the definitive debugging tool for TLS handshake failures, DNS resolution issues, TCP retransmissions, application protocol errors, and MTU problems. Most network issues that survive initial triage — the ones that are not obvious from logs or metrics — require packet analysis to resolve. Understanding capture filters (what to record), display filters (what to examine), and protocol dissectors (how to interpret) is essential for any operations engineer responsible for production networking.
Fun fact: Wireshark was originally called Ethereal, created by Gerald Combs in 1998. It was renamed to Wireshark in 2006 due to trademark issues when Combs changed employers. It is the world's most widely used network protocol analyzer, with dissectors for over 3,000 protocols. The CLI equivalent tshark is invaluable for server-side captures where a GUI is unavailable.
Remember: The two filter syntaxes: Capture filters use BPF (Berkeley Packet Filter) syntax and are applied during capture (-f 'port 443'). Display filters use Wireshark's own syntax and are applied after capture (tcp.port == 443). You cannot use display filter syntax as capture filters — this is the most common Wireshark mistake. Mnemonic: "BPF to capture, Wireshark to display."
Core Concepts¶
1. Capture Filters (BPF Syntax)¶
Capture filters use Berkeley Packet Filter syntax and are applied during capture. They reduce the volume of data recorded.
# Capture only traffic on port 443
tcpdump -i eth0 -w capture.pcap 'port 443'
tshark -i eth0 -w capture.pcap -f 'port 443'
# Capture traffic to/from a specific host
tshark -i eth0 -w capture.pcap -f 'host 10.0.1.50'
# Capture DNS traffic only
tshark -i eth0 -w capture.pcap -f 'port 53'
# Capture traffic between two hosts
tshark -i eth0 -w capture.pcap -f 'host 10.0.1.50 and host 10.0.1.100'
# Exclude SSH (so your capture session doesn't capture itself)
tshark -i eth0 -w capture.pcap -f 'not port 22'
# Capture only TCP SYN packets (connection attempts)
tshark -i eth0 -w capture.pcap -f 'tcp[tcpflags] & (tcp-syn) != 0'
# Capture ICMP (ping, traceroute)
tshark -i eth0 -w capture.pcap -f 'icmp'
# Limit capture size (first 96 bytes of each packet — headers only)
tshark -i eth0 -w capture.pcap -s 96 -f 'port 80'
2. Display Filters (Wireshark Syntax)¶
Display filters are applied after capture to focus on specific packets. They use Wireshark's own syntax (not BPF).
# Filter by protocol
http
dns
tls
tcp
arp
# Filter by IP
ip.addr == 10.0.1.50
ip.src == 10.0.1.50
ip.dst == 10.0.1.100
# Filter by port
tcp.port == 443
tcp.dstport == 8080
udp.port == 53
# Filter by TCP flags
tcp.flags.syn == 1 # SYN packets
tcp.flags.rst == 1 # RST packets (connection rejected)
tcp.flags.fin == 1 # FIN packets (connection closing)
tcp.analysis.retransmission # retransmitted packets
tcp.analysis.duplicate_ack # duplicate ACKs (possible packet loss)
tcp.analysis.zero_window # zero window (receiver buffer full)
# HTTP-specific
http.request.method == "POST"
http.response.code >= 400
http.host contains "api.example.com"
# TLS-specific
tls.handshake.type == 1 # ClientHello
tls.handshake.type == 2 # ServerHello
tls.handshake.extensions_server_name # SNI hostname
# DNS-specific
dns.qry.name == "example.com"
dns.flags.rcode != 0 # DNS errors (NXDOMAIN, SERVFAIL, etc.)
# Combine filters
ip.addr == 10.0.1.50 and tcp.port == 443
http.response.code >= 500 or tcp.flags.rst == 1
not arp and not dns # exclude noisy protocols
3. tshark CLI (Headless Wireshark)¶
tshark is Wireshark without the GUI — essential for remote servers.
# Live capture with display filter
tshark -i eth0 -Y 'http.request.method == "GET"'
# Read a pcap file with display filter
tshark -r capture.pcap -Y 'tcp.analysis.retransmission'
# Print specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host
# Statistics: conversation list
tshark -r capture.pcap -z conv,tcp
# Statistics: HTTP request/response codes (optional third argument is a display filter, not an interval)
tshark -r capture.pcap -z http,stat
# Statistics: DNS queries
tshark -r capture.pcap -z dns,tree
# Follow a TCP stream (reconstruct the conversation)
tshark -r capture.pcap -z follow,tcp,ascii,0
# Ring buffer capture (rotate files, limit disk usage); filesize is in kB, so 100000 ≈ 100 MB
tshark -i eth0 -b filesize:100000 -b files:10 -w /captures/rolling.pcap
# Creates rolling_00001_<timestamp>.pcap ... rolling_00010_<timestamp>.pcap, ~100 MB each;
# the oldest file is deleted when an eleventh would be started
# Capture for a specific duration
tshark -i eth0 -a duration:60 -w capture.pcap
# Count packets matching a filter
tshark -r capture.pcap -Y 'tcp.flags.rst == 1' | wc -l
# Export as JSON
tshark -r capture.pcap -T json -Y 'http' > http_packets.json
4. Protocol Analysis Patterns¶
TLS handshake analysis:
# View TLS handshake details
tshark -r capture.pcap -Y 'tls.handshake' -T fields \
-e frame.number -e ip.src -e ip.dst \
-e tls.handshake.type -e tls.handshake.extensions_server_name \
-e tls.handshake.ciphersuite
# Check TLS version negotiated (in TLS 1.3 the ServerHello version field still reads 0x0303;
# the real negotiated version is carried in the supported_versions extension)
tshark -r capture.pcap -Y 'tls.handshake.type == 2' -T fields \
-e tls.handshake.version -e tls.handshake.extensions.supported_version
# Find certificate issues
tshark -r capture.pcap -Y 'tls.alert_message'
TCP performance analysis:
# Find retransmissions (indicates packet loss)
tshark -r capture.pcap -Y 'tcp.analysis.retransmission' -T fields \
-e frame.time_relative -e ip.src -e ip.dst -e tcp.stream
# Find zero windows (receiver overwhelmed)
tshark -r capture.pcap -Y 'tcp.analysis.zero_window'
# TCP connection setup time
tshark -r capture.pcap -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0' -T fields \
-e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
# Round-trip time per segment (time until the segment was ACKed, computed by the TCP dissector)
tshark -r capture.pcap -Y 'tcp.analysis.ack_rtt' -T fields \
-e tcp.stream -e ip.src -e ip.dst -e tcp.analysis.ack_rtt
DNS troubleshooting:
# All DNS queries and responses
tshark -r capture.pcap -Y 'dns' -T fields \
-e frame.time_relative -e dns.qry.name -e dns.a -e dns.flags.rcode
# Find slow DNS responses (> 500ms)
tshark -r capture.pcap -Y 'dns.time > 0.5' -T fields \
-e dns.qry.name -e dns.time
# NXDOMAIN responses
tshark -r capture.pcap -Y 'dns.flags.rcode == 3'
5. Common Diagnostic Patterns¶
Connection refused (RST on SYN):
Filter: tcp.flags.rst == 1 and tcp.flags.ack == 1
Meaning: Service not listening on that port, or firewall actively rejecting
Connection timeout (SYN retransmissions):
Filter: tcp.analysis.retransmission and tcp.flags.syn == 1
Meaning: Packet dropped by firewall (no RST, no response), or host unreachable
MTU/fragmentation issues:
Filter: icmp.type == 3 and icmp.code == 4
Meaning: ICMP "fragmentation needed" — MTU mismatch on the path
Slow responses:
Filter: tcp.time_delta > 1 (requires the TCP preference "Calculate conversation timestamps"; in tshark pass -o tcp.calculate_timestamps:TRUE)
Meaning: Large gaps between packets in a stream — server processing slowly
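Worked example, added here and not part of the original page: the "connection refused" and "connection timeout" patterns above applied by hand to a constructed pcap, using only the Python standard library. It writes a minimal libpcap file (the format tshark -w produces), dissects the Ethernet/IPv4/TCP headers, and reports RST+ACK replies and repeated SYNs, which is what the tcp.flags and tcp.analysis.retransmission filters match; the hosts, ports and timings are constructed.

```python
import struct
SYN, RST, ACK = 0x02, 0x04, 0x10
def tcp_frame(src, dst, sport, dport, seq, flags, ack=0):
    """Build an Ethernet/IPv4/TCP frame (checksums zeroed; enough for header dissection)."""
    eth = b"\x00" * 12 + b"\x08\x00"                                # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp
def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a libpcap file: v2.4, snaplen 65535, linktype Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in frames:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(fr), len(fr)) + fr
    return out
def iter_tcp(pcap):
    """Yield (time, src, dst, sport, dport, seq, flags) for every IPv4/TCP record."""
    off = 24                                                        # skip the global header
    while off < len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        fr, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if fr[12:14] != b"\x08\x00" or fr[23] != 6:                 # not IPv4, or not TCP
            continue
        ihl = (fr[14] & 0x0F) * 4
        src, dst = (".".join(map(str, fr[i:i + 4])) for i in (26, 30))
        sport, dport, seq, _, _, flags = struct.unpack_from("!HHIIBB", fr, 14 + ihl)
        yield sec + usec / 1e6, src, dst, sport, dport, seq, flags

def diagnose(pcap):
    """Section 5 patterns: RST+ACK => refused; repeated SYN (same 4-tuple and seq) => timeout."""
    last_syn, findings = {}, []
    for t, src, dst, sport, dport, seq, flags in iter_tcp(pcap):
        if flags & RST and flags & ACK:                             # tcp.flags.rst == 1 and tcp.flags.ack == 1
            findings.append(("refused", f"{src}:{sport}"))          # the RST comes from the non-listening side
        elif flags & (SYN | ACK) == SYN:                            # tcp.flags.syn == 1 and tcp.flags.ack == 0
            key = (src, sport, dst, dport, seq)
            if key in last_syn:                                     # same SYN again: tcp.analysis.retransmission
                detail = f"{src}:{sport} -> {dst}:{dport} after {t - last_syn[key]:.1f}s"
                findings.append(("syn_retransmit", detail))
            last_syn[key] = t
    return findings

# Constructed scenario (not a real capture): 10.0.1.50 is refused on :8080, then times out on :443.
SAMPLE = build_pcap([
    (1000.000, tcp_frame("10.0.1.50", "10.0.1.100", 40000, 8080, 100, SYN)),
    (1000.001, tcp_frame("10.0.1.100", "10.0.1.50", 8080, 40000, 0, RST | ACK, ack=101)),
    (1001.0, tcp_frame("10.0.1.50", "10.0.1.200", 40001, 443, 200, SYN)),
    (1002.0, tcp_frame("10.0.1.50", "10.0.1.200", 40001, 443, 200, SYN)),  # retransmitted 1 s later
    (1004.0, tcp_frame("10.0.1.50", "10.0.1.200", 40001, 443, 200, SYN)),  # backoff doubled
])
```

Writing SAMPLE to a file and opening it with tshark -r reproduces the same findings with the section 5 filters, which is a quick way to confirm a filter before running it against a production capture.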
6. Remote Capture¶
# Capture on remote server, analyze locally (-U flushes each packet so Wireshark updates live;
# the 'port 443' filter also keeps the SSH session's own traffic out of the capture)
ssh server "sudo tcpdump -U -i eth0 -w - 'port 443'" | wireshark -k -i -
# Capture with tshark on remote, copy later
ssh server "sudo tshark -i eth0 -w /tmp/capture.pcap -a duration:60 -f 'port 8080'"
scp server:/tmp/capture.pcap .
# Using dumpcap (lighter than tshark, capture-only)
dumpcap -i eth0 -w capture.pcap -a duration:30
Quick Reference¶
# Capture
tshark -i eth0 -w file.pcap # capture all
tshark -i eth0 -w file.pcap -f 'port 443' # with capture filter
tshark -i eth0 -a duration:60 -w file.pcap # time-limited
# Analyze
tshark -r file.pcap -Y '<display filter>' # filter packets
tshark -r file.pcap -z conv,tcp # TCP conversations
tshark -r file.pcap -z io,stat,1 # packets per second
# Essential display filters
tcp.analysis.retransmission # packet loss indicator
tcp.flags.rst == 1 # connection resets
dns.flags.rcode != 0 # DNS errors
tls.alert_message # TLS errors
http.response.code >= 500 # HTTP server errors
# List interfaces
tshark -D
Wiki Navigation¶
Prerequisites¶
- Networking Deep Dive (Topic Pack, L1)
Related Content¶
- Case Study: API Latency Spike — BGP Route Leak, Fix Is Network ACL (Case Study, L2) — Linux Networking Tools
- Case Study: ARP Flux Duplicate IP (Case Study, L2) — Linux Networking Tools
- Case Study: DHCP Relay Broken (Case Study, L1) — Linux Networking Tools
- Case Study: Duplex Mismatch Symptoms (Case Study, L1) — Linux Networking Tools
- Case Study: IPTables Blocking Unexpected (Case Study, L2) — Linux Networking Tools
- Case Study: Jumbo Frames Partial (Case Study, L2) — Linux Networking Tools
- Case Study: Service Mesh 503s — Envoy Misconfigured, RBAC Policy (Case Study, L2) — Linux Networking Tools
- Case Study: Source Routing Policy Miss (Case Study, L2) — Linux Networking Tools
- Case Study: Stuck NFS Mount (Case Study, L2) — Linux Networking Tools
- Deep Dive: AWS VPC Internals (deep_dive, L2) — Linux Networking Tools