It’s straightforward to capture network traffic with tools such as Wireshark and tcpdump. Many administrators run into trouble when they try to understand what they’ve captured.
This article explains the primary components of captured data and relates this information to the TCP/IP model. The article doesn’t cover how to use Wireshark or its features and options. I provide only the basic steps to capture packets — enough for you to grab a packet and apply the interpretive information provided throughout.
Take the following steps to initiate a capture in Wireshark:
Wireshark captures an immense amount of data quickly if you don’t use a filter. While this might be what you want, be sure to set an effective filter if you know the protocols for the service you’re troubleshooting. Don’t run the capture any longer than you must. Wireshark has various search and filter options, but a targeted capture is much easier to work with.
I use Wireshark in this article because it’s common, has a relatively simple GUI and is flexible. But many other powerful protocol analyzers are available, such as tcpdump, and the information below applies equally to the content you capture with those tools.
Wireshark is powerful and has many options beyond this article’s scope, such as network analysis and performance information. Also, Wireshark v3 organizes the output into three vertically stacked window panes. Wireshark v4 uses the same three panes, but the Packet Details pane is in the lower-left corner — it was the middle pane in v3 — and the Packet Bytes pane is in the lower-right corner.
In the new Wireshark interface, the top pane summarizes the capture. It displays one or more frames, along with the packet number, time, source, destination, protocol, length and info fields.
Use the protocols, source and destination addresses, and ports columns to help you decide which frame to examine. Click on a frame to select it, and then look at the two lower panes for details.
The sample capture for these screenshots is a simple Whois query to www.iana.org. This example generates DNS and other traffic that is handy for the explanations below.
Before I examine the various headers and contents, let’s review the TCP/IP model to explain the results in the lower-left Packet Details pane.
Below are the TCP/IP model layers and their associated protocols:
Wireshark displays this output from the bottom of the TCP/IP model upward. Frame information — the bottom of the TCP/IP model — resides at the top of the pane in the lower left of the Wireshark screen.
How is this information helpful? Relating the headers in the captured frames to the TCP/IP model helps troubleshooters visualize the layers at which problems might occur, which helps identify possible culprits. The following sections address the various layers in more detail.
This frame section provides Ethernet information, such as frame size, time of capture and the physical interface on which the frame was captured.
Administrators can use this information to examine frame size, for example. Certain devices might have issues accepting frames that exceed the standard size. Troubleshooters can also verify the interface on which the data was captured to ensure information flows through the proper connection.
Next is Ethernet II content, including source and destination MAC addresses. Depending on the frame’s direction of travel, the local MAC address is either the source or destination address, and the next network device’s MAC address is the other.
Confirm the MAC addresses are correct to combat security issues, such as Address Resolution Protocol poisoning or spoofing. Troubleshooters might also confirm which local interface is in use with the MAC address.
Next is the IP section, with source and destination IP addresses and port numbers. For most networks, the address structure is IPv4. Time-to-live information exists here, as do fragmentation instructions. Finally, a field defines whether the packet uses TCP or UDP at the transport layer.
Network technicians can verify the IP addresses are valid and expected. Remember, an address beginning with 169.254.x.x is not valid on the network and indicates a possible Dynamic Host Configuration Protocol problem. Techs can also confirm the source and destination IP addresses are as expected to reduce issues of DNS poisoning or incorrect name resolution settings.
Next is a section containing transport layer information. You should see either TCP or UDP here, depending on the type of datagram captured. Remember, TCP uses the three-way handshake to establish the data exchange, which ensures the source device resends any lost data.
This section displays the source and destination ports, too. If the packet originates from the client computer, the destination port is the service port number. For example, if the destination system is a web server, the destination port number is 80 or 443 (HTTP or HTTPS). The client’s port number is a randomly generated number between 1,024 and 65,535 — this range varies by OS. Both port numbers appear in this header.
Confirm the client and server use the correct service port number. If you captured packets on the server, this is the destination port number on inbound packets. This is especially important with any nonstandard port numbers for custom applications or odd firewall rules in place.
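As an added example (not code from the article), the following Python decodes a constructed Ethernet II/IPv4/TCP frame in the same bottom-up order the Packet Details pane uses and then applies the two checks described above: the 169.254.x.x address and the expected service port. The frame bytes, MAC addresses and the 192.0.2.80 server address are all constructed for the example.

```python
import struct

# Constructed sample frame for this example (not a real capture): a client whose NIC fell
# back to 169.254.10.20 sends a TCP SYN to a web server at 192.0.2.80:443.
# Layout: Ethernet II (14 bytes) + IPv4 header (20 bytes) + TCP header (20 bytes).
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"   # dst MAC, src MAC, EtherType 0x0800 = IPv4
    "4500002800010000" "400655aa"          # IPv4: len 40, ID 1, flags/frag 0, TTL 64, proto 6
    "a9fe0a14" "c0000250"                  # src 169.254.10.20, dst 192.0.2.80
    "c35001bb" "0000000100000000"          # TCP: sport 50000, dport 443, seq 1, ack 0
    "5002ffff00000000"                     # data offset 5, flags 0x02 = SYN, window, cksum, urg
)
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the TCP flags byte
def mac(b): return ":".join(f"{x:02x}" for x in b)
def ipv4(b): return ".".join(str(x) for x in b)

def decode_frame(frame: bytes) -> dict:
    """Decode frame -> Ethernet II -> IPv4 -> TCP/UDP, the order the Packet Details pane uses."""
    layers = {"frame": {"length": len(frame)}}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["ethernet"] = {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "type": ethertype}
    if ethertype != 0x0800:                        # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IHL is counted in 32-bit words
    flags_frag = struct.unpack("!H", ip[6:8])[0]   # 3 flag bits + 13-bit fragment offset
    layers["ip"] = {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]), "ttl": ip[8], "protocol": ip[9],
                    "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
                    "fragment_offset": flags_frag & 0x1FFF}
    if ip[9] in (6, 17):                           # 6 = TCP, 17 = UDP; both start with src/dst ports
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        layers["transport"] = {"name": "TCP" if ip[9] == 6 else "UDP", "src_port": sport, "dst_port": dport}
        if ip[9] == 6:
            layers["transport"]["flags"] = [n for i, n in enumerate(TCP_FLAGS) if l4[13] & (1 << i)]
    return layers

def sanity_checks(layers: dict, expected_port: int) -> list:
    """Checks from the article: a 169.254.x.x address (possible DHCP problem) and an unexpected destination port."""
    findings = []
    for key in ("src", "dst"):
        addr = layers.get("ip", {}).get(key, "")
        if addr.startswith("169.254."):
            findings.append(f"{key} {addr} is a 169.254.x.x address: possible DHCP problem")
    t = layers.get("transport")
    if t and t["dst_port"] != expected_port:
        findings.append(f"dst port {t['dst_port']} is not the expected service port {expected_port}")
    return findings
```

Running `decode_frame(SAMPLE_FRAME)` returns the per-layer fields you would read off the pane, and `sanity_checks(decoded, 443)` reports only the link-local source address for this frame.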
The application layer information is at the bottom of the Packet Details pane but at the top of the TCP/IP model. This information varies by service and protocol. For example, when using HTTP, the pane includes instructions such as GET or the contents of the requested webpage. For captures that target email traffic, you see information for SMTP, Post Office Protocol 3 or Internet Message Access Protocol. The same goes for services such as SSH, network file sharing, DNS, etc.
Applications are preconfigured for specific ports, so there probably isn’t much room for misconfiguration here. You could use this information to ensure the destination services are running on the server.
Wireshark can display data exactly as you’d expect to find it in the TCP/IP model.
Can you relate the content of the captured packet to the seven layers of the OSI model? Each layer is represented in the captured information.
The header information in the capture helps confirm that addresses, ports and other settings meet expectations. Such captures show what is actually happening on the network, rather than what should be happening.
The Packet Bytes pane in the lower-right corner of Wireshark displays the payload. This content can be the end-user data security professionals worry about. Unencrypted protocols, such as HTTP, Telnet, SMTP and others, don’t protect the confidentiality of their payload, so the data is shown in this window. I frequently demonstrated this in my tech courses using Telnet — the password was displayed in this pane.
Can you find the Whois query in the content example below?
The payload information demonstrates the importance of HTTPS, SSH and other protocols that encrypt data — or the use of IPsec, which can encrypt protocols that don’t offer built-in encryption themselves.
You probably aren’t too interested in the payload as part of network troubleshooting. Instead, you’re likely concerned with questions of connectivity, and that kind of troubleshooting involves source and destination addresses and port numbers.
Once you understand how Wireshark displays information and how that information relates to the TCP/IP model, consider how you can apply it. Below are a few basic troubleshooting scenarios where examining network headers could be helpful:
Packet sniffers, such as Wireshark and tcpdump, are often known as security tools, but they certainly have their place in a troubleshooter’s toolbox. By viewing individual packets, administrators can better understand exactly what traffic moves on the network and how that traffic is addressed and recognized. Relating the theoretical TCP/IP model layers to the practical packet headers is useful.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.
Ways to troubleshoot using Wireshark and tcpdump
Part of: The possibilities of Wireshark for networking and security