Posted on 2016-10-27
Last Modified: 2016-10-30
I know Wireshark is an excellent tool for its purpose. As I am studying it, I have difficulty to figure out which type of problems is this tool designed to solve? In what scenario would I turn to Wireshark to start the trouble shooting?

[So far seems its designed to identify virus or overlook traffic for monitoring purposes]

Please help
Question by:Abraham Deutsch
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 41862293
That's basically it.  It monitors and records network traffic on the computer it's running on.  Then you can examine the data to see what is being sent and received and determine if it is correct or not.

Assisted Solution

by:Rob Leaver
Rob Leaver earned 100 total points
ID: 41862344
You've pretty much stated its use, its to monitor or "sniff" network traffic.
LVL 35

Assisted Solution

Kimputer earned 100 total points
ID: 41862347
For clear text protocols (FTP, HTTP, SMTP) it could be handy (though happens less and less, as those protocols are now more and more encrypted).
Instead of digging through log files, you just fire up Wireshark, filter on the port, then start the FTP, HTTP or SMTP, and just read it back in Wireshark. Within no time, you'll have figured out why it didn't work (you can read the FTP/SMTP error code etc etc).
For DNS requests, it's also still useable (virusses usually do quite a lot of weird requests).
Rebuilding VOIP voice data is useful to hear the actually call quality (if you're not onsite, but have to work from remote).
Then there's the network stats for IP endpoints (to find the offending heavy downloader).
And for the things you sometimes cannot really solve but only observe with tears in your eyes are the ACK/RE-ACK/Resend/Retransmissions/Duplicatepackets issues between specific hosts. You can only see why the connection isn't working, but the solution might not be within your reach (routing/firewall issues).
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

LVL 25

Assisted Solution

Cyclops3590 earned 100 total points
ID: 41862436
when i did load balancing a lot, it came in handy for the following:

1) identify windowing/buffering issues.  meaning, you have a large download and it goes slower than you want.  it helps you identify how fast/much each side is sending, when the acks come thru for more data to be sent.  you can also see when buffers get overrun on receiving side in turn.  that was one case, the app was designed to take data off tcp buffer too slowly causing performance issue.  It was also good with respect to the windowing because you could tune it to better match the buffer settings to optimize throughput better.

2) identify if a server or client is adding to latency.  you can see in teh 3 way handshake how long it takes from receive to respond and you can tell if the client or server might have an app issue

3) You can see if there are performance issues due to "dirty" lines by looking at retransmissions.

4) You can drill into the data by reconstructing packets or filter very easily so that you can correlate all of the network traffic and where an issue might be arising.  For example, one use I did at my home was finding out that my IPv6 tunnel had dropped and hadn't established (it had been so solid I forgot about it).  So the capture showed me that dns was getting A and AAAA and trying IPv6 first before failing over to IPv4.

those are just a few of the items i used wireshark for most commonly.  you can think of it as a swiss army knife for analyzing traffic captures.  you don't have to actually sniff the traffic either.  so long as the data is in a format wireshark understands you can take captures from other places as well and analyze with wireshark in turn.
LVL 28

Assisted Solution

masnrock earned 100 total points
ID: 41862463
It's function is for monitoring network traffic. Now exactly HOW you use that data is where things can vary.

It might be for troubleshooting an issue with connection quality such as VoIP, you might be checking for a machine that is flooding the network, could even be for a computer that keeps dropping off the network at random intervals. Wireshark can provide a wide range of data, it's on you to determine which part of that data you want to filter for and analyze.
LVL 25

Accepted Solution

Cyclops3590 earned 100 total points
ID: 41862472
I'm going to disagree hopefully to provide clarity.  Wireshark's "monitoring" is merely a feature.  At its core it is a protocol analyzer.  That is what it is meant for.  The monitoring piece is just a way to collect the data so you can use it for what it was built for.  If it was meant for "monitoring" like ntop or other tools are then it wouldn't be such an optional feature to its function.

however, i'm thinking the difference here is semantics so I'm merely posting this so that clarity can be given as to what precisely wireshark is used for.

Author Closing Comment

by:Abraham Deutsch
ID: 41866046
Thank you all for clarify the functionality of wirkshark.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question