• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 113
  • Last Modified:


I know Wireshark is an excellent tool for its purpose. As I am studying it, I have difficulty to figure out which type of problems is this tool designed to solve? In what scenario would I turn to Wireshark to start the trouble shooting?

[So far seems its designed to identify virus or overlook traffic for monitoring purposes]

Please help
Abraham Deutsch
Abraham Deutsch
6 Solutions
Dave BaldwinFixer of ProblemsCommented:
That's basically it.  It monitors and records network traffic on the computer it's running on.  Then you can examine the data to see what is being sent and received and determine if it is correct or not.
Rob LeaverSr. Network & Server EngineerCommented:
You've pretty much stated its use, its to monitor or "sniff" network traffic.
For clear text protocols (FTP, HTTP, SMTP) it could be handy (though happens less and less, as those protocols are now more and more encrypted).
Instead of digging through log files, you just fire up Wireshark, filter on the port, then start the FTP, HTTP or SMTP, and just read it back in Wireshark. Within no time, you'll have figured out why it didn't work (you can read the FTP/SMTP error code etc etc).
For DNS requests, it's also still useable (virusses usually do quite a lot of weird requests).
Rebuilding VOIP voice data is useful to hear the actually call quality (if you're not onsite, but have to work from remote).
Then there's the network stats for IP endpoints (to find the offending heavy downloader).
And for the things you sometimes cannot really solve but only observe with tears in your eyes are the ACK/RE-ACK/Resend/Retransmissions/Duplicatepackets issues between specific hosts. You can only see why the connection isn't working, but the solution might not be within your reach (routing/firewall issues).
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

when i did load balancing a lot, it came in handy for the following:

1) identify windowing/buffering issues.  meaning, you have a large download and it goes slower than you want.  it helps you identify how fast/much each side is sending, when the acks come thru for more data to be sent.  you can also see when buffers get overrun on receiving side in turn.  that was one case, the app was designed to take data off tcp buffer too slowly causing performance issue.  It was also good with respect to the windowing because you could tune it to better match the buffer settings to optimize throughput better.

2) identify if a server or client is adding to latency.  you can see in teh 3 way handshake how long it takes from receive to respond and you can tell if the client or server might have an app issue

3) You can see if there are performance issues due to "dirty" lines by looking at retransmissions.

4) You can drill into the data by reconstructing packets or filter very easily so that you can correlate all of the network traffic and where an issue might be arising.  For example, one use I did at my home was finding out that my IPv6 tunnel had dropped and hadn't established (it had been so solid I forgot about it).  So the capture showed me that dns was getting A and AAAA and trying IPv6 first before failing over to IPv4.

those are just a few of the items i used wireshark for most commonly.  you can think of it as a swiss army knife for analyzing traffic captures.  you don't have to actually sniff the traffic either.  so long as the data is in a format wireshark understands you can take captures from other places as well and analyze with wireshark in turn.
It's function is for monitoring network traffic. Now exactly HOW you use that data is where things can vary.

It might be for troubleshooting an issue with connection quality such as VoIP, you might be checking for a machine that is flooding the network, could even be for a computer that keeps dropping off the network at random intervals. Wireshark can provide a wide range of data, it's on you to determine which part of that data you want to filter for and analyze.
I'm going to disagree hopefully to provide clarity.  Wireshark's "monitoring" is merely a feature.  At its core it is a protocol analyzer.  That is what it is meant for.  The monitoring piece is just a way to collect the data so you can use it for what it was built for.  If it was meant for "monitoring" like ntop or other tools are then it wouldn't be such an optional feature to its function.

however, i'm thinking the difference here is semantics so I'm merely posting this so that clarity can be given as to what precisely wireshark is used for.
Abraham DeutschIT professionalAuthor Commented:
Thank you all for clarify the functionality of wirkshark.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now