Wireshark

Q.1 What is Wireshark?
Wireshark is a popular open-source network protocol analyzer used to capture and inspect packets in real-time for troubleshooting, analysis, and security monitoring.
Q.2 How does Wireshark capture packets?
Wireshark captures packets by placing the network interface in promiscuous mode, so the card passes up every frame that reaches it, not only frames addressed to its own MAC address; on a switched network this is the traffic visible from that capture point (e.g. a mirror/SPAN port).
Q.3 What are the key features of Wireshark?
Wireshark supports live traffic capture, filtering, protocol analysis, color coding, and the ability to read and export data in multiple formats.
Q.4 Which operating systems support Wireshark?
Wireshark runs on Windows, macOS, Linux, and UNIX-based systems.
Q.5 What is a capture filter in Wireshark?
A capture filter is applied before packet collection to limit the type of traffic captured, improving performance and focusing on relevant data.
Q.6 What is a display filter in Wireshark?
A display filter is used after packets are captured to refine the view and focus on specific traffic, such as filtering HTTP or TCP packets.
Q.7 How can you filter only HTTP traffic in Wireshark?
Use the display filter: http.
Q.8 What is the difference between TCP and UDP in Wireshark?
TCP is connection-oriented, ensuring reliable delivery, while UDP is connectionless and used for speed-sensitive applications like streaming.
Q.9 How can you identify network latency using Wireshark?
Analyze TCP timestamps, Round Trip Time (RTT, shown per ACK as tcp.analysis.ack_rtt), and packet retransmissions to spot delays.
Q.10 How do you detect packet loss in Wireshark?
Look for TCP retransmissions, duplicate ACKs, or use the "Expert Information" panel for warnings.
Q.11 What is deep packet inspection (DPI) in Wireshark?
DPI analyzes the contents of packets beyond headers, helping to detect anomalies, malware, and policy violations.
Q.12 How can you detect network congestion in Wireshark?
By monitoring high latency, duplicate ACKs, and TCP retransmissions, which indicate congestion issues.
Q.13 What does a "Malformed Packet" error in Wireshark indicate?
It suggests packet corruption due to transmission errors, improper formatting, or security attacks.
Q.14 How can you analyze encrypted traffic in Wireshark?
By importing decryption keys or using SSL/TLS decryption if you have access to the private keys.
Q.15 What command-line tool complements Wireshark for packet capture?
tshark, a command-line version of Wireshark, is useful for automated packet analysis.
Q.16 How do you capture only TCP packets in Wireshark?
Use the capture filter: tcp.
Q.17 How can you filter packets from a specific IP address?
Use the display filter: ip.addr == 192.168.1.1.
Q.18 What is the difference between capture filters and display filters?
Capture filters are applied before data collection to limit traffic capture, while display filters refine already captured packets for analysis.
Q.19 How do you detect an ARP spoofing attack in Wireshark?
Look for the same IP address being claimed by more than one MAC address in ARP replies (Wireshark flags this as arp.duplicate-address.detected). Use the filter: arp.
Q.20 What does a high number of retransmissions indicate?
It may indicate packet loss, network congestion, or poor network performance.
Q.21 How do you find the handshake process of a TCP connection?
Filter using tcp.flags.syn == 1 && tcp.flags.ack == 0 to see the initial SYN, tcp.flags.syn == 1 && tcp.flags.ack == 1 for the SYN-ACK, and tcp.flags.ack == 1 && tcp.flags.syn == 0 && tcp.len == 0 for pure ACKs (the first of these in a stream is the third packet of the handshake). tcp.flags.syn == 1 alone matches both SYN and SYN-ACK, and tcp.flags.ack == 1 alone matches almost every packet, so the extra conditions are needed.
Q.22 How can you filter only DNS traffic in Wireshark?
Use the display filter: dns.
Q.23 What does an ICMP packet indicate in Wireshark?
ICMP packets are used for network diagnostics, such as ping requests (icmp.type == 8) and replies (icmp.type == 0).
Q.24 How do you detect slow network performance using Wireshark?
Check for high latency, large delays between packets, and packet retransmissions using TCP analysis tools in Wireshark.
Q.25 How can you save a specific packet capture session in Wireshark?
Use File → Save As, then select a .pcap or .pcapng format to store the capture for later analysis.
Q.26 How can you detect a brute-force attack in Wireshark?
Look for multiple failed login attempts within a short period using the filter: http.request.method == "POST" (for web logins) or ftp.response.code == 530 (for FTP failures).
Q.27 How do you identify a DDoS attack using Wireshark?
Check for an unusually high number of requests from many source IP addresses to a single target, using a filter like ip.dst == <target IP> and Statistics → Conversations to sort the sources by packet count.
Q.28 How can you spot unauthorized data exfiltration?
Monitor for large amounts of outbound data, especially over non-standard ports, using frame.len > 1000 and tcp.flags.push == 1.
Q.29 What filter would you use to detect malware-related DNS queries?
Use dns.qry.name contains "suspicious-domain.com" to find queries to known malicious domains.
Q.30 How can you detect packet sniffing activity on your network?
Look for machines with high ARP traffic, sending multiple ARP requests without expected replies (arp.opcode == 1).
Q.31 How do you identify a TCP connection reset issue?
Use the filter tcp.flags.reset == 1 to find packets where a connection was forcibly closed.
Q.32 How can you detect network latency problems?
Check for high Round Trip Time (RTT) values in TCP conversations and large TCP segment delays using the TCP stream graph (Statistics → TCP Stream Graphs → Round Trip Time).
Q.33 What does a high number of duplicate ACKs indicate?
It suggests packet loss or network congestion, causing the sender to retransmit missing packets.
Q.34 How can you analyze VoIP (Voice over IP) traffic in Wireshark?
Use rtp as a filter to capture Real-time Transport Protocol (RTP) packets and check for jitter, latency, and packet loss in VoIP calls.
Q.35 How do you filter all traffic except ARP in Wireshark?
Use the filter: !(arp).
Q.36 How do you analyze TLS/SSL traffic in Wireshark?
Use the filter tls (ssl is an older alias for the same dissector) to inspect TLS traffic. Wireshark can decrypt it in two ways under Edit → Preferences → Protocols → TLS: by adding the server's RSA private key to the RSA keys list, which only works when the session used RSA key exchange (not ECDHE or TLS 1.3), or by pointing the (Pre)-Master-Secret log filename preference at a key log file written by the client (SSLKEYLOGFILE), which works with any cipher suite.
Q.37 How can you detect a Man-in-the-Middle (MITM) attack in Wireshark?
Look for duplicate ARP responses (arp.duplicate-address.detected) or suspicious SSL/TLS certificates in tls.handshake.
Q.38 What is the significance of TCP Zero Window in Wireshark?
A Zero Window (tcp.analysis.zero_window) means the receiver’s buffer is full, causing slow data transfer and potential performance issues.
Q.39 How can you identify DNS tunneling in Wireshark?
Look for unusually long DNS queries or high-frequency DNS requests to a single domain using dns && frame.len > 100.
Q.40 What does excessive TCP retransmission indicate in network traffic?
It can indicate packet loss, congestion, or a failing network device causing unstable communication.
Q.41 How do you use Wireshark to analyze network congestion?
Monitor for high latency, duplicate ACKs, TCP retransmissions, and excessive TCP window size changes. Use Statistics → TCP Stream Graphs → Throughput.
Q.42 What is the difference between TCP fast retransmit and spurious retransmission?
Fast Retransmit (tcp.analysis.fast_retransmission): the sender retransmits immediately after receiving three duplicate ACKs, without waiting for the retransmission timer to expire.
Spurious Retransmission (tcp.analysis.spurious_retransmission): a segment is retransmitted unnecessarily even though the receiver had already acknowledged it, usually because the ACK was lost or delayed or the sender's retransmission timer fired too early.
Q.43 How do you identify asymmetric routing in Wireshark?
Check whether both directions of a TCP stream are present at the capture point: if you see data in one direction but never the corresponding ACKs (Wireshark flags tcp.analysis.ack_lost_segment, "ACKed segment that wasn't captured"), the return traffic is taking a different path. Use the Follow TCP Stream feature to review the packet sequence.
Q.44 What is a TCP Keep-Alive packet, and how do you filter for it?
TCP Keep-Alive packets are sent to prevent idle connections from timing out. Wireshark tags them as tcp.analysis.keep_alive (and the responses as tcp.analysis.keep_alive_ack), so filter on those rather than on tcp.flags.ack == 1 && tcp.len == 0, which matches every pure ACK in the capture.
Q.45 How do you troubleshoot high-latency applications using Wireshark?
Use tcp.analysis.initial_rtt to measure initial Round Trip Time (RTT) and look for large gaps between packets in IO graphs (Statistics → IO Graphs).
Q.46 Scenario: Your company suspects a data breach. How would you use Wireshark to identify unauthorized data transfers?
Solution: Use the filter tcp.dstport == 21 || tcp.dstport == 22 || tcp.dstport == 443 to check for FTP, SSH, or HTTPS data transfers. Also, monitor for large outbound packets (frame.len > 1000) to unknown IPs.
Q.47 Scenario: A user reports that their internet connection is extremely slow. How do you troubleshoot?
Solution: Check for high TCP retransmissions (tcp.analysis.retransmission), packet loss, or network congestion using the TCP Stream Graph (Statistics → TCP Stream Graphs → Round Trip Time).
Q.48 Scenario: Your network is under a DDoS attack. How can Wireshark help?
Solution: Filter for high ICMP traffic (icmp), SYN flood (tcp.flags.syn == 1 && tcp.flags.ack == 0), or repeated DNS requests (dns.qry.name from many IPs) to find the attack source.
Q.49 Scenario: Users are experiencing frequent SSL connection failures. How do you debug?
Solution: Use tls.handshake to follow the handshake (tls.handshake.type == 1 is the Client Hello, 2 the Server Hello) and see where it stops. Failed handshakes usually end with an alert, so filter tls.alert_message and read its description (e.g. handshake_failure, bad_certificate, unknown_ca), and check the server certificate for name or chain mismatches.
Q.50 Scenario: You suspect an ARP spoofing attack. How do you verify this in Wireshark?
Solution: Use the filter arp.duplicate-address.detected to check for multiple ARP replies with different MAC addresses for the same IP.
Q.51 Scenario: A website loads slowly for a user, but others report normal speed. How do you analyze?
Solution: Use the http filter and check response times in the "Time" column (or http.time). If the server's response is slow, it is a backend issue; if the delay is high network latency, it is a network issue.
Q.52 Scenario: A VoIP call has poor audio quality. What steps do you take in Wireshark?
Solution: Use the rtp filter to analyze RTP packets. Check for high jitter (rtp.timestamp variations) and packet loss (rtp.seq gaps); Telephony → RTP → RTP Streams reports jitter and loss per stream.
Q.53 Scenario: A database server is slow to respond. How do you analyze database performance in Wireshark?
Solution: Filter SQL traffic using tcp.port == 1433 (MSSQL) or tcp.port == 3306 (MySQL). Look for high round-trip times (tcp.analysis.initial_rtt) and retransmissions (tcp.analysis.retransmission).
Q.54 Scenario: A client application keeps getting disconnected from the server. How do you debug this?
Solution: Use tcp.flags.reset == 1 to find TCP RST packets, which indicate forced disconnections. Look for timeout issues (tcp.analysis.lost_segment).
Q.55 Scenario: Two devices are unable to communicate despite being on the same network. How do you troubleshoot?
Solution: Use arp filter to check if both devices are resolving MAC addresses properly. If ARP is missing, a switch or VLAN misconfiguration might be blocking traffic.
Q.56 Case Study: A financial institution suspects insider data exfiltration. How would you use Wireshark to investigate?
Solution: Filter for large outbound file transfers (frame.len > 1000), unusual FTP/SFTP activity (ftp-data || ssh), and connections to unauthorized external IPs (ip.dst != <approved address or range>).
Q.57 Case Study: A company’s web application is experiencing intermittent login failures. How do you use Wireshark to diagnose the issue?
Solution: Use http.request.uri contains "login" to monitor login requests. Look for HTTP 401 (Unauthorized) or 403 (Forbidden) responses, slow server responses, or SSL/TLS handshake failures (tls.alert_message).
Q.58 Case Study: A network administrator suspects a ransomware attack. How would you confirm this in Wireshark?
Solution: Look for suspicious encrypted traffic to unknown IPs (ip.geoip.country != "Your Country", which requires the MaxMind GeoIP databases to be configured in Preferences), SMB protocol activity (smb2) showing mass file modifications, or rapid DNS requests to random-looking domains (sort dns.qry.name under Statistics → DNS, or use dns.qry.name contains "<pattern>" once a pattern is known).
Q.59 Case Study: Your SOC (Security Operations Center) detects excessive ARP traffic. What steps do you take in Wireshark?
Solution: Use arp.duplicate-address.detected to find MAC address conflicts, suggesting ARP poisoning. Look for ARP requests with changing MAC addresses targeting the same IP.
Q.60 Case Study: A company suspects an employee is accessing restricted sites. How do you investigate using Wireshark?
Solution: Use http.host contains "<domain>" or tls.handshake.extensions_server_name contains "<domain>" to find requests to unauthorized domains.
Q.61 Case Study: A corporate VPN connection drops frequently. How do you troubleshoot using Wireshark?
Solution: Filter for VPN protocols (esp || isakmp for IPsec, openvpn for OpenVPN). Check for high latency (tcp.analysis.initial_rtt), retransmissions (tcp.analysis.retransmission), or unexpected connection resets (tcp.flags.reset == 1).
Q.62 Case Study: Users complain about slow database queries. How do you analyze the network’s role?
Solution: Filter by database protocol (e.g., tcp.port == 3306 for MySQL, tcp.port == 1433 for MSSQL). Look for high RTT, packet retransmissions, and slow response times from the server.
Q.63 Case Study: A customer reports VoIP call drops and poor audio quality. How do you diagnose?
Solution: Use the rtp filter to analyze packet loss, jitter (rtp.timestamp inconsistencies), and out-of-sequence packets (rtp.seq gaps).
Q.64 Case Study: A web server is experiencing slow loading times. How do you pinpoint the issue?
Solution: Use http.response.code together with http.time (time since the request, in seconds, e.g. http.time > 1) to find slow responses. If the gap sits between request and response, the delay is server-side; if Wireshark also flags lost segments or retransmissions (tcp.analysis.lost_segment, tcp.analysis.retransmission), it is network-related.
Q.65 Case Study: Two departments on the same network cannot communicate. What steps do you take?
Solution: Use arp to check MAC resolution. If ARP fails, check for VLAN misconfigurations using vlan.id. Also, analyze ICMP Destination Unreachable messages (icmp.type == 3; code 1 is host unreachable, code 13 is communication administratively prohibited) for blocked traffic.
Q.66 Scenario: You are performing a penetration test on a company network. How can you use Wireshark to discover active hosts?
Solution: Use arp and icmp filters to detect active hosts responding to ARP and ICMP Echo requests. Additionally, apply ip.src == <target host> to track responses to your scans.
Q.67 Scenario: How can you identify open ports on a target system using Wireshark?
Solution: Perform an Nmap scan (nmap -sS <target>), then filter with tcp.flags.syn == 1 && tcp.flags.ack == 1 to identify open ports responding with SYN-ACK packets.
Q.68 Scenario: You suspect a hidden backdoor in a compromised system. How do you detect it using Wireshark?
Solution: Look for unusual connections to uncommon ports (!(tcp.port == 80) && !(tcp.port == 443); note that tcp.port != 80 in older Wireshark versions matched any packet where either port was not 80) or persistent connections to external IPs (ip.dst != <known-good address>).
Q.69 Scenario: You want to intercept HTTP credentials during a red team assessment. How can you do this?
Solution: Use the filter http.request.method == "POST" and look for login form data in the request payload. Note: This works only if traffic is unencrypted (non-HTTPS).
Q.70 Scenario: You need to analyze Wi-Fi traffic to detect unauthorized devices. What steps do you take?
Solution: Capture packets using a Wi-Fi adapter in monitor mode, then filter for wlan.ssid to list all active networks and wlan.addr to track unauthorized MAC addresses.
Q.71 Scenario: A malware infection is suspected in the network. How do you use Wireshark to confirm it?
Solution: Check for suspicious DNS requests (dns.qry.name contains "random-string") and unusual outbound traffic (tcp.dstport > 10000). Look for C2 (Command & Control) connections using long, persistent TCP sessions.
Q.72 Scenario: A phishing attack is suspected. How can you confirm credential theft?
Solution: Use http and search for form submissions (http.request.method == "POST" && http.request.uri contains "login"). If credentials are sent in plaintext, they may have been stolen.
Q.73 Scenario: You suspect an attacker is performing MITM (Man-in-the-Middle) on HTTPS traffic. How do you detect this?
Solution: Look for suspicious SSL/TLS certificates (tls.handshake.extensions_server_name != "expected-website.com") and unexpected ARP traffic (arp.duplicate-address.detected).
Q.74 Scenario: You need to detect unauthorized SSH brute-force attempts. What filters do you use?
Solution: Use tcp.port == 22 && tcp.flags.push == 1 to see excessive login attempts. High-frequency login failures indicate brute-force activity.
Q.75 Scenario: How can you confirm that exfiltrated data is being sent through a covert channel?
Solution: Check for high outbound traffic volume on non-standard ports (frame.len > 1000 && !(tcp.port == 80) && !(tcp.port == 443)). Also, inspect DNS tunneling by analyzing long DNS query strings (len(dns.qry.name) > 50, or dns.qry.name contains "<suspicious string>" once a pattern is known).
Q.76 Scenario: A company's confidential files were leaked. How do you use Wireshark to trace the source?
Solution: Filter for large file transfers (tcp.len > 1000) and check for unauthorized FTP/SFTP usage (ftp || ssh; SFTP runs inside SSH, so there is no separate sftp dissector). Analyze connections to external IPs (ip.dst != <approved address or range>).
Q.77 Scenario: An employee is suspected of using an unauthorized proxy to bypass security restrictions. How do you detect this?
Solution: Filter for connections to known proxy servers (http.host contains "proxy" or tls.handshake.extensions_server_name contains "vpn"). Also, check for SSH tunneling (tcp.port == 22 && frame.len > 1000).
Q.78 Scenario: A server experienced a DoS attack. How do you identify the attack pattern?
Solution: Use ip.dst == <server IP> and check for high-volume SYN packets (tcp.flags.syn == 1 && tcp.flags.ack == 0) from multiple IPs, indicating a SYN flood attack.
Q.79 Scenario: A suspicious external IP address has been communicating with internal systems. How do you analyze the traffic?
Solution: Use ip.addr == <external IP> and analyze the protocols used (HTTP, SSH, DNS). Check if sensitive data is being transmitted.
Q.80 Scenario: A USB device was connected to a system, and data was transferred. How do you find network traces of this event?
Solution: The usb filter only applies to USB captures taken on the host itself (USBPcap/usbmon), and usbip to USB-over-IP traffic; on the network, look instead for file transfers (smb2 || ftp || nfs) to external storage services around the time of the event.
Q.81 Scenario: A ransomware attack encrypted files on multiple machines. How do you analyze it in Wireshark?
Solution: Look for sudden SMB write activity (smb2.cmd == 9 && frame.len > 1000, where 9 is the SMB2 WRITE command) and connections to C2 servers (dns.qry.name contains "<suspicious pattern>").
Q.82 Scenario: A hacker is suspected of using DNS tunneling to bypass security filters. How do you confirm this?
Solution: Filter for long DNS queries (len(dns.qry.name) > 50) and look for unusual DNS request patterns (dns.qry.type == 16 for TXT records), which may indicate data exfiltration.
Q.83 Scenario: A phishing attack led to unauthorized access to an employee's account. How do you find the phishing site?
Solution: Use http.request.uri contains "login" and inspect the domain (http.host). Compare it to the legitimate site’s SSL certificate (tls.handshake).
Q.84 Scenario: A system administrator reports unauthorized remote access to a critical server. How do you track the attack?
Solution: Filter SSH and RDP traffic (tcp.port == 22 || tcp.port == 3389) and check for unexpected login attempts from unknown IPs (ip.src != <approved address or range>).
Q.85 Scenario: A malware outbreak is spreading across the network. How do you isolate the source?
Solution: Look for high outbound connections from a single machine (ip.src == <suspect host> && frame.len > 1000), unusual SMB traffic carrying executables (smb2 && smb2.filename contains ".exe"), and malicious domain queries (dns.qry.name contains "<suspicious pattern>").