Wireshark packet capture triage guide

A packet-capture triage guide for DNS, TLS, DHCP, SMB, RDP, retransmissions, and sensitive-data handling.

Good For

  • packet capture review
  • DNS failures
  • TLS handshake triage
  • SMB/RDP path checks
  • network escalation evidence

How to Use It

  1. Define the question before capturing: DNS answer, TCP handshake, TLS negotiation, DHCP lease, SMB failure, RDP reset, or retransmission pattern.
  2. Capture from the endpoint and, when possible, the nearest network device so path asymmetry is visible.
  3. Use capture or display filters that match the symptom instead of collecting broad traffic for long periods.
  4. Stop captures quickly and record exact client, server, time window, interface, and test action.
  5. Review DNS response codes, TCP SYN/SYN-ACK/RESET behavior, TLS alerts, retransmissions, and application ports.
  6. Sanitize or restrict packet files before sharing because captures can include hostnames, usernames, tokens, cookies, and payload data.

Execution Modes

  • local

Inputs and Outputs

Inputs

  • interface
  • client IP
  • server IP or hostname
  • test window
  • display filter

Outputs

  • operator-notes
  • log-file

Command Starter

Example pattern only. Adjust for your environment before running.

List capture interfaces and note the index of the one facing the client or server (indexes differ per host):
tshark -D

Capture on interface 1 for 60 seconds and write the file (keep the window short, as in step 4):
tshark -i 1 -a duration:60 -w C:\Temp\triage-capture.pcapng

Read the file back and show only DNS, TCP retransmissions, and TLS records:
tshark -r C:\Temp\triage-capture.pcapng -Y "dns or tcp.analysis.retransmission or tls"
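The review step (step 5) and the sanitize-before-sharing step (step 6) can be scripted once the capture has been reduced to a field export. The following Python is an added example written for this guide, not part of the guide itself or of the tshark project. It assumes the pcap from the Command Starter was first exported with `tshark -r C:\Temp\triage-capture.pcapng -T fields -E separator=/t -E header=n -e frame.time_epoch -e ip.src -e ip.dst -e dns.flags.rcode -e tcp.flags.reset -e tls.alert_message.desc -e _ws.col.Info` (the field list and column order are an assumption to adjust for your tshark version). The sample lines inside the script are constructed to look like that output and are not from a real capture.

```python
"""Map a tshark field export to the packet patterns the guide names (NXDOMAIN, reset,
TLS alert, retransmission) and summarise them per host pair with addresses pseudonymised.

Added example for the triage guide; assumed export column order:
  frame.time_epoch, ip.src, ip.dst, dns.flags.rcode, tcp.flags.reset,
  tls.alert_message.desc, _ws.col.Info  (tab separated, no header)
"""
import hashlib
from collections import Counter

# Constructed sample export (tab separated). tshark prints booleans as 1/0 or
# True/False depending on version, so classify() accepts both forms.
SAMPLE_EXPORT = """\
1700000000.10\t10.0.0.5\t10.0.0.53\t3\t\t\tStandard query response 0x1a2b No such name A app.internal.example
1700000000.20\t10.0.0.5\t192.0.2.10\t\t0\t\t[TCP Retransmission] 51000 > 443 [SYN] Seq=0
1700000000.40\t10.0.0.5\t192.0.2.10\t\t0\t\t[TCP Retransmission] 51000 > 443 [SYN] Seq=0
1700000001.00\t192.0.2.20\t10.0.0.5\t\t1\t\t3389 > 51001 [RST, ACK] Seq=1 Ack=1
1700000001.50\t192.0.2.30\t10.0.0.5\t\t0\t48\tAlert (Level: Fatal, Description: Unknown CA)
1700000002.00\t10.0.0.5\t10.0.0.53\t0\t\t\tStandard query response 0x1a2c A app.example 192.0.2.30
"""

# RFC 1035 response codes and TLS alert descriptions (RFC 5246 / 8446 numbering).
DNS_RCODES = {"0": "NOERROR", "1": "FORMERR", "2": "SERVFAIL",
              "3": "NXDOMAIN", "4": "NOTIMP", "5": "REFUSED"}
TLS_ALERTS = {"40": "handshake_failure", "42": "bad_certificate",
              "45": "certificate_expired", "46": "certificate_unknown",
              "48": "unknown_ca", "49": "access_denied", "70": "protocol_version",
              "71": "insufficient_security", "112": "unrecognized_name"}


def classify(line):
    """Return a finding label for one export line, or None if the packet is unremarkable."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    _ts, _src, _dst, rcode, rst, alert, info = fields[:7]
    if rcode and rcode != "0":
        return "dns:" + DNS_RCODES.get(rcode, "RCODE" + rcode)
    if rst in ("1", "True"):
        return "tcp:reset"
    if alert:
        return "tls:" + TLS_ALERTS.get(alert, "alert" + alert)
    if "[TCP Retransmission]" in info or "[TCP Spurious Retransmission]" in info:
        return "tcp:retransmission"
    return None


def pseudonym(addr, salt):
    """Stable per-report pseudonym: the same address maps to the same label, but the
    real address is not disclosed. Keep the salt with the unsanitised evidence."""
    return "host-" + hashlib.sha256((salt + addr).encode()).hexdigest()[:8]


def triage(export_text, salt="", redact=True):
    """Count findings per (src, dst, label). The Info column, which can carry
    hostnames, is never copied into the summary."""
    counts = Counter()
    for line in export_text.splitlines():
        label = classify(line)
        if label is None:
            continue
        fields = line.split("\t")
        src, dst = fields[1], fields[2]
        if redact:
            src, dst = pseudonym(src, salt), pseudonym(dst, salt)
        counts[(src, dst, label)] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, label), n in sorted(triage(SAMPLE_EXPORT, salt="ticket-123").items()):
        print(f"{src} -> {dst}  {label}  x{n}")
```

The summary printed with `redact=True` is what goes into the escalation ticket; the mapping from pseudonym back to address stays with the capture file under the same access controls. Running with `redact=False` is for the operator's own review, where the two SYN retransmissions toward port 443, the RST from the RDP host, and the fatal unknown_ca alert each map to one of the patterns listed under Validation.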

Validation

  • The capture includes the exact test window and endpoint pair.
  • The finding maps to a visible packet pattern such as NXDOMAIN, timeout, reset, TLS alert, retransmission, or refused connection.
  • Shared evidence is scoped or sanitized for sensitive data.

Reporting

  • attach filtered screenshots or packet summaries to escalation tickets
  • record capture filter, display filter, host pair, and timestamp
  • promote repeated use into a network escalation evidence pack

Safety Notes

  • Packet captures can contain sensitive data and should be stored and shared carefully.
  • Get approval before capturing on shared or regulated networks.
  • Keep capture windows short and focused.