Wireshark – For those who choose to do more with less

The philosophy of doing more with less sounds good, but it is not always practical. It takes effort and lots of practice to get to this methodology. I used to carry a “multi-tool” with me. It was like having a mini toolkit I could fold it up and carry in my pocket. It was great, but over time I started to think it was a little heavy and opted to leave it in my actual tool bag and went back to carrying a small Swiss Army knife. It was smaller and lighter. I learned to get the most out of it and found that I didn’t miss the larger, heavier multi-tool as much as I originally thought. In fact I learned a few tricks over the years that I probably would not have discovered if I hadn’t forced myself to do more with less.

This is the philosophy I try to adhere to for troubleshooting communications issues – whether it be a network, application, or hardware based issue. I see a lot of techs load up their laptops with lots of assorted and expensive software that I have learned over time that I really don’t need. I was never a big fan of “point and click” or “proprietary configuration wizards”. If the “application” can leverage the operating system to produce a desired result – maybe I can too without all the bells and whistles….and costly licensing fees. Usually I can find a simpler solution right from the command line. Windows, Linux, and Unix all have great shells to work with. If I can use Bash, Netsh, or Powershell, I will. There are some exceptions to this rule that I make when it comes to a tool as close to a Swiss Army Knife as Wireshark.

I used to rely on tcpdump, but Wireshark, and Tshark are just too good to not to have available for troubleshooting networking problems.

Wireshark continues to get handier as its development team continues to improve and evolve the software. As with anything I really like, I still have to work at learning how to use Wireshark, and the best way for me to improve my skillset is to practice, practice, practice. I read all I can, listen to all the experts, and most importantly – I use it. You can get a lot of useful info at Wireshark.org, so I won’t try to rehash any of that. The resources from the Wireshark community are incredible.

Whenever a new revision of Wireshark is released – It makes my day. I play around with the development releases, but the official release candidate is always the big deal for me. The stable release is very practical, but I usually download and start using the new release as soon as I can.

The latest current release is usually available for Windows before many of the Linux repositories, but most repositories will have their “ stable” release – which isn’t always the same across the board for all distros. Today the Ubuntu and Arch repositories are one version apart. Ubuntu’s latest stable PPA is available also, but it’s not the same as the Windows latest version. I usually run both Windows and Arch, mainly because I prefer to work with Linux, so I usually run the latest available version for LINUX.

This latest 2.4 release however has the TRANSUM plugin already built into the main release, where I have to manually install TRANSUM in 2.2.8 or 2.2.7 for Linux. It’s not too difficult, but I like having it already built in. If you’re not familiar with the TRANSUM plugin I suggest you visit the LoveMyTool.com site and read the “Wireshark Transum Quickstart” by Tony Fortunato, or the Community.tribelab.com resource pages. It’s a very cool plugin if your interested in performance analysis. I ran into a few problems getting the TRANSUM protocol to show up at first because I didnt have the protocol eneabled. You’ll find that under your Analyze tab “Enabled Protocols”. Once I enabled the Transum protocol I was able to see the ADPU Response, Service Time, Request Spread, and Response Spread times all under the Transum packet details located right below TCP. UDP is supported as well.

The bottom line is as always – do the work, practice, practice, practice. Learn to do more with less, and get to the point where you can make the hard stuff look effortless. I know you can use the trace function in Windows to capture packets, and yes you can open ETL files in Microsoft’s old Network Monitor 3.4 or the new Message Analyzer, but I prefer to use Wireshark and Tshark. This is mainly because I prefer to use LINUX…….and yes I know Wireshark will work on Mac’s OSX. Which by the way I really like because of the UNIX lineage. Mac is a whole other topic. I should probobly use the Mac version more because it is more of a daily driver for a lot of techs, but I tend to rely on Linux. I use Windows because I have to, I use Linux because I want to. Luckily Wireshark is available for all three main Operating Systems that I use. I must admit though that Windows 10 pro works very well with Wireshark in my experience. I really like Windows 10 Pro, but there’s still a lot of hesitation in some areas to leave Windows 7. Fortunatlly Wireshark seems to have no issues that I have seen running on Win7. So if I can only add one application to a very basic “troubleshooting laptop” build – it will be Wireshark.

Wireshark display and capture filters

Wireshark Filters: Display vs Capture

A common thought by beginners when it comes to Wireshark filters is that display and capture filters do the same thing. Well, they don’t; they may seem to be doing the same thing to you but the difference is when the packets get filtered.

Display filters don’t stop Wireshark from capturing any packets, you still capture all packets but it only displays you the packets you asked for. While capture filters when used make it so Wireshark won’t capture any packets that you have specified not to.

Wireshark Filters



Wireshark Basic Overview

What is Wireshark?

Wireshark is open source software for Windows and UNIX/Linux, open source meaning that anyone can download it for free and can if they want alter the source code however they please. It’s considered the best network packet analyzer you can use today.

But, What is a network packet analyzer?

A network packet analyzer captures network packets on a specified network and would then display very detailed data about the network protocols of each packet.

Typical users are:

Network administrators- who can use it to troubleshoot network issues

Cyber Security Engineers- Can watch and see any attempted attacks on a network

Developers- to Debug protocols

Wireshark Logo


For more information check out




Check out our post on display filters and capture filters