Wireshark – Where to start?
I’ve been asked to share more tips and tricks on my packet analysis methodology, so here you go.
“What do you do, or where do you start when you get a trace file?”, Samantha D
Not to sound like a consultant, but it depends on what you are looking for and how you configured your protocol analyzer for the capture (slicing, filters, etc.).
Let’s take the worst-case scenario (which is more common than I would like to admit): I receive a trace file that was captured without a capture filter and with no documentation of the device’s MAC or IP address. Capturing without a capture filter is fairly standard practice so you don’t miss anything, but it leaves you with a lot of packets to work with afterwards. All I know is that they said they wanted to take my advice and perform a ‘boot-up baseline’ on an ATA.
I always recommend that you start with a ‘clean slate’ in your protocol analyzer. For example, hide the Packet Details and Packet Bytes panes (if possible), turn off any coloring rules, and remove any other items that might distract you. The goal is to see as many packets as possible in the packet list. With a ‘clean slate’ you might also spot other things in addition to what was originally asked for.
As you will see in the video, there are many different ways to locate the ATA adapter, but the general idea is that you should be familiar with the application or protocols involved, because that knowledge is what lets you locate your target.
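As an added example of the “know the protocols” approach (my own code, not from the original post): a device that has just booted usually announces itself with a DHCP request sent from 0.0.0.0 to broadcast and, once it has an address, a gratuitous ARP. Scanning an unfiltered trace for those two signatures narrows the candidate MACs down quickly. The frames, MACs and IPs below are constructed in place rather than read from a real capture.

```python
import struct
from ipaddress import ip_address

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return ip_address(s).packed
def eth(dst, src, etype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload
def arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
def udp_ip(src, dst, sport, dport, data):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip(src), ip(dst))
    return hdr + udp

def boot_signatures(frames):
    """Map source MAC -> boot-time signatures seen, in order of first appearance:
    a BOOTP request from 0.0.0.0 to broadcast (DHCP DISCOVER/REQUEST) or a
    gratuitous ARP (sender IP == target IP). Unrelated chatter is ignored."""
    found = {}
    for f in frames:
        src = ":".join(f"{b:02x}" for b in f[6:12])
        etype = struct.unpack("!H", f[12:14])[0]
        body, sig = f[14:], None
        if etype == 0x0806 and len(body) >= 28:                       # ARP
            op = struct.unpack("!H", body[6:8])[0]
            spa, tpa = body[14:18], body[24:28]
            if op == 1 and spa == tpa and spa != bytes(4):
                sig = "gratuitous-arp"
        elif etype == 0x0800 and len(body) >= 20 and body[9] == 17:   # IPv4 carrying UDP
            ihl = (body[0] & 0x0F) * 4
            sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])
            bootp_op = body[ihl + 8:ihl + 9]                          # first BOOTP byte: 1 = request
            if (sport, dport) == (68, 67) and body[12:16] == bytes(4) and bootp_op == b"\x01":
                sig = "dhcp-bootrequest"
        if sig:
            found.setdefault(src, []).append(sig)
    return found

# Constructed sample trace (not a real capture): background chatter plus one device booting.
ATA = "02:aa:bb:cc:dd:ee"    # constructed, locally administered MAC for the booting adapter
OTHER = "02:11:22:33:44:55"  # constructed MAC of an unrelated host
FRAMES = [
    eth("ff:ff:ff:ff:ff:ff", OTHER, 0x0806, arp(1, OTHER, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")),  # ordinary who-has
    eth("ff:ff:ff:ff:ff:ff", ATA, 0x0800, udp_ip("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" + bytes(239))),  # DHCP DISCOVER
    eth("ff:ff:ff:ff:ff:ff", ATA, 0x0806, arp(1, ATA, "10.0.0.77", "00:00:00:00:00:00", "10.0.0.77")),  # gratuitous ARP
    eth(OTHER, "02:11:22:33:44:00", 0x0800, udp_ip("10.0.0.9", "10.0.0.5", 5060, 5060, b"REGISTER sip:pbx")),  # unrelated SIP
]

if __name__ == "__main__":
    for m, sigs in boot_signatures(FRAMES).items():
        print(m, sigs)
```

The same two checks can be expressed as Wireshark display filters (`bootp.option.dhcp` / `dhcp.option.dhcp` and `arp.isgratuitous`) once you know what you are looking for; the point is that the protocol knowledge comes first and the filter second.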