Wireshark – Analyze Network Performance

| Name | Filter | Description |
| --- | --- | --- |
| Connection Reset | `tcp.flags.reset == 1` | Unexpected TCP resets can mean an application closing abruptly, a timeout on one side, or a firewall or IDS injecting resets; check which endpoint sends them. |
| Bad TCP packets | `tcp.analysis.flags && !tcp.analysis.window_update` | Every frame Wireshark's TCP expert has flagged (retransmissions, duplicate ACKs, zero window, out-of-order and so on), excluding routine window updates, which are not errors. |
| Slow RTT | `tcp.analysis.ack_rtt > 0.1` | Time between a segment and the ACK that acknowledges it, here above 100 ms. A high or rising value suggests congestion. It is measured from the capture point, so it only reflects the path from there to the acknowledging host. |
| TCP Waiting for App | `tcp.time_delta > 0.1` | Gap since the previous frame of the same TCP conversation. A long gap before a server's data usually means the application, not the network, is slow. Requires "Calculate conversation timestamps" in the TCP protocol preferences. |
| Slow DNS | `dns.time > 1` | Responses that arrived more than a second after their query. Slow name resolution delays every connection that follows. |
| TCP Dup ACK | `tcp.analysis.duplicate_ack` | Repeated acknowledgements of the same sequence number: the receiver is missing a segment, because of packet loss or reordering. |
| TCP Retransmission | `tcp.analysis.retransmission` | Excessive retransmissions indicate packet loss or congestion. Compare with the duplicate ACKs to see which direction is losing data. |
| High HTTP Response Time | `http.time > 1` | HTTP responses arriving more than a second after their request. Only visible for plaintext HTTP, or for HTTPS once the TLS session keys have been loaded. |
| Excessive ARP Broadcast | `arp.isgratuitous == 1` | Gratuitous ARP is normal at boot or failover, but a flood of it can indicate IP conflicts, flapping interfaces or a misbehaving host. |
| ICMP Redirects | `icmp.type == 5` | Redirects (code 0 for a network, 1 for a host, 2 and 3 for the type-of-service variants) point to suboptimal routing. A forged redirect can also steer a host's traffic through an attacker, so redirects from an unexpected source are a security signal, not just a configuration issue. |
| Application Dependencies | `http.host == "www.espn.com"` | Loading a site such as www.espn.com pulls content from many hosts. This shows the plaintext HTTP requests sent to one of them; to list all of them, add `http.host` as a column or use Statistics > HTTP > Requests. For HTTPS the host is only visible in the TLS SNI: `tls.handshake.extensions_server_name == "www.espn.com"`. |
| TCP Zero Window | `tcp.window_size == 0 and !tcp.flags.reset` | The receiver advertises no buffer space: its application is not draining the socket as fast as data arrives, so the sender has to stop. Wireshark also flags this as `tcp.analysis.zero_window`. |
| TCP Window Full | `tcp.analysis.window_full` | The sender has filled the receiver's advertised window and must wait for an ACK. Throughput is now limited by the receiver or by the bandwidth-delay product; if the window then drops to zero, see the previous row. |
| Recovery Events | `tcp.stream eq N and (tcp.analysis.window_update or tcp.analysis.zero_window)` | Zero-window and window-update events of one conversation (replace N with the stream index of the affected connection), to see how long the receiver stalled before it recovered. |
| Slow DNS Responses | `dns.flags.rcode eq 0 and dns.time gt .1` | Successful answers that still took more than 100 ms. Capture both at the client and at the resolver to tell local resolver latency from upstream recursion. |
| Removing Irrelevant Data | `!(eth.dst == ff:ff:ff:ff:ff:ff or arp or stp)` | Hides broadcasts, ARP and spanning tree so that the unicast conversations stand out. |
| Incident Response Snapshot | `tcp.flags.syn==1 or tcp.flags.fin==1 or tcp.flags.reset==1 or dns or tls.handshake.type==1 or tls.handshake.type==2 or tcp.port==3389 or tcp.port==22 or tcp.port==445` | Connection setups and teardowns, name lookups, TLS ClientHello and ServerHello, and any RDP, SSH or SMB traffic: the first things to look at in an incident. Older Wireshark versions name the TLS fields `ssl.*`. |
| Video Traffic QoS | Capture filter: `ip and ((ip[1] & 0xfc) >> 2 == 0x20 or (ip[1] & 0xfc) >> 2 == 0x22)`. Display filter: `ip.dsfield.dscp == 32 or ip.dsfield.dscp == 34` | Packets marked CS4 (DSCP 32) or AF41 (DSCP 34), the classes commonly used for video, to confirm that QoS marking survives end to end. The first form is BPF capture-filter syntax and is not accepted as a display filter. |
| Specific Device Identification | `wlan.addr_resolved contains "Nintendo" or eth.addr_resolved contains "Sony"` | Finds devices by manufacturer (OUI) name instead of raw MAC address. Requires MAC address resolution to be enabled, and `contains` is case-sensitive. |
| Duplicate IP Identification | `arp.duplicate-address-frame` | ARP frames in which the same IP address is claimed by more than one MAC address. |
| Syn/FIN/RST Packets | `tcp.flags & 7 or (tcp.seq == 1 && tcp.ack == 1 && tcp.len == 0) or tcp.len > 0` | All SYN/FIN/RST segments, the final ACK of the three-way handshake, and every data-carrying segment, leaving out pure ACKs. The seq/ack test relies on relative sequence numbers, which are on by default. |
| Traffic Types | `eth.ig == 1` (multicast and broadcast), `not eth.ig == 1` (unicast), `eth.addr == ff:ff:ff:ff:ff:ff` (broadcast only), `not eth.addr == ff:ff:ff:ff:ff:ff` (everything except broadcast) | Isolates one class of frame by the group bit of the MAC address. |
| Diagnosing TCP Issues | `tcp.port == 12345 or icmp` | Shows the application's traffic on one port alongside ICMP, so that continuous pings between the two endpoints can be compared with the application's stalls when the problem occurs. The variant `icmp and tcp.port == 12345` isolates ICMP errors (for example destination unreachable) that quote that connection's headers. |
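The `tcp.analysis.*` rows above are not raw header fields: Wireshark derives them per conversation from sequence numbers, ACKs and windows. The following is an added example, not code from the original page and not Wireshark's own implementation, that re-derives a simplified subset of those flags (retransmission, duplicate ACK, zero window, window update, reset) together with `tcp.time_delta` and `tcp.analysis.ack_rtt` from a constructed packet list, then applies the table's filters to the result. Endpoints, sequence numbers and timings in the sample are invented; Wireshark's real heuristics in packet-tcp.c handle more cases (out-of-order, spurious and fast retransmissions, SACK).

```python
"""Simplified re-derivation of Wireshark's TCP expert flags (added example)."""
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# One packet reduced to the fields the heuristics need: capture time,
# "ip:port" endpoints, TCP flags, seq/ack numbers, advertised window, payload length.
Pkt = namedtuple("Pkt", "ts src dst flags seq ack win plen")


def _new_dir():
    # Per-direction state: highest seq sent, last ack/window sent, unacked segments.
    return {"next_seq": None, "last_ack": None, "last_win": None, "unacked": []}


def analyze(packets):
    """Return one dict per packet: {"flags": set, "time_delta": float|None, "ack_rtt": float|None}."""
    dirs = {}      # (stream, sender) -> direction state
    last_ts = {}   # stream -> timestamp of the previous frame (for tcp.time_delta)
    out = []
    for p in packets:
        stream = tuple(sorted((p.src, p.dst)))            # stands in for tcp.stream
        me = dirs.setdefault((stream, p.src), _new_dir())
        peer = dirs.setdefault((stream, p.dst), _new_dir())
        flags = set()
        if p.flags & RST:
            flags.add("reset")
        # Zero window: receiver advertises no buffer space (RSTs ignored, as in the table's filter).
        if p.win == 0 and not p.flags & RST:
            flags.add("zero_window")
        # Retransmission: data (or SYN/FIN) below what this side has already sent.
        consumes = p.plen + (1 if p.flags & (SYN | FIN) else 0)
        if consumes and me["next_seq"] is not None and p.seq < me["next_seq"]:
            flags.add("retransmission")
        pure_ack = p.flags & ACK and p.plen == 0 and not p.flags & (SYN | FIN | RST)
        if pure_ack and me["last_ack"] == p.ack:
            if p.win != me["last_win"]:
                flags.add("window_update")    # same ack, new window, no data
            elif peer["next_seq"] is not None and peer["next_seq"] > p.ack:
                flags.add("duplicate_ack")    # peer still has unacked data beyond this ack
        # ack_rtt: time since the latest peer segment this ACK fully acknowledges.
        ack_rtt = None
        if p.flags & ACK:
            acked_ts = None
            while peer["unacked"] and peer["unacked"][0][0] <= p.ack:
                acked_ts = peer["unacked"].pop(0)[1]
            if acked_ts is not None:
                ack_rtt = round(p.ts - acked_ts, 6)
        # time_delta: gap since the previous frame of this conversation, either direction.
        time_delta = round(p.ts - last_ts[stream], 6) if stream in last_ts else None
        last_ts[stream] = p.ts
        if consumes:
            end = p.seq + consumes
            me["unacked"].append((end, p.ts))
            me["next_seq"] = max(me["next_seq"] or 0, end)
        if p.flags & ACK:
            me["last_ack"], me["last_win"] = p.ack, p.win
        out.append({"flags": flags, "time_delta": time_delta, "ack_rtt": ack_rtt})
    return out


# The table's filters, expressed against the derived fields.
FILTERS = {
    "Connection Reset":    lambda r: "reset" in r["flags"],
    "Bad TCP packets":     lambda r: bool(r["flags"] - {"window_update"}),
    "Slow RTT":            lambda r: r["ack_rtt"] is not None and r["ack_rtt"] > 0.1,
    "TCP Waiting for App": lambda r: r["time_delta"] is not None and r["time_delta"] > 0.1,
    "TCP Dup ACK":         lambda r: "duplicate_ack" in r["flags"],
    "TCP Retransmission":  lambda r: "retransmission" in r["flags"],
    "TCP Zero Window":     lambda r: "zero_window" in r["flags"],
    "Recovery Events":     lambda r: bool(r["flags"] & {"zero_window", "window_update"}),
}


def matching(packets, name):
    """Frame numbers (1-based, like Wireshark's No. column) the named filter would show."""
    return [i + 1 for i, r in enumerate(analyze(packets)) if FILTERS[name](r)]


# Constructed sample conversation (not a real capture): one request, a lost
# response segment, dup ACKs, a retransmission, a zero window, then a reset.
C, S = "10.0.0.2:40000", "10.0.0.1:80"
SAMPLE = [
    Pkt(0.000, C, S, SYN,       1000,    0, 65535,    0),  # 1 handshake
    Pkt(0.050, S, C, SYN | ACK, 5000, 1001, 65535,    0),  # 2
    Pkt(0.051, C, S, ACK,       1001, 5001, 65535,    0),  # 3
    Pkt(0.052, C, S, PSH | ACK, 1001, 5001, 65535,  100),  # 4 request
    Pkt(0.200, S, C, ACK,       5001, 1101, 65535, 1000),  # 5 response, 148 ms after the request
    Pkt(0.201, S, C, ACK,       6001, 1101, 65535, 1000),  # 6 second segment, lost on the wire
    Pkt(0.202, C, S, ACK,       1101, 6001, 65535,    0),  # 7 acks the first segment only
    Pkt(0.203, C, S, ACK,       1101, 6001, 65535,    0),  # 8 dup ack
    Pkt(0.204, C, S, ACK,       1101, 6001, 65535,    0),  # 9 dup ack
    Pkt(0.450, S, C, ACK,       6001, 1101, 65535, 1000),  # 10 retransmission
    Pkt(0.452, C, S, ACK,       1101, 7001,     0,    0),  # 11 zero window
    Pkt(0.700, C, S, ACK,       1101, 7001, 65535,    0),  # 12 window update
    Pkt(0.701, S, C, RST | ACK, 7001, 1101,     0,    0),  # 13 reset (win 0, but not a zero-window event)
]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:22s} -> frames {matching(SAMPLE, name)}")
```

Frame 5 shows why the table keeps "Slow RTT" and "TCP Waiting for App" separate: its 148 ms gap counts for both, but the RTT is measured to the ACK of the request while the delta is simply silence on the conversation, which here is the server thinking. On a real capture the same triage is a tshark one-liner, for example `tshark -r trace.pcapng -Y 'tcp.analysis.retransmission' -T fields -e tcp.stream | sort | uniq -c | sort -rn` to rank conversations by retransmissions.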
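The two DNS rows depend on `dns.time`, which Wireshark computes by pairing each response with its query. The following added example, not from the original page and not Wireshark's code, builds 12-byte DNS headers with `struct`, matches responses to queries by transaction ID and client endpoint (a simplification of Wireshark's conversation-based matching), and then evaluates the `dns.flags.rcode eq 0 and dns.time gt .1` filter. The datagrams, addresses and timings are constructed.

```python
"""Derive dns.time from query/response pairs and apply the slow-DNS filter (added example)."""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def dns_header(txid, qr, rcode):
    """12-byte DNS header. Flags: QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4); RD set like a stub resolver."""
    flags = (qr << 15) | (1 << 8) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if qr else 0, 0, 0)


def parse_header(payload):
    """Return (transaction id, QR bit, rcode) from the start of a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, (flags >> 15) & 1, flags & 0xF


def dns_times(datagrams):
    """datagrams: (ts, src, dst, payload) on UDP/53. Returns [(frame, rcode, dns.time)] per matched response."""
    pending = {}   # (txid, client endpoint) -> query timestamp
    out = []
    for frame, (ts, src, dst, payload) in enumerate(datagrams, 1):
        txid, qr, rcode = parse_header(payload)
        if qr == 0:
            pending[(txid, src)] = ts
        else:
            qts = pending.pop((txid, dst), None)   # response goes back to the querying endpoint
            if qts is not None:
                out.append((frame, rcode, round(ts - qts, 6)))
    return out


def slow_successful(datagrams, threshold=0.1):
    """Frames matching: dns.flags.rcode eq 0 and dns.time gt <threshold>."""
    return [f for f, rcode, t in dns_times(datagrams) if rcode == RCODE_NOERROR and t > threshold]


# Constructed sample (not a real capture): three lookups from one client to one resolver.
CLIENT, RESOLVER = "10.0.0.2:51000", "10.0.0.53:53"
SAMPLE = [
    (0.000, CLIENT, RESOLVER, dns_header(0x1234, 0, 0)),              # 1 query
    (0.020, RESOLVER, CLIENT, dns_header(0x1234, 1, RCODE_NOERROR)),  # 2 fast answer
    (0.100, CLIENT, RESOLVER, dns_header(0x1235, 0, 0)),              # 3 query
    (1.300, RESOLVER, CLIENT, dns_header(0x1235, 1, RCODE_NOERROR)),  # 4 slow answer (1.2 s)
    (1.400, CLIENT, RESOLVER, dns_header(0x1236, 0, 0)),              # 5 query
    (1.900, RESOLVER, CLIENT, dns_header(0x1236, 1, RCODE_NXDOMAIN)), # 6 NXDOMAIN, excluded by rcode eq 0
]

if __name__ == "__main__":
    print(dns_times(SAMPLE))
    print("slow successful responses:", slow_successful(SAMPLE))
```

A query that never receives a response produces no `dns.time` at all, so a resolver that drops queries looks clean under this filter; count unanswered transactions separately (`dns.flags.response == 0` without a matching `dns.flags.response == 1`) when a client reports lookups hanging.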