August 04, 2025

Wireshark and Passive Network Discovery



Someone asked me if you can use Wireshark to discover devices.

The answer is "kind of no": Wireshark doesn't actively ping or scan your network to find hosts. But you can use it to listen and "passively" discover devices, because hosts announce themselves all the time: ARP requests and replies, DHCP, mDNS/LLMNR and NetBIOS broadcasts, and the source addresses of ordinary traffic. Statistics > Endpoints turns a capture into a host list in one click. The caveat is where you capture: on a switched network your port only sees broadcasts, multicasts and your own traffic, so to see every device you need a SPAN/mirror port or a tap.

As always, I will keep it short and just say that everything you need to know is in the video.
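To show what "passive" discovery actually reads from the wire, here is an added example (my code, not from the video or the post): it walks a pcap file and builds a host table from ARP sender fields and IPv4 source addresses only, sending nothing. The pcap is constructed in memory with documentation addresses so the script runs offline; point `passive_inventory` at `open("capture.pcap", "rb").read()` for a real Wireshark save (classic pcap, little-endian; pcapng is not handled here). It also flags an IP claimed by more than one MAC, which is what ARP spoofing or a re-addressed device looks like in a passive capture.

```python
import ipaddress
import struct

# Passive host inventory from a pcap: nothing is sent, we only read what hosts
# announce about themselves (ARP sender fields and IPv4 source addresses).
# The sample traffic below is constructed in memory, not captured from a real
# network; replace SAMPLE_PCAP with open("capture.pcap", "rb").read().

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def arp_frame(sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00", reply=False):
    """Ethernet + ARP frame. Requests go to the broadcast MAC, replies are unicast."""
    eth_dst = _mac(target_mac) if reply else _mac("ff:ff:ff:ff:ff:ff")
    eth = eth_dst + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 2 if reply else 1)
    arp += _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet + minimal IPv4 header (checksum left zero; only addresses are read)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def pcap_file(frames):
    """Wrap frames in a little-endian, microsecond, Ethernet (linktype 1) pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def passive_inventory(pcap: bytes) -> dict:
    """Map each IPv4 address seen as a *sender* to the MACs that claimed it."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian pcap (big-endian/pcapng not handled)")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    hosts: dict = {}
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_ARP and len(frame) >= 42:
            # ARP sender hardware/protocol address: what the host says it is
            mac, ip = frame[22:28].hex(":"), str(ipaddress.IPv4Address(frame[28:32]))
            via = "arp"
        elif ethertype == ETH_P_IP and len(frame) >= 34 and (frame[14] >> 4) == 4:
            # Ethernet source MAC + IPv4 source address
            mac, ip = frame[6:12].hex(":"), str(ipaddress.IPv4Address(frame[26:30]))
            via = "ipv4"
        else:
            continue
        if ip == "0.0.0.0":  # ARP probe / DHCP discover: no address claimed yet
            continue
        entry = hosts.setdefault(ip, {"macs": set(), "via": set(), "frames": 0})
        entry["macs"].add(mac)
        entry["via"].add(via)
        entry["frames"] += 1
    return hosts


def mac_conflicts(hosts: dict) -> list:
    """IPs claimed by more than one MAC: a re-addressed device, or ARP spoofing."""
    return sorted(ip for ip, e in hosts.items() if len(e["macs"]) > 1)


# Constructed sample: two hosts talking to a gateway, plus a second MAC
# answering ARP for the gateway's address.
SAMPLE_PCAP = pcap_file([
    arp_frame("aa:bb:cc:00:00:10", "192.168.1.10", "192.168.1.1"),
    arp_frame("aa:bb:cc:00:00:01", "192.168.1.1", "192.168.1.10", "aa:bb:cc:00:00:10", reply=True),
    arp_frame("aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.1"),
    ipv4_frame("aa:bb:cc:00:00:10", "aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.1"),
    arp_frame("de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.20", "aa:bb:cc:00:00:20", reply=True),
])

if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_PCAP)
    for ip in sorted(inv, key=ipaddress.IPv4Address):
        e = inv[ip]
        print(f"{ip:15} {', '.join(sorted(e['macs'])):40} via {','.join(sorted(e['via']))}")
    print("conflicts:", mac_conflicts(inv))
```

Note what is deliberately not recorded: the target of an ARP request. Seeing someone ask for 192.168.1.1 proves nothing about whether 192.168.1.1 exists; only a sender field or a source address does.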



July 30, 2025

Capture Packets Using Python And Pyshark Using Less Than 5 Lines Of Code



Now for something completely different…


I think network professionals should be "aware" of coding. Not necessarily be a programmer, but at least be familiar with what can be done.


So I thought, why not combine two of my favorite things: Python and capturing packets.


All you have to do is install Python, which you can get from https://www.python.org, and Wireshark. pyshark is a wrapper around Wireshark's tshark, so tshark must be installed and on your PATH or nothing below will run. Then go to the command prompt and type the following command:

pip install pyshark

Use your favorite text editor and create a text file with the extension .py and enter the following text.

import pyshark

# 'eth0' is a Linux interface name; on Windows it does not exist, so tshark
# fails to start and the error it prints is where the interface list comes from.
capture = pyshark.LiveCapture(interface='eth0')
capture.sniff(timeout=1)
print(capture)

The code is supposed to capture packets for 1 second and stop, but the real purpose of this program is to cause an error so I can get a list of interfaces. I know it's crude, but it's effective. (The direct way is to run tshark -D at the command prompt, which prints the same list of capture interfaces.)

Type python program.py (or whatever you named the file).

Find the line that describes your network interface and copy the text above it.

For example, here is the relevant part of the output from my script:

\Device\NPF_{82C048B7-BF6D-4B92-BDFA-872CFC8F7077}

Killer

You need to put '\\Device\\NPF_{82C048B7-BF6D-4B92-BDFA-872CFC8F7077}' in the script, and make sure every backslash is doubled. This is not cosmetic: in a normal Python string a single \N starts a Unicode-name escape (\N{...}), so the file will not even parse. A raw string, r'\Device\NPF_{82C048B7-BF6D-4B92-BDFA-872CFC8F7077}', works too.

Here is my new code, which will capture 100 packets and save them to test.pcapng:

import pyshark

# Windows interface names need every backslash doubled (or a raw string):
# a single \N would be read as a Unicode-name escape and the file would not parse.
capture = pyshark.LiveCapture(interface='\\Device\\NPF_{82C048B7-BF6D-4B92-BDFA-872CFC8F7077}', output_file='./test.pcapng')

# capture for 5 seconds and stop
# capture.sniff(timeout=5)

# capture 100 packets and stop
capture.sniff(packet_count=100)
print(capture)

Have fun you future coders  😉



July 21, 2025

Using Wireshark to Confirm GeoIP Firewall Rules Are Working


When configuring network security features like GeoIP blocking on a router (https://www.networkdatapedia.com/post/mastering-edgerouter-security-why-command-line-and-geoip-blocking-are-game-changers), it's essential to verify that your setup is functioning as intended. This is where Wireshark (https://www.wireshark.org/) becomes an invaluable tool. Wireshark is a free, open-source packet analyzer that captures and displays traffic on your network in real time. With its deep inspection capabilities, you can see exactly which connections are being made, from where, and to where, offering a clear window into your network's behavior.

In this video, I use Wireshark to observe my Ubiquiti router's GeoIP-based firewall settings in action. GeoIP blocking is designed to prevent traffic from specific geographic regions, and while the configuration may seem straightforward on the router interface, real-world validation is critical. By capturing packets and inspecting the source IP addresses, I'm able to confirm that traffic from blocked regions is not getting through, while allowed traffic proceeds normally. Where you capture matters: on the LAN side a dropped packet never appears at all, so "nothing from the blocked region" is only meaningful if you also know the attempts were made. A capture on the WAN side (or on the router itself) shows the inbound SYN arriving and, if the rule works, no reply leaving; a SYN-ACK back means the rule is not matching, and a RST means it rejects instead of drops. This hands-on verification helps ensure that my firewall rules are not only active but also effective.

Using Wireshark for tasks like this provides more than just peace of mind — it enhances your troubleshooting skills and deepens your understanding of how your network equipment operates. Instead of relying solely on status lights or log summaries, Wireshark lets you drill down into the raw data, identify any misconfigurations, and proactively monitor for unexpected behavior. Whether you're a seasoned network engineer or an enthusiastic home user, incorporating Wireshark into your toolkit adds a powerful layer of transparency and control to your network management.
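Here is the same check done over a tshark field export instead of by eye, as an added example (my code, not from the video or the post). It assumes a WAN-side capture exported with `tshark -r wan.pcapng -Y tcp -T fields -E separator=, -e frame.number -e ip.src -e ip.dst -e tcp.flags`, and a list of CIDRs that the router's GeoIP rule is supposed to drop (export these from the router or the GeoIP database; the ranges, the public IP and the sample lines below are constructed with documentation prefixes). For every blocked source that sent a SYN it records whether our side answered: silence means drop, a SYN-ACK means the rule missed, a RST means reject rather than drop.

```python
import ipaddress

# Verifying a GeoIP drop rule from a WAN-side capture, offline.  Input is the
# text tshark prints for:
#   tshark -r wan.pcapng -Y tcp -T fields -E separator=, \
#          -e frame.number -e ip.src -e ip.dst -e tcp.flags
# The lines, the blocked ranges and the public IP are constructed for this
# example (RFC 5737 documentation prefixes), not taken from a real router.

SYN, RST, ACK = 0x02, 0x04, 0x10

SAMPLE_FIELDS = """\
1,203.0.113.5,198.51.100.7,0x0002
2,198.51.100.7,203.0.113.5,0x0012
3,192.0.2.44,198.51.100.7,0x0002
4,192.0.2.44,198.51.100.7,0x0002
5,198.51.100.7,192.0.2.44,0x0012
6,192.0.2.200,198.51.100.7,0x0002
7,198.51.100.7,192.0.2.200,0x0014
8,198.51.100.7,203.0.113.9,0x0002
"""

# Ranges the GeoIP rule should drop (placeholder: export the real list).
BLOCKED_CIDRS = ["192.0.2.0/24"]
PUBLIC_IP = "198.51.100.7"  # the router's WAN address (placeholder)


def parse_fields(text):
    """Yield (frame, src, dst, flags) from tshark -T fields output, skipping
    frames without IPv4 addresses (tshark prints an empty field for those)."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[1] or not parts[2]:
            continue
        frame, src, dst, flags = parts
        # tcp.flags is printed as hex; int(..., 16) copes with 0x0002 and 0x00000002
        yield int(frame), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(flags, 16)


def audit_inbound(text, blocked_cidrs, public_ip):
    """For every blocked source that sent us a SYN, record whether our side ever
    answered.  A working drop rule leaves the SYN unanswered; a SYN-ACK means
    the rule is not matching, a RST means it rejects instead of drops."""
    nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
    me = ipaddress.ip_address(public_ip)
    report = {}
    for frame, src, dst, flags in parse_fields(text):
        if dst == me and flags & SYN and not flags & ACK and any(src in n for n in nets):
            entry = report.setdefault(str(src), {"syn": 0, "syn_ack": [], "rst": []})
            entry["syn"] += 1
        elif src == me and any(dst in n for n in nets):
            entry = report.setdefault(str(dst), {"syn": 0, "syn_ack": [], "rst": []})
            if flags & SYN and flags & ACK:
                entry["syn_ack"].append(frame)
            elif flags & RST:
                entry["rst"].append(frame)
    return report


def verdict(report):
    """Blocked sources that got any reply: each one is proof the rule did not drop."""
    return sorted(ip for ip, e in report.items() if e["syn_ack"] or e["rst"])


if __name__ == "__main__":
    report = audit_inbound(SAMPLE_FIELDS, BLOCKED_CIDRS, PUBLIC_IP)
    for ip, e in sorted(report.items()):
        print(f"{ip:15} SYNs={e['syn']} SYN-ACK in frames {e['syn_ack']} RST in frames {e['rst']}")
    print("rule failed for:", verdict(report) or "nothing, drop is working")
```

Inbound SYNs from a blocked range are expected to appear on the WAN side (the packet has to arrive before the router can drop it); the evidence is in the replies, and the frame numbers in the report take you straight back to the packets in Wireshark.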



July 16, 2025

Streamlining Troubleshooting with an Auto-Capturing Wireshark Desktop Shortcut


Creating a Windows desktop shortcut for Wireshark that starts capturing packets automatically offers significant time-saving benefits for network administrators and IT professionals. By configuring the shortcut to launch Wireshark with predefined capture settings, users can bypass repetitive manual steps, such as selecting the correct network adapter and initiating the capture process. This is particularly valuable during urgent troubleshooting, where every second counts: instead of navigating Wireshark's interface to set up a capture session, a single double-click on the shortcut begins capturing immediately, enabling faster diagnosis of network issues. Another key advantage is the reduction of human error in selecting the network adapter. In environments with multiple network interfaces, choosing the wrong adapter leads to wasted time and a capture that does not contain the traffic you were looking for.

By embedding the adapter selection in the shortcut’s command-line parameters (e.g., `wireshark.exe -i <interface> -k`), users ensure that Wireshark consistently captures from the intended interface. This is especially helpful for those who repeatedly monitor the same network segment, as it eliminates the need to verify adapter settings with each session, ensuring reliable and consistent results. Additionally, this automation enhances workflow efficiency for recurring tasks. For example, network engineers who regularly monitor specific traffic patterns or perform routine diagnostics can rely on the shortcut to maintain consistency across sessions.

By saving capture filters (`-f`) or display settings in the shortcut's command line, users can tailor Wireshark's behavior to their specific needs without reconfiguring it each time. This not only boosts productivity but also allows less experienced users to perform complex captures with minimal training, making it an invaluable tool for teams handling frequent network troubleshooting. One check before handing such a shortcut out: the interface identifier on Windows is the `\Device\NPF_{GUID}` path, which differs from machine to machine, so a shortcut copied to another PC must have that part edited (run `tshark -D` to list the adapters it should point at).
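The interface lookup is the piece both this post and the pyshark post above (July 30) need, so here is one added example for both (my code, not the author's): it parses `tshark -D` output into (index, device, description), finds an adapter by its friendly name, and from that builds either the `wireshark -i <device> -k` command line for a shortcut or a pyshark `LiveCapture` on the same device. The `tshark -D` listing below is a constructed Windows-style sample (the first GUID is the one from the July 30 post, the second is made up) so everything except the actual capture runs offline; `pyshark_capture` imports pyshark only when called, so the lookup helpers work without it installed. The `-f` capture filter and pyshark's `bpf_filter` argument are real options; `not port 3389` is just a placeholder filter.

```python
import re
import shutil
import subprocess

# Look up a capture interface by name (instead of crashing pyshark to see the
# list) and reuse it for a Wireshark shortcut target or a pyshark LiveCapture.
# Constructed sample of `tshark -D` output on Windows; the second GUID is fake.
SAMPLE_TSHARK_D = r"""1. \Device\NPF_{82C048B7-BF6D-4B92-BDFA-872CFC8F7077} (Killer)
2. \Device\NPF_{5A6B7C8D-0000-1111-2222-333344445555} (Wi-Fi)
3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
"""

# "<index>. <device> (<description>)"; the description is optional (Linux: "1. eth0")
_LINE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interfaces(text):
    """Parse `tshark -D` lines into (index, device, description) tuples."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return out


def list_interfaces():
    """Run `tshark -D` if tshark is on PATH (pyshark needs it anyway)."""
    tshark = shutil.which("tshark")
    if tshark is None:
        raise RuntimeError("tshark not on PATH: install Wireshark and add its folder to PATH")
    res = subprocess.run([tshark, "-D"], capture_output=True, text=True, check=True)
    return parse_interfaces(res.stdout)


def find_interface(interfaces, name):
    """Return the device string for a friendly name ('Killer') or device path; case-insensitive."""
    want = name.lower()
    for _idx, dev, desc in interfaces:
        if want in (dev.lower(), desc.lower()):
            return dev
    known = [desc or dev for _idx, dev, desc in interfaces]
    raise LookupError(f"no interface named {name!r}; have {known}")


def wireshark_argv(device, capture_filter=None, exe="wireshark"):
    """Command line for the shortcut: -i picks the adapter, -k starts capturing
    at launch, -f applies a capture (BPF) filter.  subprocess quotes the
    backslashes for you; in a .lnk Target put the device in double quotes."""
    argv = [exe, "-i", device, "-k"]
    if capture_filter:
        argv += ["-f", capture_filter]
    return argv


def pyshark_capture(device, packet_count=100, output_file="./test.pcapng", bpf_filter=None):
    """The July 30 capture, with the interface resolved by name instead of pasted in."""
    import pyshark  # imported lazily so the lookup helpers work without pyshark installed
    cap = pyshark.LiveCapture(interface=device, output_file=output_file, bpf_filter=bpf_filter)
    cap.sniff(packet_count=packet_count)
    return cap


if __name__ == "__main__":
    try:
        ifaces = list_interfaces()
    except RuntimeError as err:
        print(f"{err}; using the constructed sample listing")
        ifaces = parse_interfaces(SAMPLE_TSHARK_D)
    for idx, dev, desc in ifaces:
        print(f"{idx:2} {desc:30} {dev}")
    first = ifaces[0]
    dev = find_interface(ifaces, first[2] or first[1])
    # Windows-style quoting, i.e. what goes in the shortcut's Target field
    print("shortcut target:", subprocess.list2cmdline(wireshark_argv(dev, "not port 3389")))
```

On a machine with Wireshark installed, `list_interfaces()` replaces the sample and `pyshark_capture(find_interface(ifaces, "Killer"))` does what the July 30 script does, without ever typing a GUID by hand.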


