Wireshark becomes much more useful when packet inspection follows a question. I usually begin by asking whether I am validating availability, tracing suspicious behavior, or comparing normal and abnormal flows.
A practical workflow
- Reduce noise with display filters.
- Follow a stream to confirm request and response order.
- Compare flags, retransmissions, and timing anomalies.
- Correlate packet evidence with host or service logs.
For example, the following display filter isolates the first packet of a TCP handshake (SYN set, ACK clear), which is also the signature of a connection attempt that never got a reply:

tcp.flags.syn == 1 && tcp.flags.ack == 0
This type of filtering is especially useful when studying scanning, connection establishment, or incomplete handshakes.
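As an added example (not code from the original post), the script below applies the same SYN-without-ACK test to a constructed list of packet records and then goes one step further than the filter: it groups packets into streams and reports, per stream, whether the handshake completed, was refused with RST, or went unanswered with retransmitted SYNs. The addresses, ports and timestamps are made up for illustration.

```python
from collections import defaultdict, namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits as encoded in tcp.flags
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")  # one captured segment

def is_syn_only(p):
    """Same test as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return bool(p.flags & SYN) and not (p.flags & ACK)

def stream_key(p):
    """Direction-independent key, comparable to Wireshark's tcp.stream grouping."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def classify_handshakes(packets):
    """Label each stream's handshake 'completed', 'refused' or 'unanswered'.
    Returns {stream_key: (label, client_syn_count)}; a count above 1 means
    the client retransmitted its SYN because nothing came back in time."""
    streams = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        streams[stream_key(p)].append(p)
    result = {}
    for key, pkts in streams.items():
        syns = [p for p in pkts if is_syn_only(p)]
        if not syns:
            continue  # no connection attempt seen in this stream
        client = (syns[0].src, syns[0].sport)
        replies = [p for p in pkts if (p.src, p.sport) != client]
        if any(p.flags & SYN and p.flags & ACK for p in replies) and any(
                (p.src, p.sport) == client and p.flags == ACK for p in pkts):
            label = "completed"
        elif any(p.flags & RST for p in replies):
            label = "refused"
        else:
            label = "unanswered"
        result[key] = (label, len(syns))
    return result

# Constructed sample capture (not a real trace): one completed handshake,
# one port answering with RST, one SYN retransmitted twice with no reply.
SAMPLE = [
    Pkt(0.000, "10.0.0.5", 40001, "10.0.0.9", 443, SYN),
    Pkt(0.001, "10.0.0.9", 443, "10.0.0.5", 40001, SYN | ACK),
    Pkt(0.002, "10.0.0.5", 40001, "10.0.0.9", 443, ACK),
    Pkt(0.010, "10.0.0.5", 40002, "10.0.0.9", 8080, SYN),
    Pkt(0.011, "10.0.0.9", 8080, "10.0.0.5", 40002, RST | ACK),
    Pkt(0.020, "10.0.0.5", 40003, "10.0.0.9", 22, SYN),
    Pkt(1.020, "10.0.0.5", 40003, "10.0.0.9", 22, SYN),  # retransmitted SYN
    Pkt(3.020, "10.0.0.5", 40003, "10.0.0.9", 22, SYN),  # retransmitted SYN
]
```

Running `classify_handshakes(SAMPLE)` yields one "completed", one "refused" and one "unanswered" stream with three client SYNs, which is the per-stream view you would otherwise build by hand with Follow TCP Stream.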