Packet, Protocol, and Wi-Fi Analyzers
Key Takeaways
- Packet captures reveal actual traffic and are useful when logs or symptoms are not enough.
- Protocol analyzers decode conversations such as DNS, DHCP, TCP, TLS, HTTP, and wireless management frames.
- A capture point must be chosen carefully because switched networks, VLANs, tunnels, and encryption affect visibility.
- Wi-Fi analyzers help evaluate SSIDs, channels, signal strength, noise, interference, roaming, and authentication symptoms.
- Captured traffic can include sensitive data, so access, storage, and sharing must be controlled.
Packet, Protocol, and Wireless Analysis
When counters, logs, and command-line tests are not enough, look at the traffic. Packet and protocol analyzers show what was actually sent and received. Wi-Fi analyzers show radio conditions and wireless network behavior that wired tools cannot see.
Packet Capture Basics
| Concept | Meaning |
|---|---|
| Packet capture | Recorded network frames or packets from an interface, tap, SPAN port, or sensor |
| Protocol analyzer | Tool that decodes captured traffic into protocols and fields |
| Capture filter | Applied while capturing (for example a BPF expression in tcpdump or Wireshark); packets it excludes are never recorded |
| Display filter | Applied to an existing capture; hides packets from view but leaves the capture file unchanged |
| TAP | Hardware device that provides a copy of traffic |
| SPAN or mirror port | Switch feature that copies selected traffic to an analyzer port |
Capture placement matters. A laptop connected to one switch port normally sees its own traffic, broadcasts, multicasts, flooded unknown-unicast frames, and whatever the switch forwards to that port. It will not see all traffic on a switched network. To inspect server traffic, capture on the server itself, mirror the server's port to a SPAN port, place a TAP in the path, or capture from a device already in the path such as a firewall. A TAP copies every frame on the link; a SPAN port shares the analyzer port's bandwidth and may silently drop copies when the mirrored traffic exceeds what that port can carry, so a gap in a SPAN capture does not by itself prove loss on the wire.
What Captures Can Prove
| Symptom | Capture evidence |
|---|---|
| DHCP failure | Discover messages leave client, but no offer returns |
| DNS problem | Query returns NXDOMAIN, wrong record, timeout, or unexpected resolver |
| TCP service failure | SYN sent with no SYN-ACK, reset returned, or handshake completes then application fails |
| MTU issue | ICMP Fragmentation Needed (or ICMPv6 Packet Too Big) messages, retransmissions, or large packets that never arrive while small ones do |
| TLS issue | Handshake alert, certificate name mismatch, unsupported version, or cipher mismatch |
| Intermittent loss | Retransmissions, duplicate ACKs, gaps, or path-specific drops |
Packet captures can show whether a packet left the client, reached the server, and received a response. Capturing from both ends can distinguish client-side, network-path, and server-side problems: a SYN seen on the client but never at the server points at the path or a firewall in it; a SYN seen at both ends with no SYN-ACK points at the server or its host firewall; a completed handshake followed by an application error points above the network.
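The following is an added example, not code from the original page: a minimal pcap reader, standard library only, that extracts the TCP handshake and DNS evidence the table above describes. The frames, addresses and ports are constructed in the file; nothing is captured live, and the IP and TCP checksums are left at zero because the reader does not verify them.

```python
"""Added example, not code from the original page: a minimal pcap reader
(standard library only) that extracts the evidence the table above lists for
TCP and DNS. The frames are constructed in this file; nothing is captured live."""
import struct

# --- helpers to build constructed sample frames (Ethernet / IPv4 / TCP or UDP) ---
def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _ipv4(src, dst, proto, payload):
    # IPv4 header without options; checksum left as zero (the reader does not verify it)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def _tcp(sport, dport, flags):
    # 20-byte TCP header: data offset 5, no options, checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _dns(txid, flags, qname):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)

def _frame(src, dst, proto, l4):
    eth = bytes.fromhex("aabbcc000002") + bytes.fromhex("aabbcc000001") + b"\x08\x00"
    return eth + _ipv4(src, dst, proto, l4)

SYN, SYN_ACK, RST = 0x02, 0x12, 0x04
CLIENT, SERVER, RESOLVER = "10.0.0.5", "10.0.0.80", "10.0.0.53"   # assumed addresses
SAMPLE_FRAMES = [
    _frame(CLIENT, SERVER, 6, _tcp(40000, 443, SYN)),        # SYN to 443 ...
    _frame(SERVER, CLIENT, 6, _tcp(443, 40000, SYN_ACK)),    # ... answered: handshake ok
    _frame(CLIENT, SERVER, 6, _tcp(40001, 22, SYN)),         # SYN to 22: nothing comes back
    _frame(CLIENT, SERVER, 6, _tcp(40002, 8080, SYN)),       # SYN to 8080 ...
    _frame(SERVER, CLIENT, 6, _tcp(8080, 40002, RST)),       # ... refused with RST
    _frame(CLIENT, RESOLVER, 17, _udp(5353, 53, _dns(1, 0x0100, "app.corp.example"))),
    _frame(RESOLVER, CLIENT, 17, _udp(53, 5353, _dns(1, 0x8183, "app.corp.example"))),  # rcode 3
]

def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from pcap bytes, honouring the byte order the magic announces."""
    order = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def _qname(buf):
    labels, p = [], 0
    while buf[p]:
        n = buf[p]
        labels.append(buf[p + 1:p + 1 + n].decode())
        p += 1 + n
    return ".".join(labels)

def analyze(pcap_bytes):
    """Per TCP flow: 'syn_sent' (no answer), 'reset', or 'handshake_ok'; plus NXDOMAIN answers."""
    flows, nxdomain = {}, []
    for frame in read_pcap(pcap_bytes):
        if frame[12:14] != b"\x08\x00":          # IPv4 only in this example
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6:
            flags = l4[13]
            fwd, rev = f"{src}:{sport}->{dst}:{dport}", f"{dst}:{dport}->{src}:{sport}"
            if (flags & 0x12) == 0x02:                              # SYN without ACK: client opening
                flows.setdefault(fwd, "syn_sent")
            elif (flags & 0x12) == 0x12 and rev in flows:            # SYN-ACK: server reachable
                flows[rev] = "handshake_ok"
            elif flags & 0x04 and flows.get(rev) == "syn_sent":      # RST answering a pending SYN
                flows[rev] = "reset"
        elif proto == 17 and sport == 53:                           # DNS answer from a resolver
            dns = l4[8:]
            rcode = struct.unpack("!H", dns[2:4])[0] & 0x0F
            if rcode == 3:
                nxdomain.append((src, _qname(dns[12:])))
    return {"tcp": flows, "nxdomain": nxdomain}

if __name__ == "__main__":
    print(analyze(build_pcap(SAMPLE_FRAMES)))
```

A flow left in `syn_sent` is the "SYN sent with no SYN-ACK" row of the table: seen that way on both a client-side and a server-side capture it points at the server host or its firewall, seen only on the client side it points at the path. `reset` is the refused-port case, and `handshake_ok` means any remaining failure sits above the transport layer.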
Encryption Limits
Encryption protects confidentiality, but it limits what an analyzer can read. A capture may still show IP addresses, ports, packet sizes, timing, connection resets, DNS queries and responses (unless DNS itself is encrypted with DoT or DoH), and TLS handshake metadata such as the offered versions and cipher suites, the SNI host name in the ClientHello (unless Encrypted Client Hello is in use), and in TLS 1.2 the server certificate (TLS 1.3 encrypts it). It will not show the encrypted application payload. Do not assume a packet capture will reveal the contents of HTTPS, SSH, or VPN traffic; when payload inspection is genuinely needed, decrypt at an endpoint that holds the keys (for example by having the client log TLS session keys) rather than expecting it from the wire.
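As an added example, not code from the original page, the block below shows concretely what an analyzer gets from a TLS stream: the ClientHello is parsed for its SNI host name and offered cipher suites, while the application-data records yield only their sizes. The ClientHello, the host name and the "ciphertext" (random bytes) are constructed inline; there is no live capture.

```python
"""Added example, not code from the original page: what a protocol analyzer can
and cannot read from a TLS stream. The ClientHello and the encrypted records are
constructed inline (random bytes stand in for ciphertext); nothing is captured live."""
import os
import struct

def _client_hello(server_name, cipher_suites):
    """Build a minimal TLS ClientHello carrying only a server_name (SNI) extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _app_data(ciphertext):
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

# Constructed stream: one ClientHello, then two encrypted application-data records.
ASSUMED_HOST = "intranet.corp.example"
SAMPLE_STREAM = (_client_hello(ASSUMED_HOST, [0x1301, 0x1302, 0xC02F])
                 + _app_data(os.urandom(517)) + _app_data(os.urandom(64)))

def tls_records(stream):
    """Split a byte stream into (content_type, version, fragment) TLS records."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        yield ctype, version, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def parse_client_hello(hs):
    """Pull the SNI host name and offered cipher suites out of a ClientHello."""
    p = 4 + 2 + 32                                   # handshake header, client_version, random
    p += 1 + hs[p]                                   # session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                   # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    sni = None
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                               # server_name: skip list len + name type
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            sni = hs[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"sni": sni, "cipher_suites": suites}

def summarize(stream):
    """What the analyst gets: handshake metadata in the clear, ciphertext only as sizes."""
    out = {"sni": None, "cipher_suites": [], "app_record_sizes": []}
    for ctype, _, fragment in tls_records(stream):
        if ctype == 0x16 and fragment[:1] == b"\x01":
            out.update(parse_client_hello(fragment))
        elif ctype == 0x17:
            out["app_record_sizes"].append(len(fragment))   # length and timing are all that remain
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
```

The record sizes are still useful (a 517-byte first record followed by a short one is the kind of pattern traffic-fingerprinting relies on), but nothing in the application-data records can be decoded without the session keys. With Encrypted Client Hello the `sni` field would come back empty as well.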
Wi-Fi Analysis
Wi-Fi analyzers and spectrum tools help troubleshoot RF and wireless behavior.
| Wireless issue | Analyzer evidence |
|---|---|
| Co-channel congestion | Many APs or clients sharing the same channel |
| Adjacent-channel interference | Overlapping channels causing contention and errors |
| Weak signal | Low RSSI or poor SNR near the client |
| Authentication failure | Failed association, 802.1X, or WPA handshake events |
| Roaming problem | Client sticks to distant AP or roams too frequently |
| Hidden interference | Non-Wi-Fi RF energy from equipment, shown by spectrum analysis |
A Wi-Fi analyzer can show SSID, BSSID, channel, channel width, signal strength, encryption type, and neighboring APs. A spectrum analyzer can reveal non-Wi-Fi interference that normal Wi-Fi scans may not classify.
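As an added example, not code from the original page, the block below reads a Wi-Fi scan the way the table above suggests: it derives SNR from RSSI and a noise floor, and classifies neighbouring BSSs as co-channel or adjacent-channel by how much spectrum they share with the client's AP. The scan results, the noise floor and the thresholds (-70 dBm, 20 dB SNR, three co-channel neighbours) are assumed rules of thumb, not values from the page.

```python
"""Added example, not code from the original page: reading a Wi-Fi scan the way
the table above suggests. Scan results, noise floor and thresholds are assumed."""
from dataclasses import dataclass

@dataclass
class BSS:
    ssid: str
    bssid: str
    channel: int
    width_mhz: int
    rssi_dbm: int            # signal as seen at the client

NOISE_FLOOR_DBM = -85        # assumed noise reading at the client
WEAK_RSSI_DBM = -70          # assumed rule-of-thumb thresholds
MIN_SNR_DB = 20
CO_CHANNEL_LIMIT = 3

def centre_mhz(channel):
    """2.4 GHz channels sit 5 MHz apart from 2412 (channel 14 is the exception); 5 GHz channel n = 5000 + 5n."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    return 5000 + 5 * channel

def overlap_mhz(a, b):
    """Spectrum shared by two BSSs; > 0 means they contend even though the channel numbers differ."""
    lo = max(centre_mhz(a.channel) - a.width_mhz / 2, centre_mhz(b.channel) - b.width_mhz / 2)
    hi = min(centre_mhz(a.channel) + a.width_mhz / 2, centre_mhz(b.channel) + b.width_mhz / 2)
    return max(0, hi - lo)

def assess(client_bss, scan):
    """Classify what the client is up against using the symptoms from the table."""
    snr = client_bss.rssi_dbm - NOISE_FLOOR_DBM
    co_channel, adjacent = [], []
    for other in scan:
        if other.bssid == client_bss.bssid:
            continue
        if other.channel == client_bss.channel:
            co_channel.append(other.bssid)
        elif overlap_mhz(client_bss, other) > 0:
            adjacent.append(other.bssid)
    verdicts = []
    if client_bss.rssi_dbm < WEAK_RSSI_DBM:
        verdicts.append("weak signal")
    if snr < MIN_SNR_DB:
        verdicts.append("low SNR")
    if len(co_channel) >= CO_CHANNEL_LIMIT:
        verdicts.append("co-channel congestion")
    if adjacent:
        verdicts.append("adjacent-channel interference")
    return {"snr_db": snr, "co_channel": co_channel, "adjacent": adjacent, "verdicts": verdicts}

# Constructed scan: the client is on a strong AP (channel 6) that shares spectrum with four neighbours.
CLIENT_BSS = BSS("corp", "02:00:00:00:00:01", 6, 20, -55)
SAMPLE_SCAN = [
    CLIENT_BSS,
    BSS("guest",   "02:00:00:00:00:02", 6, 20, -60),
    BSS("lab",     "02:00:00:00:00:03", 6, 20, -66),
    BSS("printer", "02:00:00:00:00:04", 6, 20, -71),
    BSS("tenant",  "02:00:00:00:00:05", 8, 20, -58),   # overlaps channel 6
    BSS("far",     "02:00:00:00:00:06", 11, 20, -62),  # does not overlap channel 6
    BSS("lobby5g", "02:00:00:00:00:07", 36, 80, -70),  # different band
]

if __name__ == "__main__":
    print(assess(CLIENT_BSS, SAMPLE_SCAN))
```

The constructed client has a strong signal (-55 dBm, 30 dB SNR) and still gets flagged for co-channel congestion and adjacent-channel interference, which is the trap listed later on this page: RSSI alone does not prove good Wi-Fi. Non-Wi-Fi interference would not appear in a scan like this at all; that is what spectrum analysis is for.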
Capture Safety
Packet captures may include credentials, session cookies, internal IP addresses, hostnames, email, file data, or personal information. Treat captures as sensitive. Store them in approved locations, limit access, and, when the capture relates to a suspected incident, follow evidence procedures such as hashing the file and recording chain of custody before anyone analyzes a copy.
Common Traps
- Capturing from the wrong switch port can miss the traffic entirely.
- A display filter does not reduce what was collected; it only hides what is shown.
- Encrypted traffic can still reveal timing and endpoint metadata, but not clear application content.
- A Wi-Fi analyzer is not the same as a cable certifier.
- High signal strength alone does not prove good Wi-Fi if noise or channel contention is high.
Practice Questions
- A technician needs to inspect traffic between a server and firewall on a switched network. Capturing from an unrelated access port shows nothing useful. What should be done?
- Which problems can a packet or protocol analyzer help identify? Select three.
- Users report poor wireless performance even though they are near an access point. Which tool best checks channel contention, signal, and noise?