# Packet Analysis
## What is Packet Analysis
Packet analysis, also called packet sniffing or network analysis, is the process of capturing, inspecting, and interpreting network packets to understand network behavior, diagnose problems, verify security, and analyze application performance. Packet analysis provides the deepest level of visibility into what is actually happening on a network because it examines the actual data being transmitted rather than relying on summaries or statistics.
## Why Packet Analysis is Used
Network administrators use packet analysis to troubleshoot connectivity problems and performance issues. By examining actual packets they can see exactly what is being sent and received, identify retransmissions indicating packet loss, measure actual response times, and observe protocol errors. Security professionals use packet analysis to investigate incidents, detect malware communication, and analyze suspicious traffic. Developers use it to debug networked applications and verify that applications are sending and receiving the expected data.
## Packet Analysis Process
The first step is packet capture using tools like Wireshark or tcpdump. The capture can be filtered to collect only relevant traffic. After capture the analyst examines the packets to find patterns relevant to the problem being investigated. For performance problems the analyst looks for retransmissions, high latency, and TCP window size issues. For connectivity problems the analyst looks for failed connection attempts, ICMP unreachable messages, and DNS failures. For security investigations the analyst looks for suspicious traffic patterns and unexpected connections.
## Protocol Dissection
Packet analysis involves understanding the structure of protocol headers. An Ethernet frame contains the destination MAC address, source MAC address, and type field. An IP packet inside the frame contains the source IP, destination IP, TTL, and protocol fields. A TCP segment inside the IP packet contains source port, destination port, sequence number, and flags. By examining these fields at each layer the analyst understands exactly what the communication is doing.
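The following is an added example, not code from the original page: it walks the Ethernet, IPv4 and TCP headers described above with Python's standard `struct` module over a constructed frame (a SYN from 192.168.1.100:54321 to 10.0.0.1:443, checksums left as zero), pulling out exactly the fields listed, and it stops early for non-IPv4 or non-TCP traffic rather than misreading bytes from a different layer.

```python
import struct

# Constructed sample frame (not from a real capture): Ethernet II carrying an
# IPv4/TCP SYN from 192.168.1.100:54321 to 10.0.0.1:443; checksums left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"     # dst MAC, src MAC, EtherType IPv4
    "4500002800004000" "40" "06" "0000"      # v4/IHL 5, len 40, id, DF, TTL 64, proto 6
    "c0a80164" "0a000001"                    # src IP, dst IP
    "d431" "01bb" "00000001" "00000000"      # src port, dst port, seq, ack
    "5002" "ffff" "0000" "0000"              # data offset 5, flags SYN, window, csum, urg
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def dissect_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return the fields an analyst reads first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                              # not IPv4: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed or truncated IPv4 header")
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
               ttl=ttl, protocol=proto)
    if proto != 6:
        return out                              # not TCP: stop at layer 3
    tcp = ip[ihl:total_len]                     # ignore Ethernet padding past total_len
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4         # TCP header length in bytes
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, flags=flags,
               window=window, payload_len=max(len(tcp) - data_offset, 0))
    # Triage hints for two of the conditions an analyst looks for in a capture.
    out["hints"] = [h for h, cond in (("zero window", window == 0 and "ACK" in flags),
                                      ("reset", "RST" in flags)) if cond]
    return out
```

Calling `dissect_frame(SAMPLE_FRAME)` yields the layer-by-layer view Wireshark's packet details pane shows for the same bytes; feed it frames read from a capture file to dissect real traffic.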
## TCP Stream Analysis
Wireshark provides the ability to follow a TCP stream, which reconstructs the entire conversation between client and server and displays it as readable data. This is very useful for analyzing HTTP conversations, seeing exactly what requests were made and what responses were received, and identifying application-level errors.
## Common Issues Found Through Packet Analysis
TCP retransmissions indicate packet loss somewhere in the network path. Zero window conditions indicate the receiver's buffer is full and the sender must pause. Duplicate ACKs indicate that a segment was lost and the receiver is waiting for retransmission. RST packets indicate abrupt connection terminations. DNS failures show as queries without corresponding replies. TLS handshake failures appear as alert messages.