MRI Is to Medical Diagnosis as Wireshark Is to Network Traffic Analysis and Troubleshooting

I really enjoy watching the TV show House. Not for Hugh Laurie’s award-winning sarcasm – which I find formulaic and annoying – but, rather, to watch the diagnostic process unfold. House is truly unique because the real star of the show might turn out to be leishmaniasis or schistosomiasis rather than Brad Pitt or George Clooney. I watch the team meetings and brainstorming with great interest, the whiteboard filling with symptoms, while the team postulates the cause. I like the non-invasive diagnostics but ultimately the invasive procedures that eventually force the culprit to reveal itself – maybe surgery or a controversial drug regime –  are the real heart of the show. I also like that every so often a patient doesn’t make it. I like all of this because it aligns so closely with the way that I have approached network traffic analysis and troubleshooting for the last three decades.


MRI Is to Medical Diagnosis as …

And, speaking of the correlations between medical diagnosis and network traffic analysis and troubleshooting, what is the ultimate general-purpose tool for taking a diagnostic look into the human body? Can we agree that tool is magnetic resonance imaging, or MRI? If so, that would mean that MRI is to medical diagnosis as Wireshark is to network traffic analysis and troubleshooting. Wireshark is a software tool that provides a look into a network’s health and operation in much the same way that the MRI reveals the secrets of the human body. And, just as with an MRI, a lay person can look at the Wireshark screen and gain some understanding, but to a trained network engineer protocol interactions become clear and complexities are revealed. And, just like a doctor with an MRI, each use of Wireshark also strengthens the engineer’s intuitive understanding and sharpens their protocol skills.


Originally making its debut in 1998 as Ethereal, Wireshark is the answer to expensive commercial protocol analyzers and can be downloaded at no cost by anyone. Since we are pondering the comparison of Wireshark and MRI, imagine, for just a moment, the impact on health care if MRI systems were downloadable free from the Internet. What would life be like if someone could run their own MRI or run MRIs on their patients for a fee that only covered time and not the tab for the MRI machine, software, maintenance and other costs? It would be what many might call “a game changer”, which is exactly what Wireshark is in the networking arena.

As in a good teaching hospital that integrates the MRI into its classes, many Eogogics training programs also integrate Wireshark into our courses or are expanding its use due to very positive learner feedback.

Theory and Practice

Most training is predominantly theory. This leaves the task of figuring out how to apply the knowledge presented in class to a learner’s specific situation up to the learner when they return to their job after training. Increasingly, however, companies are viewing training as an investment – of their money and the time of their personnel – and want to see a return on their investment, and the sooner the better. The result? Theory is being taught less and practice is being emphasized. While I am not suggesting abandoning theory entirely (because you never know when someone might need to think through a new problem or situation that was not presented as a practical hands-on exercise) practice is being emphasized more and more. This is where Wireshark comes into play: Wireshark is the embodiment of “network practice” itself because everything viewed on the screen has come from a real network transaction and is being interpreted and presented through the filter of thousands of hours of software development by over 500 protocol experts. The trick is to integrate Wireshark into training in a meaningful way.

Integrating Wireshark into Training

The obvious use of Wireshark in a training environment is lab exercises. Learners can capture their own traffic from PCs, bridges, switches and routers or they can use previously captured traffic from the instructor, the Wireshark Wiki or other sources such as The labs can be highly structured, of the PHD (or Push Here Dummy) variety, or less structured labs which lead learners to discover details and relationships amongst the data. But lab exercises are only one facet.

Experience over the last several years has shown that integrating Wireshark into lectures increases learner understanding and engagement, stimulates questions and enhances learner comprehension during exercises. It is also possible to kick this up a notch when class size allows learners to follow along with the instructor in instructor-led tours of protocols using Wireshark as opposed to traditional lecture. A growing number of Eogogics classes integrate Wireshark to accomplish these important learning tasks and increase the set of demonstrable skills with which Eogogics students return to their jobs.

For those who wish to master Wireshark for advanced network analysis, troubleshooting, and security reviews, Eogogics also offers a 5-day stand-alone workshop on Wireshark that can be customized to your organization’s network analysis requirements.


MRI is to medical diagnosis as Wireshark is to network traffic analysis and troubleshooting. If you are not using Wireshark it is time to start. If you are using this powerful tool it is time to use it more. And, in either case, it is time to begin choosing training which integrates Wireshark to enhance the learning experience and give you and your organization a better return on training investment.

Wireshark “Understands” the Structure of Various Networking Protocols


Wireshark is software that “understands” the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.


Wireshark Capabilities

  • Data can be captured “from the wire” from a live network connection or read from a file that recorded already-captured packets.
  • Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
  • Captured files can be programmatically edited or converted via command-line switches to the “editcap” program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.
  • VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
  • Raw USB traffic can be captured with Wireshark.[13] This feature is currently available only under Linux.
  • Wireless connections can also be filtered as long as they traverse the monitored Ethernet.
  • Various settings, timers, and filters can be set to provide the facility of filtering the output of the captured traffic.

Wireshark’s native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as snoop, Network General’s Sniffer, and Microsoft Network Monitor.

Source: Wikipedia
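
To make the two points above concrete (the libpcap trace file format, and a tool that "understands" encapsulation), here is an added example, not taken from the article, Wikipedia or Wireshark's own code: a small Python reader for the classic libpcap layout that walks the Ethernet, IPv4 and TCP layers of each frame. The sample capture is constructed inline with documentation addresses; the function names are illustrative, and only the microsecond-resolution format with Ethernet link type is handled.

```python
import socket
import struct

def build_sample():
    """Constructed capture: one Ethernet/IPv4/TCP SYN frame in a little-endian pcap."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    frame = bytes.fromhex("020000000002" "020000000001" "0800") + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rhdr = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return ghdr + rhdr + frame

def parse_pcap(data):
    """Return (linktype, records); the magic number gives the writer's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) libpcap file")
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        # Never trust a length field: reject records that overrun the file.
        if incl > snaplen or off + 16 + incl > len(data):
            raise ValueError("corrupt or truncated record")
        records.append((sec + usec / 1e6, orig, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, records

def dissect(frame):
    """Return the encapsulation stack of an Ethernet frame as (layer, fields) pairs."""
    layers = []
    if len(frame) < 14:
        return layers
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers.append(("eth", {"src": src.hex(":"), "dst": dst.hex(":"), "type": etype}))
    ihl = (frame[14] & 0x0F) * 4 if len(frame) >= 34 else 0
    if etype != 0x0800 or ihl < 20:  # not IPv4, or header too short to read
        return layers
    layers.append(("ip", {"src": socket.inet_ntoa(frame[26:30]),
                          "dst": socket.inet_ntoa(frame[30:34]), "proto": frame[23]}))
    l4 = 14 + ihl
    if frame[23] == 6 and len(frame) >= l4 + 4:  # protocol 6 = TCP
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        layers.append(("tcp", {"srcport": sport, "dstport": dport}))
    return layers

if __name__ == "__main__":
    print([dissect(f) for _, _, f in parse_pcap(build_sample())[1]])
```
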