NetworkingNetwork+

Packet Capture and Protocol Analysis for CompTIA Network+ N10-009

Packet capture is the process of recording network traffic for analysis, security investigation, and troubleshooting. CompTIA Network+ N10-009 tests packet capture tools, methodologies, and how to interpret captured data. Wireshark is the dominant tool, and understanding how to position a capture, filter results, and interpret what you see is directly tested in the Operations and Troubleshooting domains.

7 min

2 sections · 7 exam key points

1 practice questions

Packet Capture Tools and Methods

Wireshark: the most widely used open-source packet analyzer. Captures all frames visible to the network interface, displaying protocol details decoded from raw bytes. Filters: capture filters (applied during capture, BPF syntax) limit what is captured. Display filters (applied after capture) control what is shown — 'ip.addr == 192.168.1.1' shows only traffic to/from that IP, 'tcp.port == 443' shows HTTPS traffic.

tcpdump: command-line packet capture for Linux/Unix/macOS. Used in environments without GUI access. Same underlying library as Wireshark (libpcap). Output can be saved to pcap files and opened in Wireshark. Syntax: 'tcpdump -i eth0 host 10.0.0.1 and port 80 -w capture.pcap'.

Port mirroring (SPAN — Switched Port Analyzer): copies traffic from one or more switch ports to a monitoring port where a capture device is connected. Without SPAN, a device connected to a switched network only sees its own traffic (and broadcasts). SPAN allows capturing traffic between other devices. Network TAP (Test Access Point): a passive hardware device that creates a copy of all traffic on a link without affecting the traffic — more reliable than SPAN for high-speed links.

Interpreting Captures

TCP three-way handshake in a capture: SYN → SYN-ACK → ACK. Successful connection establishment. TCP RST (Reset): abrupt connection termination — indicates a rejected connection (firewall blocking, no service listening on port, or host down). TCP FIN: normal graceful connection close.

ICMP in captures: echo request (type 8) and echo reply (type 0) = ping. ICMP destination unreachable (type 3) with code 13 = administratively prohibited (firewall). TTL exceeded (type 11) = traceroute. Analyzing ICMP helps diagnose connectivity and routing issues.

Protocol hierarchy: Wireshark shows the breakdown of protocols in a capture — what percentage of traffic is TCP, UDP, HTTP, DNS, etc. Helps identify unexpected protocols or traffic patterns that indicate security issues or misconfiguration.

Key exam facts — Network+

Wireshark = GUI packet capture; tcpdump = CLI packet capture (same underlying library)
SPAN/port mirroring: switch copies traffic to monitoring port for capture
Network TAP: passive hardware copy of traffic — doesn't affect the traffic stream
TCP RST = connection rejected; FIN = graceful close; SYN-RST = port closed/host unreachable
Display filter examples: 'ip.addr == x.x.x.x', 'tcp.port == 443', 'dns'
ICMP type 8 = echo request (ping); type 0 = echo reply; type 3 = unreachable
pcap file format: can be saved and opened in Wireshark for offline analysis

Common exam traps

Wireshark can see all traffic on a switched network

Wireshark on a switch port only captures traffic to/from its own MAC and broadcast/multicast traffic. To capture traffic between other devices, use port mirroring (SPAN) or a network TAP on the link of interest

Practice questions — Packet Capture

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1.A network administrator needs to capture traffic between two servers connected to a managed switch to diagnose an application issue. Which configuration is required?

A.Connect the capture laptop to any switch port

B.Configure port mirroring (SPAN) to copy server traffic to the capture port

C.Use a hub instead of the switch

D.Disable spanning tree to see all traffic

Explanation: Port mirroring (SPAN) is required on a switched network to capture traffic between specific ports. The switch copies traffic from the source ports (server ports) to the destination port (capture port). Without SPAN, the capture laptop only sees its own traffic and broadcasts. Using a hub would work for small captures but introduces a collision domain and degrades performance.

Frequently asked questions — Packet Capture

What is the difference between a SPAN port and a network TAP?

SPAN (port mirroring): software feature on a managed switch that copies traffic to a monitoring port. Can miss packets at high utilization when the switch is overloaded. SPAN only sees traffic the switch processes; traffic in hardware-accelerated paths may be missed. Network TAP: a passive hardware device inserted inline on a link — it physically splits the signal and creates a copy without the traffic flowing through a processor. TAPs never drop packets and are more reliable for critical captures.

Practice this topic

Network+practice questions

Test yourself on Packet Capture

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice test Start 7-Day Free Trial

No credit card · Cancel anytime