1. What Wireshark and TShark Are Good At
Wireshark is the interactive GUI for packet inspection, stream following, and protocol dissection. TShark is the command-line interface built on the same dissector engine, which makes it ideal for automation, SSH sessions, servers, and quick summaries in incident response workflows.
For defenders, these tools answer questions that logs and alerts often cannot: Did the TCP three-way handshake complete, or was the SYN refused or left unanswered? Did DNS resolution succeed, and with what response code? Did the TLS handshake complete, and which version and cipher suite were negotiated? Did the client retry or retransmit? Which headers were sent? Was the request malformed?
They are especially valuable when multiple systems disagree. A firewall may show accepted traffic, an application may show a timeout, and an IDS may show nothing. A packet capture can clarify whether the issue is routing, retransmission, protocol mismatch, encryption negotiation, or application behavior.
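As an added example (not code from the original page or from the Wireshark project), here is a small triage script of the kind TShark's field output makes possible in an SSH session: it reads the tab-separated output of `tshark -T fields` and answers several of the questions above per TCP stream (handshake completed, refused, or never answered; SYN retries; retransmissions) and per DNS name (response seen, and its rcode). The tshark command and field names in the docstring are real; the field order is this script's own contract, and the embedded `SAMPLE` is a constructed stand-in for real capture output so the block runs offline.

```python
"""Answer handshake, retry and DNS questions from `tshark -T fields` output, produced with:
  tshark -r capture.pcap -T fields -E separator=/t \
    -e frame.number -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack \
    -e tcp.flags.reset -e tcp.analysis.retransmission \
    -e dns.flags.response -e dns.flags.rcode -e dns.qry.name > fields.tsv
Booleans print as True/False on Wireshark 3.x+ and 1/0 on older builds; the
retransmission marker's text varies by version, so only its presence is used.
"""
import json, sys
from dataclasses import dataclass

NUM_FIELDS = 9
FRAME, STREAM, SYN, ACK, RST, RETRANS, DNS_RESP, DNS_RCODE, DNS_QNAME = range(NUM_FIELDS)

# Constructed sample, not a real capture: stream 0 completes its handshake and later
# retransmits once, stream 1 is refused with RST/ACK, stream 2 sends SYN three times
# with no answer, example.com resolves (rcode 0), missing.example is NXDOMAIN (rcode 3).
SAMPLE = "\n".join([
    "1\t0\tTrue\tFalse\tFalse\t\t\t\t",
    "2\t0\tTrue\tTrue\tFalse\t\t\t\t",
    "3\t0\tFalse\tTrue\tFalse\t\t\t\t",
    "4\t0\tFalse\tTrue\tFalse\tThis frame is a (suspected) retransmission\t\t\t",
    "5\t1\tTrue\tFalse\tFalse\t\t\t\t",
    "6\t1\tFalse\tTrue\tTrue\t\t\t\t",
    "7\t2\tTrue\tFalse\tFalse\t\t\t\t",
    "8\t2\tTrue\tFalse\tFalse\t\t\t\t",
    "9\t2\tTrue\tFalse\tFalse\t\t\t\t",
    "10\t\t\t\t\t\tFalse\t\texample.com",
    "11\t\t\t\t\t\tTrue\t0\texample.com",
    "12\t\t\t\t\t\tFalse\t\tmissing.example",
    "13\t\t\t\t\t\tTrue\t3\tmissing.example",
])

def is_true(value):
    return value.strip().lower() in ("1", "true")

@dataclass
class TcpStream:
    syn_sent: int = 0          # bare SYNs seen; more than one means the client retried
    syn_ack: bool = False
    established: bool = False  # ACK seen after the SYN/ACK
    reset: bool = False
    retransmissions: int = 0
    def verdict(self):
        if self.established:
            return "established"
        if self.reset:
            return "refused"
        if self.syn_sent and not self.syn_ack:
            return "no answer"
        return "incomplete"

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t")
            cols += [""] * (NUM_FIELDS - len(cols))  # tolerate a stripped trailing tab
            rows.append(cols)
    return rows

def summarize_tcp(rows):
    streams = {}
    for r in rows:
        if r[STREAM] == "":
            continue  # not TCP (e.g. DNS over UDP)
        st = streams.setdefault(r[STREAM], TcpStream())
        if r[RETRANS] != "":
            st.retransmissions += 1
        if is_true(r[RST]):
            st.reset = True
        elif is_true(r[SYN]) and not is_true(r[ACK]):
            st.syn_sent += 1
        elif is_true(r[SYN]) and is_true(r[ACK]):
            st.syn_ack = True
        elif is_true(r[ACK]) and st.syn_ack:
            st.established = True
    return streams

def summarize_dns(rows):
    names = {}
    for r in rows:
        if r[DNS_QNAME] == "":
            continue
        entry = names.setdefault(r[DNS_QNAME], {"queries": 0, "responses": 0, "rcode": None})
        if is_true(r[DNS_RESP]):
            entry["responses"] += 1
            entry["rcode"] = int(r[DNS_RCODE])
        else:
            entry["queries"] += 1
    return names

def triage(text):
    rows = parse_rows(text)
    tcp = {s: {"verdict": st.verdict(), "syn_retries": max(st.syn_sent - 1, 0),
               "retransmissions": st.retransmissions}
           for s, st in summarize_tcp(rows).items()}
    return {"tcp": tcp, "dns": summarize_dns(rows)}

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(source), indent=2))
```

Run it as `python3 triage.py fields.tsv` against real output, or with no argument to see the constructed sample. Two caveats a practitioner should keep in mind: on a real capture the retried SYNs in stream 2 would also carry the retransmission marker, so "SYN retries" and "retransmissions" overlap; and a stream that is "incomplete" rather than "no answer" usually means the capture started mid-connection, not that the handshake failed. The same pattern extends to the TLS question by adding `-e tls.handshake.type -e tls.handshake.version -e tls.handshake.ciphersuite` to the field list and recording, per stream, whether a ServerHello (handshake type 2) was seen and what it chose.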