Wireshark
Capture, filters, TCP/IP analysis, TLS, dissectors, flows, troubleshooting and forensics.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Capture, filters, TCP/IP analysis, TLS, dissectors, flows, troubleshooting and forensics.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Stop listing Wireshark on your resume and start proving you can actually read a pcap — get a scored, shareable badge in 15 minutes.
The Plume Wireshark badge certifies your ability to capture, filter, and analyze real network traffic — not your ability to recite a manual. In a 15-minute AI-driven oral exam, you're asked about your BPF capture filter syntax, your display filter logic, how you use Expert Infos to diagnose TCP retransmissions and zero-window events, how you structure a forensic investigation starting from an unknown pcap file, and how you actually decrypt TLS 1.3 traffic today using SSLKEYLOGFILE. Claude Opus reads your full transcript and produces a 0-100 score plus a level: Novice, Proficient, Advanced, or Expert.
Anyone can tick "Wireshark" on LinkedIn. What this badge does differently is force you to explain your reasoning out loud — the same way you'd debrief a senior engineer or a client after an incident. The AI examiner probes your filter choices, asks why you'd use `tcp.analysis.flags` vs a raw BPF, challenges you on when Wireshark isn't the right tool, and follows up on anything that sounds vague. That depth is exactly what makes the resulting score meaningful: it reflects what you can actually do under questioning, not what you've claimed.
This badge is built for network and systems engineers who troubleshoot production issues daily, SOC analysts and IR responders who live in pcap files, pentesters who capture traffic during engagements, and independent consultants who need a verifiable credential to stand out in bids and client pitches. If you regularly fire up Wireshark and aren't afraid to explain your filter decisions, this exam is your opportunity to make that expertise official.
Here are the concrete dimensions the AI examines during the 15-minute oral.
Writing precise Berkeley Packet Filter expressions for capture (`tcp port 443 and not host 10.0.0.1`) and advanced Wireshark display filters for post-capture analysis — knowing their syntax differences and where each applies in a real workflow.
Reading and interpreting TCP performance indicators — retransmissions, duplicate ACKs, zero windows, TCP previous segment not captured — using Expert Infos, IO Graphs, and the TCP Stream Graph to pinpoint network vs application-layer issues.
Structuring an investigation from an unfamiliar pcap: rebuilding TCP/UDP streams, extracting transferred objects (HTTP, SMB, FTP), correlating timestamps, and identifying indicators of compromise or data exfiltration patterns.
Configuring Wireshark to decrypt TLS 1.3 traffic using the SSLKEYLOGFILE environment variable, understanding why the RSA private key method no longer works with Perfect Forward Secrecy, and knowing what ESNI and ECH mean for visibility.
Using tshark on the command line to automate analysis (`tshark -r file.pcap -T fields -e ip.src -e tcp.port`), orchestrating remote captures with tcpdump, and knowing when to hand off to Zeek or NetFlow/IPFIX instead of Wireshark.
Writing or adapting a Lua dissector to decode a proprietary or unsupported protocol, understanding the dissector registration lifecycle in Wireshark's API (`proto.dissector`, `DissectorTable`), and debugging dissectors without crashing the GUI.
Tracing hard-to-reproduce network issues back to root cause: picking the right interface, enabling nanosecond timestamps, crafting filters to catch rare anomalies, and reading TCP Window Scale and congestion graphs to isolate the culprit.
Knowing Wireshark's limits at scale — no indexing, no long-term retention, GUI bottlenecks — and making a clear case for when an IDS, Zeek, NetFlow/IPFIX collectors, or a SIEM is a better fit for the operational context.
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Depth of knowledge across Wireshark's core feature set: BPF and display filters, dissectors, statistics (IO Graphs, Flow Graph, Conversations, Endpoints), coloring rules, and Expert Infos. Ability to name and use the right tool without hand-waving.
Real comprehension of the underlying protocols — TCP/IP, TLS, DNS, HTTP/2, QUIC — and the ability to interpret packet-level anomalies to correctly distinguish network-layer from application-layer problems.
Structured approach to analyzing an unknown pcap: how you triage, what you look for first, how you extract artifacts, and how you document findings in a way that holds up in a post-incident review or a client debrief.
Ability to position Wireshark within a real-world toolchain (tcpdump, tshark, Zeek, SIEM) and articulate concrete automation choices or deliberate handoffs to other tools based on operational constraints.
Ability to explain complex concepts — PFS, ESNI, selective retransmission, zero-window probing — precisely and accessibly, the way you'd brief a colleague or a client without losing accuracy or burying them in jargon.
A Plume session takes about 20 minutes, from tech check to badge delivery.
Before the exam starts, Plume checks your mic and connection are working properly. No Wireshark needed on screen — the entire exam is voice-only. No screen sharing, no pcap files to open in real time.
The AI asks you to briefly introduce yourself and walk through your most recent or most complex use of Wireshark. This sets the context — your industry, the type of traffic you analyze, and the stakes involved.
The heart of the exam: the AI works through your filter logic, TCP analysis approach, forensic methodology, TLS 1.3 decryption experience, Lua dissectors, and complementary toolchain. Follow-up questions adapt in real time to your answers.
The AI presents a concrete operational scenario — suspected exfiltration, unexplained latency spike, unknown protocol on the wire — and asks how you'd approach the analysis and what tool you'd reach for first and why.
Claude Opus analyzes your full transcript and delivers your 0-100 score, your level (Novice to Expert), a detailed point-by-point report, and your shareable badge link. Everything lands in your inbox.
Your score out of 100 translates into a level a recruiter can grasp at a glance.
You've opened Wireshark a handful of times. You can start a capture on an interface and apply a basic display filter like `ip.addr == 192.168.1.1`, but you struggle to interpret packet colors, Expert Infos, or TCP stream statistics in a meaningful way.
You use Wireshark regularly to troubleshoot common network issues. You know the difference between BPF and display filters, can read a TCP three-way handshake, spot retransmissions, and extract HTTP objects. TLS decryption and advanced dissectors are still outside your comfort zone.
You're comfortable with complex display filters, Expert Infos, IO Graphs, and conversation statistics. You've decrypted TLS traffic using SSLKEYLOGFILE, run tshark from the CLI to automate extraction, and conducted forensic analysis on unfamiliar pcap files. You use Wireshark as part of a broader toolchain.
You write Lua dissectors, run distributed captures on remote equipment, analyze QUIC traffic, and fully understand TLS 1.3 with ESNI/ECH and its implications for visibility. You know exactly when to hand off to Zeek, a SIEM, or flow data instead of Wireshark — and you're the team's go-to reference for packet analysis.
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
You spend your days resolving network incidents with Wireshark as your primary tool. This badge makes that expertise visible and verifiable on your resume and LinkedIn, especially when competing for senior roles or consulting contracts.
You work with pcap files in daily investigations — hunting lateral movement, C2 traffic, and data exfiltration. This badge certifies your ability to structure and communicate a forensic network analysis, not just run a capture.
You capture traffic during engagements to analyze protocols, bypass filters, and validate findings. The badge proves you understand what you generate — which strengthens your credibility in client debriefs and technical writeups.
When responding to an RFP or pitching a client, a Plume-verified Wireshark badge carries far more weight than a self-declared skill. It gives prospects an objective, scored data point on your actual operational capability.
You've used Wireshark in coursework and CTFs but don't have professional experience to point to yet. The badge gives you a concrete, scored proof of your technical level to lead with in early job applications.
Where and how your Wireshark badge will help you day to day.
You're applying for a Tier 2 SOC analyst role. Your Wireshark Advanced badge on LinkedIn immediately signals to the hiring manager that you can actually analyze a forensic pcap — not just launch a capture and stare at the waterfall.
A client requests proof of network analysis skills for an incident response engagement. You share your public badge link with the full score and evaluation report — an objective credential your competitors likely don't have.
You just resolved a latency issue by identifying TCP zero-window events caused by an undersized server receive buffer. The badge confirms you have the skills to do that, not just the familiarity with the tool name.
Your team suspects data exfiltration. You filter on unusual outbound destinations, rebuild TCP streams, and extract transferred files from the pcap. This badge certifies that specific operational capability.
You take the badge and score Proficient. You focus on TLS decryption and Lua dissectors for six months, then retake it. The visible progression is shareable with your manager and useful in a performance review conversation.
You're a lead on a SOC team and want to understand where your junior analysts actually stand on Wireshark. Having them take the badge surfaces specific gaps — TLS, forensic structure, display filter depth — and helps you prioritize team training.
A few minutes to check you have everything you need.
At the end of your session you don't just get a score — here's everything that awaits you.
You get a precise score from 0 to 100 and your official level — Novice, Proficient, Advanced, or Expert — computed by Claude Opus from your complete Wireshark oral exam transcript.
A point-by-point report covers your strengths and areas for improvement across every evaluated dimension: filters, TCP analysis, forensic approach, TLS, toolchain. Concrete enough to know exactly what to study next.
Your exam recording stays private and accessible only to you. Replay it to catch moments where you could have been more precise about your pcap analysis method or your filter choices.
A unique public link lets you add your Wireshark badge to LinkedIn, your resume, a GitHub profile, or an RFP response. Anyone who visits sees your score, your level, and the certification date.
Discover related skills you can validate with Plume.
A 15-min oral exam with an AI, a shareable badge for your recruiters.
Choose this badge · €19.99