In an analytic world with a vast wealth of tools, often the simplest methods are the best for determining an attack chain. Wireshark provides the perfect platform for the "dirty" analysis that no one wants to get into. Rather than sifting through false positives provided by IDS/IPS alerts, Wireshark, and a bit of patience, can show summarize an attack. The dissection of anomalous traffic into segments using Wireshark can provide a framework for the reconstruction of an attack. A hands-on approach to traffic analysis. Providing post-mortem PCAPs of an attack, individuals will be asked to determine a method of attack using whatever tools available. Reconstruction of an attack and the determination attack patterns will be then decoded and reconstructed using nothing but Wireshark.