Identifying unacceptable or suspicious traffic
Wireshark can be used to identify unusual patterns or packet contents in the network traffic including network scans, malformed packets, and unusual protocols, applications, and or conversations that should not be running on your network. The following is a general list of traffic types that may not be acceptable and/or warrant investigation to validate their legitimacy in your environment:
MAC or IP address scans: These attempt to identify active hosts on the network
TCP or UDP port scans: These attempt to identify active applications and services
IP address and port scans can be generated from network management applications to build or maintain their list of devices and applications to monitor/manage, but that's usually the only legitimate source of these types of traffic.
Clear text passwords: These are passwords that you can see in the Wireshark's Packet Details or Packet Bytes fields. These are typical for File Transfer Protocol (FTP) logins...