Vantage Point
Nice article, Jack.
This may go without saying, but it may be worth mentioning that it matters how the machine running Wireshark is connected to the network as to how much traffic you will see. If you install Wireshark in a normal switched network and fire it up, you will see that machine's traffic and any broadcast traffic, but not traffic from any other workstation to the internet. For that, you would either need to run Wireshark from the suspect computer, or configure a mirror/span port on the switch and plug the PC running Wireshark into that.
Sorry if I'm stating the obvious, but I know as a young admin coming up it took me some head banging to figure this one out on my own
