Questions tagged [packet-capture]
Packet capture is the act of capturing data packets crossing a computer network. It can be either deep packet capture (headers and payload) or partial packet capture (headers only).
177 questions
1 vote · 1 answer · 48 views
Windows Firewall creating custom rule for port forwarding - confusing fields [closed]
I've got quite some experience with TCP port forwarding in the UNIX world (netcat, iptables) but now I need to do the same on Windows Server 2022.
Client machines can reach TCP 25 on "gateway&...
0 votes · 1 answer · 116 views
OpenSSL routines:ssl3_read_bytes:tlsv1 alert internal error with kubernetes and caddy
My domain androz2091.fr is pointing to a single-node kubernetes cluster. Caddy is installed on the node (on the host, not inside k8s), and uses the cluster DNS to redirect to the right service.
Here ...
1 vote · 1 answer · 168 views
Someone on the network is trying to log in to the Windows Server
I have a Domain. It has a file sharing Windows Server. The rights to folders are set for domain users.
Users are complaining that some files (not all) were disappearing, although the "admins"...
0 votes · 0 answers · 184 views
Windows Server 2022 offline DNS Forwarders fails validation
I have an offline network with two domain controllers that are DNS servers.
There is slow performance when accessing Active Directory and Group Policy.
In DNS Properties > Forwarders, the DCs ...
1 vote · 1 answer · 5k views
"Network error: software caused connection abort"
I am experiencing a persistent issue when using PuTTY. I can log on to my Ubuntu server, but after 5 minutes the connection is terminated with the following message:
"network error: software ...
0 votes · 1 answer · 190 views
HTTPS timeout/site won't load. HTTP works
I have 'mydomain.com' hosted by GoDaddy with multiple CNAMEs, e.g. 'one.mydomain.com', 'two.mydomain.com'.
I have a wildcard SSL certificate from GoDaddy installed in IIS and have set up site bindings. Every ...
4 votes · 1 answer · 868 views
tcpdump -vvv is not verbose enough
For tcpdump, I use this command to see the packet details:
tcpdump -vvv -i interface
and to save the packets into a pcap file:
tcpdump -i interface -w output
The details from the first command are ...
0 votes · 1 answer · 1k views
Understanding TCP RST Network Capture
I only really need help understanding the following image, but I will give the background for context.
We have an app that is configured to use a proxy on port 8080 and requires Internet access. At ...
0 votes · 0 answers · 91 views
[Send mail with attachment]: TCP Retransmission, Duplicate ACK => TCP Reset
So, we have a Linux box with Postfix running on LAN site A which sends emails to a Microsoft Exchange server sitting on site B. This runs perfectly when there is no attachment to the mail. But as ...
1 vote · 0 answers · 76 views
Ifconfig result on the server running PF_RING with zerocopy
I have an application which uses PF_Ring zero copy as a part of its packet sniffing capability. When this application is running would it be possible to find out the amount of RX/TX traffic using ...
0 votes · 0 answers · 355 views
Traffic capture at boot
I'm trying to figure out what packets a Linux host sends at boot in order to debug it.
Is there a way to start packet capture during boot time to not miss any packets?
What is your way of going about ...
1 vote · 0 answers · 427 views
Disabled all TCP Offloading and still get 65Kb packets
I'm capturing packets in a Tensorflow two-node training. I want to capture the packet sizes over the wire (< MTU) from the hosts. Because of that, I turned off all of the offloading with ethtool. ...
1 vote · 0 answers · 218 views
How to see contents of output queue of NIC in Linux and introspect frame delay
I am experimenting with the tc tool to implement prioritization of specific data coming from my computer and would like to see exactly how the frames are scheduled and how much time they spend in the qdisc ...
0 votes · 1 answer · 1k views
Capture filter with tcpdump/tshark
I'd like to filter IP messages which are constructed as follows (see picture below):
GRE on top of IP
GRE contains IP with UDP on port 1234 (in the picture below port 80).
How can I filter such ...
0 votes · 0 answers · 296 views
How to identify source, destination ip using STUN and DTLS protocols?
Given the image, I'm not able to identify which is the source and which is the destination IP address (client or server). From the STUN protocol's 1st packet it's a user request, so I thought 131.202....
0 votes · 1 answer · 1k views
Where is the ACK to the packet in frame 76? [closed]
I am working through Kurose's book as part of a class and this particular exercise involves submitting a .txt file to the server and capturing this transfer and the server's response.
In one exercise ...
0 votes · 1 answer · 2k views
Is there a way to disable TCP segmentation offloading to prevent packets greater than the MTU from being captured from the loopback interface?
I'm trying to create some captures on my Linux box. The problem I have is that any captures I take from the loopback interface will contain massive packets that are much larger than the MTU. This ...
0 votes · 1 answer · 964 views
Pcap (tcpdump) filter to match against local port
I'm trying to write a libpcap (tcpdump, iftop) filter that would match packets having a specific local port.
That is, I'm interested in traffic that either goes out of port 12345 on the local machine ...
1 vote · 1 answer · 1k views
Forwarded Packets are received by namespace's veth0 but not received by application
I use libtins (it uses pcap) to capture link layer packets and forward them to a network namespace where the actual application runs.
Client(Browser) -> Server -> Pcap -> Pcap Send -> br0 (...
1 vote · 0 answers · 340 views
Drawbacks of having pruned and collapsed packets
I am a newbie in the networking field. I came across a note that we should not have pruned packets and collapsed packets; if we do, we have to optimize the system.
But the note (neither the ...
3 votes · 1 answer · 3k views
TCP Duplicate Ack without Packet Loss
edit: there were actually 2 problems, a buggy TCP implementation on the device running the RTOS and an issue causing the Linux network stack to receive the TCP fragments out of order when more than 1 ...
1 vote · 0 answers · 234 views
How can I capture traffic for a daemon listening on a cloned loopback IP address?
I have a daemon listening on a virtual IP address attached to a cloned loopback interface (lo1) on FreeBSD 11.x.
Inbound traffic for that daemon could arrive on several different physical interfaces, ...
1 vote · 1 answer · 1k views
Send duplicate UDP packets to another computer
We have a production server where we receive a continuous stream of UDP packets (~ 15 Mbps). We have a small research team which wants to process this same exact stream for some research purposes on ...
0 votes · 1 answer · 2k views
How do I capture packets on a Linux VM in a VMware environment?
I've got a Linux server that is a VM running on ESXi 6.7. We're running into some network trouble with it, and I'm trying to use tcpdump to capture traffic on the VM itself, but I'm getting only the ...
0 votes · 1 answer · 2k views
OpenVPN log connections per user
I'm trying to set up a VPN solution where I can log packet captures of individual connections. I've been focusing on using OpenVPN but I am amenable to other solutions. It is important to note that I ...
1 vote · 1 answer · 330 views
How to man-in-the-middle: blocking/intercepting/editing all network traffic going to a single cabled device and a server
I need to completely block, intercept and alter all packets going between two devices. Possibly I need to isolate one device and block/intercept/edit ALL traffic going to and from it if I cannot ...
0 votes · 0 answers · 560 views
Loopback interfaces are not pinging on both PCs in Packet Tracer
I am trying to ping my ISP IP address (aka loopback 1) and loopback 10 from PC1 and PC2. Whenever I ping both IP addresses and the default gateway from PC1 to PC2 it works. However, when I'm trying to ping ...
0 votes · 1 answer · 3k views
How can I gather network traffic on AWS?
I am building packet mirroring using the Linux iptables TEE module. In the case of EC2 instances, we confirmed that promiscuous mode can be set in the AWS console configuration. Then, I wonder if ...
0 votes · 1 answer · 69 views
CentOS 6 - Find KVM VM with HW addr
We are running KVM VMs (Linux & Windows) on our CentOS 6 & 7 hypervisors.
Sometimes we are noticing a lot of packets going in or out.
Now I want to see which IP address or network adapter ...
1 vote · 2 answers · 4k views
What are the numbers preceding a DNS packet's flags for?
What does the Flags: 0x0500 section of this DNS query packet mean?
Domain Name System (query)
Transaction ID: 0x4242
Flags: 0x0500 Standard query
0... .... .... .... = Response: ...
0 votes · 1 answer · 155 views
Tips for working with very large pcaps?
What is the best approach for working with very large collections of network traffic (500GB+)?
Specifically, I'd like to be able to filter packets which match various payload and protocol criteria (...
0 votes · 1 answer · 420 views
Network sniffer that works as a Windows service
We need to log the incoming traffic for some application on our server.
The first instinct is to use Wireshark, and of course, as soon as our remote session ends, Wireshark also shuts down.
Since ...
0 votes · 1 answer · 693 views
Are TCP RTO value and RTT value influenced by the packet size?
I am doing troubleshooting in my network.
I found some retransmissions using Wireshark.
The 1400-byte segments are transmitted fine, but
the 800-byte segments are lost and retransmitted.
I know ...
1 vote · 2 answers · 1k views
What should be the next sequence number after a packet with the FIN containing payload?
I was capturing some HTTP traffic and I observed a packet with the FIN flag set that also contained payload data.
I searched for this topic and I found some similar questions but none of them ...
3 votes · 2 answers · 4k views
Get network data transfer rate / throughput for use in Wireshark
I'm trying to get the ethernet NIC throughput rate / data transfer rate on a VPS in order to start a capture on Wireshark during DOS/DDOS attacks so I can analyze the nature of the packets.
I'm ...
1 vote · 1 answer · 366 views
How does LDAP Authentication Work at the TCP Layer?
Specifically, how does an LDAP server distinguish a TCP packet containing a SearchRequestOp from an authenticated user, from a TCP packet containing a SearchRequestOp from an unauthenticated user?
I ...
1 vote · 1 answer · 780 views
Can user credentials from HTTP session be seen through Wireshark? [duplicate]
Can we get that info the same way we do for FTP since HTTP is a plain text protocol?
2 votes · 1 answer · 2k views
Can I verify failure of port forwarding using wireshark / packet capture
I've recently configured a Debian 9 server (Debian 4.9.130-2) to run as a lightweight server, running a series of Docker containers (nextcloud, sync, etc.) alongside basic services like ssh. Services ...
1 vote · 1 answer · 4k views
Can I capture full TCP packet content with haproxy without knowing length of the packet?
I know I can capture a 6-byte packet using this config:
global
log /dev/log local0 debug
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /...
0 votes · 1 answer · 1k views
How to turn an ethernet port into a passive listener?
I want to capture Ethernet packets with my Raspberry Pi's Ethernet port. I know I could create an Ethernet bridge between two Ethernet ports on the Raspberry and analyze the packets internally with ...
1 vote · 1 answer · 632 views
rpcapd behind a firewall
I have a remote server with rpcapd installed that follows strict security policy rules. Any client can access the server only via a firewall that follows the same security policy (please, don't blame me, ...
0 votes · 2 answers · 148 views
Port forwarding for 100K+ IPs
I need to do port forwarding on my Linux (Debian 8) to intercept packets going through the machine.
It needs to be based on source IP, so different ports for different IPs.
I've thought of using ...
0 votes · 2 answers · 2k views
Who can issue a RST?
I have a client connecting to a server via a VPN tunnel. The connectivity is in place: I can ping the server and request some other services (a curl request on an API for instance) through that ...
-5 votes · 1 answer · 62 views
How is a packet transmitted over the network? [closed]
I am writing a discrete event-driven simulator to measure the time between sending datasets over a network.
If multiple processes send n packets through the network, they (the packets) will go one after another through ...
0 votes · 1 answer · 81 views
Cisco 877 doesn't respond to IP determined through ARP
I have just obtained an old Cisco 877. I made sure to first push the reset button in the back. I then plugged into one of the LAN ports. The device gave me an IPv4 address (169.254.14.65/16) and an ...
8 votes · 2 answers · 7k views
How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?
For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet ...
2 votes · 1 answer · 5k views
How can NETSH be used to sniff and collate network traffic?
I am trying to capture all network traffic and view it in a human-readable way.
To begin packet capture with netsh, I am running the following command.
netsh trace start scenario=NetConnection ...
2 votes · 1 answer · 17k views
Client sends RST after FIN,ACK
While doing a file transfer using the secure file transfer protocol, I am seeing the behaviour shown in the image below.
Instead of accepting packets from the server, it simply sends a RST. Found a similar ...
0 votes · 1 answer · 1k views
How can I identify the cause of packet loss in DNS?
We have upgraded some of our routers to Ubuntu 16.04 and are now getting some performance problems with DNS. It seems that packets are sometimes truncated, but I have no clue what else I can do:
This ...
6 votes · 2 answers · 9k views
How to determine which process is sending UDP packets once per hour?
I was doing a packet capture as part of a development project and saw some odd traffic coming from my machine in the capture file.
About every 3600 seconds, a NAT-PMP request is being sent to the IP "...