Questions tagged [wireshark]
Wireshark is an open source network protocol analyzer released under the GNU General Public License.
512 questions
7 votes, 6 answers, 2k views
Finding out websites visited via https
I am trying to identify https sites my computer is communicating with. I understand that when I enter a website like www.example.com, a DNS call is made, the IP address of the website is obtained, ...
1 vote, 0 answers, 20 views
Data Size difference Between Client-Proxy and Proxy-Server Connections with CONNECT Proxy
I have a small setup in which I have a wss server running on port 4433. I also have a client trying to access the wss server via a CONNECT proxy. My understanding of a CONNECT proxy is that the proxy will create ...
1 vote, 0 answers, 25 views
TCP SEQ or ACK do not increment despite non-zero LEN
My TCP downloads (git fetch, Chrome browser downloads, flatpak downloads) often fail to complete. When I look into the packets with Wireshark, I find that the connection ends in RST from the client.
...
1 vote, 1 answer, 59 views
Debugging TCP port numbers reused after FIN, ACK
I have an app running in a k3s cluster (flannel CNI). The app runs TCP+TLS requests in a loop and I've noticed that some of them are randomly timing out.
I've captured the traffic w/ tcpdump on the ...
0 votes, 0 answers, 163 views
TCP stream ends with retransmission of last FIN,ACK packet
The TCP network connection between an Haproxy server in TCP mode (.94) and Postfix (.137) randomly ends with the retransmission of last FIN,ACK packet from the Postfix server:
It only happens for ...
0 votes, 1 answer, 319 views
TCP CWND and RWND Mismatch
Currently I am doing some measurements (using iperf3, TCP tracepoints (for monitoring the congestion window (CWND)) and tcpdump).
While altering the TCP window (RWND) field (using an nf-hook kernel ...
0 votes, 0 answers, 258 views
TCP previous segment not captured
I'm attempting to remotely control a device with C code. I could not send commands. I'm also not able to see the commands entering Wireshark either. Whenever I execute the code, it displays the error ...
0 votes, 0 answers, 105 views
TCP & Wireshark: Retransmission not working?
I traced a TCP connection in Wireshark and am trying to understand how ACKing should work correctly.
As you can see in the picture, at some point there's a packet missing from IPx.61. Wireshark tags this ...
0 votes, 0 answers, 61 views
ICMP request | By Virtual NIC | no response
The Issue:
I want to understand what's going on when I'm sniffing from the host machine with Wireshark, for instance packets that are coming from the VM that is bridged directly to the physical network....
1 vote, 0 answers, 79 views
TCP & Wireshark - Server not re-transmitting segments?
I am new to TCP-in-depth-analysis which I need for a current problem.
Connections:
Client = Host PC, Ubuntu 22.04.4 LTS (IP: ...60)
Switch (TL-SG1016D by tp-link, Gbit)
Server = Proprietary embedded ...
0 votes, 1 answer, 296 views
Squid's `tls_key_log` does not work as alternative to `SSLKEYLOGFILE` to decrypt TLS traffic
Following the instructions I can successfully decrypt TLS traffic in Wireshark while browsing in Firefox with the SSLKEYLOGFILE env variable set and running Squid as a middleman proxy.
export SSLKEYLOGFILE=...
0 votes, 0 answers, 208 views
HAProxy HTTP response 200 but response data missing
I have been working on troubleshooting a mobile application issue. Each and every request from the mobile application will hit a domain, let's say https://example.com, with a request payload in the POST body; this ...
4 votes, 1 answer, 868 views
tcpdump -vvv is not verbose enough
For tcpdump, I use this command to see the packet details:
tcpdump -vvv -i interface
and to save the packets into a pcap file:
tcpdump -i interface -w output
The details from the first command are ...
0 votes, 1 answer, 58 views
Established TCP Communication terminates without any clue
I'm not able to understand what might be the reason for a lost TCP Communication over RPC between a CentOS 7 and Windows 2019 Server.
From the Wireshark I could see that the TCP Communication is ...
0 votes, 1 answer, 2k views
Why can't Wireshark see local interfaces?
I'm experiencing some strange network errors on my local machine (MS-Windows 10 Enterprise 22H2). These also manifest in a WSL container running on the machine (but not on any other device on the same ...
0 votes, 1 answer, 787 views
Proxmox host cannot reach guest: TCP client retransmitting instead of sending ACK after SYN/ACK
Setup: server (HTTP server on 80) on 192.168.1.20, clients on 192.168.1.17, 192.168.1.18
Client 192.168.1.17 can connect to the server fine (Wireshark capture on the client side attached)
1 0.000000 ...
2 votes, 2 answers, 18k views
What is Option 60 (Vendor Class Identifier) used for in DHCPv4?
When looking at the DHCP process between devices and my Wi-Fi router (DHCP server) with Wireshark, I noticed that most devices provide a 'Vendor Class Identifier' (or Option 60) in their DHCP Discover ...
0 votes, 1 answer, 720 views
Continuous [ACK] Packets Without any Response From Receiver
Our application sends some data to one of our devices via TCP/IP. However, the communication in between is not working as it should. Because TCP/IP is bidirectional, if one side sends data to the other, ...
0 votes, 1 answer, 603 views
Apache server on macOS Monterey not accepting external public IP connections... why?
I am using macOS Monterey 12.4 and have configured an Apache 2.4 server with virtual hosts that listen on all interfaces (0.0.0.0:80) on my host. I have tested my private IP (192.168.1.2), external-...
2 votes, 2 answers, 4k views
PXE with proxyDHCP server: What makes a DHCP client accept / ignore offers from primary DHCP?
I am considering a setup with a primary DHCP server providing "IP data" (IP address, subnet mask, DNS, …), and a proxyDHCP server providing only PXE boot options. As it happens, my proxyDHCP ...
0 votes, 2 answers, 1k views
How to track down IPv6 DNS server configuration with Wireshark?
What Wireshark filter should I use to track down IPv6 DNS server advertisements on the network? I don't see any DHCPv6 traffic on my network, so I assume that the config of clients is happening ...
0 votes, 0 answers, 587 views
REST requests to an API fall into timeout randomly
I developed a web app that communicates with an external API over REST. Most of the time I have no problem, but a few times (1 or 2 times a day) my request times out although the ...
0 votes, 0 answers, 346 views
Checking for port exhaustion using WireShark
We have been having some rare port exhaustion issues on our computers. We deployed a little netstat monitoring app that tracks the amount of TIME_WAIT statuses per application and notifies us if there ...
1 vote, 0 answers, 172 views
Why are network packets getting sent to incorrect switch port
All,
I have multiple security monitoring devices that lose communication/connectivity on a regular basis throughout the week.
I have set up WireShark to monitor the network traffic going to/from one ...
0 votes, 0 answers, 23 views
Connection drop
Trying to solve this problem here but not 100% sure what the issue is.
4 fetal monitors and a PC in a clinic are connected to a switch. Those communicate with the PC. 1 to 4 times a day there is a ...
0 votes, 1 answer, 1k views
How to detect packets on mirrored port using Promiscuous mode on a VM running on Proxmox
I have a Proxmox server with four network ports eno1, eno2, eno3, eno4. The eno4 is used for management console and internet access using vmbr0 linux bridge. I have created a vmbr1 bridge for the port ...
0 votes, 1 answer, 193 views
TCP packets being lost
I have some TCP packets being lost. I have monitored the interface with tcpdump pcap file - https://www.dropbox.com/s/7m3hr1b7065tenx/tcp.pcap?dl=0
I noticed that when I lose packets I only get 5 ...
0 votes, 0 answers, 222 views
How can I inspect everything that happens before a TCP handshake
On my local machine, when I connect to a remote Linux machine with netcat, I can only see 3 related packets (the TCP handshake) in Wireshark.
I'm pretty sure there's more that happens before that (router -...
0 votes, 0 answers, 322 views
What does it mean if I don't receive an SMB Negotiate Protocol Response from the server?
What does it mean to not get an SMB Negotiate Protocol Response from server? Unable to mount fileshare drive (a third-party fileshare outside Azure). The architecture is similar to this one: https://...
0 votes, 0 answers, 355 views
Traffic capture at boot
I'm trying to figure out what packets a Linux host sends at boot in order to debug it.
Is there a way to start packet capture during boot time to not miss any packets?
What is your way of going about ...
2 votes, 0 answers, 316 views
TShark - Include decrypted TLS data in output
I'm trying to read HTTPS requests from an application and while I can somewhat make sense of the data using Wireshark, I cannot make tshark output the data as I want it. One of the problems I've ...
0 votes, 0 answers, 361 views
Difference between TCP Segment Data and Data on a Wireshark capture
I am trying to replicate some TCP communication that is sent from MongoDB and I have been able to replicate it byte by byte and it is still not being recognized.
The only difference I could find when ...
0 votes, 1 answer, 117 views
DNS behavior / Wireshark
I'm a Cloud Engineer and currently diving into networking and stuff. I have a question, I have the understanding that whenever I go to a site the first thing is DNS. So a DNS request gets sent to a ...
1 vote, 1 answer, 3k views
How to capture USB traffic using Wireshark in the Linux CLI?
I've found (hopefully) all I need in order to set up Wireshark and the usbmon kernel module - including allowing a non-root user to capture USB traffic: https://www.wireshark.org/docs/wsug_html_chunked/...
0 votes, 1 answer, 630 views
Why do I see unicast packets for a different IP when I sniff my interface?
I hook up a laptop via gigabit Ethernet to my corporate network and run Wireshark on the interface. I expect to see all broadcast and multicast traffic and unicast traffic either originating from or ...
0 votes, 0 answers, 257 views
Bytes-in-flight higher than receiver window in frozen client connections
I am dealing with sort of a "ghost issue". We have an endpoint URL that some people can use at all times with no issues but others have a frozen connection on the client side (checked with ...
0 votes, 0 answers, 2k views
How to find the symmetric key algorithm being used for a TLS connection in Wireshark?
I'm doing a TLS Wireshark lab and I can't find any information in Wireshark, the lab, or online how to find this answer:
What symmetric key cryptography algorithm is being used by the client and ...
1 vote, 1 answer, 53 views
Wireshark != doesn't work like it did before version 3.6
I use the filter ip.addr != 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3) to identify any traffic between our network and the outside (and also exclude class-D address space). This filter no longer ...
2 votes, 1 answer, 1k views
Duplicated UDP packets sent
We have a few applications that we develop in my company that talk to some hardware via UDP. Recently, we started having issues using these applications on some of our machines (hardware basically ...
-2 votes, 1 answer, 319 views
Discover IP address of the device knowing only MAC address
While "wiresharking" the network, you may come across packets that look like
THIS
eth.src to eth.dst (mainly colored white).. sometimes Wireshark recognizes the protocol as LLC, NDP, etc..
but ...
2 votes, 1 answer, 2k views
Wireshark find DNS response "Refused"
I'm looking for a way to filter a packet capture in Wireshark for instances where our server responds with "Refused" to a recursive DNS query.
dns.resp.type== doesn't seem to offer anything ...
0 votes, 1 answer, 777 views
DNS, why is it sometimes doing a PTR lookup before A lookup?
When I perform NSLOOKUP -q=a chinaa.cn I get the following result in Wireshark:
Why did it FIRST look up the PTR of my ISP DNS before sending an A-request?
And why did the DNS server respond first ...
0 votes, 1 answer, 73 views
How to inspect outgoing traffic from Access Point
I have an Access Point which connects to a VPN and creates an internal WiFi network of our company everywhere. Now I need to inspect what VPN protocol this AP is using. I am not able to configure it, ...
1 vote, 1 answer, 136 views
How to find the linux user that sent the packet [duplicate]
Our server is compromised and we would like to know which accounts sent the malicious queries from our server. I used tcpdump to get this :
our.host.net.48194 > box5596.bluehost.com.http: Flags [P....
1 vote, 0 answers, 221 views
Running tshark and find in parallel + strict time-sorted output
I'm trying to obtain debug output of
what "find" does
compared to what happens on the network (tshark)
Therefore I want to run these commands in parallel and have output meticulously ...
0 votes, 0 answers, 296 views
How to identify source, destination IP using STUN and DTLS protocols?
Given the image, I'm not able to identify which is the source and which is the destination IP address (client or server). From the STUN protocol's 1st packet it's a user request so I thought 131.202....
4 votes, 2 answers, 2k views
Piping SSH to Wireshark on Windows
In my day-to-day operations, I frequently need to execute tcpdumps on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it on ...
1 vote, 0 answers, 792 views
'socat' not displaying incoming UDP packets, but Wireshark does
The link is an image of a Wireshark dump of an incoming 60-byte Ethernet frame which contains a UDP packet. The packet payload is the single word 'hello' (sorry, I don't have enough rep to paste the ...
0 votes, 1 answer, 655 views
iptables DNAT change not showing up in Wireshark
I want to re-route all incoming traffic on interface ens4f0 to IP address 192.168.50.10, but Wireshark is showing that the destination IP address on incoming packets is unchanged. Is this the expected ...
0 votes, 1 answer, 286 views
When a router sends an ICMP protocol error message, how does it set its own TTL?
When using (traceroute -q 1 serverAddress), we know that it starts with TTL (Time to Live) = 1.
When it goes through a router, the router decrements TTL by 1. If TTL becomes 0 at that router, it sends ...