All Questions
21 questions
0 votes, 1 answer, 215 views
Can I determine an EWOULDBLOCK/EAGAIN situation from a pcap/tcpdump
Is there a way I can determine if a certain message resulted in an EWOULDBLOCK/EAGAIN return code to the server which sent the packet?
The server was sending messages to the client
At time 10, the ...
-1 votes, 1 answer, 1k views
SSH connection not established, but standard TCP/IP connection works
I'm working on a custom Yocto Linux for a Raspberry Pi 3 and trying to get the Wi-Fi connection working with SSH. However, when trying to connect from my PC (Ubuntu 19.10, SSH OpenSSH_8.0p1 Ubuntu-6build1, ...
1 vote, 0 answers, 5k views
How do I convert text capture files back to pcap files?
I have opened Wireshark, selected the a.pcap file, and then went to File->Export and chose (K12 text file) to convert to text. Result is a.txt file.
How can I convert back a.txt file to original pcap ...
0 votes, 1 answer, 1k views
Retrieve data from Wireshark (PCAPNG)
I have a PCAPNG file and I need to retrieve two files from it, one is a TXT and the other one is a PNG. The provided file does not have FTP-DATA, it only has ARP, DHCP, DNS, FTP, HTTP, IGMPv3, OCSP, ...
0 votes, 1 answer, 694 views
Are TCP RTO value and RTT value influenced by the packet size?
I am doing troubleshooting in my network.
I found some re-transmission by using Wireshark.
The segment 1400 bytes are well transmitted but
The segment 800 bytes are lost and re-transmitted.
I know ...
2 votes, 2 answers, 1k views
I have loopback traffic in Linux involving port 631 and I have no idea what is causing it
So I did some packet capturing in my network and everything else is actually fine except for this weird communication where source and destination are literally 127.0.0.1, source port is 631, and ...
0 votes, 1 answer, 1k views
Capture packets on loopback
I'm running a web service on my Windows 10 machine. I decided to look at the packets between my service and client running on the same machine by using Wireshark. I know that it is not possible to get ...
4 votes, 2 answers, 2k views
Wireshark under Windows: Any way to capture packets before dropped by special filter drivers?
I've got some GigabitEthernet Vision cameras, which use Ethernet to communicate. The protocol is simple UDP, but for performance reasons (high packet throughput causing CPU load) the manufacturer uses ...
0 votes, 1 answer, 226 views
Filter pcap by subsecond detail?
I'm trying to export a subset of a pcap file given a start and an end message, this start and end message identification is currently done using ngrep on the raw data (because we have no dissector for ...
0 votes, 1 answer, 491 views
PCAP traffic frame length short
I'm trying to make traffic and capture it using a pcap file. I get the pcap file from the CAIDA (caida.org) site. This pcap file is too big and doesn't have an Ethernet header. So I split the pcap file to a small size (40 ...
6 votes, 3 answers, 10k views
What would a PCAP filter look like to capture all DHCP related traffic?
As I understand it, for IPv4 I would need to capture
UDP port 67 and 68,
ARP,
ICMP echo request and reply,
and for IPv6 I would need
UDP port 546 and 547,
all DHCP-related multicast addresses,
...
2 votes, 2 answers, 4k views
How to efficiently re-order packets in PCAP files based on timestamp?
I have a PCAP file which contains many packets. They are however out of order based on the timestamp (it is actually randomized). What is the best way to efficiently sort the PCAP packets based on ...
0 votes, 1 answer, 116 views
MCU packet capture
I am trying to do a packet capture of a video conference hosted with a Cisco [Codian] MCU. The instructions for capturing SIP packets with Wireshark are available. I also configured the MCU to accept SIP ...
3 votes, 0 answers, 2k views
Can I use tshark to write SSL-decrypted packets to a file?
I have a PCAP file containing SSL-encrypted HTTP traffic and the private key from the relevant web server. I'd like a PCAP file that contains the decrypted HTTP traffic to feed into a different tool. ...
2 votes, 0 answers, 660 views
Replay decrypted SSL traffic with tcpreplay
I have a pcap format from some HTTPS traffic from one of my web servers.
So I can use the key from my web server to decrypt the traffic in Wireshark. The problem I'm now facing is that I can't get an ...
3 votes, 3 answers, 5k views
How to separate PCAP by unique IP address
I have an hour long PCAP file which has about 60 individual network attacks done on our test network here at work. Each attack comes from a unique IP address which was not used elsewhere during the ...
0 votes, 1 answer, 667 views
TCP retransmission TCP session reconstruction
I'm trying to write a program that reconstructs TCP sessions. I have a pcap file which has packets. The problem is I don't know which packets I should use to construct sessions when there is a ...
4 votes, 2 answers, 24k views
Best way to analyze pcap files from Wireshark?
I've got 50-100MB pcap files captured from Wireshark and need to analyze where most of the traffic is going to/coming from.
What's the best way of doing this? Ideally I'd like to end up with an ...
7 votes, 1 answer, 13k views
tcpdump filter for tcp zero window messages
Is there a pcap filter for tcpdump that will allow me to filter zero window messages?
I know how to filter these in a Wireshark display filter (tcp.analysis.zero_window) but the amount of data I ...
0 votes, 2 answers, 331 views
Identifying VoIP Users
I'm looking for a way to identify as many consumer VoIP users on my ISP network as possible using packet analysis.
My setup is like this:
On my core switch, all traffic going in and out of gigabit1 ...
2 votes, 2 answers, 2k views
Wireshark captures different on two computers from the same port
I have a Windows XP machine running Wireshark, connected to a mirror port on a network. I'm capturing with no filtering, and it can only see half of some two-way TCP conversations. I had thought it ...