All Questions
60 questions
0 votes | 0 answers | 164 views
TCP stream ends with retransmission of last FIN,ACK packet
The TCP network connection between a Haproxy server in TCP mode (.94) and Postfix (.137) randomly ends with the retransmission of the last FIN,ACK packet from the Postfix server:
It only happens for ...
0 votes | 1 answer | 320 views
TCP CWND and RWND Mismatch
Currently I am doing some measurements (using iperf3, TCP tracepoints (for monitoring the congestion window (CWND)) and tcpdump).
While altering the TCP window (RWND) field (using an nf-hook kernel ...
4 votes | 1 answer | 868 views
tcpdump -vvv is not verbose enough
For tcpdump, I use this command to see the packet details:
tcpdump -vvv -i interface
and to save the packets into a pcap file:
tcpdump -i interface -w output
The details from the first command are ...
0 votes | 1 answer | 58 views
Established TCP Communication terminates without any clue
I'm not able to understand what might be the reason for a lost TCP Communication over RPC between a CentOS 7 and Windows 2019 Server.
From Wireshark I could see that the TCP communication is ...
0 votes | 1 answer | 193 views
TCP packets being lost
I have some TCP packets being lost. I have monitored the interface with tcpdump pcap file - https://www.dropbox.com/s/7m3hr1b7065tenx/tcp.pcap?dl=0
I noticed that when I lose packets I only get 5 ...
0 votes | 0 answers | 355 views
Traffic capture at boot
I'm trying to figure out what packets a Linux host sends at boot in order to debug it.
Is there a way to start packet capture during boot time to not miss any packets?
What is your way of going about ...
1 vote | 1 answer | 136 views
How to find the linux user that sent the packet [duplicate]
Our server is compromised and we would like to know which accounts sent the malicious queries from our server. I used tcpdump to get this:
our.host.net.48194 > box5596.bluehost.com.http: Flags [P....
4 votes | 2 answers | 2k views
Piping SSH to wireshark on windows
In my day-to-day operations, I frequently need to execute tcpdump's on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it on ...
0 votes | 1 answer | 215 views
Can I determine a EWOULDBLOCK/EAGAIN situation from a pcap/tcpdump
Is there a way I can determine if a certain message resulted in an EWOULDBLOCK/EAGAIN return code to the server which sent the packet?
The server was sending messages to the client
At time 10, the ...
0 votes | 0 answers | 1k views
Wireshark TLS conversation for ldaps
I am trying to troubleshoot an issue with delays in LDAPS bind operations with tcpdump/wireshark.
Here is what I get from client side on a conversation with delays:
I see the following problems:
I ...
-1 votes | 1 answer | 1k views
SSH connection not established, but standard TCP/IP connection works
I'm working on a custom yocto Linux for a Raspberry PI 3 and try to get the WIFI connection working with SSH. However when trying to connect from my PC (Ubuntu 19.10, SSH OpenSSH_8.0p1 Ubuntu-6build1, ...
1 vote | 1 answer | 408 views
Wireshark capture filter from list file
Is it possible to pass Wireshark or tcpdump a file containing a list of host IP addresses and/or networks to be captured?
2 votes | 0 answers | 9k views
Why TCP Out-Of-Order packet is seen after SYN?
I am trying to troubleshoot a performance issue between a client and a file server. When I look at the capture from the client, I see a weird behavior. I am trying to understand this weird behavior.
...
1 vote | 0 answers | 183 views
Server does not respond to SYN [duplicate]
When I launch an FTP transfer from a client machine, it fails because it cannot connect to the server.
With tcpdump I can see that the client sends a SYN to the server, and I can also see that the ...
0 votes | 1 answer | 3k views
How to check for firewall drops in WireShark
We have an application setup across two servers. The application is failing because a firewall is blocking communication between the two servers. I need a way to figure out every single port that is ...
0 votes | 1 answer | 51 views
Linux: get all connect calls for a local port
I have an ssh tunnel through which a client is connecting to a server. Using Wireshark, I could see a periodic connection of SSH besides the keepalive, but I am unable to obtain the process (pid) that'...
1 vote | 1 answer | 2k views
How to collect HTTP data in Wireshark from a remote Linux host?
I am trying to collect HTTP requests and responses from a remote host using Wireshark through an SSH tunnel. So I have a Windows host with Wireshark on it, and a Linux host with tcpdump on it and a web server ...
1 vote | 0 answers | 2k views
How to capture http requests headers and body
I need to capture all incoming/outgoing HTTP traffic of a Unix machine, and then run a script on each HTTP header/body.
I have found that tcpdump captures all the requests, but big ones end up being ...
2 votes | 0 answers | 3k views
How to measure latency using wireshark
I'm trying to measure the wire-to-wire latency of a blackbox application. The application engages in tcp offloading (kernel bypass), it consumes incoming UDP packets via a NIC and in response, ...
0 votes | 1 answer | 410 views
can tcpdump detect higher level protocols like wireshark?
Wireshark will guess what higher level protocols are being used in a packet, but how can I get tcpdump to do likewise (or any other Linux command line tool)?
For example, the following screenshot ...
0 votes | 2 answers | 730 views
Wireshark Packet Capture Data Data ACK Confusion
I understand how ACKs work and windowing works. What I am not getting is why I am seeing the following behavior in packet captures:
Client Server
data1----->
data2----->
<--------ack ...
4 votes | 2 answers | 25k views
How do I see absolute time stamps in Wireshark?
Here is an example of a pcap file opened in Wireshark.
The second column is time. Is it possible to see absolute timestamps here instead of relative ones?
1 vote | 2 answers | 283 views
tcpdump http containing non expected payload bytes
I am monitoring an openvpn link with tcpdump a la
tcpdump -i tun5 -w capture.dump -W 100 -C 100M -s 0 -n
There is HTTP/XML traffic going over that link which is basically captured just fine.
However, ...
12 votes | 2 answers | 34k views
How to send captured packets to a different destination?
I have some data packets captured using tcpdump in a pcap file. Now I want to send those packets to another destination. How can I achieve this?
2 votes | 1 answer | 2k views
Wireshark shows "TCP Dup Ack" on SACK after each regular ACK
I have a TCP session captured via switch port mirroring and tcpdump. When viewing it (in Wireshark), I see the same pattern whenever I send a message; here's an excerpt of the outbound packets (I don'...
1 vote | 1 answer | 678 views
Packet capture on ESXi host
I have an issue I am trying to track down and I believe the problem is with physical networking hardware. I have read the VMWare documentation on the pktcap-uw command and I know I can use it to dump ...
1 vote | 0 answers | 536 views
Wireshark RST against TCP Zero Window
During application sharing with Microsoft Lync Client (Mac OS X), TCP ACK with RST flag is sent from my application end to Lync end against TCP Zero Window packets and call gets dropped.
Image Link.
...
6 votes | 3 answers | 10k views
What would a PCAP filter look like to capture all DHCP related traffic?
As I understand it, for IPv4 I would need to capture
UDP port 67 and 68,
ARP,
ICMP echo request and reply,
and for IPv6 I would need
UDP port 546 and 547,
all DHCP-related multicast addresses,
...
-1 votes | 1 answer | 2k views
Why is wireshark capturing packets not destined to my host? [closed]
My IP was configured as 192.168.101.91. I don't understand why my host is receiving packets which have a destination address of 192.168.87.203 (and many other IPs which I didn't capture) given that I ...
2 votes | 0 answers | 947 views
Wireshark only capturing broadcast packages [closed]
I've run Wireshark multiple times on my notebook for wireless networks verifying mobile packages for my devices and it used to work most of the time.
I haven't been able to monitor my traffic today ...
1 vote | 1 answer | 3k views
Server is not responding to SYN packets
On the attached tcp dump, the first two SYN packets (#21800 and 21801) came to the server, however SYN ACK was sent for the second SYN. Is that correct behaviour? My understanding is that the client ...
0 votes | 0 answers | 1k views
What conditions can account for incorrect inbound TCP checksums?
According to the Wireshark FAQ, TCP checksum offloading causes checksums for outbound traffic to be calculated incorrectly. On some Linux hosts I see some inbound TCP traffic that is flagged with ...
0 votes | 3 answers | 13k views
User agent in HTTP or HTTPS request
Is there any way that I can differentiate
whether the HTTP or HTTPS packets are coming from a browser or not?
Especially for HTTPS requests. There is a User-Agent field in the packet in HTTP, but I could not find ...
2 votes | 2 answers | 13k views
Only capture HTTP post requests through tcpdump
For security purposes we want to list all POST request URIs that are used in our applications (so we would disable POST through mod_security except for those URIs). The idea is to use tcpdump to ...
-4 votes | 1 answer | 1k views
How to sniff from a remote machine? [closed]
I have a PC and a tablet that are connected to a TP-Link ADSL modem.
PROBLEM:
I want to see the packets that are sent and received by my modem, not my PC (to see both wired and wireless packets).
I search ...
0 votes | 1 answer | 264 views
Linux unfriendly IIS/ASP.NET :-) : Quick download on windows but slow on linux [closed]
This particular web site (gops.tay.be) serves objects quickly if I try to request the page using Windows, but I get them very slowly if I try using Linux. There is no difference if I use a browser or curl:
...
4 votes | 2 answers | 5k views
How to parse OpenFlow packets using tcpdump capture file programmatically
I am working with OpenFlow packets and am analyzing the network via tcpdump.
Currently, I use the WireShark GUI to parse the generated capture file and it does serve my need.
However, I was ...
7 votes | 1 answer | 48k views
tcpdump capturing TCP resets by host
I am trying to figure out where my TCP resets on my webserver happen. I have the following capture:
tcpdump -fnni bond0:-nnvvS -w dump.pcap 'tcp[tcpflags] & (tcp-rst) !=0'
When I look at the ...
0 votes | 1 answer | 854 views
SYN flood attack -- packet hits on shared IP
How can I dump the TCP packets to get a better idea to know which website is being attacked?
Here is what I have in my logs:
May 4 23:10:26 host kernel: [2130002.635000] Firewall: *SYNFLOOD ...
1 vote | 2 answers | 4k views
TCPDump and IPTables DROP by string
By using tcpdump -nlASX -s 0 -vvv port 80 I get something like:
14:58:55.121160 IP (tos 0x0, ttl 64, id 49764, offset 0, flags [DF], proto TCP (6), length 1480)
206.72.206.58.http > 2.187.196....
3 votes | 1 answer | 17k views
tcpdump not picking up traffic redirected by iptables
The following iptables rule is used to redirect all internet traffic coming in from eth1 to port 3000 at localhost (interface lo with IP 127.0.0.1):
iptables -t nat -A PREROUTING -i eth1 -p tcp --...
2 votes | 2 answers | 551 views
Is TCP RWIN set by application or OS?
I have a situation where an application is listening on a TCP port and every once in a while, as seen in TCP dumps, gets its receive window (RWIN) set to zero. When this happens, its Recv-Q stops ...
-2 votes | 2 answers | 14k views
Using tcpdump to find strings [closed]
I need to block certain TCP packets by trying to find a string match in and on them. Is there a way to do that with tcpdump? Or do I need Wireshark installed on my Linux server?
Once I have the string ...
3 votes | 1 answer | 1k views
How to use a switch as a network tap?
I would like to tcpdump all traffic that my router does when it makes a firmware update.
So I have taken a HP ProCurve 1800-8G switch and mirrored port 7 to port 8.
I have connected:
Internet ...
4 votes | 2 answers | 10k views
How to use Linux to capture packets on eth0 and send everything to eth1?
Today I got an enterprise Internet connection together with a Sagemcom router. The first time it is connected to the Internet, it will spend 20 minutes upgrading the firmware.
I would really like to ...
0 votes | 1 answer | 454 views
Application traffic classification with tcpdump
I have a trace file from my network. I would like to identify the top 10 applications used by us. Does tcpdump provide any application-based filtering options? Any details regarding this would be ...
0 votes | 1 answer | 614 views
Filtering inbound traffic without knowing the destination subnet
I have a Linux machine configured as a router with two interfaces facing LAN A and LAN B. I want to filter traffic passing from LAN A to LAN B (inbound traffic) using tcpdump, but I don't have the ...
12 votes | 2 answers | 15k views
Filter tcpdump file AFTER capturing
I captured a really big tcpdump file which now always crashes my Wireshark. It was captured with no filters and I need to apply some afterwards to make the file smaller.
Is this somehow possible?
7 votes | 2 answers | 8k views
tcpdump: snaplen set to 0 but still get "Packet size limited during capture"?
Due to this problem, I'm going to sniff some packets on the MySQL server backend to see what happens:
# tcpdump -vv -s0 -c 100 -i bond0 tcp port 3306 and host 192.168.3.87 -w /home/quanta/3....
1 vote | 4 answers | 4k views
Sniffing packets of specific binaries / apps / process id?
Is there a way to associate packets with executing binaries? I would be open to traditional sniffing methods or even dtrace for that matter.
I have a specific issue on a system with very high ...