Questions tagged [packet-capture]

Packet capture is the act of capturing data packets crossing a computer network. It can be deep packet capture (headers and payload) or partial packet capture (headers only).

4 votes
1 answer
549 views

tcpdump -vvv is not verbose enough

For tcpdump, I use this command to see the packet details: tcpdump -vvv -i interface and to save the packets into a pcap file: tcpdump -i interface -w output The details from the first command are ...
shadow (41)
0 votes
0 answers
16 views

How to capture GOAWAY from a Linux VM (Centos)

Objective: I'm troubleshooting integration between two service fleets proxied by Envoy (AWS AppMesh) using GRPC. My GRPC clients never send traffic to the new GRPC servers (after scale-out). Context: ...
Alcaneo
0 votes
1 answer
63 views

Understanding TCP RST Network Capture

I only really need help understanding the following image, but I will give the background for context. We have an app that is configured to use a proxy on port 8080 and requires Internet access. At ...
Mucker (367)
0 votes
0 answers
35 views

Method of streaming a packet capture from a Windows machine

I have a Windows 10 VM on Hyper-V. It is a production system (yeah I know) that is running multiple critical services that I need to analyse so I can migrate it off to something better. I need to ...
RoyT (1)
0 votes
0 answers
46 views

[Send mail with attachment]: TCP Retransmission, Duplicate ACK => TCP Reset

So, we have a Linux box with Postfix running on LAN site A which sends emails to a Microsoft Exchange server sitting on site B. This runs perfectly when there is no attachment to the mail. But as ...
Michael Muller
0 votes
0 answers
69 views

How to receive mirrored traffic on remote host using Ubiquiti EdgeRouterX?

I have the current network setup: two subnets are connected using a Ubiquiti EdgeRouterX, subnet 1 has a switch mirroring all traffic on that subnet to the router, and on subnet 2 there is a host ...
Juan Martinez Alonso
0 votes
0 answers
26 views

ALPN negotiation fails

I am trying to connect two servers to exchange data. I captured the packets and they try to establish a connection but then are not sending data. Does someone know what the problem could be? captured ...
Tobias (1)
1 vote
0 answers
57 views

Ifconfig result on the server running PF_RING with zerocopy

I have an application which uses PF_RING zero copy as a part of its packet sniffing capability. When this application is running, would it be possible to find out the amount of RX/TX traffic using ...
user2714795
0 votes
0 answers
220 views

Traffic capture at boot

I'm trying to figure out what packets a Linux host sends at boot in order to debug it. Is there a way to start packet capture during boot time so as not to miss any packets? What is your way of going about ...
lolz (11)
1 vote
0 answers
337 views

Disabled all TCP Offloading and still get 65Kb packets

I'm capturing packets in a Tensorflow two-node training. I want to capture the packet sizes over the wire (< MTU) from the hosts. Because of that, I turned off all of the offloading with ethtool. ...
morteza hosseini
1 vote
0 answers
81 views

How to see contents of output queue of NIC in Linux and introspect frame delay

I am experimenting with the tc tool to implement prioritization of specific data coming from my computer and would like to see exactly how the frames are scheduled and how much time they spend in the qdisc ...
Hadarelv
0 votes
1 answer
719 views

Capture filter with tcpdump/tshark

I'd like to filter IP messages which are constructed as follows (see picture below): GRE on top of IP; GRE contains IP with UDP on port 1234 (in the picture below, port 80). How can I filter such ...
user1977050
0 votes
0 answers
214 views

How to identify source and destination IP using STUN and DTLS protocols?

Given the image, I'm not able to identify which is the source and which the destination IP address (client or server). From the STUN protocol's 1st packet it's a user request, so I thought 131.202....
David Roonie
0 votes
1 answer
844 views

Where is the ACK to the packet in frame 76? [closed]

I am working through Kurose's book as part of a class and this particular exercise involves submitting a .txt file to the server and capturing this transfer and the server's response. In one exercise ...
Segmentation fault
0 votes
1 answer
1k views

Is there a way to disable TCP segmentation offloading to prevent packets greater than the MTU from being captured from the loopback interface?

I'm trying to create some captures on my Linux box. The problem I have is that any captures I take from the loopback interface will contain massive packets that are much larger than the MTU. This ...
kansas_bulldog382
0 votes
1 answer
683 views

Pcap (tcpdump) filter to match against local port

I'm trying to write a libpcap (tcpdump, iftop) filter that would match packets having a specific local port. That is, I'm interested in traffic that either goes out of port 12345 on the local machine ...
intelfx (144)
1 vote
1 answer
955 views

Forwarded packets are received by the namespace's veth0 but not received by the application

I use libtins (it uses pcap) to capture link layer packets and forward them to a network namespace where the actual application runs. Client (Browser) -> Server -> Pcap -> Pcap Send -> br0 (...
sqlbie (11)
1 vote
0 answers
279 views

Drawbacks of having pruned and collapsed packets

I am a newbie in the networking field. I came across a note that we should not have pruned packets and collapsed packets, and if we have them, we have to optimize the system. But the note (neither the ...
smc (123)
3 votes
1 answer
3k views

TCP Duplicate Ack without Packet Loss

edit: there were actually 2 problems, a buggy TCP implementation on the device running the RTOS and an issue causing the Linux network stack to receive the TCP fragments out of order when more than 1 ...
Mathieu Borderé
1 vote
0 answers
190 views

How can I capture traffic for a daemon listening on a cloned loopback IP address?

I have a daemon listening on a virtual IP address attached to a cloned loopback interface (lo1) on FreeBSD 11.x. Inbound traffic for that daemon could arrive on several different physical interfaces, ...
Alnitak (21.3k)
0 votes
1 answer
909 views

Send duplicate UDP packets to another computer

We have a production server where we receive a continuous stream of UDP packets (~ 15 Mbps). We have a small research team which wants to process this same exact stream for some research purposes on ...
Azeem Khan
0 votes
1 answer
1k views

How do I capture packets on a Linux VM in a VMware environment?

I've got a Linux server that is a VM running on ESXi 6.7. We're running into some network trouble with it, and I'm trying to use tcpdump to capture traffic on the VM itself, but I'm getting only the ...
le_jawa (113)
0 votes
1 answer
2k views

OpenVPN log connections per user

I'm trying to set up a VPN solution where I can log packet captures of individual connections. I've been focusing on using OpenVPN but I am amenable to other solutions. It is important to note that I ...
ahjohnston25
1 vote
1 answer
199 views

How to man-in-the-middle (block/intercept/edit) all network traffic going to a single cabled device and a server

I need to completely block, intercept and alter all packets going between two devices. Possibly I need to isolate one device and block/intercept/edit ALL traffic going to and from it if I cannot ...
Ya Guy Godzilla
0 votes
0 answers
475 views

Loopback interfaces are not pinging on both PCs in Packet Tracer

I am trying to ping my ISP IP address (aka loopback 1) and loopback 10 from PC1 and PC2. Whenever I ping both IP addresses and the default gateway from PC1 to PC2 it works. However, when I'm trying to ping ...
Kevin
0 votes
1 answer
2k views

How can I gather network traffic on AWS?

I am building packet mirroring using the Linux iptables TEE module. In the case of instances (EC2), we confirmed that promiscuous mode can be set in the AWS console configuration. Then, I wonder if ...
scott (9)
0 votes
1 answer
68 views

CentOS 6 - Find KVM VM with HW addr

We are running KVM VMs (Linux & Windows) on our CentOS 6 & 7 hypervisors. Sometimes we notice a lot of packets going in or out. Now I want to see which IP address or network adapter ...
Pinkman
1 vote
2 answers
4k views

What are the numbers preceding a DNS packet's flags for?

What does the Flags: 0x0500 section of this DNS query packet mean? Domain Name System (query) Transaction ID: 0x4242 Flags: 0x0500 Standard query 0... .... .... .... = Response: ...
Justin (13)
0 votes
1 answer
107 views

Tips for working with very large pcaps?

What is the best approach for working with very large collections of network traffic (500GB+)? Specifically, I'd like to be able to filter packets which match various payload and protocol criteria (...
pavja2 (101)
0 votes
1 answer
253 views

Network sniffer that works as a Windows service

We need to log incoming traffic for some application on our server. The first instinct is to use Wireshark and, of course, as soon as our remote session ends, Wireshark also shuts down. Since ...
Lishi (101)
0 votes
1 answer
504 views

Are TCP RTO value and RTT value influenced by the packet size?

I am doing troubleshooting in my network. I found some re-transmissions by using Wireshark. The 1400-byte segments are transmitted fine, but the 800-byte segments are lost and re-transmitted. I know ...
nimdrak (39)
1 vote
2 answers
1k views

What should be the next sequence number after a packet with the FIN containing payload?

I was capturing some HTTP traffic and I observed a packet with the FIN flag set that also contained payload data. I searched for this topic and I found some similar questions, but none of them ...
mrazimi (121)
2 votes
2 answers
3k views

Get network data transfer rate / throughput for use in Wireshark

I'm trying to get the ethernet NIC throughput rate / data transfer rate on a VPS in order to start a capture on Wireshark during DOS/DDOS attacks so I can analyze the nature of the packets. I'm ...
I'm Root James
1 vote
1 answer
270 views

How does LDAP Authentication Work at the TCP Layer?

Specifically, how does an LDAP server distinguish a TCP packet containing a SearchRequestOp from an authenticated user, from a TCP packet containing a SearchRequestOp from an unauthenticated user? I ...
Tikiyetti (113)
1 vote
1 answer
502 views

Can user credentials from HTTP session be seen through Wireshark? [duplicate]

Can we get that info the same way we do for FTP since HTTP is a plain text protocol?
Yoane Maior
1 vote
1 answer
2k views

Can I verify failure of port forwarding using wireshark / packet capture

I've recently configured a Debian 9 server (Debian 4.9.130-2) to run as a lightweight server, running a series of Docker containers (nextcloud, sync, etc.) alongside basic services like ssh. Services ...
Jeremy Kidwell
1 vote
0 answers
3k views

Can I capture full TCP packet content with HAProxy without knowing the length of the packet?

I know I can capture a 6-byte-length packet using this config: global log /dev/log local0 debug log /dev/log local1 notice chroot /var/lib/haproxy stats socket /...
Defozo (153)
0 votes
1 answer
1k views

How to turn an ethernet port into a passive listener?

I want to capture Ethernet packets with my Raspberry Pi's Ethernet port. I know I could create an Ethernet bridge between two Ethernet ports on the Raspberry and analyze the packets internally with ...
guerlando
1 vote
1 answer
568 views

rpcapd behind a firewall

I have a remote server with rpcapd installed that follows strict security policy rules. Any client can access the server only via a firewall that follows the same security policy (please, don't blame me, ...
enzo (11)
0 votes
2 answers
131 views

Port forwarding for 100K+ IPs

I need to do port forwarding on my Linux (Debian 8) box to intercept packets going through the machine. It needs to be based on source IP, so different ports for different IPs. I've thought of using ...
Alfred Balle
0 votes
2 answers
2k views

Who can issue a RST?

I have a client connecting to a server via a VPN tunnel. The connectivity is in place: I can ping the server and request some other services (a curl request to an API, for instance) through that ...
WoJ (3,617)
-5 votes
1 answer
61 views

How is a packet transmitted over the network? [closed]

I am writing a discrete event-driven simulator to measure the time between sending datasets over a network. If multiple processes send n packets through the network, they (the packets) will go one after another through ...
Kenenbek Arzymatov
0 votes
1 answer
75 views

Cisco 877 doesn't respond to IP determined through ARP

I have just obtained an old Cisco 877. I made sure to first push the reset button in the back. I then plugged into one of the LAN ports. The device gave me an IPv4 address (169.254.14.65/16) and an ...
Stringers
7 votes
2 answers
6k views

How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?

For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet ...
Mike B (11.9k)
2 votes
1 answer
4k views

How can NETSH be used to sniff and collate network traffic?

I am trying to capture all network traffic and view it in a human-readable way. To begin packet capture with netsh, I am running the following command. netsh trace start scenario=NetConnection ...
jsc (145)
2 votes
1 answer
15k views

Client sends RST after FIN,ACK

While doing a file transfer using the secure file transfer protocol, I am seeing the behaviour given in the image below. Instead of accepting packets from the server, it simply sends a RST. Found a similar ...
Joemon Emmatty
0 votes
1 answer
934 views

How can I identify the cause of packet loss in DNS?

We have upgraded some of our routers to Ubuntu 16.04 and are now getting some performance problems with DNS. It seems that packets are sometimes truncated, but I have no clue what else I can do: This ...
Thomas (187)
6 votes
2 answers
8k views

How to determine which process is sending UDP packets once per hour?

I was doing a packet capture as part of a development project and saw some odd traffic coming from my machine in the capture file. About every 3600 seconds, a NAT-PMP request is being sent to the IP "...
fdmillion (409)
1 vote
1 answer
3k views

Packet captures saved in .bin file format

Does anyone know of a tool to open a packet capture saved as a .bin file? Or how to convert it to pcap or something Wireshark can open? I took a packet capture from a thin client and when I ...
veel84 (288)
0 votes
1 answer
661 views

How do I generate a source of netflow data for nfcapd?

I am trying to use nfcapd to save NetFlow files for use by a network analysis tool. How do I capture network traffic on my host and send it into nfcapd? Can I use Wireshark/tshark or something ...
aaa90210 (351)