Questions tagged [wireshark]

Wireshark is an open source network protocol analyzer released under the GNU General Public License.

-1 votes
0 answers
57 views

TLS1.2 connection issue

I am not sure if this is a TLS1.2 connection issue or something else. I have this Wireshark trace summary. I have a client and an Exchange server. I am using the below command on the client machine. Invoke-...
Cell-o • 325
4 votes
1 answer
549 views

tcpdump -vvv is not verbose enough

For tcpdump, I use this command to see the packet details: tcpdump -vvv -i interface and to save the packets into a pcap file: tcpdump -i interface -w output The details from the first command are ...
shadow • 41
0 votes
1 answer
47 views

Established TCP Communication terminates without any clue

I'm not able to understand what might be the reason for a lost TCP communication over RPC between a CentOS 7 and a Windows 2019 Server. From Wireshark I could see that the TCP communication is ...
user2264738
0 votes
0 answers
37 views

Repeated TCP DUP ACK of the same initial packets

I'm using Wireshark to analyze one of the TCP conversations in my packet capture and I have this sequence where the entire conversation between these two ports is made out of TCP DUP ACK for the same ...
user199421
0 votes
0 answers
74 views

Small read size by Windows SMB client

I am setting up a Linux server for high resolution online video editing. When I access the SMB share from a Windows 11 client, Wireshark analysis shows that the SMB Read requests are always a maximum ...
swami • 155
0 votes
1 answer
169 views

Why can't wireshark see local interfaces?

I'm experiencing some strange network errors on my local machine (MS-Windows 10 Enterprise 22H2). These also manifest in a WSL container running on the machine (but not on any other device on the same ...
symcbean • 21.9k
0 votes
0 answers
79 views

Promiscuous Mode on VMware capturing only broadcast

I'm facing an issue with using promiscuous mode on VMware. I have 3 VMs connected to a single portgroup on which promiscuous mode has been enabled. It's changed to "Accept". I am monitoring ...
stealthmode
0 votes
1 answer
350 views

Proxmox host cannot reach guest: TCP client retransmitting instead of sending ACK after SYN/ACK

Setup: server (HTTP server on 80) on 192.168.1.20, clients on 192.168.1.17, 192.168.1.18 Client 192.168.1.17 can connect to the server fine (Wireshark capture on the client side attached) 1 0.000000 ...
Zixian Cai
0 votes
2 answers
4k views

What is Option 60 (Vendor Class Identifier) used for in DHCPv4?

Currently I'm using Wireshark to analyze the DHCP process between wireless devices and my DHCP server (which in this case, is my Wi-Fi router). On all of the devices that I tested, I noticed that each ...
fancyshark
0 votes
0 answers
243 views

Failing to decrypt kerberos AP_REP with wireshark

I'm trying to decrypt Kerberos traffic with Wireshark for learning purposes. My process is the following: First I retrieve the keytab for the test user with kadmin kadmin.local: ktadd -k vdzh-fin.keytab ...
vudex • 1
0 votes
0 answers
76 views

How do I convert raw data to text in data field in LPD protocol from wireshark?

I have captured the data sent to a receipt printer (https://starmicronics.com/support/products/tsp100iii-support-page/) using Wireshark. It seems that the printer uses LPD protocol. How do I convert ...
null • 101
0 votes
0 answers
187 views

Not able to decrypt traffic with tshark and curl

Run tshark in the background (tshark -i any -w file_name.pcap -f "(port 443 or port 10002)") on the server machine. Run the curl command on the client machine after setting export SSLKEYLOGFILE=...
Sameer Naik
0 votes
0 answers
57 views

Periodic Disconnection with DHCP DISCOVER

Layout: 192.168.0.103 (the one that loses the connection; Wireshark capture), 192.168.0.84 (the one that works properly; Wireshark capture). We have an app that receives data from one of our devices. We installed ...
Batuhan Zorlu
0 votes
1 answer
237 views

Continuous [ACK]Packets Without any Response From Receiver

Our application sends some data to one of our devices via TCP/IP. However, the communication in between is not working as it should. Because TCP/IP is bidirectional, if one side sends data to the other, ...
Batuhan Zorlu
0 votes
1 answer
426 views

Apache server on Macos Monterey not accepting external public IP connections... why?

I am using MacOS Monterey 12.4 and have configured an Apache 2.4 server with virtual hosts that listen to all interfaces (0.0.0.0:80) on my host. I have tested my private ip (192.168.1.2), external-...
theptr104
1 vote
2 answers
1k views

PXE with proxyDHCP server: What makes a DHCP client accept / ignore offers from primary DHCP?

I am considering a setup with a primary DHCP server providing "IP data" (IP address, subnet mask, DNS, …), and a proxyDHCP server providing only PXE boot options. As it happens, my proxyDHCP ...
rikinet • 33
0 votes
1 answer
420 views

How to track down IPv6 DNS server configuration with Wireshark?

What Wireshark filter should I use to track down IPv6 DNS server advertisements on the network? I don't see any DHCPv6 traffic on my network, so I assume that the config of clients is happening ...
dunxd • 9,662
0 votes
0 answers
292 views

REST requests to an API falls in timeout randomly

I developed a web app that communicates with an external API over REST. Most of the time I have no problem, but a few times (1 or 2 times a day) my request times out although the ...
Serial42
0 votes
0 answers
167 views

Checking for port exhaustion using WireShark

We have been having some rare port exhaustion issues on our computers. We deployed a little netstat monitoring app that tracks the amount of TIME_WAIT statuses per application and notifies us if there ...
Zarif Rahman
1 vote
0 answers
93 views

Why are network packets getting sent to incorrect switch port

All, I have multiple security monitoring devices that lose communication/connectivity on a regular basis throughout the week. I have set up WireShark to monitor the network traffic going to/from one ...
ClydeR • 11
0 votes
0 answers
22 views

Connection drop

Trying to solve this problem here but not 100% sure what's the issue. 4 Fetal monitors and a PC in a clinic are connected to a switch. Those communicate with the PC. 1 to 4 times a day there is a ...
kasper • 1
0 votes
1 answer
625 views

How to detect packets on mirrored port using Promiscuous mode on a VM running on Proxmox

I have a Proxmox server with four network ports eno1, eno2, eno3, eno4. The eno4 is used for management console and internet access using vmbr0 linux bridge. I have created a vmbr1 bridge for the port ...
arunkannan
0 votes
1 answer
130 views

TCP packets being lost

I have some TCP packets being lost. I have monitored the interface with tcpdump pcap file - https://www.dropbox.com/s/7m3hr1b7065tenx/tcp.pcap?dl=0 I noticed that when I lose packets I only get 5 ...
Ruby dev
0 votes
0 answers
160 views

How can I inspect everything that happens before a TCP handshake

On my local machine, when I connect to a remote Linux machine with netcat I can only see 3 related packets (the TCP handshake) in Wireshark. I'm pretty sure there's more that happens before that (router -...
voyager19
0 votes
0 answers
212 views

What does it mean if I don't receive a SMB Negotiate Protocol Response from server?

What does it mean to not get an SMB Negotiate Protocol Response from server? Unable to mount fileshare drive (a third-party fileshare outside Azure). The architecture is similar to this one: https://...
Mel J • 1
0 votes
0 answers
220 views

Traffic capture at boot

I'm trying to figure out what packets a linux host sends at boot in order to debug it. Is there a way to start packet capture during boot time to not miss any packets? What is your way of going about ...
lolz • 11
2 votes
0 answers
146 views

TShark - Include decrypted tls data in output

I'm trying to read https requests from an application and while I can somewhat make sense of the data using wireshark, I cannot make tshark output the data as I want it. One of the problems I've ...
Busata • 121
0 votes
0 answers
258 views

Difference between TCP Segment Data and Data on a Wireshark capture

I am trying to replicate some TCP communication that is sent from MongoDB and I have been able to replicate it byte by byte and it is still not being recognized. The only difference I could find when ...
kolrie • 235
0 votes
1 answer
69 views

DNS behavior / Wireshark

I'm a Cloud Engineer and currently diving into networking and stuff. I have a question, I have the understanding that whenever I go to a site the first thing is DNS. So a DNS request gets sent to a ...
FMaj7 • 1
1 vote
1 answer
2k views

How to capture USB traffic using Wireshark in linux CLI?

I've found (hopefully) all I need in order to setup Wireshark and usbmon kernel module - including allowing a non-root user to capture USB traffic: https://www.wireshark.org/docs/wsug_html_chunked/...
tishma • 203
0 votes
1 answer
442 views

Why do I see unicast packets for a different IP when I sniff my interface?

I hook up a laptop via gigabit Ethernet to my corporate network and run Wireshark on the interface. I expect to see all broadcast and multicast traffic and unicast traffic either originating from or ...
petiepooo • 115
0 votes
0 answers
188 views

Bytes-in-flight higher than receiver window in frozen client connections

I am dealing with sort of a "ghost issue". We have an endpoint URL that some people can use at all times with no issues but others have a frozen connection on the client side (checked with ...
Ver Siw
0 votes
0 answers
1k views

How to find the symmetric key algorithm being used for a TLS connection in Wireshark?

I'm doing a TLS Wireshark lab and I can't find any information in Wireshark, the lab, or online how to find this answer: What symmetric key cryptography algorithm is being used by the client and ...
cocoakrispies98
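The symmetric algorithm is not a separate Wireshark field. The server's chosen cipher suite in the Server Hello (Wireshark field tls.handshake.ciphersuite) names the key exchange, the bulk cipher and the hash together, and for TLS 1.3 the negotiated version sits in the supported_versions extension rather than in the record's version bytes. The following Python is an added example, not code from the question or any answer: it parses a constructed ServerHello and pulls the suite and the bulk cipher out of it. The suite table is a hand-picked subset of the IANA registry; the sample records are constructed here, not captured traffic.

```python
import struct

# IANA cipher suite registry values (subset); the symmetric algorithm is part of the name
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_VERSIONS = {b"\x03\x01": "TLS 1.0", b"\x03\x02": "TLS 1.1",
                b"\x03\x03": "TLS 1.2", b"\x03\x04": "TLS 1.3"}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 0x002B


def build_server_hello(legacy_version, suite, extensions=b""):
    """Construct a ServerHello record (constructed sample input, not a capture)."""
    body = legacy_version + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", suite) + b"\x00"           # cipher suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + legacy_version + struct.pack("!H", len(handshake)) + handshake


def bulk_cipher(suite_name):
    """Strip key exchange and hash from a suite name, leaving the symmetric cipher."""
    if "_WITH_" in suite_name:                 # TLS 1.2 style: KX_WITH_<cipher>_<hash>
        rest = suite_name.split("_WITH_", 1)[1]
    elif suite_name.startswith("TLS_"):        # TLS 1.3 style: TLS_<aead>_<hash>
        rest = suite_name[4:]
    else:
        return "unknown"
    return rest.rsplit("_", 1)[0]


def parse_server_hello(record):
    """Return negotiated version, cipher suite and symmetric cipher from a ServerHello."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    negotiated = body[0:2]                     # legacy_version; stays 0x0303 even for TLS 1.3
    pos = 2 + 32                               # skip legacy_version and server random
    pos += 1 + body[pos]                       # skip session id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]   # Wireshark: tls.handshake.ciphersuite
    pos += 2 + 1                               # past suite and compression method
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = body[pos:pos + 2]     # the real version for TLS 1.3 lives here
            pos += elen
    name = CIPHER_SUITES.get(suite, f"unknown_0x{suite:04x}")
    return {"version": TLS_VERSIONS.get(negotiated, negotiated.hex()),
            "cipher_suite": name, "bulk_cipher": bulk_cipher(name)}


# Constructed samples: a TLS 1.3 ServerHello (supported_versions = 0x0304) and a TLS 1.2 one
TLS13_SERVER_HELLO = build_server_hello(b"\x03\x03", 0x1301, b"\x00\x2b\x00\x02\x03\x04")
TLS12_SERVER_HELLO = build_server_hello(b"\x03\x03", 0xC02F)

if __name__ == "__main__":
    for rec in (TLS13_SERVER_HELLO, TLS12_SERVER_HELLO):
        print(parse_server_hello(rec))
```

The same walk applies to a real capture: select the Server Hello frame, expand the handshake, and the Cipher Suite line is the answer; for TLS 1.3 also check the supported_versions extension, since the Version line above it will still read TLS 1.2.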
1 vote
1 answer
46 views

Wireshark != doesn't work like it did before version 3.6

I use the filter ip.addr != 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3) to identify any traffic between our network and the outside (and also exclude class-D address space). This filter no longer ...
melds • 231
2 votes
1 answer
841 views

Duplicated UDP packets sent

We have a few applications that we develop in my company that talk to some hardware via UDP. Recently, we started having issues using these applications on some of our machines (hardware basically ...
harveyAJ • 121
-2 votes
1 answer
232 views

Discover IP address of the device knowing only MAC address

While "wiresharking" the network, you may come across packets that look like this: eth.src to eth.dst (mainly colored white). Sometimes Wireshark recognizes the protocol (LLC, NDP etc.), but ...
apech zzz
2 votes
1 answer
1k views

Wireshark find DNS response "Refused"

I'm looking for a way to filter a packet capture in wireshark for instances where our server responds with "Refused" to a recursive DNS query. dns.resp.type== doesn't seem to offer anything ...
tink • 1,035
0 votes
1 answer
464 views

DNS, why is it sometimes doing a PTR lookup before A lookup?

When I perform NSLOOKUP -q=a chinaa.cn I get the following result in Wireshark: Why did it FIRST look up the PTR of my ISP DNS before sending an A-request? And why did the DNS server respond first ...
Kahn Kah • 144
0 votes
1 answer
66 views

How to inspect outgoing traffic from Access Point

I have an Access Point which connects to a VPN and creates the internal WiFi network of our company everywhere. Now I need to inspect what VPN protocol this AP is using. I am not able to configure it, ...
jozinko9
1 vote
1 answer
117 views

How to find the linux user that sent the packet [duplicate]

Our server is compromised and we would like to know which accounts sent the malicious queries from our server. I used tcpdump to get this : our.host.net.48194 > box5596.bluehost.com.http: Flags [P....
SmootQ • 113
1 vote
0 answers
158 views

Running tshark and find in parallel + strict time-sorted output

I'm trying to obtain debug output of what "find" does compared to what happens on the network (tshark). Therefore I want to run these commands in parallel and have output meticulously ...
Marki • 2,854
0 votes
0 answers
214 views

How to identify source, destination ip using STUN and DTLS protocols?

Given the image I'm not able to identify which is the source and which the destination IP address (client or server). From the STUN protocol 1st packet it's a user request so I thought 131.202....
David Roonie
2 votes
1 answer
906 views

Piping SSH to wireshark on windows

In my day-to-day operations, I frequently need to execute tcpdump's on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it on ...
BANJOSA • 378
1 vote
0 answers
594 views

'socat' not displaying incoming UDP packets, but Wireshark does

The link is an image of a Wireshark dump of an incoming 60-byte Ethernet frame which contains a UDP packet. The packet payload is the single word 'hello' (sorry, I don't have enough rep to paste the ...
QF0 • 191
0 votes
1 answer
522 views

iptables DNAT change not showing up in Wireshark

I want to re-route all incoming traffic on interface ens4f0 to IP address 192.168.50.10, but Wireshark is showing that the destination IP address on incoming packets is unchanged. Is this the expected ...
QF0 • 191
0 votes
1 answer
179 views

When a router sends an ICMP protocol error message, how does it set its own TTL?

When using (traceroute -q 1 serverAddress), we know that it starts with TTL (Time to Live) = 1. When it goes through a router, the router decrements the TTL by 1. If the TTL becomes 0 at that router, it sends ...
David Roonie
0 votes
2 answers
985 views

How to capture a remote server in different network from home?

I want to capture packets from a remote server using Wireshark. I have a Linux-based server and I can access it through PuTTY. This remote server is not on my network. How could I access a ...
Istabraq Mahmood
0 votes
1 answer
844 views

Where is the ACK to the packet in frame 76? [closed]

I am working through Kurose's book as part of a class and this particular exercise involves submitting a .txt file to the server and capturing this transfer and the server's response. In one exercise ...
Segmentation fault
1 vote
1 answer
817 views

VoIP one-way audio, only when call initiated from one side

I am setting up some new switches and VLANs and I am getting trouble with our pre-existing Asterisk VoIP set-up. Most calls work ok. Some get just one-way audio. I tried to narrow it down to this ...
pgr • 459
-1 votes
1 answer
865 views

Python sockets: TCP errors in linux, while same program works fine on Windows10

I'm trying to communicate with a commercial power supply device via TCP/IP using Python sockets. I tried using both a virtual Linux (CentOS 8 Stream) and a virtual Windows 10, both running at the same ...
Cenkoloji