Questions tagged [wireshark]

Wireshark is an open source Network Protocol Analyzer under GNU License.

507 questions
0 votes, 1 answer

Can a remote connection from outside a LAN be invisible to protocol analyzers such as Wireshark, Process Hacker, Nbtstat?

When studying the behavior of trojans and Remote Access Trojans (RATs) this question came up. Can an attacker create a trojan that could trick the OS or the NIC into hiding a remote connection to a computer so tools like Wireshark or Process Hacker…
user333243
0 votes, 0 answers

Wireshark doesn't filter http.host correctly

When trying to filter for a specific host with http.host=="abc.com" it shows me everything instead of only the related packets. What am I doing wrong? Wireshark 1.12.6
thedp
0 votes, 2 answers

Wireshark unable to capture squid traffic at port other than 3128

I use the following display filters to analyze traffic between client and squid3 server with Wireshark but nothing shows up. http && tcp http && tcp && tcp.port == 3888 If I changed the squid port back to 3128 then I can see the HTTP packets. Is…
user891260
0 votes, 1 answer

Wireshark sort by TCP dup ack and sort by worst offender?

I have lots of hosts on this network, I want to find out who is the "noisiest", I captured 500k packets and many hosts have TCP dup ack (and other things), what regex should I use to sort by and then order output to show worst offender IP? If I…
batflaps
0 votes, 1 answer

Is the output complete after omitting [TCP segment of reassembled PDU]?

If the tshark -r dumpfile output contains the type [TCP segment of a reassembled PDU], as in 81 3.164109000 4.5.6.7 -> 12.13.14.15 TLSv1.2 609 Application Data 83 3.164523000 4.5.6.7 -> 12.13.14.15 TCP 2802 [TCP segment of a reassembled…
serv-inc
0 votes, 1 answer

Capturing unencrypted HTTPS traffic using Wireshark

I am trying to capture HTTPS traffic between a client (Windows machine) and a server. I would like to do this before the traffic is encrypted as I would like to analyze its contents. Is there an easy way to do this on the local machine? For…
0 votes, 1 answer

MCU packet capture

I am trying to do a packet capture of a video conference hosted with CISCO [Codian] MCU. The instructions for capturing SIP packets with Wireshark are available. I also configured MCU to accept SIP calls. I have installed X-Lite as a SIP client and…
Moshe Shmukler
0 votes, 1 answer

Too Many HTTP Requests from one source

We are having an issue at one of our customer sites where Tripwire is flagging events when more than 1000 HTTP connections are being individually created from different IP addresses within a span of one minute. We have turned on keep-alive (10 secs)…
0 votes, 0 answers

Remote packet capturing using fifo and dumpcap

I'm currently working on two Linux servers where one server is running 2.6.18-274.el5 (Server A) and the second one CentOS 7 (Server B). My requirement is to capture the packets of the network interface of Server A from Server B. For that…
BAdhi
0 votes, 1 answer

How to ping a host with different MTU size to simulate icmpv6 packet too big scenario?

As the title states, I want to check whether my host will actually send an ICMPv6 Packet Too Big if I send a packet beyond the defined MTU size. I don't have a Cisco router (extended ping) to try out the scenario, hence I would like to inject the…
Renold
0 votes, 0 answers

Unknown device showing up in network scan

I need some help finding a device that has been showing up whenever I scan my network using Spiceworks' "Inventory" scan. I can ping the device, but nslookup returns a non-existent domain, and Spiceworks is telling me that the device has no open…
zomgdavidbowie
0 votes, 0 answers

What conditions can account for incorrect inbound TCP checksums?

According to The Wireshark FAQ TCP checksum offloading causes checksums for outbound traffic to be calculated incorrectly. On some Linux hosts I see some inbound TCP traffic that is flagged with incorrect checksums: $ sudo tcpdump -n -vvv dst…
eradman
0 votes, 2 answers

Wireshark/tshark cutting data short

We are doing a packet capture from within our testing software using the command line: tshark -V -i vlan2091 -R "bootp.hw.mac_addr contains "00:17:33:00:00:00"" The problem we have is one of the DHCP options is displayed in hex and cut short. Is…
MikeKulls
0 votes, 1 answer

Difference between ISAKMP exchange types IKE_SA_INIT and Identity Protection

I have some Wireshark traces to see how ISAKMP works. These traces were taken from peers when an IPsec tunnel is established. It seems that the traces display a different IPsec implementation. When IKE phase 1 takes place sometimes I see packets…
MABC
0 votes, 1 answer

Plain UDP shows up as STUN in Wireshark

I am sending 4 bytes of data over UDP upon request from another program. Sometimes the frame's protocol is identified as STUN in Wireshark, but I have no clue why. A Ruby prototype of the communication looks like this (simplified down as much as…