Wireshark is an open source network protocol analyzer released under the GNU General Public License.
Questions tagged [wireshark]
507 questions
8 votes, 3 answers
Excessive 'TCP Dup ACK' & 'TCP Fast Retransmission' causing issues on network. What's causing this?
I'm getting excessive TCP Dup ACK and TCP Fast Retransmission on our network when I transfer files over the MetroEthernet link. The two sites are connected by one sonicwall router, so the sites are only one hop away.
Here is a screenshot from…

Ingram
8 votes, 1 answer
How to filter for HTTP 500 responses and their requests in Wireshark?
How do I filter for HTTP 500 responses and their requests in Wireshark?
I'm able to use http.response.code == 500 to find all the responses which got the return code 500 but I want to be able to see the requests of those responses, too.
Update: I…

Martin
7 votes, 2 answers
How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?
For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet capture only shows me encrypted data.
Is there a…

Mike B
7 votes, 2 answers
TCP acks are paused, then resumed, then paused again. Why?
I would like some help finding the reason for the reduced data transfer rate in my application.
I have 12 embedded systems and a Linux server. The embedded systems send data to the server over TCP on an Ethernet link through a switch. The following…

martinhans
7 votes, 1 answer
Can firewall block packets visible in Wireshark?
Wireshark shows that an RTP package is received on a PC.
Is it possible that, despite detection by Wireshark, something (a firewall?) is still preventing the application listening on the required port on that PC from receiving the package?
Example. Wireshark…

TheMeaningfulEngineer
7 votes, 1 answer
tcpdump capturing tcp resets by host
I am trying to figure out where my tcp resets on my webserver happen. I have the following capture:
tcpdump -fnni bond0:-nnvvS -w dump.pcap 'tcp[tcpflags] & (tcp-rst) !=0'
When I look at the pcap in Wireshark, it shows me resets:
Flags: 0x004…

rahrahruby
7 votes, 2 answers
How to decrypt IKEv2 in Wireshark using StrongSwan log info?
Wireshark has the ability to decrypt IKEv2, if you do Preferences, select ISAKMP, it offers an IKEv2 decrypt table which wants the initiator's and responder's SPIs, the encryption and authentication keys (SK_ei, SK_er, SK_ai, SK_ar) and the…

user458233
7 votes, 2 answers
tcpdump: snaplen set to 0 but still get "Packet size limited during capture"?
Due to this problem, I'm going to sniff some packets on the MySQL server backend to see what happens:
# tcpdump -vv -s0 -c 100 -i bond0 tcp port 3306 and host 192.168.3.87 -w /home/quanta/3.87_aborted.pcap
As you can see, I set snaplen to 0, but…

quanta
7 votes, 4 answers
Capturing multicast data with Wireshark with IGMP Snooping Enabled at the switch
I am trying to capture multicast traffic via Wireshark (actually TShark), however the switch has IGMP snooping enabled and will only send Multicast traffic on the ports that have an active IGMP subscription.
I am currently getting around this by…

Chuu
7 votes, 1 answer
tcpdump filter for tcp zero window messages
Is there a pcap filter for TCPDump that will allow me to filter zero window messages?
I know how to filter these in a wireshark display filter (tcp.analysis.zero_window) but the amount of data I need to work with easily crashes wireshark (at least…

Kyle Brandt
7 votes, 6 answers
Does Wireshark pose a threat when installed on a server in the DMZ?
If you install Wireshark on a web server sitting in the DMZ, is there a hack that can be used to get backdoor entrance to that server even when RDP is disabled? I'm trying to monitor the wire on the DMZ web server but getting pushback from the DMZ…

G33kKahuna
7 votes, 4 answers
Wireshark and IPSec
I am trying to troubleshoot communication between two servers on a Windows network where IPSEC is encrypting everything. I installed wireshark on the source server and captured traffic at the point that the communication is failing, but other than…

Sean Earp
6 votes, 4 answers
How do you continuously run Wireshark without eating up all of my RAM?
I need to run Wireshark all night to capture packets from a certain IP address. I notice the longer Wireshark runs, the more RAM it takes up because it stores all of the packets found during the run. There are 3 possible solutions for me, but I…

clarity
6 votes, 3 answers
What would a PCAP filter look like to capture all DHCP-related traffic?
As I understand it, for IPv4 I would need to capture
UDP port 67 and 68,
ARP,
ICMP echo request and reply,
and for IPv6 I would need
UDP port 546 and 547,
all DHCP-related multicast addresses,
ICMPv6 neighbor discovery.
I want to capture DHCP…

Mathias Weidner
6 votes, 1 answer
Can WireShark detect Ethernet PAUSE packets on network when running on Windows?
We have a Windows server which is connected to a switch processing a large quantity of data. We noticed that when we disabled FlowControl on the network adapter, that it appeared that we were getting much better performance. We are occasionally…

Benjamin Peikes