Questions tagged [packet-capture]

is for questions about capturing packets of various protocols that are transmitted over a network.

A lot of computer network protocols transmit their contents in packets. Packet capture is the interception of these packets as they are moved over a network of some type.

A packet sniffer captures raw data traveling over a network segment and saves it to a file for analysis.

Software

A software sniffer can generally only capture network data either originating from or going to the computer running it, plus any "broadcast" messages, if the computer is connected to the network via a switch. If the computer is connected to the network via a router, it may be able to capture network data for any device on connected to the same router.

Hardware

A hardware packet sniffer is physically connected to the network by connecting it to a router or switch. Sometimes the router or switch has to be configured to allow the sniffer to capture traffic being routed through it; this is called port mirroring.

Analysis

The captured data can be analyzed by the software that captured it, or by a program specifically designed to analyze the network data.

See Also

Wikipedia Article on Packet Analyzers
The term packet sniffer is also common and can be considered a synonym.

659 questions

7

votes

1 answer

frame contains "\x03\x00\x0e\xa8" display filter in wireshark displays packets not containing these bytes

i used the following filter in wireshark to find the packets containing these bytes : frame contains "\x03\x00\x0e\xa8" but when i see the result of this filter, it displays more than 1k packets which don't even contain these bytes. For example, it…

network-programming wireshark packet-capture tcpdump wireshark-dissector

asked Sep 20 '12 at 11:37

mezda

3,537
6
30
37

7

votes

2 answers

How to find the packet loss in Wireshark?

I need to test packet loss for an FTP application. I used the Wireshark packet sniffer, and I got TCP Stream. How do I find the packet loss using Wireshark?

packet wireshark packet-capture

asked Jun 30 '09 at 11:13

krishnakumar

2,187
5
21
24

7

votes

1 answer

Does libpcap always make a copy of the packet?

I am writing monitoring program for a very high traffic network (HD videos are streamed through the network). Most packets are very large and I only want to watch the headers (IP and UDP/TCP only). Of course I want to avoid overhead of copying the…

libpcap packet-capture

asked Apr 29 '12 at 10:59

Ameer Jewdaki

1,758
4
21
36

6

votes

1 answer

How to sniff iphone network data

I have recently been having problems with my app and I need to view the data being sent to and from my iPhone. I have read about Paros and downloaded it, but I don't know what information I need to put into paros and my iPhone to make it work. I am…

iphone packet-capture packet-sniffers

asked Jan 09 '11 at 23:20

user513064

6

votes

1 answer

BPF expression to capture only arp-reply packets

Is there a BPF expression that would only capture arp-reply packets? Currently, I am using Pcap4J and the following BPF expression: arp and dst host host and ether dst mac where host is the IP address of my device and mac is the MAC address of my…

java packet-capture arp bpf pcap4j

asked Oct 22 '16 at 20:09

rolling_codes

15,174
22
76
112

6

votes

1 answer

What's the meaning of "ecr" option in tcpdump?

19:25:47.629351 IP 2.2.2.2.80 > 1.1.1.1.31889: Flags [.], seq 2372487272:2372492544, ack 2808407165, win 122, options [nop,nop,TS val 911640439 ecr 235835291], length 5272 19:25:47.631626 IP 1.1.1.1.31889 > 2.2.2.2.80: Flags [.], ack 2372480682, win…

networking tcp tcpdump packet-capture

asked Sep 19 '16 at 12:41

Dan

3,221
7
27
24

6

votes

4 answers

Analyzing Bluetooth Low Energy Traffic

While trying to study BLE I am wondering if it is possible to analyse it through tools like Wireshark and snort? I came across one by the name "ubertooth" but that's a USB device which needs to be purchased in order for us to do DPI on BLE frames,…

bluetooth-lowenergy wireshark packet-capture snort

asked Sep 17 '15 at 21:55

user3563251

69
1
1
4

6

votes

4 answers

What's the BPF for HTTP?

The definition can be seen here. The candidate answer may be tcp and dst port 80,but can tcp and dst port 80 guarantee it's HTTP traffic and includes all HTTP traffic? It seems not,because some site can be visited by specifying a different port…

c packet-capture

asked May 05 '10 at 16:47

Gtker

2,237
9
29
37

6

votes

2 answers

C Program to receive and send the same packets out over another interface

I have a linux system with two physical interfaces. I need to intercept (read) incoming packets over one interface, read (or process) the data and send it out over the other interface as it is - just like a middleman. I am able to extract all the…

c sockets networking packet-capture

asked Nov 13 '14 at 12:00

anon_16

329
2
3
11

6

votes

4 answers

How to send pcap file packets on NIC?

I have some network traffic captured pcap file and want to send its packets on NIC; is it possible? Is there any application to do this?

network-programming packet-capture pcap

asked Dec 23 '09 at 15:05

salman

1,966
3
15
18

6

votes

2 answers

RawCap sniffer results in empty pcap file

So... I'm attempting to use RawCap to capture traffic to localhost When I run rawcap, it reports packets in the cmd prompt - but the dump file is always empty. Any ideas (I've tried running with admin privs)

pcap packet-capture

asked Jan 17 '13 at 20:42

iasksillyquestions

5,558
12
53
75

6

votes

3 answers

How to capture network packet in Android without using any root permissions

I want to capture network data packets on android app. Do you have any suggestions or source code to help me understand if this is possible?

android capture packet-capture packet-sniffers

asked Aug 09 '12 at 00:09

Kadir GÜZEL

141
1
1
11

6

votes

1 answer

Wireshark not capturing HTTPS packets?

Wireshark is not capturing https packets. I've tried filtering them by portmap.port == 443 but no https packet is shown, however, http packets are captured fine. Any suggestions?

https wireshark packet-capture

asked Aug 07 '12 at 10:16

Uzair Farooq

2,402
3
24
37

5

votes

1 answer

How can I get a live view of the tcpdump from the Android emulator in Wireshark on OSX?

I currently need to debug the communications between my application and the server. I have been able to capture the packets by launching the emulator with the tcpdump switch: %emulator -tcpdump emulator.cap @MyDroid The problem I have, is that I…

android macos android-emulator wireshark packet-capture

asked Nov 04 '11 at 14:14

Eric Levine

13,536
5
49
49

5

votes

1 answer

using tshark with timestamp and flags

I am trying to use tshark with a few flags and also get timestamp for each filtered trace. I am using this to filter all the DNS queries in my system. I am not able to get the time stamps along with the filters working. For instance if i try…

packet-capture tshark

asked Sep 02 '18 at 15:48

gsk308

55
1
5

Prev 1 2 3

…

43 44 Next