Revision history

revision 1
initial version

tshark capture display out of chronological order?

New tshark user, self-educating networker, trying to debug a proxy server. On the server machine, looking at standard output of this command:
sudo tshark -f not\ port\ 22 -i enp2s0 -f host\ 192.168.50.212 -i wg0 -l

enp2s0 is where the proxy client connects. 192.168.50.212 is the address of enp2s0 (-p isn't working for me, hence this filter and the not port 22 one). wg0 is the virtual interface of the local end of a WireGuard VPN tunnel.

I see the following, where "..." denotes me truncating the line:

502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP 277 CONNECT ifconfig.me ...
503 47.114636300 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
504 47.115387336 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x7a6e A ifconfig.me
505 47.115428139 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x8f64 AAAA ifconfig.me
506 47.319604790 192.168.50.212 → 192.168.50.200 TCP 170 HTTP/1.0 500 Unable to connect ...
507 47.319861769 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
508 47.319917721 192.168.50.212 → 192.168.50.200 TCP 271 8888 → 57666 [PSH, ACK] ...
509 47.320158898 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect
511 47.320428367 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [FIN, ACK] ...
512 47.320428585 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
513 47.320469557 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
514 47.320642196 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
515 47.319108832 1.1.1.2 → 10.4.0.2 DNS 128 Standard query response 0x8f64 AAAA ifconfig.me SOA ns31.domaincontrol.com
516 47.319109241 1.1.1.2 → 10.4.0.2 DNS 73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81

At first I wondered why at #506 the proxy is sending "Unable to connect" to the client immediately after sending the DNS query into the tunnel at #504-505. Then I noticed the timestamps. #515-516 are the DNS responses received before #506. (I'm still wondering why the proxy would report "Unable to connect," but I think that's a separate issue.)

Is there anything I can do to have tshark display output in chronological order?
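The reordering the question asks about, as an added example that is not part of the original post and not code from the Wireshark project. For a capture saved to a file, Wireshark ships a separate reordercap tool that rewrites the file in timestamp order; the script below does the equivalent on tshark's printed summary lines, and additionally reports which frames were printed late and which capture interface they belong to. It assumes tshark's default summary columns (frame number, relative time, source, arrow, destination, protocol, length, info) as shown above, uses a constructed copy of the question's packet list as input, and takes the address-to-interface mapping from the question's description (192.168.50.212 on enp2s0; 10.4.0.2 assumed to be the local wg0 tunnel address).

```python
"""Reorder tshark one-line summary output by its timestamp column.

Added example for this question, not code from the original post or from the
Wireshark project. Assumes tshark's default summary columns: frame number,
relative time, source, "→", destination, protocol, frame length, info.
"""
import re
from dataclasses import dataclass

# Default tshark summary line: "<no> <time> <src> → <dst> <proto> <len> <info...>"
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s*(?P<info>.*)$"
)

# Constructed sample: the frames shown in the question, in the order tshark printed them.
SAMPLE = """\
502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP 277 CONNECT ifconfig.me ...
503 47.114636300 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
504 47.115387336 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x7a6e A ifconfig.me
505 47.115428139 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x8f64 AAAA ifconfig.me
506 47.319604790 192.168.50.212 → 192.168.50.200 TCP 170 HTTP/1.0 500 Unable to connect ...
507 47.319861769 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
508 47.319917721 192.168.50.212 → 192.168.50.200 TCP 271 8888 → 57666 [PSH, ACK] ...
509 47.320158898 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect
511 47.320428367 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [FIN, ACK] ...
512 47.320428585 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
513 47.320469557 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
514 47.320642196 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
515 47.319108832 1.1.1.2 → 10.4.0.2 DNS 128 Standard query response 0x8f64 AAAA ifconfig.me ...
516 47.319109241 1.1.1.2 → 10.4.0.2 DNS 73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81
"""

# Assumed mapping of local addresses to capture interfaces, taken from the question's description.
IFACE_OF_ADDR = {"192.168.50.212": "enp2s0", "10.4.0.2": "wg0"}


@dataclass
class Frame:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_summary(text: str) -> list[Frame]:
    """Parse tshark summary lines into Frame records; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), float(m["time"]), m["src"], m["dst"],
                                m["proto"], int(m["len"]), m["info"].strip()))
    return frames


def out_of_order(frames: list[Frame]) -> list[int]:
    """Frame numbers printed after some frame that carries a later timestamp (the 'late' frames)."""
    late, high_water = [], float("-inf")
    for f in frames:
        if f.time < high_water:
            late.append(f.no)
        else:
            high_water = f.time
    return late


def chronological(frames: list[Frame]) -> list[Frame]:
    """Stable sort by timestamp, so frames with equal timestamps keep tshark's print order."""
    return sorted(frames, key=lambda f: f.time)


def by_interface(frames: list[Frame], iface_of_addr: dict[str, str]) -> dict[str, list[int]]:
    """Group frame numbers by the interface implied by the local address; 'unknown' if neither side maps."""
    groups: dict[str, list[int]] = {}
    for f in frames:
        iface = iface_of_addr.get(f.src) or iface_of_addr.get(f.dst) or "unknown"
        groups.setdefault(iface, []).append(f.no)
    return groups


FRAMES = parse_summary(SAMPLE)

if __name__ == "__main__":
    late = out_of_order(FRAMES)
    print("printed out of order:", late)
    print("per interface:", by_interface(FRAMES, IFACE_OF_ADDR))
    for f in chronological(FRAMES):
        flag = "  <-- moved earlier" if f.no in late else ""
        print(f"{f.no} {f.time:.9f} {f.src} → {f.dst} {f.proto} {f.length} {f.info}{flag}")
```

Run on the sample, the script flags frames 515 and 516 as late and moves them ahead of 506, and the per-interface grouping shows that every late frame came from the tunnel side (wg0) while the in-order frames came from enp2s0, which is the pattern to expect when one tshark process merges two live captures and prints each interface's packets as its buffer is delivered.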