This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

VNC (RFB) dissector show not all data

0

If I set filter = "vnc" part of traffic not detected. Filter "tcp.port rq 5900" work more correct. Dissector not show data from packets like UserInit message, ServerInit, handshake, security options and any other data. Just binary data shown like in any another TCP packet. Also shown only data which was sent from server to client. But I want to see packets with queries from client to server.

alt text

asked 17 Sep '15, 02:27

QuAzI's gravatar image

QuAzI
6113
accept rate: 0%

edited 17 Sep '15, 02:30

Can you see any traffic at all from your client to anywhere? If not you have an (unfortunately common) issue with your Windows setup. The usual culprits are 3rd party VPN and AV software, do you have any of those installed?

(17 Sep '15, 03:19) grahamb ♦

I have no VPN and AV software installed at this PC. I can see all trafic in real LAN but this host work on VirtualBox 5.0.4 VM.

VM Network adapter settings:

  • Attached to: Host-only Adapter

  • Name: VirtualBox Host-Only Ethernet Adapter

(17 Sep '15, 03:41) QuAzI

VNC Server is RealVNC-5.2.3 (latest at this moment) with disabled security. I try write VNC client but I can't properly view traffic

(17 Sep '15, 03:51) QuAzI

Thanks. This can help resolve tracing trouble.

(17 Sep '15, 04:21) QuAzI

One Answer:

1

Maybe VB network tracing might help.

answered 17 Sep '15, 04:14

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I don't know why but traffic parsed from VB completely decoded now except some TCP packets

alt text

(17 Sep '15, 04:37) QuAzI
1

That looks normal to me, the first few frames with TCP as the protocol are ones that are "control" information for the TCP connection such as SYN, ACK etc. where there is no VNC protocol information.

The other reason for frames showing as TCP are where the frame contains a portion of the higher protocol PDU. e.g. frames 45, 46, you should see the completed VNC PDU a little further down.

(17 Sep '15, 06:13) grahamb ♦

Thanks for comments. Now everything is good

(17 Sep '15, 07:12) QuAzI

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(17 Sep '15, 07:54) grahamb ♦