Uli's profile - activity

2019-05-03 09:50:49 +0000 received badge  Enlightened (source)
2019-05-03 09:50:49 +0000 received badge  Good Answer (source)
2018-11-13 14:00:43 +0000 commented question How to display BSSLAP protocol, the data field can not decode.

The BSSLAP dissector is called by "GSM BSSMAP" dissector. So both dissectors must be enabled. Providing more details in

2018-11-07 07:07:45 +0000 received badge  Critic (source)
2018-11-07 07:07:42 +0000 received badge  Supporter (source)
2018-11-01 07:10:58 +0000 commented answer How to edit radius protocol packet in Wireshark?

I would also go with TraceWrangler for IP header etc. For editing Radius fields I would use Scapy. => Read pcap file,

2018-10-30 10:18:08 +0000 commented question Is there a dissector for CTI traffic among Avaya Contact Center and PBX "Avaya IP Office"?

Could you provide more details? As far as I know Avaya CC uses a bunch of protocols like SIP, RTP, HTTP. Maybe also som

2018-10-26 11:33:52 +0000 answered a question Malformed Packet:SV

Issue has been reported as Bug 15224 and has been fixed. Upcoming WS versions 2.6.5, 3.0 and 2.4.11 will include the fi

2018-04-25 19:53:47 +0000 received badge  Rapid Responder (source)
2018-04-25 19:53:47 +0000 answered a question Decrypting TLS traffic using RSA pre-master secret

According to epan/dissectors/packet-ssl-utils.c: /* The format of the file is a series of records with one of the follo

2018-04-14 13:50:50 +0000 edited answer Can Wireshark decode a LDAPs conversation?

Yes, it should be possible. Have you tried using 'Analyze' -> 'Decode as...' -> 'Field': 'SSL Port', 'Value': 'yo

2018-04-14 13:50:13 +0000 received badge  Rapid Responder (source)
2018-04-14 13:50:13 +0000 answered a question Can Wireshark decode a LDAPs conversation?

Yes, it should be possible. Have you tried using 'Analyze' -> 'Decode as...' -> 'Field': 'SSL Port', 'Value': <

2018-04-14 13:44:10 +0000 commented answer DCP-PFT filter in wireshark 2.x versions ...

Issue reported with bug 14607

2018-04-12 12:22:55 +0000 commented answer I am getting a Encryption alert from the Server and connection resets

As said, most of the time, an "Encrypted Alert" record contains the "Close notify" message. To be sure what's inside the

2018-04-11 06:11:00 +0000 received badge  Rapid Responder (source)
2018-04-11 06:11:00 +0000 answered a question I am getting a Encryption alert from the Server and connection resets

To clarify: You talk about SSL/TLS connections? You get a TLS Record with content type "Alert" (21)? This "alert" is u

2018-04-07 20:20:03 +0000 received badge  Rapid Responder (source)
2018-04-07 20:20:03 +0000 answered a question What is the unit of the field prism.did.signal?

According to epan/dissectors/packet-ieee80211-prism.c the value is dBm. 119 * I infer from the current NetBSD "wi" dr

2018-04-07 20:09:34 +0000 received badge  Rapid Responder (source)
2018-04-07 20:09:34 +0000 answered a question SMB2 Write requests not displayed

I can't reproduce your issue. Can you file a bug report? Please add a link to a sample capture and give some hints in w

2018-04-06 06:02:35 +0000 answered a question How I can capture packets on my mobile phone

If your mobile phone is running Android you can give it a try with androiddump.

2018-04-06 06:02:35 +0000 received badge  Rapid Responder (source)
2018-03-26 09:48:17 +0000 commented question How to decode ipfix315 payload using Tshark

Typo? You're running tshark with -d udp.port==2000,cflow. The dump shows UDP port 2200.

2018-03-26 09:47:56 +0000 commented question How to decode ipfix315 payload using Tshark

Typo? You're running tshark with -d udp.port==2000,cflow. The dump shows UDP port 2200.

2018-03-22 19:41:58 +0000 commented answer malformed smb2 packet for Server 2016 across a MPLS WAN

Glad I've been able to help. I first filtered for 'ip.addr==10.254.188.123 and tcp.port==445'. This showed the tcp stre

2018-03-22 19:41:58 +0000 received badge  Commentator
2018-03-20 20:42:36 +0000 answered a question malformed smb2 packet for Server 2016 across a MPLS WAN

For me this looks like an application issue caused by a Riverbed Steelhead: The capture (I inspected tcp.stream==426) sh

2018-03-20 20:42:36 +0000 received badge  Rapid Responder (source)
2018-03-06 12:55:27 +0000 received badge  Rapid Responder (source)
2018-03-06 12:55:27 +0000 answered a question why can I see the mqtt traffic only in the info column? (same for http)

It looks like you're running MQTT encrypted inside TLS (SSL). I guess the TLS Application data (e.g. frame 145) contains y

2018-01-16 20:40:50 +0000 commented question cannot access certain websites

Things I see in the capture file: The client 192.168.100 is able to establish a TCP connection to 52.85.220.13 (www.de

2018-01-16 20:40:31 +0000 commented question cannot access certain websites

Things I see in the capture file: The client 192.168.100 is able to establish a TCP connection to 52.85.220.13 (www.de

2018-01-02 20:36:57 +0000 received badge  Nice Answer (source)
2017-12-30 15:09:10 +0000 commented question "No interfaces found" on Windows 10 laptop

Is the npf service running? (Run cmd.exe as administrator and run the command sc qc npf) Have you tried to use npcap as

2017-12-30 15:01:28 +0000 answered a question Step by step SSL decrypt with wireshark

Have a look at Peter's slides of his talk at Sharkfest. TL;DR: Set environment variable SSLKEYLOGFILE before starting

2017-12-30 15:01:28 +0000 received badge  Rapid Responder (source)
2017-12-28 14:52:01 +0000 commented question Help to set up a "pass through bridge" sniffer

Yes, I know you asked for "Windows", but you can do this easily with Linux with brctl. You can run a Live Linux (such a

2017-12-24 11:45:08 +0000 commented question Modbus on UDP

Don't know if I get your question right: In current Wireshark (2.4.3 and developer build 2.5.X) the Modbus dissector has

2017-12-16 15:32:30 +0000 received badge  Enthusiast
2017-12-11 21:06:27 +0000 answered a question how can I graph mysql response time in wireshark

One possible way to get a graph is to use TRANSUM. Enable Transum (Analyze -> Enable Protocols -> Transum RTE Da

2017-12-11 13:14:46 +0000 received badge  Nice Answer (source)
2017-12-11 11:52:13 +0000 commented question Is it possible that wireshark doesn't recognize protocol?

Do you mean TCP and SSL as different protocols? If so: SSL is embedded in TCP. When there is TCP payload (tcp.len >0)

2017-11-28 19:18:34 +0000 commented question When/why would a device send a frame with ethertype 0x86dd (IPv6) but it's actually an IPv4 packet?

Looks totally strange to me. And no, your network should not be able to handle this packet (IMHO). I expect that the pac

2017-11-28 19:05:50 +0000 edited answer Help to read this trace

Your client is trying to use plaintext LDAP on port 636/tcp. Normally this port is used for LDAPS. Therefore the server

2017-11-28 14:43:18 +0000 answered a question Help to read this trace

Your client is trying to use plaintext LDAP on port 636/tcp. Normally this port is used for LDAPS. Therefore the server

2017-11-28 14:43:18 +0000 received badge  Rapid Responder (source)
2017-11-28 12:51:18 +0000 commented question Help to read this trace

It's a little bit hard as you've only posted the text output and not a pcap file. For me it looks like the LDAP server

2017-11-28 09:46:51 +0000 received badge  Teacher (source)
2017-11-24 11:50:59 +0000 received badge  Rapid Responder (source)