brec's profile - activity

2023-11-12 22:39:17 +0000 received badge Notable Question
2023-11-12 22:39:17 +0000 received badge Popular Question
2023-08-04 13:06:53 +0000 received badge Notable Question
2023-08-04 13:06:53 +0000 received badge Popular Question
2022-06-19 09:18:27 +0000 marked best answer tshark capture display out of chronological order?

New tshark user, self-educating networker, trying to debug a proxy server. On the server machine, looking at standard output of this command:
sudo tshark -f not\ port\ 22 -i enp2s0 -f host\ 192.168.50.212 -i wg0 -l

enp2s0 is where the proxy client connects. 192.168.50.212 is the address of enp2s0 (-p isn't working for me, hence this filter and the not port 22 one; that's another question). wg0 is the virtual interface of the local end of a WireGuard VPN tunnel.

I see the following, where 10.4.0.2 is the address of wg0 and "..." denotes me truncating the line:

 502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP     277 CONNECT ifconfig.me ...  
 503 47.114636300 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 504 47.115387336 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x7a6e A ifconfig.me  
 505 47.115428139 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x8f64 AAAA ifconfig.me  
 506 47.319604790 192.168.50.212 → 192.168.50.200 TCP      170 HTTP/1.0 500 Unable to connect ...  
 507 47.319861769 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 508 47.319917721 192.168.50.212 → 192.168.50.200 TCP      271 8888 → 57666 [PSH, ACK] ...  
 509 47.320158898 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect  
 511 47.320428367 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [FIN, ACK]  ...  
 512 47.320428585 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 513 47.320469557 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 514 47.320642196 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 515 47.319108832 1.1.1.2        → 10.4.0.2       DNS      128 Standard query response 0x8f64 AAAA ifconfig.me ...  
 516 47.319109241 1.1.1.2        → 10.4.0.2       DNS       73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81

At first I wondered why at #506 the proxy is sending "Unable to connect" to the client immediately after sending the DNS query into the tunnel at #504-505. Then I noticed the timestamps. #515-516 are the DNS responses received before #506. (I'm still wondering why the proxy would report "Unable to connect," but I think that's a separate issue.)

Is there anything I can do to have tshark display output in chronological order?

2022-06-19 03:24:02 +0000 edited answer tshark capture display out of chronological order?

Based on @Chuckc's comment to my question, I think that, strictly speaking, there's not an answer to getting "tshark dis

2022-06-19 03:23:05 +0000 edited answer tshark capture display out of chronological order?

Based on @Chuckc's comment to my question, I think that, strictly speaking, there's not an answer to getting "tshark dis

2022-06-19 03:21:40 +0000 received badge Rapid Responder
2022-06-19 03:21:40 +0000 answered a question tshark capture display out of chronological order?

Based on @Chuckc's comment to my question, I think that, strictly speaking, there's not an answer to getting "tshark dis

2022-06-19 03:18:21 +0000 commented question tshark capture display out of chronological order?

@Chuckc OK, thanks. I see that info reordercap suggests that multiple sources could result in some out-of-order output,

2022-06-18 17:11:16 +0000 edited question tshark capture display out of chronological order?

tshark capture display out of chronological order? New tshark user, self-educating networker, trying to debug a proxy se

2022-06-18 17:01:46 +0000 edited question tshark capture display out of chronological order?

tshark capture display out of chronological order? New tshark user, self-educating networker, trying to debug a proxy se

2022-06-18 17:00:26 +0000 edited question tshark capture display out of chronological order?

tshark capture display out of chronological order? New tshark user, self-educating networker, trying to debug a proxy se

2022-06-18 16:59:33 +0000 received badge Editor
2022-06-18 16:59:33 +0000 edited question tshark capture display out of chronological order?

tshark capture display out of chronological order? New tshark user, self-educating networker, trying to debug a proxy se

2022-06-18 16:56:26 +0000 asked a question tshark capture display out of chronological order?

tshark capture display out of chronological order? New tshark user, self-educating networker, trying to debug a proxy se

2022-06-17 21:51:03 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@Guy_Harris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently: 1 0.00000000

2022-06-17 21:50:46 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@Guy_Harris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently: 1 0.00000000

2022-06-17 21:45:35 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@GuyHarris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently: 1 0.000000000

2022-06-17 21:44:52 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@GuyHarris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently: 1 0.000000000

2022-06-17 21:43:35 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@GuyHarris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently: 1 0.00000

2022-06-17 21:06:42 +0000 commented question tshark: why is -p (no promiscuous mode) not working for me?

@Chuckc enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

2022-06-17 17:28:52 +0000 asked a question tshark: why is -p (no promiscuous mode) not working for me?

tshark: why is -p (no promiscuous mode) not working for me? sudo tshark -i enp2s0 -p on Ubuntu. New user. The host has

2022-06-10 14:23:08 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

Yes, I relied on "least to most" implying left to right, i.e., the ascii arrows pointing from worse to better. Besides,

2022-06-10 13:56:35 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

(Thanks for bearing with me!) Since tcpdump -> tshark for display capabilities, might it be better to use-- tshark

2022-06-10 13:54:06 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

(Thanks for bearing with me!) Since tcpdump -> tshark for display capabilities, might it be better to use-- tshark [

2022-06-10 11:52:50 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

Not sure what you mean by "dissects." To expand my previous: I'm capturing with tshark -w to generate a pcapng file, the

2022-06-10 11:07:17 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

I meant tcpdump only for examining the tshark pcapng file output, after Ctrl-C-ing out of tshark.

2022-06-09 23:32:55 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

Got it -- tcpdump

2022-06-09 23:24:19 +0000 commented answer GUI required? Use on headless Ubuntu Server via SSH?

(If I shouldn't turn this into a "newbie's questions" thread beyond the scope of my original question, please let me kno

2022-06-09 21:59:43 +0000 marked best answer GUI required? Use on headless Ubuntu Server via SSH?

My initial use would be determining what, if anything, is coming in to the server on one of its ethernet interfaces from my Mac on the same LAN subnet. There's a router and a switch between the Mac and the server. I'm trying to set up the server as a web proxy for the Mac.

2022-06-09 21:59:43 +0000 received badge Scholar
2022-06-09 21:55:40 +0000 asked a question GUI required? Use on headless Ubuntu Server via SSH?

GUI required? Use on headless Ubuntu Server via SSH? My initial use would be determining what, if anything, is coming in