2023-01-31 11:56:58 +0000 | commented answer | UDP Packets and MSS Not all questions answered here are specific to Wireshark, but as long as it has something to do with Wireshark, analyzi |
2023-01-31 11:55:40 +0000 | answered a question | Extreme Cyber Attack Chip Level No this doesn't look like any kind of attack. It looks like your computer is trying to use a DNS server that refuses to |
2023-01-31 11:55:40 +0000 | received badge | ● Rapid Responder (source) |
2023-01-20 14:51:46 +0000 | commented answer | Editcap ignore first 14 bytes of a packet Good idea, I could put something like a generic "cut n bytes from the beginning and set encapsulation to a value" in Tra |
2023-01-20 14:41:29 +0000 | commented question | Editcap ignore first 14 bytes of a packet What is the reason why you need to strip the 14 bytes (as @cmaynard assumes this is probably the Ethernet header)? I'd g |
2022-10-22 18:47:51 +0000 | answered a question | Extract and concat packet bytes from multiple streams After a nudge from @Chuckc I spent an hour to create a small Win64 command line tool that should do what you need. All y |
2022-10-22 18:47:51 +0000 | received badge | ● Rapid Responder (source) |
2022-04-13 08:00:46 +0000 | received badge | ● Rapid Responder (source) |
2022-04-13 08:00:46 +0000 | answered a question | How are these packets handled? The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the |
2021-04-21 07:47:59 +0000 | commented answer | Anonymizing pcaps for sharing/analysis I'll have to check into that - Tracewrangler can parse stacked VLAN tags but maybe I forgot to actually add code to remo |
2021-04-02 13:34:03 +0000 | commented answer | How do I find two consecutive frames from the same IP source address Sometimes you can solve this kind of problem if the higher level protocol dissectors have a "request in/answer in" field |
2021-03-15 09:15:03 +0000 | received badge | ● Rapid Responder (source) |
2021-03-15 09:15:03 +0000 | answered a question | How do I start a capture in Wireshark via the command line? You should use dumpcap instead of Wireshark, because that's what Wireshark uses to capture packets anyway. You can find |
2020-08-05 13:47:10 +0000 | commented answer | how to recognize a duplicate packet in wireshark ? First, no, the IP ID will be different, because the duplicate ACK is a TCP (layer 4) mechanism, and does not affect the |
2020-08-05 13:43:55 +0000 | commented answer | How to avoid ICMP "Destination Protocol Unreachable" with ERSPAN to Windows 10 You're welcome! This is a curious issue, unbinding everything except the npcap binding should mute the NIC completely. I |
2020-06-28 10:01:39 +0000 | commented question | Network card not working properly after wireshark install Does the problem go away if you de-install npcap (and keep Wireshark installed)? |
2020-06-28 10:00:04 +0000 | received badge | ● Rapid Responder (source) |
2020-06-28 10:00:04 +0000 | answered a question | how to recognize a duplicate packet in wireshark ? "True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see th |
2020-03-09 14:42:59 +0000 | commented question | List at least three ways to do this in Wireshark? Look into the statistics menu, and check the available options. Hint: a connection is often also called a "flow", "strea |
2020-03-07 11:18:54 +0000 | received badge | ● Organizer (source) |
2020-03-07 11:18:10 +0000 | commented question | List at least three ways to do this in Wireshark? This sounds like a homework assignment to me. You might want to put in some effort to find out yourself, it's not that h |
2020-03-06 14:45:58 +0000 | edited answer | Need help analyzing Wireshark captures It's a little hard to say without knowing exactly what is going on, but what I find interesting is that if you look at the |
2020-03-06 14:45:03 +0000 | answered a question | Need help analyzing Wireshark captures It's a little hard to say without knowing exactly what is going on, but what I find interesting is that if you look at the |
2020-01-24 16:47:24 +0000 | commented question | Why I can't see traffic between two old Sun computers in network? Are you sure those computers are connected to the same network? How do you capture the packets? Is it a SPAN port? |
2020-01-24 16:44:03 +0000 | commented question | how make a diff between two pcap files ? I agree with @grahamb - both pcaps will be too different to do anything like that. Most likely the local capture will ha |
2019-12-16 00:54:13 +0000 | received badge | ● Nice Answer (source) |
2019-12-05 15:55:19 +0000 | commented question | Continuously observing [TCP Previous segment not captured] , Ignored Unknown Record You might want to look into sanitization of capture files. If your problem is on layers 1-4 you can remove/change any de |
2019-09-30 18:25:14 +0000 | answered a question | When does TCP decide not to ACK every packet The ACK frequency is basically something the TCP stack decides, so it depends on the operating system, the network stack |
2019-09-30 18:25:14 +0000 | received badge | ● Rapid Responder (source) |
2019-09-01 21:33:12 +0000 | commented question | TCP ACK with 1460 Bytes of Data Do you have a pcap file you could share? |
2019-09-01 21:27:44 +0000 | commented answer | In TCP 3-way handshake, 3 segments will be sent (SYN, SYN/ACK, ACK). What happens if the third segment(ACK) is lost? Sake is correct, of course. I just need to add (my OCD kicks in here) that if there is never an ACK (which can happen in |
2019-06-25 06:18:48 +0000 | commented answer | Does running Wireshark on a Domain Controller degrade performance of the DC? Better yet, don't use Wireshark or tshark. Use dumpcap, which is the best tool to do that (and is called by Wireshark an |
2019-05-13 10:00:43 +0000 | commented answer | Do we need a pcap header format to display captured packets via named pipes on Wireshark? Too sneaky ;-) |
2019-05-11 23:36:55 +0000 | answered a question | How does wireshark determine if a TCP packet is out-of-order? Doing this from a screenshot is suboptimal at best, especially without packet numbers, but let's try. If I get it wrong |
2019-05-11 23:36:55 +0000 | received badge | ● Rapid Responder (source) |
2019-05-08 14:16:00 +0000 | commented answer | Help analyzing TCP connection sequence In general you'll always see FIN and ACK together, because it signals the end from one side of the conversation and all |
2019-05-04 23:04:20 +0000 | received badge | ● Rapid Responder (source) |
2019-05-04 23:04:20 +0000 | answered a question | Searching upwards It looks like the forward/backward option wasn't yet ported to the QT UI. You might want to add an enhancement request a |
2019-05-03 07:14:27 +0000 | commented answer | File upload stalling, many "bad" TCP packages The Android phone might perform an automatic Path MTU detection when it fails to transfer large packets, learning the be |
2019-04-21 10:11:52 +0000 | commented answer | Packet sniff noise you could filter on tzsp after capturing both, and then "export specified packets" to a new pcapng file and open that to |
2019-04-21 10:09:33 +0000 | commented question | TCP Retransmission - Delay with Windows 10! I'm not sure I understand your example correctly, it's a little too abstract. If it's just an iperf test why not share th |
2019-04-18 09:37:16 +0000 | commented question | The interface "Console" is not showing. Can you give some more details? What do you mean by Interface "Console"? And why do you install such an old version? |
2019-04-17 11:32:44 +0000 | answered a question | What is a good solution to capture Bluetooth traffic from captoglove? Maybe this article could help: https://duo.com/decipher/bluetooth-hacking-tools-comparison They're looking at various c |
2019-04-17 11:32:44 +0000 | received badge | ● Rapid Responder (source) |
2019-04-17 11:29:40 +0000 | answered a question | Packet sniff noise That looks like a misconfiguration - that many errors are highly unlikely and are usually a result of an improper captur |
2019-04-17 11:29:40 +0000 | received badge | ● Rapid Responder (source) |
2019-04-17 11:01:50 +0000 | answered a question | How to enable all protocols in tshark? You should create a new profile in Wireshark with all protocols enabled. The user can then switch back to his previous p |
2019-04-17 11:01:50 +0000 | received badge | ● Rapid Responder (source) |
2019-04-14 12:47:09 +0000 | received badge | ● Nice Answer (source) |
2019-04-14 08:52:58 +0000 | received badge | ● Rapid Responder (source) |