Jasper's profile - activity

Not all questions answered here are specific to Wireshark, but as long as it has something to do with Wireshark, analyzi

No this doesn't look like any kind of attack. It looks like your computer is trying to use a DNS server that refuses to

Good idea, I could put something like a generic "cut n bytes from the beginning and set encapsulation to a value" in Tra

What is the reason why you need to strip the 14 bytes (as @cmaynard assumes this is probably the Ethernet header)? I'd g

After a nudge from @Chuckc I spent an hour to create a small Win64 command line tool that should do what you need. All y

The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the

I'll have to check into that - Tracewrangler can parse stacked VLAN tags but maybe I forgot to actually add code to remo

Sometimes you can solve this kind of problem if the higher level protocol dissectors have a "request in/answer in" field

You should use dumpcap instead of Wireshark, because that's what Wireshark uses to capture packets anyway. You can find

First, no, the IP ID will be different, because the duplicate ACK is a TCP (layer 4) mechanism, and does not affect the

You're welcome! This is a curious issue, unbinding everything except the npcap binding should mute the NIC completely. I

Does the problem go away if you de-install npcap (and keep Wireshark installed)?

"True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see th

Look into the statistics menu, and check the available options. Hint: a connection is often also called a "flow", "strea

This sounds like a homework assignment to me. You might want to put in some effort to find out yourself, it's not that h

It's a little hard to say without knowing exactly what is going, but what I find interesting is that if you look at the

It's a little hard to say without knowing exactly what is going, but what I find interesting is that if you look at the

Are you sure those computers are connected to the same network? How do you capture the packets? Is it a SPAN port?

I agree with @grahamb - both pcaps will be too different to do anything like that. Most likely the local capture will ha

You might want to look into sanitization of capture files. If your problem is on layers 1-4 you can remove/change any de

The ACK frequency is basically something the TCP stack decides, so it depends on the operating system, the network stack

Do you have a pcap file you could share?

Sake is correct, of course. I just need to add (my OCD kicks in here) that if there is never an ACK (which can happen in

Better yet, don't use Wireshark or tshark. Use dumpcap, which is the best tool to do that (and is called by Wireshark an

Too sneaky ;-)

Doing this from a screenshot is suboptimal at best, especially without packet numbers, but let's try. If I get it wrong

In general you'll always see FIN and ACK together, because it signals the end from one side of the conversation and all

It looks like the forward/backward option wasn't yet ported to the QT UI. You might want to add an enhancement request a

The Android phone might perform an automatic Path MTU detection when it fails to transfer large packets, learning the be

you could filter on tzsp after capturing both, and then "export specified packets" to a new pcapng file and open that to

I'm not sure I understand your example correctly, it's a little too abstract. If it's just a iperf test why not share th

Can you give some more details? What do you mean by Interface "Console"? And why do you install such an old version?

Maybe this article could help: https://duo.com/decipher/bluetooth-hacking-tools-comparison They're looking at various c

That looks like a misconfiguration - that many errors are highly unlikely and are usually a result of an improper captur

You should create a new profile in Wireshark with all protocols enabled. The user can then switch back to his previous p