2023-11-29 03:45:04 +0000 | received badge | ● Notable Question (source) |
2022-08-12 04:02:22 +0000 | marked best answer | What happened to reassemble_tcp? I pulled the Wireshark code several years ago (v1.8.6) to use its TCP reassembly logic to build a custom TCP reassembler for a project I work on. I'm needing that same logic today, and I'd like to use the latest version of the code (v2.6.1) as a go-by, but I cannot find the Can anyone point me to where/how the TCP reassembly is accomplished in the Wireshark code base today? |
2022-05-19 16:56:45 +0000 | received badge | ● Notable Question (source) |
2022-04-10 17:50:08 +0000 | received badge | ● Popular Question (source) |
2020-11-20 08:14:14 +0000 | received badge | ● Famous Question (source) |
2020-11-20 08:14:14 +0000 | received badge | ● Notable Question (source) |
2020-11-20 08:14:14 +0000 | received badge | ● Popular Question (source) |
2020-09-22 19:37:42 +0000 | received badge | ● Notable Question (source) |
2020-06-30 15:50:15 +0000 | received badge | ● Popular Question (source) |
2019-08-29 16:46:03 +0000 | marked best answer | TCP ACK shows only 54 bytes in Wireshark My understanding is that a minimum layer 2 Ethernet II frame has to be 64 bytes in length, which includes the 4-byte FCS. Since the FCS is not normally available to Wireshark, only 60 bytes are shown. Thus, in a TCP packet that has an empty payload, there are 6 padding bytes at the end of the frame that are highlighted along with the Ethernet II header. So,
gives the total of 60 bytes. In my testing, I'm running across a 54-byte packet that shows no padding bytes. It has the 14-byte Ethernet II header, the 20-byte IPv4 header, and the 20-byte TCP header for a total of 54 bytes. It is the ACK packet that follows the SYN and SYN,ACK handshake. Is there an explanation as to why this packet is 54 bytes long and not padded out to 60 bytes? Is this a network setting of some kind? |
2019-08-29 16:45:59 +0000 | commented answer | TCP ACK shows only 54 bytes in Wireshark That thought actually occurred to me on the drive home. lol. |
2019-08-23 23:05:41 +0000 | edited question | TCP ACK shows only 54 bytes in Wireshark TCP ACK shows only 54 bytes in Wireshark My understanding is that a minimum layer 2 Ethernet II frame has to be 64 bytes |
2019-08-23 23:04:42 +0000 | asked a question | TCP ACK shows only 54 bytes in Wireshark TCP ACK shows only 54 bytes in Wireshark My understanding is that a minimum layer 2 Ethernet II frame has to be 64 bytes |
2019-05-17 00:53:08 +0000 | received badge | ● Popular Question (source) |
2019-04-11 14:11:49 +0000 | marked best answer | Is WinPcap still being developed? As far as I can tell, WinPcap 4.1.3 is the final released version. Is that correct? Is it still being supported at all? By all appearances, it seems to still work on Windows 10, but I worry about the future if it isn't being actively maintained. Am I correct in my understanding that npcap is a viable alternative and is still being developed? |
2019-04-11 04:58:50 +0000 | asked a question | Is WinPcap still being developed? Is WinPcap still being developed? As far as I can tell, WinPcap 4.1.3 is the final released version. Is that correct? |
2018-08-28 14:23:07 +0000 | received badge | ● Enthusiast |
2018-08-03 14:50:02 +0000 | received badge | ● Rapid Responder (source) |
2018-08-03 14:50:02 +0000 | answered a question | What does ring buffer do if "create new" options aren't specified? I ran a packet capture overnight to test. There is a single pcapng file with a size of 2.9GB, and it has over 2.7 milli |
2018-08-02 20:13:44 +0000 | edited question | What does ring buffer do if "create new" options aren't specified? What does ring buffer do if "create new" options aren't specified? In the 2.6.2 version of Wireshark (and I think recent ve |
2018-08-02 19:23:02 +0000 | received badge | ● Organizer (source) |
2018-08-02 19:21:32 +0000 | asked a question | What does ring buffer do if "create new" options aren't specified? What does ring buffer do if "create new" options aren't specified? In the 2.6.2 version of Wireshark (and I think recent ve |
2018-05-29 14:28:31 +0000 | commented answer | What happened to reassemble_tcp? Guy, thank you. I was hoping you'd chime in on this. That definitely helps. |
2018-05-25 17:02:26 +0000 | asked a question | What happened to reassemble_tcp? What happened to reassemble_tcp? I pulled the Wireshark code several years ago (v1.8.6) to use its TCP reassembly logic |
2017-11-29 01:36:57 +0000 | commented answer | What is a valid LLC SNAP indicator? Thanks, @Guy Harris. |
2017-11-29 01:36:33 +0000 | marked best answer | What is a valid LLC SNAP indicator? I'm trying to solidify some things in my head. Wikipedia indicates that a SNAP extension is in use if the DSAP and SSAP values in the IEEE 802.3 header are 0xAA or 0xAB. The Network Sorcery page indicates that only 0xAA indicates a SNAP extension, and this seems to be confirmed by Wireshark 2.4.2. If either of the DSAP/SSAP values are 0xAB, Wireshark does not process the upper layer as the specified protocol (e.g., CDP, PAgP, etc.), but instead treats it as a data block. Assuming that the DSAP and SSAP values are both 0xAA (indicating the SNAP extension is in use), if the Control field in the IEEE 802.3 LLC header is anything other than 0x03, Wireshark breaks out the LLC/SNAP header correctly, but it treats the upper layer as a data block, not the specified protocol. |
2017-11-29 01:36:33 +0000 | received badge | ● Scholar (source) |
2017-11-27 00:10:14 +0000 | received badge | ● Editor (source) |
2017-11-27 00:10:14 +0000 | edited question | What is a valid LLC SNAP indicator? What is a valid LLC SNAP indicator? I'm trying to solidify some things in my head. Wikipedia indicates that a SNAP exte |
2017-11-26 22:52:26 +0000 | asked a question | What is a valid LLC SNAP indicator? What is a valid LLC SNAP indicator? I'm trying to solidify some things in my head. Wikipedia indicates that a SNAP exte |