SYN-bit's profile - activity

2024-07-22 08:15:58 +0000 commented answer How do I inject TLS secrets on the fly when capturing with tshark?

I just tried, only the last occurrence of the option is used. If on linux/MacOS, you might do something like this -o tl

2024-07-22 08:14:09 +0000 commented answer How do I inject TLS secrets on the fly when capturing with tshark?

I just tried, only the last occurrence of the option is used. If on linux, you might do something like this -o tls.keyl

2024-07-20 04:30:15 +0000 answered a question How do I inject TLS secrets on the fly when capturing with tshark?

While the answer of @johnthacker is geared towards a (long-term) solution, there might be a workaround for your workflow

2024-07-20 04:30:15 +0000 received badge  Rapid Responder (source)
2024-07-19 08:24:05 +0000 commented answer Spurious Retrasmissions false?

Are you mirroring RX and TX to separate interfaces on the Wireshark PC, capturing on both interfaces? If so, could you t

2024-07-19 06:35:13 +0000 commented answer Spurious Retrasmissions false?

Good to see that my assumption about the timestamps was right, it proves that the packets were in order on the network a

2024-07-18 11:09:46 +0000 answered a question cannot stop capture

First of all, if you kill wireshark from the task manager, the running capture file still exists in the folder pointed t

2024-07-18 11:09:46 +0000 received badge  Rapid Responder (source)
2024-07-18 10:59:24 +0000 received badge  Rapid Responder (source)
2024-07-18 10:59:24 +0000 answered a question Spurious Retrasmissions false?

Wireshark marks a packet as a spurious retransmission when it sees a TCP segment that falls within already acknowledged

2024-07-16 06:12:32 +0000 received badge  Rapid Responder (source)
2024-07-16 06:12:32 +0000 answered a question Slowness of SQL client-server app

If generating the report directly on the server is taking 1 min 30 sec, then chances are high that there are a lot of in

2024-07-12 05:43:57 +0000 commented answer Repetitive issue: TCP Previous Segment was not captured

I'm puzzled by the exact same IP-addresses in your network. Are they really the same as the ones from the original poste

2024-07-08 07:58:57 +0000 answered a question Repetitive issue: TCP Previous Segment was not captured

Not knowing the exact nature of your infrastructure, I can only make some guesses based on the provided information. T

2024-07-08 07:58:57 +0000 received badge  Rapid Responder (source)
2024-07-08 07:41:26 +0000 edited question Repetitive issue: TCP Previous Segment was not captured

Repetitive issue: TCP Previous Segment was not captured Hi There, I am seeing below pattern repeated in my Wireshark c

2024-07-07 14:10:18 +0000 answered a question Filter http packets related to specific Call-ID

To display all SIP packets with the same Call-ID, you can use the filter sip.Call-ID == <call-id>, the easiest way

2024-07-07 14:10:18 +0000 received badge  Rapid Responder (source)
2024-07-05 12:14:33 +0000 received badge  Rapid Responder (source)
2024-07-05 12:14:33 +0000 answered a question Help with tcp previous segment not captured

The VXLAN encapsulation done by NSX-V adds an extra header to each packet, making full-size packets too large for ethern

2024-07-05 11:43:45 +0000 answered a question nextseq and nextseqtime

From a quick run through the source code, I think this is the relevant part: /* Store the highest number seen so far fo

2024-07-05 11:43:45 +0000 received badge  Rapid Responder (source)
2024-07-05 11:36:19 +0000 answered a question discrepancies between flow analysis between version 3.0.5 and 4.2.4

A few questions: Are you using the same system for both versions of Wireshark? Are you using the same settings (try cr

2024-07-05 11:36:19 +0000 received badge  Rapid Responder (source)
2024-06-29 11:21:54 +0000 commented answer Truncate ... in UI on left instead of right for IPv6

We could, but there are quite a few other "advanced" GUI settings that do not appear in other dialogs. Not sure if we sh

2024-06-29 06:01:36 +0000 received badge  Rapid Responder (source)
2024-06-29 06:01:36 +0000 answered a question Truncate ... in UI on left instead of right for IPv6

Yes you can, under preferences -> advanced search for gui.packet_list_elide_mode and then you can select left, middle

2024-06-23 10:16:44 +0000 answered a question capture is not showing all dns traffic

I clear my host cache Did you clear your browser cache or your DNS cache? You might want to clear both I filter

2024-06-22 01:44:49 +0000 received badge  Rapid Responder (source)
2024-06-22 01:44:49 +0000 answered a question Window size drop to 11 with ACK packet

Too bad you were not around for the Packet Doctors session at Sharkfest for which you have submitted this capture, you w

2024-06-13 17:59:49 +0000 received badge  Rapid Responder (source)
2024-06-13 17:59:49 +0000 answered a question Each PC displays the SIP msg in wireshark cut off.

Is the More Fragments bit in the IP header of the SIP packets set? If so, that indicates that fragmentation was needed t

2024-06-04 13:18:26 +0000 commented answer TCP same ack, different payload

Glad my hunch was right! If possible, could you send me the pcap (anonymized, see the link in my answer) of the whole T

2024-06-04 08:02:56 +0000 commented answer TCP same ack, different payload

You could add a column for ip.id (drag it from the packet details on top of the column header of the column you want ip.

2024-06-04 06:52:17 +0000 answered a question TCP same ack, different payload

Only data packets can be retransmissions and the second packet does not contain data, so it can't be a retransmission. B

2024-06-04 06:52:17 +0000 received badge  Rapid Responder (source)
2024-06-04 06:46:40 +0000 edited question TCP same ack, different payload

TCP same ack, different payload I am receiving 2 following tcp packets: 9000 → 34967 [PSH, ACK] Seq=803864717 Ack=34811

2024-05-30 16:42:13 +0000 commented question SAP disconnection issue

Yup, works now... will have a look at the file later...

2024-05-30 07:23:19 +0000 commented question SAP disconnection issue

It helps when you make the file public ;-)

2024-05-28 10:24:10 +0000 answered a question IMAP server has unexpectedly disconnected

Thanks for sharing the file, the RST packets in frame 69/70 are sent after a FIN from both sides, so that should be noth

2024-05-27 22:08:48 +0000 commented question IMAP server has unexpectedly disconnected

The shared file is not public...

2024-05-27 22:08:32 +0000 commented question IMAP server has unexpectedly disconnected

The file is not public...

2024-05-23 19:26:24 +0000 received badge  Rapid Responder (source)
2024-05-23 19:26:24 +0000 answered a question Tshark filter issue

More of a bash question than a tshark question, but my guess (did not test it) is that you need to use: TSHARK_FILTER="

2024-05-22 09:50:48 +0000 commented answer Specific website loading slow, can my wireshark log help?

@fordina1 If you send me an email to [email protected], I can reply with the pcap file. And yes, I'm located in the Nethe

2024-05-21 21:08:11 +0000 commented answer Specific website loading slow, can my wireshark log help?

I just did some more tests and it seems that the packet-loss is there for me too this time. As my RTT is ~30ms, the webs

2024-05-21 20:44:47 +0000 commented answer Specific website loading slow, can my wireshark log help?

Yes, that would help as a comparison. Also, it would help to run the mtr command at a time when it is slow. The packet-l

2024-05-20 07:03:14 +0000 commented answer Specific website loading slow, can my wireshark log help?

The no response on large pings should not be a problem. Is it always slow for you, or just sometimes? It could be that t

2024-05-20 06:03:05 +0000 edited answer Decrypting my own TLS traffic with tshark

-z "follow,tcp,ascii,7" will output the TCP payload, which is TLS encrypted data, you will have to use -z "follow,tls,as

2024-05-20 06:01:19 +0000 answered a question Decrypting my own TLS traffic with tshark

-z "follow,tcp,ascii,7" will output the TCP payload, which of course is TLS encrypted data, you will have to use -z "fol