| 2024-04-26 15:58:28 +0000 | commented answer | Using Lua to tag SYN-ACK followed by a RST Oh, and after re-reading your question, you only want to see the SYN/ACK packets, so you can filter with tcp.completenes |
| 2024-04-26 15:58:11 +0000 | commented answer | Using Lua to tag SYN-ACK followed by a RST Oh, and after re-reading your question, you only want to see the SYN/ACK packets, so you can filter with tcp.completenes |
| 2024-04-26 15:56:04 +0000 | answered a question | Using Lua to tag SYN-ACK followed by a RST Apart from the (very flexible) Lua solution, you could also use the TCP completeness filter to achieve (kind of) the sam |
| 2024-04-26 15:56:04 +0000 | received badge | ● Rapid Responder (source) |
| 2024-04-26 11:24:32 +0000 | commented answer | Specific website loading slow, can my wireshark log help? You are correct in that it needs to be 1052 (so my 1024 above was not correct, although it could not hurt for the test). |
| 2024-04-26 10:30:36 +0000 | received badge | ● Rapid Responder (source) |
| 2024-04-26 10:30:36 +0000 | answered a question | Specific website loading slow, can my wireshark log help? A quick analysis shows that there is a huge amount of packet-loss. It does not seem to be MTU related, as the advertised |
| 2024-04-26 10:25:13 +0000 | commented question | Specific website loading slow, can my wireshark log help? Thanks for adding the link to the pcapng file! |
| 2024-04-26 07:41:36 +0000 | commented question | Specific website loading slow, can my wireshark log help? Could you please share the file in PCAP or PCAPNG format instead of text output, we love using Wireshark for a reason ;- |
| 2024-04-25 21:45:24 +0000 | answered a question | Feature request: Dynamic Colorization Rules Have you seen the "Conversaton Coloring" functionality (FKA Temporary Coloring)? It let's you colorize TCP/UDP/IP/Eth co |
| 2024-04-25 21:45:24 +0000 | received badge | ● Rapid Responder (source) |
| 2024-03-28 21:05:43 +0000 | commented answer | a Window Scale value on a client of "-1" On top of that, a scaling factor of -2 means the SYN and SYN/ACK were indeed seen, but no WS option was seen in the SYN |
| 2024-03-18 17:52:01 +0000 | commented answer | Do ICMP packets have ports? @johnthacker In this case the behavior is inconsistent. While I do agree on all other types of multiple IP layers, in th |
| 2024-03-18 17:46:01 +0000 | commented answer | Do ICMP packets have ports? @johntacker In this case the behavior is inconsistent. While I do agree on all other types of multiple IP layers, in thi |
| 2024-03-18 06:44:50 +0000 | commented answer | Do ICMP packets have ports? As the IP addresses are not overwritten by the inner included IP header, I can see benefit in not overwriting/filling th |
| 2024-03-15 16:38:00 +0000 | answered a question | Tshark does not save files in a ring That is the output of the file creation, tshark does not log file deletion to stdout, so most probably if you look on di |
| 2024-03-15 16:38:00 +0000 | received badge | ● Rapid Responder (source) |
| 2024-03-10 07:57:00 +0000 | commented answer | How can I filter a column to show only one instance of each wep initialization vector found? While the new column features are really great, they won't help in this case, as each packet will only have one IV, so t |
| 2024-02-26 19:38:36 +0000 | commented answer | Wireshark Version - Expert Info Perfect, thanks! |
| 2024-02-26 09:56:27 +0000 | answered a question | Wireshark Version - Expert Info Thank you for providing a capture file that shows the issue. I can confirm that I see the same behavior. I did a quick c |
| 2024-02-24 09:36:50 +0000 | commented question | Wireshark Version - Expert Info And a pcap file instead of a screenshot helps us help you even (a lot!) better :-) |
| 2024-02-24 09:36:01 +0000 | commented question | Wireshark Version - Expert Info And a pcap file instead of a screenshot helps us help you even (a lot!) better :-) |
| 2024-02-06 15:43:41 +0000 | edited question | Having trouble saving Office files to the network, works but is slow Having trouble saving Office files to the network, works but is slow I ran a wireshark capture, this is the output. I am |
| 2024-02-03 17:45:51 +0000 | received badge | ● Rapid Responder (source) |
| 2024-02-03 17:45:51 +0000 | answered a question | Some ICMP packets captured but not others? Are yu by any chance using a VPN? That would make the ping traffic encapsulated (and encrypted) so you would not be able |
| 2024-02-01 08:54:02 +0000 | commented answer | Citrix client disconnection from MPLS link, [TCP RST, ACK] I'm sorry you got this feedback, as it is not a proper analysis and they are sending you in the wrong direction. I'm n |
| 2024-01-26 21:33:53 +0000 | commented answer | Citrix client disconnection from MPLS link, [TCP RST, ACK] @hugo.vanderkooij Good to know about Citrix sending small segments, did not know that... As for the window size not dro |
| 2024-01-25 22:22:46 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-25 22:22:46 +0000 | answered a question | Citrix client disconnection from MPLS link, [TCP RST, ACK] I seems both the telecom operator as well as the Palo Alto administrator are right, the problem does not lie in those do |
| 2024-01-22 12:59:22 +0000 | commented answer | tcp socket for communication with hardware Often when people analyze TCP traffic, a capture is made near/on the client and another one near/on the server. So I ass |
| 2024-01-21 20:23:22 +0000 | answered a question | tcp socket for communication with hardware In your provided captures there is not a real problem. One TCP segment did not get an ACK in time, so the 200ms RTO time |
| 2024-01-21 20:23:22 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-21 20:04:27 +0000 | answered a question | TCP header length 20 bytes with Timestamps There is a TCP option called "Timestamps" which are indeed extra bytes in the TCP header. These are generated by the end |
| 2024-01-21 20:04:27 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-10 23:26:05 +0000 | commented answer | TCP analysis on packets captured with smaller snaplength Glad my answer helped you in solving your issue. I reopened the question and selected my answer as the one that answere |
| 2024-01-10 08:27:14 +0000 | commented question | TCP analysis on packets captured with smaller snaplength The TCP dissector usually works just fine without the payload, as long as you have the complete TCP header, which you sh |
| 2024-01-09 14:22:32 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-09 14:22:32 +0000 | answered a question | how to filter pcap file with time range as display filter using tshark Easiest way I think is to extract the epoch timestamps from the first capture and then use them with editcap to extract |
| 2024-01-08 21:44:50 +0000 | answered a question | Sudden issue with name resoution using hosts file There are quite a view elements involved in the name resolution process. Maybe my Sharkfest 2021 US virtual presentation |
| 2024-01-08 21:44:50 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-08 11:26:18 +0000 | commented answer | filtered original file with rtpevent to separate pcap file, but packets showing as UDP Are the rtpevent packets shown as UDP in the info column, or maybe as some other protocol. In my case they were show as |
| 2024-01-08 09:33:31 +0000 | answered a question | How to filter by item? I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the lay |
| 2024-01-08 09:33:31 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-05 12:36:17 +0000 | commented answer | filtered original file with rtpevent to separate pcap file, but packets showing as UDP Or use the --enable-heuristic option like this tshark -r rtpevent.pcap --enable-heuristic rtp_udp |
| 2024-01-05 12:25:15 +0000 | commented answer | filtered original file with rtpevent to separate pcap file, but packets showing as UDP You can also look at the port numbers with tshark -r rtpevent.pcap -qz conv,udp and then use decode as to decode the spe |
| 2024-01-04 22:37:21 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-04 22:37:21 +0000 | answered a question | filtered original file with rtpevent to separate pcap file, but packets showing as UDP Another solution is to save the SDP packets in the new file too, as they contain the mapping of the dynamic payload type |
| 2023-12-28 19:16:46 +0000 | received badge | ● Rapid Responder (source) |
| 2023-12-28 19:16:46 +0000 | answered a question | conversation completeness incomplete 60 TCP conversation completeness is a bitwise field where the occurance of certain flags over the conversation is recorded |
| 2023-12-18 20:40:26 +0000 | answered a question | Bytes accumulation in an ICMP packet There is no timestamp field in the ICMP header, so the time comes from the ICMP data part. Some ping implementations ad |
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.