SYN-bit's profile - activity

Wireshark is a network monitoring tool, it works by capturing the data traffic as it passes the network. If there are (c

Yes, just open "Capture -> Options", select all the interfaces you want to capture on and then click 'OK'

@MahmutAydin I reopened the question, changed the comments to an answer stream and accepted that answer. This way the qu

Thanks for providing pcap files @casper, the pattern in them is very interesting. First of all, it is not a memory probl

Any news from the Firewall team?

My goal is is to be able to see how much traffic (in proportion) my protocol is creating. With the Protocol Hie

Can anyone tell me if i have interpreted the Wireshark capture correctly. Without looking at the capture, it is qui

As you are capturing on M2, the ping from or to M2 will always be visible, whether or not the span/mirror port is workin

If the ping was done from the wireshark system (M2), then it was not in the packet capture because of the port mirror, b

I assume either M1 or M2 is the Moquitto server? Are you using any capture filters? Is there vlan tagging involved? Are

That is not how Wireshark works, Wireshark hands over data to the next dissector, based on tables and heuristics. If the

Can you see the ping (icmp) traffic in the packet capture?

Did you check whether there is a (checkpoint) firewall in between the AppServer and the Proxy? And if there is, does the

Thanks for the packet capture. Am I right in assuming that 10.133.192.95 is the application server and 172.16.223.11 is

From a quick glance on the pcap files, I suspect the following: There is quite a bit of packet reordering of the data

Also, when making new packet captures, please start your capture before doing the tests so that the 3-way handshake will

Wireshark is using a two-pass process. On the first pass every packet will be seen in packet order. The second pass happ

Please supply the output of About Wireshark (under the Help menu for Windows/Linux or the Wireshark menu for MacOS) as t

Maybe syslog message re-assembly is confusing you. When syslog messages are spanning multiple TCP segments, all the segm

If it works on many different WIFIs, then can you tell me more about the network on which you see these retransmissions

Are you able to use a VPN like Cloudflare Warp or any other. If so, does HTTPS access to https://dns.google work over th

A scapy script might be easier perhaps...

Not in one one, but you could write a script to do it packet for packet. Or maybe split up the file in files with the sa

The retransmissions are all SYN packets to outside IP addresses on port 443. I can reach these IP addresses on port 443

Thank you!

The file is not publicly readable, could you change permissions?

How can we make Wireshark perform its 'TCP Analysis' with an IP-length field instead of using 'packet capture length

When capturing, the libpcap/npcap library will record how many bytes it has seen on the wire and how many bytes it has s

Ah, my mistake, I misread the original question, it says the rightclick option is not there and I read it as it is greye

I backported the fix to the release-4.2 branch, should be fixed in 4.2.8

I'm not sure you're on the right track @chuckc, I can rightclick on dns.time and Apply as column is not greyed out. Not

It seems that MR-8988 introduced this issue and MR-14587 fixed it, but this was only applied to master (ie 4.4 and beyon

Without checking all the commits on the TCP dissector, I would assume there was a code change in 4.2.x that changed this

If you filter in ipv6.src == 2001:8003:5133:6700:4582:92cd:d481:6143, you can see that every packet has a bad checksum.

What I got was: Duplicate TCP handshake on incremented ports This is normal behavior of web browsers, they open mul

Nothing as ambiguous as the word session, as it could be seen from the user perspective, the application perspective, th

Does this filter do want you want it to do? udp.port == 5355 && dns.flags.response == True && ( upper(i