alohawireshark's profile - activity

Oct 28 '3 received badge  Famous Question (source)
Jan 1 '2 received badge  Notable Question (source)
Jan 1 '2 received badge  Popular Question (source)
Jun 27 '1 received badge  Famous Question (source)
Jun 27 '1 received badge  Famous Question (source)
Jun 27 '1 received badge  Notable Question (source)
Jun 27 '1 received badge  Popular Question (source)
Jun 25 '1 received badge  Popular Question (source)
Mar 2 '1 received badge  Notable Question (source)
Mar 2 '1 received badge  Popular Question (source)
Apr 17 '0 received badge  Famous Question (source)
Apr 17 '0 received badge  Notable Question (source)
Apr 17 '0 received badge  Popular Question (source)
Apr 12 '0 asked a question Missing data patterns and inferences

Missing data patterns and inferences I'm a data scientist new to Wireshark/networking data. I pulled some fields from a

Apr 10 '0 marked best answer tshark: tls.resumed field isn't valid

I have a 130 MB .pcap file. I tried running the following command:

tshark -r C:\Users\asdf\Desktop\tls_research\4_4_2020.pcap -T fields ^
-e tls_resumed ^
-E header=y -E separator=, -E quote=d -E occurrence=a > C:\Users\asdf\Desktop\tls_research\4_4_2020_10April2020.csv

But I get the error message:

tshark: Some fields aren't valid:
        tls_resumed

I know this field should exist based on the official documentation: https://www.wireshark.org/docs/dfref/...

So how do I proceed if I want the information contained within this field? Is the documentation outdated? Is this a data collection issue? Are there one or more other fields I can use instead? I am attempting to stitch together multiple packets into a single "conversation."

Apr 10 '0 commented answer tshark: tls.resumed field isn't valid

That would do this trick. I guess this is a very bad question -- just a typo. I will delete it. Thanks!

Apr 10 '0 asked a question tshark: tls.resumed field isn't valid

tshark: tls.resumed field isn't valid I have a 130 MB .pcap file. I tried running the following command: tshark -r C:\U

Apr 7 '0 commented answer tcp.flags.str explanation

Thank you. Your answer was helpful as well. I lack the reputation to upvote it, though.

Apr 7 '0 marked best answer tcp.flags.str explanation

Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and searched the RFCs without luck. I am a data scientist without a networking background, working with networking data.

For example, what does xc2 mean in the following?

<field name="tcp.flags.str" showname="TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" size="2" pos="46" show="\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" value="5010"/>

Apr 7 '0 asked a question tcp.flags.str explanation

tcp.flags.str explanation Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and

Apr 4 '0 asked a question why is tshark printing output to console?

why is tshark printing output to console? I have some tshark command that is printing the output to console instead of s

Apr 3 '0 edited question Wireshark/tshark: calculating Windows 10 desktop uptime

Wireshark/tshark: calculating Windows 10 desktop uptime I'm interested in tracking/calculating the uptime of a Windows

Apr 3 '0 asked a question Wireshark/tshark: calculating Windows 10 desktop uptime

Wireshark/tshark: calculating Windows 10 desktop uptime I'm interested in tracking/calculating the uptime of a Windows

Apr 2 '0 commented answer Wireshark equivalent of TSecr?

Hi. The reason I ask is because my .pcap file doesn’t contain a TSVal or TSecr or tcp.options.timestamp.tsecr field, whe

Apr 2 '0 asked a question Wireshark equivalent of TSecr?

Wireshark equivalent of TSecr? Does Wireshark capture the equivalent of TSecr or provide the information needed to calcu

Apr 2 '0 marked best answer Wireshark Filter explanations/guide

I am a data scientist analyzing packet data from Wireshark but I do not have a networking background. It's been a laborious process of Googling each filter from the tshark output to build an intuitive understanding of each field; two fields, just to illustrate my point: "ip.flags.rb" or "ip.flags." While the shorthand of such fields may have more meaning to an experienced network engineer, most is lost on me. I have reviewed the Wireshark documentation (https://www.wireshark.org/docs/dfref/...) and the definitions are:

ip.flags       Flags          Unsigned integer, 2 bytes   1.0.0 to 3.2.2
ip.flags.rb    Reserved bit   Boolean                     1.0.0 to 3.2.2

Such a definition doesn't answer critical questions like, "what is the range of integers for ip.flags and what would be the significance of each?" Or, "what is the significance of a 1 for ip.flags.rb as opposed to a 0, i.e. why might it matter if a bit is reserved or not?"

My question is, is there a cheat sheet for newbies/non-network engineers with such information? Thus far, it seems like in-depth explanations can occasionally be found in the Wireshark documentation, albeit spread across many chapters. I can also find discussion of individual fields on forums/blogs, but with 273+ fields to try to understand, I'm wondering if there is a better resource I haven't yet found that is available.
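The two posts above (the tcp.flags.str question with its value="5010" PDML line, and the ip.flags / ip.flags.rb question) both come down to reading bit fields out of a header word. The following is an added example, not code from either post or from the Wireshark project: it decodes the 16-bit TCP data-offset + flags word into the 12-character tcp.flags.str form (where the "\xc2\xb7" byte pair in the PDML is the UTF-8 encoding of U+00B7 MIDDLE DOT, Wireshark's glyph for a clear flag), and the 16-bit IPv4 flags + fragment-offset word into the reserved, DF and MF bits with a simple consistency check. Bit layouts follow RFC 793, RFC 3168/3540 and RFC 791. Assumptions: a set TCP reserved bit is rendered as "R" (Wireshark's display convention for those bits is not shown on this page), and because the numeric form tshark prints for ip.flags has changed across Wireshark versions, the IPv4 decoder takes the raw 16-bit word at header offset 6 rather than a tshark-reported value.

```python
import re

# --- Sample input (constructed from the PDML line quoted in the tcp.flags.str question) ---
# The literal text "\xc2\xb7" is how that tool escaped two raw bytes: 0xC2 0xB7 is the
# UTF-8 encoding of U+00B7 MIDDLE DOT, which Wireshark prints for a flag that is not set.
SHOW_ATTR = r"\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7"
VALUE_ATTR = 0x5010   # the value="5010" attribute: the 2 bytes at TCP header offset 12

MIDDLE_DOT = "\u00b7"

# tcp.flags is the low 12 bits of that word; the high nibble is the data offset.
# Order is most significant bit first, i.e. the left-to-right order of tcp.flags.str.
# Rendering a set reserved bit as "R" is an assumption; the other letters match the
# question's output (A at position 8 for ACK).
TCP_FLAG_BITS = [
    (0x800, "R", "reserved"), (0x400, "R", "reserved"), (0x200, "R", "reserved"),
    (0x100, "N", "NS"),  (0x080, "C", "CWR"), (0x040, "E", "ECE"), (0x020, "U", "URG"),
    (0x010, "A", "ACK"), (0x008, "P", "PSH"), (0x004, "R", "RST"),
    (0x002, "S", "SYN"), (0x001, "F", "FIN"),
]


def unescape_byte_string(s: str) -> str:
    """Turn '\\xNN' escapes back into raw bytes and decode those bytes as UTF-8."""
    as_chars = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return as_chars.encode("latin-1").decode("utf-8")


def decode_tcp_offset_flags(raw16: int) -> dict:
    """Decode the 16-bit data-offset + flags word (what value="5010" holds)."""
    if not 0 <= raw16 <= 0xFFFF:
        raise ValueError("expected a 16-bit value")
    flags = raw16 & 0x0FFF
    return {
        "header_len_bytes": (raw16 >> 12) * 4,   # data offset counts 32-bit words
        "flags": flags,
        "flag_names": [name for bit, _, name in TCP_FLAG_BITS if flags & bit],
        "flags_str": "".join(letter if flags & bit else MIDDLE_DOT
                             for bit, letter, _ in TCP_FLAG_BITS),
    }


# --- IPv4: the 16-bit word at header offset 6 is 3 flag bits + a 13-bit fragment offset ---
IP_RESERVED_BIT   = 0x8000   # ip.flags.rb: must be zero per RFC 791
IP_DONT_FRAGMENT  = 0x4000   # ip.flags.df
IP_MORE_FRAGMENTS = 0x2000   # ip.flags.mf


def decode_ip_flags_word(raw16: int) -> dict:
    """Decode flags + fragment offset; 'flags' (0..7) is the range the 3-bit field can take."""
    if not 0 <= raw16 <= 0xFFFF:
        raise ValueError("expected a 16-bit value")
    rb = bool(raw16 & IP_RESERVED_BIT)
    df = bool(raw16 & IP_DONT_FRAGMENT)
    mf = bool(raw16 & IP_MORE_FRAGMENTS)
    offset_bytes = (raw16 & 0x1FFF) * 8          # the offset is counted in 8-byte units
    return {
        "flags": raw16 >> 13,
        "reserved_bit": rb,
        "dont_fragment": df,
        "more_fragments": mf,
        "fragment_offset_bytes": offset_bytes,
        # A set reserved bit, or DF combined with any sign of fragmentation, is not
        # something a conforming sender produces: worth surfacing when triaging a capture.
        "anomalous": rb or (df and (mf or offset_bytes > 0)),
    }


if __name__ == "__main__":
    tcp = decode_tcp_offset_flags(VALUE_ATTR)
    print(tcp["flags_str"], tcp["flag_names"], tcp["header_len_bytes"])
    print("show attribute matches:", tcp["flags_str"] == unescape_byte_string(SHOW_ATTR))
    for word in (0x4000, 0x2005, 0x8000):
        print(hex(word), decode_ip_flags_word(word))
```

For the question's packet, 0x5010 splits into a data offset of 5 words (a 20-byte header, so no TCP options) and flags 0x010, which is ACK alone; the rendered string reproduces the unescaped show attribute exactly. For ip.flags, the 3-bit field gives eight possible values, but only 0 (none), DF, MF and, transiently, DF+MF-free combinations are expected from a conforming stack; the "anomalous" key flags the rest so they stand out when a field is summarized over a large capture.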

Apr 2 '0 received badge  Scholar (source)
Apr 2 '0 asked a question TLS Handshake Ciphersuite: how to extract `showname` string using tshark?

TLS Handshake Ciphersuite: how to extract `showname` string using tshark? I am trying to extract sensible information fr

Apr 2 '0 asked a question Wireshark Filter explanations/guide

Wireshark Filter explanations/guide I am a data scientist analyzing packet data from Wireshark but I do not have a netwo

Mar 25 '0 asked a question Why do JSON and PDML exports have different data from the same session?

Why do JSON and PDML exports have different data from the same session? I am new to Wireshark. I filtered my captured pa

May 16 '19 commented answer Infer machine boot time/up-time from network packets?

Thanks Bob. I could test NMAP's uptime calculation using known devices and see how well it performs. However, the popula

May 15 '19 commented answer Infer machine boot time/up-time from network packets?

it looks like NMAP captures exactly the information I am looking for. Is there a way to get/make an uptime guess from Wi

May 15 '19 commented answer Infer machine boot time/up-time from network packets?

NMAP is actually exactly what I was looking for. Is there a way to get/make an uptime guess from Wireshark packets? We o

May 14 '19 commented answer Infer machine boot time/up-time from network packets?

Sounds like a lot of conditions must be met for boot time information to be captured. I have heard that such information

May 14 '19 commented question Infer machine boot time/up-time from network packets?

By boot time, I mean the wall-clock time when the machine booted. And yes, by up-time, I mean how long the machine has b

May 14 '19 commented question Infer machine boot time/up-time from network packets?

I am doing a research project in partnership with a company. The company has authoritative DNS servers.

May 14 '19 asked a question Infer machine boot time/up-time from network packets?

Infer machine boot time/up-time from network packets? Is it possible to infer machine boot time/up-time from network pac

May 14 '19 commented answer How to capture RTP packets?

Thank you. That is helpful information.

May 14 '19 commented answer How to capture RTP packets?

Thank you. That is helpful information for me to unpack there.

May 13 '19 received badge  Editor (source)
May 13 '19 edited question How to capture RTP packets?

How to capture RTP packets? I am trying to find the clock drift information for each of the machines (e.g. my work lapto

May 13 '19 asked a question How to capture RTP packets?

How to capture RTP packets? I am trying to figure out the clock drift of the machines using my router/Internet. Based on