alohawireshark's profile - activity

2022-01-01 11:29:24 +0000 received badge Notable Question
2022-01-01 11:29:24 +0000 received badge Popular Question
2021-06-27 01:18:26 +0000 received badge Famous Question
2021-06-27 01:18:03 +0000 received badge Famous Question
2021-06-27 01:18:03 +0000 received badge Notable Question
2021-06-27 01:18:03 +0000 received badge Popular Question
2021-06-25 08:12:45 +0000 received badge Popular Question
2021-03-02 04:27:46 +0000 received badge Notable Question
2021-03-02 04:27:46 +0000 received badge Popular Question
2020-04-17 02:38:55 +0000 received badge Famous Question
2020-04-17 02:38:55 +0000 received badge Notable Question
2020-04-17 02:38:55 +0000 received badge Popular Question
2020-04-12 19:55:05 +0000 asked a question Missing data patterns and inferences

Missing data patterns and inferences I'm a data scientist new to Wireshark/networking data. I pulled some fields from a

2020-04-10 14:40:29 +0000 marked best answer tshark: tls.resumed field isn't valid

I have a 130 MB .pcap file. I tried running the following command:

tshark -r C:\Users\asdf\Desktop\tls_research\4_4_2020.pcap -T fields ^
-e tls_resumed ^
-E header=y -E separator=, -E quote=d -E occurrence=a > C:\Users\asdf\Desktop\tls_research\4_4_2020_10April2020.csv

But I get the error message:

tshark: Some fields aren't valid:
        tls_resumed

I know this field should exist based on the official documentation: https://www.wireshark.org/docs/dfref/...

So how do I proceed if I want the information contained within this field? Is the documentation outdated? Is this a data collection issue? Are there one or more other fields I can use instead? I am attempting to stitch together multiple packets into a single "conversation."

2020-04-10 14:40:27 +0000 commented answer tshark: tls.resumed field isn't valid

That would do the trick. I guess this is a very bad question -- just a typo. I will delete it. Thanks!

2020-04-10 14:01:52 +0000 asked a question tshark: tls.resumed field isn't valid

tshark: tls.resumed field isn't valid I have a 130 MB .pcap file. I tried running the following command: tshark -r C:\U

2020-04-07 14:13:02 +0000 commented answer tcp.flags.str explanation

Thank you. Your answer was helpful as well. I lack the reputation to upvote it, though.

2020-04-07 14:04:21 +0000 marked best answer tcp.flags.str explanation

Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and searched the RFCs without luck. I am a data scientist without a networking background, working with networking data.

For example, what does xc2 mean in the following?

<field name="tcp.flags.str" showname="TCP Flags: ·······A····" size="2" pos="46" show="·······A····" value="5010"/>

2020-04-07 12:51:38 +0000 asked a question tcp.flags.str explanation

tcp.flags.str explanation Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and

2020-04-04 12:26:27 +0000 asked a question why is tshark printing output to console?

why is tshark printing output to console? I have some tshark command that is printing the output to console instead of s

2020-04-03 17:20:22 +0000 edited question Wireshark/tshark: calculating Windows 10 desktop uptime

Wireshark/tshark: calculating Windows 10 desktop uptime I'm interested in tracking/calculating the uptime of a Windows

2020-04-03 17:19:59 +0000 asked a question Wireshark/tshark: calculating Windows 10 desktop uptime

Wireshark/tshark: calculating Windows 10 desktop uptime I'm interested in tracking/calculating the uptime of a Windows

2020-04-02 21:33:18 +0000 commented answer Wireshark equivalent of TSecr?

Hi. The reason I ask is because my .pcap file doesn’t contain a TSVal or TSecr or tcp.options.timestamp.tsecr field, whe

2020-04-02 20:08:56 +0000 asked a question Wireshark equivalent of TSecr?

Wireshark equivalent of TSecr? Does Wireshark capture the equivalent of TSecr or provide the information needed to calcu

2020-04-02 20:00:15 +0000 marked best answer Wireshark Filter explanations/guide

I am a data scientist analyzing packet data from Wireshark, but I do not have a networking background. It's been a laborious process of Googling each filter from the tshark output to build an intuitive understanding of each field. Two fields, just to illustrate my point: "ip.flags.rb" or "ip.flags". While the shorthand of such fields may have more meaning to an experienced network engineer, most is lost on me. I have reviewed the Wireshark documentation (https://www.wireshark.org/docs/dfref/...) and the definitions are:

Field name    Description    Type                        Versions
ip.flags      Flags          Unsigned integer, 2 bytes   1.0.0 to 3.2.2
ip.flags.rb   Reserved bit   Boolean                     1.0.0 to 3.2.2

Such a definition doesn't answer critical questions like, "What is the range of integers for ip.flags and what would be the significance of each?" Or, "What is the significance of a 1 for ip.flags.rb as opposed to a 0, i.e. why might it matter if a bit is reserved or not?"

My question is: is there a cheat sheet for newbies/non-network engineers with such information? Thus far, it seems like in-depth explanations can occasionally be found in the Wireshark documentation, albeit spread across many chapters. I can also find discussion of individual fields on forums/blogs, but with 273+ fields to try to understand, I'm wondering if there is a better resource available that I haven't yet found.

2020-04-02 20:00:15 +0000 received badge Scholar
2020-04-02 17:22:45 +0000 asked a question TLS Handshake Ciphersuite: how to extract `showname` string using tshark?

TLS Handshake Ciphersuite: how to extract `showname` string using tshark? I am trying to extract sensible information fr

2020-04-02 15:40:33 +0000 asked a question Wireshark Filter explanations/guide

Wireshark Filter explanations/guide I am a data scientist analyzing packet data from Wireshark but I do not have a netwo

2020-03-25 15:54:08 +0000 asked a question Why do JSON and PDML exports have different data from the same session?

Why do JSON and PDML exports have different data from the same session? I am new to Wireshark. I filtered my captured pa

2019-05-16 16:48:58 +0000 commented answer Infer machine boot time/up-time from network packets?

Thanks Bob. I could test NMAP's uptime calculation using known devices and see how well it performs. However, the popula

2019-05-15 09:31:35 +0000 commented answer Infer machine boot time/up-time from network packets?

It looks like NMAP captures exactly the information I am looking for. Is there a way to get/make an uptime guess from Wi

2019-05-15 09:28:03 +0000 commented answer Infer machine boot time/up-time from network packets?

It looks like NMAP captures exactly the information I am looking for. Is there a way to get/make an uptime guess from Wi

2019-05-15 09:27:42 +0000 commented answer Infer machine boot time/up-time from network packets?

NMAP is actually exactly what I was looking for. Is there a way to get/make an uptime guess from Wireshark packets? We o

2019-05-15 09:26:36 +0000 commented answer Infer machine boot time/up-time from network packets?

NMAP is actually exactly what I was looking for. Is there a way to get/make an uptime guess from Wireshark packets? We o

2019-05-14 23:08:43 +0000 commented answer Infer machine boot time/up-time from network packets?

Sounds like a lot of conditions must be met for boot time information to be captured. I have heard that such information

2019-05-14 18:06:36 +0000 commented question Infer machine boot time/up-time from network packets?

By boot time, I mean the wall-clock time when the machine booted. And yes, by up-time, I mean how long the machine has b

2019-05-14 14:25:04 +0000 commented question Infer machine boot time/up-time from network packets?

I am doing a research project in partnership with a company. The company has authoritative DNS servers.

2019-05-14 14:11:44 +0000 asked a question Infer machine boot time/up-time from network packets?

Infer machine boot time/up-time from network packets? Is it possible to infer machine boot time/up-time from network pac

2019-05-14 14:04:38 +0000 commented answer How to capture RTP packets?

Thank you. That is helpful information.

2019-05-14 14:04:28 +0000 commented answer How to capture RTP packets?

Thank you. That is helpful information for me to unpack there.

2019-05-13 23:57:31 +0000 received badge Editor
2019-05-13 23:57:31 +0000 edited question How to capture RTP packets?

How to capture RTP packets? I am trying to find the clock drift information for each of the machines (e.g. my work lapto

2019-05-13 23:56:16 +0000 asked a question How to capture RTP packets?

How to capture RTP packets? I am trying to figure out the clock drift of the machines using my router/Internet. Based on