grahamb's profile - activity

2023-06-07 10:06:06 +0000 edited question please help me to analyze the network in my place

please help me to analyze the network in my place I use remote desktop for my work. But lately when I ping my pc I often

2023-06-06 16:01:37 +0000 edited question couldn't attach dumpcap to my own defined device

couldn't attach dumpcap to my own defined device Hello out there, a while ago I defined my own device with a kernel modu

2023-06-02 13:44:39 +0000 commented question Missing MAC addresses in pcap.

What do you mean by "missing MACs"? How have you determined the MAC address is missing?

2023-06-02 12:19:45 +0000 commented answer Wireshark 3.2 Some/IP Dissector Payload interpretation

This should be a separate question.

2023-05-23 15:59:23 +0000 answered a question web socket decompressing issue

The dissector for websocket is here, maybe the function websocket_uncompress() helps. Note that zlib is a "stream" comp

2023-05-23 15:59:23 +0000 received badge  Rapid Responder (source)
2023-05-23 07:55:16 +0000 answered a question Installed Wireshark and Npcap, but the loopback adaptor is not an option on installation.

The recent npcap installers, for some time, don't have an option to install the loopback adaptor, it's automagically ins

2023-05-23 07:55:16 +0000 received badge  Rapid Responder (source)
2023-05-21 11:00:39 +0000 commented question dtls version 1.3 packet dissector

FYI, see https://gitlab.com/wireshark/wireshark/-/issues/18071

2023-05-21 10:57:32 +0000 answered a question How can i automate my wireshark forensic captures

Wireshark itself doesn't provide this capability. You'll need to use an external application, e.g. a script language, to

2023-05-21 10:57:32 +0000 received badge  Rapid Responder (source)
2023-05-21 10:54:10 +0000 answered a question Is there a simple setup to use Wireshark to track server connections?

You should be able to capture the SMTP traffic by installing and using Wireshark on the system that's using Thunderbird.

2023-05-21 10:54:10 +0000 received badge  Rapid Responder (source)
2023-05-19 08:08:01 +0000 edited question Same notebook - same server to contact - different behavior – different setting parameter [conversation completeness]

Same notebook - same server to contact - different behavior – different setting parameter [conversation completeness] Hi

2023-05-18 07:38:20 +0000 commented answer How to let tshark reassemble the fragments on GRE?

Wireshark will happily reassemble fragmented IP packets, but it MUST see ALL the fragments to complete reassembly. Usin

2023-05-18 07:34:17 +0000 commented answer How to let tshark reassemble the fragments on GRE?

If the IP fragments had been reassembled then wouldn't they show up as SIP?

2023-05-17 08:57:01 +0000 edited question how to decapsulate sdh using editcap

how to decapsulate sdh using editcap Getting error: cannot write pcapng file. I am using: editcap -T sdh --F pcapng

2023-05-17 08:55:04 +0000 received badge  Rapid Responder (source)
2023-05-17 08:55:04 +0000 answered a question How to let tshark reassemble the fragments on GRE?

Seems to be very similar to this question. As the IP reassembly doesn't appear to have completed there will be no attem

2023-05-17 08:53:58 +0000 edited question How to let tshark reassemble the fragments on GRE?

How to let tshark reassemble the fragments on GRE? I have captured on pcap with GRE traffic, and could filter out the gr

2023-05-15 12:27:40 +0000 commented answer Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

I think you mean you can't post it here because of our anti-spam measures. You can share it on a public share, e.g. Goo

2023-05-15 11:32:02 +0000 commented answer Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

Works for me, although I'm not able to test with your capture file unless you share it. I used the capture file attache

2023-05-15 10:26:21 +0000 commented answer Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

A -o flag only changes the settings for that script run, not your saved preferences. You can check this by looking at t

2023-05-15 10:24:45 +0000 commented answer Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

A -o flag only changes the settings for that script run, not your saved preferences. You can check this be checking the

2023-05-15 10:20:50 +0000 commented answer Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

Thank you so much. I have one more question. I don't want to change general settings of tshark, so can I change this opti

2023-05-15 10:02:57 +0000 answered a question Display Filters in TSHARK

tshark -G fields will display all fields that may be used in display filters. To then only see http fields, use your sh

2023-05-15 10:02:57 +0000 received badge  Rapid Responder (source)
2023-05-15 09:47:31 +0000 received badge  Rapid Responder (source)
2023-05-15 09:47:31 +0000 answered a question Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

All Wireshark preference settings can also be set via tshark options using the -o <setting name>:<value> fla

2023-05-11 14:15:20 +0000 received badge  Rapid Responder (source)
2023-05-11 14:15:20 +0000 answered a question Tcpdump - any experts to explain exactly what the output means?

There's no reply at all in the capture, all the packets are from app01.contoso.com:44531 to 10.11.12.20:1002. The traff

2023-05-11 13:56:07 +0000 commented question tshark command: failed to start process, how to debug this error?

Works for me (Win 10), can you show the full output from tshark -v?

2023-05-11 13:13:53 +0000 edited question tshark command: failed to start process, how to debug this error?

tshark command: failed to start process, how to debug this error? I am using the command line to look through packets in

2023-05-11 13:13:35 +0000 commented question tshark command: failed to start process, how to debug this error?

Does tshark -v show the version info?

2023-05-11 09:11:24 +0000 commented question Win10 computer has some kind of DNS/DHCP issue that only resetting the DNS servers in the router fixes. Other devices on the network unaffected.

Not a Wireshark question, although I'm not sure where to redirect you, maybe a Windows forum?

2023-05-04 07:44:10 +0000 edited question ARP Storming???

ARP Storming??? I am relatively new to Wireshark, recently accepted a new IT position, network seems a bit slow so I did

2023-04-28 15:59:57 +0000 received badge  Rapid Responder (source)
2023-04-28 15:59:57 +0000 answered a question Can wireshark show the source process of an outgoing packet

Unfortunately not on Windows. On Windows, tools such as Process Monitor may help.

2023-04-28 09:51:58 +0000 commented answer time not working - always shows boot time of PC

@LBee, npcap 1.75 is out, seems to work for me. See the changelog here

2023-04-24 13:43:37 +0000 edited answer Is It Possible to Lock an Installed Npcap From Being Used, For Data Security Reasons?

Npcap can be installed in "Admin required" mode but unfortunately that is almost unusable with Wireshark as it then requ

2023-04-24 13:36:03 +0000 commented answer Is It Possible to Lock an Installed Npcap From Being Used, For Data Security Reasons?

Thank you grahamb for your reply. Regarding the first solution ("Admin required") - you are right, that's not going t

2023-04-24 13:35:48 +0000 commented answer Is It Possible to Lock an Installed Npcap From Being Used, For Data Security Reasons?

Thank you grahamb for your reply. Regarding the first solution ("Admin required") - you are right, that's not going t

2023-04-24 12:44:34 +0000 received badge  Rapid Responder (source)
2023-04-24 12:44:34 +0000 answered a question Is It Possible to Lock an Installed Npcap From Being Used, For Data Security Reasons?

Npcap can be installed in "Admin required" mode but unfortunately that is almost unusable with Wireshark as it then requ

2023-04-24 11:32:48 +0000 commented question time not working - always shows boot time of PC

Hi Graham, looks like 1.74. Running on 64-bit Windows (22H2), build 22624, with AMD Ryzen 7 2700 Eight-Core Processor (

2023-04-24 11:32:13 +0000 commented answer time not working - always shows boot time of PC

@Jaap, fixed.

2023-04-24 10:54:20 +0000 commented answer time not working - always shows boot time of PC

You've probably reverted to an older version of npcap. Wireshark 4.0.5 comes with npcap 1.71 that has the "promiscuous m

2023-04-24 10:50:51 +0000 edited answer time not working - always shows boot time of PC

OK, like you I have manually installed npcap 1.74 and have the same issue, timestamps in captures are all identical and

2023-04-24 10:16:53 +0000 answered a question time not working - always shows boot time of PC

OK, like you I have manually installed npcap 1.74 and have the same issue, timestamps in captures are all identical and

2023-04-24 10:16:53 +0000 received badge  Rapid Responder (source)