grahamb's profile - activity

2020-05-25 20:50:06 +0000 commented question Can't capture packets in Kali 2020.1

I've fixed up the image links so they display correctly.

2020-05-25 20:49:43 +0000 edited question Can't capture packets in Kali 2020.1

Can't capture packets in Kali 2020.1 Hi guys, I am writing this post after having been researching over the internet fo

2020-05-25 09:02:06 +0000 edited answer extract file from FTP stream with tshark

The tshark equivalent is the -z follow,prot,mode,filter[,range] option described in the man page here. You'll probably

2020-05-25 09:01:46 +0000 commented answer extract file from FTP stream with tshark

Add the -q flag to suppress the "normal" output and then post-process it. See this answer from the old site.

2020-05-25 08:31:39 +0000 commented answer Change frame/tcp length on sliced packets

I would think so. Most tools expect the information in the capture file to be correct.

2020-05-25 08:21:28 +0000 edited answer extract file from FTP stream with tshark

The tshark equivalent is the -z,follow,prot,mode,filter[,range] option described in the man page here. You'll probably

2020-05-25 08:18:39 +0000 commented answer extract file from FTP stream with tshark

The above command will get you raw data. Redirect it to a file or pipe it to another processor.

2020-05-25 07:40:06 +0000 commented answer Change frame/tcp length on sliced packets

TraceWrangler probably uses the IP length field to fix up the frame length metadata in the capture file. I'm not aware

2020-05-25 07:25:46 +0000 received badge  Rapid Responder (source)
2020-05-25 07:25:46 +0000 answered a question extract file from FTP stream with tshark

The tshark equivalent is the -z,follow,prot,mode,filter[,range] option described in the man page here. You'll probably

2020-05-22 20:28:52 +0000 commented answer Change frame/tcp length on sliced packets

OK, then the capture file should have "1092 bytes on the wire" for that frame to be a valid capture file.

2020-05-22 20:28:26 +0000 commented answer Change frame/tcp length on sliced packets

OK, then the capture file should have "1092 bytes on the wire" for that frame.

2020-05-22 20:24:52 +0000 edited answer BPF boolean logic

If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) for each filter you can co

2020-05-22 20:23:34 +0000 edited answer BPF boolean logic

If you look at the compiled BPF (using dftest) for each filter you can compare the result: tcp && ((port 56 &am

2020-05-22 20:22:51 +0000 received badge  Rapid Responder (source)
2020-05-22 20:22:51 +0000 answered a question BPF boolean logic

If you look at the compiled BPF for each filter you can compare the result: tcp && ((port 56 && host 1.

2020-05-22 15:53:15 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

And in the question I linked @cmaynard has added another answer that uses a Lua post-dissector to add another field with

2020-05-22 15:52:57 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

And in the question I linked @cmaynard has added another answer that uses a Lua post-dissector to add another field with

2020-05-22 15:39:28 +0000 commented answer Tshark frame.time format

Good option Chris, I keep forgetting about post-dissectors. I presume performance would be affected if using larger cap

2020-05-22 15:17:33 +0000 edited question Tshark -d option to format date doesn't work with -T fields

Tshark -d option to format date doesn't work Tshark's driving me mad! I want to parse a trace and output as csv with he

2020-05-22 15:04:52 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

Oops, yes -t not -d. I've amended the answer. Yes, by "normal" I mean regular column output as opposed to -T fields ou

2020-05-22 14:59:58 +0000 edited answer Tshark -d option to format date doesn't work with -T fields

The -t option only works on "normal" tshark output. When you use -T fields and select a particular time field, i.e. fra

2020-05-22 14:31:32 +0000 edited question DNS Delay, ICMP message sent from query sender.

DNS Delay, ICMP message sent from query sender. An image of the issue: 10.1.60.27 = client sending query for google.

2020-05-22 14:25:22 +0000 edited answer Change frame/tcp length on sliced packets

From your output: Frame 71: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) This tells Wireshark that t

2020-05-22 14:23:08 +0000 answered a question Change frame/tcp length on sliced packets

From your output: Frame 71: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) This tells Wireshark that t

2020-05-22 14:23:08 +0000 received badge  Rapid Responder (source)
2020-05-22 13:34:56 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

See the answer to this question which was so similar to yours I thought it was also for Splunk. TLDR; the format for fra

2020-05-22 11:33:08 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

I believe, by using Google and looking at the docs for Splunk (I have never used Splunk), you can specify a time format

2020-05-22 11:32:38 +0000 commented answer Tshark -d option to format date doesn't work with -T fields

I believe, by using Google and looking at the docs for Splunk (I have never used Splunk), you can specify a time format

2020-05-22 11:31:34 +0000 commented answer Tshark frame.time format

OK, I mistakenly thought it was a follow on from this question.

2020-05-22 10:39:08 +0000 edited answer Command Line port filter

It depends on where you put the capture filter in the argument list. See the man page entry for the -f option: This

2020-05-22 10:35:44 +0000 received badge  Rapid Responder (source)
2020-05-22 10:35:44 +0000 answered a question Command Line port filter

It depends on where you put the capture filter in the argument list. See the man page entry for the -f option: This

2020-05-22 09:44:50 +0000 commented question Command Line port filter

In what way is it not working, does it exclude traffic you want or include traffic you didn't want? Do you have VLAN ta

2020-05-22 09:41:40 +0000 answered a question Tshark frame.time format

You would have to recompile Wireshark to do so, currently the format is hard-coded, see abs_time_to_str() in epan\to_str

2020-05-22 09:41:40 +0000 received badge  Rapid Responder (source)
2020-05-22 09:21:04 +0000 commented answer Could NOT find GLIB2 (missing: GLIB2_LIBRARY GLIB2_MAIN_INCLUDE_DIR. Trying to build Wireshark 3.0 on Windows.

That's the correct CMake invocation for Wireshark 3.0 which was built with VS2017.

2020-05-21 16:54:02 +0000 answered a question Tshark -d option to format date doesn't work with -T fields

The -d option only works on "normal" tshark output. When you use -T fields and select a particular time field, i.e. fra

2020-05-21 16:54:02 +0000 received badge  Rapid Responder (source)
2020-05-21 07:58:37 +0000 received badge  Rapid Responder (source)
2020-05-21 07:58:37 +0000 answered a question winflexbison installer has malware?

Thank you for your observation, you should note that the Wireshark project does not supply winflexbison, that is an exte

2020-05-19 07:24:16 +0000 received badge  Rapid Responder (source)
2020-05-19 07:24:16 +0000 answered a question I can't decrypt my TLS traffic

I'm not 100% sure about this but from your SSL log: ssl_set_cipher found CIPHER 0x1302 TLS_AES_256_GCM_SHA384 This is

2020-05-17 11:27:48 +0000 commented answer Dissector that decodes payload on another layer

Nope, the changes would be in the Asterisk dissector, it has the DSAP preference which is specific to asterisk and it re

2020-05-16 11:07:06 +0000 commented answer Dissector that decodes payload on another layer

As noted by Guy, your capture uses many different DSAP values so which one(s) should be used for Asterisk? How is this

2020-05-15 20:13:41 +0000 commented answer Could NOT find GLIB2 (missing: GLIB2_LIBRARY GLIB2_MAIN_INCLUDE_DIR. Trying to build Wireshark 3.0 on Windows.

That's correct for 3.0 which was built with VS2017.

2020-05-15 20:12:50 +0000 commented question Could NOT find GLIB2 (missing: GLIB2_LIBRARY GLIB2_MAIN_INCLUDE_DIR. Trying to build Wireshark 3.0 on Windows.

That's the correct build command for Wireshark 3.0, but we'll need to see the full output from the command. Please redi

2020-05-15 15:26:35 +0000 commented answer Can I Capture Mesh Network Traffic?

Looks to me to be the general steps to make a WLAN capture, ascertain channel, restart the client connection either by d

2020-05-15 15:22:31 +0000 answered a question {RST, ACK} ports 61820 >28130

I seem to have two streams there, one is from 10.203.205.210 to pmdvportal and looks like RDP traffic and probably isn't

2020-05-15 15:22:31 +0000 received badge  Rapid Responder (source)