Archive for the ‘Protocol Analysis’ Category

How to Determine which Process or Application uses a TCP Connection

May 14th, 2015

This recipe shows how to determine which process or application uses a TCP connection that you saw listed in your netstat output. The example below is for Linux; Windows is covered further down in the post:

In this example, I have a small ARM Linux device being remotely managed via the “Dataplicity” service. To use the service you install a script which runs on startup. It seems that the script sets up an SSH connection from the managed ARM device to the Dataplicity server, so that when you log in to their Admin portal and choose the “terminal” option, you access the Linux terminal which is already set up.

The netstat output shows a session outbound from the ARM machine ( to the Dataplicity server ( on TCP/22 (SSH):

root@raspberrypi:/# netstat -an | grep ':443'

The next step is to find which process(es) use the (source) TCP port 46098:


AS/400 Ethernet Type May Cause Problems

March 13th, 2015

After a core network switch reload, a strange problem occurred for 5250 terminal sessions to an AS/400. Sometimes they worked and sometimes not. The same behaviour was observed using ping from within the same IP subnet.

The problem appeared to be the Ethernet framing on the AS/400. The ARP replies kept changing between type SNAP and ARPA. An ARP entry on the core routers showed the MAC address of the AS/400 but using Ethernet “SNAP” encapsulation rather than “ARPA”, the latter being the default encapsulation type for the Cisco 6500s which we were using.

Using nMap to Identify Applications

March 3rd, 2015

nMap uses a list of “default” applications in the nmap services file to label services running on scanned open ports. To see the “real” application, execute nMap with the “-sV” (version detection) option.

Cisco ASA Debug, Syslog and Logging Lists

April 10th, 2014

When troubleshooting with debug enabled, it is possible to create logging lists that filter out messages unrelated to your problem. For example, to focus on messages such as:

%ASA-2-106016: Deny IP spoof from ( to on interface Inside

logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list ACL-MESSAGES_LOG-LIST message 106023
logging console ACL-MESSAGES_LOG-LIST
logging monitor ACL-MESSAGES_LOG-LIST
show log


tshark – Capturing Packets from the Windows Command Line

April 9th, 2014

A quick aide-mémoire about how to capture traffic from the Windows command line. You must be in the Wireshark directory (or have its location in your PATH environment variable):

1. Find the interface index:

C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit Network Connection)


FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL

October 18th, 2013

FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL / Active mode vs Passive mode

Explicit SSL:
– A connection to the server is made on TCP/21 (ftp-control channel)
– A connection to the server is made on TCP/20 (ftp-data)


Understanding HTTP Pipelining and Connection Jumping

August 10th, 2013

Browsers can set up two or more TCP connections to an HTTP server to facilitate parallel downloads. As the browser parses the Web page it becomes aware of which objects it needs to download.

Rather than sending the requests in series over a single connection, the requests are sent over parallel connections to download the Web page faster. Another technique used by browsers to improve performance is “HTTP pipelining”.

Juniper ScreenOS – Troubleshooting using Debug Flow

June 21st, 2013

“debug flow basic” shows the flow of traffic through the firewall, allowing you to troubleshoot route selection, policy selection, any address translation, and whether the packet is received or dropped by the firewall.

Decrypting WEP using Wireshark and AirPcap

May 17th, 2013

1. You must have Wireshark successfully installed on the capturing host

2. You must have the AirPcap Wireless Capture Adapter successfully installed on the capturing host


Installing Wireshark on Ubuntu Linux

May 2nd, 2013

Another aide-mémoire:

daren@Shimla:~$ sudo apt-get install wireshark

[sudo] password for daren:
Reading package lists… Done
