Daren Matthews

How to obtain the SSL certificate from a Wireshark packet capture: Read more…

A quick aide-memoir about how to go about capturing traffic from the Windows command line.  You must be in the Wireshark directory (or have the location in your PATH environment settings):

1. Find interface Index:

C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit
Network Connection) Read more…

Long Fat Pipes
High-capacity packet satellite channels are LFN’s  (Delay 4 x 35‘800 km = 470ms RTT) and modern terrestrial long-haul fibre-optic paths will also fall into the LFN class. There are three fundamental performance problems with the current TCP  over LFNs:

• Window Size Limit (2^16 or max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp” Read more…

An aide-memoir:

ScreenOS-> undebug all
ScreenOS-> clear db Read more…

Another aide-memoir:

daren@Shimla:~$ sudo apt-get install wireshark

[sudo] password for daren:
Reading package lists… Done Read more…

HTTP and ETag

Download this capture file: ” IfModifieldSince_and_ETag ”

OR: view it now via Cloudshark

With caching enabled, a web server does not need to send a full response if content has not changed.

• If-Modified-Since is an HTTP request header that the client sends to your browser along with a request for content.
• Last-Modified is an HTTP response header that the server returns along with the requested content.

If-Modified-Since Allows a 304 Not Modified to be returned if content is unchanged
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

If-None-Match Allows a 304 Not Modified to be returned if content is unchanged,
If-None-Match: "737060cd8c082f209582d" Read more…

WCCP

Refer to this Wireshark Capture. OR: view it now via Cloudshark 

Alternatively, Download: WCCPv2.pcap and continue reading.. Read more…

The TCPDUMP filter to match a DSCP is a little tricky to construct. I need to explain how the filter works and also what TCPDUMP sees in the ToS Byte of the IP header and then how to filter on just the DiffServ extensions.

The IP ToS Byte (DSCP and IP ECN)

FIRST THE ANSWER:
(in case it is not important to understand how the filter is constructed)

– an example filtering on DSCP decimal 20 (AF22):
tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 20) -vvv

– An example filtering on DSCP Hex 14 (also decimal 20 or AF22):
tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 0x14) –vvv
Read more…

This post describes typical message exchange sequence for a client connecting to a user level server, opening a file, reading its data, closing the file, and disconnecting from the server. Opportunistic Locking (Oplocks) are also explained.

You can also refer tothis capture: Download smbtorture from Wireshark Wiki to further understand the SMB dialogues. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server. Read more…