How to export the SSL certificate from a Wireshark packet capture
How to obtain the SSL certificate from a Wireshark packet capture: Read more…
How to obtain the SSL certificate from a Wireshark packet capture: Read more…
A quick aide-memoir about how to go about capturing traffic from the Windows command line. You must be in the Wireshark directory (or have the location in your PATH environment settings):
1. Find interface Index:
C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit
Network Connection) Read more…
Long Fat Pipes
High-capacity packet satellite channels are LFN’s (Delay 4 x 35‘800 km = 470ms RTT) and modern terrestrial long-haul fibre-optic paths will also fall into the LFN class. There are three fundamental performance problems with the current TCP over LFNs:
• Window Size Limit (2^16 or max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp” Read more…
An aide-memoir:
ScreenOS-> undebug all
ScreenOS-> clear db Read more…
Another aide-memoir:
daren@Shimla:~$ sudo apt-get install wireshark
[sudo] password for daren:
Reading package lists… Done Read more…
Download this capture file: ” IfModifieldSince_and_ETag ”
OR: view it now via Cloudshark
With caching enabled, a web server does not need to send a full response if content has not changed.
If-Modified-Since Allows a 304 Not Modified to be returned if content is unchanged
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
If-None-Match Allows a 304 Not Modified to be returned if content is unchanged,
If-None-Match: "737060cd8c082f209582d"
Read more…
Useful Wireshark filters
To Find Inner channel splice setup: rvbd.sport.setup.type eq 0x1
Using Riverbed Wireshark 1.8.2 you can use a new feature to find all inner channel traffic for a conversation. You can for instance use the Inner channel splice setup filter rvbd.sport.setup.type eq 0x1
to display all splice setups or some other method.
When you have identified the splice connection you are interested in you can then right click on the connection in Wireshark and choose the ‘Find the inner channel’ option to try to locate the entire inner channel connection. You can also right click on any part of an optimised connection to obtain the same result.
Refer to this Wireshark Capture. OR: view it now via Cloudshark
Alternatively, Download: WCCPv2.pcap and continue reading.. Read more…
The TCPDUMP filter to match a DSCP is a little tricky to construct. I need to explain how the filter works and also what TCPDUMP sees in the ToS Byte of the IP header and then how to filter on just the DiffServ extensions.
FIRST THE ANSWER:
(in case it is not important to understand how the filter is constructed)
– an example filtering on DSCP decimal 20 (AF22):
tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 20) -vvv
– An example filtering on DSCP Hex 14 (also decimal 20 or AF22):
tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 0x14) –vvv
Read more…
This post describes typical message exchange sequence for a client connecting to a user level server, opening a file, reading its data, closing the file, and disconnecting from the server. Opportunistic Locking (Oplocks) are also explained.
You can also refer tothis capture: Download smbtorture from Wireshark Wiki to further understand the SMB dialogues. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server. Read more…