Posts Tagged ‘wireshark’

How to export the SSL certificate from a Wireshark packet capture

April 10th, 2014

How to obtain the SSL certificate from a Wireshark packet capture:

Categories: SSL/TLS

tshark – Capturing Packets from the Windows Command Line

April 9th, 2014

A quick aide-mémoire about how to capture traffic from the Windows command line. You must be in the Wireshark directory (or have its location in your PATH environment variable):

1. Find interface Index:

C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit Network Connection)

Categories: Protocol Analysis

Long Fat Pipes: TCP WSCALE, TCP SACK and Time Stamp Options

October 14th, 2013

Long Fat Pipes
High-capacity packet satellite channels are LFNs (delay: 4 × 35,800 km = 470 ms RTT), and modern terrestrial long-haul fibre-optic paths also fall into the LFN class. There are three fundamental performance problems with current TCP over LFNs:

• Window Size Limit (2^16, or max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “Selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp”

Running Snoop on Netscreen Firewall

September 26th, 2013

An aide-mémoire:

ScreenOS-> undebug all
ScreenOS-> clear db

Categories: Juniper, linux, Security

Installing Wireshark on Ubuntu Linux

May 2nd, 2013

Another aide-mémoire:

daren@Shimla:~$ sudo apt-get install wireshark

[sudo] password for daren:
Reading package lists… Done

Categories: linux, Protocol Analysis

HTTP Cache Control and the ETag

August 16th, 2012

HTTP and ETag

Download this capture file: IfModifieldSince_and_ETag

OR: view it now via Cloudshark

With caching enabled, a web server does not need to send a full response if content has not changed.

  • If-Modified-Since is an HTTP request header that the client (your browser) sends to the server along with a request for content.
  • Last-Modified is an HTTP response header that the server returns along with the requested content.

If-Modified-Since: allows a 304 Not Modified to be returned if the content is unchanged. Example:
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

If-None-Match: allows a 304 Not Modified to be returned if the content is unchanged. Example:
If-None-Match: "737060cd8c082f209582d"

Categories: Protocol Analysis

Useful Riverbed SteelHead Wireshark Filters

June 16th, 2012

Useful Wireshark filters

To Find Inner channel splice setup: eq 0x1

Using Riverbed Wireshark 1.8.2 you can use a new feature to find all inner channel traffic for a conversation. You can, for instance, use the Inner channel splice setup filter eq 0x1 to display all splice setups, or use some other method.

When you have identified the splice connection you are interested in, you can right-click on the connection in Wireshark and choose the ‘Find the inner channel’ option to try to locate the entire inner channel connection. You can also right-click on any part of an optimised connection to obtain the same result.


WCCP Protocol plus Wireshark Capture

April 30th, 2012

Refer to this Wireshark capture, or view it now via Cloudshark.

Alternatively, download WCCPv2.pcap and continue reading.

Categories: Protocol Analysis

Using TCPDUMP to Filter on DSCP

January 29th, 2012

The TCPDUMP filter to match a DSCP is a little tricky to construct. Below I explain how the filter works, what TCPDUMP sees in the ToS byte of the IP header, and how to filter on just the DiffServ (DSCP) bits.

The IP ToS Byte (DSCP and IP ECN)

(If you only need the filter and not the explanation of how it is constructed:)

An example filtering on DSCP decimal 20 (AF22):
tcpdump -i eth0 -vvv 'ip and (ip[1] & 0xfc) >> 2 == 20'

An example filtering on DSCP hex 0x14 (also decimal 20, or AF22):
tcpdump -i eth0 -vvv 'ip and (ip[1] & 0xfc) >> 2 == 0x14'
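As an added example (not from the original post), the Python below performs the same mask-and-shift as the tcpdump expression above on constructed IPv4 headers, and shows why the 0xfc mask matters: an AF22 packet with an ECN bit set still matches, whereas a naive compare of the whole ToS byte would miss it. The header builder, sample addresses and sample ToS values are constructed for illustration.

```python
import struct


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to its per-hop-behaviour name (AF, CS, EF or BE)."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3      # AFxy: class in bits 5-3, drop precedence in bits 2-1
    if 1 <= cls <= 4 and drop in (1, 2, 3) and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    if dscp & 0x7 == 0:
        return f"CS{cls}"
    return f"DSCP{dscp}"


def tos_fields(ipv4_header: bytes) -> tuple:
    """Return (dscp, ecn) from the ToS/DS byte, which is ip[1] in tcpdump terms."""
    tos = ipv4_header[1]
    return (tos & 0xFC) >> 2, tos & 0x03


def matches_dscp(ipv4_header: bytes, dscp: int) -> bool:
    """Same test as the tcpdump filter '(ip[1] & 0xfc) >> 2 == <dscp>'."""
    return tos_fields(ipv4_header)[0] == dscp


def matches_tos_byte(ipv4_header: bytes, tos: int) -> bool:
    """The naive alternative 'ip[1] == <tos>': fails once any ECN bit is set."""
    return ipv4_header[1] == tos


def build_ipv4_header(tos: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header (constructed sample; checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


# Constructed sample headers: AF22 without ECN, AF22 with ECT(1) set, and best effort.
SAMPLES = {
    "af22": build_ipv4_header(0x50),       # 0101 00|00 -> DSCP 20, ECN 0
    "af22_ect1": build_ipv4_header(0x51),  # 0101 00|01 -> DSCP 20, ECN 1
    "best_effort": build_ipv4_header(0x00),
}


def filter_dscp(headers: dict, dscp: int) -> list:
    """Names of the sample headers the tcpdump-style DSCP filter would pass."""
    return [name for name, hdr in headers.items() if matches_dscp(hdr, dscp)]
```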

Categories: Protocol Analysis, QoS

Server Message Block (SMB) Dialects and Oplocks

July 2nd, 2011

This post describes the typical message exchange sequence for a client connecting to a user-level server, opening a file, reading its data, closing the file, and disconnecting from the server. Opportunistic Locking (Oplocks) is also explained.

You can also refer to this capture: download smbtorture from the Wireshark Wiki to further understand the SMB dialogues. The capture was made using the Samba4 smbtorture suite against a Windows Vista beta2 server.

Categories: Protocol Analysis