Questions tagged [packet-capture]

Packet capture is the act of capturing data packets crossing a computer network. It can be deep packet capture (headers and payload) or partial packet capture (headers only).

Packet capture is the act of capturing data packets crossing a computer network. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform deep packet inspection (DPI) to review network packet data, perform forensic analysis to uncover the root cause of network problems, identify security threats, and ensure that data communications and network usage comply with the outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real time at wire speed while keeping a historical archive of all network traffic for further analysis.

Partial packet capture records headers without recording the full content of datagrams. This reduces storage requirements and avoids legal problems, while still retaining enough data to reveal the essential information required for problem diagnosis.

Source: Wikipedia.

169 questions
76 votes, 4 answers

How to make wireshark filter POST-requests only?
Ilya Smagin
21 votes, 4 answers

Monitor number of bytes transferred to/from IP address on port

Can anyone recommend a linux command line tool to monitor the number of bytes transferred between the local server and a specified IP address/port. The equivalent tcpdump command would be: tcpdump -s 0 -i any -w mycapture.trc port 80 host…
Mike
18 votes, 2 answers

How can I search the info column in Wireshark?

Wireshark | Windows I want to search a packet capture of SMTP traffic for specific addresses/messages. Normally, I just sort the info column and browse but it would be nice if I could just run a search or filter for the specific string I'm looking…
Mike B
14 votes, 1 answer

Why is the "don't fragment" flag set in https and ssh protocols?

I've found a lot of information specifying that this is the case, however, I am really looking for the reason behind this. Why is it necessary? Is it necessary?
13 votes, 3 answers

tcpdump: capture one of several vlans

I want tcpdump to capture VLAN 1000 or VLAN 501. man pcap-filter says: The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4. When I do: tcpdump…
bstpierre
10 votes, 6 answers

Copying packets from an interface to another

I have a Linux system (let it be A) with 2 ethernet cards, namely eth0 and eth1 which are attached to two totally unrelated LANs. Basically eth0 is used for normal application traffic and eth1 is used only for debugging purposes. Debugging means…
Emiliano
7 votes, 2 answers

How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?

For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet capture only shows me encrypted data. Is there a…
Mike B
6 votes, 2 answers

How to determine which process is sending UDP packets once per hour?

I was doing a packet capture as part of a development project and saw some odd traffic coming from my machine in the capture file. About every 3600 seconds, a NAT-PMP request is being sent to the IP "1.1.168.192". (Kind of amusing, looks like…
fdmillion
6 votes, 2 answers

Can I use HAProxy's new 'capture' feature to save the remote address in a TCP frontend, and use it as the `X-Forwarded-For` header in an HTTP backend?

Using HAProxy 1.6 and a clever hack, I now have an HAProxy tcp mode frontend, that detects if the browser is capable of SNI, and based on that, routes to a strongly ciphered SSL termination backend, or a weaker one. This ensures A+ grading on SSL…
kvz
6 votes, 2 answers

Linux NFLOG - documentation, configuration from C

Several different places (e.g. http://wiki.wireshark.org/CaptureSetup/NFLOG) recommend using Linux's "NFLOG" firewall module to capture packets generated by a particular UID, like this: # iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK…
zwol
6 votes, 2 answers

Capture network traffic simultaneously on three interfaces

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 wan interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced…
drcelus
6 votes, 5 answers

Wireshark filter to only capture Incoming Packets?

I am trying to set up a Filter (so my log files aren't massive) that will capture only incoming traffic. I have looked on http://wiki.wireshark.org/CaptureFilters but so far have been unable to find a way to do this. Does anyone know how? Just as a…
5 votes, 3 answers

Tcpdump on ec2 not seeing all packets

I'm running tcpdump on an Amazon EC2 instance to monitor HTTP traffic going to Nginx (this is just a test box, the only resource is the example test page). Running tcpdump with the command # tcpdump -vn -i any port 80 shows the packets from a…
5 votes, 2 answers

using wireshark/tshark in command line to ignore ssh connections

I'm trying to debug some by looking at the packets and I would like to avoid getting all the SSH traffic to the server. Is there a way to ignore? I tried to do something like tshark -f "port !22" but it stopped listening after the command. [root@vpn…
Tiffany Walker
5 votes, 0 answers

Why does our Windows 7 Desktop keep continually making SMB requests to our SBS2003 server?

Possible Duplicate: How do I deal with a compromised server? One of our desktop machines (Win 7 64 bit) has recently been complaining of slow down, particularly when accessing resources on a SBS2003 server (also a DC). One thing I looked into was…