Questions tagged [wireshark]
The network protocol analyzer developed and maintained by the Wireshark Foundation
890 questions
74 votes, 8 answers, 34k views
Mac Homebrew and Wireshark
I've installed Wireshark(.org) using Homebrew.
brew install wireshark
at the end the script says
==> ./configure --prefix=/usr/local/Cellar/wireshark/1.2.7 --disable-dependency-tracking --disable-...
38 votes, 5 answers, 103k views
How can I see 127.0.0.1 traffic on Windows using Wireshark?
Every time I try to filter to just show a specific IP address, I get an error indicating that it is "not an interface or a field." I have no idea what that means. Furthermore, I don’t really see any ...
32 votes, 3 answers, 50k views
How to set up wireshark to run without root on Debian?
I'm trying to use wireshark on a Debian machine, but when I run it with my non-root user account, it doesn't detect any network interface.
I also tried running wireshark as root, but wireshark tells ...
26 votes, 3 answers, 69k views
Show only HTTP traffic in Wireshark
How can I filter out traffic that is not HTTP in Wireshark, so that it shows me only HTTP traffic, but not TCP, DNS, SSDP, etc.?
20 votes, 5 answers, 59k views
Filter in Wireshark for TLS's Server Name Indication field
Does wireshark have a filter for TLS's Server Name Indication field?
18 votes, 2 answers, 187k views
What's all this deploy.akamaitechnologies.com traffic?
I happened to do a tcpdump while leaving my Mac idle, and when I came back after a mere half-hour there were something like 5000 packets involving deploy.akamaitechnologies.com, in which my computer ...
18 votes, 6 answers, 77k views
Capture traffic for specific application
I have an application which communicates with some server. I want to know what the IP of this server is. How can I capture all the traffic from a specific application and not just all the traffic like ...
16 votes, 2 answers, 29k views
Wireshark USB traces explanations
I am trying to reverse engineer a USB (HID) device and cannot really figure out how what I see in Wireshark (usbmon + Wireshark on Linux, or Windows) relates to the USB protocol. I have looked at ...
15 votes, 1 answer, 35k views
SSL protocol seems to be missing in Wireshark
SSL protocol seems to be missing for me. It doesn't show up in the preferences menu and Wireshark doesn't capture any SSL packets from any program I try. I also had a failed handshake trying to just ...
14 votes, 4 answers, 34k views
How do I return just the HTTP header from tshark?
I'm using tshark to sniff my packets and I'm only concerned with the HTTP header (preferably in the form it's sent, but I'll take what I can get).
I tried using:
tshark tcp port 80 or tcp port 443 -V ...
14 votes, 2 answers, 32k views
How do I decrypt WPA2 encrypted packets using Wireshark?
I am trying to decrypt my WLAN data with Wireshark. I have already read and tried everything on this page but without any success (well, I tried the example dump on that page and succeeded, but I fail ...
14 votes, 4 answers, 43k views
Wireshark WPA 4-way handshake
From this wiki page:
WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won'...
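The derivation behind that wiki quote, as an added example that is not part of either post above: Wireshark turns the passphrase into the PMK with PBKDF2 over the SSID, then needs the two nonces (ANonce from message 1 or 3, SNonce from message 2) and both MAC addresses to expand it into the PTK; the MIC on message 2 is what proves the passphrase is right. Without those EAPOL frames in the capture there is nothing to derive the temporal key from, which is why a capture started after the client had already joined stays encrypted. The MACs, nonces and EAPOL-Key frame below are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original posts. It reproduces the WPA2-PSK
# key schedule that Wireshark runs when you enter a passphrase in the IEEE
# 802.11 preferences: passphrase -> PMK -> PTK -> EAPOL-Key MIC check.
# The MACs, nonces and the EAPOL frame below are constructed for the demo.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).

    Returns (KCK, KEK, TK): KCK authenticates the handshake, TK decrypts data frames.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return ptk[0:16], ptk[16:32], ptk[32:48]


# Offsets inside an EAPOL-Key frame (802.1X header + key descriptor fields).
NONCE_OFF = 4 + 1 + 2 + 2 + 8          # after desc type, key info, key length, replay counter
MIC_OFF = NONCE_OFF + 32 + 16 + 8 + 8  # after nonce, key IV, RSC, key ID


def build_eapol_msg2(snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """Message 2 of the 4-way handshake with an all-zero MIC field (constructed)."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit set
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 16, replay_counter)
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def verify_msg2(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes) -> bool:
    """What the dissector does with your passphrase: derive the PTK from the two
    nonces and two MACs, then check the MIC carried in message 2."""
    snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    kck, _, _ = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFF:MIC_OFF + 16])


def demo() -> dict:
    aa = bytes.fromhex("02a0a1a2a3a4")      # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("02b0b1b2b3b4")     # supplicant MAC, constructed
    anonce = bytes(range(32))               # on a real capture: from message 1 (or 3)
    snonce = bytes(range(32, 64))           # on a real capture: from message 2
    kck, _, _ = derive_ptk(pmk_from_passphrase("correct horse", "lab-ssid"), aa, spa, anonce, snonce)
    msg2 = sign_eapol(kck, build_eapol_msg2(snonce, 1, b""))
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 1])   # flip a bit of the key data length
    return {
        "good_passphrase": verify_msg2("correct horse", "lab-ssid", aa, spa, anonce, msg2),
        "wrong_passphrase": verify_msg2("battery staple", "lab-ssid", aa, spa, anonce, msg2),
        "tampered_frame": verify_msg2("correct horse", "lab-ssid", aa, spa, anonce, tampered),
    }
```

Checking the message 2 MIC is also a cheap offline test of a candidate passphrase, which is exactly why a captured handshake is sensitive material and why the 4096-iteration PBKDF2 is the only thing slowing a dictionary attack down.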
13 votes, 4 answers, 36k views
Why do I see "The NPF driver isn't running. You may have trouble capturing or listing interfaces." when starting Wireshark?
When I start up Wireshark, why do I see this message?
"The NPF driver isn't running. You may have trouble capturing or listing interfaces."
13 votes, 5 answers, 61k views
Wireshark cannot see traffic from a VirtualBox guest on Windows 7
I have been trying to use Wireshark to capture some traffic that comes from a virtual machine.
The setup is:
Windows 7 host
Ubuntu guest
VirtualBox 4
I send some packets from the guest to the host ...
12 votes, 1 answer, 1k views
Is my connection really encrypted through VPN?
I am checking that my VPN is really encrypting connection, using wireshark.
When I capture from the WiFi interface the data is encrypted by openvpn protocol, but when I capture Local Area Connection (...
11 votes, 4 answers, 72k views
How to filter by protocol in Wireshark 2.2.7?
I am trying to show only HTTP traffic in the capture window of Wireshark but I cannot figure out the syntax for the capture filter.
I have tried suggestions for old versions of Wireshark but with no ...
11 votes, 1 answer, 11k views
How to determine what program sent the packet recorded in Wireshark?
I was taking some tutorials on Wireshark in order to analyze the packets sent and received when talking to a web server for purposes of learning.
When I start listening/recording packets in Wireshark,...
11 votes, 3 answers, 17k views
Chrome browser sending Keep-Alive packets?
I ran Wireshark on my PC and found that my chrome browser was sending LOTS of Keep-alive packets even when there are no sites loaded in the browser, and even when there are no extensions installed!! ...
11 votes, 2 answers, 14k views
How can I diff two network dumps from tcpdump or Wireshark?
I'm having a problem with one of our customers' embedded computers. They seem to discard some network packets which they should not. I can capture the TCP communication from a managed switch outside ...
10 votes, 3 answers, 6k views
usbmon (wireshark, tshark) for regular user
I have libpcap set up with the newest cvs version.
Regular users can run Wireshark and tshark.
Specifically, they have been added to the wireshark group and can capture from
1. eth0
2. br0
3. nflog ...
10 votes, 1 answer, 10k views
In Wireshark where can I find the TLS Server's Certificate
I'm looking at TLS v1.3 headers in Wireshark and I'm not sure where I would find the server certificate that is used to confirm that the server is who they claim to be.
The Client Sends Hello then ...
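Added example, not code from any of the posts, serving both this question and the earlier one about filtering on the Server Name Indication field. It builds and parses the two Hello messages so you can see where the SNI lives in the ClientHello (the bytes that `tls.handshake.extensions_server_name` matches) and why a TLS 1.3 server's Certificate never shows up as a Handshake record: the ServerHello carries the real version in the supported_versions extension, and everything after it is sent in encrypted records, so the dissector can only show the certificate for TLS 1.2 or when it has the session keys (for example from an SSLKEYLOGFILE). The handshake bytes are constructed (zero randoms, a single cipher suite), not captured.

```python
import struct

# Added example, not code from the original posts. A minimal TLS record and
# Hello parser that shows (1) where the server name Wireshark exposes as
# tls.handshake.extensions_server_name lives in the ClientHello and (2) why a
# TLS 1.3 capture has no visible Certificate message. The handshake bytes are
# constructed here (zero randoms, one cipher suite) rather than captured.

SNI, SUPPORTED_VERSIONS = 0, 43
TLS12, TLS13 = 0x0303, 0x0304


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from(">H", b, off)[0]


def _extensions(exts) -> bytes:
    body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    return struct.pack(">H", len(body)) + body


def _wrap(msg_type: int, body: bytes) -> bytes:
    """Handshake header (type, 24-bit length) inside a Handshake record (0x16)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs


def build_client_hello(hostname: str, versions) -> bytes:
    name = hostname.encode()
    sni = struct.pack(">H", 3 + len(name)) + b"\x00" + struct.pack(">H", len(name)) + name
    vers = b"".join(struct.pack(">H", v) for v in versions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # legacy version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                # compression_methods: null
            + _extensions([(SNI, sni), (SUPPORTED_VERSIONS, bytes([len(vers)]) + vers)]))
    return _wrap(1, body)


def build_server_hello(selected=None) -> bytes:
    """TLS 1.3 servers announce the real version in supported_versions; the
    legacy version field always says 1.2. selected=None models a 1.2 server."""
    exts = [(SUPPORTED_VERSIONS, struct.pack(">H", selected))] if selected else []
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00" + _extensions(exts)
    return _wrap(2, body)


def parse_hello(record: bytes):
    """Return (msg_type, legacy_version, {ext_type: ext_data}) for a Hello record."""
    if record[0] != 0x16:
        raise ValueError("not a Handshake record (content type 0x%02x)" % record[0])
    hs = record[5:5 + _u16(record, 3)]
    msg_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                    # version + random
    off += 1 + body[off]            # session id
    if msg_type == 1:               # ClientHello: suite list + compression list
        off += 2 + _u16(body, off)
        off += 1 + body[off]
    else:                           # ServerHello: one suite + one compression byte
        off += 3
    end = off + 2 + _u16(body, off)
    off += 2
    exts = {}
    while off < end:
        etype, elen = struct.unpack_from(">HH", body, off)
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    return msg_type, _u16(body, 0), exts


def client_sni(client_hello: bytes):
    """The hostname a tls.handshake.extensions_server_name display filter matches on."""
    _, _, exts = parse_hello(client_hello)
    data = exts.get(SNI)
    if data is None:
        return None
    # server_name_list length(2), then name_type(1) + name length(2) + name
    return data[5:5 + _u16(data, 3)].decode()


def negotiated_version(server_hello: bytes) -> int:
    _, legacy, exts = parse_hello(server_hello)
    return _u16(exts[SUPPORTED_VERSIONS], 0) if SUPPORTED_VERSIONS in exts else legacy


def certificate_in_clear(server_hello: bytes) -> bool:
    """In 1.2 the Certificate message follows as plaintext Handshake records; in
    1.3 it travels inside encrypted records, so the dissector cannot show it
    without the session keys (e.g. an SSLKEYLOGFILE)."""
    return negotiated_version(server_hello) < TLS13


def demo() -> dict:
    ch = build_client_hello("example.com", [TLS13, TLS12])
    return {"sni": client_sni(ch),
            "tls13_version": negotiated_version(build_server_hello(TLS13)),
            "tls13_cert_visible": certificate_in_clear(build_server_hello(TLS13)),
            "tls12_cert_visible": certificate_in_clear(build_server_hello())}
```

The SNI is the one piece of the destination that stays in the clear in both versions (unless Encrypted Client Hello is in use), which is why it is the usual field to filter on and also the usual field a network observer logs.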
10 votes, 4 answers, 122k views
How to block the Whatsapp Android application in a network
I need to block the users from accessing Whatsapp Android application who have logged in to my network. I tried to take Wireshark logs and tried to find the server's IP Address and port number, but I ...
10 votes, 1 answer, 33k views
Capturing traffic by HTTP host name, not by IP, via WireShark
I'm trying to filter traffic only to a given HTTP host name. I have a server, and I have dozens of websites on it. It only has one interface and one IP address. Thus filtering to my IP address is not ...
9 votes, 2 answers, 45k views
Only show problematic packets in Wireshark
I am using Wireshark to analyse millions of packets. Is there a filter which will only show those packets which have errors?
By "error", I mean an IP error (e.g. incorrect IP header checksum), a TCP ...
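Added example, not code from any of the posts, serving both this question and the earlier one about diffing two dumps. It is a pure-Python pcap reader/writer with a minimal Ethernet/IPv4/TCP dissector: one function lists packets present in one capture but missing from the other (keyed on addresses, ports, IP ID and TCP sequence number, so the same packet matches even when timestamps differ), the other flags packets with a wrong IPv4 header checksum, which is what `ip.checksum.status == "bad"` selects in the GUI. Both captures are constructed in memory; the function names and the zero MAC addresses are this example's own.

```python
import socket
import struct

# Added example, not code from the original posts. A pure-Python pcap
# reader/writer plus a minimal Ethernet/IPv4/TCP dissector, used to (1) diff two
# captures of the same traffic taken at different points and (2) flag packets
# whose IPv4 header checksum is wrong, which is what Wireshark's
# ip.checksum.status == "bad" display filter selects. Both captures below are
# constructed in memory; nothing is read from a real interface.

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, ip_id, seq, payload=b"", corrupt_checksum=False):
    """Ethernet II + IPv4 + TCP (PSH,ACK) frame with a correct or deliberately bad IP checksum."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                      # constructed zero MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(ip) ^ (1 if corrupt_checksum else 0)
    return eth + ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


def write_pcap(packets) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes):
    """Yield raw frames from a little-endian pcap blob (the common on-disk form)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic; pcapng and big-endian files not handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes):
    """Return a flow key and IP checksum status, or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    key = (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
           sport, dport, struct.unpack("!H", ip[4:6])[0], seq)
    return {"key": key, "ip_checksum_ok": ipv4_checksum(ip) == 0}


def diff_captures(pcap_a: bytes, pcap_b: bytes) -> dict:
    """Packets seen in one capture but not the other, keyed on addresses, ports, IP ID and TCP seq."""
    keys_a = [d["key"] for d in map(dissect, read_pcap(pcap_a)) if d]
    keys_b = [d["key"] for d in map(dissect, read_pcap(pcap_b)) if d]
    return {"only_in_a": [k for k in keys_a if k not in keys_b],
            "only_in_b": [k for k in keys_b if k not in keys_a]}


def bad_checksum_packets(pcap: bytes) -> list:
    return [d["key"] for d in map(dissect, read_pcap(pcap)) if d and not d["ip_checksum_ok"]]


def demo():
    req = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1, 1000, b"GET / HTTP/1.1\r\n")
    req2 = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 2, 1016, b"Host: lab\r\n\r\n")
    resp = build_packet("10.0.0.2", "10.0.0.1", 80, 40000, 7, 5000, b"HTTP/1.1 200 OK\r\n")
    resp_damaged = build_packet("10.0.0.2", "10.0.0.1", 80, 40000, 7, 5000, b"HTTP/1.1 200 OK\r\n",
                                corrupt_checksum=True)
    at_switch = write_pcap([req, req2, resp])          # mirror port outside the device
    at_device = write_pcap([req, resp_damaged])        # the device dropped req2
    return diff_captures(at_switch, at_device), bad_checksum_packets(at_device)
```

One caveat when applying the checksum check to a capture taken on the sending host itself: with checksum offload enabled the NIC fills in the checksum after the capture point, so outgoing packets show up as "bad" in Wireshark without anything being wrong on the wire; capture on the far side, or disable offload, before trusting that filter.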
9 votes, 3 answers, 8k views
Concern over running Wireshark as root
I started Wireshark on my Ubuntu machine and discovered that there were no interfaces I could listen to. So I launched it as root. This gave me access to all the interfaces, but gave me a warning:
...
9 votes, 4 answers, 127k views
How to get the URL from an internet radio station so I can stream it from VLC
How could I get the embedded URL from this internet radio? http://wp.1045radiolatina.com/escucha-en-vivo/
What I mean by URL is the address the radio is streamed from.
I have been trying to use URL ...
9 votes, 1 answer, 2k views
Capturing Internet Connection Sharing (ICS) traffic using Fiddler
How can we capture HTTP traffic that goes through an ICS connection?
Full details:
I have a PC connected to internet via Ethernet.
PC has set up a Wifi Hotspot using Internet Connection Sharing (ICS)...
8 votes, 1 answer, 3k views
Why, if I am connected via Wi-Fi and send a packet to another device in the same Wi-Fi, the dest MAC address in the link layer is not the AP's?
In the IEEE 802.11 protocol, in the link frame, the second address is the sender MAC address, and the first address is the receiver MAC address, which is the AP address if the sender is a station, and ...
8 votes, 2 answers, 5k views
How many TCP retransmissions in Internet traffic are considered normal for a basic home setup?
Out of curiosity, I connected my laptop with an ethernet cable to the router and fired up Wireshark to understand and 'visualize' what's going on.
Some packets caught my attention.
I was having some ...
8 votes, 6 answers, 6k views
Lightweight tool for viewing raw HTTP messages?
I'm investigating differences in behaviour between a couple of Web servers. I need to see raw response data from the servers (i.e. before the response is de-chunked if it has "Transfer-Encoding:...
8 votes, 2 answers, 38k views
Wireshark - How do I filter the TCP [RST] packets?
I am looking to filter out the TCP [RST] packets in Wireshark.
I have tried tcp.analysis.flag but it didn't help.
8 votes, 1 answer, 36k views
How to find HTTP GETs in Wireshark
How can I use the filter in Wireshark to find only those lines that have HTTP GET in them?
8 votes, 3 answers, 8k views
Wireshark - how can I observe little endian big endian difference in byte order using Wireshark?
I wrote a simple application which communicates using UDP sockets (in C). The application is simple: clients send numbers to the server, and the server computes the sum of them.
Now, I know how can I capture ...
8 votes, 1 answer, 36k views
Capturing wireless traffic (using Wireshark)
When I run wireshark on a wired network it works fine and reports all of the packets.
When I run it on a wireless network though I only see my own traffic. The wireless card I have is supposed to ...
7 votes, 2 answers, 41k views
How can I get the actual TCP sequence number in Wireshark?
In Wireshark, TCP sequence numbers are displayed as relative sequence numbers by default. How can I get the actual TCP sequence number?
7 votes, 1 answer, 3k views
ICMP packet with TCP?
For some time now I have found myself interested in packet analyzing and I try to figure out all kinds of stuff that I see in network captures. I hope you guys might want to help me find out this one.
...
7 votes, 4 answers, 10k views
What's the difference between wlan.sa, wlan.ra, wlan.ta and wlan.da?
Tshark/wireshark (CLI) has several fields to display for WLAN, including these four (+ description from manual):
wlan.sa: Source address
wlan.ra: Receiver address
wlan.ta: Transmitter address
wlan....
7 votes, 3 answers, 18k views
How can I capture traffic to localhost using Wireshark?
I am using Wireshark on Windows Vista and I would like to capture http traffic to localhost (127.0.0.1), for debugging purposes, but I have some questions.
How can I do this?
What capture interface ...
7 votes, 1 answer, 18k views
Capture Only HTTP traffic in tshark
I am new to the tshark tool. I am trying to use tshark for capturing only HTTP traffic but I am unable to do it. Here is the cmd I run to get all the traffic:
tshark -c 1000 -w packetFile.pcap ...
7 votes, 3 answers, 16k views
X11/XQuartz won't auto-launch after upgrading to OS X Mavericks?
I can't use Wireshark on latest OS X 10.9 Mavericks.
Previously, I was using XQuartz to run X11 applications like Wireshark.
But, yesterday, after I upgraded my iMac operating system to OS X 10.9, I ...
7 votes, 1 answer, 9k views
Why do I see the Ethernet II protocol in Wireshark on a wireless connection?
I have a small network in my home that consists of one network device named airties rt-205 and clients. Clients connect to this device via wireless and send their packets to the internet through this ...
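Added example, not code from any of the posts, serving this question and the two earlier ones about the wlan.sa/ra/ta/da fields and about the destination MAC not being the AP's. The meaning of the three (or four) address fields in an 802.11 data frame depends on the ToDS/FromDS bits: on the way up to the AP, Address 1 (the receiver, wlan.ra) is the AP's BSSID and the real destination sits in Address 3; on the way down, Address 1 is the destination station and the AP is the transmitter (wlan.ta). A capture on a station's own interface in managed mode never sees any of that, because the driver strips the 802.11 header and hands Wireshark an Ethernet II frame rebuilt from DA and SA, which is why the destination MAC shown is the peer's and not the AP's. Only monitor mode shows the 802.11 header with wlan.ra/ta. The three MAC addresses below are constructed, locally administered values.

```python
import struct

# Added example, not code from the original posts. It decodes the ToDS/FromDS
# bits of an 802.11 data frame and maps Address 1-4 onto the receiver,
# transmitter, destination, source and BSSID fields that tshark shows as
# wlan.ra, wlan.ta, wlan.da, wlan.sa and wlan.bssid, then rebuilds the
# Ethernet II header a station's driver hands to a non-monitor capture.
# The three MAC addresses are constructed (locally administered).

STATION = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")
AP = bytes.fromhex("02000000000a")


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_data_frame(to_ds: int, from_ds: int, addr1: bytes, addr2: bytes, addr3: bytes,
                     addr4: bytes = None) -> bytes:
    """802.11 data frame header (type 2, subtype 0); Address 4 is present only when both DS bits are set."""
    frame_control = (2 << 2) | (to_ds << 8) | (from_ds << 9)
    header = struct.pack("<HH", frame_control, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)
    if to_ds and from_ds:
        header += addr4
    return header


def parse_data_frame(frame: bytes) -> dict:
    """Apply the IEEE 802.11 address table: which field is RA/TA/DA/SA depends on the DS bits."""
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    if (frame_control >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = (frame_control >> 8) & 1, (frame_control >> 9) & 1
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    if not to_ds and not from_ds:       # IBSS or direct link: BSSID in Address 3
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:         # AP -> station: the AP's MAC is the transmitter
        da, sa, bssid = a1, a3, a2
    elif to_ds and not from_ds:         # station -> AP: the AP's MAC is the receiver, real DA in Address 3
        da, sa, bssid = a3, a2, a1
    else:                               # WDS / mesh: four addresses, no single BSSID
        da, sa, bssid = a3, mac(frame[24:30]), None
    return {"to_ds": to_ds, "from_ds": from_ds, "ra": a1, "ta": a2, "da": da, "sa": sa, "bssid": bssid}


def ethernet_header(fields: dict, ethertype: int = 0x0800) -> bytes:
    """What a managed-mode capture shows: an Ethernet II header built from DA and SA,
    so the on-air receiver (the AP) is no longer visible."""
    return (bytes.fromhex(fields["da"].replace(":", "")) + bytes.fromhex(fields["sa"].replace(":", ""))
            + struct.pack("!H", ethertype))


def demo() -> dict:
    uplink = parse_data_frame(build_data_frame(1, 0, AP, STATION, PEER))      # STATION sends to PEER
    downlink = parse_data_frame(build_data_frame(0, 1, PEER, AP, STATION))    # AP forwards to PEER
    return {"uplink": uplink, "downlink": downlink,
            "same_ethernet_view": ethernet_header(uplink) == ethernet_header(downlink)}
```

The practical consequence for filtering: `wlan.addr == x` matches any of the address fields, `wlan.sa`/`wlan.da` follow the logical endpoints regardless of direction, and `wlan.ra`/`wlan.ta` tell you which radio actually transmitted and which was meant to receive, which is what you need when tracking down an AP that is not forwarding frames.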
7 votes, 1 answer, 45k views
What does a sequence of retransmissions with PSH,ACK flags mean (and a spurious retransmission back)?
I am on server 192.168.0.2 and want to make an HTTP call to 192.168.0.1(both servers are RPis and run Linux (raspbian)).
curl -XGET http://192.168.0.1:8081/api
The API on 192.168.0.1 (which I am ...
7 votes, 2 answers, 30k views
TCP segment of a reassembled PDU
In wireshark sometimes I see this:
478195 5738.896809 192.168.1.79 61.213.44.124 TCP [TCP segment of a reassembled PDU]
What is a PDU? Was it reassembled? What does this mean?
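Added example, not code from either post, serving this question and the earlier one about a run of PSH,ACK retransmissions. A PDU here is the application-layer message (for instance one HTTP response) that TCP has sliced into several segments; Wireshark labels every segment except the one that completes the message "[TCP segment of a reassembled PDU]" and attaches the dissected HTTP response to the last one. The code below is a simplified version of that bookkeeping over one direction of a constructed response: it classifies segments by sequence number (a segment whose bytes were all seen before is a retransmission) and decides where the PDU ends from the Content-Length header. Real tcp.analysis also tracks the reverse direction's ACKs, which is what separates an ordinary retransmission from a "spurious" one (data the peer had already acknowledged); that part is left out.

```python
# Added example, not code from the original posts. A simplified version of the
# bookkeeping behind Wireshark's "[TCP Retransmission]" and "[TCP segment of a
# reassembled PDU]" annotations, run over one direction of a constructed
# HTTP response. Real tcp.analysis tracks both directions, ACKs and RTT; this
# keeps only the sequence-number view.


def classify_segments(segments):
    """segments: [(seq, payload_bytes)] in capture order for one direction.

    A segment is 'retransmission' when every byte in it was already seen
    (seq + len <= next expected seq), 'previous segment not captured' when it
    starts beyond the next expected seq, otherwise 'data'."""
    labels, next_seq = [], None
    for seq, data in segments:
        end = seq + len(data)
        if next_seq is None or seq == next_seq:
            labels.append("data")
            next_seq = end
        elif end <= next_seq:
            labels.append("retransmission")
        elif seq < next_seq:
            labels.append("partial retransmission")
            next_seq = end
        else:
            labels.append("previous segment not captured")
            next_seq = end
    return labels


def reassemble(segments) -> tuple:
    """Stitch payloads together by sequence number, keeping the first copy of each byte."""
    base = min(seq for seq, _ in segments)
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            stream.setdefault(seq + i, byte)
    return base, bytes(stream[k] for k in sorted(stream))


def http_response_length(stream: bytes):
    """PDU size for a Content-Length response, or None if the headers are incomplete."""
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    content_length = 0
    for line in stream[:head_end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value)
    return head_end + 4 + content_length


def analyse(segments):
    """Per segment: (seq, tcp analysis label, what the Info column would show)."""
    tcp_labels = classify_segments(segments)
    base, stream = reassemble(segments)
    pdu_len = http_response_length(stream)
    rows = []
    for (seq, data), label in zip(segments, tcp_labels):
        if label == "retransmission":
            info = "TCP Retransmission"
        elif pdu_len is not None and seq + len(data) - base >= pdu_len:
            info = "HTTP"        # the piece that completes the PDU: the response is shown here
        else:
            info = "TCP segment of a reassembled PDU"
        rows.append((seq, label, info))
    return rows


def demo_segments():
    """Constructed 69-byte response split over three segments, with the middle
    one retransmitted (as after a lost ACK) before the final piece arrives."""
    response = b"HTTP/1.1 200 OK\r\nContent-Length: 30\r\n\r\n" + b"x" * 30
    s1, s2, s3 = response[:20], response[20:50], response[50:]
    return [(1000, s1), (1020, s2), (1020, s2), (1050, s3)]
```

When a capture on the sender shows repeated PSH,ACK retransmissions of the same segment with nothing coming back, the sequence numbers alone already tell you the other side never ACKed it; whether the loss is in the network or in the receiver needs the second capture point, as in the diffing example above.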
7 votes, 2 answers, 11k views
How to write a filter in Wireshark/Ethereal that displays only packets with a specific string?
Wireshark supports filters like this:
ip.addr == 192.168.0.1
What is the syntax to check the packet content?
(C# equivalent of what I want)
content.Contains("whateverYouWant")
7 votes, 5 answers, 18k views
How to test Bit Error Rates on Ethernet Networks?
I need a tool software or otherwise (preferably software) that will allow me to test Bit Error Rates on an Ethernet Network.
I am using a software tool that I did not write and do not have access to ...
7 votes, 1 answer, 3k views
Determine current USB address of device in Windows
TL;DR: How did my Win10 system arrive at a USB source address of 2.5.5 for my mouse (in Wireshark) when USBPcapCMD lists it as hub 2, port 6?
Can I determine the 2.5.5 address without guessing?
...
6 votes, 1 answer, 41k views
How do I get Wireshark to filter for a specific web host?
I'm using Wireshark on OSX, but I can't make any sense out of the filtering system.
I have this filter set up:
But when I hit that server, I don't see anything show up in the capture log. If I ...
6 votes, 2 answers, 6k views
running wireshark inside a centOS docker container
I installed wireshark using yum (RUN yum install -y wireshark wireshark-qt) - and cannot run it when I ssh into the container.
# tshark
tshark: Couldn't run /usr/sbin/dumpcap in child process: ...
6 votes, 2 answers, 64k views
How to capture "dropped packets" in tcpdump
I have a problem with my networking performance. I am using Ubuntu 16.04 on a VMware cloud server with an E1000 NIC. But I see some packets dropped in the output of the ifconfig command:
root@ubuntu:~# ifconfig ...
6 votes, 2 answers, 17k views
Sniff traffic coming from one particular application?
Basically I'd like to sniff HTTP requests made by an .exe on Windows. I tried using wireshark, but it's somewhat unhandy since it sniffs all traffic on the interface. Are there any alternatives?
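Added example, not code from any of the posts, serving this question and the two earlier ones about capturing traffic for one application and finding which program sent a packet. A capture carries only the 4-tuple; which process owns the socket has to come from the operating system at the time the connection exists. On Linux that mapping is `/proc/net/tcp` (every socket with its inode) joined against the `socket:[inode]` symlinks under `/proc/<pid>/fd`; on Windows the equivalent is `netstat -b` or `Get-NetTCPConnection` with its OwningProcess property. The code below does the Linux join: the `/proc/net/tcp` text and the fd table are constructed so it runs anywhere, and `read_proc()` is the live reader for a real host. Once you have the local port, `tcp.port == <port>` in Wireshark isolates that application's traffic.

```python
import os
import socket
import struct

# Added example, not code from the original posts. A capture only carries the
# 4-tuple; which process owns the socket has to come from the OS. On Linux
# /proc/net/tcp lists every socket with its inode, and /proc/<pid>/fd links
# map inodes back to processes. The /proc/net/tcp text and fd table below are
# constructed so the example runs anywhere; read_proc() does the live reads.

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:9C40 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = {1: ["socket:[12345]"], 4242: ["/dev/null", "socket:[67890]"]}

TCP_LISTEN = 0x0A


def decode_addr(field: str):
    """'1401A8C0:9C40' -> ('192.168.1.20', 40000): the IP is host-order hex, the port big-endian hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_for_packet(rows, src_ip, src_port, dst_ip, dst_port):
    """Match a packet's tuple against the socket table: outbound packets match
    (local, remote) directly, inbound ones mirrored; otherwise fall back to a
    listener on the destination port (a SYN to a server that has not accepted yet)."""
    for local, remote in (((src_ip, src_port), (dst_ip, dst_port)),
                          ((dst_ip, dst_port), (src_ip, src_port))):
        for r in rows:
            if r["local"] == local and r["remote"] == remote:
                return r
    for r in rows:
        if r["state"] == TCP_LISTEN and r["local"][1] == dst_port and r["local"][0] in ("0.0.0.0", dst_ip):
            return r
    return None


def pid_for_inode(inode: int, fd_links: dict):
    """fd_links: {pid: [symlink targets of /proc/<pid>/fd/*]}."""
    target = "socket:[%d]" % inode
    return next((pid for pid, links in fd_links.items() if target in links), None)


def read_proc():
    """Live read of the same two inputs on a Linux host (other users' fd dirs need root)."""
    with open("/proc/net/tcp") as fh:
        text = fh.read()
    fd_links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = "/proc/%s/fd" % pid
            fd_links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue           # process exited or fd dir not readable
    return text, fd_links


def attribute(text, fd_links, src_ip, src_port, dst_ip, dst_port):
    """Packet tuple -> {pid, uid, inode} or None when no socket on this host matches."""
    row = socket_for_packet(parse_proc_net_tcp(text), src_ip, src_port, dst_ip, dst_port)
    if row is None:
        return None
    return {"pid": pid_for_inode(row["inode"], fd_links), "uid": row["uid"], "inode": row["inode"]}
```

The lookup is only reliable while the connection is open: once the socket closes, the inode disappears from both tables, so the snapshot has to be taken during the capture, not afterwards. The same join over `/proc/net/tcp6` and `/proc/net/udp` covers IPv6 and UDP sockets.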