Traffic analysis using tcpdump and wireshark

Useful capture filters

To and from a particular IP
host x.x.x.x

All traffic in a particular subnet
net 192.168.0.0/24

Focus on a particular mac
ether dst xx:xx:xx:xx:xx

To a particular IP
dst host x.x.x.x

Capture traffic on particular port only
port 53

Capture all traffic except DNS and ARP traffic
port not 53 and not arp

Useful wireshark display filters

Focus on traffic between x.x.x.x and y.y.y.y
(ip.src == x.x.x.x and ip.dst == y.y.y.y) || (ip.src = y.y.y.y and ip.dst == x.x.x.x)

Focus on particular port
tcp.port eq 25

Focus on particular protocol
icmp

See if there are any retransmitted packets (due to previous loss)
tcp.analysis.retransmission or tcp.analysis.fast_retransmission

Look at ip traffic only
ip

Look at vlan traffic only
vlan

Parts of packets to look at 

14:02:09.181190 specto.ksl.com.33248 > quasi.ksl.com.ftp: S 1191864640:1191864640(0) win 5840 (DF)

win * 2^wscale: receive buffer size. You could find them in SYN and SYN/ACK packets that the parties use to exchange maximum available buffer for the communication session.

Packet flow to look at

If you see a TCP session can't be established, check whether the three-way handshake packets (SYN, SYN/ACK, ACK) can pass through the channel. Some firewall rules may block these packets essential to establish a TCP connection.
A ---   SYN   --> B
A <-- ---="" b="" span="" syn="">
A ---   ACK   --> B 
established

Reference

https://www.varonis.com/blog/how-to-use-wireshark/
https://wiki.wireshark.org/CaptureFilters 

Comments

Post a Comment

Popular posts from this blog

Using PlayStation 1 Densha de Go controller on emulators

Image
Items needed Arduino Leonardo (or equivalent). Note that it has to have at least one 3.3V power output. A standard PlayStation 1 controller A Densha de Go controller 6 male-to-female jumper cables Procedure Initial Cabling Using the jumper cable, connect the typical PlayStation 1 controller with the Arduino Leonardo. PlayStation 1 controller pin numbers --------------------- \ 1 2 3 4 5 6 7 8 9 /  ------------------- Connection to Arduino Leonardo * PlayStation 1 controller pin 1 (DATA) --> Arduino Leonardo digital port 12  * PlayStation 1 controller pin 2 (CMD) --> Arduino Leonardo digital port 11  * PlayStation 1 controller pin 4 (GND) --> Arduino Leonardo port GND  * PlayStation 1 controller pin 5 (VCC) --> Arduino Leonardo port 3.3V  * PlayStation 1 controller pin 6 (ATT) --> Arduino Leonardo digital port 5  * PlayStation 1 controller pin 7 (CLK) --> Arduino Leonardo digital port 4 Set up Arduino IDE Install the IDE is avail...
Read more

Using PS1/PC Densha de Go! controller SLPH-00051/TCPP-20001/DGOC-44U on PS4/Switch Densha de Go!!

Image
Items needed A Densha de Go! controller (PS1 original version SLPH-00051, the one-handle version TCPP-20001, or the USB PC version DGOC-44U) A Titan Two A few micro USB cables A PlayStation 4 with controller/A Nintendo Switch with a USB controller A PlayStation 4/Nintendo Switch Densha de GO!! game [Required for SLPH-00051 and TCPP-20001 only]: Either Arduino Leonardo (or equivalent). Note that it has to have at least one 3.3V power output 6 male-to-female jumper cables or a  Mayflash SS/N64/PS2 Controller Adapter for PC USB  (which has issue setting P0 and P4 correctly if the player switches between these two states quickly) Adding a USB interface for the PS1 Densha de Go! controller Do this if you are using PS1 Densha de Go! controller. Arduino approach Cabling Using the jumper cable, connect the Densha de Go! controller with the Arduino Leonardo. PlayStation 1 controller pin numbers --------------------- \ 1 2 3 4 5 6 7 8 9 /  ------------------- Connection to Arduino ...
Read more

Play octoshape stream on windows with VLC player

Install windows octoshape plugin at http://www.octoshape.com/files/octosetup.exe Install VLC player at http://www.videolan.org/vlc/download-windows.html . Use the installer so later octoshape can pick it as the preferred player. (Updated 12/26/2010: A dirty way to make sure windows associate all media files to vlc player is to explicitly set in vlc's Tool -> Preferences -> Interface -> Set up associations, select all file types. Then in Octoshape Settings (right click on the Octoshape system tray icon and select Settings), select use "System player") Create a bat file named stream.bat. In Windows XP, type in the bat file. "C:\Documents and Settings\ [user]\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -url:[octostream] In Windows Vista/7 "C:\Users\[user] \AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -url:[octostream] Replace [user] with your current user name, [octostream] w...
Read more