Author Archive for Jasper

  1. IPv6 DHCP flood

    A few days ago I took a capture for some reason and saw something unexpected that had nothing to do with what I wanted to check: there were tons and tons of DHCPv6 packets trying to renew an IPv6 address in a never ending stream of packets, and really fast, too.
  2. A creative way of refusing connections

    A few days ago, Olli, one of our team members, sent me a funny trace that he’d taken while configuring the security settings on a Netoptics Bypass kit. This device has an SNMP and HTTP management service, and when he disabled the HTTP service he verified if the setting was accepted (like you should). Usually, […]
  3. Tweaking Wireshark Columns and Decodes

    It’s a funny thing about using Wireshark – I think I am pretty good at using it in an efficient way, but there are always some new tricks that I learn every once in a while. The Multi IP layer problem Maybe you have seen this in a trace before: some packets contain more than […]
  4. Installing Tomahawk IPS test tool on Debian 7

    For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the […]
  5. It’s been a while…

    …before I found some time to post something on this blog. Mostly because of the summer break, but also because I was attending DefCon 2013 in Las Vegas, after a break of 3 years. I used to be at DefCon every year while it was held at the Riviera, working for the hotel as a […]
  6. Happy Birthday, Wireshark!

    15 years ago, Wireshark was “born”, so happy birthday! Take a look at the official Wireshark Blog for Gerald’s post. And watch Gerald’s keynote he did at Sharkfest 2013. And, of course, the funny video about how it was all Karen’s idea – which Gerald, at the time it was shown at Sharkfest, had no […]
  7. PCAP and PCAPng sanitization tool for network analysts

    Trace file anonymization, trace file sanitization… it seems like I can’t decide whether to call it “Sanitization” or “Anonymization” – even in my code base it is sometimes called the first, sometimes the latter. Of course there is a small difference between the two – one is removing sensitive data by cutting it away, while […]
  8. Sharkfest 2013 Recap

    Yesterday I returned from the annual Wireshark conference, Sharkfest 2013, and once again it has been a great conference. I had four talks (well, actually I had three, but one was scheduled to run twice and it looks like I never do a talk the same way), and one of them I did together with […]
  9. Spurious Retransmissions

    Update: since Wireshark version 1.12 is out, lots of people look for the meaning of “tcp spurious retransmission” info message, so I changed the post a little to make it easier to find what you’re looking for. Today, while doing a lot of testing of my trace handling code as well as in preparation for […]
  10. Name Resolution Denial of Service

    Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. Actually, dumpcap was […]