Posts Tagged With ‘analysis’
TCP Server slamming the door
After doing a lot of analysis sessions on TCP connections there are some patterns that you see again in a trace every once in a while. And often it comes in handy to remember what the situation was and what the circumstances were that led to the trace showing what it did.
IPv6 DHCP flood
A few days ago I took a capture for some reason and saw something unexpected that had nothing to do with what I wanted to check: there were tons and tons of DHCPv6 packets trying to renew an IPv6 address in a never ending stream of packets, and really fast, too.
Tweaking Wireshark Columns and Decodes
It’s a funny thing about using Wireshark – I think I am pretty good at using it in an efficient way, but there are always some new tricks that I learn every once in a while. The Multi IP layer problem Maybe you have seen this in a trace before: some packets contain more than […]
Update: since Wireshark version 1.12 is out, lots of people look for the meaning of “tcp spurious retransmission” info message, so I changed the post a little to make it easier to find what you’re looking for. Today, while doing a lot of testing of my trace handling code as well as in preparation for […]
Name Resolution Denial of Service
Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. Actually, dumpcap was […]
Wireshark GeoIP resolution setup
One of the many features Wireshark provides is the name resolution for various protocol layers, and I have to admit that – at least for me – some of them are really helpful while others (well, one of them, to be more specific) annoy the hell out of me. I really like MAC layer resolution, […]
Capturing packets of VMware machines, part 2
In the first post I described how to capture packets in VMware vSphere environments when dealing with standard vSwitches. While that works fine, some larger installations have an even better way of doing network captures of virtual machine traffic, provided by the so-called Distributed vSwitches. Unfortunately, those special vSwitches require a Enterprise Plus license, so […]
Capturing packets of VMware machines, part 1
I have always been the guy in our network analysis team responsible for the actual capture of network packets. I bought all the recording hardware we used, acquired network TAPs of all sorts and speeds, and did most of the planning of where to put which engine.