Posts Tagged With ‘capture’

  1. A look at a portable USB3 network TAP

    A while ago I wrote a post for LoveMyTool about how I managed to power my Garland Gigabit TAP with a USB cable, which got me into a discussion about the ProfiTap USB3 device on Linkedin. I had used 100Mbit USB2 ProfiTap devices before and had some issues with it on Linux, so I was […]
  2. Determining frame forwarding latency

    In some situations the question arises how much a frame was delayed by a device it has to pass through, e.g. firewalls, loadbalancers and sometimes even routers and switches. Usually, novice network analysts think that for that you need to synchronize the clocks of the capture PCs down to microseconds or even better, but that […]
  3. The trouble with multiple capture interfaces

    The PCAPng file format Starting with Wireshark 1.8, the old PCAP format was replaced by PCAPng as the new default file format for packet captures. I have to admit that I may be one of the people to blame for this – at the end of Sharkfest 2011 we had a panel discussion with Gerald […]
  4. The drawbacks of local packet captures

    Probably the most common way of capturing network data is not a decision between SPAN or TAP – it is Wireshark simply being installed on one of the computers that need to be analyzed. While this an easy way to capture network packets it is also an easy way to get “wrong” results, because there […]
  5. TCP Server slamming the door

    After doing a lot of analysis sessions on TCP connections there are some patterns that you see again in a trace every once in a while. And often it comes in handy to remember what the situation was and what the circumstances were that led to the trace showing what it did.
  6. PCAP and PCAPng sanitization tool for network analysts

    Trace file anonymization, trace file sanitization… it seems like I can’t decide whether to call it “Sanitization” or “Anonymization” – even in my code base it is sometimes called the first, sometimes the latter. Of course there is a small difference between the two – one is removing sensitive data by cutting it away, while […]
  7. Name Resolution Denial of Service

    Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. Actually, dumpcap was […]
  8. The notorious Wireshark “Out of Memory” problem

    It is one of the most common question on the Wireshark Q&A site: “I have xyz gigabyte of memory, but still Wireshark crashes when I try to capture data”, with xyz being a more or less impressive (or even ridiculous) amount of memory. This is how a typical crash looks like (your mileage may vary):
  9. Capturing damaged frames

    One of the questions that I often got in my network analysis classes was how to capture damaged frames. It is an obvious thing to ask, since frames with bad checksums will most certainly have to be retransmitted or are at least a nice indicator that something went wrong while transporting the frame.
  10. Capturing packets of VMware machines, part 2

    In the first post I described how to capture packets in VMware vSphere environments when dealing with standard vSwitches. While that works fine, some larger installations have an even better way of doing network captures of virtual machine traffic, provided by the so-called Distributed vSwitches. Unfortunately, those special vSwitches require a Enterprise Plus license, so […]