dokucama

User Tools

Site Tools

Trace:
network_stuff:wireshark

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:wireshark [2025/06/18 22:40] jotasandokunetwork_stuff:wireshark [2025/07/10 21:21] (current) jotasandoku
Line 35: Line 35:
  
 __Analyse__\\ __Analyse__\\
-FIRST THING determine in which end of the conversation we are capturing the packets <<+FIRST THING determine in which end of the conversation we are capturing the packets << (a) by just checking src/dst IPs. (b) by checking the TTL of the packet (eg: if TTL = 128 is not routed, so local)
 \\ \\
  
Line 50: Line 50:
 \\ \\
 __Tcptrace graph__: (statistics>tcp stream>time-sequence) : long flat areas might mean end system and/or human user processing time. __Tcptrace graph__: (statistics>tcp stream>time-sequence) : long flat areas might mean end system and/or human user processing time.
- 
- 
- 
----- 
-*** DECRYPT A TLS SESSION *** 
-Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys. 
 \\ \\
 __Window Scaling__ (Statistics > TCP Streams > Window Scaling): It graphs bytes in flight together with rwnd. The latter must always be over the bytes in flight otherwise there's a problem. Also note that we need to capture from the point of the sender, otherwise bytes in flight might be wrong. __Window Scaling__ (Statistics > TCP Streams > Window Scaling): It graphs bytes in flight together with rwnd. The latter must always be over the bytes in flight otherwise there's a problem. Also note that we need to capture from the point of the sender, otherwise bytes in flight might be wrong.
Line 147: Line 141:
   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
      
 +
 +----
 +*** DECRYPT A TLS SESSION ***
 +Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.
 +
 +\\
 +
 +both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
 +
 +  $ export SSLKEYLOGFILE=/tmp/tlskeys
 +  $ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org
  
  
network_stuff/wireshark.1750286419.txt.gz · Last modified: by jotasandoku

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki