EzDevInfo.com

wireshark interview questions

Top wireshark frequently asked interview questions

Is there an API for Wireshark, to develop programs/plugins that interact with it/enhance it?

Googling didn't give me great results. Is there any sort of API for Wireshark that abstracts away from the main source code so we can develop programs that interact with it and deal with the data it provides?

edit: I appreciate the suggestions for different ways to receive packets, but I want to implement packet injection into Wireshark. Sniffing will be an important part of my project, however I'm not sure that the suggested solution allows for packet injection.


Source: (StackOverflow)

How to debug websockets with wireshark

I have hosted my websocket server using the Python Tornado server on localhost (ws://localhost:8001) and the client is on another system at 192.168.0.116. When we try to communicate it works fine, but I can't debug it using Wireshark. My websocket is running on port 8001, so I tried using

tcp.port==8001

but no result was found. I then tried it on HTTP; my IP in the LAN is 192.168.0.219 and the port is 8001, so

http.host == 192.168.0.219 && tcp.port == 8001

but no results were found. Is there anything else that I can try to debug my websocket?


Source: (StackOverflow)


Capturing mobile phone traffic on wireshark

How can I capture mobile phone traffic on wireshark?


Source: (StackOverflow)

How to filter by IP address in Wireshark?

I tried dst==192.168.1.101 but only get:

Neither "dst" nor "192.168.1.101" are field or protocol names.

The following display filter isn't a valid display filter:
dst==192.168.1.101

Source: (StackOverflow)

How to concatenate two tcpdump files (pcap files)

How can I concatenate two tcpdump files, so that one file's traffic appears after the other's in the resulting file? To be concrete, I want to "multiply" one tcpdump file, so that all the sessions are repeated one after another sequentially a few times.


Source: (StackOverflow)
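One way to do the "multiply" described in the question above, as an added example that is not part of the original post: parse the classic little-endian microsecond pcap format, append the records of each input after the previous one, and shift the timestamps so the copies play back strictly one after another (the sample trace, the gap length and the dummy payloads are constructed assumptions).

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, ver major/minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
US = 1_000_000                           # microseconds per second

def parse_pcap(data):
    """Return (linktype, [(ts_us, orig_len, packet_bytes), ...]) for a classic pcap file."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    records, off = [], GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:          # file cut off mid-record: refuse rather than guess
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append((ts_sec * US + ts_usec, orig_len, pkt))
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    out = bytearray(GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_us, orig_len, pkt in records:
        out += REC_HDR.pack(ts_us // US, ts_us % US, len(pkt), orig_len) + pkt
    return bytes(out)

def concat_pcaps(files, gap_us=US):
    """Append each file's packets after the previous file's last packet; timestamps of
    later files are shifted so the traces never overlap in time."""
    linktype, merged = None, []
    for data in files:
        lt, records = parse_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:              # mixing e.g. Ethernet and raw IP would mis-dissect
            raise ValueError("link types differ; cannot merge into one pcap")
        if merged and records:
            shift = merged[-1][0] + gap_us - records[0][0]
            records = [(t + shift, o, p) for t, o, p in records]
        merged.extend(records)
    if linktype is None:
        raise ValueError("no input files")
    return write_pcap(linktype, merged)

def repeat_pcap(data, times, gap_us=US):
    """Multiply one trace: its sessions repeated `times` times back to back."""
    return concat_pcaps([data] * times, gap_us)

def sample_pcap():
    """Constructed two-packet trace (Ethernet linktype, dummy payloads, not real frames)."""
    return write_pcap(1, [(10 * US, 4, b"AAAA"), (10 * US + 500_000, 3, b"BBB")])
```

Real captures taken with tcpdump/Wireshark may use the nanosecond or big-endian variants of the header or the pcapng format; the magic check above rejects those instead of silently misreading them.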

Wireshark localhost traffic capture

I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?


Source: (StackOverflow)

How can I decode SQL Server traffic with wireshark?

I can capture the packets using wireshark, but I can't decode the stream into anything intelligible. This bug suggests that maybe this isn't possible in SQL Server 2005 or newer... https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3098, but several people on Stack Overflow claimed this was a good method in answers to this question: http://stackoverflow.com/questions/907057/how-can-i-prove-my-sql-server-traffic-is-encrypted. Any help appreciated.


Source: (StackOverflow)

How to throttle network traffic for environment simulation?

I'm trying to test an application that uses a database connection. What I would like to do is throttling the bandwith to, say, 1 MBit or such to get a better feeling for the application under realistic conditions.

I already use Wireshark to have a look at the communication with the DB and I expected Wireshark to have a feature like that but as it seems there is no way to do something like that.

Any suggestions?


Source: (StackOverflow)

What is a TCP window update?

I'm making my own custom server software for a game in Java (the game and original server software were written with Java). There isn't any protocol documentation available, so I am having to read the packets with Wireshark.

While a client is connecting the server sends it the level file in Gzip format. At about 94 packets into sending the level, my server crashes the client with an ArrayIndexOutOfBoundsException. According to the capture file from the original server, it sends a TCP Window Update at about that point. What is a TCP Window Update, and how would I send one using a SocketChannel?


Source: (StackOverflow)

How can I configure Wireshark to see HTTPS traffic?

I'm testing an iOS application and I just want to see when HTTPS traffic is sent. I'm not interested in the contents of the traffic. How can I configure Wireshark to do this?

This is just to verify that an analytics package is working. I don't have any control over the servers that my app is talking to.

Thanks!

Edit #1: My current Wireshark configuration can see traffic to http://www.duckduckgo.com but not https://www.duckduckgo.com


Source: (StackOverflow)

Sniffing an Android app to find API URL

I'm curious as to how I could figure out the API URL an Android application (any app I have installed) uses if it makes API calls to some online server (a RESTful service for example). I presume I have to capture packets on the device and maybe analyse them in Wireshark or something to find the URL? I'm fairly competent in Java/Android development, but a bit lost when it comes to any sort of network analysis business.

Any pointers to useful information or even a brief walk-through would be greatly appreciated.

Thanks


Source: (StackOverflow)

set a filter of packet length in wireshark

I've captured a pcap file and displayed it in Wireshark. I want to analyse those UDP packets whose 'Length' column equals 443.

In Wireshark, I tried to find the proper filter.

udp && length 443 # invalid usage
udp && eth.len == 443 # wrong result
udp && ip.len == 443 # wrong result

By the way, can Wireshark's display filter be applied directly as a libpcap filter?


Source: (StackOverflow)

My ISP is forcing me to buffer tcp data before sending it

I have a Java TCP game server, I use java.net.ServerSocket and everything runs just fine, but recently my ISP did some kind of upgrade, where, if you send two packets very fast on the same TCP connection, they close it by force.

This is why a lot of my players are disconnected randomly when there's a lot of traffic in game (when there is a high chance that the server will send 2 packets at the same time to the same person).

Here is an example of what I mean: if I do something like this, my ISP will close the connection for no reason on both the client and server side:

tcpOut.print("Hello.");
tcpOut.flush();

tcpOut.print("How are you?");
tcpOut.flush();

But it will work just fine if I do something like this:

tcpOut.print("Hello.");
tcpOut.flush();

Thread.sleep(200);

tcpOut.print("How are you?");
tcpOut.flush();

Or this:

tcpOut.print("Hello.");
tcpOut.print("How are you?");
tcpOut.flush();

This only started a couple of weeks ago when they (the ISP) made some changes to the service and the network. I noticed using Wireshark that you have to have at least ~150ms between two packets on the same TCP connection or else it will be closed.

1) Do you guys know what this is called? Does it even have a name? Is it legal?

Now I have to re-write my game server knowing that I use a method called: send(PrintWriter out, String packetData);

2) Is there any easy solution to ask Java to buffer the data before it sends it to clients? Or to wait 150ms before each send without having to rewrite the whole thing? I did some googling but I can't find anything that deals with this problem. Any tips or information to help with this would be really appreciated; btw, speed optimisation is very crucial. Thank you.


Source: (StackOverflow)

What are some good Wireshark tutorials? [closed]

I'm trying to understand how to use Wireshark right now, but the official manual isn't a fun read at all when starting out. It's too detailed, and the details are going right over my head because of the information overload :)

What are some more didactic tutorials out there?

Thanks!

Edit: Wireshark is a network packet sniffer, and it's very useful for debugging network applications. I'm working on networked applications, and plan to use it as a debugging tool to make my job as a programmer happier. I guess this is about as programming related as asking for tutorials about gdb, valgrind or mdb, dtrace, prstat, cat, Visual Studio or Eclipse.


Source: (StackOverflow)

How do I clear the capture window in Wireshark?

Is there a way to clear the capture window in Wireshark without restarting the capture or re-applying the filter? It's difficult to tell one set of traffic from another without looking very closely at the timestamp.


Source: (StackOverflow)