I am constantly trying to add more protocols to the Ultimate PCAP. Hence I used some time in my (old) Cisco lab to configure and capture the following protocols: IS-IS, GLBP, and VRRP. And since Alexis La Goutte sent me some CAPWAP traffic, this protocol is also added. All packets are now found in another update of the Ultimate PCAP. Here are some details:
To get a first impression of a trace file I used Wireshark’s protocol hierarchy – and boy, that’s a lot of protocols. This was not exactly what I was looking for: This single trace file holds snippets from 2014 to 2020 with a myriad of protocols and IP networks. Unfortunately, it’s nothing like the protocol mix found in a network analysis project.
Nevertheless, the trace file caught my interest as a long time Wireshark user. After nearly 20 years of network analysis, I had my own collection of traces with a few odd frames. To my big surprise, I had recorded a few protocols that are not yet part of the Ultimate PCAP.
So here is my small contribution to this collection:
Uh, I wasn’t aware of so many different printing protocols. Do you? While I was trying to solve a little printing problem I took a packet capture of three different printing variants over TCP/IP: Raw via TCP port 9100, LPD/LPR via TCP port 515, and Apple’s AirPrint which uses the Internet Printing Protocol IPP. As always, you can download this pcap and have a look at it by yourself.
I gave a session about IPv6 at SharkFest’19 EUROPE, the annual Wireshark developer and user community conference, named “IPv6 Crash Course: Understanding IPv6 as seen on the wire“. The talk is about the IPv6 basics, which are: IPv6 addresses & address assignment, link-layer address resolution, and ICMPv6. Tips for using Wireshark coloring rules and display filters round things up.
As I have not yet published the slides, here they are. Unfortunately, we were not able to record the session due to technical problems. Neither the video nor the audio. ;( Hence, here are only mere slides.
In the previous post, I released my Ultimate PCAP which includes every single pcap I had so far on my blog. But that’s not all: I have some packets in there that were not yet published up to now. That is, here are some more details about those (probably well-known) protocols. These are:
For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshots on this blog. However, it sometimes takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.
This is supposed to change now:
I am using the WHOIS client a lot these days since I am migrating some RIPE objects such as ASes, inetnum/inet6num, etc. Meanwhile, I recognized that I have never captured this TCP port 43 protocol, nor looked at it with Wireshark. That’s what this post is all about, incl. a downloadable pcap for your own analysis.
VoIP calls, using the network protocols SIP/SDP and RTP, are the de-facto standard when it comes to voice calls. Wireshark offers some special features to analyze those calls and RTP streams – even with a nice “Play Streams” option, which discretely decodes your calls. Ouch. Again and again, frightening which privacy-related protocols are completely unencrypted on the Internet!
Here are some hints for Wireshark as well as a downloadable pcap with three calls in there. ;) Have fun!
Some time ago I published a post called DNS Test Names & Resource Records which lists many different FQDNs with lots of different RRs. You can use those public available DNS names to test your DNS servers or the like. However, I was missing a packet capture showing all these resource records as they appear on the wire. So now, here it is. If you are searching for some packets to test your tools for whatever reason, feel free to download this pcap.
As you might have noticed, I am playing a lot with NTP these days. Having a networking background I also like Power over Ethernet. So what’s more obvious than using a PoE-powered NTP display for test purposes? ;D
This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.
In the previous posts, I already introduced the Network Time Security (NTS) protocol and described the most important features. Although the specification process has not been completed, there are already some independent NTS implementations and public time servers (IETF106). NTPsec is one of the important representatives of this series and already offers an advanced NTS solution. In this post, I’ll give you a short guide to setting up an NTS-secured NTP client/server with NTPsec.
I am currently working on a network & security training, module “OSI Layer 4 – Transport”. Therefore I made a very basic demo of a TCP and UDP connection in order to see the common “SYN, SYN-ACK, ACK” for TCP while none of them for UDP, “Follow TCP/UDP Stream” in Wireshark, and so on. I wanted to show that it’s not that complicated at all. Every common application/service simply uses these data streams to transfer data aka bytes between a client and a server.
That is: Here are the Linux commands for basic lab, a downloadable pcap, and, as always, some Wireshark screenshots:
During my analysis of NTP and its traffic to my NTP servers listed in the NTP Pool Project I discovered many ICMP error messages coming back to my servers such as port unreachables, address unreachables, time exceeded or administratively prohibited. Strange. In summary, more than 3 % of IPv6-enabled NTP clients failed in getting answers from my servers. Let’s have a closer look:
Running your own NTP server(s) is usually a good idea. Even better if you know that they’re working correctly and serve their answers efficiently and without a significant delay, even under load. This is how you can use Wireshark to analyze the NTP delta time for NTP servers: