Useful Wireshark filters for analysis of SSL/TLS traffic. Client Hello: ssl.handshake.type == 1 Server Hello: ssl.handshake.type == 2 NewSessionTicket: ssl.handshake.type == 4 Certificate: ssl.handshake.type == 11 CertificateRequest: ssl.handshake.type == 13 ServerHelloDone: ssl.handshake.type == 14 Note: a "ServerHelloDone" message means a full-handshake TLS session (an abbreviated, resumed session has none). Cipher Suites: ssl.handshake.ciphersuite I found the below from Wiki. All these SSL handshake message types …
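The filters above select handshake messages by the type byte in the TLS handshake header. The following Python script, added here as an illustration and not code from the original post, walks the TLS record layer of a byte stream, reports the handshake message types in the same numbering used by ssl.handshake.type, pulls the chosen cipher suite out of the ServerHello (what ssl.handshake.ciphersuite shows), and uses the presence of ServerHelloDone to tell a full handshake from a resumed one. The two sample byte streams are constructed for the example, not taken from a real capture.

```python
"""Walk the TLS record layer of a captured byte stream and list the handshake
message types, the way the Wireshark display filters above select them.
Added example, not from the original post; the sample bytes are constructed."""
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages

# Handshake message types, matching the values used in ssl.handshake.type == N
HANDSHAKE_TYPES = {
    1: "ClientHello",
    2: "ServerHello",
    4: "NewSessionTicket",
    11: "Certificate",
    12: "ServerKeyExchange",
    13: "CertificateRequest",
    14: "ServerHelloDone",
    16: "ClientKeyExchange",
}


def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, version, payload
        off += 5 + length


def iter_handshake_messages(payload):
    """Yield (msg_type, body) for each handshake message in a record payload.
    One record may carry several messages; ServerHello, Certificate and
    ServerHelloDone are commonly coalesced into a single record."""
    off = 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        off += 4 + length


def server_hello_cipher_suite(body):
    """Return the cipher suite chosen in a ServerHello body."""
    # version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) compression(1)
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def summarize_handshake(data):
    """Return the handshake message names in order, the negotiated cipher suite
    and whether this was a full handshake."""
    seen = []
    cipher = None
    for ctype, _version, payload in iter_records(data):
        if ctype != HANDSHAKE:
            continue  # ChangeCipherSpec, alerts and application data are skipped
        for msg_type, body in iter_handshake_messages(payload):
            seen.append(HANDSHAKE_TYPES.get(msg_type, "type%d" % msg_type))
            if msg_type == 2:
                cipher = server_hello_cipher_suite(body)
    # ServerHelloDone only appears in a full handshake; an abbreviated
    # (session resumption) handshake goes ServerHello -> ChangeCipherSpec.
    return {"messages": seen, "full_handshake": "ServerHelloDone" in seen,
            "cipher_suite": cipher}


def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample streams (not real captures). Bodies are minimal; only the
# ServerHello body is laid out field by field so the cipher suite can be read.
_client_hello_body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
_server_hello_body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"  # TLS 1.2, random, empty session id
                      + b"\xc0\x2f"                           # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                      + b"\x00")                              # null compression
SAMPLE_FULL = (_record(HANDSHAKE, _handshake(1, _client_hello_body))
               + _record(HANDSHAKE, _handshake(2, _server_hello_body)
                         + _handshake(11, b"\x00\x00\x00")
                         + _handshake(14, b"")))
# Resumed session: ServerHello is followed by ChangeCipherSpec (type 20), no ServerHelloDone.
SAMPLE_RESUMED = (_record(HANDSHAKE, _handshake(1, _client_hello_body))
                  + _record(HANDSHAKE, _handshake(2, _server_hello_body))
                  + _record(20, b"\x01"))

if __name__ == "__main__":
    print(summarize_handshake(SAMPLE_FULL))
    print(summarize_handshake(SAMPLE_RESUMED))
```

Feed it the reassembled TCP payload of a TLS session (for example, exported from Wireshark's "Follow TCP Stream" as raw bytes) and compare the message list against what the display filters above match. It handles TLS 1.2 and earlier; in TLS 1.3 everything after ServerHello is encrypted and there is no ServerHelloDone at all.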
Category: Packet
Perform Packet Capture on VMware ESXi Host for NSX Troubleshooting
VMware offers a great and powerful tool, pktcap-uw, to perform packet capture on an ESXi host. pktcap-uw offers a lot of options for packet capture. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2051814 Here I show the ones I use most commonly in my daily work for your reference. I normally perform a packet capture based on the vSwitch port ID or the DV filter (NSX DFW). To do …
Continue reading Perform Packet Capture on VMware ESXi Host for NSX Troubleshooting
Using TShark Filter for Packet Capture on Vyatta 5600
Vyatta 5600 provides TShark as its packet capture tool. To capture the traffic you are interested in and leave out unnecessary noisy traffic, you need to use a capture filter when you perform the packet capture. Here I show you a few real-world examples of tshark capture filters, which I hope can save you a bit of time. Capture …
Continue reading Using TShark Filter for Packet Capture on Vyatta 5600
NSX Edge Packet Capture on Multi-vNics simultaneously
In NSX 6.1.4, I tried to perform a packet capture to analyse the end-to-end connectivity restoration during an Edge HA failover. But I could only capture packets on a single vNIC at a time. Somebody may say this can be worked around by performing another packet capture on another vNIC in the ESXi hosts by use of …
Continue reading NSX Edge Packet Capture on Multi-vNics simultaneously
Packet Analysis for Troubleshooting-SSH server slow response
Symptom: customer complains about slow response from an SSH server running on a CentOS box. Method: perform a packet capture on the SSH server. Finding: a DNS query fails while the SSH session is being established. When following the TCP session for the SSH login in the packet capture, see the below: between packets 17 and 24 there is a gap of about 10 seconds. Go …
Continue reading Packet Analysis for Troubleshooting-SSH server slow response
Packet Analysis for Troubleshooting-Slow response of AD home directory
Symptom: virtual desktop end users complain about a performance issue: the end users can access their AD home directory quickly the first time. After a little while, they have to wait over 30 seconds before they can reach their home directory. Method: perform a packet capture on one of the end users and successfully capture the …
Continue reading Packet Analysis for Troubleshooting-Slow response of AD home directory
Read the Citrix nstrace packet capture by wireshark
The NetScaler has two separate mechanisms available to capture the network traffic through the appliance: nstrace.sh and nstcpdump.sh. nstrace records the network packet trace in the native NetScaler trace format, which provides NetScaler-specific NIC device information including the device number and whether the packet was transmitted or received. However, the current stable version of Wireshark can't read …
Continue reading Read the Citrix nstrace packet capture by wireshark
Duplicate Packet or TCP retransimission?
When you analyse a packet capture in Wireshark, you sometimes see similar or nearly identical packets more than once. This may be due to a duplicate packet or a TCP retransmission. If it is a TCP retransmission, you have to pay more attention to it. The difference between a duplicate packet and a TCP retransmission is the IP ID: a duplicate is the same IP datagram seen twice (for example, captured on two mirrored ports), so it carries the same IP ID, while a retransmission is a new datagram built by the sender's TCP stack and gets a new IP ID. For …
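The IP ID test described above, applied over a list of frames, as an added Python example that is not code from the original post. It keys repeats on the data-bearing segment (source, destination, sequence number, length), ignores pure ACKs, and reports whether each repeat has the same IP ID as the first copy (capture duplicate) or a different one (retransmission). The packet list is constructed for the example; the Packet tuple and field names are this example's own, not Wireshark's.

```python
"""Tell capture duplicates from TCP retransmissions by comparing IP IDs.
Added example, not code from the original post; the packet list is constructed."""
from collections import namedtuple

# Fields a packet list would carry after exporting frame, time, ip.id, tcp.seq, tcp.len
Packet = namedtuple("Packet", "frame time src dst ip_id seq length")


def classify_repeats(packets):
    """Return {frame: (verdict, original_frame, delay_seconds)} for every
    data-bearing segment that repeats an earlier segment of the same flow.

    A duplicate is the same IP datagram captured twice, so its IP ID matches
    the first copy. A retransmission is a new datagram produced by the sender's
    TCP stack, so it carries a new IP ID. Pure ACKs (length 0) are skipped
    because repeated ACK numbers are normal and are a separate analysis."""
    first_seen = {}
    verdicts = {}
    for p in sorted(packets, key=lambda pkt: pkt.frame):
        if p.length == 0:
            continue
        key = (p.src, p.dst, p.seq, p.length)
        orig = first_seen.get(key)
        if orig is None:
            first_seen[key] = p
            continue
        verdict = "duplicate" if p.ip_id == orig.ip_id else "retransmission"
        verdicts[p.frame] = (verdict, orig.frame, round(p.time - orig.time, 3))
    return verdicts


# Constructed sample frames (not a real capture):
SAMPLE = [
    Packet(1, 0.000, "10.0.0.5", "10.0.0.9", 0x1A2B, 1000, 512),
    Packet(2, 0.001, "10.0.0.5", "10.0.0.9", 0x1A2B, 1000, 512),  # same IP ID: seen twice by the capture
    Packet(3, 0.050, "10.0.0.9", "10.0.0.5", 0x7C01, 1, 0),        # pure ACK, ignored
    Packet(4, 0.210, "10.0.0.5", "10.0.0.9", 0x1A2C, 1512, 512),
    Packet(5, 0.420, "10.0.0.5", "10.0.0.9", 0x1A2D, 1512, 512),  # new IP ID after ~200 ms: retransmission
]

if __name__ == "__main__":
    for frame, (verdict, orig, delay) in sorted(classify_repeats(SAMPLE).items()):
        print("frame %d: %s of frame %d (%.3f s later)" % (frame, verdict, orig, delay))
```

Duplicates typically show up microseconds apart (the two copies of one datagram arriving from two mirror sources), whereas a retransmission follows the original by a retransmission timeout or a triple duplicate ACK, so the delay column is a useful second check. Bear in mind that some stacks are allowed to send a constant IP ID on datagrams with DF set (RFC 6864), in which case the IP ID alone cannot decide and you have to fall back to timing and the capture point.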
F5 packet capture CLI
F5 offers the capability to capture packets with the tcpdump command. In version 10.x, F5 doesn't support running tcpdump in a non-default route domain. F5 recommends that you run the tcpdump command from the default route domain (route domain 0) and specify interface 0.0, as below: tcpdump -s0 -w /var/tmp/WOI1.pcap -fnni 0.0:nnn host x.x.x.x …