Why is the output of tshark `http.file_data` different from the Content Length? [migrated]

I’ve got a PCAP file that has 3,445 HTTP "206 Partial Content" packets for the application/pdf media type. Each of these requests is for the same file, different Content-Ranges are being requested each time as a covert means of d… Continue reading Why is the output of tshark `http.file_data` different from the Content Length? [migrated]

Community ID support for Wireshark

By Christian Kreibich, Principal Engineer, Corelight The past few weeks have seen several developments around Community ID, our open standard for rendering network traffic flow tuples into a concise textual representation. I’d like to summarize them in… Continue reading Community ID support for Wireshark

Tshark: 7 Tips on Wireshark’s Command-Line Packet Capture Tool

If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file in which you don’t have all the packets of interest will waste your time. You a… Continue reading Tshark: 7 Tips on Wireshark’s Command-Line Packet Capture Tool