Chris , you are amazing . I wish I will have enough time so I will never miss any single moment of all your videos . I feel that I need to watch them and re-watch many time as they very useful and rich of details . Thanks a lot
I have watched your almost all the videos, and now i have learned so much from it. using it for troubleshooting my clients network issues some are solved and some not, but honestly i have learnet so much thanks to you. always waiting for the new informative video to come out. this one is great too thank you so much for sharing.
Good video, I just got into learning Wireshark about a week ago and I am learning quite a bit from these videos. Got a long way to go, but these little tips and tricks really help out!
Hi Chris, Thanks for this lecture, It was very Nice, I just have a query for you, If in case in Wireshark it is showing Incomplete with Data(15), So i understood it is because it is missing FIN that's why it is giving incomplete, So basically what could be the reason for this issue? I mean why FIN got missed? where we can check, any idea, Thanks in advance
Hello Chris I have a question, I have client that send a frame with conversation completeness: Complete , with data (47) but in the server received conversation completeness: Incomplete, established (7) it means without data, right? Do you have any idea? There are a firewall in the middle. THANKS I appreciate your videos
Hi @chris, nice video as usual. I'm planning to attend sharkfest US, so are you participating by giving some lectures? I hope so. I'm a big fan of you.
Hello Chris, it was great. I've seen you've added TCP Completennes Value into Columns, but me does not have this Type of predefined value to add into Appearance-Columns. I have the latest release of WireShark. // I'm new on this your YT channel, have you mentioned in past also other additional values as 'Expert Info Severity' or what/how to add 'FW-1 monitor if/direction' for CheckPoint admins... That would be great. Thank you, double when you will mention it...
hi Chris. I have a question. I have a pcap and it was captured from running a malware sample. can we find the hash or the data of the sample from the traffic or which packet is from which sample?
Hey there is a whole lot to it. So you have traffic captured from running malware. That will give you conversations, protocols, and other IoC's about how the malware works. But the corrupted file that infected the machine, or the code that was embedded in an application may not show up in the traffic for us to extract a hash. It also is difficult to tell which packets came from the malware vs the system. I would start by looking for any conversations/dns calls/http requests/country codes that are not normal behaviors.
Hi chris, syn,syn-ack,ack, client hellow ,ack and (fin-ack from both end) tcp completeness data 31 is it normal, i mean y server is not sending server hellow and TLS whole process after client hellow
Hey! This means that you captured the handshake and some data, but you missed the FIN or RST packets that shut the connection down. No problems, just an indicator that you stopped capturing before the shutdown happened.
hi chris i asking help to educate us about decrypting the SSL TLS connection applications... for example let say client will be browser and sending connection to the server application which protected by TLS.. i have private key on my hand of my applications which could be different types format. not aware about how to import those different format of private keys in wireshark and decrypt it for troubleshooting purpose..
Modern TLS uses a different key pair for every connection. So even if you have a private key from an older conversation, it won't (typically) be able to decrypt. You would have to store the session keys. ruclips.net/video/5qecyZHL-GU/видео.html
Combine this field with the new display filter math capabilities in Wireshark 4.0 (discussed at 8:23 in Chris' interview with Gerald Combs ruclips.net/video/O5tW7ShNlkk/видео.html ), and you can do a quick assessment on a variety of network problems and network attacks.
Hi Chris, A pcap TCP stream of FTP data channel has syn, syn ack, ack, data, and proper connection termination with fin ack from both sides. Conversation completeness shows incomplete (30). Why? Wireshark version 3.6.5
That's a great question! I am a network analyst more than anything. I don't administrate or engineer any specific networks because I am a consultant. Mostly I get called on issues that involve the transport layer, which is why you see so much TCP related content on my channel!
Hi Chris Just to share with u. I passed my CCNA. Your lessons were very helpful.
Congrats!!
Chris , you are amazing . I wish I will have enough time so I will never miss any single moment of all your videos . I feel that I need to watch them and re-watch many time as they very useful and rich of details . Thanks a lot
I have watched your almost all the videos, and now i have learned so much from it. using it for troubleshooting my clients network issues some are solved and some not, but honestly i have learnet so much thanks to you. always waiting for the new informative video to come out.
this one is great too thank you so much for sharing.
Good video, I just got into learning Wireshark about a week ago and I am learning quite a bit from these videos. Got a long way to go, but these little tips and tricks really help out!
Thanks again. I am watching all your series.
Thanks! Enjoy!
Yet another insightful video, thank you so much for sharing the knowledge with the community! 🙏
Thanks for the comment!
Hey Chris, could you do a video on SSH packets and talk about tunneling and how it's different than TLS/SSL?
Hi Chris, Thanks for this lecture, It was very Nice, I just have a query for you, If in case in Wireshark it is showing Incomplete with Data(15), So i understood it is because it is missing FIN that's why it is giving incomplete, So basically what could be the reason for this issue? I mean why FIN got missed? where we can check, any idea, Thanks in advance
Thanks Chris for this tip ! Is this new from version 4.x ?
Hello Chris
I have a question, I have client that send a frame with conversation completeness: Complete , with data (47) but in the server received conversation completeness: Incomplete, established (7) it means without data, right? Do you have any idea? There are a firewall in the middle.
THANKS I appreciate your videos
Hi @chris, nice video as usual.
I'm planning to attend sharkfest US, so are you participating by giving some lectures? I hope so.
I'm a big fan of you.
Helpful information 🙂
thanks, Chris. This was great.
Glad you enjoyed it!
Hey ! Thank for your videos! help me alot.
Glad you like them! Ok
Hello Chris, it was great. I've seen you've added TCP Completennes Value into Columns, but me does not have this Type of predefined value to add into Appearance-Columns. I have the latest release of WireShark. // I'm new on this your YT channel, have you mentioned in past also other additional values as 'Expert Info Severity' or what/how to add 'FW-1 monitor if/direction' for CheckPoint admins... That would be great. Thank you, double when you will mention it...
Thank you.
Hi Chris in wireshark statistic field we have packet length and service response time ..can you do vlog on this option to deep dive and use case
Great suggestion!
hi Chris. I have a question. I have a pcap and it was captured from running a malware sample. can we find the hash or the data of the sample from the traffic or which packet is from which sample?
Hey there is a whole lot to it. So you have traffic captured from running malware. That will give you conversations, protocols, and other IoC's about how the malware works. But the corrupted file that infected the machine, or the code that was embedded in an application may not show up in the traffic for us to extract a hash. It also is difficult to tell which packets came from the malware vs the system. I would start by looking for any conversations/dns calls/http requests/country codes that are not normal behaviors.
Hi chris, syn,syn-ack,ack, client hellow ,ack and (fin-ack from both end) tcp completeness data 31
is it normal, i mean y server is not sending server hellow and TLS whole process after client hellow
Hi Chris, "Conversation completeness: Incomplete, DATA (15)" message is in the TCP field. Where should I look for the problem? Please help me out.
Hey! This means that you captured the handshake and some data, but you missed the FIN or RST packets that shut the connection down. No problems, just an indicator that you stopped capturing before the shutdown happened.
hi chris i asking help to educate us about decrypting the SSL TLS connection applications... for example let say client will be browser and sending connection to the server application which protected by TLS.. i have private key on my hand of my applications which could be different types format. not aware about how to import those different format of private keys in wireshark and decrypt it for troubleshooting purpose..
Modern TLS uses a different key pair for every connection. So even if you have a private key from an older conversation, it won't (typically) be able to decrypt. You would have to store the session keys. ruclips.net/video/5qecyZHL-GU/видео.html
Combine this field with the new display filter math capabilities in Wireshark 4.0 (discussed at 8:23 in Chris' interview with Gerald Combs ruclips.net/video/O5tW7ShNlkk/видео.html ), and you can do a quick assessment on a variety of network problems and network attacks.
Hi Chris, A pcap TCP stream of FTP data channel has syn, syn ack, ack, data, and proper connection termination with fin ack from both sides. Conversation completeness shows incomplete (30). Why?
Wireshark version 3.6.5
any way that we missed the SYN?
@@ChrisGreer followed the TCP stream, SYN is there, TCP three ways handshake looks good.
@@jackkk88888 Please upload your capture on cloudshark or open a bug at wireshark and I'll check it
❤️
So how we can describe your job. You're network administrator or network analyst or maybe something else?
That's a great question! I am a network analyst more than anything. I don't administrate or engineer any specific networks because I am a consultant. Mostly I get called on issues that involve the transport layer, which is why you see so much TCP related content on my channel!
@@ChrisGreer Thanks buddy! God bless you