PCAP Surgery blogs
Published notes and SEO planning for PCAP Surgery.
Asymmetric Routing and One-Sided PCAP Analysis: Missing Replies, Half Conversations, NAT, Firewall, and Capture Point Mistakes
How to analyze asymmetric routing and one-sided packet captures, missing replies, NAT/firewall paths, half conversations, capture point mistakes, and misleading retransmission evidence.
2026-06-03

IPv6 DAD and Neighbor Solicitation PCAP Analysis: Duplicate Address Detection, SLAAC, Missing NA, and No IPv6 Connectivity
How to analyze IPv6 Duplicate Address Detection, Neighbor Solicitation, Neighbor Advertisement, SLAAC failures, missing NA responses, duplicate IPv6 addresses, and no IPv6 connectivity in packet captures.
2026-06-03

TCP ECN PCAP Analysis: CE Marks, ECE, CWR, Congestion Without Loss, and Middlebox Compatibility
How to analyze TCP ECN in packet captures, CE marks, ECE and CWR flags, congestion notification without packet loss, ECN negotiation, and middlebox compatibility issues.
2026-06-03

TCP Nagle and Delayed ACK PCAP Analysis: Small Packet Latency, 40ms Stalls, and Slow Request/Response Apps
How to analyze TCP Nagle algorithm and delayed ACK interactions in packet captures, small packet latency, request/response stalls, interactive protocol delays, and TCP_NODELAY evidence.
2026-06-03

TCP SACK and DSACK PCAP Analysis: Selective ACK, Duplicate SACK, Packet Loss, Reordering, and Spurious Retransmissions
How to analyze TCP SACK and DSACK options in packet captures, selective acknowledgments, packet loss recovery, reordering, duplicate ACKs, and spurious retransmissions.
2026-06-03

VLAN Tag Missing in PCAP Analysis: 802.1Q Tags, Native VLAN, Trunk Ports, Driver Stripping, and Wrong Capture Point
How to analyze missing VLAN tags in packet captures, 802.1Q tagging, native VLAN behavior, trunk port mistakes, driver tag stripping, capture filters, and VLAN mismatch failures.
2026-06-02

ARP Duplicate IP Address Conflict PCAP Analysis: Finding Gratuitous ARP, MAC Changes, and Gateway Confusion
How to diagnose duplicate IP address conflicts, ARP storms, gratuitous ARP, wrong MAC mappings, gateway confusion, and intermittent LAN failures in packet captures.
2026-06-02

Anonymize and Sanitize PCAP Files: Removing Sensitive Data Without Destroying the Evidence
How to think about PCAP anonymization, packet slicing, payload removal, checksum recalculation, and evidence preservation before sharing captures.
2026-06-02

DHCP Failure PCAP Analysis: Discover, Offer, Request, ACK, NAK, and No IP Address Problems
How to troubleshoot DHCP failure, no IP address, DHCP Discover without Offer, DHCP NAK, relay problems, VLAN issues, and packet capture evidence.
2026-06-02

DNS Retransmission and Timeout PCAP Analysis: Finding Slow Resolvers, Lost Queries, and Broken Responses
How to diagnose DNS timeout, retransmission, no response, SERVFAIL, UDP loss, TCP fallback, resolver latency, and application delay with packet captures.
2026-06-02

DNS Timeout, NXDOMAIN, and SERVFAIL in PCAP: How to Tell Slow DNS from a Slow Server
How to diagnose DNS timeouts, NXDOMAIN, SERVFAIL, repeated queries, and slow application startup using packet capture evidence.
2026-06-02

HTTP 502 and 504 Gateway Timeout PCAP Analysis: Proxy, Load Balancer, Upstream, or Network?
How to diagnose HTTP 502 Bad Gateway and 504 Gateway Timeout with packet captures, including proxy-to-upstream TCP, TLS, request timing, backend resets, and stalled responses.
2026-06-02

HTTP Slow Request and TTFB in PCAP: Proving Whether the Delay Is DNS, TCP, TLS, or Server Time
How to diagnose slow HTTP requests in packet captures by separating DNS delay, TCP handshake, TLS handshake, request upload, server processing, and time to first byte.
2026-06-02

HTTP/2 GOAWAY and RST_STREAM PCAP Analysis: Debugging Reset Streams, Proxy Limits, and gRPC Failures
How to diagnose HTTP/2 GOAWAY, RST_STREAM, gRPC unavailable errors, proxy stream limits, TLS ALPN negotiation, connection reuse, and packet capture evidence.
2026-06-02

ICMP Destination Unreachable and Packet Too Big PCAP Analysis: What the Network Is Telling You
How to analyze ICMP Destination Unreachable, Port Unreachable, Host Unreachable, Fragmentation Needed, Packet Too Big, policy filtering, and path MTU evidence in PCAP files.
2026-06-02

MTU Black Hole and Fragmentation PCAP Analysis: Finding PMTUD Failures, MSS Problems, and Stalled TCP
How to diagnose MTU black holes, path MTU discovery failure, TCP MSS mismatch, fragmentation, ICMP blocked messages, VPN tunnels, and stalled connections in packet captures.
2026-06-02

NTP Clock Drift Packet Capture Analysis: Time Sync Failures, Offset, Delay, Jitter, and Firewall Issues
How to analyze NTP time synchronization failures in packet captures, including offset, delay, jitter, missing responses, wrong servers, firewall blocks, and clock drift symptoms.
2026-06-02

PCAP Checksum Errors Are Not Always Bad Packets: Understanding Offload Evidence
Why TCP, UDP, and IP checksum errors in packet captures can be caused by checksum offload, and how to avoid rewriting good evidence.
2026-06-02

PCAP Timestamp Problems: When to Inspect, Normalize, or Rewrite Capture Time
How to reason about bad PCAP timestamps, clock drift, capture ordering, and controlled timestamp rewrites without losing evidence.
2026-06-02

PCAPNG vs PCAP: Why Interface Metadata and Timestamp Resolution Matter
A practical explanation of PCAPNG versus PCAP for engineers who need capture metadata, timestamp resolution, and reproducible packet evidence.
2026-06-02

Packet Loss PCAP Analysis: Retransmissions, Duplicate ACKs, and Where Packets Disappeared
How to use packet captures to diagnose packet loss, TCP retransmissions, duplicate ACKs, capture-point bias, and whether loss happened on the network or host.
2026-06-02

QUIC and HTTP/3 Packet Capture Troubleshooting: What You Can Still Learn from UDP
How to troubleshoot QUIC and HTTP/3 with packet captures by inspecting UDP flows, handshake timing, connection IDs, loss, fallback, and encrypted traffic boundaries.
2026-06-02

Repairing a Corrupt PCAP File Starts with Evidence, Not Blind Conversion
How protocol engineers should approach truncated or corrupt PCAP files before editing, converting, or handing them to another tool.
2026-06-02

Split a Large PCAP and Extract One Conversation Without Losing Troubleshooting Context
How to split large PCAP files, extract one TCP or UDP conversation, and preserve enough context for protocol troubleshooting.
2026-06-02

TCP CLOSE_WAIT and FIN_WAIT PCAP Analysis: Finding Connection Leaks, Half-Closes, and Shutdown Bugs
How to analyze TCP CLOSE_WAIT, FIN_WAIT, TIME_WAIT, half-close behavior, connection leaks, missing close calls, FIN packets, RST packets, and shutdown timing in packet captures.
2026-06-02

TCP Keepalive and Idle Timeout PCAP Analysis: Firewalls, NAT, Load Balancers, and Long-Lived Connections
How to analyze TCP keepalive packets, idle timeout, NAT session expiry, firewall connection drops, load balancer resets, long-lived API connections, and packet capture evidence.
2026-06-02

TCP MSS Clamping and VPN PCAP Analysis: Finding Oversized Segments, MTU Mismatch, and Slow Tunnels
How to analyze TCP MSS clamping problems in VPNs and tunnels, including SYN MSS values, MTU mismatch, oversized segments, retransmissions, fragmentation, and packet capture evidence.
2026-06-02

TCP Out-of-Order vs Retransmission in PCAP: How to Tell Reordering from Packet Loss
How to distinguish TCP out-of-order packets, retransmissions, duplicate ACKs, SACK blocks, delayed packets, packet loss, and capture artifacts in PCAP analysis.
2026-06-02

TCP RST and Connection Reset PCAP Analysis: Who Closed the Connection and Why
How to analyze TCP RST, connection reset by peer, reset after SYN, reset during TLS, firewall resets, application closes, and packet capture evidence.
2026-06-02

TCP Retransmissions and Duplicate ACKs in PCAP: How to Read the Pattern Before Blaming the Server
How to interpret TCP retransmissions, duplicate ACKs, fast retransmits, and out-of-order packets in packet captures without jumping to the wrong owner.
2026-06-02

TCP SYN Retransmission and No SYN-ACK PCAP Analysis: Firewall, Routing, Server Down, or Asymmetric Path?
How to analyze TCP SYN retransmissions, missing SYN-ACK, SYN_SENT, server unreachable, firewall drops, routing problems, asymmetric paths, and connection timeout in PCAP files.
2026-06-02

TCP Window Scaling and Throughput PCAP Analysis: Receive Window, Zero Window, Window Full, and Slow Transfer Debugging
How to analyze TCP window scaling, receive window limits, zero window, window full events, slow throughput, bandwidth delay product, and packet capture evidence.
2026-06-02

TCP Zero Window PCAP Analysis: Finding Receiver Bottlenecks and Application Stalls
How to read TCP Zero Window, Window Update, retransmission, and stalled application behavior in packet captures without blaming the wrong side.
2026-06-02

TLS ALPN and HTTP/2 Negotiation PCAP Analysis: h2 vs http/1.1, Handshake Evidence, and Protocol Fallback
How to analyze TLS ALPN negotiation in packet captures, HTTP/2 h2 vs HTTP/1.1 fallback, ClientHello extensions, ServerHello behavior, proxy termination, and failed protocol upgrades.
2026-06-02

TLS Certificate and Handshake Failure PCAP Analysis: Expired Certs, Alerts, SNI, and Connection Resets
How to analyze TLS handshake failures in packet captures, including expired certificates, unknown CA, SNI mismatch, TLS alerts, ClientHello, ServerHello, and TCP resets.
2026-06-02

TLS Handshake Failure in PCAP: ClientHello, ServerHello, Certificate, Alert, and Reset Evidence
How to diagnose TLS handshake failures in packet captures by reading ClientHello, ServerHello, certificate, alert, and TCP reset evidence.
2026-06-02

TLS SNI Mismatch PCAP Analysis: Wrong Certificate, Wrong Host, Proxy Routing, and Handshake Failure
How to diagnose TLS SNI mismatch, wrong certificate, hostname mismatch, reverse proxy routing errors, ClientHello SNI, certificate validation failures, and packet evidence.
2026-06-02

WebSocket Upgrade Failure PCAP Analysis: 101 Switching Protocols, Proxy Headers, TLS, and Connection Drops
How to troubleshoot WebSocket upgrade failures with packet captures, including HTTP 101, Upgrade headers, Connection headers, proxy stripping, TLS, resets, and idle timeouts.