Re: [Wireshark-dev] time

2008-04-10 Thread Abhik Sarkar
Yikes! Sorry about that!

On Thu, Apr 10, 2008 at 7:39 PM, Sake Blok <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 10, 2008 at 04:31:57PM +0200, Maria de Fatima Requena wrote:
>  > The website itself
>  >
>  > http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSect
>  >
>  > this page doesn't work for me
>
>  That's probably because the URL should be:
>
>
>  http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html
>
>  :-)
>
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev


Re: [Wireshark-dev] GTK1: code cleanup status and some open points

2008-04-10 Thread Stephen Fisher
On Thu, Apr 10, 2008 at 01:33:03AM +0200, Ulf Lamping wrote:

> Lots of stuff already done for the GTK1 cleanup, but we could still
> need a helping hand ...

> OPEN:
> 
> Unix build process: finished?

Yes, it's done as far as I can tell.

> gtk/STATUS.gtk2: very old content (remove items marked as "Done" - or 
> remove the whole file?)

Let's just get rid of that old file :).

> compat_macros.h: GTK1 specific code removed, but a lot more cleanup 
> needed (macro removal throughout the gtk code is now possible) - 
> Stephen Fisher seems to be working on this

Yup.  Unfortunately, there are thousands of instances where a macro from 
compat_macros.h is used throughout the gtk directory so it will take a 
while :(.  I wrote a Perl script to help, but it misses so many of them 
because of the arguments to the macro being split across lines and 
similar issues.  They can't just simply be renamed because some need 
cast/type checking macros added as seen below.

The most commonly used macros need to change as follows:

OBJECT_SET_DATA(widget, key, data);
  to: g_object_set_data(G_OBJECT(widget), key, data);

OBJECT_GET_DATA(widget, key);
  to: g_object_get_data(G_OBJECT(widget), key);

SIGNAL_CONNECT(widget, name, callback, arg);
  to: g_signal_connect(widget, name, G_CALLBACK(callback), arg);
(depending on the type of arg, it may need to be cast to a gpointer)

> However, seems we're making good progress on this whole topic, and 
> some gtk files already look *a lot* nicer ...

Indeed:).  I think the next step is to get rid of GTK1 features that 
have been deprecated in GTK2, such as the CList (which should be 
possible for all instances except the packet list).  Of course, this 
will take plenty of work to port the code to the new APIs.


Steve


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Luis EG Ontanon
On Thu, Apr 10, 2008 at 11:03 PM, Guy Harris <[EMAIL PROTECTED]> wrote:
> Luis EG Ontanon wrote:
[snip]
>  >  I did not notice the load-peak while playing with it but I believe I
>  >  should have felt it in my very slow PPC mac...  do pcap_dispatch works
>  >  differently in linux and bsds? (Guy?)
>
>  The main difference is that Linux, unless you're using the memory-mapped
>  capture mechanism (supported by the under-development libpcap 1.0), you
>  get one packet per recvfrom() call, while in OS X and *BSD, BPF will
>  buffer up packets until the buffer fills up or the timeout expires, so
>  you can get multiple packets per read().
>
Which makes me wonder:

Can we get the autoconf script to understand if we can get multiple or
single packets per read given the fact that we cannot dare
pcap_open_live() in them?

Or

Is it better to use select() in all unix platforms?

Luis

-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan


Re: [Wireshark-dev] expert info indicator icons

2008-04-10 Thread Ulf Lamping
Stephen Donnelly wrote:
> Rebuilt today (24884), the icon is certainly bigger and fills the
> available space more completely. The positioning looks okay.
>
> Shapewise it looks slightly octagonal, possibly an alpha/aliasing issue.
>   
Exactly, your screenshots looks like on my Windows machine.

The png icon looks "perfectly round", so this would be the way to go ...

Regards, ULFL



Re: [Wireshark-dev] expert info indicator icons

2008-04-10 Thread Stephen Donnelly
On Wed, 2008-04-09 at 07:36 +0200, Ulf Lamping wrote:

> > The current icon versions do look better than before.
> >   
> It's still a bit "pixel like", the reason seems that xpm doesn't support 
> alpha channels. Maybe I can motivate myself to implement using png 
> instead of xpm, as the png looks better.
> > In Linux at least it looks like they could be a few pixels taller, but
> > this may depend on the font selection for the status bar? 
> Unsure, I've resized it to 14*14 pixels, maybe that looks ok now?

Rebuilt today (24884), the icon is certainly bigger and fills the
available space more completely. The positioning looks okay.

Shapewise it looks slightly octagonal, possibly an alpha/aliasing issue.
Otherwise fine.

> > It also looks
> > somewhat squeezed between the left of the bar and the first text field
> > (File information). It might look better spaced if it was centered in a
> > square space
> >   
> On Win32 it looks good, could you provide a small screenshot of that 
> bottom left area with the recent icon(s)?

Hopefully the list allows this, if not I can send them direct.

> > Does GTK2 support SVG in the UI directly? 
> Not that I know of. But IIRC this is discussed for GTK V3
> > This would address any scaling
> > issues.
> >   
> Unfortunately not in all cases. Scaling a complex SVG content down to 
> 16*16 pixels or even lower resolutions can blur the content completely.
> For openstreetmap.org I've drawn lots of map icons in SVG, and it
> wasn't uncommon that they were useless when scaled down to 16*16 - so I 
> also had to draw a simplified SVG for low resolutions.

Okay, this is probably sufficient for this application anyway.

Regards,
Stephen.
-- 
---
Stephen Donnelly BCMS PhD   email: [EMAIL PROTECTED]
Endace Technology Ltd   phone: +64 7 839 0540
Hamilton, New Zealand   cell:  +64 21 1104378
---


[Wireshark-dev] buildbot failure in Solaris-8-SPARC

2008-04-10 Thread buildbot-no-reply
The Buildbot has detected a new failure of Solaris-8-SPARC.
Full details are available at:
 http://buildbot.wireshark.org/trunk/Solaris-8-SPARC/builds/2568

Buildbot URL: http://buildbot.wireshark.org/trunk/

Build Reason: 
Build Source Stamp: HEAD
Blamelist: etxrab,lego,morriss

BUILD FAILED: failed compile

sincerely,
 -The Buildbot



Re: [Wireshark-dev] Triggers

2008-04-10 Thread Guy Harris
Gianluca Varenni wrote:

> It works (even with AirPcap adapters), with a caveat. The handle doesn't get 
> signalled immediately. It gets signalled when at least mintocopy bytes have 
> been stored in the WinPcap kernel buffer. By default mintocopy is 16k, so if 
> you receive less than 16k packets, the event never gets signalled. You can 
> use WaitForSingleObject/WaitForMultipleObjects, *but* you need to use a 
> timeout to avoid a deadlock if less than mintocopy bytes are received.

Wow, it's BSD-compatible! :-)

(That's the equivalent of the bug that various BSDs have, wherein a 
select() wakeup doesn't occur until the BPF store buffer fills up, 
regardless of the timeout.  The workaround is similar - add a timeout to 
the select(), and make sure the BPF device is in non-blocking mode, so 
that if the timeout expires and there are *no* packets available, you 
won't block forever.

The fix is to, in the BPF code, catch attempts to select() or poll() on 
the descriptor, and start a timer when that happens, and when that timer 
expires, indicate that the descriptor is readable.  I don't know whether 
that can be done in Windows, as I don't know whether a device can have a 
"call me when somebody does a 'wait for' on a handle for me" routine.

Now, if the way the timeout worked was that it caused a read to finish 
if more than the specified amount of time elapsed *between packets*, 
this wouldn't be an issue; the code would do a wakeup if either the 
buffer fills up or it's been too long since the last packet arrived.

That would also have two other advantages:

1) it arguably does what's *really* wanted here, which is to do 
batching of packets when they're arriving at a high rate without waiting 
too long - or forever - if they're arriving at a slow rate; a fairly 
short timeout might work, as the timer doesn't start until a packet 
arrives, and it resets on each packet, and a short timeout means you 
don't have a high latency when packets are arriving slowly.

2) it means that people wouldn't have gotten confused and thought that 
the libpcap timeout somehow guaranteed that a pcap_dispatch() call would 
return after a given period of time, even if no packets were processed.

Solaris's timer in bpfmod doesn't start until at least one packet 
arrives, but it doesn't get reset on each packet.
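
The workaround described in this message (a timeout on select() plus a non-blocking descriptor), together with the -1 case of pcap_get_selectable_fd() mentioned elsewhere in the thread, as an added example that is not trigcap.c or libpcap code. A pipe stands in for the capture descriptor so it runs without capture privileges; wait_and_read() and the demo helpers are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/types.h>
#include <unistd.h>

#define WAIT_NOT_SELECTABLE (-2L) /* fd was -1: caller must poll some other way */
#define WAIT_ERROR          (-1L)

/* Put the descriptor in non-blocking mode (a pcap program would use
 * pcap_setnonblock() on the handle instead). */
static int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/*
 * Wait at most timeout_ms for fd, then attempt a read whether or not
 * select() reported it readable: on the affected BSDs packets can sit in
 * the store buffer without a wakeup. Because fd is non-blocking, the read
 * returns immediately when nothing is there.
 * Returns bytes read (0 = nothing available), or a negative WAIT_* code.
 */
long wait_and_read(int fd, int timeout_ms, void *buf, size_t buflen)
{
    fd_set rfds;
    struct timeval tv;
    ssize_t n;
    int rc;

    if (fd < 0)                 /* e.g. pcap_get_selectable_fd() returned -1 */
        return WAIT_NOT_SELECTABLE;
    if (fd >= FD_SETSIZE || set_nonblocking(fd) < 0)
        return WAIT_ERROR;

    do {
        /* Re-arm both arguments: select() may modify them. */
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return WAIT_ERROR;

    /* In a capture program this would be pcap_dispatch(). */
    n = read(fd, buf, buflen);
    if (n < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : WAIT_ERROR;
    return (long)n;
}

/* Constructed scenario: nothing arrives, so the call must come back after
 * the timeout instead of blocking forever. */
long demo_idle(void)
{
    int p[2];
    char buf[64];
    long n;

    if (pipe(p) != 0)
        return WAIT_ERROR;
    n = wait_and_read(p[0], 50, buf, sizeof buf);
    close(p[0]);
    close(p[1]);
    return n;
}

/* Constructed scenario: five bytes are already queued. */
long demo_data(void)
{
    int p[2];
    char buf[64];
    long n = WAIT_ERROR;

    if (pipe(p) != 0)
        return WAIT_ERROR;
    if (write(p[1], "hello", 5) == 5)
        n = wait_and_read(p[0], 50, buf, sizeof buf);
    close(p[0]);
    close(p[1]);
    return n;
}

int main(void)
{
    char buf[8];
    printf("idle:           %ld\n", demo_idle());
    printf("data queued:    %ld\n", demo_data());
    printf("not selectable: %ld\n", wait_and_read(-1, 50, buf, sizeof buf));
    return 0;
}
```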


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Loris Degioanni
Guy Harris wrote:

> Luis EG Ontanon wrote:
>>  Windows does not implement it as  does not even have selectable fds or
>>  at least the one select() in winsock does not work on FDs so for
>>  WinPcap another approach should be taken (Gianluca?)
> 
> It *should* be possible to get the handles for the capture streams with
> pcap_getevent(), and WaitForMultipleEvents().
> 
> I don't know whether that works with AirPcap adapters, however.

Yes, it should. PacketGetReadEvent() in packet.dll returns the read 
event exported by the Airpcap driver.
As an alternative, you can use pcap_get_airpcap_handle() and then 
AirpcapGetReadEvent().

Loris




Re: [Wireshark-dev] Triggers

2008-04-10 Thread Gianluca Varenni

- Original Message - 
From: "Guy Harris" <[EMAIL PROTECTED]>
To: "Developer support list for Wireshark" 
Sent: Thursday, April 10, 2008 2:03 PM
Subject: Re: [Wireshark-dev] Triggers


> Luis EG Ontanon wrote:
>> I did not notice those replies to the bug.. Nice... I'll take a look...
>>
>>  I wasn't neither aware of pcap_get_selectable_fd() and that may be
>>  because 
>> http://gd.tuwien.ac.at/infosys/security/tcpdump.org/pcap3_man.html
>>  does not show it... (Guy?)
>
> I added it; I forget which release I added it in.
>
> The problem is that the FD for the capture is not always selectable -
> for example, the DAG driver doesn't support select().  That's why I
> added it; it could well return -1, which means "sorry, you can't do
> select on this".
>
> I've added notes on that to the bug.
>
>>  Windows does not implement it as  does not even have selectable fds or
>>  at least the one select() in winsock does not work on FDs so for
>>  WinPcap another approach should be taken (Gianluca?)
>
> It *should* be possible to get the handles for the capture streams with
> pcap_getevent(), and WaitForMultipleEvents().
>
> I don't know whether that works with AirPcap adapters, however.

It works (even with AirPcap adapters), with a caveat. The handle doesn't get 
signalled immediately. It gets signalled when at least mintocopy bytes have 
been stored in the WinPcap kernel buffer. By default mintocopy is 16k, so if 
you receive less than 16k packets, the event never gets signalled. You can 
use WaitForSingleObject/WaitForMultipleObjects, *but* you need to use a 
timeout to avoid a deadlock if less than mintocopy bytes are received.

Have a nice day
GV


>
>>  I did not notice the load-peak while playing with it but I believe I
>>  should have felt it in my very slow PPC mac...  do pcap_dispatch works
>>  differently in linux and bsds? (Guy?)
>
> The main difference is that Linux, unless you're using the memory-mapped
> capture mechanism (supported by the under-development libpcap 1.0), you
> get one packet per recvfrom() call, while in OS X and *BSD, BPF will
> buffer up packets until the buffer fills up or the timeout expires, so
> you can get multiple packets per read().


Re: [Wireshark-dev] Lots of Header Packets, but No Data Packets?

2008-04-10 Thread Maynard, Chris
Perhaps you have more than one interface?  If you're running on Linux,
try capturing on the "any" interface.  If you're running on Windows or
some other OS that doesn't allow you to capture on all interfaces at the
same time, try running 2 instances of Wireshark, one on each interface,
then merge the captures together into one file with mergecap.  There
might be an easier way.  Or this might not be relevant at all. :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 09, 2008 12:53 PM
To: wireshark-dev@wireshark.org
Subject: [Wireshark-dev] Lots of Header Packets, but No Data Packets?

I've spent a few hours now trying various Wireshark options, Googling,
etc. - but I just can't seem to get WireShark to show me any DATA
packets.

I see lots of header packets associated with my http: request and
response,
just no Data packets.

I'm simply displaying various small .htm web pages using http://.

I'm logged into the server (through Terminal Server) as Administrator.

I can see Data packets in the sample capture files listed on your
website,
just not in any of the captures I do using my server's own traffic.

I've tried it with and without capture filters.

I have no display filters enabled.

...I just can't seem to get there.

I know data is being sent because I can see it in the web page on my
client
PC.

Attached is a PDF showing my capture.

If you can give me some ideas to pursue to further diagnose I would be
grateful.

Thanks,

Craig Barton
[EMAIL PROTECTED]


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Guy Harris
Luis EG Ontanon wrote:
> I did not notice those replies to the bug.. Nice... I'll take a look...
> 
>  I wasn't neither aware of pcap_get_selectable_fd() and that may be
>  because http://gd.tuwien.ac.at/infosys/security/tcpdump.org/pcap3_man.html
>  does not show it... (Guy?)

I added it; I forget which release I added it in.

The problem is that the FD for the capture is not always selectable - 
for example, the DAG driver doesn't support select().  That's why I 
added it; it could well return -1, which means "sorry, you can't do 
select on this".

I've added notes on that to the bug.

>  Windows does not implement it as  does not even have selectable fds or
>  at least the one select() in winsock does not work on FDs so for
>  WinPcap another approach should be taken (Gianluca?)

It *should* be possible to get the handles for the capture streams with
pcap_getevent(), and WaitForMultipleEvents().

I don't know whether that works with AirPcap adapters, however.

>  I did not notice the load-peak while playing with it but I believe I
>  should have felt it in my very slow PPC mac...  do pcap_dispatch works
>  differently in linux and bsds? (Guy?)

The main difference is that Linux, unless you're using the memory-mapped 
capture mechanism (supported by the under-development libpcap 1.0), you 
get one packet per recvfrom() call, while in OS X and *BSD, BPF will 
buffer up packets until the buffer fills up or the timeout expires, so 
you can get multiple packets per read().


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Jason
Luis EG Ontanon wrote:
...
>  Windows does not implement it as  does not even have selectable fds or
>  at least the one select() in winsock does not work on FDs so for
>  WinPcap another approach should be taken (Gianluca?)

No idea.

>  I did not notice the load-peak while playing with it but I believe I
>  should have felt it in my very slow PPC mac...  do pcap_dispatch works
>  differently in linux and bsds? (Guy?)

I didn't feel it either (good scheduler?).  If you have gkrellm or other 
system monitor running, it's plain as day, though.

Any thoughts on the script running bits?

thx,

Jason.


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Luis EG Ontanon
I did not notice those replies to the bug.. Nice... I'll take a look...

 I wasn't neither aware of pcap_get_selectable_fd() and that may be
 because http://gd.tuwien.ac.at/infosys/security/tcpdump.org/pcap3_man.html
 does not show it... (Guy?)

 Windows does not implement it as  does not even have selectable fds or
 at least the one select() in winsock does not work on FDs so for
 WinPcap another approach should be taken (Gianluca?)

 I did not notice the load-peak while playing with it but I believe I
 should have felt it in my very slow PPC mac...  do pcap_dispatch works
 differently in linux and bsds? (Guy?)


 Thanks

 Luis




 On Thu, Apr 10, 2008 at 10:13 PM, Jason <[EMAIL PROTECTED]> wrote:
 > Luis EG Ontanon wrote:
 >
 > > As far as triggers go a while ago I checked in trigcap.c.
 > >
 >
 >  Nice.
 >
 >
 >
 > > It's an experiment I wrote that works with capture filters as
 > > start/stop triggers, I have not added it to the build process because
 > > I do not know if it works on anything other than my mac.
 > > it should not be difficult to mimic its mechanics in dumpcap.
 > >
 >
 >  It builds and runs on linux just fine.
 >
 >
 >
 > > it pcap_open_live()s a listener and a capturer (if a filter is given )
 > > it then enters a loop pcap_dispatch()ing a listener_handler and a
 > > capturer_handler
 > >
 >
 >  This monopolized the processor.  See the patches I wrote against trigcap.c
 > attached to bug 2039 [1].
 >
 >  The main goal of the patches were to run a specified program or script (eg
 > tshark with a read filter) at the start event and another program (eg
 > killall tshark) at the stop event.
 >
 >  The patches are just PoC, but seem to work for me.  Let me know what you
 > think...
 >
 >  thx,
 >
 >  Jason.
 >
 >  [1] - http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2039
 >
 >



 --
 This information is top security. When you have read it, destroy yourself.
 -- Marshall McLuhan



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan


Re: [Wireshark-dev] Sharkfest roadmap sessions summary

2008-04-10 Thread Eloy Paris
On Fri, Apr 04, 2008 at 10:50:14AM -0700, Gerald Combs wrote:

> * - Rename Epan

I assume the new name would be Wpan (Wireshark packet analyzer?), is
that correct?

Cheers,

Eloy Paris.-


Re: [Wireshark-dev] Triggers

2008-04-10 Thread Jason
Luis EG Ontanon wrote:
> As far as triggers go a while ago I checked in trigcap.c.

Nice.

> It's an experiment I wrote that works with capture filters as
> start/stop triggers, I have not added it to the build process because
> I do not know if it works on anything other than my mac.
> it should not be difficult to mimic its mechanics in dumpcap.

It builds and runs on linux just fine.

> it pcap_open_live()s a listener and a capturer (if a filter is given )
> it then enters a loop pcap_dispatch()ing a listener_handler and a
> capturer_handler

This monopolized the processor.  See the patches I wrote against 
trigcap.c attached to bug 2039 [1].

The main goal of the patches were to run a specified program or script 
(eg tshark with a read filter) at the start event and another program 
(eg killall tshark) at the stop event.

The patches are just PoC, but seem to work for me.  Let me know what you 
think...

thx,

Jason.

[1] - http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2039



Re: [Wireshark-dev] Is there a way to change the path (location) of wireshark PLUGINs?

2008-04-10 Thread Guy Harris
yenan wrote:

> My main concern is, I am willing to build a wireshark plugin dissector 
> outside of wireshark directory, in Linux.
> For example, my wireshark source code is in $home/wireshark/ , but want 
> to include the plugin in $home/plugin/ which is independent from
> wireshark directory, can I use the configure option:--with-plugins[=DIR] 
> , to achieve my goal?

That will probably work, as long as you're willing to have *ALL* of 
Wireshark's plugins installed in $HOME/plugin.  Given that Wireshark 
already looks in $HOME/.wireshark/plugins, I'm not sure what the 
advantage of using $HOME/plugin as the system plugin directory would be.

> System plugin =  plugin install in wireshark/plugin, personal plugin
> directory =  $HOME/.wireshark/plugins, is that what you mean?

Yes.  Those are your two choices for where to put plugins.


Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Florian Lohoff
On Thu, Apr 10, 2008 at 10:27:50AM -0500, Michael A. McCartney wrote:
> Florian,
> 
> There is an existing bug ticket open for this:
> 
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

I took a look and cooked an even more strict patch than there was in
the bug report and attached it to the bug. It correctly does not touch
the klive capture but does correctly decode the redbackli cap ...

It should even refuse to claim the packet if there is e.g. 
a byte combination of:

0x01 0x04 0xAA 0xBB 0xCC 0xDD 0x00 0x00

at the beginning - currently this would be a legal AVP_SEQNO with a 
4 byte integer and then an AVP_EOH.

With the more strict patch it would at least 2 more AVPs with correct
length and correct number of bytes in between so much less likely
to trigger accidentally.

Flo
-- 
Florian Lohoff  [EMAIL PROTECTED] +49-171-2280134
Those who would give up a little freedom to get a little 
  security shall soon have neither - Benjamin Franklin
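
The stricter acceptance rule discussed in this thread, sketched as an added example (not the patch attached to the bug and not Wireshark's code). It assumes the one-byte type / one-byte length AVP layout implied by the byte sequence above, takes SEQNO = 0x01 and EOH = 0x00 from the message, and uses assumed type values for the LI id and label AVPs; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SEQNO and EOH values come from the thread; LIID and LABEL are assumed. */
enum {
    AVP_EOH   = 0x00,
    AVP_SEQNO = 0x01,
    AVP_LIID  = 0x02, /* assumed value */
    AVP_LABEL = 0x14  /* assumed value */
};

#define MAX_AVPS 16 /* assumed upper bound on AVPs in one header */

/* Model of the loose behaviour reported in the thread: any well-formed
 * AVP chain that reaches an EOH is accepted, including a bare 00 00. */
int redbackli_loose(const uint8_t *buf, size_t len)
{
    size_t off = 0;

    while (off + 2 <= len) {
        uint8_t type = buf[off], alen = buf[off + 1];
        off += 2;
        if (type == AVP_EOH)
            return alen == 0;
        if (alen > len - off)   /* value runs past the buffer */
            return 0;
        off += alen;
    }
    return 0;
}

/* Stricter rule: before EOH there must be a 4-byte sequence number and at
 * least one of label / LI id, every length must fit in the buffer, and the
 * walk is bounded. */
int redbackli_strict(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int seen_seqno = 0, seen_id = 0, count = 0;

    while (off + 2 <= len && count++ < MAX_AVPS) {
        uint8_t type = buf[off], alen = buf[off + 1];
        off += 2;
        if (type == AVP_EOH)
            return alen == 0 && seen_seqno && seen_id;
        if (alen > len - off)
            return 0;
        switch (type) {
        case AVP_SEQNO:
            if (alen != 4)
                return 0;
            seen_seqno = 1;
            break;
        case AVP_LIID:
        case AVP_LABEL:
            if (alen == 0)
                return 0;
            seen_id = 1;
            break;
        default:                /* unknown AVPs are skipped, not trusted */
            break;
        }
        off += alen;
    }
    return 0;                   /* no EOH found within bounds */
}

/* Constructed samples. */
static const uint8_t SAMPLE_SEQNO_ONLY[] =  /* byte sequence from the message */
    { 0x01, 0x04, 0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x00 };
static const uint8_t SAMPLE_VERSION_HDR[] = /* 32-bit version 5, other protocol */
    { 0x00, 0x00, 0x00, 0x05, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t SAMPLE_SEQNO_LIID[] =
    { 0x01, 0x04, 0x00, 0x00, 0x00, 0x01,
      0x02, 0x04, 0x00, 0x00, 0x00, 0x2A,
      0x00, 0x00, 0x45, 0x00 };
static const uint8_t SAMPLE_LABEL_SEQNO[] =
    { 0x14, 0x03, 'a', 'b', 'c',
      0x01, 0x04, 0x00, 0x00, 0x00, 0x02,
      0x00, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x04, 0xAA };

int main(void)
{
    printf("seqno only:   loose=%d strict=%d\n",
           redbackli_loose(SAMPLE_SEQNO_ONLY, sizeof SAMPLE_SEQNO_ONLY),
           redbackli_strict(SAMPLE_SEQNO_ONLY, sizeof SAMPLE_SEQNO_ONLY));
    printf("version hdr:  loose=%d strict=%d\n",
           redbackli_loose(SAMPLE_VERSION_HDR, sizeof SAMPLE_VERSION_HDR),
           redbackli_strict(SAMPLE_VERSION_HDR, sizeof SAMPLE_VERSION_HDR));
    printf("seqno + liid: strict=%d\n",
           redbackli_strict(SAMPLE_SEQNO_LIID, sizeof SAMPLE_SEQNO_LIID));
    printf("label + seqno: strict=%d\n",
           redbackli_strict(SAMPLE_LABEL_SEQNO, sizeof SAMPLE_LABEL_SEQNO));
    printf("truncated:    strict=%d\n",
           redbackli_strict(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```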




Re: [Wireshark-dev] wslua: reading raw file?

2008-04-10 Thread Németh Márton
Hi Luis and Guy,

now I have a better understanding of the difference between dissector
and file format.

I think currently for my current needs using a converter script and
using one of the USR_DLTs will fit the best.

Márton Németh

Luis EG Ontanon wrote:
> So, That's not called a dissector but a file format.
> 
> And NO, lua cannot be used to describe file formats. That would had
> been simply sluggish (at least the attempt I gave to it besides being
> an ugly hack it was simply unusable).
> 
> If the file format is of general interest would be probably better
> written in C anyway. In the other case the best solution is to write a
> script to convert those files into libpcap format, and use one of the
> USER_DLTs.
> 
> Luis
> 
> On Wed, Apr 9, 2008 at 7:00 PM, Németh Márton <[EMAIL PROTECTED]> wrote:
>> Guy Harris wrote:
>>  > Németh Márton wrote:
>>  >
>>  >> I started to use wslua and succeed to write a simple dissector on
>>  >> ethernet level. I created a .pcap header and copied my raw file after
>>  >> it.
>>  >>
>>  >> Is it possible using wslua to open a raw file which is not supported
>>  >> by Wireshark, yet?
>>  >
>>  > Creating a libpcap-format file header and writing after it packets that
>>  > don't have libpcap-format packet headers is a waste of time; if you want
>>  > to write a file that programs that read libpcap format can read, put the
>>  > libpcap-format file header at the beginning of the file and then put
>>  > libpcap-format packet headers in front of the packet data for each
>>  > packet, and if you just want a raw file, just write out the raw file
>>  > without the libpcap-format headers - without libpcap-format per-packet
>>  > headers, the libpcap-format file header won't help you.
>>
>>  I don't really understand your point, maybe I did not describe well what
>>  I would like to do. I would like to write a dissector which is similar to
>>  how Wireshark can open .mp3 files. The .mp3 files don't have libpcap headers
>>  at all, but Wireshark can handle them.
>>
>>  My question is that is it possible to create a dissector which reads a
>>  raw file without libpcap header?
>>
>> Márton Németh
>>


Re: [Wireshark-dev] time

2008-04-10 Thread Maria de Fatima Requena
Wireshark.org has not been working either (it was not easy to enroll in this list,
for instance) and just today I have suffered some other problems (e.g. trying to
get that famous link from home)


María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
 


-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Sake Blok
Sent: Thursday, April 10, 2008 17:40
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] time

On Thu, Apr 10, 2008 at 04:31:57PM +0200, Maria de Fatima Requena wrote:
> The website itself
> 
> http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSect
> 
> this page doesn't work for me

That's probably because the URL should be:

http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html

:-)


Re: [Wireshark-dev] time

2008-04-10 Thread Sake Blok
On Thu, Apr 10, 2008 at 04:31:57PM +0200, Maria de Fatima Requena wrote:
> The website itself
> 
> http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSect
> 
> this page doesn't work for me

That's probably because the URL should be:

http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html

:-)


Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Michael A. McCartney
Florian,

There is an existing bug ticket open for this:

 http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

Thanks-Mike


Florian Lohoff wrote:
> On Thu, Apr 10, 2008 at 10:21:28AM -0400, Jeff Morriss wrote:
>   
>> Andrew Feren wrote:
>> 
>>> I've recently started getting a number of false positive hits from the new
>>> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
>>> heuristic a bit, but I can't find any sort of protocol specification.
>>>
>>> Basically I use some protocols that start with a 32 bit version number. 
> >>> However since the version numbers are all well below 65,535 the first two
>>> bytes are always 0.  The Redback heuristic sees this as an end of header
>>> marker and returns true.
>>>
>>> My thought was to return false if the first avptype is an end of header
>>> marker, but without a protocol spec I can't be sure that this is actually 
>>> an
>>> invalid redback packet.
>>>
>>> Anyone have any more details?
>>>   
>> The dissector came in via 
>> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320
>>
>> I'm not sure if Florian is a member of this list or not.  Florian, can 
>> you provide some pointers?  (What about the Wiki page I asked for after 
>> checking in the dissector?)
>> 
>
> I thought about packets being all zero after the patch got added
> and that might end up being taken by the redbackli dissector
> accidentally.
>
> I'll try to cook up a patch tonight which checks for the existence of some
> "essential" avp's ...
>
> Basically the protocol is non published and I reverse engineered it
> from traces. It's a packet header for forwarding lawful intercept traffic
> from a RedBack Smartedge Router to some device which passes the traffic
> onto some government bodies. To differentiate the different lawful
> intercept session one can either use a "label" and/or a "lawful intercept
> id". At least one of those two and a sequence number should be present
> before an "eoh" avp ...
>
> Attached a simple trace - the traffic is artificial which is the cause
> for the udp packet encapsulated being broken ...
>
> Flo
>   
> 
>


Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Florian Lohoff
On Thu, Apr 10, 2008 at 10:21:28AM -0400, Jeff Morriss wrote:
> Andrew Feren wrote:
> >I've recently started getting a number of false positive hits from the new
> >Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> >heuristic a bit, but I can't find any sort of protocol specification.
> >
> >Basically I use some protocols that start with a 32 bit version number. 
> >However since the version numbers are all well below 65,535 the first two
> >bytes are always 0.  The Redback heuristic sees this as an end of header
> >marker and returns true.
> >
> >My thought was to return false if the first avptype is an end of header
> >marker, but without a protocol spec I can't be sure that this is actually 
> >an
> >invalid redback packet.
> >
> >Anyone have any more details?
> 
> The dissector came in via 
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320
> 
> I'm not sure if Florian is a member of this list or not.  Florian, can 
> you provide some pointers?  (What about the Wiki page I asked for after 
> checking in the dissector?)

I thought about packets being all zero after the patch got added
and that might end up being taken by the redbackli dissector
accidentally.

I'll try to cook up a patch tonight which checks for the existence of some
"essential" avp's ...

Basically the protocol is non published and I reverse engineered it
from traces. It's a packet header for forwarding lawful intercept traffic
from a RedBack Smartedge Router to some device which passes the traffic
onto some government bodies. To differentiate the different lawful
intercept session one can either use a "label" and/or a "lawful intercept
id". At least one of those two and a sequence number should be present
before an "eoh" avp ...

Attached a simple trace - the traffic is artificial which is the cause
for the udp packet encapsulated being broken ...

Flo
-- 
Florian Lohoff  [EMAIL PROTECTED] +49-171-2280134
Those who would give up a little freedom to get a little 
  security shall soon have neither - Benjamin Franklin


redbackli-example.pcap
Description: application/cap




Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Andrew Feren
Thanks.  I tried to check the bugs this morning, but unfortunately the site was 
not working for me.  I'll check again in a bit.
 
-Andrew Feren
 [EMAIL PROTECTED]

----- Original Message -----
From: Michael A. McCartney <[EMAIL PROTECTED]>
To: Developer support list for Wireshark 
Sent: Thursday, April 10, 2008 10:04:57 AM
Subject: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one line fix for that EOH issue,
and I had the same question about where the protocol
specs are.

Thanks-Mike


Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
>
> Basically I use some protocols that start with a 32 bit version number. 
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
>
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
>
> Anyone have any more details?
>
> -Andrew
>
> -Andrew Feren
>  [EMAIL PROTECTED]


Re: [Wireshark-dev] time

2008-04-10 Thread Gerald Combs
Abhik Sarkar wrote:
> Do you mean that the website wireshark.org doesn't work, or the
> instructions found at wireshark.org don't work?

The web site was swamped earlier this morning. Things have calmed down
(for now, at least).


Re: [Wireshark-dev] time

2008-04-10 Thread Maria de Fatima Requena
The website itself

http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSect

this page doesn’t work for me


María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Abhik Sarkar
Sent: Thursday, 10 April 2008 12:38
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] time

Do you mean that the website wireshark.org doesn't work, or the
instructions found at wireshark.org don't work?

On Thu, Apr 10, 2008 at 12:36 PM, Maria de Fatima Requena
<[EMAIL PROTECTED]> wrote:
> Well, I have found the option in the view menu, but I have also found that it 
> is usual for Wireshark.org pages not to work
>
>
>
>  María de Fátima Requena Cabot (2488)
>  +34 91 787 23 00 alhambra-eidos.es
>
>
>
>  -Original Message-
>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Abhik Sarkar
>  Sent: Thursday, 10 April 2008 9:21
>  To: Developer support list for Wireshark
>  Subject: Re: [Wireshark-dev] time
>
>
>
>  Does this chapter
>  
> (http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html)
>  of the user guide provide the answer?
>
>  Best regards,
>  Abhik.
>
>  On Thu, Apr 10, 2008 at 11:16 AM, Maria de Fatima Requena
>  <[EMAIL PROTECTED]> wrote:
>  > Hi
>  >
>  >  What is time column expressed in? Milliseconds maybe?
>  >
>  >
>  >  María de Fátima Requena Cabot (2488)
>  >  +34 91 787 23 00 alhambra-eidos.es
>  >
>  >


Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Jeff Morriss


Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
> 
> Basically I use some protocols that start with a 32 bit version number. 
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
> 
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
> 
> Anyone have any more details?

The dissector came in via 
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320

I'm not sure if Florian is a member of this list or not.  Florian, can 
you provide some pointers?  (What about the Wiki page I asked for after 
checking in the dissector?)


Re: [Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Michael A. McCartney
Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one line fix for that EOH issue,
and I had the same question about where the protocol
specs are.

Thanks-Mike


Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
>
> Basically I use some protocols that start with a 32 bit version number. 
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
>
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
>
> Anyone have any more details?
>
> -Andrew
>
> -Andrew Feren
>  [EMAIL PROTECTED]


Re: [Wireshark-dev] time

2008-04-10 Thread Abhik Sarkar
Do you mean that the website wireshark.org doesn't work, or the
instructions found at wireshark.org don't work?

On Thu, Apr 10, 2008 at 12:36 PM, Maria de Fatima Requena
<[EMAIL PROTECTED]> wrote:
> Well, I have found the option in the view menu, but I have also found that it 
> is usual for Wireshark.org pages not to work
>
>
>
>  María de Fátima Requena Cabot (2488)
>  +34 91 787 23 00 alhambra-eidos.es
>
>
>
>  -Original Message-
>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Abhik Sarkar
>  Sent: Thursday, 10 April 2008 9:21
>  To: Developer support list for Wireshark
>  Subject: Re: [Wireshark-dev] time
>
>
>
>  Does this chapter
>  
> (http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html)
>  of the user guide provide the answer?
>
>  Best regards,
>  Abhik.
>
>  On Thu, Apr 10, 2008 at 11:16 AM, Maria de Fatima Requena
>  <[EMAIL PROTECTED]> wrote:
>  > Hi
>  >
>  >  What is time column expressed in? Milliseconds maybe?
>  >
>  >
>  >  María de Fátima Requena Cabot (2488)
>  >  +34 91 787 23 00 alhambra-eidos.es
>  >
>  >




[Wireshark-dev] Redback Lawful Intercept Dissector

2008-04-10 Thread Andrew Feren
I've recently started getting a number of false positive hits from the new
Redback Lawful Intercept heuristic.  I was going to try and tighten up the
heuristic a bit, but I can't find any sort of protocol specification.

Basically I use some protocols that start with a 32 bit version number. 
However since the version numbers are all well below 65,535 the first two
bytes are always 0.  The Redback heuristic sees this as an end of header
marker and returns true.

My thought was to return false if the first avptype is an end of header
marker, but without a protocol spec I can't be sure that this is actually an
invalid redback packet.

Anyone have any more details?

-Andrew

-Andrew Feren
 [EMAIL PROTECTED]


Re: [Wireshark-dev] Using glib 2.14.6-2 with gtk+ 2.12.8 on 1.0.0?(win32)

2008-04-10 Thread Maynard, Chris
The released version uses 2.14.6-2 for GTK2 and 2.14.5 for GTK1 due to some 
problem that I can't recall at the moment.  (It had something to do with 
libgmodule, and I think this was the bug reported for it, although I can't 
verify it right now because the wireshark website is not responding: 
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2357.)

Anyway, I'm not seeing the missing symbol problem.  Probably an obvious 
question, but did you run a distclean first before trying to build it?  Here's 
my build configuration from the Help->About window:

Version 1.0.0
Copyright 1998-2008 Gerald Combs <[EMAIL PROTECTED]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.12.8, with GLib 2.14.6, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.5,
with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT
Kerberos, with PortAudio V19-devel, with AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.1 beta3
(packet.dll version 4.1.0.1124), based on libpcap version 1.0 branch 20080129,
without AirPcap.
Built using Microsoft Visual C++ 6.0 build 8804

- Chris




From: Stig Bjørlykke
Sent: Thu 4/10/2008 2:46 AM
To: Developer support list for Wireshark
Subject: [Wireshark-dev] Using glib 2.14.6-2 with gtk+ 2.12.8 on  1.0.0?(win32)


Hi.

I have tried compiling 1.0.0 on an offline windows machine with glib
2.14.6-2 and gtk+ 2.12.8, as used in Makefile.nmake.  When running the
installed binary I get an error message about a missing symbol
g_assertion_message, and wireshark does not start.  Upgrading to glib
2.16.1 solves this problem.

Am I the only one getting this error with 1.0.0?
Which glib is used in the released version?


-- 
Stig Bjørlykke


Re: [Wireshark-dev] time

2008-04-10 Thread Maria de Fatima Requena
Well, I have found the option in the view menu, but I have also found that it 
is usual for Wireshark.org pages not to work


María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Abhik Sarkar
Sent: Thursday, 10 April 2008 9:21
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] time

Does this chapter
(http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html)
of the user guide provide the answer?

Best regards,
Abhik.

On Thu, Apr 10, 2008 at 11:16 AM, Maria de Fatima Requena
<[EMAIL PROTECTED]> wrote:
> Hi
>
>  What is time column expressed in? Milliseconds maybe?
>
>
>  María de Fátima Requena Cabot (2488)
>  +34 91 787 23 00 alhambra-eidos.es
>
>


Re: [Wireshark-dev] how to build standalone plugin dll

2008-04-10 Thread jorge sanchez
Hi all,


Solved, I needed to do:

mt.exe -manifest bip.dll.manifest -outputresource:bip.dll;#2


Copying the bip.dll to the plugins directory of a freshly installed Wireshark
then works.


Thanks,

Jorge

On Wed, Apr 9, 2008 at 5:13 PM, jorge sanchez <[EMAIL PROTECTED]> wrote:
> Hi ,
>
>  It was just a typo, sorry for that. I mean that the plugin's name is
>  bip.dll and I copied this file to the correct directory.
>
>  Maybe the problem is that I modified the VERSION_EXTRA in config.nmake
>  to "jorge" so the plugin should be
>  expected in %WIRESHARK\plugins\0.99.8jorge\bip.dll instead of
>  %WIRESHARK\plugins\0.99.8\bip.dll  .
>
>  I removed the VERSION_EXTRA and I am currently rebuilding the wireshark..
>
>  Thanks,
>
>  Jorge Sanchez
>
>
>
>  On Wed, Apr 9, 2008 at 5:01 PM, Maynard, Chris
>  <[EMAIL PROTECTED]> wrote:
>  > And just to clarify, you typed below that "If I
>  >
>  > copy the plugin.dll to %WIRESHARK\plugins\0.9.88\plugin.dll then I
>  >  get following error."
>  >
>  >  You should be copying the bip.dll to
>  >  "%WIRESHARK%\plugins\0.9.8\bip.dll".
>  >
>  >  Were those just 2 typos on your part, or is your script incorrect?
>  >  - Chris
>  >
>  >
>  >
>  >  -Original Message-
>  >  [snip]


[Wireshark-dev] buildbot failure in Windows-XP-x86

2008-04-10 Thread buildbot-no-reply
The Buildbot has detected a new failure of Windows-XP-x86.
Full details are available at:
 http://buildbot.wireshark.org/trunk/Windows-XP-x86/builds/4192

Buildbot URL: http://buildbot.wireshark.org/trunk/

Build Reason: 
Build Source Stamp: HEAD
Blamelist: jake

BUILD FAILED: failed shell_5

sincerely,
 -The Buildbot



Re: [Wireshark-dev] time

2008-04-10 Thread Abhik Sarkar
Does this chapter
(http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html)
of the user guide provide the answer?

Best regards,
Abhik.

On Thu, Apr 10, 2008 at 11:16 AM, Maria de Fatima Requena
<[EMAIL PROTECTED]> wrote:
> Hi
>
>  What is time column expressed in? Milliseconds maybe?
>
>
>  María de Fátima Requena Cabot (2488)
>  +34 91 787 23 00 alhambra-eidos.es
>
>


[Wireshark-dev] time

2008-04-10 Thread Maria de Fatima Requena
Hi

What is time column expressed in? Milliseconds maybe?


María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
 
