Re: [Wireshark-dev] Possible New Option for Tshark?
On Oct 22, 2010, at 9:43 PM, Stephen Fisher wrote:

> On Thu, Oct 21, 2010 at 03:29:36PM -0500, Craig Votava wrote:
>
>> I wrote a Perl script that feeds pcap data to an instance of tshark running in a child process, then takes the decoded output to present to the user. The problem is that I don't know when tshark is done sending output back to me.
>
> How about using pdml or psml with the -T option.

...especially given that the default (-T text) output of TShark is designed for humans, not programs, to read. If your program can read it, great, but if it's easier for it to read PSML or PDML

(Yes, I know about the UNIX philosophy with respect to program output. At times, it can lead to output that's suboptimal for humans to read but not *quite* as parsable by software as one might like, i.e. it can sacrifice human readability without gaining sufficient program readability to make up for it - sometimes you might as well just have two separate formats and be done with it.)

___
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
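The PDML route suggested above, as an added example that is not code from the thread or from the Wireshark project: a consumer that reads `tshark -T pdml` output with a streaming XML parser, so "tshark is done" is signalled by the closing `</pdml>` tag rather than guessed from timing. The PDML document embedded below is constructed by hand to look like TShark's output and is not a real capture; the element and attribute names it uses (pdml, packet, proto, field, name, show) are the ones real PDML carries, while the packet contents, the `creator` string and the `packets_from_tshark` helper are assumptions for illustration.

```python
"""Added example, not code from the thread: read TShark's PDML (-T pdml)
with a streaming XML parser so a consumer knows exactly when TShark is
finished.  Assumptions: the PDML sample below is constructed by hand to
look like `tshark -r capture.pcap -T pdml` output (not a real capture);
the element and attribute names used (pdml, packet, proto, field, name,
show) are the ones real PDML carries.
"""
import io
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample: two packets, the second carries an HTTP request.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.4.0">
<packet>
  <proto name="frame" showname="Frame 1" size="74">
    <field name="frame.number" showname="Frame Number: 1" show="1"/>
  </proto>
  <proto name="ip" showname="Internet Protocol" size="20">
    <field name="ip.src" showname="Source: 10.0.0.1" show="10.0.0.1"/>
    <field name="ip.dst" showname="Destination: 10.0.0.2" show="10.0.0.2"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol" size="40">
    <field name="tcp.dstport" showname="Destination port: 80" show="80"/>
  </proto>
</packet>
<packet>
  <proto name="frame" showname="Frame 2" size="140">
    <field name="frame.number" showname="Frame Number: 2" show="2"/>
  </proto>
  <proto name="ip" showname="Internet Protocol" size="20">
    <field name="ip.src" showname="Source: 10.0.0.1" show="10.0.0.1"/>
    <field name="ip.dst" showname="Destination: 10.0.0.2" show="10.0.0.2"/>
  </proto>
  <proto name="http" showname="Hypertext Transfer Protocol" size="86">
    <field name="http.request.method" showname="Request Method: GET" show="GET"/>
    <field name="http.request.uri" showname="Request URI: /index.html" show="/index.html"/>
  </proto>
</packet>
</pdml>
"""


def iter_packets(stream):
    """Yield a {field name: show value} dict per <packet> as soon as its
    closing tag has been read.  The generator ends only after the root
    </pdml> tag, so completion is signalled by the document itself, not by
    timing or by EOF on a pipe.  A tshark that dies mid-stream leaves the
    document unterminated and the parser raises ET.ParseError instead."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "packet":
            fields = {}
            for field in elem.iter("field"):  # includes nested <field>s
                name = field.get("name")
                if name and "show" in field.attrib:
                    fields[name] = field.get("show")
            yield fields
            elem.clear()  # release the subtree; memory stays flat on long runs
        elif elem.tag == "pdml":
            return  # root end tag: TShark has written everything


def count_packets(pdml_bytes):
    """Number of complete <packet> elements in a PDML document."""
    return sum(1 for _ in iter_packets(io.BytesIO(pdml_bytes)))


def http_requests(pdml_bytes):
    """(method, uri, ip.src) for every packet the http dissector flagged as a request."""
    found = []
    for pkt in iter_packets(io.BytesIO(pdml_bytes)):
        if "http.request.method" in pkt:
            found.append((pkt["http.request.method"],
                          pkt.get("http.request.uri"), pkt.get("ip.src")))
    return found


def is_complete(pdml_bytes):
    """False when the document was cut off before </pdml> (e.g. tshark was killed)."""
    try:
        for _ in iter_packets(io.BytesIO(pdml_bytes)):
            pass
    except ET.ParseError:
        return False
    return True


def packets_from_tshark(pcap_path):
    """Stream packets straight from a child tshark (hypothetical helper).
    Needs tshark on PATH; not exercised by the offline sample above."""
    proc = subprocess.Popen(["tshark", "-r", pcap_path, "-T", "pdml"],
                            stdout=subprocess.PIPE)
    try:
        yield from iter_packets(proc.stdout)
    finally:
        proc.stdout.close()
        proc.wait()


if __name__ == "__main__":
    print(count_packets(SAMPLE_PDML), "packets;", http_requests(SAMPLE_PDML))
```

The `is_complete` check is the part worth keeping in a real pipeline: a child tshark that is killed or crashes never writes `</pdml>`, and a parser that reports that as an error is what distinguishes "finished" from "stopped".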
[Wireshark-dev] nmake problem (cl.exe)
Hello,

compiling wireshark under windows I get some errors. I'm using the manual from http://www.codeproject.com/KB/IP/custom_dissector.aspx

I installed all required programs. There were some errors, where I had to rename some files like which.exe or unzip.exe because they were included in other programs I use. Ok, I solved these problems by renaming the files, but now I don't come any further.

When I run nmake -f Makefile.nmake all, the command

cl -WX -D_U_= /Zi /W3 /MD /D_CRT_SECURE_NO_DEPRECATE /D_CRT_NONSTDC_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /DMSC_VER_REQUIRED=1500 /D_BIND_TO_CURRENT_CRT_VERSION=1 /MP lemon.c

causes the error

cl: Command line error D8021: invalid numeric argument '/Mplemon.c'
NMAKE: fatal error U1077: 'cl': return code '0x2'

cl.exe is in the directory C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin\win64\x86\AMD64

Is this the wrong version too? Can you help me?

Best regards
Jan
Re: [Wireshark-dev] Stripping Dissectors from wireshark.
On Fri, Oct 22, 2010 at 4:32 PM, Hadriel Kaplan <hkap...@acmepacket.com> wrote:

> In wireshark, select Analyze -> Enabled Protocols... and uncheck everything you don't need. (though you will need to keep the lower layers dissected - e.g., for HTTP you'd need to keep Ethernet, IP, TCP selected, and possibly IPv6, and of course HTTP and possibly SSL, etc)

There are so many protocols that it's useless to even try. Would be nice if they were:
(1) grouped by 'families' (example: all the ZigBee protocols)
(2) grouped by layers (example: all the ATM stuff)

Y.

> If all you want is HTTP, and only for port 80 or 443 or whatever, you could use a BPF capture filter to only capture the right packets to begin with - that'll speed it up.
>
> -hadriel
>
> On Oct 21, 2010, at 9:56 PM, rishab gupta wrote:
>
>> Hi,
>> I want to speed up wireshark. I am concerned with only the major protocols such as http. Will it be a good idea to remove the dissectors that serve no purpose for me? If so, how do I go about it, because every dissector seems to have a lot of dependencies wrapped around it...
>> Any help will be much appreciated.
>>
>> Best,
>> Rishabh Gupta
Re: [Wireshark-dev] Seg Fault - Creating new wiretap type
You don't have the following at the beginning of your .c file:

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

I assume without that, HAVE_LIBZ (and a bunch of other stuff) isn't defined when your .c file includes the remaining header files, and it's doomed.

-hadriel

On Oct 22, 2010, at 7:50 PM, Alex Lindberg wrote:

> I have uploaded a patch file and example C and H files to bugzilla that demonstrate the SEG Fault. I'm sure that I have overlooked something simple. Bug 5333.
>
> Thanks as always.
> Alex Lindberg
>
> --- On Fri, 10/22/10, Stephen Fisher <st...@stephen-fisher.com> wrote:
>
>> From: Stephen Fisher <st...@stephen-fisher.com>
>> Subject: Re: [Wireshark-dev] Seg Fault - Creating new wiretap type
>> To: Developer support list for Wireshark <wireshark-dev@wireshark.org>
>> Date: Friday, October 22, 2010, 12:34 PM
>>
>> On Thu, Oct 21, 2010 at 02:42:34PM -0700, Alex Lindberg wrote:
>>
>>> That was my thought, however I used a debugger and printf statements to watch the file handle passed to the wiretap routines. The file was the same in all cases. This has me stumped. It seems that my string buffer is not allowed during the file_gets routine. Perhaps making the buffer a const for the procedure, but that is not necessary in other modules. It is strange.
>>
>> file_gets() is typically #defined as gzgets() when compiled with zlib. The return of gzgets() is the same as fgets() (which is used when zlib isn't present) - a char *. I noticed that you're using an unsigned char (guchar), but a test program I made outside of Wireshark works fine with that too. Want to send a patch of your changes so we can try it also?
Re: [Wireshark-dev] Wireshark lua (wslua) and bit fields - how to do it?
The shred_rd field should be defined with a mask, so that it's automatically masked and shifted. I'm assuming it's a bit that represents read only. The Lua below lets you filter with shred.rd == true:

-- read-only at bit 1
-- third argument is the width in bits of the parent bitfield (one byte here)
fields.shred_rd = ProtoField.bool("shred.rd", "Read only", 8, nil, 0x02)

for shred = 1, num_shreds do
  subtree:add("- NV Storage Shred " .. shred .. " -")
  subtree:add(fields.shred_id, buffer(offset, 8))
  subtree:add(fields.shred_flags, buffer(offset+8, 8))
  local flags = tonumber(tostring(buffer(offset+8, 8):uint64()))
  local hex = tostring(bit.tohex(bit.band(flags, 0x02)))
  subtree:add("- NV Storage hexflags: " .. hex)
  --[[ Since shred_rd is a bool, the buffer length must be 1.
       shred_rd's offset (bit 1) is in the lower 8 bits of the 64-bit flags. ]]--
  local OFFSET_FLAGS_LSB = offset+8+7
  subtree:add(fields.shred_rd, buffer(OFFSET_FLAGS_LSB, 1))
  offset = offset+inc
end

-- Message: 1
Date: Thu, 21 Oct 2010 17:46:29 +
From: Daniel Lynes <dly...@pv-labs.com>
Subject: [Wireshark-dev] Wireshark lua (wslua) and bit fields - how to do it?
To: wireshark-dev@wireshark.org
Message-ID: 1287683189.17967.24.ca...@yvorontsov-gpu1
Content-Type: text/plain; charset=us-ascii

I'm trying to output some bit values in my wireshark dissector decode. However, I want to be able to filter based on those bit values. I can't seem to use the LUA bitop library to do it, because lua complains that the result is not a uservalue.

I've got the following code:

for shred = 1, num_shreds do
  subtree:add("- NV Storage Shred " .. shred .. " -")
  subtree:add(fields.shred_id, buffer(offset, 8))
  subtree:add(fields.shred_flags, buffer(offset+8, 8))
  local flags = tonumber(tostring(buffer(offset+8, 8):uint64()))
  local hex = tostring(bit.tohex(bit.band(flags, 0x02)))
  subtree:add("- NV Storage hex flags: " .. hex)
  local hexba = ByteArray.new(hex)
  -- The following line complains about a nil uservalue
  local rdonly = Tvb.new_real(hexba, hex)
  -- The following line complains about the value being a number instead of a uservalue
  subtree:add(fields.shred_rd, bit.band(flags, 0x02))
  offset = offset+inc
end

Does anyone happen to have any clues as to what I'm doing wrong?

Fwiw, I'm using 1.2.0 (1.3, 1.4, and 1.5 all have video corruption issues, and 1.0 has issues with 64-bit integers).
[Wireshark-dev] I want to print the string tvb-real_data on the ubuntu terminal
I want to print the string tvb->real_data (in packet-http.c:dissect) on the ubuntu terminal. But whichever of

printf("%s\n", tvb->real_data);

or

fprintf(stdout, "%s\n", tvb->real_data);

I add into the packet-http.c:dissect_http function, nothing is shown on the terminal. What should I do to display the string tvb->data on the terminal?