Re: [Wireshark-dev] Enable extcap by default or not

2016-09-09 Thread Steve Karg
Hi Roland,

For the BACnet mstpcap (RS485 serial packetizer, third party, open source),
the users currently just drag-n-drop the mstpcap.exe file into the extcap
folder, and it starts working as it should when Wireshark is launched. It
only adds interfaces if the PC has serial ports detected/connected. Having
it enabled by default avoids the hassle and support emails since it "just
works", so that is what I prefer.

Best Regards,

Steve


On Fri, Sep 9, 2016 at 12:42 AM, Roland Knall  wrote:

> Hello List
>
> There is currently a discussion going on in https://code.wireshark.org/
> review/#/c/17498 in regard to enabling extcap features by default or not.
>
> There are basically two sides to the argument:
>
> Cons - extcap interfaces are advanced features, which will not be used by
> a majority of users. As more and more of those interfaces emerge, it
> clutters up the list. Therefore disabling them by default and enabling them
> when needed is ok.
>
> Pros - There are users out there, who use Wireshark solely together with
> extcap interfaces. Lots of those users are not very familiar with Wireshark
> in general. extcap was intended to bring capture device support to
> Wireshark where otherwise it would not be present or very complicated to do
> so. For those users to enable the support before using it seems like an
> unnecessary hassle.
>
> I just wanted to get the meaning of the list, on how we should proceed
> here, and if there are other arguments for or against enabling extcap by
> default.
>
> To clarify, I am a Pro guy as I fear 3rd party users will not understand
> this and this will lead to support cases which will generate the opinion
> "Wireshark is overly complicated, let's use something else".
>
> regards
> Roland
>
> 
> ___
> Sent via:Wireshark-dev mailing list 
> Archives:https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>  mailto:wireshark-dev-requ...@wireshark.org?subject=
> unsubscribe
>
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Lightweight markup for release notes

2013-03-04 Thread Steve Karg
I've been using Markdown for a lot of my recent documentation, since
it is one of the plain-text markups understood by doxygen and also
displayed on GitHub:
https://help.github.com/articles/github-flavored-markdown

Steve

On Mon, Mar 4, 2013 at 4:33 PM, Jaap Keuter jaap.keu...@xs4all.nl wrote:
 On 03/04/2013 08:45 PM, Gerald Combs wrote:
 Would anyone object to using a lighter-weight markup language for the
 release notes such as Markdown or reStructuredText?

 I myself have been looking into AsciiDoc, for use with the Users and Developers
 Guide. It seems to me that the two projects you mentioned are a bit stale?
 AsciiDoc seems more capable of being used throughout as Wireshark's
 documentation format, maybe.

 Thanks,
 Jaap

-- 
http://steve.kargs.net/


Re: [Wireshark-dev] RFD: Creating subdirectories in epan/dissectors/

2012-08-25 Thread Steve Karg
Hello Joerg,

[snip]
 What I'd like to do is put these dissectors that belong *to a single protocol*
 into a subdirectory of that name, i.e. move them to
[snip]
 xmpp/packet-other.c
 xmpp/packet-other.h
 xmpp/packet-utils.c
 xmpp/packet-utils.h

These kinds of file names could be in every protocol...

 What do you think?

Based on experience with another open source C project where I did
segregate files into sub-folders and tried to simplify the file names
by utilizing sub-directories, you will likely have file naming
conflicts between protocols if you remove the protocol name from the
file.  C file names must be unique in the build (for most compilers
and linkers that I have used).

Best Regards,

Steve
-- 
http://steve.kargs.net/


Re: [Wireshark-dev] real time capture with a different application

2011-11-26 Thread Steve Karg
Hello Vijay,

 I'm trying to do a live capture of 802.15.4 TinyOS traffic using
 wireshark/tshark. I use another application which captures the traffic and
 writes to a file.

Sounds interesting.

 I used a pipe to display the traffic on tshark. It did display the traffic
 but stopped after displaying the capture file. Now, I will write new
 captures as they come,
 So is there an option to tell tshark/wireshark to listen on the pipe
 continuously and display the capture as it gets written to the pipe?

I wrote a serial packet conversion utility that uses pipes and saves
to a pcap file concurrently.  Wireshark listens continuously.  It was
written in C and is ported to Linux and Windows:
https://bacnet.svn.sourceforge.net/svnroot/bacnet/trunk/bacnet-stack/demo/mstpcap/main.c

In my first try, I was saving 65535 packets at a time to the file, and
that would cause the pipe to Wireshark to stop since I rewrote the
header to the pipe.  But I changed it to only rewrite the header to
the file and not rewrite the header to the pipe, and that allowed the
packets to go to the pipe and Wireshark continuously.

Good luck!

Steve

-- 
http://steve.kargs.net/


Re: [Wireshark-dev] [Wireshark-commits] rev 38106: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-bacapp.c

2011-07-19 Thread Steve Karg
Hi Guy and Chris,

 Assuming the reporter of bug 5769 is correct and the Info column displays 
 the values of the low and high limits correctly, then the protocol is 
 ENC_BIG_ENDIAN.  All of the fields affected by r38106 are either FT_UINT8's 
 or FT_BOOLEAN's spanning 1 byte, so endian-ness really doesn't matter, but 
 if someone does the old copy-and-paste thing later on, [s]he might 
 incorrectly copy an ENC_LITTLE_ENDIAN when it should be ENC_BIG_ENDIAN.

I have access to the BACnet standard, and need to update the dissector
to expand some enumerations and value strings soon (the standard keeps
expanding, for some reason). Most likely the conversions are Big
Endian as most encodings in BACnet are network byte order, and most
likely the cause of TRUE in the fields is from copy-paste (I'm sure
I'm guilty of that).  I'll review the changes and submit a patch if it
is needed.  Is there any other cleanup in the BACnet dissector that
needs attention?

Best Regards,

Steve
-- 
http://steve.kargs.net/


Re: [Wireshark-dev] [Wireshark-commits] rev 36639: /trunk/epan/wslua/ /trunk/epan/wslua/: wslua_proto.c

2011-04-14 Thread Steve Karg
You could now add Guy to the Wikipedia article (under Variations by others):
http://en.wikipedia.org/wiki/Rose_is_a_rose_is_a_rose_is_a_rose

(and it took me a while to figure out the reference)

Steve

On Thu, Apr 14, 2011 at 8:45 AM, Graham Bloice
graham.blo...@trihedral.com wrote:
 On 14/04/2011 14:39, Maynard, Chris wrote:

 -Original Message-

 http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=36639

 User: guy
 Date: 2011/04/13 11:28 PM

 Log:
  Zero is zero is zero, as Gertrude Stein didn't say.

 So besides being incredibly smart, you are also a very funny guy, guy. :)

 Guy's little nuggets have to be watched for carefully, savoured and
 treasured.

 --
 Regards,

 Graham Bloice


Re: [Wireshark-dev] ett

2010-12-28 Thread Steve Karg
Hello Andreas,

 What does 'ett' stand for? I found it as subtree array index, but can it
 somehow be pronounced? Is it an abbreviation?

Gerald posted last year about ett on this list:

Gerald
I _think_ it originally stood for Ethereal tree type. The first
implementation used a set of #defines in packet.h, like so from revision 2:

/* Tree types.  Each dissect_* routine should have one for each
  add_subtree() call. */

#define ETT_IEEE8023    0
#define ETT_ETHER       1
#define ETT_LLC         2
#define ETT_TOKEN_RING  3
 [ ... ]

I think expansion tree type is a much better definition.
/Gerald

Best Regards,

Steve
-- 
http://steve.kargs.net/


[Wireshark-dev] Fwd: rs485

2010-09-28 Thread Steve Karg
Hello Agustin,

 I think it's not possible to capture live data from rs485 using wireshark
 directly but if anyone have worked in it I'll be grateful for any help.

I have been using the Wireshark pipe method to capture RS-485
traffic[1] - but it would be nicer if there was a generic IP method
for incoming packets (i.e. sending the packets remotely over IP to the
Ethernet interface from the capture utility).  I have also used SNAP
to send packets[2], but it doesn't work without root access (on
Linux).

Best Regards,

Steve
[1] 
https://bacnet.svn.sourceforge.net/svnroot/bacnet/trunk/bacnet-stack/demo/mstpcap/main.c
[2] 
https://bacnet.svn.sourceforge.net/svnroot/bacnet/trunk/bacnet-stack/ports/linux/mstpsnap.c
-- 
http://steve.kargs.net/


Re: [Wireshark-dev] Feeding data to Wireshark in real time

2010-03-18 Thread Steve Karg
Hello Kahou,

 Does that mean the file header of the pcap file is incorrect? The pcap
 file can be displayed on wireshark if I load it manually tho.

There is a complete example of using a named pipe in C along with the
pcap header and packet data at:
https://bacnet.svn.sourceforge.net/svnroot/bacnet/trunk/bacnet-stack/demo/mstpcap/main.c

Best Regards,

Steve
-- 
http://steve.kargs.net/


Re: [Wireshark-dev] Ability to sniff serial line with wireshark?

2010-03-02 Thread Steve Karg
Hello J.Büsch,

 Is there any chance to let wireshark open a specific serial port and
 sniff whatever comes on that link?

You can use a named pipe for sniffing serial, but you need to
packetize the serial data first.

Here is the Wiki page about pipes:
http://wiki.wireshark.org/CaptureSetup/Pipes

I wrote a command line utility in C to packetize BACnet MS/TP serial
data, save in pcap format to a file, and forward to a named pipe on
Linux or Windows:
https://bacnet.svn.sourceforge.net/svnroot/bacnet/trunk/bacnet-stack/demo/mstpcap/main.c

Best Regards,

Steve
-- 
http://steve.kargs.net/
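The three replies above that point at mstpcap (the 2011 reply to Vijay, the 2010 reply to Kahou and the reply to J.Büsch directly above) all describe the same technique: packetize the serial data, write one pcap global header to a named pipe that Wireshark reads, then stream pcap records into it, while concurrently saving to pcap files that each start with their own global header. The Python below is an added example written for this page, not the mstpcap code linked in those posts. It encodes the lesson from the 2011 reply (a file rotation re-emits the header to the new file, never to the pipe) and includes a strict reader that fails on a doubled header the way a live capture would. The link type value 165 for BACnet MS/TP, the FIFO path and the frame bytes are assumptions made for the example.

```python
"""Stream pcap to a named pipe for Wireshark while saving rotating pcap files.
Added example for this page, not the mstpcap code the posts link to.  Rule
enforced here: the 24-octet global header goes to every *file* once and to the
*pipe* exactly once; a second header on the pipe is read as a corrupt record."""
import io
import struct
from typing import BinaryIO, Callable, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # microsecond timestamps, little-endian stream
LINKTYPE_BACNET_MS_TP = 165    # assumed link type for MS/TP frames (not stated on the page)
SNAPLEN = 65535


def pcap_global_header(linktype: int, snaplen: int = SNAPLEN) -> bytes:
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float, snaplen: int = SNAPLEN) -> bytes:
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    incl = frame[:snaplen]
    return struct.pack("<IIII", sec, usec, len(incl), len(frame)) + incl


class CaptureSink:
    """Fan each frame out to a pipe (header once) and to files rotated every N frames."""

    def __init__(self, pipe: BinaryIO, open_file: Callable[[], BinaryIO],
                 linktype: int = LINKTYPE_BACNET_MS_TP, rotate_every: int = 65535) -> None:
        self.pipe, self.open_file = pipe, open_file
        self.header = pcap_global_header(linktype)
        self.rotate_every = rotate_every
        self.current: Optional[BinaryIO] = None
        self.in_current = 0
        self.pipe.write(self.header)       # the only header the pipe ever sees
        self.pipe.flush()

    def _rotate(self) -> None:
        if self.current is not None:
            self.current.flush()
        self.current = self.open_file()
        self.current.write(self.header)    # every new file starts with a header
        self.in_current = 0

    def write_frame(self, frame: bytes, ts: float) -> None:
        if self.current is None or self.in_current >= self.rotate_every:
            self._rotate()
        rec = pcap_record(frame, ts)
        self.current.write(rec)
        self.in_current += 1
        self.pipe.write(rec)               # records only, so Wireshark keeps reading
        self.pipe.flush()


def read_pcap(data: bytes) -> Tuple[int, List[bytes]]:
    """Strict reader: raises ValueError where Wireshark would report a bad record."""
    if len(data) < 24:
        raise ValueError("short global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 stream")
    frames, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at %d" % off)
        _sec, _usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        if incl > snaplen or incl > orig or off + 16 + incl > len(data):
            raise ValueError("bad record at offset %d" % off)
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return linktype, frames


def simulate(frames: List[bytes], rotate_every: int) -> Tuple[bytes, List[bytes]]:
    """In-memory run: returns the pipe stream and the bytes of each rotated file."""
    pipe: io.BytesIO = io.BytesIO()
    files: List[io.BytesIO] = []

    def opener() -> BinaryIO:
        files.append(io.BytesIO())
        return files[-1]

    sink = CaptureSink(pipe, opener, rotate_every=rotate_every)
    for i, frame in enumerate(frames):
        sink.write_frame(frame, 1_700_000_000.0 + i)
    return pipe.getvalue(), [f.getvalue() for f in files]


if __name__ == "__main__":
    import itertools, os, sys, time
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/mstp.pipe"   # assumed FIFO path
    if not os.path.exists(path):
        os.mkfifo(path)
    counter = itertools.count(1)
    # Start the reader first:  wireshark -k -i /tmp/mstp.pipe
    # open() blocks until Wireshark has opened the read end of the FIFO.
    with open(path, "wb", buffering=0) as fifo:
        sink = CaptureSink(fifo, lambda: open("mstp-%d.pcap" % next(counter), "wb"), rotate_every=1000)
        for i in range(5):   # constructed stand-in frames; a real tool reads them from the serial port
            sink.write_frame(bytes([0x55, 0xFF, 0x00, 0x7F, i, 0x00, 0x00]), time.time())
```

Running it as a script creates the FIFO, waits for Wireshark to open it, and writes five constructed frames; the same CaptureSink with a real serial reader is all a packetizer needs. Note that open() on the write end blocks until a reader exists, so Wireshark (or tshark) must be started on the pipe first.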


Re: [Wireshark-dev] RADIUS dissector changes

2009-11-12 Thread Steve Karg
Hello Armen,

 I wanted to get some tips on the best quick and dirty dev environment to 
 setup to get this to a tested patch stage.

See the following URL from the Developer Guide
http://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html

 -  Development Environment
 -  Compiler (no idea gcc?)

Microsoft Visual C++ 2008 Express Edition

 -  SVN client (thinking TortoiseSVN)

Yes.
 -  Diff tool (WinMerge looks appropriate as it has patch/diff file 
 creation available)

Yes (and it integrates into TortoiseSVN).

Good luck!

Steve
--
http://steve.kargs.net/


[Wireshark-dev] Wireshark and Windows 7

2009-10-23 Thread Steve Karg
FYI

A colleague of mine downloaded wireshark-win32-1.2.2.exe yesterday
from Wireshark.org, and the WinPcap installer did not work in Windows
7.  He checked on WinPcap's website and the new version of the
installer worked fine, and that solved his problem.

Best Regards,

Steve
-- 
http://steve.kargs.net/


[Wireshark-dev] [PATCH] BACnet Network Layer decoding fixes

2007-08-22 Thread Steve Karg

Hello Developers,

For the BACnet dissector:
1. Moved all the network layer message type decodings under the
network layer control bit check to prevent malformed packets.

2. Added the decoding of the optional network number for the
Who-Is-Router-To-Network message type.

3. Added the decoding for the Establish-Connection-To-Network and
Disconnect-Connection-To-Network network layer messages.

4. Corrected Initialize-Routing-Table and
Initialize-Routing-Table-Ack decoding.

5. Added Network layer info under Column Info.

I validated the results using a capture generated by VTS3, a BACnet
test tool from http://vts.SourceForge.net.  I also fuzz tested with
my captures.

Best Regards,

Steve


packet-bacnet.patch.gz
Description: GNU Zip compressed data
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
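Item 1 of the patch description above, decoding network layer message types only after the network layer control bit check, is the ordering a dissector needs so that an APDU is never misread as a message type and a short packet is never read past its end. The Python below is an added example for this page, not packet-bacnet.c or the attached patch: it parses the NPDU header as laid out in ASHRAE 135 clause 6.2, reads a message type octet only when bit 7 of the control octet is set, bounds-checks every optional field, and decodes the optional network number of Who-Is-Router-To-Network and the Establish/Disconnect-Connection-To-Network bodies named in items 2 and 3. The sample frames are constructed; the ReadProperty APDU in the tests starts with 0x00, which a decoder that skipped the control bit check would report as Who-Is-Router-To-Network.

```python
"""Decode a BACnet NPDU (ASHRAE 135 clause 6.2).  Added example for this
page, not the Wireshark dissector; the sample frames used are constructed."""
from typing import Dict

NPDU_VERSION = 0x01

# Control octet bits.  Bit 7 decides whether a message type octet follows at
# all; when it is clear the bytes after the header are an APDU.
CTRL_NETWORK_MESSAGE = 0x80
CTRL_DEST_PRESENT = 0x20      # DNET, DLEN, DADR and Hop Count present
CTRL_SRC_PRESENT = 0x08       # SNET, SLEN, SADR present
CTRL_EXPECTING_REPLY = 0x04
CTRL_PRIORITY_MASK = 0x03

NETWORK_MESSAGE_TYPES = {
    0x00: "Who-Is-Router-To-Network", 0x01: "I-Am-Router-To-Network",
    0x02: "I-Could-Be-Router-To-Network", 0x03: "Reject-Message-To-Network",
    0x04: "Router-Busy-To-Network", 0x05: "Router-Available-To-Network",
    0x06: "Initialize-Routing-Table", 0x07: "Initialize-Routing-Table-Ack",
    0x08: "Establish-Connection-To-Network", 0x09: "Disconnect-Connection-To-Network",
}


class Malformed(ValueError):
    """Raised instead of indexing past the end of a short or inconsistent NPDU."""


def _need(buf: bytes, off: int, n: int, what: str) -> None:
    if off + n > len(buf):
        raise Malformed("truncated NPDU while reading %s" % what)


def decode_network_message(mtype: int, body: bytes) -> Dict[str, object]:
    """Message-specific bodies for the types this example covers."""
    if mtype == 0x00:                       # Who-Is-Router-To-Network: optional DNET
        if not body:
            return {"network": None}
        if len(body) != 2:
            raise Malformed("Who-Is-Router-To-Network carries 0 or 2 octets")
        return {"network": int.from_bytes(body, "big")}
    if mtype == 0x01:                       # I-Am-Router-To-Network: list of DNETs
        if len(body) % 2:
            raise Malformed("odd-length network list")
        return {"networks": [int.from_bytes(body[i:i + 2], "big")
                             for i in range(0, len(body), 2)]}
    if mtype in (0x08, 0x09):               # DNET, plus Termination Time Value for 0x08
        want = 3 if mtype == 0x08 else 2
        if len(body) != want:
            raise Malformed("connection message needs %d octets" % want)
        fields: Dict[str, object] = {"network": int.from_bytes(body[:2], "big")}
        if mtype == 0x08:
            fields["termination_time"] = body[2]
        return fields
    return {}                               # other types: body left as raw payload


def decode_npdu(buf: bytes) -> Dict[str, object]:
    _need(buf, 0, 2, "version and control")
    if buf[0] != NPDU_VERSION:
        raise Malformed("unsupported NPDU version 0x%02X" % buf[0])
    ctrl, off = buf[1], 2
    out: Dict[str, object] = {
        "priority": ctrl & CTRL_PRIORITY_MASK,
        "expecting_reply": bool(ctrl & CTRL_EXPECTING_REPLY),
        "dnet": None, "dadr": None, "snet": None, "sadr": None, "hop_count": None,
        "message": None, "vendor_id": None, "payload": None, "apdu": None,
    }
    if ctrl & CTRL_DEST_PRESENT:
        _need(buf, off, 3, "DNET/DLEN")
        out["dnet"] = int.from_bytes(buf[off:off + 2], "big")
        dlen, off = buf[off + 2], off + 3
        _need(buf, off, dlen, "DADR")
        out["dadr"] = buf[off:off + dlen]   # DLEN 0 means broadcast on DNET
        off += dlen
    if ctrl & CTRL_SRC_PRESENT:
        _need(buf, off, 3, "SNET/SLEN")
        out["snet"] = int.from_bytes(buf[off:off + 2], "big")
        slen, off = buf[off + 2], off + 3
        if slen == 0:
            raise Malformed("SLEN of zero is not allowed")
        _need(buf, off, slen, "SADR")
        out["sadr"] = buf[off:off + slen]
        off += slen
    if ctrl & CTRL_DEST_PRESENT:            # Hop Count follows the source fields
        _need(buf, off, 1, "hop count")
        out["hop_count"], off = buf[off], off + 1
    if not ctrl & CTRL_NETWORK_MESSAGE:
        out["apdu"] = buf[off:]             # APDU follows: there is no message type octet
        return out
    _need(buf, off, 1, "message type")
    mtype, off = buf[off], off + 1
    if mtype >= 0x80:                       # proprietary: 2-octet vendor ID follows
        _need(buf, off, 2, "vendor id")
        out["vendor_id"] = int.from_bytes(buf[off:off + 2], "big")
        off += 2
        out["message"] = "Proprietary-0x%02X" % mtype
        out["payload"] = buf[off:]
        return out
    out["message"] = NETWORK_MESSAGE_TYPES.get(mtype, "Reserved-0x%02X" % mtype)
    out["payload"] = buf[off:]
    out.update(decode_network_message(mtype, buf[off:]))
    return out


def is_malformed(buf: bytes) -> bool:
    """True when the frame is rejected rather than read past its end."""
    try:
        decode_npdu(buf)
    except Malformed:
        return True
    return False
```

Every read goes through _need first, so a truncated Who-Is-Router-To-Network or an odd-length I-Am-Router-To-Network list produces a Malformed error instead of an exception from indexing; in a dissector the equivalent is letting the tvb bounds checks fire only after the control bit has told you which fields can legally be present.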


Re: [Wireshark-dev] [PATCH] BACnet Network Layer decoding fixes

2007-08-22 Thread Steve Karg
Hi Richard,

 Please can you attach the patch to a bug as detailed in the developers'
 guide - http://www.wireshark.org/docs/wsdg_html/#ChSrcSend - such that
 it doesn't get lost?

Sure!  See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1760

Sorry about that.  Infrequent Wireshark contributors/maintainers like me
don't always keep up with the latest developer process rules.

Best Regards,

Steve
-- 
http://steve.kargs.net/



[Wireshark-dev] [PATCH] BACnet bacapp fixes for bug 1670

2007-07-06 Thread Steve Karg
Hello Developers,

Attached is a patch that fixes bug 1670 and related issues.

For the BACnet GetEventInformation-ACK request dissector:
1. Corrected BitString decoding for acknowledgedTransitions and eventEnable.

2. Corrected the ability to decode more than one event.

3. Grouped each item of the sequence using subtrees.  Added more informative
text to Priority and Timestamp.

4. Corrected eventState to use BACnetEventState enumeration instead of
BACnetEventStateFilter.

I validated the results with the capture attached to the bug report.  I also
fuzz tested for a while with my captures with no failures.

Best Regards,

Steve
-- 
http://steve.kargs.net/

packet-bacapp.patch.gz
Description: GNU Zip compressed data


Re: [Wireshark-dev] Introduction and first questions/suggestions

2007-06-06 Thread Steve Karg
Hi Simon,

I help maintain the BACnet (bacnet, bacapp, bvlc) dissectors in 
Wireshark.  Sorry I didn't see your post sooner - I normally just scan 
the subject lines for BACnet or BACapp or BVLC.

 Either under Chapter GUI or Dissection:
 When a protocol is used on a port other than the one Wireshark expects
 (such as BACnet on UDP port 48560) the context sensitive menu item
 Decode as... is GREAT, but finding what I need is not so great
 since only an abbreviation (in above example BVLC) can be selected
 without any way of help. I suggest a tooltip when hovering over a
 selected protocol item with the same content as in Help -> Supported
 Protocols (in above example BVLC: BACnet Virtual Link Control).

Do you have a capture for this?  If so, I can look at what is required 
for Wireshark to analyze BACnet/IP on a UDP/IP port other than 47808.

 Dissector specific
 Item 19. What's the reason the APDU part of BACnet/IP is not
 dissected? Is it just the workload (for which a solution can be
 found) or is there a technical reason such as variable length, the
 BACnet specific solution of segmenting or other?

The APDU portion is dissected and mostly complete since Ethereal 
0.10.11.  I will update the wishlist:
http://wiki.wireshark.org/WishList

Best Regards,

Steve



[Wireshark-dev] [PATCH] BACnet bacapp additions

2007-01-16 Thread Steve Karg

Hi Developers,

I added some text for enumerations that were added with addenda recently 
approved for the BACnet standard.  I compiled the changes using 
Linux/GCC.  The patch is a diff made using svn diff.


Best Regards,

Steve




bacapp.patch.gz
Description: GNU Zip compressed data


Re: [Wireshark-dev] [PATCH] BACnet bacapp additions

2007-01-16 Thread Steve Karg
Hi Sebastien,

   Can you share a pcap trace of BACnet?

There is a directory of unorganized BACnet captures in a directory on my 
website:
http://kargs.net/captures/

You can use them for whatever you want.

Arbitrary BACnet traces can also be generated using the BACnet VTS tool 
(vts.sourceforge.net) or by using BACnet stack demo applications 
(bacnet.sourceforge.net), or commercial tools from Polarsoft, Cimetrics, 
or SCADA Engine.

Best Regards,

Steve


[Wireshark-dev] [PATCH] BACnet bacapp signed value and priority

2006-08-15 Thread Steve Karg

Hello Developers!

I made a small change in packet-bacapp.c to fix the following:

1. Corrected Signed value decoding for a one octet value.

2. Corrected Priority values to decode as Unsigned values.

Best Regards,

Steve


packet-bacapp.c.patch.gz
Description: application/gzip
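The two fixes in the 2006 post directly above (a one-octet Signed value, priorities decoded as Unsigned) and items 1 and 4 of the bug 1670 patch further up (BitString decoding for acknowledgedTransitions and eventEnable, eventState as an enumeration) all come down to the BACnet primitive tag encodings of ASHRAE 135 clause 20.2. The Python below is an added example for this page, not code from packet-bacapp.c or either patch. It parses the tag octet (tag number, application/context class, length/value/type field with the extended forms), sign-extends Signed values of any permitted length including one octet, decodes a BitString with its leading unused-bits octet, and reads the context-tagged acknowledgedTransitions [2] field of a GetEventInformation-ACK event summary. The sample encodings in the tests are constructed.

```python
"""Decode BACnet primitive tags (ASHRAE 135 clause 20.2).  Added example for
this page, not code from packet-bacapp.c; the sample encodings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Application tag numbers used below
TAG_UNSIGNED, TAG_SIGNED, TAG_BITSTRING, TAG_ENUMERATED = 2, 3, 8, 9

# GetEventInformation-ACK acknowledgedTransitions [2] is a
# BACnetEventTransitionBits BitString with these three bits, MSB first.
ACK_TRANSITIONS = ("to-offnormal", "to-fault", "to-normal")


@dataclass
class Tag:
    number: int
    context: bool
    length: int = 0          # octets of value data that follow the tag header
    opening: bool = False
    closing: bool = False


def _need(buf: bytes, off: int, n: int) -> None:
    if off + n > len(buf):
        raise ValueError("truncated at offset %d (need %d octets)" % (off, n))


def decode_tag(buf: bytes, off: int) -> Tuple[Tag, int]:
    """Parse a tag header; returns the tag and the offset of its value."""
    _need(buf, off, 1)
    octet, off = buf[off], off + 1
    number, context, lvt = octet >> 4, bool(octet & 0x08), octet & 0x07
    if number == 0x0F:                      # extended tag number in next octet
        _need(buf, off, 1)
        number, off = buf[off], off + 1
    if context and lvt == 6:
        return Tag(number, True, opening=True), off
    if context and lvt == 7:
        return Tag(number, True, closing=True), off
    length = lvt
    if lvt == 5:                            # extended length
        _need(buf, off, 1)
        length, off = buf[off], off + 1
        if length == 254:
            _need(buf, off, 2)
            length, off = int.from_bytes(buf[off:off + 2], "big"), off + 2
        elif length == 255:
            _need(buf, off, 4)
            length, off = int.from_bytes(buf[off:off + 4], "big"), off + 4
    _need(buf, off, length)                 # the value must fit in the buffer
    return Tag(number, context, length), off


def decode_unsigned(buf: bytes, off: int, length: int) -> int:
    if not 1 <= length <= 8:
        raise ValueError("Unsigned length %d out of range" % length)
    return int.from_bytes(buf[off:off + length], "big")


def decode_signed(buf: bytes, off: int, length: int) -> int:
    # Two's complement, big-endian.  A one-octet 0xFF is -1, not 255.
    if not 1 <= length <= 4:
        raise ValueError("Signed length %d out of range" % length)
    return int.from_bytes(buf[off:off + length], "big", signed=True)


def decode_bitstring(buf: bytes, off: int, length: int) -> List[bool]:
    # First octet is the count of unused (padding) bits in the last data octet.
    if length < 1:
        raise ValueError("BitString needs the unused-bits octet")
    unused, data = buf[off], buf[off + 1:off + length]
    if unused > 7 or (unused and not data):
        raise ValueError("bad unused-bits count %d" % unused)
    bits = [bool(b >> i & 1) for b in data for i in range(7, -1, -1)]
    return bits[:len(bits) - unused]


def decode_application_value(buf: bytes, off: int = 0) -> Tuple[object, int]:
    """Decode one application-tagged value; returns (value, next offset)."""
    tag, off = decode_tag(buf, off)
    if tag.context:
        raise ValueError("context tag %d: its type comes from the enclosing production" % tag.number)
    if tag.number in (TAG_UNSIGNED, TAG_ENUMERATED):
        value: object = decode_unsigned(buf, off, tag.length)
    elif tag.number == TAG_SIGNED:
        value = decode_signed(buf, off, tag.length)
    elif tag.number == TAG_BITSTRING:
        value = decode_bitstring(buf, off, tag.length)
    else:
        raise ValueError("application tag %d not covered here" % tag.number)
    return value, off + tag.length


def decode_ack_transitions(buf: bytes, off: int = 0) -> Tuple[Dict[str, bool], int]:
    """acknowledgedTransitions [2]: context tag 2 whose value is a 3-bit BitString."""
    tag, off = decode_tag(buf, off)
    if not tag.context or tag.number != 2 or tag.opening or tag.closing:
        raise ValueError("expected context tag 2")
    bits = decode_bitstring(buf, off, tag.length)
    if len(bits) != len(ACK_TRANSITIONS):
        raise ValueError("BACnetEventTransitionBits has exactly 3 bits")
    return dict(zip(ACK_TRANSITIONS, bits)), off + tag.length


def rejects(buf: bytes) -> bool:
    """True if the encoding is refused rather than read past the buffer end."""
    try:
        decode_application_value(buf)
    except ValueError:
        return True
    return False
```

The context-tag case is the one that bites in GetEventInformation-ACK: a context tag carries no type, so the decoder must know from the ASN.1 production that [2] is a BitString and [1] eventState is an Enumerated, and it must use the unused-bits octet to trim the trailing padding bits rather than reporting all eight.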