Re: [Wireshark-users] Exporting raw packet data?

2006-11-14 Thread Pete Fraser
At 04:59 AM 11/14/2006, Sake Block wrote:
>Based on your challenge, I wrote a little perl-script that I think
>would do the trick.
>
>The perl-script will take all udp-packets from a saved trace-file
>and will extract the udp-payload to a file. If you use (wire|t)shark
>to select only the UDP-stream that you want, I think it will produce
>exactly what you are looking for :)


Thanks very much for doing this. Unfortunately I'm also new to perl.
I downloaded ActivePerl 819, and tried executing your script from a
command window, but it failed at line 9.
I then downloaded Net-PcapUtils-0.01, NetPacket-0.04 and
NetPcap-0.14, unpacked them, and placed the folders in
C:\Perl\site\lib, but that didn't work.
Could somebody point me to a tutorial on how to install this stuff?


Pete


___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users


Re: [Wireshark-users] MySQL packets showing "unknown/invalid protocol"

2006-11-14 Thread Jaap Keuter
Hi,

From the source code:
* MySQL 4.1+ protocol

So it looks like the protocol changed.

Thanx,
Jaap

On Tue, 14 Nov 2006, Rachel McConnell wrote:

> Hi,
>
> I am using Wireshark to try to analyze some MySQL database traffic on a
> remote network behind a firewall.  I have used tcpdump to get a file
> which I then open in Wireshark for analysis.
>
> I'm using Wireshark 0.99.4 (downloaded and installed yesterday) and
> MySQL 5.0.24.
>
> In the request packets from the client, I can drill down to MySQL
> Protocol > Command and see, for example, "SELECT * FROM foo".  In the
> response packets, however, no data is displayed - I've pasted an example
> below.
>
> Is the MySQL protocol ... plugin, I guess ... unfinished?  Did MySQL
> change their API in version 5?  I haven't tried installing a 4.x version
> locally and sniffing that traffic.  Might I have used some tcpdump flag
> that's changing my data enough that Wireshark doesn't understand it?
>
> I have searched all the wireshark docs I can find, and googled
> unsuccessfully for "wireshark mysql" and variations.  Any ideas on this,
> or suggestions for further research are much appreciated.
>
> Thanks,
> Rachel
>
> response packet example:
> 
>
> MySQL Protocol
>Packet Length: 1
>Packet Number: 1
>Payload: unknown/invalid response
>
> MySQL Protocol
>Packet Length: 63
>Packet Number: 2
>Payload: unknown/invalid response
>
> MySQL Protocol
>Packet Length: 73
>Packet Number: 3
>Payload: unknown/invalid response
>
> MySQL Protocol
>Packet Length: 69
>Packet Number: 4
>Payload: unknown/invalid response
>
> ...
>
> MySQL Protocol
>Packet Length: 5
>Packet Number: 13
>EOF marker (254)
>Warnings: 0
>Server Status: 0x0002
>     ...0 = In transaction: Not set
>     ..1. = AUTO_COMMIT: Set
>     .0.. = More results: Not set
>     0... = Multi query - more resultsets: Not set
>    ...0  = Bad index used: Not set
>    ..0.  = No index used: Not set
>    .0..  = Cursor exists: Not set
>    0...  = Last row sebd: Not set
>   ...0   = database dropped: Not set
>   ..0.   = No backslash escapes: Not set
>
>
>


Re: [Wireshark-users] Interpreting a VoIP call

2006-11-14 Thread Jaap Keuter
Hi,

First back to the basics.
RTP is a real time transport protocol. This is just for transport of real
time data. How this real time transport is actually used depends on the
application.
The application in this case is a VoIP call, so speech data is sent. Then
again there are various ways this is done, mainly depending on the speech
codec used.
A typical PCM codec (G.711) generates 8000 samples per second, usually
packaged in 20 to 30ms RTP packets. The reason for this is a tradeoff
between packetizing delay (delay from first sample until the packet is
complete to send) vs. overhead (RTP packets don't come cheap bytecount
wise).
The PCM codec generates a constant sample stream, so a constant packet
flow. With two parties involved in the call this results in two flows.
Clever suppression techniques keep 'empty' packets from being
transmitted, but have to be accounted for at both ends.
The bursty nature of the packets you see is not normal; it contradicts the
real time nature of the protocol. It results in a deep jitter buffer and
long playout delay.

Thanx,
Jaap

On Tue, 14 Nov 2006, Razor Ramone wrote:

> Hello,
>
> for my school project, I decided to analyze a VoIP call using wireshark but
> there are some things that are not clear to me.
> below, I am always talking about RTP packets
>
> first of all, in a conversation, I expect that the initiator and the
> receiver take turns talking. Therefore, I expected to see that when the
> initiator is sending packets (talking), the receiver is listening (not
> sending packets), but that is not the case in my Wireshark captures.
> What I see is that the receiver generally sends packets continuously at a
> frequency of 1 packet every 20ms.
> On the other hand, the receiver is simultaneously sending packets in a
> different pattern. The receiver sends 4 to 5 packets almost instantly
> (0.0x ms between each packet), then it waits 80 to 100ms during which it
> receives 4 to 5 packets from the initiator, then it sends another burst of
> 4-5 packets.
>
> So my questions so far are
> -Why do initiator and receiver send packets simultaneously?
> -Why does the initiator send packets in different patterns? (20ms vs a burst of
> packets followed by a wait)
>
> The answer to my first question, I suspect, would be noise, or synthetic
> noise was introduced into the conversation on purpose (comfort noise) but I
> am not sure about this.
>
> My final question is:
> -If it is true that the reasons initiator and receiver send packets at the
> same time, why, then, are there times that they do not send packets at the
> same time? (in one conversation, the initiator is talking for an extensive
> period of time during which the receiver sends no packets)
>



Re: [Wireshark-users] Problem interpreting message

2006-11-14 Thread Jaap Keuter
Hi,

Sure looks like it.

Thanx,
Jaap

On Tue, 14 Nov 2006, William Grayson wrote:

> Dear Wireshark Team:
>
> I've attached a trace of a single test transaction from Shaws. This is
> one transaction out of a run of 1000 that they did. Please
> confirm/correct my interpretation of this trace.
>
> What I see is them taking 2 seconds to ACK the handshake, and then they
> send the transaction (line 33626). We turn the transaction around in
> about 70ms (33656). It then takes about 2 seconds to get their FIN/ACK
> (34150), resulting in an overall time of a little over 4 seconds to that
> point.  So from what I can see the time they see of 4+ sec is almost
> entirely network/Shaws delay. Do you see anything that indicates a
> possibility that we are introducing a delay?
>
> We are monitoring more than one port - so you grab the packet twice,
> once at the internal firewall interface, and once at the server.
>
> Will Grayson
> Senior Network Engineer
>
> inComm
> 250 Williams Street
> Suite M-100
> Atlanta, GA 30303
>
> Office # (678) 367-6462
> Cell #: (908) 477-4799
> Email: [EMAIL PROTECTED]
> Web: http://www.incomm.com



Re: [Wireshark-users] Tethereal ring capture file with 0 bytes

2006-11-14 Thread Jaap Keuter
Hi,

I think I remember trouble with ring buffers and such with the last few
versions of Ethereal/first few versions of Wireshark. I don't think this
is solved with the Debian stable version.

Thanx,
Jaap

On Tue, 14 Nov 2006, Tiago Gomes da Silva Mendo wrote:

> Hi
>
> i'm using tethereal with this command line:
>
> \_ supervise sonda-tethereal
>  1872 ?        SN     0:01  |   \_ /usr/bin/tethereal -n -q -w /var/sonda/caps/current/1163502308_cap -a filesize:51200 -b 0:600 -i eth0 ip proto \tcp and (host ip1 or host ip2 or host ip3 (etc) ) or arp
>
> the problem is that when there are no packets matching, the capture file is
> written with 0 bytes instead of the normal file with 24 bytes and zero packets.
>
> # dpkg -l tethereal* libpcap*
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name             Version           Description
> +++-================-=================-==================================================
> ii  tethereal        0.10.10-2sarge9   network traffic analyzer (console)
> un  libpcap-dev                        (no description available)
> un  libpcap-ruby                       (no description available)
> un  libpcap-ruby1.6                    (no description available)
> ii  libpcap-ruby1.8  0.6-5             libpcap interface for scripting language Ruby 1.8
> ii  libpcap0.7       0.7.2-7           System interface for user-level packet capture
> un  libpcap0.7-dev                     (no description available)
> ii  libpcap0.8       0.8.3-5           System interface for user-level packet capture
> pn  libpcap0.8-dev                     (no description available)
> #
>
> # uname -a
> Linux pulso-dc-041 2.6.10power-edge-2850-750 #1 SMP Fri Feb 25 10:36:50 WET 2005 i686 GNU/Linux
> #
>
> any ideas?
>
> Tiago Gomes da Silva Mendo
>
> e-mail: [EMAIL PROTECTED]
> PT Comunicações/DRI/RTS (Direcção de Risco Técnico e Segurança)
>
> Urbanização Tagus Park Lote 35 Torre 3 Piso 0
> 2784-549 Porto Salvo
> Tel: +351 21 501 9147



[Wireshark-users] MySQL packets showing "unknown/invalid protocol"

2006-11-14 Thread Rachel McConnell
Hi,

I am using Wireshark to try to analyze some MySQL database traffic on a
remote network behind a firewall.  I have used tcpdump to get a file
which I then open in Wireshark for analysis.

I'm using Wireshark 0.99.4 (downloaded and installed yesterday) and
MySQL 5.0.24.

In the request packets from the client, I can drill down to MySQL
Protocol > Command and see, for example, "SELECT * FROM foo".  In the
response packets, however, no data is displayed - I've pasted an example
below.

Is the MySQL protocol ... plugin, I guess ... unfinished?  Did MySQL
change their API in version 5?  I haven't tried installing a 4.x version
locally and sniffing that traffic.  Might I have used some tcpdump flag
that's changing my data enough that Wireshark doesn't understand it?

I have searched all the wireshark docs I can find, and googled
unsuccessfully for "wireshark mysql" and variations.  Any ideas on this,
or suggestions for further research are much appreciated.

Thanks,
Rachel

response packet example:


MySQL Protocol
   Packet Length: 1
   Packet Number: 1
   Payload: unknown/invalid response

MySQL Protocol
   Packet Length: 63
   Packet Number: 2
   Payload: unknown/invalid response

MySQL Protocol
   Packet Length: 73
   Packet Number: 3
   Payload: unknown/invalid response

MySQL Protocol
   Packet Length: 69
   Packet Number: 4
   Payload: unknown/invalid response

...

MySQL Protocol
   Packet Length: 5
   Packet Number: 13
   EOF marker (254)
   Warnings: 0
   Server Status: 0x0002
    ...0 = In transaction: Not set
    ..1. = AUTO_COMMIT: Set
    .0.. = More results: Not set
    0... = Multi query - more resultsets: Not set
   ...0  = Bad index used: Not set
   ..0.  = No index used: Not set
   .0..  = Cursor exists: Not set
   0...  = Last row sebd: Not set
  ...0   = database dropped: Not set
  ..0.   = No backslash escapes: Not set
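
What the dissector labels "unknown/invalid response" is ordinary 4.1+ result-set traffic: a one-byte column count, the column definitions, the rows, and EOF packets, all carried in the same 4-byte framing (Wireshark's "Packet Length" and "Packet Number"). As an added example written for this page (not code from Wireshark or MySQL), the following splits a server-to-client byte stream into MySQL packets, walks the result-set state machine to name each packet, and decodes the EOF packets into their warning count and status flags, using the flag labels in the order Wireshark 0.99.4 prints them above. The byte stream is constructed inline to mimic the packet lengths and the 0x0002 status in the post; `SAMPLE_RESPONSE`, `EOF_AUTOCOMMIT` and the function names are mine, and the zero padding inside the constructed packets is filler, not real column metadata.

```python
"""Added example: MySQL 4.1+ packet framing, result-set state machine, EOF decode."""
import struct

# Server status flag labels as Wireshark 0.99.4 printed them in the post, bit 0 upward.
SERVER_STATUS_FLAGS = [
    (0x0001, "In transaction"),
    (0x0002, "AUTO_COMMIT"),
    (0x0004, "More results"),
    (0x0008, "Multi query - more resultsets"),
    (0x0010, "Bad index used"),
    (0x0020, "No index used"),
    (0x0040, "Cursor exists"),
    (0x0080, "Last row sent"),
    (0x0100, "database dropped"),
    (0x0200, "No backslash escapes"),
]


def split_mysql_packets(stream: bytes):
    """Yield (sequence_number, payload) for each packet in one direction of the stream.

    Every packet starts with a 4-byte header: 3-byte little-endian payload length,
    then a 1-byte sequence number (Wireshark's 'Packet Length' / 'Packet Number').
    """
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        seq = stream[off + 3]
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            raise ValueError(f"packet #{seq}: header says {length} bytes, {len(payload)} present")
        yield seq, payload
        off += 4 + length


def decode_eof_packet(payload: bytes) -> dict:
    """4.1+ EOF packet: 0xFE marker, uint16 LE warning count, uint16 LE server status."""
    if len(payload) != 5 or payload[0] != 0xFE:
        raise ValueError("not a 4.1+ EOF packet")
    warnings, status = struct.unpack("<HH", payload[1:5])
    return {
        "warnings": warnings,
        "status": status,
        "flags": {name: bool(status & mask) for mask, name in SERVER_STATUS_FLAGS},
    }


def classify_response(stream: bytes) -> list:
    """Label each server->client packet of one query response as (seq, length, kind).

    The first byte alone is ambiguous (a row can start with 0x00 too), so this walks
    the text-protocol state machine: header -> column definitions -> EOF -> rows -> EOF.
    """
    phase, out = "start", []
    for seq, payload in split_mysql_packets(stream):
        first = payload[0]
        if phase == "start":
            if first == 0x00:
                kind, phase = "OK", "done"
            elif first == 0xFF:
                kind, phase = "ERR", "done"
            else:                                   # 1-byte length-encoded int (< 251 columns)
                kind, phase = f"result set header: {first} column(s)", "columns"
        elif first == 0xFE and len(payload) < 9:
            eof = decode_eof_packet(payload)
            on = ", ".join(n for n, s in eof["flags"].items() if s) or "none"
            kind = f"EOF after {phase} (warnings={eof['warnings']}, status=0x{eof['status']:04x}: {on})"
            phase = "rows" if phase == "columns" else "done"
        elif phase == "columns":
            kind = "column definition"
        elif phase == "rows":
            kind = "row"
        else:
            kind = "unexpected packet after end of response"
        out.append((seq, len(payload), kind))
    return out


def _packet(seq: int, payload: bytes) -> bytes:
    """Constructed helper: frame a payload with the 4-byte header."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed response in the shape of Rachel's capture: a 1-byte column count,
# column definitions and a row of the lengths she saw, and EOFs with status 0x0002.
EOF_AUTOCOMMIT = b"\xfe\x00\x00\x02\x00"         # warnings=0, status=0x0002 (AUTO_COMMIT set)
SAMPLE_RESPONSE = (
    _packet(1, b"\x02")                          # result set header: 2 columns
    + _packet(2, b"\x03def" + b"\x00" * 59)      # column definition, 63 bytes (padding constructed)
    + _packet(3, b"\x03def" + b"\x00" * 69)      # column definition, 73 bytes
    + _packet(4, EOF_AUTOCOMMIT)                 # EOF closing the column definitions
    + _packet(5, b"\x05hello" + b"\x00" * 63)    # one row, 69 bytes
    + _packet(6, EOF_AUTOCOMMIT)                 # EOF closing the rows
)
```

Run `classify_response(SAMPLE_RESPONSE)` and the packets the dissector called unknown come back as the column count, two column definitions, an EOF, a row and the final EOF, with the last two EOFs decoding to warnings 0 and only the AUTO_COMMIT flag set, exactly the bit layout shown at the bottom of the post.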





Re: [Wireshark-users] Howto: Wireshark from the command line

2006-11-14 Thread norman
Thanks for your reply.

Mike Savory <[EMAIL PROTECTED]> wrote:

> Hi Norman
>
> Read
>    man tshark
> and
>    man tcpdump
>
> -a
>     Specify a criterion that specifies when TShark is to stop writing
>     to a capture file.  The criterion is of the form test:value, where
>     test is one of:
>
>     duration:value Stop writing to a capture file after value seconds
>     have elapsed.
>
> -w outfile|-
>     Write raw packet data to outfile or to the standard output if outfile
>     is '-'.
>
>     NOTE: -w provides raw packet data, not text. If you want text output
>     you need to redirect stdout (e.g. using '>'), don't use the -w
>     option for this.
>
> host host
>     True if either the IPv4/v6 source or destination of the packet is host.
>
> So try
>
> tshark -a duration:5 -w packet.pcap host 192.168.1.5
>
> Regards
>
> Mike
>
> On Nov 14, 2006, at 1:51 AM, norman wrote:
>
>> Hello,
>> I have setup wireshark on my local network and wanted to examine
>> all the traffic that was going out from the gateway or a specific
>> IP (not the local machine) for a short period of time and output
>> this in a file.
>>
>> How do you use it from the command line to get this?
>>
>> When I run
>>
>> #tshark -w capture.txt
>>
>> works, but how do I pass the time to run for, and specify the
>> actual IP to look at, or even protocol
>>
>> Many thanks
>>
>> Norman


Re: [Wireshark-users] Exporting raw packet data?

2006-11-14 Thread Small, James
Pretty cool Sake.

I don't have any UDP streams to coalesce at the moment, but just looking
at your perl script gave me some ideas.

Thanks,
  --Jim

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:wireshark-users-
> [EMAIL PROTECTED] On Behalf Of Sake Blok
> Sent: Tuesday, November 14, 2006 7:59 AM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Exporting raw packet data?
> 
> On Mon, Nov 13, 2006 at 09:02:41PM -1100, Hans Nilsson wrote:
> > You could try saving it as a pcap-file and stripping out the
> > headers. Or exporting only the packet bytes as plain-text and using
> > sed, awk or any other tool to extract the right data.
> 
> Based on your challenge, I wrote a little perl-script that I think
> would do the trick.
> 
> The perl-script will take all udp-packets from a saved trace-file
> and will extract the udp-payload to a file. If you use (wire|t)shark
> to select only the UDP-stream that you want, I think it will produce
> exactly what you are looking for :)
> 
> Cheers,
> 
> 
> Sake


Re: [Wireshark-users] Howto: Wireshark from the command line

2006-11-14 Thread Mike Savory
Hi Norman

Read
   man tshark
and
   man tcpdump

-a
    Specify a criterion that specifies when TShark is to stop writing
    to a capture file.  The criterion is of the form test:value, where
    test is one of:

    duration:value Stop writing to a capture file after value seconds
    have elapsed.

-w outfile|-
    Write raw packet data to outfile or to the standard output if outfile
    is '-'.

    NOTE: -w provides raw packet data, not text. If you want text output
    you need to redirect stdout (e.g. using '>'), don't use the -w
    option for this.

host host
    True if either the IPv4/v6 source or destination of the packet is host.

So try

tshark -a duration:5 -w packet.pcap host 192.168.1.5



Regards

Mike


On Nov 14, 2006, at 1:51 AM, norman wrote:

> Hello,
> I have setup wireshark on my local network and wanted to examine  
> all the traffic that was going out from the gateway or a specific  
> IP (not the local machine) for a short period of time and output  
> this in a file.
>
> How do you use it from the command line to get this?
>
> When I run
>
> #tshark -w capture.txt
>
> works, but how do I pass the time to run for, and specify the  
> actual IP to look at, or even protocol
>
> Many thanks
>
> Norman


[Wireshark-users] Interpreting a VoIP call

2006-11-14 Thread Razor Ramone
Hello,

for my school project, I decided to analyze a VoIP call using wireshark but
there are some things that are not clear to me.
below, I am always talking about RTP packets

first of all, in a conversation, I expect that the initiator and the
receiver take turns talking. Therefore, I expected to see that when the
initiator is sending packets (talking), the receiver is listening (not
sending packets), but that is not the case in my Wireshark captures.
What I see is that the receiver generally sends packets continuously at a
frequency of 1 packet every 20ms.

On the other hand, the receiver is simultaneously sending packets in a
different pattern. The receiver sends 4 to 5 packets almost instantly
(0.0x ms between each packet), then it waits 80 to 100ms during which it
receives 4 to 5 packets from the initiator, then it sends another burst of
4-5 packets.

So my questions so far are
-Why do initiator and receiver send packets simultaneously?
-Why does the initiator send packets in different patterns? (20ms vs a burst of
packets followed by a wait)

The answer to my first question, I suspect, would be noise, or synthetic
noise was introduced into the conversation on purpose (comfort noise) but I
am not sure about this.

My final question is:
-If it is true that the reasons initiator and receiver send packets at the
same time, why, then, are there times that they do not send packets at the
same time? (in one conversation, the initiator is talking for an extensive
period of time during which the receiver sends no packets)



Re: [Wireshark-users] Interpreting a VoIP call

2006-11-14 Thread LEGO
On 11/14/06, Razor Ramone <[EMAIL PROTECTED]> wrote:
> Hello,
>
> for my school project, I decided to analyze a VoIP call using wireshark but
> there are some things that are not clear to me.
> below, I am always talking about RTP packets
>
> first of all, in a conversation, I expect that the initiator and the
> receiver take turns talking. Therefore, I expected to see that when the
> initiator is sending packets (talking), the receiver is listening (not
> sending packets), but that is not the case in my Wireshark captures.
> What I see is that the receiver generally sends packets continuously at a
> frequency of 1 packet every 20ms.
>
> On the other hand, the receiver is simultaneously sending packets in a
> different pattern. The receiver sends 4 to 5 packets almost instantly
> (0.0x ms between each packet), then it waits 80 to 100ms during which it
> receives 4 to 5 packets from the initiator, then it sends another burst of
> 4-5 packets.
>
> So my questions so far are
> -Why do initiator and receiver send packets simultaneously?
may full-duplex be the answer?

> -Why does the initiator send packets in different patterns? (20ms vs a burst of
> packets followed by a wait)
Buffering problems, network congestion, transport problems, etc...
that should be seen on a case-by-case basis.

>
> The answer to my first question, I suspect, would be noise, or synthetic
> noise was introduced into the conversation on purpose (comfort noise) but I
> am not sure about this.
That can be.
>
> My final question is:
> -If it is true that the reasons initiator and receiver send packets at the
> same time, why, then, are there times that they do not send packets at the
> same time? (in one conversation, the initiator is talking for an extensive
> period of time during which the receiver sends no packets)
may silence-suppression be the answer?



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan


[Wireshark-users] Problem interpreting message

2006-11-14 Thread William Grayson
Dear Wireshark Team:

I've attached a trace of a single test transaction from Shaws. This is
one transaction out of a run of 1000 that they did. Please confirm/correct
my interpretation of this trace.

What I see is them taking 2 seconds to ACK the handshake, and then they
send the transaction (line 33626). We turn the transaction around in about
70ms (33656). It then takes about 2 seconds to get their FIN/ACK (34150),
resulting in an overall time of a little over 4 seconds to that point. So
from what I can see the time they see of 4+ sec is almost entirely
network/Shaws delay. Do you see anything that indicates a possibility that
we are introducing a delay?

We are monitoring more than one port - so you grab the packet twice, once
at the internal firewall interface, and once at the server.

Will Grayson
Senior Network Engineer

inComm
250 Williams Street
Suite M-100
Atlanta, GA 30303

Office # (678) 367-6462
Cell #: (908) 477-4799
Email: [EMAIL PROTECTED]
Web: http://www.incomm.com

ShawsSampleTrans.pcap
Description: ShawsSampleTrans.pcap


[Wireshark-users] Tethereal ring capture file with 0 bytes

2006-11-14 Thread Tiago Gomes da Silva Mendo
Hi

i'm using tethereal with this command line:

\_ supervise sonda-tethereal
 1872 ?        SN     0:01  |   \_ /usr/bin/tethereal -n -q -w /var/sonda/caps/current/1163502308_cap -a filesize:51200 -b 0:600 -i eth0 ip proto \tcp and (host ip1 or host ip2 or host ip3 (etc) ) or arp

the problem is that when there are no packets matching, the capture file is
written with 0 bytes instead of the normal file with 24 bytes and zero packets.

# dpkg -l tethereal* libpcap*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name             Version           Description
+++-================-=================-==================================================
ii  tethereal        0.10.10-2sarge9   network traffic analyzer (console)
un  libpcap-dev                        (no description available)
un  libpcap-ruby                       (no description available)
un  libpcap-ruby1.6                    (no description available)
ii  libpcap-ruby1.8  0.6-5             libpcap interface for scripting language Ruby 1.8
ii  libpcap0.7       0.7.2-7           System interface for user-level packet capture
un  libpcap0.7-dev                     (no description available)
ii  libpcap0.8       0.8.3-5           System interface for user-level packet capture
pn  libpcap0.8-dev                     (no description available)
#

# uname -a
Linux pulso-dc-041 2.6.10power-edge-2850-750 #1 SMP Fri Feb 25 10:36:50 WET 2005 i686 GNU/Linux
#

any ideas?

Tiago Gomes da Silva Mendo

e-mail: [EMAIL PROTECTED]
PT Comunicações/DRI/RTS (Direcção de Risco Técnico e Segurança)

Urbanização Tagus Park Lote 35 Torre 3 Piso 0
2784-549 Porto Salvo
Tel: +351 21 501 9147
 


Re: [Wireshark-users] Exporting raw packet data?

2006-11-14 Thread Sake Blok
On Mon, Nov 13, 2006 at 09:02:41PM -1100, Hans Nilsson wrote:
> You could try saving it as a pcap-file and stripping out the headers. Or
> exporting only the packet bytes as plain-text and using sed, awk or any
> other tool to extract the right data.

Based on your challenge, I wrote a little perl-script that I think 
would do the trick.

The perl-script will take all udp-packets from a saved trace-file 
and will extract the udp-payload to a file. If you use (wire|t)shark 
to select only the UDP-stream that you want, I think it will produce 
exactly what you are looking for :)

Cheers,


Sake


extract-udp-payload.pl
Description: Perl program
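
Sake's script is an attachment that the archive does not carry, so here is an added example written for this page (not Sake's script, and not Wireshark project code) that does the same job in Python: walk a classic libpcap file, pick out the Ethernet/IPv4/UDP packets and write their payloads out back to back, in capture order, so that a (wire|t)shark filter that isolates one UDP stream leaves only that stream's bytes. The same reader also answers the question from the "Tethereal ring capture file with 0 bytes" thread on this page: a valid but empty capture is exactly the 24-byte global header, so `pcap_status()` tells a quiet capture apart from a file that was never written, instead of silently reporting "no packets" for both. Only Ethernet link type and IPv4 are handled; the sample captures `SAMPLE_PCAP` and `EMPTY_PCAP` are constructed inline, and all the names are mine.

```python
"""Added example: pull UDP payloads out of a classic libpcap file and tell an
empty-but-valid capture apart from a broken one."""
import struct

PCAP_GLOBAL_HEADER_LEN = 24   # a valid capture with zero packets is exactly this long
PCAP_RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1


def read_pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic pcap file.

    Raises ValueError for anything shorter than the 24-byte global header (the
    0-byte ring-buffer files from the tethereal thread), for an unknown magic
    number, and for a record cut off mid-frame.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError(f"{len(data)} bytes: shorter than the pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                          # little-endian writer (x86 tethereal/Wireshark)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError(f"unknown pcap magic {magic.hex()}")
    _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not handled by this example")
    off = PCAP_GLOBAL_HEADER_LEN
    while off + PCAP_RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += PCAP_RECORD_HEADER_LEN
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError(f"record at offset {off - PCAP_RECORD_HEADER_LEN} truncated")
        off += incl_len
        yield ts_sec, ts_usec, frame


def udp_payload(frame: bytes):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                       # IPv4, protocol 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]                                  # drops any Ethernet padding
    if len(udp) < 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return sport, dport, udp[8:ulen]


def extract_udp_payloads(data: bytes) -> bytes:
    """Concatenate the payload of every UDP packet in the capture, in file order."""
    out = bytearray()
    for _sec, _usec, frame in read_pcap_records(data):
        parsed = udp_payload(frame)
        if parsed is not None:
            out += parsed[2]
    return bytes(out)


def pcap_status(data: bytes) -> str:
    """'valid, empty' for a bare 24-byte header, 'valid, N packets', or 'invalid: <why>'."""
    try:
        count = sum(1 for _ in read_pcap_records(data))
    except ValueError as exc:
        return f"invalid: {exc}"
    return "valid, empty" if count == 0 else f"valid, {count} packets"


# --- constructed sample data (not from the thread) ---------------------------
def _frame(proto: int, l4: bytes) -> bytes:
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + l4


def _udp(payload: bytes, sport: int = 5004, dport: int = 5004) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _pcap(frames) -> bytes:
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1163502308, i * 20000, len(frame), len(frame)) + frame
    return bytes(out)


EMPTY_PCAP = _pcap([])                                  # what a quiet ring-buffer slot should hold
SAMPLE_PCAP = _pcap([
    _frame(17, _udp(b"hello")),
    _frame(6, b"\x00" * 20),                            # a TCP segment: skipped
    _frame(17, _udp(b" world")),
])
```

To use it on a real file, read the capture into memory and write `extract_udp_payloads(data)` to an output file opened in binary mode; `pcap_status(data)` on each slot of a ring buffer separates the "24 bytes, zero packets" case Tiago expected from the 0-byte files he got.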


[Wireshark-users] Howto: Wireshark from the command line

2006-11-14 Thread norman
Hello,

I have setup wireshark on my local network and wanted to examine all the
traffic that was going out from the gateway or a specific IP (not the local
machine) for a short period of time and output this in a file.

How do you use it from the command line to get this?

When I run

#tshark -w capture.txt

works, but how do I pass the time to run for, and specify the actual IP to
look at, or even protocol

Many thanks

Norman


Re: [Wireshark-users] Exporting raw packet data?

2006-11-14 Thread Hans Nilsson
You could try saving it as a pcap-file and stripping out the headers. Or
exporting only the packet bytes as plain-text and using sed, awk or any
other tool to extract the right data.


On Mon, 13 Nov 2006 17:52:21 -0800, "Pete Fraser" <[EMAIL PROTECTED]>
said:
> I'm new to Wireshark, so sorry if this is a dumb question.
> 
> I want to export packet data in raw format, so that I end up with a 
> binary file.
> 
> If the packets are TCP I can use Analyze->Follow TCP Stream then Save As
> Raw.
> For any type of packet, I can select packet data in the bottom pane 
> and do File->Export->Selected Packet Bytes.
> 
> What I want to do, but can't work out how, is to export a lot of 
> packet data as a raw binary file.
> I develop the appropriate filter so that only the packets of interest 
> are visible, then do File->Export->File..., select "All packets", 
> "Displayed", and "Packet Bytes" for the only Packet Format. I would 
> hope that I can then save as raw, but I only find ASCII, PS, XML, 
> etc. What am I doing wrong?
> 
> Thanks in advance.
> 
> 
-- 
  Hans Nilsson
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Same, same, but different…
