Re: [Wireshark-users] STOP !!
Yannis,

I get the STOP systematically, with no other info. You are right in saying that it does not affect functionality; it is just that I don't like it when it does not do what it is supposed to do.

BTW: I'm running Wireshark under Win XP.

Patrick Derwael
WEB And Co sprl
http://www.webandco.be/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Chancellor
Sent: Monday 26 February 2007 8:51
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] STOP !!

I have exactly the same outputs in 2 different machines. The STOP popup sometimes says that it couldn't get the interfaces list. Anyway I think that this thing doesn't affect the functionality of the program.

Yannis Liaskos

From: Web and Co sprl - Patrick DERWAEL [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED], Community support list for Wireshark wireshark-users@wireshark.org
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] STOP !!
Date: Sun, 25 Feb 2007 18:13:40 +0100

Hi list,

I have just upgraded from 0.99.4 to 0.99.5 and the Shark starts misbehaving. Wireshark starts OK; I then click on the button labeled "List the available capture interfaces" on the toolbar, then I select the I/F I want to sniff from and click on Options. I get 2 popups: the one I call STOP (see here: http://www.webandco.be/treeicons/icons/wireshark_stop.jpg), and the usual Wireshark capture options. I have to click OK on the STOP before I can go any further in the options. Apart from this trick, everything appears to function OK.

Alternatively, if I click directly on "Show the capture options" from the toolbar, I do not get the STOP.

Any idea where I should start looking???

Cheers
Patrick Derwael
WEB And Co sprl
http://www.webandco.be/
Re: [Wireshark-users] Diameter unknown AVPs
Hi Anders,

Did you receive the sample file? Is the Volume-Quota-Threshold AVP recognized in your case?

Regards,
Frederiek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Broman (AL/EAB)
Sent: Friday 23 February 2007 16:42
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Diameter unknown AVPs

Hi,

That should suffice; can you send me a small sample file?

Best regards
Anders

From: [EMAIL PROTECTED] on behalf of Frederiek Debruyne
Sent: Fri 2007-02-23 16:27
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Diameter unknown AVPs

Hi,

The "Attempt to load/use Diameter XML Dictionary" checkbox, in the preferences for Diameter, is checked. The Diameter XML dictionary is set to C:\Program Files\Wireshark\diameter/dictionary.xml.

The Volume-Quota-Threshold AVP (code 869) is not recognized. This AVP is not defined by IETF RFC 3588, but by a 3GPP specification. I am not that familiar with XML, though I noticed the occurrence of the following lines in the file chargecontrol.xml:

    <avp name="Volume-Quota-Threshold" code="869" mandatory="must" may-encrypt="no" protected="may" vendor-bit="must" vendor-id="TGPP">
        <type type-name="Unsigned32"/>
    </avp>

I'm not sure whether this should be sufficient. It does not seem to be, since the AVP is still not recognized.

Regards,
Frederiek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Broman (AL/EAB)
Sent: Friday 23 February 2007 16:04
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Diameter unknown AVPs

Hi,

AVPs can be dissected either by the data in the file packet-diameter-defs.h or by the Diameter XML files, if those preferences are set. See the wiki page for details. The XML library is more up to date than the file. What AVPs are not recognised?

Best regards
Anders

From: [EMAIL PROTECTED] on behalf of Frederiek Debruyne
Sent: Fri 2007-02-23 15:33
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Diameter unknown AVPs

Hi,

I frequently use Wireshark to analyze Diameter protocol traffic. I notice that not all AVPs are recognized. That is, the packet details frame contains a line with "Unknown AVP" in that case. What must be done to make Wireshark recognize these AVPs? I am using the latest Wireshark version, i.e. version 0.99.5.

Regards,
Frederiek
Re: [Wireshark-users] Diameter unknown AVPs
Hi,

Yes, I got the file. I'm quite busy but am hoping to be able to look at it today.

Best regards
Anders
Re: [Wireshark-users] Gr Interface
Florent,

Are you by any chance capturing SS7 directly using Wireshark? If so, what hardware (SS7 card) are you using, OS, etc.?

Thanks
Joe

Kind Regards
Joseph Cortes
Wireless Department, Gibtelecom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 23 February 2007 13:04
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Gr Interface

Joseph,

You could add your utility in the tools section of the Wireshark wiki: http://wiki.wireshark.org/Tools

The datalink value for MTP2 is 140, so as the datalink already exists, you do not need to use a User datalink. The values of the datalinks are stored in wiretap/libpcap.c, or in the libpcap sources.

Regards
Florent

From: Cortes, Joseph [EMAIL PROTECTED]
To: Community support list for Wireshark wireshark-users@wireshark.org
Sent: 23/02/2007 12:11
Subject: Re: [Wireshark-users] Gr Interface

Florent,

I already realised that. I have actually written a small utility to overcome this, i.e. to convert from hex text to Wireshark pcap in one go. Where can I post this for other users with this problem?

One small question: why did you specify -l 140? Does this indicate MTP2? I am using -l 147 and then setting the payload to MTP2 under one of the DLT user settings for 147.

Joe

Kind Regards
Joseph Cortes
Wireless Department, Gibtelecom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 22 February 2007 17:14
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Gr Interface

Hello,

You have to modify your test file to add an ASCII dump at each end of line, and to remove the lines containing a description (see the attached text file). Then you will have to convert the file with:

    text2pcap -l 140 hex2.txt hex2.cap

The link layer for the Gr interface is MTP2.

(See attached file: hex2.txt)(See attached file: hex2.cap)

Regards
Florent

From: Cortes, Joseph [EMAIL PROTECTED]
To: wireshark-users@wireshark.org, wireshark-dev@wireshark.org
Sent: 22/02/2007 12:33
Subject: [Wireshark-users] Gr Interface

Hi,
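An added example, not the utility Joseph mentions and not text2pcap itself: a small Python converter from a text hex dump in the form text2pcap reads to a pcap file whose link type is 140 (DLT_MTP2), the step the thread describes, so Wireshark dissects the frames as MTP2 without a DLT_USER mapping. The hex dump is constructed sample data, and the parsing rules (offset token, two-hex-digit bytes, optional ASCII column, description lines skipped) are my own simplification of text2pcap's.

```python
import struct

DLT_MTP2 = 140   # value Florent refers to, from wiretap/libpcap.c / libpcap
DLT_USER0 = 147  # first user-assignable DLT, the one Joseph mapped by hand

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, native byte order


def parse_hex_dump(text):
    """Return a list of packets (bytes), one per hex-dump block.

    A block is a run of lines starting with a hex offset; an offset of 0
    starts a new packet. Lines whose first token is not a hex number are
    description lines and are skipped (Florent's advice was to delete them).
    Tokens after the offset are read as bytes until the first token that is
    not two hex digits, which is taken as the start of the ASCII column.
    (Like text2pcap, this is ambiguous if the ASCII column itself starts
    with two hex-looking characters.)
    """
    packets, current = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            offset = int(parts[0], 16)
        except ValueError:
            continue  # description line
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in parts[1:]:
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                current.append(int(tok, 16))
            else:
                break  # ASCII column begins here
    if current:
        packets.append(bytes(current))
    return packets


def write_pcap(packets, linktype=DLT_MTP2, ts_sec=0):
    """Return the bytes of a pcap file: global header plus one record per packet."""
    # magic, major, minor, thiszone, sigfigs, snaplen, network (link type)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # ts_sec, ts_usec, incl_len, orig_len; one second apart so the
        # packet list in Wireshark stays readable
        out += struct.pack("<IIII", ts_sec + i, 0, len(pkt), len(pkt)) + pkt
    return out


def pcap_linktype(data):
    """Read the link type back out of a pcap global header (sanity check)."""
    return struct.unpack("<IHHiIII", data[:24])[6]


# Constructed sample dump (not real Gr traffic): two frames, a description
# line, and an ASCII column at the end of each hex line.
SAMPLE_DUMP = """\
MSU captured from the Gr link (description line, ignored)
0000  81 80 0a 85 00 03 00 83 00 09 03 05 14 09 07  ...............
000f  00 00 00 00 00 00 00 00                         ........
0000  81 80 0a 85 00 03 00 83 00                      .........
"""

if __name__ == "__main__":
    frames = parse_hex_dump(SAMPLE_DUMP)
    with open("hex2.cap", "wb") as fh:
        fh.write(write_pcap(frames))
    print(f"wrote {len(frames)} MTP2 frames to hex2.cap")
```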
[Wireshark-users] Sniffing across 2 network types
I have a wireless router that serves all the traffic to my house. Connected to one of the Ethernet ports on the router is a Linux box. Is it possible to sniff the traffic on the network (wireless clients) using this wired box?

I'm assuming ARP poisoning is out of the question, as the wireless clients need to talk to the router before they can talk to the wired box. The only other option I can think of is to add an AP to an additional interface on the wired box and have the wired box act as a gateway.

Cheers
Re: [Wireshark-users] how to filter a port?
David Drexler wrote:

It's either to or from 'http'. I also tried tcp.port != 80, same results. I want to run the capture realtime and only see the traffic that interests me.

Your display filter falls under the "A common mistake" case; try !(tcp.port == 80) instead, which is not the same.

HTTP can be transported over various TCP ports, not only port 80.

See:
http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol?action=show&redirect=HTTP for protocol info
http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html for capture filters and
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html for display filters

Regards, ULFL
Re: [Wireshark-users] how to filter a port?
David Drexler wrote:

It's either to or from 'http'. I also tried tcp.port != 80, same results. I want to run the capture realtime and only see the traffic that interests me.

Then you'll need to find out what ports the traffic is going to or coming from; capture filters only work at that level.

The Wireshark HTTP dissector checks for traffic to or from the following ports: 80, 1900, 3128, 3132, 8080, 8088, 11371

If you filter all of them out, with, for example:

    not port 80 and not port 1900 and not port 3128 and ...

that should exclude traffic that Wireshark classifies as HTTP.
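An added example, not from either reply, that makes both points concrete: why a display filter comparison against a multi-valued field made tcp.port != 80 match almost every packet in Wireshark of that era (Wireshark 4.0 later changed != to mean "all not equal"), and how to build the capture filter Guy describes from the dissector's port list. The packet model and the function names are my own assumptions.

```python
from dataclasses import dataclass

# Ports the HTTP dissector checks, as listed in Guy's reply.
HTTP_PORTS = (80, 1900, 3128, 3132, 8080, 8088, 11371)


@dataclass(frozen=True)
class TcpPacket:
    """Constructed stand-in for a captured TCP packet (assumed model)."""
    src_port: int
    dst_port: int

    def port_values(self):
        # "tcp.port" is a multi-valued field: one packet carries two of them.
        return (self.src_port, self.dst_port)


def matches_port_ne(pkt, port):
    """Display-filter semantics of 'tcp.port != PORT' at the time.

    A comparison is true if ANY occurrence of the field satisfies it, so this
    is true whenever at least one end is not PORT, which is nearly every
    packet, including HTTP ones. That is the "common mistake".
    """
    return any(v != port for v in pkt.port_values())


def matches_not_port_eq(pkt, port):
    """Display-filter semantics of '!(tcp.port == PORT)': no occurrence equals PORT."""
    return not any(v == port for v in pkt.port_values())


def capture_filter_excluding(ports):
    """BPF capture filter that drops every listed port, as source or destination."""
    return " and ".join(f"not port {p}" for p in ports)


def capture_filter_matches(pkt, ports):
    """Evaluate that capture filter: the packet is kept only if neither end is listed."""
    return not any(v in ports for v in pkt.port_values())


if __name__ == "__main__":
    web = TcpPacket(src_port=51234, dst_port=80)   # constructed: HTTP on port 80
    ssh = TcpPacket(src_port=51235, dst_port=22)   # constructed: not HTTP
    for pkt in (web, ssh):
        print(pkt, "tcp.port != 80:", matches_port_ne(pkt, 80),
              "!(tcp.port == 80):", matches_not_port_eq(pkt, 80))
    print(capture_filter_excluding(HTTP_PORTS))
```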
Re: [Wireshark-users] Gr Interface
Hi,

You can find some information on SS7 capture here: http://wiki.wireshark.org/CaptureSetup/SS7

Best regards
Anders
Re: [Wireshark-users] Diameter unknown AVPs
Hi,

The problem is that Wireshark expects this to be a vendor AVP but it's sent as a normal one. I think this was changed in more recent versions of the 3GPP docs to be vendor-specific AVPs. The simplest solution for you is to edit the XML file and remove vendor-id="TGPP" from the relevant AVPs.

Best regards
Anders
Re: [Wireshark-users] Jitter wrong in wireshark?
Hi Anders,

since this too is a recurring question, perhaps you (or someone else) could add it to the Wiki, just under what I added last week: http://wiki.wireshark.org/RTP_statistics (bottom). (I'm sorry, I don't have the time right now.)

br,
Lars

Anders Broman wrote:

Hi,

Looking at the sources, there is code there to use different frequencies, but for dynamic payload types there are two prerequisites that must be met:

- The setup signalling must be in the traces for Wireshark to track the PT to the media type.
- The media type sampling frequency must be in the table of rtp_analysis.c.

These types are currently specified:

    static const mimetype_and_clock mimetype_and_clock_map[] = {
        {"AMR",        8000},  /* [RFC3267] */
        {"AMR-WB",     16000}, /* [RFC3267] */
        {"EVRC",       8000},  /* [RFC3558] */
        {"EVRC0",      8000},  /* [RFC3558] */
        {"G7221",      16000}, /* [RFC3047] */
        {"G726-16",    8000},  /* [RFC3551] */
        {"G726-24",    8000},  /* [RFC3551] */
        {"G726-32",    8000},  /* [RFC3551] */
        {"G726-40",    8000},  /* [RFC3551] */
        {"G729D",      8000},  /* [RFC3551] */
        {"G729E",      8000},  /* [RFC3551] */
        {"GSM-EFR",    8000},  /* [RFC3551] */
        {"mpa-robust", 90000}, /* [RFC3119] */
        {"SMV",        8000},  /* [RFC3558] */
        {"SMV0",       8000},  /* [RFC3558] */
        {"red",        1000},  /* [RFC4102] */
        {"t140",       1000},  /* [RFC4103] */
        {"BMPEG",      90000}, /* [RFC2343],[RFC3555] */
        {"BT656",      90000}, /* [RFC2431],[RFC3555] */
        {"DV",         90000}, /* [RFC3189] */
        {"H263-1998",  90000}, /* [RFC2429],[RFC3555] */
        {"H263-2000",  90000}, /* [RFC2429],[RFC3555] */
        {"MP1S",       90000}, /* [RFC2250],[RFC3555] */
        {"MP2P",       90000}, /* [RFC2250],[RFC3555] */
        {"MP4V-ES",    90000}, /* [RFC3016] */
        {"pointer",    90000}, /* [RFC2862] */
        {"raw",        90000}, /* [RFC4175] */
    };

Best regards
Anders

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 24 February 2007 17:45
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi Anders,

Yes, you are right. Codecs affect the jitter calculation because of the sampling frequency. In practice, it matters when converting the timestamp to seconds, i.e. when multiplying timestamp ticks to convert to seconds one must use the sampling frequency of the current codec. As Wireshark always uses 0.000125 (it looks like this is not configurable), if the codec is not G711 the calculations will be wrong. And that's my case :(

BR
Juan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Anders Broman
Sent: Saturday, 24 February 2007 04:50 a.m.
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi,

If I understood the previous discussion correctly, the RTP timestamp, which is based on the sampling frequency, is used in the calculations. If the wrong sampling frequency is used the calculations will be off. If a dynamic PT is used (95) it's probably not G711.

Best regards
Anders

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 23 February 2007 18:29
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi Anders,

good question. I'm not sure, but I guess the codec is PCMA G711 8 kHz (will take a look during call setup in a couple of hours). However the payload type is 97 (0x61), and Wireshark shows it as "Payload type=Unknown".

According to the formula, the jitter calculation depends on timestamps and arrival time differences. I don't know how the codec could affect it.

BR
Juan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Anders Broman (AL/EAB)
Sent: Friday, 23 February 2007 01:05 p.m.
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Jitter wrong in wireshark?

Hi,

Which codec is used?

Best regards
Anders

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2007-02-23 16:53
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Jitter wrong in wireshark?

Hi All,

Below is an RTP analysis from a Wireshark 0.99.5 capture in a live network. Doing the jitter calculation by hand, it doesn't match. And of course, if the data below is real it means we are having jitter of more than 1 minute!!

Example: the first jitter should be 138.90/16 = 8.68125 [ms] and it is showing 8803,82 [ms]!!!

Does someone know what could be wrong or what I'm missing?

BR
Juan

Forward

Packet | Sequence | Delta (ms) | Jitter (ms) | IP BW (kbps) | Marker | Status | Date | Length
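An added example (my code, not Wireshark's rtp_analysis.c): the RFC 3550 interarrival jitter estimator with the RTP clock rate as a parameter, run once with the codec's real 16 kHz clock and once with the fixed 8 kHz (0.000125 s per tick) that Juan says Wireshark 0.99.5 applied, plus the payload-type to clock-rate lookup that needs the SDP from the call setup, the prerequisite Anders lists. The packet timings and the SDP mapping are constructed; the static payload-type clocks come from RFC 3551 and the dynamic ones are an excerpt of the table Anders quotes.

```python
# Static payload types (RFC 3551): payload type -> clock rate in Hz.
# 0 = PCMU, 3 = GSM, 8 = PCMA, 9 = G722, 18 = G729.
STATIC_PT_CLOCK = {0: 8000, 3: 8000, 8: 8000, 9: 8000, 18: 8000}

# Excerpt of the mimetype_and_clock_map table from rtp_analysis.c above.
MIMETYPE_CLOCK = {"AMR": 8000, "AMR-WB": 16000, "G7221": 16000, "t140": 1000}


def resolve_clock_rate(payload_type, sdp_rtpmap):
    """Return the RTP clock rate for a payload type, or None if unknown.

    A dynamic payload type (96-127) resolves only if the setup signalling
    was captured (sdp_rtpmap maps PT -> media type from the a=rtpmap line,
    an assumed representation) and the media type is in the table. Without
    either, the analysis has no clock to convert timestamp ticks with.
    """
    if payload_type in STATIC_PT_CLOCK:
        return STATIC_PT_CLOCK[payload_type]
    mime = sdp_rtpmap.get(payload_type)
    return MIMETYPE_CLOCK.get(mime) if mime else None


def interarrival_jitter(packets, clock_rate_hz):
    """RFC 3550 section 6.4.1 / A.8 jitter estimate, in ms, after each packet.

    packets: sequence of (arrival_ms, rtp_timestamp) in arrival order.
    D(i,j) = (Rj - Ri) - (Sj - Si), with the timestamp difference converted to
    ms using clock_rate_hz, and J = J + (|D| - J) / 16. Using 8000 Hz for a
    16 kHz codec doubles every timestamp delta, so each D is off by the whole
    packetization interval and the estimate is inflated.
    """
    jitter = [0.0]
    for (r_prev, s_prev), (r, s) in zip(packets, packets[1:]):
        d = (r - r_prev) - (s - s_prev) * 1000.0 / clock_rate_hz
        jitter.append(jitter[-1] + (abs(d) - jitter[-1]) / 16.0)
    return jitter


# Constructed sample: 20 ms AMR-WB frames (320 ticks at 16 kHz) on dynamic
# PT 97, arriving with small delay variation.
SAMPLE_SDP = {97: "AMR-WB"}
SAMPLE_PACKETS = [(0, 0), (21, 320), (40, 640), (62, 960)]

if __name__ == "__main__":
    rate = resolve_clock_rate(97, SAMPLE_SDP)
    print("clock from SDP:", rate, "Hz ->", interarrival_jitter(SAMPLE_PACKETS, rate))
    print("8 kHz assumed       ->", interarrival_jitter(SAMPLE_PACKETS, 8000))
```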
Re: [Wireshark-users] SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?
Regarding #2 - I found the following link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cifs/protocol/smb_com_transaction2_trans2_query_path_information.asp

Regarding #1 - I am guessing that the files were written on the Unix end and when read from the Windows side it just keeps searching for a Ctrl-Z EOF rather than a Ctrl-D EOF, but I haven't been able to verify this as of yet.

Thought I would update the list before signing off.

Thx.
Jim

From: Surlow, Jim
Sent: Thursday, February 22, 2007 10:01 AM
To: wireshark-users@wireshark.org
Subject: SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?

Apologies, as this is more of a problem with the SMB client than with Wireshark/Ethereal. But, as I saw a similar thread from 3/2005 on the list (http://www.ethereal.com/lists/ethereal-users/200503/msg00048.html), maybe someone could help me:

I am seeing hundreds of SMB/Trans2/FILE_QUERY_INFO/Query File Standard Info requests and responses following a file open and prior to the file close. The clients are running a custom application in our Citrix environment running on Windows 2003. We see the same behavior regardless of whether the file server is Samba, NetApp, or Windows 2000. The custom application is just reading ini files, and so that is anywhere between a 2-5 packet exchange. The fact that we see hundreds of Query File Standard Info requests and responses (200-300 could occur in the same half second of time) is very confusing to us. And of course, it is burying our servers.

Questions:
1) Anyone have a clue as to this behavior?
2) What is the difference between: Query File Standard Info, Query File Basic Info, Query File EA Info?

Thanks,
Jim
Re: [Wireshark-users] how to filter a port?
Thanks Ulf--I didn't realize you could do that. I've been doing "not source and not destination"; this is much more efficient!

--Jim
Re: [Wireshark-users] SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?
Surlow, Jim wrote:

Regarding #1 - Am guessing that the files were written on the unix end and when read from the Windows side it just keeps searching for a Ctrl-Z EOF rather than Ctrl-D EOF,

...which would be a bit bizarre given that both Windows and UN*X have a "the file is this many bytes long" EOF, i.e., the file system stores the length of the file, in bytes, as one of the file's properties.

There are no actual ^D's stored as end-of-file padding in UN*X files to pad the file out to a disk block or file system block boundary (control-D is handled by the tty driver, which treats it as an indication that, when running in cooked mode, a line should be constructed that contains everything typed since the last line but *not* including the ^D, so if you've typed nothing on the line, that looks like a zero-length line, and a read returning a byte count of 0 is generally treated as an end-of-file indication), and, unless you have a very crufty old application, I would hope that there are no actual ^Z's stored as end-of-file padding in Windows files to pad the file out to a disk block or file system block boundary.
Re: [Wireshark-users] Diameter unknown AVPs
Hi,
Changing the chargecontrol.xml file to:

    <avp name="Volume-Quota-Threshold" code="869" mandatory="must" may-encrypt="no" protected="may">
        <type type-name="Unsigned32"/>
    </avp>

works for me. Quota-Holding-Time is defined in the dictionary.xml file and in the chargecontrol.xml (as vendor specific); perhaps Volume-Quota-Threshold should be in both files as well.
I think there is a bit of a mess with the older 3GPP specs misusing the common AVP's, which has been corrected in later specs.
Best regards
Anders

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederiek Debruyne
Sent: 26 February 2007 14:52
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Diameter unknown AVPs

Hi,
The cleared flag bits seem not to be the real problem that causes Wireshark not to recognize this Volume-Quota-Threshold AVP. I removed the vendor-id=TGPP part from the related XML file line, and set vendor-bit=mustnot. That did not help.
Furthermore, the 3GPP AVP Quota-Holding-Time, on the other hand, is recognized without any problem, while all its flag bits are cleared too.
Regards,
Frederiek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Broman (AL/EAB)
Sent: Monday 26 February 2007 13:27
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Diameter unknown AVPs

Hi,
The problem is that Wireshark expects this to be a vendor AVP but it's sent as a normal one. I think this was changed in more recent versions of the 3GPP doc's to be vendor specific AVP:s.
The simplest solution for you is to edit the XML file and remove Vendor-id=TGPP from the relevant AVP:s.
Best regards
Anders

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederiek Debruyne
Sent: 26 February 2007 09:10
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Diameter unknown AVPs

Hi Anders,
Did you receive the sample file? Is the Volume-Quota-Threshold AVP recognized in your case?
Regards,
Frederiek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Broman (AL/EAB)
Sent: Friday 23 February 2007 16:42
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Diameter unknown AVPs

Hi,
That should suffice, can you send me a small sample file?
Best regards
Anders

From: [EMAIL PROTECTED] on behalf of Frederiek Debruyne
Sent: Fri 2007-02-23 16:27
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Diameter unknown AVPs

Hi,
The "Attempt to load/use Diameter XML Dictionary" checkbox, in the preferences for Diameter, is checked. The Diameter XML dictionary is set to C:\Program Files\Wireshark\diameter/dictionary.xml.
The Volume-Quota-Threshold AVP (code 869) is not recognized. This AVP is not defined by IETF RFC 3588, but by a 3GPP specification.
I am not that familiar with XML, though I noticed the occurrence of the following lines in file chargecontrol.xml:

    <avp name="Volume-Quota-Threshold" code="869" mandatory="must" may-encrypt="no" protected="may" vendor-bit="must" vendor-id="TGPP">
        <type type-name="Unsigned32"/>
    </avp>

I'm not sure whether this should be sufficient. It does not seem to be, since the AVP is still not recognized.
Regards,
Frederiek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Broman (AL/EAB)
Sent: Friday 23 February 2007 16:04
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Diameter unknown AVPs

Hi,
AVP:s can be dissected either by the data in the file packet-diameter-defs.h or by the Diameter XML files if those preferences are set. See the wiki page for details. The XML library is more updated than the file.
What AVP:s are not recognised?
Best regards
Anders

From: [EMAIL PROTECTED] on behalf of Frederiek Debruyne
Sent: Fri 2007-02-23 15:33
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Diameter unknown AVPs

Hi,
I frequently use Wireshark to analyze Diameter protocol traffic. I notice that not all AVPs are recognized. That is, the packet details frame contains a line with "Unknown AVP" in that case.
What must be done to make Wireshark recognize these AVPs?
I am using the latest Wireshark version, i.e. version 0.99.5.
Regards,
Frederiek

This email has been processed by SmoothZap - www.smoothwall.net
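Why the dictionary entry with vendor-bit="must" and vendor-id="TGPP" fails to match an AVP the peer sends as a plain (non-vendor) AVP, as an added example that is neither Wireshark's Diameter dissector nor code from the thread. It encodes an AVP per RFC 3588 section 4.1 (code, flags, 24-bit length, and a Vendor-ID field only when the V bit is set), parses it back with bounds checks, and looks it up in constructed dictionaries keyed on (code, vendor-id), mirroring the two chargecontrol.xml variants quoted above. The 3GPP vendor id 10415 is the IANA enterprise number the TGPP symbol stands for; the AVP value is constructed.

```python
# Added example, not Wireshark's packet-diameter code: encode a Diameter AVP
# (RFC 3588 section 4.1), parse it back, and look it up in a dictionary keyed
# the way an entry with vendor-bit="must" forces: on (code, vendor-id).
import struct

TGPP_VENDOR_ID = 10415      # 3GPP's IANA enterprise number (what vendor-id="TGPP" means)
AVP_FLAG_VENDOR = 0x80      # 'V' bit: a Vendor-ID field follows the header
AVP_FLAG_MANDATORY = 0x40   # 'M' bit

# Constructed dictionaries mirroring the two chargecontrol.xml variants in the thread.
# Keys are (code, vendor_id); vendor_id None means a base (non-vendor) AVP.
DICT_VENDOR_BIT_MUST = {(869, TGPP_VENDOR_ID): "Volume-Quota-Threshold"}
DICT_VENDOR_ID_REMOVED = {(869, None): "Volume-Quota-Threshold"}
DICT_BOTH = {**DICT_VENDOR_BIT_MUST, **DICT_VENDOR_ID_REMOVED}


def build_avp(code, value, vendor_id=None, mandatory=True):
    """Encode one AVP carrying an Unsigned32; the V bit is set only if vendor_id is given."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    data = struct.pack("!I", value)
    length = 8 + len(vendor) + len(data)   # AVP Length covers header + data, not padding
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data


def parse_avp(buf):
    """Decode the AVP header; the Vendor-ID field is present only when the V bit is set."""
    if len(buf) < 8:
        raise ValueError("truncated AVP header")
    code, flags = struct.unpack("!IB", buf[:5])
    length = int.from_bytes(buf[5:8], "big")
    if length > len(buf):
        raise ValueError("AVP Length exceeds buffer")
    offset, vendor_id = 8, None
    if flags & AVP_FLAG_VENDOR:
        if length < 12:
            raise ValueError("V bit set but no room for Vendor-ID")
        vendor_id = struct.unpack("!I", buf[8:12])[0]
        offset = 12
    return {"code": code, "flags": flags, "vendor_id": vendor_id, "data": buf[offset:length]}


def avp_name(avp, dictionary):
    """Lookup as the thread describes it: both the code AND the vendor-id must match."""
    return dictionary.get((avp["code"], avp["vendor_id"]), "Unknown AVP")


def unsigned32(avp):
    """Decode the Unsigned32 payload of a parsed AVP."""
    return struct.unpack("!I", avp["data"])[0]


if __name__ == "__main__":
    # The peer in the thread sends code 869 as a plain AVP: V bit clear, no Vendor-ID.
    on_the_wire = parse_avp(build_avp(869, 500000))   # constructed value
    for label, d in [("vendor-bit=must", DICT_VENDOR_BIT_MUST),
                     ("vendor-id removed", DICT_VENDOR_ID_REMOVED),
                     ("both entries", DICT_BOTH)]:
        print(f"{label:18s}: {avp_name(on_the_wire, d)}")
```

Keeping an entry for both forms, as Anders suggests for Quota-Holding-Time, makes the AVP decode whether or not the sending node sets the V bit; a dictionary that only knows the vendor form reports the plain encoding as "Unknown AVP", which is exactly the symptom seen here.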
Re: [Wireshark-users] Jitter wrong in wireshark?
Hi,
I've added a note on RTP timestamp, please review.
Best regards
Anders

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars Ruoff
Sent: 26 February 2007 14:46
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi Anders,
since this too is a recurring question, perhaps you (or someone else) could add it to the Wiki, just under what i added last week: http://wiki.wireshark.org/RTP_statistics (bottom).
(I'm sorry, i don't have the time right now).
br,
Lars

Anders Broman wrote:

Hi,
Looking at the sources there is code there to use different frequencies. But for dynamic payload types there are two prerequisites that must be met:
- The setup signalling must be in the traces for Wireshark to track the PT to the media type.
- The media type sampling frequency must be in the table of rtp_analysis.c
These types are currently specified:

static const mimetype_and_clock mimetype_and_clock_map[] = {
    {"AMR",        8000},  /* [RFC3267] */
    {"AMR-WB",     16000}, /* [RFC3267] */
    {"EVRC",       8000},  /* [RFC3558] */
    {"EVRC0",      8000},  /* [RFC3558] */
    {"G7221",      16000}, /* [RFC3047] */
    {"G726-16",    8000},  /* [RFC3551] */
    {"G726-24",    8000},  /* [RFC3551] */
    {"G726-32",    8000},  /* [RFC3551] */
    {"G726-40",    8000},  /* [RFC3551] */
    {"G729D",      8000},  /* [RFC3551] */
    {"G729E",      8000},  /* [RFC3551] */
    {"GSM-EFR",    8000},  /* [RFC3551] */
    {"mpa-robust", 9},     /* [RFC3119] */
    {"SMV",        8000},  /* [RFC3558] */
    {"SMV0",       8000},  /* [RFC3558] */
    {"red",        1000},  /* [RFC4102] */
    {"t140",       1000},  /* [RFC4103] */
    {"BMPEG",      9},     /* [RFC2343],[RFC3555] */
    {"BT656",      9},     /* [RFC2431],[RFC3555] */
    {"DV",         9},     /* [RFC3189] */
    {"H263-1998",  9},     /* [RFC2429],[RFC3555] */
    {"H263-2000",  9},     /* [RFC2429],[RFC3555] */
    {"MP1S",       9},     /* [RFC2250],[RFC3555] */
    {"MP2P",       9},     /* [RFC2250],[RFC3555] */
    {"MP4V-ES",    9},     /* [RFC3016] */
    {"pointer",    9},     /* [RFC2862] */
    {"raw",        9},     /* [RFC4175] */
};

Best regards
Anders

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 24 February 2007 17:45
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi Anders,
Yes, you are right. Codecs affect jitter calculation because of the sampling frequency. In practice, it affects when calculating the timestamp to seconds. I.e.: when multiplying timestamp ticks to convert to seconds one must use the sampling frequency of the current codec. As wireshark always uses 0.000125 (it looks like this is not configurable), then if the codec is not G711 calculations will be wrong. And that's my case :(
BR
Juan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Anders Broman
Sent: Saturday, 24 February 2007 04:50 a.m.
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi,
If I understood the previous discussion correctly the RTP timestamp which is based on the sampling frequency is used in the calculations. If the wrong sampling frequency is used the calculations will be off. If a dynamic PT is used (95) it is probably not G711.
Best regards
Anders

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 23 February 2007 18:29
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] Jitter wrong in wireshark?

Hi Anders,
good question. I'm not sure but I guess the codec is PCMA G711 8KHz (will take a look during call setup in a couple of hours). However Payload type is 97 (0x61), and wireshark shows it as Payload type=Unknown.
According to the formula, jitter calculation depends on timestamps and arrival time differences. I don't know how codec could affect.
BR
Juan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Anders Broman (AL/EAB)
Sent: Friday, 23 February 2007 01:05 p.m.
To: Community support list for Wireshark
Subject: SV: [Wireshark-users] Jitter wrong in wireshark?

Hi,
Which codec is used?
Best regards
Anders

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2007-02-23 16:53
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Jitter wrong in wireshark?

Hi All,
Below is an rtp analysis from a wireshark 0.99.5 capture in a live network. Doing the jitter calculation by hand, it doesn't match. And of course, if below data is real it means we are having
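The effect Juan and Anders describe, as an added example that is not Wireshark's rtp_analysis.c and not code from the thread: the RFC 3550 interarrival jitter estimator, D(i,j) = (Rj - Ri) - (Sj - Si) and J = J + (|D| - J)/16, run over a constructed 16 kHz stream once with the codec's real clock rate and once with the fixed 8 kHz assumption (0.000125 s per tick) that Juan reports. The small clock-rate table and the 50-packet stream with one packet arriving 5 ms late are constructed for the example; the AMR and AMR-WB rates are those in the table Anders quotes, PCMA/PCMU 8000 is the RFC 3551 static rate.

```python
# Added example, not Wireshark's rtp_analysis.c: the RFC 3550 interarrival
# jitter estimator, run with the codec's real clock rate and with the 8 kHz
# (1/8000 s = 0.000125 s per tick) assumption discussed in the thread.

# Constructed clock-rate table (ticks per second); AMR and AMR-WB as in the
# rtp_analysis.c table quoted above, PCMA/PCMU from RFC 3551.
CLOCK_RATE = {"PCMA": 8000, "PCMU": 8000, "AMR": 8000, "AMR-WB": 16000}
ASSUMED_RATE = 8000   # what a fixed 0.000125 s per tick amounts to


def interarrival_jitter(packets, clock_rate):
    """packets: (arrival_seconds, rtp_timestamp_ticks) pairs in arrival order.

    Returns the running jitter estimate J after the last packet, in seconds,
    per RFC 3550 section 6.4.1 (the A.8 reference code does the same in ticks).
    """
    jitter = 0.0
    prev_arrival, prev_ts = packets[0]
    for arrival, ts in packets[1:]:
        # D(i,j) = (Rj - Ri) - (Sj - Si); S is converted from ticks to seconds here,
        # which is where the clock rate enters the calculation.
        d = (arrival - prev_arrival) - (ts - prev_ts) / clock_rate
        jitter += (abs(d) - jitter) / 16.0   # first-order filter, gain 1/16
        prev_arrival, prev_ts = arrival, ts
    return jitter


def constructed_stream(n=50, ptime=0.020, clock_rate=16000, late_index=10, late_by=0.005):
    """Constructed RTP stream: one packet every ptime seconds, one packet arriving late.

    The RTP timestamp advances by ptime * clock_rate ticks per packet, so the
    true transit-time variation is zero except around the late packet.
    """
    ticks_per_packet = round(ptime * clock_rate)
    return [(i * ptime + (late_by if i == late_index else 0.0), i * ticks_per_packet)
            for i in range(n)]


def jitter_ms(packets, payload_name, clock_rate=None):
    """Jitter in milliseconds using the payload's real clock rate, or an override."""
    rate = clock_rate if clock_rate is not None else CLOCK_RATE[payload_name]
    return interarrival_jitter(packets, rate) * 1000.0


if __name__ == "__main__":
    stream = constructed_stream()   # AMR-WB, 16 kHz clock, dynamic payload type
    print("AMR-WB, real 16 kHz clock : %.3f ms" % jitter_ms(stream, "AMR-WB"))
    print("AMR-WB, assumed 8 kHz     : %.3f ms" % jitter_ms(stream, "AMR-WB", ASSUMED_RATE))
    pcma = constructed_stream(clock_rate=8000, late_by=0.0)
    print("PCMA, perfectly regular   : %.3f ms" % jitter_ms(pcma, "PCMA"))
```

With the right clock the single late packet produces a fraction of a millisecond of jitter that decays back towards zero; with the 8 kHz assumption every 20 ms packet appears to carry 40 ms of media, so the estimate climbs towards 20 ms even though the network delivered the packets on time. That is the "jitter wrong" symptom when a dynamic payload type's clock rate is unknown to the analyser.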