Re: [Wireshark-users] Whitewashing Packet Traces?

2007-07-30 Thread Small, James
Hi Andy,

Lots of interesting suggestions - one that I have used which works
decently is the bittwist family (works on most platforms including
Windows with pre-built binaries available).  Just make sure you heed
Guy's warning - there are many other embedded fields and it's hard to
get them all in a completely automated fashion.

http://bittwist.sourceforge.net/

--Jim

 -Original Message-
 Hey all:
 
 I'm doing some troubleshooting in a client environ,
 and we're using Wireshark to analyze CIFS traffic.
 
 Problem is, they're a secure site, and require a
 whitewash/screening process on all data before they
 can send to us.
 
 In this case, the trace was taken between a W2K3
 server and a Netapp filer (just between two
 interfaces/IPs), and we're looking for a way we can
 basically whitewash the trace.  That is, basically
 replace the IPs within the trace with other IPs
 (change 10.100.100.1 to 192.168.1.1) and the same
 for MACs.
 
 However, unfortunately when opening traces with vi and
 the like, the IPs are not listed in plaintext.
 
 I checked all available docs, and did some google
 hunts. Is there a way to do this, basically take a
 Wireshark trace file, then edit it to swap out data
 like IPs and MACs?
 
 Thanks for your time.
 -Andy K
 

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
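As an added illustration of what Andy is asking for (and of Guy's warning that Jim repeats), here is a small pure-Python pcap rewriter that is not bittwist's code and not part of this thread: it swaps the Ethernet MACs and IPv4 source/destination in every record, recomputes the IP header checksum, and then scans the result for places where the original addresses still survive (ARP bodies, dotted-quad text inside payloads). The address mapping, the two-record sample capture and the classic libpcap/Ethernet file format are assumptions made for the example.

```python
import struct

# Constructed mapping for this example (real -> sanitized); the addresses are not from the thread.
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IP_A, IP_B = bytes([10, 100, 100, 1]), bytes([10, 100, 100, 2])
MAC_MAP = {MAC_A: bytes.fromhex("020000000001"), MAC_B: bytes.fromhex("020000000002")}
IP_MAP = {IP_A: bytes([192, 168, 1, 1]), IP_B: bytes([192, 168, 1, 2])}

def ip_checksum(hdr: bytes) -> int:  # RFC 1071 sum over the IPv4 header, checksum field as zero
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:] + (b"\x00" if len(hdr) % 2 else b"")
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rewrite_frame(frame: bytes) -> bytes:
    """Swap Ethernet MACs and IPv4 src/dst per the maps; refresh the IP header checksum."""
    out = MAC_MAP.get(frame[0:6], frame[0:6]) + MAC_MAP.get(frame[6:12], frame[6:12]) + frame[12:14]
    if frame[12:14] != b"\x08\x00":      # not IPv4 (e.g. ARP): left as-is, so its addresses still leak
        return out + frame[14:]
    ihl = (frame[14] & 0x0F) * 4
    iph = bytearray(frame[14:14 + ihl])
    iph[12:16] = IP_MAP.get(bytes(iph[12:16]), bytes(iph[12:16]))
    iph[16:20] = IP_MAP.get(bytes(iph[16:20]), bytes(iph[16:20]))
    iph[10:12] = struct.pack("!H", ip_checksum(bytes(iph)))
    return out + bytes(iph) + frame[14 + ihl:]  # TCP/UDP checksums (pseudo-header) are now stale

def records(data: bytes):  # yield (16-byte record header, frame) from a classic libpcap file
    endian, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off < len(data):
        n = struct.unpack(endian + "I", data[off + 8:off + 12])[0]   # incl_len
        yield data[off:off + 16], data[off + 16:off + 16 + n]
        off += 16 + n

def rewrite_pcap(data: bytes) -> bytes:  # global header kept, every frame rewritten
    return data[:24] + b"".join(h + rewrite_frame(f) for h, f in records(data))

def find_leaks(data: bytes) -> list:  # record numbers still carrying a real MAC, binary IP or dotted text
    needles = list(MAC_MAP) + list(IP_MAP) + [".".join(map(str, ip)).encode() for ip in IP_MAP]
    return [i for i, (_, f) in enumerate(records(data)) if any(x in f for x in needles)]

def build_sample_pcap() -> bytes:  # constructed: one UDP frame naming an IP in its payload, one ARP reply
    payload = b"host 10.100.100.1"
    udp = struct.pack("!HHHH", 40000, 445, 8 + len(payload), 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, IP_A, IP_B)
    iph = iph[:10] + struct.pack("!H", ip_checksum(iph)) + iph[12:]
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, MAC_A, IP_A, MAC_B, IP_B)
    frames = [MAC_B + MAC_A + b"\x08\x00" + iph + udp, MAC_B + MAC_A + b"\x08\x06" + arp]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Running `find_leaks(rewrite_pcap(build_sample_pcap()))` still reports both records, which is exactly the point of the warning: the headers are clean, but the ARP body and the ASCII payload still carry the real addresses and need protocol-aware handling.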


Re: [Wireshark-users] Ethereal vs wireshark

2007-07-30 Thread Small, James
Did you try dumpcap?  It's included with Wireshark (the latest version
of Ethereal) and typically is much better at capturing because it
doesn't do any processing - it just dumps everything to a file.  I've
used it in many situations where Wireshark/tshark would drop packets
(1Gbps+) because of processing overhead but dumpcap worked beautifully
with no drops.  Once you have the captured information, you can then use
Wireshark to slice/dice/display it.

Keep in mind, though, that if you use a PC there are many performance
limits imposed.  For example, a 1 Gbps NIC is pushing the limits of the
traditional PC architecture unless you're using high-end PCI/PCI-X/PCIe
with a corresponding high-performance card (like Intel's).  Don't forget
you need a well-tuned driver and a fast CPU/memory.  There have also been
some interesting papers published on tuning drivers and capture methods
for high-speed networks; check out:
http://www.winpcap.org/docs/

--Jim


Hello, sirs,

What kind of tools can capture Ethernet packets (such as UDP) fast
enough on the Linux platform? Ethereal cannot fulfill my requirements.
I'm using packETH 1.4 to send packets.
I found that Ethereal cannot monitor all of the packets if I send 10
(or more) packets (100 bytes per packet) consecutively with a delay
between packets of 8 us (= 0.008 ms = 0.08 s), i.e. at least some
percent of the packets cannot be captured in Ethereal.
96172/10 = 96.172%, 3% lost
957952/10 = 95.7952%, 4% lost
After looking around on Google, I found that Wireshark is a kind of upgraded
version of Ethereal, right? Is it possible to capture all packets as I
want?
Please help me out, thanks in advance.

Winter Song.
