Re: [Wireshark-users] Interpretting a VoIP call
On 11/14/06, Razor Ramone [EMAIL PROTECTED] wrote:

> Hello, for my school project, I decided to analyze a VoIP call using Wireshark, but there are some things that are not clear to me. Below, I am always talking about RTP packets.
>
> First of all, in a conversation, I expect that the initiator and the receiver take turns talking. Therefore, I expected to see that when the initiator is sending packets (talking), the receiver is listening (not sending packets), but that is not the case in my Wireshark captures. What I see is that the receiver generally sends packets continuously at a frequency of 1 packet every 20ms. On the other hand, the receiver is simultaneously sending packets in a different pattern. The receiver sends 4 to 5 packets almost instantly (0.0x ms between each packet), then it waits 80 to 100ms, during which it receives 4 to 5 packets from the initiator, then it sends another burst of 4-5 packets.
>
> So my questions so far are:
>
> - Why do initiator and receiver send packets simultaneously?

May full-duplex be the answer?

> - Why does the initiator send packets in different patterns? (20ms vs a burst of packets followed by a wait)

Buffering problems, network congestion, transport problems, etc... that should be seen on a case-by-case basis.

> The answer to my first question, I suspect, would be noise, or synthetic noise introduced into the conversation on purpose (comfort noise), but I am not sure about this.

That can be.

> My final question is:
>
> - If it is true that these are the reasons the initiator and receiver send packets at the same time, why, then, are there times that they do not send packets at the same time? (In one conversation, the initiator is talking for an extensive period of time during which the receiver sends no packets.)

May silence suppression be the answer?

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
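An added example, not from the thread, that makes the patterns described above measurable: the script takes the arrival times of one RTP direction (constructed here to mimic the capture, one side at a 20 ms cadence with a pause, the other in bursts) and reports its cadence, bursts and silence gaps, plus how long both directions were active at the same time. The ptime, burst and silence thresholds are assumptions to tune for the codec in use.

```python
from statistics import median

# Constructed arrival timestamps in seconds (not from a real capture).
# Direction A: one packet every 20 ms for 0.5 s, a 620 ms pause (what
# silence suppression looks like on the wire), then 20 ms packets again.
SENDER_A = [i * 0.020 for i in range(25)] + [1.1 + i * 0.020 for i in range(10)]
# Direction B: bursts of 5 packets 0.05 ms apart, then ~100 ms of nothing.
SENDER_B = [b * 0.100 + i * 0.00005 for b in range(10) for i in range(5)]


def gaps_ms(times):
    """Inter-packet gaps in milliseconds for one RTP direction."""
    return [(b - a) * 1000.0 for a, b in zip(times, times[1:])]


def classify(times, ptime_ms=20.0, burst_ms=2.0, silence_ms=200.0):
    """Describe one direction: ptime_ms is the expected packetisation
    interval (codec/SDP ptime), gaps under burst_ms mean back-to-back
    release, gaps over silence_ms mean the sender paused."""
    g = gaps_ms(times)
    steady = sum(1 for x in g if abs(x - ptime_ms) <= ptime_ms * 0.25)
    bursty = sum(1 for x in g if x < burst_ms)
    if steady >= 0.8 * len(g):
        pattern = "steady"
    elif bursty >= 0.5 * len(g):
        pattern = "bursty"
    else:
        pattern = "mixed"
    return {"packets": len(times), "median_gap_ms": round(median(g), 3),
            "pattern": pattern,
            "silences_ms": [round(x) for x in g if x > silence_ms]}


def overlap_seconds(a, b, bin_ms=100):
    """Seconds (counted in bin_ms bins) during which both directions carried
    packets, i.e. how much of the call was really full-duplex in the capture."""
    bins_a = {int(round(t * 1000)) // bin_ms for t in a}
    bins_b = {int(round(t * 1000)) // bin_ms for t in b}
    return round(len(bins_a & bins_b) * bin_ms / 1000.0, 3)


if __name__ == "__main__":
    print("A:", classify(SENDER_A))
    print("B:", classify(SENDER_B))
    print("both directions active for", overlap_seconds(SENDER_A, SENDER_B), "s")
```

A real capture would feed this from the per-stream timestamps exported by Wireshark's RTP stream analysis, one list per SSRC.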
Re: [Wireshark-users] Ethereal - how it reads data from NDIS driver
Are you sure that the monitor port of the switch you use is configured to forward tagged frames?

On 11/13/06, Maxim Bakushin [EMAIL PROTECTED] wrote:

> Hi, all.
>
> I have a WinXP SP2 machine with a NDIS driver installed. An application running on this machine re-assembles VLAN-tagged Ethernet frames and sends them to a router via an L2 switch. When I run Ethereal (0.99.0, WinPcap 3.1) on this machine, I can see correct VLAN-tagged Ethernet frames sent to the destination, but when I monitor (with Ethereal) the LAN between that machine and the L2 switch, the frames do not include the VLAN tags. It seems strange to me. So, my question is: what is the source of information for Ethereal on the WinXP machine?
>
> Thanks in advance.
> maximb
Re: [Wireshark-users] Eurex MISS / CME MDP dissectors
On 11/6/06, Jee Kay [EMAIL PROTECTED] wrote:

> Working in the financial services industry I frequently find myself having to debug the multicast streams of Eurex and the CME price feeds. I was wondering if anyone has a Wireshark dissector available for either of these two protocols, or could point me in the direction of who might / how to go about writing one?

A good starting point would be:

- a pointer to the specifications of those protocols
- some capture files with as many different messages as possible
- wiki pages describing what/how these protocols work (http://wiki.wireshark.org)

Thanks,
Ras
Re: [Wireshark-users] Eurex MISS / CME MDP dissectors
If it is XML, that's a (relatively) easy job...

- first take a look at http://wiki.wireshark.org/XML to know what you are to face
- take a look at one of the Eurex packets: what's the HTTP Content-Type (or else tell us what protocol encapsulates it)
- create a dummy DTD file called eurex.dtd in wireshark_dir/dtds
- add to it:

    <? wireshark:protocol proto_name="eurex" description="Eurex Feed" hierarchy="yes" media="" ?>
    <!-- media: what you get in the Content-Type -->

At this point, if you see it dissected as eurex, take a look at an RSS feed and how rss.dtd is made and do pretty much the same for your XML data.

Luis

On 11/6/06, Jaap Keuter [EMAIL PROTECTED] wrote:

> Hi,
>
> It's an XML based protocol, but closed to the public. As closed as XML can be once used... (very little!)
> See http://www.eurexchange.com/download/documents/circulars/cf0622006e.pdf
>
> GTKBU -- good to know but useless :)
>
> On Mon, 6 Nov 2006, LEGO wrote:
>
>> On 11/6/06, Jee Kay [EMAIL PROTECTED] wrote:
>>
>>> Working in the financial services industry I frequently find myself having to debug the multicast streams of Eurex and the CME price feeds. I was wondering if anyone has a Wireshark dissector available for either of these two protocols, or could point me in the direction of who might / how to go about writing one?
>>
>> A good starting point would be:
>>
>> - a pointer to the specifications of those protocols
>> - some capture files with as many different messages as possible
>> - wiki pages describing what/how these protocols work (http://wiki.wireshark.org)
Re: [Wireshark-users] Use tcpdump to capture for Wireshark?
Try:

    tcpdump -w filename.cap

On 10/24/06, John Oliver [EMAIL PROTECTED] wrote:

> I redirected the output of tcpdump to an ASCII text file, but Wireshark doesn't like that. How can I capture traffic with tcpdump in a format that Wireshark will understand?
>
> --
> John Oliver
> http://www.john-oliver.net/
[Wireshark-users] need H.248 captures with as many package parameters/events/signals
Hi folks,

In order to thoroughly test the new package infrastructure for the H248 dissector, I need capture files with data of as many packages as possible (Annex C, E, 3GPP, etc...).

Thanks,
Luis
Re: [Wireshark-users] Sniffing ASP web traffic
You should use the server logs for that; unless you are experiencing a large packet loss, you will be able to approximate the bandwidth usage of every virtual host. The logs should contain the timestamp, the request, and the bytes served.

Statistics -> HTTP -> Load Distribution gives you the number of HTTP requests, but it does not give you the packet/byte count.

Luis.

On 7/24/06, John Turpin [EMAIL PROTECTED] wrote:

> We run .asp apps on IIS web servers, with different sites on the same IP address. We would like to be able to tell how much bandwidth each site uses. (We have about 300.) Since the pages are .aspx and dynamically compiled and share the same IP address, it is hard to split them up.
>
> I have the following setup:
>
>     (firewall)----(TAP)----(Switch)----(IIS Server)
>                     |
>                     |
>                (wireshark)
>
> How can I tell from the TCP/IP packets (capture) what files and pages come from what site and how large they are, to determine bandwidth usage from 5 minute samples of data in Wireshark?
>
> John Turpin
> Senior Network Administrator
> iModules
> 7201 W. 129th St.
> Overland Park, KS. 66213
> [EMAIL PROTECTED]
> 913.888.0772
> Toll Free 1.800.734.3853
> www.imodules.com
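An added example (not from the thread) of the log-based approach suggested above: it parses W3C-format IIS log lines, constructed here with made-up hosts and sizes, and sums bytes per cs-host (the Host header, which is what tells the virtual hosts on one IP address apart) in 5-minute buckets. The field list in the #Fields line is an assumption; a real server's own #Fields line drives the parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W3C extended log lines in the shape IIS writes. sc-bytes is the
# response size, cs-bytes the request size, cs-host the Host header.
# Hosts, addresses and sizes are made up for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-bytes cs-bytes time-taken
2006-07-24 14:49:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.0 alumni.example.com 200 48213 512 31
2006-07-24 14:49:07 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 alumni.example.com 200 9120 401 5
2006-07-24 14:51:44 10.0.0.5 GET /events.aspx - 80 - 192.0.2.22 Mozilla/4.0 giving.example.com 200 61000 498 40
2006-07-24 14:55:02 10.0.0.5 POST /login.aspx - 80 - 192.0.2.22 Mozilla/4.0 giving.example.com 302 380 1200 12
2006-07-24 14:56:30 10.0.0.5 GET /default.aspx - 80 - 192.0.2.31 Mozilla/4.0 alumni.example.com 200 48213 510 29
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def bytes_per_host(text, bucket_minutes=5):
    """Sum response + request bytes per (bucket start, cs-host)."""
    totals = defaultdict(int)
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        start = ts - timedelta(minutes=ts.minute % bucket_minutes, seconds=ts.second)
        size = int(rec["sc-bytes"]) + int(rec["cs-bytes"])
        totals[(start.isoformat(sep=" "), rec["cs-host"])] += size
    return dict(totals)


def kbps(total_bytes, bucket_minutes=5):
    """Average kbit/s over one bucket, the figure to compare sites by."""
    return round(total_bytes * 8 / (bucket_minutes * 60) / 1000, 2)


if __name__ == "__main__":
    for (bucket, host), total in sorted(bytes_per_host(SAMPLE_LOG).items()):
        print(bucket, host, total, "bytes", kbps(total), "kbit/s")
```

The totals are application-layer bytes, so they leave out TCP/IP headers, retransmissions and TLS overhead and will sit a little below what a capture on the tap would show.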
Re: [Wireshark-users] Sniffing ASP web traffic
I guess IIS logs HTTP requests regardless of how the request is performed; at least it should.

On 7/24/06, John Turpin [EMAIL PROTECTED] wrote:

> Will that get compiled .asp pages too?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of LEGO
> Sent: Monday, July 24, 2006 10:49 AM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Sniffing ASP web traffic
>
> You should use the server logs for that; unless you are experiencing a large packet loss, you will be able to approximate the bandwidth usage of every virtual host. The logs should contain the timestamp, the request, and the bytes served.
>
> Statistics -> HTTP -> Load Distribution gives you the number of HTTP requests, but it does not give you the packet/byte count.
>
> Luis.
Re: [Wireshark-users] How to enable h248 dissector for Ethereal trace H.248.1 v1 BER (ip:udp:h248) ?
Go to Preferences -> Protocols -> H248 and set the UDP Port preference.

On 7/4/06, Bill Huang [EMAIL PROTECTED] wrote:

> I am new to Ethereal. I downloaded and installed the Win32 binary Wireshark v0.99.1pre1 on WinXP Pro, and opened an Ethereal capture file for an H.248 v1 BER encoded trace (ip:udp:h248 over UDP port 2945). What configuration changes or plugins are needed so I can see the content of the H.248 BER encoded data?
>
> Thanks,
> Bill