Re: [Wireshark-users] 12 bytes before the IP header

2007-09-19 Thread Small, James
Aleksander,

If I save the pcap file you sent and follow this procedure:
bittwiste -I http_packet.cap -O http-new.cap -M 147

Open http-new.cap in Wireshark 0.99.6

Edit-Preferences-Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 26 (12 for Ethernet + 12 for extra stuff + 2 for next
protocol field)
header_proto - eth_withoutfcs
trailer_size - leave blank
trailer_proto - leave blank
Click OK
Click OK


Now, the IP part and below of the packet decode correctly in
Wireshark.

This doesn't work for you?


BTW - there does appear to be a bug in the DLT_User preferences where
you get gobbledygook - I should probably file a bug...


As to whether this should be automatically decoded I can't say - I would
have to defer to one of the developers.

--Jim
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Aleksander Veksler
 Sent: Wednesday, September 19, 2007 7:23 PM
 To: wireshark-users@wireshark.org
 Subject: Re: [Wireshark-users] 12 bytes before the IP header
 
 Hello again guys,
 
 Sorry for the delay. The procedure Sake Block recommended didn't work.
 I first thought it was because there was a trailer, so I tried with
 trailer sized 1,2,3 and four (see the packet to see why), but this
 didn't work.
 
 There seems to be a bug in the DLT_USER configuration page, which makes
 random characters appear in the payload field (it seems to me the
 characters are coming from the capture, but I am not sure). I attach a
 screenshot, can make more if you need it.
 
 I also attached a sample http packet. I found a packet with as much
 clear text as possible, tell me if you need more. This particular
 packet was not classified as LLC, but many others were.
 
 Thank you again for your help.
 
 
 Aleksander
 
 
 Quoting Aleksander Veksler [EMAIL PROTECTED]:
 
  Quoting Joerg Mayer [EMAIL PROTECTED]:
 
  On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
  Anyone have tips on how you lose a few bytes? I get 12 bytes
between
  the Ethernet header and IP header. This means that wireshark does
not
  recognize the IP header as, and I can't use any of the wireshark's
  advanced features.
 
  Anyone know how to get rid of those bytes, or perhaps what they
are?
  * My card is Intel Pro/Wireless 3945ABG
  * The wireless switch is D-Link DIR-635
  * The problem only happens in promiscuous mode, and only to the
  packets not directed to my computer
  * I attach picture of a window of a sample http packet
  * Please help :)
 
  Actually it looks like this packet might have a third mac at the
 beginning:
  Is the length of 02 d7 really correct? Sending a packet would have
  helped more than the image you sent and have been smaller.
  After the third mac it looks to me that there is an ordinary
LLC/SNAP
  header.
  The LLC dissector attempted to dissect the first 4 bytes, right
after
  ethernet length. Again, I will have to send full data on Monday.
 
  Thank you for the help!
 
 
 
   Ciao
 Joerg
  --
  Joerg Mayer
 [EMAIL PROTECTED]
  We are stuck with technology when what we really want is just stuff
 that
  works. Some say that should read Microsoft instead of technology.
  ___
  Wireshark-users mailing list
  Wireshark-users@wireshark.org
  http://www.wireshark.org/mailman/listinfo/wireshark-users
 
 
 
 
 
 



Re: [Wireshark-users] Way to easily identify UDP/ICMP packets with no reply?

2007-09-11 Thread Small, James
Oops - that was supposed to be capture/display filter!

 -Original Message-
 Is there a way to easily identify UDP/ICMP packets with no reply?  I
 suppose statistics--conversations is one way, but is there a capture
 filter that would help?
 
 Thanks,
   --Jim



[Wireshark-users] Way to easily identify TCP SYNs without a response?

2007-09-11 Thread Small, James
Hello,

Is there a way to easily identify TCP SYN packets that get no reply?  In
other words, no SYN/ACK or RST/ACK sent in reply?

I know you can do a tcp.flags.syn==1 and just look through the list, but
I was wondering if there is a better way with a capture/display filter?

Thanks,
  --Jim
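There is no single display filter that expresses "a SYN with no SYN/ACK or RST/ACK back", because the answer lives in a different packet than the SYN; it has to be worked out per flow. As an added example (not from the list or from Wireshark), this Python does that bookkeeping over constructed packet records, covering both this question and the UDP one above it: a TCP flow is answered by a reverse-direction SYN/ACK or RST, a UDP flow by any reverse-direction datagram. It does not match ICMP unreachables, which would need the quoted inner header. The emitted display filters use the real Wireshark field names ip.src, ip.dst, tcp.srcport and so on.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed packet records: (proto, src, sport, dst, dport, tcp_flags); flags is 0 for UDP.
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", 40001, "192.0.2.10", 80, SYN),
    ("tcp", "192.0.2.10", 80, "10.0.0.5", 40001, SYN | ACK),   # open port answers
    ("tcp", "10.0.0.5", 40002, "192.0.2.10", 22, SYN),
    ("tcp", "192.0.2.10", 22, "10.0.0.5", 40002, RST | ACK),   # closed port still answers
    ("tcp", "10.0.0.5", 40003, "192.0.2.11", 445, SYN),
    ("tcp", "10.0.0.5", 40003, "192.0.2.11", 445, SYN),        # retransmitted SYN, silence
    ("tcp", "10.0.0.5", 40004, "192.0.2.12", 3389, SYN),       # silence
    ("udp", "10.0.0.5", 50000, "192.0.2.53", 53, 0),
    ("udp", "192.0.2.53", 53, "10.0.0.5", 50000, 0),           # DNS reply
    ("udp", "10.0.0.5", 50001, "192.0.2.20", 161, 0),          # SNMP query, no reply
]


def unanswered(packets):
    """Return two dicts keyed by (src, sport, dst, dport), value = packet count:
    TCP SYNs that never got a SYN/ACK or RST back, and UDP flows with no
    reverse-direction datagram. ICMP unreachables are not considered."""
    syns, tcp_answers = {}, set()
    udp_flows, udp_answers = {}, set()
    for proto, src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)   # the flow this packet would be an answer to
        if proto == "tcp":
            if flags & SYN and not flags & ACK:
                syns[fwd] = syns.get(fwd, 0) + 1          # counts retransmissions too
            elif (flags & (SYN | ACK)) == (SYN | ACK) or flags & RST:
                tcp_answers.add(rev)
        elif proto == "udp":
            udp_flows[fwd] = udp_flows.get(fwd, 0) + 1
            udp_answers.add(rev)
    tcp_silent = {k: n for k, n in syns.items() if k not in tcp_answers}
    udp_silent = {k: n for k, n in udp_flows.items() if k not in udp_answers}
    return tcp_silent, udp_silent


def display_filter(key, proto):
    """Wireshark display filter selecting one flow, to jump to it in the GUI."""
    src, sport, dst, dport = key
    return "ip.src==%s && %s.srcport==%d && ip.dst==%s && %s.dstport==%d" % (
        src, proto, sport, dst, proto, dport)


if __name__ == "__main__":
    tcp_silent, udp_silent = unanswered(SAMPLE_PACKETS)
    for key, n in tcp_silent.items():
        print("unanswered SYN x%d: %s" % (n, display_filter(key, "tcp")))
    for key, n in udp_silent.items():
        print("unanswered UDP x%d: %s" % (n, display_filter(key, "udp")))
```

Many unanswered SYNs from one source toward many hosts or ports is also the classic shape of a scan or a black-holed path, so the same bookkeeping doubles as a detection check.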



Re: [Wireshark-users] Whitewashing Packet Traces?

2007-07-30 Thread Small, James
Hi Andy,

Lots of interesting suggestions - one that I have used which works
decently is the bittwist family (works on most platforms including
Windows with pre-built binaries available).  Just make sure you heed
Guy's warning - there are many other embedded fields and it's hard to
get them all in a completely automated fashion.

http://bittwist.sourceforge.net/

--Jim

 -Original Message-
 Hey all:
 
 I'm doing some troubleshooting in a client environ,
 and we're using Wireshark to analyze CIFS traffic.
 
 Problem is, they're a secure site, and require a
 whitewash/screening process on all data before they
 can send to us.
 
 In this case, the trace was taken between a W2K3
 server and a Netapp filer (just between two
 interfaces/IPs), and we're looking for a way we can
 basically whitewash the trace.  That is, basically
 replace the IPs within the trace with other IPs
 (change 10.100.100.1 to 192.168.1.1) and the same
 for MACs.
 
 However, unfortunately when opening traces with vi and
 the like, the IPs are not listed in plaintext.
 
 I checked all available docs, and did some google
 hunts. Is there a way to do this, basically take a
 Wireshark trace file, then edit it to swap out data
 like IPs and MACs?
 
 Thanks for your time.
 -Andy K
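Guy's warning about embedded fields is the hard part of whitewashing: changing an address also changes the IPv4 header checksum and the TCP/UDP checksum (which covers a pseudo-header with both IPs), so a naive byte swap leaves a trace full of checksum errors. As an added example (not from the list or from bittwist), this Python rewrites MACs and IPv4 addresses in an untagged Ethernet frame using a consistent map and recomputes both checksums; the frame is constructed, and the 10.100.100.1 to 192.168.1.1 mapping is Andy's. Copies of addresses inside protocol payloads (CIFS and the like) are deliberately left alone, which is exactly what the warning is about.

```python
import struct


def inet_checksum(buf):
    """RFC 1071 one's-complement sum over buf (odd length is zero-padded)."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(dotted):
    """Dotted-quad string to 4 bytes."""
    return bytes(int(x) for x in dotted.split("."))


def _layout(f):
    """(ihl, proto, seg_start, seg_end, fragmented) for an untagged Ethernet/IPv4 frame, else None."""
    if len(f) < 34 or bytes(f[12:14]) != b"\x08\x00" or f[14] >> 4 != 4:
        return None
    ihl = (f[14] & 0x0F) * 4
    total_len = struct.unpack("!H", bytes(f[16:18]))[0]
    fragmented = (struct.unpack("!H", bytes(f[20:22]))[0] & 0x3FFF) != 0   # MF set or offset > 0
    seg_start, seg_end = 14 + ihl, 14 + total_len
    if ihl < 20 or total_len < ihl or seg_end > len(f):
        return None
    return ihl, f[23], seg_start, seg_end, fragmented


def _transport_ck(f, lay):
    """Offset of the TCP/UDP checksum field plus pseudo-header + segment bytes, or None."""
    ihl, proto, seg_start, seg_end, fragmented = lay
    if proto not in (6, 17) or fragmented:      # cannot checksum a single fragment
        return None
    ck_off = seg_start + (16 if proto == 6 else 6)
    if ck_off + 2 > seg_end:
        return None
    pseudo = bytes(f[26:34]) + struct.pack("!BBH", 0, proto, seg_end - seg_start)
    return ck_off, pseudo + bytes(f[seg_start:seg_end])


def fix_checksums(frame):
    """Recompute the IPv4 header checksum and, for unfragmented TCP/UDP, the transport checksum."""
    f = bytearray(frame)
    lay = _layout(f)
    if lay is None:
        return bytes(f)
    ihl, proto = lay[0], lay[1]
    f[24:26] = b"\x00\x00"
    f[24:26] = struct.pack("!H", inet_checksum(bytes(f[14:14 + ihl])))
    t = _transport_ck(f, lay)
    if t is not None:
        ck_off = t[0]
        if proto == 17 and bytes(f[ck_off:ck_off + 2]) == b"\x00\x00":
            return bytes(f)             # sender disabled the UDP checksum; keep it that way
        f[ck_off:ck_off + 2] = b"\x00\x00"
        ck = inet_checksum(_transport_ck(f, lay)[1])
        f[ck_off:ck_off + 2] = struct.pack("!H", ck or (0xFFFF if proto == 17 else 0))
    return bytes(f)


def checksums_ok(frame):
    """True if the IPv4 header checksum and the (unfragmented TCP/UDP) transport checksum verify."""
    f = bytes(frame)
    lay = _layout(f)
    if lay is None or inet_checksum(f[14:14 + lay[0]]) != 0:
        return False
    t = _transport_ck(f, lay)
    if t is None:
        return True
    ck_off, data = t
    if lay[1] == 17 and f[ck_off:ck_off + 2] == b"\x00\x00":
        return True
    return inet_checksum(data) == 0


def anonymize_frame(frame, mac_map, ip_map):
    """Replace MACs and IPv4 addresses per the maps (unmapped ones pass through), then fix checksums."""
    f = bytearray(frame)
    for off in (0, 6):
        f[off:off + 6] = mac_map.get(bytes(f[off:off + 6]), bytes(f[off:off + 6]))
    if _layout(f) is not None:
        for off in (26, 30):
            f[off:off + 4] = ip_map.get(bytes(f[off:off + 4]), bytes(f[off:off + 4]))
    return fix_checksums(bytes(f))


def build_sample_frame():
    """Constructed Ethernet + IPv4 + TCP frame with a 5-byte payload and valid checksums."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    payload = b"hello"
    tcp = struct.pack("!HHIIBBHHH", 1136, 445, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, ip4("10.100.100.1"), ip4("10.100.100.2"))
    return fix_checksums(eth + ip + tcp + payload)


if __name__ == "__main__":
    original = build_sample_frame()
    cleaned = anonymize_frame(original,
                              {bytes.fromhex("0a0000000001"): bytes.fromhex("020000000001")},
                              {ip4("10.100.100.1"): ip4("192.168.1.1")})
    print("checksums valid after rewrite:", checksums_ok(cleaned))
```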
 



Re: [Wireshark-users] Ethereal vs wireshark

2007-07-30 Thread Small, James
Did you try dumpcap?  It's included with Wireshark (the latest version
of Ethereal) and typically is much better at capturing because it
doesn't do any processing - it just dumps everything to a file.  I've
used it in many situations where Wireshark/tshark would drop packets
(1Gbps+) because of processing overhead but dumpcap worked beautifully
with no drops.  Once you have the captured information, you can then use
Wireshark to slice/dice/display it.

Keep in mind though that if you use a PC there are many performance
limits imposed.  For example - a 1 Gbps NIC is pushing the limits of the
traditional PC architecture unless you're using hi-end PCI/PCI-X/PCIe
with a corresponding high performance card (like Intel's).  Don't forget
you need a well tuned driver and fast CPU/Memory.  There have also been
some interesting papers published on tuning drivers and capture methods
for high speed networks, check out:
http://www.winpcap.org/docs/

--Jim


Hello, sirs,

What kind of tools can capture ethernet packets (such as UDP) fast
enough on the Linux platform? Ethereal cannot fulfill my requirements. 
I'm using packETH 1.4 to send packets. 
I found that Ethereal cannot monitor all of the packets if I send 10
(or more) packets (100 bytes per packet) consecutively with a delay
between packets of 8 us (= 0.008 ms = 0.08 s), i.e. at least some
percent of the packets cannot be captured in Ethereal. 
96172/10 = 96.172%, 3% lost 
957952/10 = 95.7952%, 4% lost 
After looking around in Google, I found that Wireshark is a kind of upgraded
version of Ethereal, right? Is it possible to capture all packets as I
want? 
Please help me out, thanks in advance.

Winter Song. 



Re: [Wireshark-users] Setting up a display offset

2007-07-26 Thread Small, James
Bill,

I don't believe there is in Wireshark.  You have to change the datalink
type in the capture file and then setup custom offsets as I described.
Did you try this and have any luck?

--Jim

 -Original Message-
 Can anyone follow up with me on this, is there a way to force an offset
 so wireshark will start decoding 56 bytes inside the frame and assume it
 to be a protocol like IP.
 
 Thanks
 
 Bill
 



Re: [Wireshark-users] Setting up a display offset

2007-07-23 Thread Small, James
Thanks Luis!

Just like you said, the following properly decodes the Ethernet part:
Edit-Preferences-Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 48 (14 for Ethernet + 34 for the proprietary header)
header_proto - eth_withoutfcs
trailer_size - leave blank
trailer_proto - leave blank
Click OK
Click OK


In my case, this is for decoding a Cisco protocol.  The modular Cisco
multi-function firewall, the ASA, has an expansion slot that houses one
of 3 different modules.  The data plane between the ASA and the
expansion module is (or is like) a gigabit ethernet connection.  So, you
can actually capture what goes across.  However, when data is
encapsulated from the ASA to the expansion module, it appears to put a
34 byte proprietary header in between the Ethernet header and the IP
header.  It's actually not quite this simple though.  When you look at a
capture, there are other frames that don't follow this simple pattern -
perhaps signaling between the ASA and the expansion unit or something?

In some cases it is useful to look at this information - hence the above
trick is useful.

I would certainly be happy to send you a sample if you'd care to look
but I guess I'm not sure if this would be interesting to the general
Wireshark community.  Of course, if you're curious just let me know!
:-)


Thanks again,
  --Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Luis EG Ontanon
 Sent: Sunday, July 22, 2007 12:55 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Setting up a display offset
 
 On 7/22/07, Small, James [EMAIL PROTECTED] wrote:
  For the general Wireshark community - is there a way to do the above
and
 still see the Ethernet frame but ignore the data in the middle?
 
 I thought in a way to implement it but I could not find a viable way.
 The problem  is that we cannot know how long a frame will be. We
 normally pass the entire frame to the ethernet dissector assuming that
 all of it is the ethernet frame and that usually works but in the
 scenario you are depicting that's not the case.
 
 
  For example, if I have something that processes traffic and inserts
a 34
 byte proprietary header between the Ethernet header and the IP header,
can
 I still see the Ethernet header and the following IP header but ignore
the
 proprietary header in the middle (if I'm not slick enough to write a
 dissector!)?
 
 If you give us a capture with some frames and the background
 information behind what's encoded (port-ids (in the machine creating
 the packets), addresses, etc.) we  might be able to reverse-engineer
 it, (For me there's always a certain satisfaction involved in
 rendering public knowledge that someone tries to keep away from the
 people :-).
 
  I tried:
  payload_proto - ip
  header_size - 14 (14 for Ethernet)
  header_proto - Ethernet (tried ether, ethernet, neither worked...)
 
 Ethernet is registered as either eth_withoutfcs (I think this may be
 your case) or eth_withfcs.
 In revision 22381 I just added  an eth one that finds out if there's
 an fcs at the end of the frame...
 
 I never thought about it but eth_withoutfcs is far from
user-friendly!
 
  trailer_size - 34
  trailer_proto - blank
 
 
  Also - would this be a good thing to put in the WIKI?  If so, any
 suggestions on where?
 
 Go ahead, someone might find it useful.
 
 --
 This information is top security. When you have read it, destroy
yourself.
 -- Marshall McLuhan



Re: [Wireshark-users] Setting up a display offset

2007-07-22 Thread Small, James
Hi Bill,

Excellent question, I hope this helps:

Try getting bittwist:
http://bittwist.sourceforge.net/

It works on Windows/UNIX/Linux/BSD so you should be good on any platform
You can get pre-compiled binaries for Windows

Assuming you have a file in libpcap format:
bittwiste -I original-packets.cap -O new-mod.cap -M 147

This changes the datalink type from Ethernet to 147 which Wireshark allows you 
to customize.

When you open new-mod.cap in Wireshark (assuming 0.99.6, earlier versions are 
different):
When one of the packets is highlighted, in the second pane under the frame you 
should see:
user encap not handled: DLT=147, check you [sic] 
Preferences-Protocols-DLT_USER

Edit-Preferences-Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 58 (14 for Ethernet + 44 for the proprietary header??? - might be 
72 if it's 58+14...)
header_proto - I leave blank as it's proprietary and I don't know how to write 
a dissector
trailer_size - I leave blank
trailer_proto - I leave blank
Click OK
Click OK
Should now see what you want in Wireshark!


Please let me know if this works for you.


For the general Wireshark community - is there a way to do the above and still 
see the Ethernet frame but ignore the data in the middle?

For example, if I have something that processes traffic and inserts a 34 byte 
proprietary header between the Ethernet header and the IP header, can I still 
see the Ethernet header and the following IP header but ignore the proprietary 
header in the middle (if I'm not slick enough to write a dissector!)?
I tried:
payload_proto - ip
header_size - 14 (14 for Ethernet)
header_proto - Ethernet (tried ether, ethernet, neither worked...)
trailer_size - 34
trailer_proto - blank


Also - would this be a good thing to put in the WIKI?  If so, any suggestions 
on where?


Thanks,
  --Jim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Halvorsen 
(bhalvors)
Sent: Saturday, July 21, 2007 8:26 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Setting up a display offset

I am using a feature called Cable Intercept on a Cisco CMTS, it packages up 
traffic between two endpoints into a udp wrapper and sends it to a machine where 
it's collected using wireshark,
 
To view the original packet I need to setup an offset of 58 bytes to view the 
original IP packet.
 
How can I do this?
 
Bill


Re: [Wireshark-users] Tons of ARP packets...?

2007-07-13 Thread Small, James
IchBin,

 Still need to find the bugger who is causing that problem. Or more
 interestingly where is this xxz0n3dxx.dyndns.org coming from on my
 machine. I did a global text search for xxz0n3dxx.dyndns.org and only
 found in 5 files but these related to the emails I have sent to this
 newsgroup. Maybe I should look for just xxz0n3dxx or dyndns by
themselves.
 
 When I see these Standard Queries, in real time, I see the Process-ids
 associated but no associated program initiating that process.

If this is a Windows machine, one thing you can try is installing
ZoneAlarm or Kerio's personal firewall.  This allows you to selectively
block network access on a per process basis.  While it could be time
consuming, you can start with a default deny where when anything wants
network access you must approve it.  The obvious programs like your
browser and E-mail client you can grant access.  For other programs that
request access you can google their process/binary name to learn more
about them.  There is a wealth of information on-line.

Once you find a process you don't like, try using something like the
Sysinternal's Process Explorer to learn more about the process.  Then
hopefully you can uninstall/delete/disable it.

If you didn't already, you may want to try installing Windows Defender
or other anti-spyware programs to check the PC.  If it's just one
program you might be able to kill it.  If it's a nasty one though you
might have to re-image/re-format the machine.  Some nasties are almost
impossible to eradicate.

Good Luck,
  --Jim



Re: [Wireshark-users] Beginner Quick Setup Question

2007-07-13 Thread Small, James
Depends on the switches - as long as they are RSPAN capable and not
limited by bugs then yes - setup RSPAN on 7 with the last one receiving
and spanning everything to your Wireshark node.  I believe you need a
2950 or better for RSPAN (except don't believe 3500XLs do RSPAN).  Also,
if you have RSPAN crossing multiple 2950s I believe there are some known
issues.  Search Cisco for RSPAN and review the release notes/doco for
your particular switches and IOS/CatOS version.

The following may help:
General Cisco Doco:  www.cisco.com/go/documentation
Good SPAN/RSPAN Overview:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Good VACL Capture Overview:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/rspan_wp.pdf

Just make sure you don't oversubscribe the switch port doing the
spanning or the interface or Wireshark - watch for interface errors on
the computer and the spanning switch.

If you have a 6500 then you might also want to check out VACL based
captures which are more flexible than (R)SPAN (see above link) -
especially since you are limited to a few SPAN sessions but can have
dozens or VACL based captures.  Note though that this only applies to
the 6500 - as far as I know it doesn't work on any other platforms, not
even a 4500.

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Peter Parady
 Sent: Friday, July 13, 2007 1:38 PM
 To: 'Community support list for Wireshark'
 Subject: [Wireshark-users] Beginner Quick Setup Question
 Importance: High
 
 I have 8 Cisco Switches and a Cisco Router in the LAN I want to
monitor,
 all nodes on the LAN connect directly to a switch. It looks as if I
need
 to configure SPAN on the Switch my Wireshark machine connects to and
RSPAN
 on all the other switches, or is there a better way to handle this?
 
 Thanks in Advance.
 


Re: [Wireshark-users] Beginner

2007-07-13 Thread Small, James
I completely agree - Laura's books are fantastic - an excellent investment if 
you want to get productive in network analysis quickly.  I still have and use 
her books on Novell networks - the Token Ring explanations are probably the 
best I have ever seen if you're (un)fortunate enough to still run into them...  
:-)  Even though the books are from the mid 90's, they were so well written 
that I still find them useful today - a true testament to great writing.

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Friday, July 13, 2007 12:06 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Beginner
 
 You're being too modest Laura. The lab kit is a fantastic resource and
 reality check for those who have anything to do with networks.
 
 People, Laura explains protocol analysis better than anyone I've ever
 read. (Yes, you can blush now Laura.) Clear, concise and eminently
 readable she makes what can be rather dry reading fun. Better, it's
 accessible to the average network professional - ubergeek credentials not
 required! Laura frequently writes on the subject for various magazines;
 she has a number of great entry level articles available online at
 connection magazine, http://www.novell.com/connectionmagazine . (She's
 featured in this quarter's magazine.)  I'll make a couple of
 recommendations for those starting out:
 
 Introduction to Network Analysis. If you're just starting out, you NEED
 this. How and why, with examples and humor. Even most managers will find
 this accessible.
 TCP Analysis and Troubleshooting. TCP/IP won the protocol wars, so you
 need to understand how the protocol suite is put together.
 
 Both of these are available either electronic or hard copy; check out
 http://www.packet-level.com/books.htm .
 
 You can also purchase these with other titles as a set - I bought the
 Master Library a couple of years ago, and even as an out of pocket
 professional purchase I've never regretted it. I can't think of a better
 resource if you're serious about getting into network analysis.
 
 Randy Grein
 Network Engineer
 
 
 
 
 Laura Chappell [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 07/12/2007 09:33 PM
 Please respond to: Community support list for Wireshark wireshark-users@wireshark.org
 To: 'Community support list for Wireshark' wireshark-users@wireshark.org
 cc:
 Subject: Re: [Wireshark-users] Beginner
 
 In addition, you can download the ISO image of the Laura's Lab Kit v8 from
 www.novell.com/connectionmagazine/laurachappell.html - there are training
 resources on the DVD.  In addition, at that same URL I have recorded
 monthly articles on network troubleshooting, network forensics and
 reconnaissance. Free to all.
 
 I agree with the need to understand the protocols! I co-authored Guide to
 TCP/IP with Ed Tittel - not sure where it is sold - it's used as a
 college textbook - check Amazon I guess.
 
 Laura Chappell
 Founder, Wireshark University
 Sr. Protocol/Security Analyst, Protocol Analysis Institute
 
 **
 
 This message is intended only for the use of the addressee and may contain
 information that is privileged and confidential. If you are not the
 intended recipient, you are hereby notified that any use and/or
 dissemination of this communication is strictly prohibited. If you have
 received this communication in error, please delete all copies of the
 message and its attachments and notify the sender immediately.
 **
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of zuoheng
 Sent: Thursday, July 12, 2007 7:25 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Beginner
 
 I am new to Wireshark too. But I would share some experience with you.
 
 First, before you use Wireshark to analyze some network traffic, you need
 to have some knowledge of TCP/IP fundamentals. Such as ARP packets, DNS
 query packets, IP source address, IP destination address, TCP port
 number, UDP port number, which are quite basic concepts of the TCP/IP stack.
 
 Interworking with TCP/IP Volume 1 or Illustration TCP/IP Volume 1 are
 two good books to read.
 
 Second, you may move to specific applications, such as http, email, nfs,
 cifs. These are upper layer
 protocols based on TCP/IP. One of Wireshark's strong points is that it
 provides so many dissectors to decode protocols. Though Wireshark is a
 good tool to capture and decode network traffic, and even give an
 analysis, you'd better know the protocol on your own and then utilize
 Wireshark.
 
 www.wiresharktraning.com has a free section of video courses and some tech
 notes, you may find it useful.
 
 http://www.wiresharktraining.com/files/msteched_traces.zip
 http://www.wiresharktraining.com/files/2007_microsoft_chappell.zip
 

Re: [Wireshark-users] Tons of ARP packets...?

2007-07-13 Thread Small, James
Dooh!  That's a major bummer.  Perhaps Zone Alarm then?  Or...

How about this for a wish item - the ability to filter and/or identify
network traffic by process name/ID.  Based on what I've seen from the
Sysinternals tools I believe it may be possible.  What do you think?

--Jim

 -Original Message-
  If this is a Windows machine, one thing you can try is installing
  ZoneAlarm or Kerio's personal firewall.
 
 ...and then possibly give up on using Wireshark to capture packets on
 that machine - Kerio and WinPcap appear to get into arguments on a
 number of occasions:
 

http://www.winpcap.org/pipermail/winpcap-users/2007-July/001975.html
 
 There have been other reports of problems with Kerio and WinPcap on
 the winpcap-users list.



Re: [Wireshark-users] Filter UDP from IP in UDP transport

2007-07-11 Thread Small, James
Scott,

I believe bittwist might be able to do the trick for you:
bittwist.sourceforge.net

--Jim



Hello 
I have a dataset where IP is transported in UDP 
For each packet in the Wireshark pcap capture I need to strip the first
50 bytes. 
I would like to then have a new file with just the IP packets free of
the encapsulating UDP wrapper. 
I have been working with Filter Display but I am at a loss. 
Can anyone bail me out? 
Thanks 
Scott 


Re: [Wireshark-users] TCP Dup Ack

2007-06-04 Thread Small, James
Roland,

What kind of problems?  Do the transfers abort?  Are they slow?

When dealing with a carrier, you need to be specific.  Remember that carriers 
deal with troubleshooting Internet traffic for a living so they are 
understandably skeptical if a non-carrier tells them there is something wrong 
with their network.  Not to say that there are never carrier issues - there 
are.  However, most of the time, the problem is not with the carrier/ISP.

Things you can do to show the customer ISP that you've done your homework:
1)  Perform download/speedtests throughout the day.  I like 
speakeasy.net/speedtest.  Keep track of the results.  Is the problem just 
during business hours or all day long?  What about on the weekends?
2)  If you look at all the customer equipment - are there any interface errors? 
 Look at the end user PC, all routers, switches, firewall, traffic shapers, 
in-line security equipment, and anything else that touches Internet traffic.  
Do any of them have any interface errors?  Are all of them operating at the 
correct speed and duplex settings?  Are all of them running solid network 
drivers and solid code versions with no known bugs/issues?
3)  When you get the problems - can you demonstrate them from multiple sites on 
the Internet?  Are you sure it's not just one site or another customer?
4)  You can also run tools to monitor Internet usage - is the customer maxing 
out their Internet pipe?  MRTG (UNIX/Linux), PRTG (Windows) are great and 
free/cheap tools to monitor Interfaces.
5)  Ask your ISP how they do speed tests.  Many ISPs have their own internal 
speed test or will setup an iperf server to allow CPE testing.
6)  Look at utilities like pingplotter and NetFlow Analyzer to watch traffic 
over time.


Once you do all of this and document your findings - if you're still stumped, 
you can forward your findings off to the customer's ISP to show them what 
you've done.  Then ask for their help.  Tell them you've done everything you 
can think of and ask them what else you should try to isolate the problem.  
Often times if you show an ISP that you've done your homework and made a 
reasonable effort to rule out any CPE issues, they will then take the time to 
seriously look at their equipment to see if anything is amiss.  They might also 
ask you to run some more tests - but as long as you work with them you should 
be able to get to the bottom of it.  Put on your patience hat though - 
troubleshooting Internet performance issues can be difficult and is often very 
time consuming.

--Jim
 


I have a couple of customers that have been complaining of issues on their 
circuits, an issue that causes them to have problems with large file transfers. 
The only noteworthy problems in their data streams seem to be TCP Dup Acks - 
I've seen as many as sixty, or over a hundred, in file transfers of 100 MB test 
files. However, as near as I can determine, these errors are being introduced 
in the Internet, outside of our network (the customers use VPNs over internet 
circuits with major carriers for these file transfers).

As I said, we've tested our own network thoroughly, but I'm at a loss as to 
where to go with this issue. Obviously, telling the customer, "It's not our 
fault" is unacceptable, as that doesn't move them any closer to error-free file 
transfers. On the other hand, I'm not sure where to tell the carriers' help 
desk technicians to look for the source of this issue. Has anyone seen this 
before on Internet circuits, and is there some way I can use Wireshark to help 
pinpoint the issue more specifically than telling the carrier, "It's in your 
cloud"?



[Wireshark-users] Malformed SSL - Is it really?

2007-04-10 Thread Small, James
Hello,

When using Wireshark 0.99.5 on Windows, sometimes I see:
[Malformed Packet: SSL]

e.g.:
No.: 381  Time: 15.301101  Source: 172.24.101.100  Destination: 172.24.100.107
Protocol: TLSv1  Src Port: 443  Dst Port: 1136  Delta: 0.017923
Info: Application Data, [Malformed Packet]
Frame 381 (1314 bytes on wire, 1314 bytes captured)
Arrival Time: Apr 10, 2007 10:20:40.195898000
[Time delta from previous packet: 0.017923000 seconds]
[Time since reference or first frame: 15.301101000 seconds]
Frame Number: 381
Packet Length: 1314 bytes
Capture Length: 1314 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:http:ssl]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: StBernar_00:8c:e5 (00:07:e8:00:8c:e5), Dst: Dell_00:be:6b 
(00:12:3f:00:be:6b)
Internet Protocol, Src: 172.24.101.100 (172.24.101.100), Dst: 172.24.100.107 
(172.24.100.107)
Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 1136 (1136), 
Seq: 9184, Ack: 1341, Len: 1260
Hypertext Transfer Protocol
Secure Socket Layer
TLSv1 Record Layer: Application Data Protocol: http
Content Type: Application Data (23)
Version: TLS 1.0 (0x0301)
Length: 1048
Encrypted Application Data: 
986EF11CE4141826D529372C664768C27C0E749FFC4BB768...
[Malformed Packet: SSL]

Is the packet really malformed, or is it possible that Wireshark doesn't 
support the cipher being used?  If so, is there any way to tell if the packet 
is really malformed versus Wireshark just not understanding it/the encryption 
scheme?

Thanks,
  --Jim
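One check worth making before calling a TLS record malformed is whether its record-layer header is actually bad or whether the record simply runs past the end of the TCP segment it starts in. As an added example (not from the post or from Wireshark), this Python walks the TLS records in one segment's payload and separates the two cases; the constructed payload reuses the sizes shown in the dissection above (a 1260-byte segment carrying a 1048-byte Application Data record), so the second record is necessarily cut short. Whether that is what happened in frame 381 is not something the post itself settles.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MAX_RECORD = (1 << 14) + 2048   # largest ciphertext fragment TLS 1.0-1.2 allows


def parse_tls_records(segment):
    """Walk the TLS records in one TCP segment's payload.

    Each result is 'complete', 'truncated' (valid header, body continues in a later
    segment, so TCP reassembly is needed before judging it) or 'invalid' (the bytes
    are not a TLS record header). Parsing stops at the first truncated/invalid one."""
    records, off = [], 0
    while off < len(segment):
        have = len(segment) - off
        if have < 5:                                   # not even a full 5-byte header
            records.append({"offset": off, "status": "truncated", "have": have})
            break
        ctype, version, length = struct.unpack("!BHH", segment[off:off + 5])
        if ctype not in CONTENT_TYPES or version not in VERSIONS \
                or not (0 < length <= MAX_RECORD):
            records.append({"offset": off, "status": "invalid",
                            "header": segment[off:off + 5].hex()})
            break
        rec = {"offset": off, "type": CONTENT_TYPES[ctype],
               "version": VERSIONS[version], "length": length}
        if have - 5 >= length:
            rec["status"] = "complete"
            off += 5 + length
        else:
            rec["status"] = "truncated"
            rec["have"] = have - 5                     # body bytes present in this segment
            off = len(segment)
        records.append(rec)
    return records


def build_sample_segment():
    """Constructed 1260-byte payload shaped like frame 381 in the post: one complete
    1048-byte Application Data record, then the first 207 bytes of the next one."""
    body = (bytes(range(256)) * 5)[:1048]              # stand-in for ciphertext
    first = struct.pack("!BHH", 23, 0x0301, 1048) + body
    second_partial = struct.pack("!BHH", 23, 0x0301, 1048) + body[:202]
    return first + second_partial


if __name__ == "__main__":
    for rec in parse_tls_records(build_sample_segment()):
        print(rec)
```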


Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-14 Thread Small, James
Hi Doug,

That sounds pretty sweet.  I tried to follow the steps and I think I'm
close.  I use bittwiste to change the Data Link Type:
bittwiste -I one.cap -O two.cap -M 147

I load the libpcap file in Wireshark 0.99.5.

Under the Info column I now see:  WTAP_ENCAP = 45, so I think so far so
good.

I open the preferences dialogue and navigate to the DLT_User_A Protocol.

I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
Special Encapsulation is left to No encapsulation
Payload is blank - if I enter IP, I get an error stating:  DLT User A:
No such proto: IP
Header Size is 48 (14 for Ethernet plus 34 for the proprietary header)
Trailer Size is 0
Header Protocol is empty - Setting this to IP produces the same error as
above
Trailer Protocol is empty

With these settings, I now see in the Middle Pane for a selected
packet/frame:
Frame 1 (96 bytes on the wire, 96 bytes captured)
Data (48 bytes)
Data (48 bytes)

Selecting the second Data (48 bytes), highlights the IP portion of the
frame, I can see the starting value of 0x4500 which signifies the
beginning of the IP header.  However, I don't have the option to decode
as IP.

What am I doing wrong?

I just need to get that second Data set to decode as IP and I'm golden.

Thanks,
  --Jim

 -Original Message-
 If you can modify the saved PCAP file using a hex editor, try setting
 the Pcap DLT at the start of the file to a user defined value such as
 147 (see the Wireshark docs and Wiki for info on the PCap file format).
 This will cause Wireshark to pass the whole packet to a DLT_User
 dissector.
 
 Then Edit\Preferences and look up Protocols\DLT_User.
 
 This allows you to say that the header is a certain number of bytes but
 should be ignored (leave the header proto blank) and the payload should
 be treated as a given protocol. If you set the header length to be
 Ethernet + vendor length, and the payload protocol to be IP, this might
 work for you (assumes the vendor header is fixed length).
 
 Someone has updated the UI for this preference in the latest Wireshark
 so that it's a bit clearer. I'm not sure what version you are using.
 

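The step "set the Pcap DLT at the start of the file to 147" (what `bittwiste -M 147` does) is a rewrite of one 32-bit field in the 24-byte pcap global header. The script below is an added example, not bittwiste's code and not part of the thread: it locates that field, honours the file's byte order as announced by the magic number, refuses pcapng files (where the link type lives elsewhere), and leaves every packet record untouched. The in-memory sample capture is constructed; the input and output file names in the usage line are placeholders.

```python
"""Rewrite the link-layer type of a classic pcap file to DLT_USER0 (147).

Added example, not part of the thread and not bittwiste's code; it does in
Python what the thread does with "bittwiste -M 147" or a hex editor. The
link-layer type is the last 32-bit field of the 24-byte pcap global header,
stored in the file's own byte order, which the magic number reveals. Only
that field changes; the packet records that follow are copied untouched.
"""
import struct
import sys

DLT_USER0 = 147  # DLT_USER0..DLT_USER15 (147..162) are reserved for private use
LINKTYPE_ETHERNET = 1

# Magic number as it appears on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def byte_order(data: bytes) -> str:
    """Return the struct prefix for this file's byte order, or raise ValueError."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    if data[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file: the link type lives in each "
                         "Interface Description Block, not at offset 20")
    try:
        return PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError("unknown magic %r" % data[:4]) from None


def read_linktype(data: bytes) -> int:
    """Read the 'network' field (bytes 20..23) of the global header."""
    return struct.unpack(byte_order(data) + "I", data[20:24])[0]


def set_linktype(data: bytes, linktype: int) -> bytes:
    """Return a copy of the capture with the global header's network field replaced."""
    if not 0 <= linktype <= 0xFFFFFFFF:
        raise ValueError("linktype must fit in 32 bits")
    order = byte_order(data)
    return data[:20] + struct.pack(order + "I", linktype) + data[24:]


def build_sample_pcap(order: str = "<", linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Constructed test input: a global header plus one 96-byte dummy record."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, network
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    frame = bytes(96)
    record = struct.pack(order + "IIII", 0, 0, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    # usage: python set_dlt_user.py in.cap out.cap   (both paths are placeholders)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    print("old linktype:", read_linktype(data))
    with open(dst, "wb") as f:
        f.write(set_linktype(data, DLT_USER0))
```

After the rewrite Wireshark hands every frame to the DLT_User dissector, which is where the header-size and payload-protocol preferences described in the thread come in; the value 147 itself carries no meaning beyond "private use", so a capture modified this way only decodes correctly on a machine with matching DLT_User preferences.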


Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-14 Thread Small, James
Yes--that's it!

Thanks Hans.

That definitely works and is easier than cutting the header out.
Nevertheless, I really like Guy's idea as that would still let me see the
Ethernet header too.

Thanks for everyone's help on this,
  --Jim

 -Original Message-
 Maybe try ip instead of IP.
 
 


Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-14 Thread Small, James
That's a great idea - I just did.  Truly a fantastic tool!

 -Original Message-
 You got to thank the developer(s) of bittwiste -- great tool, one of a
 kind!
 
 Frank
 



Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-13 Thread Small, James
  I am dealing with packets that are modified by a vendor device.  The
  packets are standard Ethernet frames with IP.  Once the frames/packets
  traverse the Vendor device, a new proprietary header is inserted
  between the Ethernet header and the IP header.
 
  So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the
  modified IP/Ethernet packet, my IP offset is 0x30.
 
  The modified IP/Ethernet packet looks like this:
  Ethernet Header
  Proprietary Header - 34 bytes
  IP Header and the rest of the packet
 
  Using Wireshark, is there a way to start the IP decode at a/the
  specified offset?
 
 There is no way to do this right now in Wireshark.  A dissector would
 need to be built that is able to be called from the Ethernet dissector
 and can call the IP dissector afterwards.  Do you know the format of the
 proprietary header?
 

Bummer - so you'd have to be a coder, eh?  Unfortunately my coding
skills are insufficient - I barely remember how to spell pointer...  :-)

I have no idea what the Vendor inserted header is.  I suspect there
might be two 48bit MAC addresses in there, but other than that I don't
know.  The header just shows up as an Ethertype and then I can see the
45 00 that designates where the IP header starts.

Since this capability is not currently present for non-coders, I just
took a stab at using bittwiste to cut out that part of the packet.
Then I can select the data after the Ethernet header and decode it as
IP.  It works fairly well, but it turns out that the vendor frame/packet
modifications are more extensive than I thought...

Anyway, could be a useful Wireshark feature - if you agree let me know
and I'll put it on the wish list.

Thanks,
  --Jim



Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-13 Thread Small, James
  Anyway, could be a useful Wireshark feature - if you agree let me know
  and I'll put it on the wish list.
 
 What would be nice would be a language to describe a packet format and
 an interpreter for the language, so that a non-programmer could add a
 dissector for simpler protocols.  Even if you just know that there's a
 34-byte header, and don't know its contents, you could describe the
 header as a 34-byte opaque blob.

Guy, that sounds like an excellent idea.  Would you like me to file the
request?

--Jim



Re: [Wireshark-users] Question on Internet Performance Troubleshooting

2007-03-02 Thread Small, James
Sweet--talking about a great source of information in networking!  :-)

Laura, please allow me to respond inline:

 If you can capture on both sides of the firewall with two time synced WS
 systems then you can merge the trace files and note the delay at the
 firewall.

[Small, James] That sounds like a great idea but I'm a little unclear on
how to do it.  So, if I have two XP computers synced to the same ntp
server (with the built-in SNTP Windows client) and start the captures at
close to the same time, would I then be able to use mergecap to
successfully merge them in order?

If so, I believe that's something I can do remotely and perhaps take
another stab at this problem.


 10% is really high - now it may be that there is packet loss somewhere
 upstream (closer to the HTTP server) and it's not your firewall's fault at

[Small, James] The problem definitely exists without the firewall.
However, I'm not letting myself off the hook as the firewall measurably
exacerbates the issue.

One off the wall idea - the site had two T1's (3.0 Mbps) multiplexed via
PPP before.  The problems seem to start close to around when they added
a third T1 (again via PPP) for a total of approx 4.5Mbps.  Is there any
chance that this could cause issues - seems to be a pretty standard
provider setup...


 all.  When we see a high number of lost packets (which, during the file
 download will cause duplicate ACKs from the client and retransmissions
 from the server) we'll run ping plotter or ping path to identify where
 packet loss may be occurring - you're kind of comparing apples to
 oranges, however and may find your itty bitty pings go flying through
 while larger packets are dropped. We have noted a router upstream from
 us that is dropping packets through this process, however.
 
 Do you only find the packet loss when the firewall is in place? Have you
 tried jacking in outside the firewall to perform the same download? What
 latency times are you seeing? If your duplicate ACK count gets really
 high (not just up to DUPE ACK #2 or so), then you may look into latency
 issues as well.

[Small, James] There is packet loss/issues with or without the firewall
- the firewall just seems to exacerbate it for some reason.

When I connect directly to the router (outside of the firewall) I get
measurably better performance but I still have somewhat erratic
performance and have never been able to get the advertised bandwidth on
the connection - even at night with 0 traffic.

I did set up PRTG to do pings every 10 seconds (32 bytes) to the ISP's
edge router and the first hop router in Chicago (believe at the Chicago
NAP).

The ISP edge router (12 hops from site) varies between 10-100+ ms for
latency.  I notice that when the performance becomes erratic, the ping
latency times spike.

The Chicago router (15 hops from site) varies between 15-130+ ms with
occasional drops.

One more thing I didn't mention - the problems are mainly between 7-3
when they have their peak load.  However, they are usually not getting
to more than 70% of their theoretical bandwidth capacity so I'm not sure
that it's necessarily a bandwidth problem.  When you look at an SNMP
graph of their bandwidth usage, it doesn't seem like they are maxing out
much and when they do it's very short lived.

Ping plotter looks very slick - I just set it up.  It appears to give
much more detail than other ping/tracert programs I've used.  I'll be
interested to see what it shows me next week.


Any other thoughts?

Thanks,
  --Jim



Re: [Wireshark-users] Question on Internet Performance Troubleshooting

2007-03-02 Thread Small, James
Steve,

I believe the 3 T1 are multiplexed using multilink PPP using an Adtran
router if I remember correctly.

Is there any way to tell if this PPP bundle is causing out of order
packets or other issues?

Thanks,
  --Jim

  One off the wall idea - the site had two T1's (3.0 Mbps) multiplexed
  via PPP before.  The problems seem to start close to around when they
  added a third T1 (again via PPP) for a total of approx 4.5Mbps.  Is
  there any chance that this could cause issues - seems to be a pretty
  standard provider setup...
 
 How are the three T1s load-balanced?  Multilink PPP or just using three
 paths that the routers see between each other?  When there are just
 three paths seen between the routers, the routers will often cache which
 destination goes over which circuit so the packets are transmitted
 across the same circuit in proper order for each destination on the
 other end.  Multilink PPP sends the packets in more of a round-robin
 fashion, where one of the packets could get caught behind a larger
 packet on say the first T1 while two other packets from the same session
 make it across the other two T1s quickly.  This would cause out-of-order
 packets.  Although that case is usually confined to slower speed links
 (< 768Kbps) and is called serialization delay.



Re: [Wireshark-users] Question on Internet Performance Troubleshooting

2007-03-02 Thread Small, James
Hi Sake,

Not an unreasonable suspicion - in fact, when I used:
http://miranda.ctd.anl.gov:7123/
The site suspected a duplex mismatch since my download speed tends to be
less than half of my upload speed.  Many times the upload speed is close
to the advertised rate but I have never been able to get the full
download speed.

Maybe I can double check with the provider on their router - but they
said they already checked everything and the service provider seems
decent.  Still, it's probably worth double checking.

On all my equipment, there are no errors/FCS, drops, out of buffers -
everything is perfect (from an Ethernet stand point anyway).  The newer
stuff is gigabit where the IEEE mandates auto-negotiation in the spec.
The older stuff that's 100 Mbps is hard coded just like you said.

I guess if it were easy there wouldn't be a whole IT profession, eh?
:-)

--Jim

 You probably have checked this already, but I could not resist in
 mentioning it, did you check the duplex settings on the uplink-router,
 the firewall and the switch-ports? If the packet-loss is higher when
 your (local) traffic increases, but your traffic is not maxing out
 your links, it does sound like a local problem and duplex mismatches
 are still source nr.1 in my experience.
 
 If it is possible, set all speeds and duplex-modes fixed. Having one
 side on fixed and the other side on auto is a sure cause for trouble.
 Having both sides on auto usually works, but does indeed give you
 duplex-mismatches sometimes. If you have a duplex mismatch, you will
 see a lot of FCS/alignment errors on the interface in full-duplex
 mode and a lot of collisions on the interface in half-duplex mode.



Re: [Wireshark-users] how to filter a port?

2007-02-26 Thread Small, James
Thanks Ulf--I didn't realize you could do that, I've been doing not
source and not destination - this is much more efficient!

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Ulf Lamping
 Sent: Monday, February 26, 2007 5:34 AM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] how to filter a port?
 
 David Drexler wrote:
  It's either to or from 'http'.  I also tried
 
  tcp.port != 80
 
  same results.  I want to run the capture realtime and only see the
  traffic that interests me.
 Your display filter falls under the "A common mistake" section, try
 !(tcp.port == 80) instead, which is not the same.
 
 HTTP can be transported over various TCP ports - not only port 80.
 
 See:
 http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol?action=show&redirect=HTTP
 for protocol info
 http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
 for capture filters and
 http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
 for display filters
 
 Regards, ULFL
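The difference between `tcp.port != 80` and `!(tcp.port == 80)` comes from how the display filter engine of that era treats a field that occurs more than once in a packet. The following is an added example, not from the thread and not Wireshark's code: two predicates that encode the two readings and run them over a constructed set of source/destination port pairs, so the "much more efficient" filter Jim mentions can be seen to keep only the packets he wanted.

```python
"""Model of why "tcp.port != 80" does not mean "not port 80".

Added example, not from the thread or from Wireshark. The 2007-era display
filter engine evaluates a comparison against every occurrence of the named
field in a packet, and a TCP segment has two tcp.port occurrences (source
and destination). "tcp.port != 80" therefore matches as soon as one of the
two differs from 80, i.e. nearly everything, while "!(tcp.port == 80)"
matches only when neither port is 80. The two predicates below encode those
two readings over constructed port pairs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src_port: int
    dst_port: int

    def port_fields(self):
        """Every occurrence of the tcp.port field in this packet."""
        return (self.src_port, self.dst_port)


def field_ne(pkt: TcpPacket, value: int) -> bool:
    """'tcp.port != 80': some occurrence of tcp.port differs from value."""
    return any(p != value for p in pkt.port_fields())


def not_field_eq(pkt: TcpPacket, value: int) -> bool:
    """'!(tcp.port == 80)': no occurrence of tcp.port equals value."""
    return not any(p == value for p in pkt.port_fields())


# Constructed sample traffic: two HTTP packets, one HTTPS packet, one 80<->80 oddity.
SAMPLE = [
    TcpPacket(80, 49152),    # server -> client, HTTP
    TcpPacket(49153, 80),    # client -> server, HTTP
    TcpPacket(443, 49154),   # HTTPS, the only packet with no port 80 at all
    TcpPacket(80, 80),       # both ports 80: the only packet "tcp.port != 80" drops
]


def apply_filter(predicate, value: int, packets=SAMPLE) -> list:
    """Keep the packets for which the display-filter predicate holds."""
    return [p for p in packets if predicate(p, value)]


if __name__ == "__main__":
    print("tcp.port != 80    keeps", len(apply_filter(field_ne, 80)), "packets")
    print("!(tcp.port == 80) keeps", len(apply_filter(not_field_eq, 80)), "packets")
```

Later Wireshark releases changed the meaning of `!=` on multi-occurrence fields and added explicit "any" and "all" comparison operators; the code models the behaviour the thread describes, and the release notes for the version in use are the place to confirm which reading applies.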


Re: [Wireshark-users] capturing packets in stealth mode on Windows

2007-02-03 Thread Small, James
Dave,

Under the Network Adapter Properties, under the General Tab, you should
see a list of clients/protocols/etc. that use the particular network
adapter.  For example:
Client for Microsoft Networks
VMware Bridge Protocol
Deterministic Network Enhancer
File and Printer Sharing for Microsoft Networks
Network Monitor Driver
Internet Protocol (TCP/IP)

You want to uncheck everything except the Network Monitor Driver - I
believe this is what WinPcap is using to monitor the network adapter.

You should then be able to silently monitor the network that this
particular network adapter is hooked up to.  I have tried this and it
works for me.

That said, if you want a perfect solution, you would have to get a switch
that can mirror/SPAN ports, or get a network tap, or cut the transmit
wires on the patch cord.

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of David Durgee
 Sent: Saturday, February 03, 2007 9:26 AM
 To: wireshark-users@wireshark.org
 Subject: [Wireshark-users] capturing packets in stealth mode on Windows
 
 I need to capture packets between a cable modem and a router for
 diagnostic purposes.  I have inserted a hub between them, so I can
 attach the Win2K system to it, but I need to avoid having the capturing
 system inserting packets of its own as it might either mask the problem
 I am trying to diagnose or create new problems.
 
 I have downloaded and installed Wireshark 0.99.4 on a Windows 2000
 system.  I am able to capture packets on my ethernet interface with the
 interface enabled and in full operation, but if I disable the interface
 as I expect I will need to in order to operate stealthy the interface
 is not available to select for capture in Wireshark.
 
 How do I need to configure things to be able to do what I need?  Can I
 define another ethernet interface using the same NIC that has no
 protocols enabled on it and then swap which one is enabled?  Do I need
 to disable all protocols on the existing interface for the capture and
 then manually re-enable them when I want to reconnect to the network?
 
 Any help appreciated.
 
 Dave




Re: [Wireshark-users] Question on new U3P format of Wireshark

2007-01-27 Thread Small, James
Thanks Hans--that looks pretty slick.

In this case though I would like to use the current version of Wireshark
and I'm wondering if this U3P package allows Wireshark to run from a
flash drive without installing anything on the host including WinPcap.

This would be especially appealing to me--but I'm not sure it's
possible, especially with the WinPcap part.

Thanks,
  --Jim


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Hans Nilsson
 Sent: Saturday, January 27, 2007 3:25 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Question on new U3P format of Wireshark
 
 If you're interested there's a version of Ethereal here that you don't
 need to install WinPcap or anything to use:
 http://www.download.com/PacketStuff-Network-Toolkit/3000-2085_4-10428838.html
 
 It's an older version and the author's page seems to be gone now but
 there's an archived version here where you can read how he did it:
 http://web.archive.org/web/20060427203232/http://www.packetstuff.com/
 
 On Sat, 27 Jan 2007 14:33:16 -0500, Small, James [EMAIL PROTECTED] said:
  I have a question on the upcoming U3P package of Wireshark:
 
  Let's say I get a U3 flash drive, and the u3p package for Wireshark.
  Does that mean I can take that flash drive to any computer (let's say
  Windows XP computer), plug it in, and run Wireshark doing a promiscuous
  capture from the U3P package?  I won't have to install anything,
  including WinPcap on the host computer?
 
  The last point I'm especially interested in--with the U3 packaging
  format, does it preclude having to install a driver on the host?
 
  Thanks,
    --Jim
 --
   Hans Nilsson
   [EMAIL PROTECTED]
 


Re: [Wireshark-users] Question on new U3P format of Wireshark

2007-01-27 Thread Small, James
Thanks Erick--that's exactly what I was wondering.

I agree that for our own computers, we'd just want Wireshark installed.

However, if you work in support and have to do a capture on a computer
with nothing the new packaging is definitely an improvement over having
to install everything.

--Jim


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Erick B
 Sent: Saturday, January 27, 2007 6:46 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Question on new U3P format of Wireshark
 
 I downloaded this new U3P package and tried it on my U3 flash drive.
 
 When you run it, it installs WinPcap (regular WinPcap installer) and
 when you exit WireShark it brings up Uninstall WinPcap application.
 
 I was just testing it out, etc myself also, as I just recently picked
 up a U3 drive. I needed a bigger portable thumb drive and found a deal
 on one w/U3 - wasn't looking for U3 specifically.
 
 So for now I think I'll stick to using regular install of WireShark so
 I don't have to deal with WinPcap every time I use WireShark.
 


Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Small, James
I wonder if ngrep would work for you:
http://ngrep.sourceforge.net/

There are binaries for most platforms including Linux and Windows.

Perhaps you could do something like this:
ngrep -I input.cap -O output.cap regex

I tried and it seems to work, although I only used a 20MB capture file.

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Seymour Dupa
 
 What about 'grep'?
 I used it a lot in my DOS days.  I'm sure there is/are
 Windows versions.  It's quite powerful with many
 wildcard characters and search patterns.  It will do a
 lot of filtering for you.
 You may have to run it several times for the
 different search parameters.
 
 John
 
 --- Guy Harris [EMAIL PROTECTED] wrote:
 
  On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
 
   I've read the man pages on the tools that come with Wireshark. I was
   hoping to find a tool that opens a capture, applies a filter and
   outputs matching packets to a new file. Here's a sample run of the
   hypothetical filtercap tool:
   # filtercap -r very-large.eth -w only-infrequent.eth -f tcp.port==5
 
  tcpdump -r very-large.eth -w only-infrequent.eth tcp port 5
 
  That can't do arbitrary display filtering, but truly *arbitrary*
  display filtering has problems with reassembly (i.e., a filter that
  matches something in the reassembled portion of the packet can't match
  anything but the last packet).  It also can't handle non-libpcap
  capture files, but given that your capture file is *from* tcpdump,
  it's obviously readable by tcpdump.
 
   tshark is almost the right thing, except that tshark also tries to
   read in the whole capture first instead of processing it like editcap.
 
  No, actually, it *does* process it like editcap; neither it nor
  Wireshark read the entire capture file into memory.  They *do* keep
  reassembled data in memory, but that's another matter.

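The "filtercap" tool Stuart describes, for the one case Guy's reply singles out as easy (a filter on fields of the packet itself, no reassembly), is short enough to write out. The script below is an added example, not code from tcpdump, tshark, editcap or the thread: it reads a classic pcap file one record at a time, keeps the records whose TCP source or destination port matches, and writes them behind a copy of the original global header. The sample capture, the frame builder and the function names are constructed here; the script assumes Ethernet frames carrying untagged IPv4.

```python
"""Streaming pcap filter: keep only packets touching a given TCP port.

Added example. It is not tcpdump, tshark or editcap code; it implements the
hypothetical "filtercap" from the thread for the one case that needs no
state across packets (a filter on fields of the packet itself), which is
why it can read one record at a time instead of loading the whole capture.
Filters that depend on reassembled data would need state across packets and
are not modelled. Assumes a classic pcap file of Ethernet frames (link type
1) carrying untagged IPv4.
"""
import io
import struct

MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
          b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def tcp_ports(frame: bytes):
    """(src_port, dst_port) of an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 14 + 20 + 4:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or frame[23] != IPPROTO_TCP:  # byte 9 of the IP header is the protocol
        return None
    tcp = frame[14 + ihl:14 + ihl + 4]
    if len(tcp) < 4:
        return None
    return struct.unpack("!HH", tcp)


def read_global_header(src):
    """Consume the 24-byte global header; return it and the file's byte order."""
    header = src.read(24)
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    return header, order


def iter_records(src, order: str):
    """Yield (record_header, frame) from an open stream, one record at a time."""
    while True:
        rec = src.read(16)
        if len(rec) < 16:
            return                            # clean end of file (or trailing junk)
        _, _, incl_len, _ = struct.unpack(order + "IIII", rec)
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            return                            # truncated last record: drop it
        yield rec, frame


def filtercap(src, dst, port: int) -> int:
    """Copy records whose TCP source or destination port equals `port`; return count."""
    header, order = read_global_header(src)
    dst.write(header)
    kept = 0
    for rec, frame in iter_records(src, order):
        ports = tcp_ports(frame)
        if ports and port in ports:
            dst.write(rec + frame)
            kept += 1
    return kept


def filter_bytes(data: bytes, port: int):
    """In-memory wrapper around filtercap: returns (filtered_pcap, kept)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    return dst.getvalue() if False else (lambda k: (dst.getvalue(), k))(filtercap(src, dst, port))


def tcp_port_list(data: bytes) -> list:
    """Ports of every record in a capture, for inspection and testing."""
    src = io.BytesIO(data)
    _, order = read_global_header(src)
    return [tcp_ports(frame) for _, frame in iter_records(src, order)]


# ---- constructed sample capture (not from the thread) ----------------------
def make_tcp_frame(sport: int, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame with zeroed addresses and checksums."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    return eth + ip + tcp


def make_sample_pcap() -> bytes:
    """Little-endian pcap with three TCP frames and one ARP frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [make_tcp_frame(49152, 5), make_tcp_frame(80, 49153),
              bytes(12) + b"\x08\x06" + bytes(28),        # ARP, no TCP ports
              make_tcp_frame(5, 49154)]
    out = bytearray(header)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)
```

Because `iter_records` only ever holds one record, memory use is independent of the capture size, which is Guy's point about editcap and tshark; what those tools additionally keep in memory is reassembly state, and a filter that needed it would have to keep it too.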


Re: [Wireshark-users] OUI Look Up Tool on Wireshark site?

2007-01-21 Thread Small, James
Here's another set - I heard that some vendors ask the IEEE not to
publish their blocks but I don't know if that's true...

http://map-ne.com/Ethernet/

--Jim

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith French
Sent: Sunday, January 21, 2007 5:08 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] OUI Look Up Tool on Wireshark site?

Laura,

I don't know if an error crept into my link, this is the one that
definitely works:-

http://www.ethereal.com/tools/oui-lookup.html

However, I didn't realise that the standards did a lookup, only the text
file. I'll probably use that one in future.

Keith.

- Original Message -
From: Laura Chappell mailto:[EMAIL PROTECTED]
To: 'Community support list for Wireshark' mailto:wireshark-users@wireshark.org
Sent: Sunday, January 21, 2007 7:42 PM
Subject: Re: [Wireshark-users] OUI Look Up Tool on Wireshark site?

Keith,

You could go straight to the IEEE to read the list
(http://standards.ieee.org/regauth/oui/oui.txt) or do a lookup online
(http://standards.ieee.org/regauth/oui/index.shtml).

Hope that helps... (I couldn't access the link you provided, so
I couldn't see how the lookup tool worked - did it point to other sites
or did it do a lookup on a static list on the server...?)

Laura
[EMAIL PROTECTED]






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith French
Sent: Sunday, January 21, 2007 7:37 AM
To: Wireshark-Users
Subject: [Wireshark-users] OUI Look Up Tool on Wireshark site?

On the old Ethereal web site there was an OUI Lookup Tool:-

http://www.ethereal.com:80/tools/oui-lookup.html

I cannot find this on the Wireshark site. Is it already on the
site elsewhere, or are there any plans to put it on the Wireshark site?


Re: [Wireshark-users] I see no captured packets at all

2007-01-02 Thread Small, James
Yep--that's it.  Thanks Guy.

Also, just for the record, I tried capturing under WinPcap under XP, SP2
both using the Microsoft Bridge and just using my wireless adapter in
non-promiscuous mode (Intel Pro Wireless 2200BG built-in to a Dell
Latitude D610).

My particular wireless card will only capture if I don't enable
promiscuous mode.  Interestingly enough, if I don't have the Microsoft
Bridge installed with the wireless card as a bridge adapter, then I
won't see multicast traffic groups that my host didn't join (in other
words I don't see most multicast traffic).  Once I set up the Microsoft
Bridge, then I can capture normally (using promiscuous mode) using the
bridge and all multicast traffic shows up using either the bridge or the
wireless card (although still must capture on wireless card with
promiscuous mode off).

Note that in any case, I cannot see non-broadcast/non-multicast traffic
which is not destined to my wireless card.  For this you would need the
AirPcap adapter.

--Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Guy Harris
 Sent: Friday, December 29, 2006 3:17 PM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] I see no captured packets at all
 
 Small, James wrote:
 
  Unfortunately, many wireless cards in Windows do not allow you to do
  network captures.  I used to have a link to a web site that explained it
  all and had a list of Wireless NICs/Chipsets and which ones worked or
  didn't work for network captures but now I can't find it.
 
 You might be thinking of
 
   http://www.micro-logix.com/WinPcap/Supported.asp
 
 which is linked to from
 
   http://wiki.wireshark.org/CaptureSetup/WLAN
 
 which gives information on wireless captures on various OSes, including
 Windows (and also mentions the AirPcap adapter).


[Wireshark-users] Question on interpreting TCP Expert Info

2006-12-29 Thread Small, James
Hello,

I am using Wireshark to look at mail traffic (SMTP/POP3).  When I look
at the trace I see lots of the following:
Previous Segment Lost
Retransmission (suspected)
Duplicate ACKs

I'm suspecting that this is exacerbated by not having enough Internet
bandwidth.

My question is, how do I interpret this?  Does this show that I don't
have enough bandwidth?  Does it mean there needs to be tuning?

I realize this is not an easy question and would be very happy even with
a "go read book ABC" answer - just as long as once I read book ABC I
would know how to interpret the data.

Any and all advice greatly appreciated.

Thank you,
  --Jim
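The three notes asked about are produced by tracking sequence and acknowledgment numbers per direction of a connection. The following is an added example, not Wireshark's TCP analysis code and not part of the thread: a deliberately simplified model of that tracking, run over a constructed trace of a mail download in which one segment goes missing. The trace, the `Segment` type and the simplifications listed in the docstring (no SACK, no window tracking, segments in capture order) are assumptions made here.

```python
"""Simplified model of three TCP expert-info notes.

Added example: not from the thread and not Wireshark's TCP analysis code,
but a compact model of the per-direction sequence tracking behind
"Previous segment lost", "Retransmission (suspected)" and "Duplicate ACK".
Assumptions (mine, not the page's): one TCP connection, segments in capture
order, no SACK, no window tracking, sequence numbers already relative.

Per direction of the connection:
  - a data segment whose seq is above the next expected seq means the
    capture never saw the bytes in between: "Previous segment lost";
  - a data segment whose seq is below the next expected seq re-sends bytes
    already seen: "Retransmission (suspected)";
  - a data-less segment repeating the ack number of the previous segment
    from the same sender: "Duplicate ACK #n".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str   # "c2s" or "s2c"
    seq: int         # relative sequence number of the first payload byte
    ack: int         # relative acknowledgment number
    length: int      # payload bytes in this segment


@dataclass
class DirState:
    next_seq: Optional[int] = None   # next byte we expect this sender to send
    last_ack: Optional[int] = None   # ack number of the last segment from this sender
    dup_count: int = 0


def analyze(segments: List[Segment]) -> List[Tuple[int, List[str]]]:
    """Return (index, [notes]) for every segment that earns an expert note."""
    state = {"c2s": DirState(), "s2c": DirState()}
    notes = []
    for idx, seg in enumerate(segments):
        st = state[seg.direction]
        tags = []
        if seg.length > 0:
            end = seg.seq + seg.length
            if st.next_seq is None or seg.seq == st.next_seq:
                st.next_seq = end                       # in-order data
            elif seg.seq > st.next_seq:
                tags.append("Previous segment lost")    # gap before this segment
                st.next_seq = end
            else:
                tags.append("Retransmission (suspected)")  # bytes seen before
                st.next_seq = max(st.next_seq, end)
            st.last_ack, st.dup_count = seg.ack, 0
        else:
            if st.last_ack is not None and seg.ack == st.last_ack:
                st.dup_count += 1
                tags.append("Duplicate ACK #%d" % st.dup_count)
            else:
                st.last_ack, st.dup_count = seg.ack, 0  # ack advanced: reset
        if tags:
            notes.append((idx, tags))
    return notes


def summarize(segments: List[Segment]) -> dict:
    """Count notes by kind, the way the Expert Info window groups them."""
    counts = {"Previous segment lost": 0, "Retransmission (suspected)": 0,
              "Duplicate ACK": 0}
    for _, tags in analyze(segments):
        for tag in tags:
            key = "Duplicate ACK" if tag.startswith("Duplicate ACK") else tag
            counts[key] += 1
    return counts


# Constructed trace: the server streams a mail download to the client, one
# segment goes missing, the client keeps acking 201, the server re-sends it.
SAMPLE_TRACE = [
    Segment("s2c", 1, 1, 100),     # 0: bytes 1-100
    Segment("c2s", 1, 101, 0),     # 1: ack 101
    Segment("s2c", 101, 1, 100),   # 2: bytes 101-200
    Segment("c2s", 1, 201, 0),     # 3: ack 201
    Segment("s2c", 301, 1, 100),   # 4: bytes 301-400; 201-300 never seen -> lost
    Segment("c2s", 1, 201, 0),     # 5: duplicate ACK #1
    Segment("c2s", 1, 201, 0),     # 6: duplicate ACK #2
    Segment("s2c", 201, 1, 100),   # 7: re-sent bytes 201-300 -> retransmission
    Segment("c2s", 1, 401, 0),     # 8: ack 401, gap filled
]

if __name__ == "__main__":
    for idx, tags in analyze(SAMPLE_TRACE):
        print(idx, tags)
    print(summarize(SAMPLE_TRACE))
```

What the model makes visible is that all three notes are symptoms of the same event: a segment did not reach the capture point (or the receiver), the receiver signalled it with repeated acknowledgments, and the sender re-sent it. They establish that loss is happening on the path; they do not by themselves say why. A saturated link is one cause, but the later messages on this page about duplex mismatches and an upstream router dropping packets describe others that produce exactly the same notes, which is why the loss rate has to be read alongside link utilisation and per-hop measurements rather than on its own.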


Re: [Wireshark-users] I see no captured packets at all

2006-12-28 Thread Small, James
Cor,

Unfortunately, many wireless cards in Windows do not allow you to do
network captures.  I used to have a link to a web site that explained it
all and had a list of Wireless NICs/Chipsets and which ones worked or
didn't work for network captures but now I can't find it.

However, many times you can get around this by bridging if you're using
XP.  Basically, you need to add the Microsoft Bridge and add your
wireless adapter to it.  You then choose the Microsoft MAC Bridge
Virtual NIC as the capture source instead of the Wireless card.  This
works in the majority of cases - I use it myself.

If I remember correctly, in the Network Control Panel, I believe you
select two adapters and then select bridge.  This creates a Microsoft
Virtual Bridge with the two adapters as members of the bridge.  After
the bridge is created, you can remove everything except your wireless
card and try capturing as described above (just go into the bridge
properties).

When you create the bridge, it acts just like a simple network bridge
including emitting 802.1d spanning tree BPDUs.  Be warned, many switches
(especially corporate ones) are configured to basically shut down if they
detect spanning tree BPDUs.  Usually if you're just bridging your
wireless card this doesn't create problems.  However, I have run into
some instances where the wireless network is seamlessly bridged to a
wired switch and when the switch detects spanning tree BPDUs, it
disables the switch port that the access point is on.  This is rare but
possible so be warned!

Also, sometimes my wireless connection can be a little flakey and if I
remove the bridge the problems go away.  That said, I usually always run
in bridged mode so I can do captures and for the most part it works
well.

Let me know if you have trouble setting up the bridging,
  --Jim


 -Original Message-
  I installed Wireshark (Version 0.99.4 (SVN Rev 19757)) on my laptop
  (Acer Aspire 6510 with a built-in Intel PRO/Wireless 3945ABG network
  card), running Windows XP sp2.
  My LAN has an Asus WL500g router and a 3COM switch for the wired
  desktops attached to it.
 
  When I start capturing on the laptop, the name of my network card is
  mentioned in the top of the capture window all right, but no captured
  packets are shown, even if I wait for 10 minutes.
 
  I also uninstalled and re-installed WinPcap (version 3.1)
 
  What am I doing wrong? Is this network card the evil part?
  On one of the wired desktops, it works fine.



[Wireshark-users] TCP Reassembly Question

2006-12-16 Thread Small, James
I have learned much from listening to the list, especially about TCP and
HTTP.  Thank you to everyone for this!

One question that this has brought up for me is on TCP Reassembly.  I
read Stevens' TCP/IP Illustrated and other networking books so I have a
pretty good idea how TCP works.  However, I don't believe I completely
understand TCP segmenting.

Is the way it works like this?

I want to transmit a 100K PNG file via TCP.
TCP segments (right term?) the packet to accommodate the MTU of the
underlying transport.
So if we're using Ethernet with an MTU of 1500 and IP+TCP overhead of 40
bytes, my payload size is 1460 bytes per packet (assuming no MSS
reductions in SYN packets).
TCP would use 71 packets to transmit the 100K image (102400 bytes).
(Assuming ideal conditions and each packet is max size)

So I'm assuming if I use Wireshark, I would see 70 "TCP segment of a
reassembled PDU" frames and then one frame showing the transfer protocol
(http for example) at the end.

I have tried something like this and it appears to work that way.

So assuming my understanding is correct, is there any way to tell from
looking at a TCP packet/segment which other TCP segments are part of the
same stream?

Or is everything for one TCP session between the SYN-SYN/ACK-ACK and the
FIN/ACK-ACK-FIN/ACK-ACK part of the stream?

I guess another way to ask this question would be to say, can I use one
TCP session to send multiple files or does each file/data chunk require
a new TCP session/stream?

Thank you,
  --Jim


Re: [Wireshark-users] SSH packets

2006-12-09 Thread Small, James
What about:
tcp.port==22

Normally an SSH Server/Service/Daemon listens on TCP Port 22.

If the SSH end point is on a different port, then you can filter on the
server port (e.g. tcp.port==60022) and right click on a packet and
select decode as, and choose SSH.

Hope this helps,
  --Jim

 -Original Message-
 Hi all,
 
  Can anybody tell me how can I capture packets which belong to SSH
  connection? When I establish a SSH connection, even all SSH packets are
  shown as TCP packets however I have set the filter to capture all packets.
 



Re: [Wireshark-users] 2 gig limit on mergecap

2006-11-23 Thread Small, James
Your suspicions are correct:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/choosing_between_ntfs_fat_and_fat32.mspx?mfr=true
 
The file size limit for FAT32 appears to be 4GB.
 
That said, I can't imagine trying to use a modern Hard Drive with large 
partitions and writing large files under FAT32 - it's just not a robust file 
system and is too easily corrupted.
 
--Jim

---

I always thought 4 gb was the limit for FAT32.

On Thu, 23 Nov 2006 01:09:40 +, William Saw
[EMAIL PROTECTED] said:
 Hi Daniel,
 If you are running on a Windows FAT32 disk partition, that is the
 limitation.
 Try NTFS.
 Regards,
 SL Saw

 From: Jeff Morriss [EMAIL PROTECTED]
 Reply-To: Community support list for Wireshark
 wireshark-users@wireshark.org
 To: Community support list for Wireshark wireshark-users@wireshark.org
 Subject: Re: [Wireshark-users] 2 gig limit on mergecap
 Date: Thu, 23 Nov 2006 08:51:11 +0800
 
 
 
 Daniel Goolsby wrote:
   I sifted through some of the archives but couldn't find anything whether
   this was going to be fixed.  I started capturing all port 80 traffic..
   every hour i send that tcpdump to another machine, so at the end of the
   day i wanted to merge all the traffic together in one nasty port 80
   tcpdump file.
  
   regardless, mergecap stops at 2g.  I made sure and compiled merge on a
   Sparc Sun box, i also recompiled zlib to make sure it was at least
   compiled on a 64bit machine- no telling if it had any real effect.
  
   regardless, it still stops after the 2 gig limit has been reached on the
   new dump file i'm trying to create.  Are there any other tools that can
   merge tcpdump files that anyone knows of that doesn't have this limit?
  
   I could probably 'tcpreplay' the individual files on an interface that
   isn't being used, and tcpdump that one, but that's the only workaround
   i've thought up so far.
  
   Any suggestions/comments?
 
 One other thought is: what will you do with a capture file > 2 GB big?
 Are you aware that Wireshark needs a lot of memory to open large capture
 files:
 
 http://wiki.wireshark.org/KnownBugs/OutOfMemory
 
 ?
--
  Hans Nilsson
  [EMAIL PROTECTED]






Re: [Wireshark-users] RST in connection after webserver upgrade. Please help analyse

2006-11-16 Thread Small, James
Jeroen,

From what you included below, it looks like after the upgrade, the web
server responds with an extra/extraneous FIN segment.  In the before
scenario, you have a proper shutdown - FIN/ACK > ACK (close one
direction), FIN/ACK > ACK (close other direction).  In the after
scenario you have a FIN/ACK from the web server followed by a FIN/ACK
from the load balancer.  It looks like the web server is then sending
another FIN/ACK.  Next it appears that the load balancer is responding
to the first FIN/ACK with an ACK and then responds to the second FIN/ACK
with a RST.

Now as to why that's happening is another question...

That's my interpretation anyway...hope it helps,

  --Jim

We have 2 IBM IHS webservers (Apache 2.0.x) with Avaya loadbalancers
on top. The loadbalancer does a healthcheck every 5 seconds with a
GET / HTTP/1.1 request. Now the health check works and this is the flow:

Webserver1: 10.132.32.97
Loadbalancer: 10.132.32.124



No. Time      Source         Destination    Protocol Info
 28 6.281687  10.132.32.124  10.132.32.97   TCP      63264 > 50110 [SYN] Seq=0 Len=0
 29 6.281764  10.132.32.97   10.132.32.124  TCP      50110 > 63264 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
 30 6.284956  10.132.32.124  10.132.32.97   TCP      63264 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
 31 6.285819  10.132.32.124  10.132.32.97   HTTP     GET / HTTP/1.1
 32 6.286340  10.132.32.97   10.132.32.124  HTTP     HTTP/1.1 200 OK (text/html)
 33 6.289605  10.132.32.124  10.132.32.97   TCP      63264 > 50110 [FIN, ACK] Seq=90 Ack=605 Win=8192 Len=0
 34 6.289649  10.132.32.97   10.132.32.124  TCP      50110 > 63264 [ACK] Seq=605 Ack=91 Win=32768 Len=0
 35 6.289691  10.132.32.97   10.132.32.124  TCP      50110 > 63264 [FIN, ACK] Seq=605 Ack=91 Win=32768 Len=0
 36 6.293661  10.132.32.124  10.132.32.97   TCP      [TCP Dup ACK 33#1] 63264 > 50110 [ACK] Seq=91 Ack=605 Win=8192 Len=0
 37 6.294571  10.132.32.124  10.132.32.97   TCP      63264 > 50110 [ACK] Seq=91 Ack=606 Win=8192 Len=0

We needed to upgrade our webserver to a new IBM IHS release (Apache
2.0.47) and now the health check doesn't work and Avaya marks the
webserver as down, because the Avaya needs an HTTP 200 OK response
AND a properly closed TCP connection.

And as you can see, the session is not closed nicely. The loadbalancer
sends a RST to close the connection.

Can anybody see why?

 

No. Time       Source         Destination    Protocol Info
 51 10.000206  10.132.32.124  10.132.32.97   TCP      63378 > 50110 [SYN] Seq=0 Len=0
 52 10.000345  10.132.32.97   10.132.32.124  TCP      50110 > 63378 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
 53 10.003637  10.132.32.124  10.132.32.97   TCP      63378 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
 54 10.004307  10.132.32.124  10.132.32.97   HTTP     GET / HTTP/1.1
 55 10.004993  10.132.32.97   10.132.32.124  HTTP     HTTP/1.1 200 OK (text/html)
 56 10.005111  10.132.32.97   10.132.32.124  TCP      50110 > 63378 [FIN, ACK] Seq=624 Ack=90 Win=32768 Len=0
 57 10.014761  10.132.32.124  10.132.32.97   TCP      63378 > 50110 [FIN, ACK] Seq=90 Ack=624 Win=8192 Len=0
 58 10.014820  10.132.32.97   10.132.32.124  TCP      50110 > 63378 [FIN, ACK] Seq=624 Ack=91 Win=32768 Len=0
 59 10.016232  10.132.32.124  10.132.32.97   TCP      63378 > 50110 [ACK] Seq=91 Ack=625 Win=8192 Len=0
 71 12.180680  10.132.32.124  10.132.32.97   TCP      63378 > 50110 [RST] Seq=92 Len=0



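As an added example (not code from this thread), a small Python checker that reads Wireshark packet-list lines like the two listings above and flags the close-sequence anomalies Jim describes: a FIN repeated by one side, a FIN the peer never acknowledges, and the final RST. The two listings are embedded as they appear in the post; the regexes and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Wireshark packet-list summary lines as quoted in the post
# (No. Time Source Destination Protocol Info), one packet per line.
LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\w+)\s+(?P<info>.*)$")
# TCP flags plus Seq/Ack from the Info column, e.g. "[FIN, ACK] Seq=624 Ack=90 Win=32768 Len=0".
# "[TCP Dup ACK 33#1]" contains lowercase letters and digits, so it is skipped over.
FLAGS = re.compile(r"\[([A-Z, ]+)\]\s+Seq=(\d+)(?:\s+Ack=(\d+))?")


@dataclass
class Segment:
    no: int
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: Optional[int]


def parse_summary(text: str) -> list:
    """Parse the TCP rows; HTTP rows show no flags in the summary and are skipped."""
    segments = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        f = FLAGS.search(m["info"])
        if not f:
            continue
        flags = frozenset(x.strip() for x in f.group(1).split(","))
        ack = int(f.group(3)) if f.group(3) else None
        segments.append(Segment(int(m["no"]), m["src"], m["dst"], flags, int(f.group(2)), ack))
    return segments


def check_teardown(segments: list) -> list:
    """Report what the post points at: a FIN repeated by one side, a FIN that
    the peer never acknowledges, and a RST in place of a clean close."""
    findings = []
    fin = {}           # sender -> (frame no of its first FIN, seq that FIN occupies)
    fin_acked = set()  # senders whose FIN the peer acknowledged
    for s in segments:
        # A FIN consumes one sequence number, so Ack > FIN seq acknowledges it.
        if s.dst in fin and s.ack is not None and s.ack > fin[s.dst][1]:
            fin_acked.add(s.dst)
        if "RST" in s.flags:
            findings.append(f"frame {s.no}: RST from {s.src}, session aborted instead of closed")
        elif "FIN" in s.flags:
            if s.src in fin:
                findings.append(f"frame {s.no}: second FIN from {s.src} (first in frame {fin[s.src][0]})")
            else:
                fin[s.src] = (s.no, s.seq)
    for side, (no, _) in fin.items():
        if side not in fin_acked:
            findings.append(f"frame {no}: FIN from {side} never acknowledged")
    return findings


# Listings copied from the post: 10.132.32.97 is the web server, 10.132.32.124 the load balancer.
BEFORE_UPGRADE = """
 28 6.281687 10.132.32.124 10.132.32.97  TCP  63264 > 50110 [SYN] Seq=0 Len=0
 29 6.281764 10.132.32.97  10.132.32.124 TCP  50110 > 63264 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
 30 6.284956 10.132.32.124 10.132.32.97  TCP  63264 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
 31 6.285819 10.132.32.124 10.132.32.97  HTTP GET / HTTP/1.1
 32 6.286340 10.132.32.97  10.132.32.124 HTTP HTTP/1.1 200 OK (text/html)
 33 6.289605 10.132.32.124 10.132.32.97  TCP  63264 > 50110 [FIN, ACK] Seq=90 Ack=605 Win=8192 Len=0
 34 6.289649 10.132.32.97  10.132.32.124 TCP  50110 > 63264 [ACK] Seq=605 Ack=91 Win=32768 Len=0
 35 6.289691 10.132.32.97  10.132.32.124 TCP  50110 > 63264 [FIN, ACK] Seq=605 Ack=91 Win=32768 Len=0
 36 6.293661 10.132.32.124 10.132.32.97  TCP  [TCP Dup ACK 33#1] 63264 > 50110 [ACK] Seq=91 Ack=605 Win=8192 Len=0
 37 6.294571 10.132.32.124 10.132.32.97  TCP  63264 > 50110 [ACK] Seq=91 Ack=606 Win=8192 Len=0
"""
AFTER_UPGRADE = """
 51 10.000206 10.132.32.124 10.132.32.97  TCP  63378 > 50110 [SYN] Seq=0 Len=0
 52 10.000345 10.132.32.97  10.132.32.124 TCP  50110 > 63378 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
 53 10.003637 10.132.32.124 10.132.32.97  TCP  63378 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
 54 10.004307 10.132.32.124 10.132.32.97  HTTP GET / HTTP/1.1
 55 10.004993 10.132.32.97  10.132.32.124 HTTP HTTP/1.1 200 OK (text/html)
 56 10.005111 10.132.32.97  10.132.32.124 TCP  50110 > 63378 [FIN, ACK] Seq=624 Ack=90 Win=32768 Len=0
 57 10.014761 10.132.32.124 10.132.32.97  TCP  63378 > 50110 [FIN, ACK] Seq=90 Ack=624 Win=8192 Len=0
 58 10.014820 10.132.32.97  10.132.32.124 TCP  50110 > 63378 [FIN, ACK] Seq=624 Ack=91 Win=32768 Len=0
 59 10.016232 10.132.32.124 10.132.32.97  TCP  63378 > 50110 [ACK] Seq=91 Ack=625 Win=8192 Len=0
 71 12.180680 10.132.32.124 10.132.32.97  TCP  63378 > 50110 [RST] Seq=92 Len=0
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(name, check_teardown(parse_summary(text)) or ["clean close"])
```

Run against the "before" listing it reports nothing; against the "after" listing it flags frame 58 (second FIN from 10.132.32.97) and frame 71 (RST from the load balancer), while both FINs do get acknowledged, which narrows the question to why the load balancer resets a connection that was otherwise fully closed.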

Re: [Wireshark-users] Exporting raw packet data?

2006-11-14 Thread Small, James
Pretty cool Sake.

I don't have any UDP streams to coalesce at the moment, but just looking
at your perl script gave me some ideas.

Thanks,
  --Jim

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:wireshark-users-
 [EMAIL PROTECTED] On Behalf Of Sake Blok
 Sent: Tuesday, November 14, 2006 7:59 AM
 To: Community support list for Wireshark
 Subject: Re: [Wireshark-users] Exporting raw packet data?
 
 On Mon, Nov 13, 2006 at 09:02:41PM -1100, Hans Nilsson wrote:
   You could try saving it as a pcap-file and stripping out the headers. Or
   exporting only the packet bytes as plain-text and using sed, awk or any
   other tool to extract the right data.
 
 Based on your challenge, I wrote a little perl-script that I think
 would do the trick.
 
 The perl-script will take all udp-packets from a saved trace-file
 and will extract the udp-payload to a file. If you use (wire|t)shark
 to select only the UDP-stream that you want, I think it will produce
 exactly what you are looking for :)
 
 Cheers,
 
 
 Sake


Re: [Wireshark-users] Exporting raw packet data?

2006-11-13 Thread Small, James
Replies in-line below...

  I didn't even realize you could do this until I read your question, but
  here is one way (not sure if this is exactly what you want):
  Open a capture
  Narrow down the interesting packets
  (For example, I do a lot of web traffic analysis so I might use a filter
  such as http.content_length > 2)
  Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save
  - just the actual binary data, not the packet headers.
  I would click on the interesting packet (assuming I have TCP and HTTP
  reassembly enabled)
  Next, in the packet details window (middle pane) I would click on the
  relevant data portion.  So for a JPEG image this would be the part that
  reads JPEG File Interchange Format.
  Finally, I would use the File->Export->Selected Packet Bytes menu item.
  Then I would name the file and I personally change the save as type to
  *.* so I can set the file extension (not completely sure this is
  necessary but I do it out of habit).
  Now, if I open up this file with a graphics viewer I will see that I
  have a valid JPEG.
 
 Pretty cool stuff.
 
 I think that would work for small amounts of data, but I'm dealing
 with video streams over hundreds of packets.
 

Out of curiosity, I just tried it on a 4.4MB video file and while a
little slow, it worked well.  This is definitely a slick program!

 
  You can also filter by TCP streams (but I believe you can't save as raw
  from the TCP Streams page).
 
 You  can save as raw. It's great for video streams over TCP.
 I was hoping for a similar capability for UDP streams, after I'd
 applied a filter.
 

You're right of course - there is a save as raw option.  I noticed
though that this option also saves the headers.  Thus for a binary file
such as an image, you have to use a hex editor or binary editing program
so you don't corrupt the file when you remove the headers.  The other
way it just saves the binary data so it's a small convenience that saves
you from removing the headers.

I agree that it would be nice to have something like this for UDP but
that means someone would have to write the dissector/re-assembler.
Probably not an easy task.

--Jim


Re: [Wireshark-users] filter to capture ospf packets?

2006-11-02 Thread Small, James
Stan,

I believe you have it, but just to re-iterate:
The most common capture is usually TCP/IP over Ethernet.

So if we look at a capture of TCP/IP traffic over Ethernet, a typical
Frame looks like this:
Ethernet Frame which carries a Network Protocol (such as IP)
IP Datagram which carries a Transport Protocol (such as UDP or TCP or OSPF)
UDP Datagram or TCP Segment which carries a Service/Application (a Port)
Service/Application Data or Possibly Additional Layers (e.g. Http, XML, etc...)

So when we're talking about a protocol in this case, we're talking
about the Transport Protocol that IP is carrying.

So for OSPF, it's protocol 89 or 0x59 in Hexadecimal (as displayed by
Wireshark)

This is important to understand - I often find that there is some
confusion in the difference between a Transport Protocol or Layer 4
Protocol and a Port/Service/Application which typically uses UDP or TCP.

/etc/protocols in UNIX/Linux or %windir%\system32\drivers\etc\protocol
in Windows NT+ or IANA (best source) has the list of protocols that IP
can carry which range from 0-255.

/etc/services (Windows dir, IANA too) has the list of ports (0-65535)
for TCP and UDP and what the assigned service/application/daemon is.

Popular protocols:
1 - ICMP
6 - TCP
17 - UDP
47 - GRE
50 - ESP (IPSec)
51 - AH (IPSec)
88 - EIGRP
89 - OSPF

Some Popular Services which ride on UDP/TCP:
TCP/21 - FTP
TCP/22 - SSH
TCP/25 - SMTP
TCP/80 - HTTP

UDP/53 - DNS
UDP/67 - DHCP/BOOTP Server
UDP/69 - TFTP
UDP/161 - SNMP

I hope this helps and please let me know if it's not clear,
  --Jim

-Original Message-
On Thu, Nov 02, 2006 at 05:50:23PM +, LEGO wrote:
 cat /etc/protos
 
 
Ah, /etc/services brother. Thanks, I did not even know that was there.

-- 
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

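As an added example serving both this OSPF thread and the "Exporting raw packet data" thread earlier on the page (it is not code from either thread, nor Sake's perl script), the following Python reads a constructed libpcap file, classifies each packet by its IP protocol number (OSPF, protocol 89, gets the capture filter `ip proto 89` because it has no port, while UDP and TCP get port filters), and concatenates the UDP payload of each flow without headers. The sample addresses, the in-memory capture and all helper names are constructed for this example.

```python
import struct
from collections import defaultdict

# IP protocol numbers and service ports listed in the OSPF post above
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH",
                88: "EIGRP", 89: "OSPF"}
TCP_SERVICES = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP"}
UDP_SERVICES = {53: "DNS", 67: "DHCP/BOOTP", 69: "TFTP", 161: "SNMP"}

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4      # written little-endian below, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(proto, src, dst, payload):
    """Constructed Ethernet + IPv4 frame (zero MACs, zero checksum) for the sample."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip4(src), ip4(dst))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum zero = not computed) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_pcap(frames):
    """Minimal libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1162000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Yield the captured bytes of each record from an Ethernet libpcap blob."""
    if struct.unpack("<I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    if struct.unpack("<I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack("<IIII", blob[off:off + 16])[2]
        yield blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def classify(frame):
    """Protocol number/name for any IPv4 packet; ports and service only for TCP/UDP.
    OSPF (89) has no port: it rides directly on IP, like ESP, AH and GRE."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": proto, "proto_name": IP_PROTOCOLS.get(proto, "other"),
           "sport": None, "dport": None, "service": None, "payload": b""}
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        table = TCP_SERVICES if proto == 6 else UDP_SERVICES
        rec.update(sport=sport, dport=dport, service=table.get(dport) or table.get(sport))
        if proto == 17:                       # UDP header is a fixed 8 bytes
            rec["payload"] = ip[ihl + 8:total_len]
    return rec


def capture_filter(rec):
    """The pcap filter that would select this packet: protocol-level unless TCP/UDP."""
    if rec["sport"] is None:
        return f"ip proto {rec['proto']}"
    return f"{'tcp' if rec['proto'] == 6 else 'udp'} port {rec['dport']}"


def udp_streams(blob):
    """Concatenate UDP payloads per (src, sport, dst, dport): the headerless
    per-stream data the 'Exporting raw packet data' thread was after."""
    streams = defaultdict(bytes)
    for frame in read_pcap(blob):
        rec = classify(frame)
        if rec and rec["proto"] == 17:
            streams[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += rec["payload"]
    return dict(streams)


# Constructed sample capture: one OSPF packet, two datagrams of one UDP flow, one DNS query
SAMPLE_PCAP = build_pcap([
    build_frame(89, "10.0.0.1", "224.0.0.5", bytes([2, 1]) + bytes(22)),
    build_frame(17, "10.0.0.7", "10.0.0.9", build_udp(40000, 5004, b"video-part-1|")),
    build_frame(17, "10.0.0.7", "10.0.0.9", build_udp(40000, 5004, b"video-part-2|")),
    build_frame(17, "10.0.0.7", "10.0.0.53", build_udp(40001, 53, b"\x12\x34" + bytes(10))),
])

if __name__ == "__main__":
    for frame in read_pcap(SAMPLE_PCAP):
        rec = classify(frame)
        print(rec["proto_name"], rec["sport"], rec["dport"], "->", capture_filter(rec))
    for flow, data in udp_streams(SAMPLE_PCAP).items():
        print(flow, data)
```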

Re: [Wireshark-users] TCP Decoding differences between Ethereal 0.99 and Wireshark 0.99.3/4?

2006-11-01 Thread Small, James
Thank you Steve, I believe you are right.

Jaap/Ulf - I know you are busy and this does not appear to be a high
priority bug.  Is there any work around to disable the bug 852 fix so
that if you want to easily display TCP stream text and are willing to
accept the crash risk you can?

Thanks,
  --Jim
 
-Original Message-
 Except--when I follow the TCP stream with Ethereal 0.99, this works 
 great.  However, when I do the same thing with Wireshark 0.99.3/4 
 (I've tried 0.99.3 and just uninstalled/re-installed 0.99.4), the 
 password does not appear in the ASCII/Raw decoding screens.

This appears to be related to bug #1043:

  http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1043

The work-around has caused the last character of each packet to be 
dropped, which is where the username and password characters are in a 
telnet session.


Steve



[Wireshark-users] TCP Decoding differences between Ethereal 0.99 and Wireshark 0.99.3/4?

2006-10-31 Thread Small, James
I teach networking and security at a community college.  When explaining
to students why they should bother to use ssh and not telnet I like to
show how easy it is to capture plain text passwords by firing up
Wireshark and doing a live demo.  Sometimes a picture/demo is worth a
thousand words.  Even though this is fairly common knowledge for
experienced network/security folks, I find many people are shocked to see
just how easy it is.

At any rate, my demo consists of telneting to a router while running
Wireshark and logging in.  I then use the follow the TCP stream option
to show that the password is easily exposed.

Except--when I follow the TCP stream with Ethereal 0.99, this works
great.  However, when I do the same thing with Wireshark 0.99.3/4 (I've
tried 0.99.3 and just uninstalled/re-installed 0.99.4), the password
does not appear in the ASCII/Raw decoding screens.  If I look at the
individual packets I can piece together the password.  Also, if I use
Hex Dump option, it's not as easy to read as in 0.99 but you can see it.

Is there a preference change or something else from 0.99 to 0.99.3/4
that would explain this?

Thanks,
  --Jim



Re: [Wireshark-users] How to find the application sending a name request?

2006-10-28 Thread Small, James
One way to narrow it down would be to use Wireshark to identify the source IP 
and port.  So on that particular Windows box, you could then use either netstat 
-ano (believe only 2003 and XP add the -o option) or you could use fport from 
Foundstone:
http://www.foundstone.com/knowledge/proddesc/fport.html

These should let you map the source port to a particular process ID or 
application/service.  From there the best tool to use to look at processes is 
probably Process Explorer on sysinternals.com:  
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Alternatively you can use the Windows built-in tool by pressing Control-Shift-Esc to 
bring up Windows Task Manager and click on the Process Tab.  However, Process 
Explorer is much more thorough and powerful (and also free).

On the same site you can also check out TCPView that lets you view all 
networking apps and the process IDs:  
http://www.sysinternals.com/Utilities/TcpView.html

That's not perfect but it should give you a good start.  If you still can't 
figure it out after that try posting again with what you found so far.

--Jim


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 3:11 PM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] How to find the application sending a name request?

Hi,

I have no experience in network analysis. However, there is a network problem 
here and I think I have found it using Wireshark: Some Windows application or 
service is sending name queries asking for a server which has been removed from 
the net.

Now my question: How can I find out which application or service within windows 
is sending those name queries? That must be trackable somehow but I have no 
idea how...

It would be great if somebody could give me help on this!

Thanks,
  Bob
  



Re: [Wireshark-users] How to find the application sending a name request?

2006-10-28 Thread Small, James
Bob,

If the query is coming from a remote machine, you should be able to run
Wireshark on that system and see the source of the original query to the
DNS server. If that's not the case and the query is initiated from the
local machine then I'm not sure. You could try this tool from
Sysinternals:

http://www.sysinternals.com/Utilities/TdiMon.html

That might help. You used to be able to get a trial version of
TCPViewPro from winternals.com but I don't see that option any more.
That version is more powerful.

You can also run services.msc and try stopping services or use Process
Explorer and kill processes until you figure out which one is the
culprit. Short of that, I'm not sure what else to tell you. I'm not much
of a Windows internals expert. You might want to try one of the
Microsoft forums (some of them are very helpful) or look for articles by
Mark Russinovich, the Windows Internals Guru (and Author of the
Sysinternals Tools).

Good luck,

 --Jim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 4:05 PM
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] How to find the application sending a name request?

Thanks James, that's great help!

I found out that - ok, I should have expected that - svchost (registering
dnscache.dll) is sending the DNS name query and getting the response "no
such name". But I still cannot figure out which application initiated the
DNS request, which application sits at the starting point for asking for the
unknown server. I suspect it is some service.

Thanks,
 Bob



Re: [Wireshark-users] Trace files for public download?

2006-10-17 Thread Small, James
Besides the wireshark wiki, there are also some here:
http://www.packet-level.com/traces/index.htm
 
They are more for specific examples though so not sure if that's what you're 
looking for.
 
--Jim
 
From: [EMAIL PROTECTED] on behalf of P Li
Sent: Tue 10/17/2006 4:11 PM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Trace files for public download?



I noticed that some anonymized traces are available for public download here:
http://www.icir.org/enterprise-tracing/download.html

I was wondering if there are other places hosting trace files (hopefully a few
days of traffic) for public research and demo use. I would appreciate any
information.

Thanks,
Phil



[Wireshark-users] Wiki/Link issue

2006-09-18 Thread Small, James
When browsing through the Wireshark wiki, I noticed that the links to the
display filter references seem to be broken.

For example, if I look at the SSL link:

http://wiki.wireshark.org/SSL

And from there I click on the SSL display filter reference link:

http://www.wireshark.org/docs/dfref/s/ssl.html

It results in a page not found error. I'm not sure where the correct link
under docs is.

Please let me know if there is a better place to report this.

Thank you,

 --Jim



Re: [Wireshark-users] wireshark ssl decryption for dummies

2006-09-13 Thread Small, James
When I use 0.99.3 for Windows, I also have trouble with the SSL decodes.
When I use the Wiki example and look at the logs, I see:

In the logs, I keep seeing decrypt ssl3 record: no session key

Logs:
association_remove_handle removing ptr 02D39200 handle 0282E918
association_remove_handle removing ptr 02D321E8 handle 0282DD88
association_remove_handle removing ptr 02D32450 handle 0283F9F8
association_remove_handle removing ptr 02D34DC0 handle 0296AA40
ssl_init keys string 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init found host entry 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init addr 127.0.0.1 port 443 filename rsasnakeoil2.key
ssl_get_version: 1.5.0
ssl_init private key file rsasnakeoil2.key successfully loaded
association_add port 443 protocol ssl handle 02CF2C60
association_add port 443 protocol http handle 0282E918
association_add port 636 protocol ldap handle 0282DD88
association_add port 993 protocol imap handle 0283F9F8
association_add port 995 protocol pop handle 0296AA40
ssl_session_init: initializing ptr 03FA1978 size 568
association_find: port 38713 found 
packet_from_server: is from server 0
dissect_ssl server 127.0.0.1:443
client random len: 16 padded to 32
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl state 11
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 2 offset 5 lenght 70 bytes,
remaning 79 
dissect_ssl3_hnd_hello_common found random state 13
dissect_ssl3_hnd_srv_hello found cipher 35, state 17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 836 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 11 offset 84 lenght 832 bytes,
remaning 920 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 14 offset 925 lenght 0 bytes,
remaning 929 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 lenght 128 bytes,
remaning 137 
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master encrypted[128]:
65 51 2d a6 d4 a7 38 df ac 79 1f 0b d9 b2 61 7d 
73 88 32 d9 f2 62 3a 8b 11 04 75 ca 42 ff 4e d9 
cc b9 fa 86 f3 16 2f 09 73 51 66 aa 29 cd 80 61 
0f e8 13 ce 5b 8e 0a 23 f8 91 5e 5f 54 70 80 8e 
7b 28 ef b6 69 b2 59 85 74 98 e2 7e d8 cc 76 80 
e1 b6 45 4d c7 cd 84 ce b4 52 79 74 cd e6 d7 d1 
9c ad ef 63 6c 0f f7 05 e4 4d 1a d3 cb 9c d2 51 
b5 61 cb ff 7c ee c7 bc 5e 15 a3 f2 52 0f bb 32 
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 79 bytes, decr_len 127
decypted_unstrip_pre_master[127]:
02 c8 3b d5 a5 24 3c 40 c7 6e 95 b9 46 da b2 79 
b1 06 ec 61 2d f7 f5 4a b7 62 b6 33 4b b3 05 ef 
90 14 59 72 08 d5 34 88 41 cc a6 96 f4 dd 97 9a 
dc 3a 6e 92 1f 3a e4 6b 5b fb 3f ee 46 59 62 f3 
f3 06 0f d1 1f f4 9d b2 29 08 c6 01 f5 c3 00 03 
00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 
87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb 
7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 
pre master secret[48]:
03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 
18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 
cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 
ssl_generate_keyring_material:PRF(pre_master_secret)
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
master secret[48]:
1e db 35 95 b8 18 b3 52 58 f3 07 3f e6 af 8a a6 
ab c3 a4 ed 66 3a 46 86 b6 e5 49 2a 7c f7 8c c2 
ac 22 bb 13 15 0f d8 62 a2 39 23 7b c2 ff 28 fb 
ssl_generate_keyring_material sess key generation
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
ssl3_prf: sha1_hash(4)
ssl3_prf: md5_hash(4) datalen 48
ssl3_prf: sha1_hash(5)
ssl3_prf: md5_hash(5) datalen 48
ssl3_prf: sha1_hash(6)
ssl3_prf: md5_hash(6) datalen 48
ssl3_prf: sha1_hash(7)
ssl3_prf: md5_hash(7) datalen 48
(...)

Am I missing something obvious?

--Jim

James Small
ANALYSTS INTERNATIONAL
SEQUOIA SERVICES GROUP
 

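What the `pcry_private_decrypt: stripping 79 bytes, decr_len 127` line in the log above is doing, as an added example written for this page (not Wireshark's code): PKCS#1 v1.5 type-2 unpadding of the 127-byte `decypted_unstrip_pre_master` block, which must yield the 48-byte `pre master secret` that starts with the client version bytes 03 00. The two byte strings are copied from the log; the function names are mine.

```python
from typing import Optional, Tuple

# Hex copied from the ssl debug log above (the wiki's rsasnakeoil2 test capture)
DECRYPTED_UNSTRIP = bytes.fromhex(
    "02 c8 3b d5 a5 24 3c 40 c7 6e 95 b9 46 da b2 79 "
    "b1 06 ec 61 2d f7 f5 4a b7 62 b6 33 4b b3 05 ef "
    "90 14 59 72 08 d5 34 88 41 cc a6 96 f4 dd 97 9a "
    "dc 3a 6e 92 1f 3a e4 6b 5b fb 3f ee 46 59 62 f3 "
    "f3 06 0f d1 1f f4 9d b2 29 08 c6 01 f5 c3 00 03 "
    "00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 "
    "87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb "
    "7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8")
PRE_MASTER_SECRET = bytes.fromhex(
    "03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 "
    "18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 "
    "cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8")


def strip_pkcs1_type2(block: bytes) -> Optional[Tuple[int, bytes]]:
    """PKCS#1 v1.5 type-2 (encryption) unpadding: 00 || 02 || PS || 00 || M,
    where PS is at least 8 nonzero bytes. Returns (bytes stripped, M), or None
    if the structure is wrong. The RSA output in the log is 127 bytes because
    the leading 0x00 was dropped when the integer was converted back to bytes."""
    if block[:1] == b"\x00":
        block = block[1:]
    if len(block) < 10 or block[0] != 0x02:
        return None
    sep = block.find(b"\x00", 1)
    if sep < 9:                 # no separator, or fewer than 8 padding bytes
        return None
    return sep + 1, block[sep + 1:]


def unwrap_pre_master_secret(block: bytes, client_version: bytes = b"\x03\x00") -> Optional[bytes]:
    """Return the 48-byte pre-master secret, or None if the padding or the
    embedded client version is wrong (the checks RFC 5246 7.4.7.1 describes)."""
    stripped = strip_pkcs1_type2(block)
    if stripped is None:
        return None
    _, secret = stripped
    if len(secret) != 48 or secret[:2] != client_version:
        return None
    return secret


if __name__ == "__main__":
    stripped, _ = strip_pkcs1_type2(DECRYPTED_UNSTRIP)
    print(f"stripping {stripped} bytes, decr_len {len(DECRYPTED_UNSTRIP)}")
    print(unwrap_pre_master_secret(DECRYPTED_UNSTRIP).hex())
```

The earlier `decrypt_ssl3_record: no session key` lines for handshake types 2, 11 and 14 are expected: the dissector cannot derive keys until it has decrypted the ClientKeyExchange, which the log then shows succeeding (master secret and session keys are generated), so the question is what happens to the records after that point.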

[Wireshark-users] Issues/Questions with SSL Decode for Windows in 0.99.3

2006-09-02 Thread Small, James
Hello,

According to the 0.99.3 release notes ("...SSL decryption are now supported in 
the Windows installer").  However, when I follow the instructions at 
http://wiki.wireshark.org/SSL, I can not get the example SSL decode to work.

Can someone send me an example of what it looks like when the SSL decode works 
correctly?

Also, has anyone gotten this to work under Windows?  Specifically, I'm using 
Windows XP, SP2.

Finally, is there a way to check if the SSL support is compiled in to a Windows 
version?

Thank you,
  --Jim

James Small
ANALYSTS INTERNATIONAL
Security SERVICES GROUP
