Re: [Wireshark-users] Devices on MAC
On Fri, Apr 04, 2008 at 03:54:24PM +0200, Luca Bedogni wrote:

> maybe this could be a really basic question, but when I run wireshark on
> MAC OS, I can't see any device on any window. Is this a known issue and
> do I have to do something to show them?

Could you provide the output of "wireshark -v" for us? What version of MacOS are you running?

Steve
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] TCP Conversations Question
On Wed, Apr 02, 2008 at 10:14:19AM -0500, Tom.Saurer wrote:

> Is there a way to have Wireshark only gather IP conversation stats
> (source IP/Port and destination IP/Port) as it watches a nic? We don't
> need the full packet information. We need to gather this data for
> several weeks and it would be too hard to analyze a packet capture to
> pull that information.

This functionality is not currently available in Wireshark. We've had requests for it before though, so perhaps some day someone will implement it :).

Steve
Re: [Wireshark-users] wire shark from the program
On Tue, Apr 01, 2008 at 05:56:55PM -0700, Vinay Chilakamarri wrote:

> Thanks for the reply. I typed the port incorrectly .. (that 4 shouldn't
> have turned up after 6). When I tried the command, wireshark gave me a
> debug console indicating the arguments that are available for use with
> it (maybe the syntax is incorrect). Here is what I tried:
>
>     wireshark -f 'udp port 34678'
>
> tshark gave this output and quit with the above command:
>
>     tshark: Capture filters were specified both with -f and with additional command-line arguments

Are you on Windows? The above command works on Unix. Windows doesn't like single quotes AFAIK, so try

    -f "udp port 34678"

Steve
Re: [Wireshark-users] how i can decode RDR packet
On Tue, Apr 01, 2008 at 09:31:01AM -0400, Herzl Shemuelian wrote:

> I use wireshark version 99.7
> I have a decoder (RDR.SO) for an old version of wireshark and I can't use it
> How can I receive a RDR plug-in for this version?

Where did you get it from? You probably need to ask that person or the person who created it for a version compiled against a newer version of Wireshark. Or, if you have the source code, compile it with version 0.99.7 (better yet, 1.0 that just came out). Plug-ins are not always compatible between versions of Wireshark.

Steve
Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
On Fri, Mar 28, 2008 at 11:24:09AM +0800, 赵新元 wrote:

>     #tshark -i 3 -o column.format:'Info, %i'
>
> I use this command, but it can't work!

The ' marks only work on Unix. I just tried on Windows using a " instead of ' and it works:

    tshark -o column.format:"Info, %i"

Steve
Re: [Wireshark-users] Using tshark to extract empty fields from pcap files
On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass wrote:

> I am trying to extract fields from pcap files using tshark. I am
> currently using a format like this:
>
>     tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
>
> I don't see the fields I wanted listed on the wireshark display filter
> reference listing, and when looking at the pcap files after conversion
> to PDML, the fields show up like this:

Which field(s) are you trying to extract?

Steve
Re: [Wireshark-users] tshark loopback
On Thu, Mar 20, 2008 at 07:17:32AM -0500, Tennis Smith wrote:

> I run a series of tests via a loopback interface on Fedora 7. Is there
> any way to start tshark and have it monitor activity on the loopback,
> even if traffic is not yet being passed?

You should be able to just start it as "tshark -i lo0" and it will wait for traffic.

Steve
Re: [Wireshark-users] Help.. pcap to ivs
On Thu, Mar 13, 2008 at 11:21:50PM +0100, Andrea Faver wrote:

> I'm trying to convert a pcap file (made with WIRESHARK) to an ivs file
> with aircrack ivstools.exe but it doesn't recognize the file. How can I
> do it? When I save my captured packets in WIRESHARK, in which format
> should I do it? (I have several options: wireshark, modified tcpdump,
> redhat6.1, suse6.3...)

The ivs tool appears to want a (lib)pcap file, so you should probably save it in Wireshark as a "Wireshark/tcpdump/... - libpcap" file. If it doesn't recognize the file, then you should do more research to try to figure out what format they are looking for and we can tell you which one in Wireshark matches if it isn't obvious.

Steve
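When a downstream tool rejects a capture, the quickest check is the file's magic number and, for libpcap files, the link-layer type in the global header: a tool that works on wireless frames needs 802.11 frames, not Ethernet. The following script is an added example (it is not part of the thread and not Wireshark or aircrack code); the magic numbers and DLT values are the published libpcap/pcapng ones, and the sample headers are constructed inline rather than read from a real capture.

```python
import struct

# Link-layer types (libpcap DLT values) worth recognising when checking
# whether a capture holds raw 802.11 frames. The names are the standard ones.
LINKTYPE_NAMES = {
    1: "Ethernet",
    105: "IEEE 802.11",
    113: "Linux cooked (SLL)",
    127: "IEEE 802.11 with radiotap header",
}

# First four bytes on disk for the classic libpcap formats -> (struct endian, timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),   # libpcap, little-endian
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),   # libpcap, big-endian
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),    # libpcap nanosecond variant, LE
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),    # libpcap nanosecond variant, BE
}
# pcapng: Section Header Block type, then block length, then the byte-order magic
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}


def detect_capture_format(data: bytes) -> dict:
    """Identify a capture file from its leading bytes. For libpcap files also
    report version, snaplen and link type from the 24-byte global header."""
    magic = data[:4]
    if magic in PCAP_MAGICS and len(data) >= 24:
        endian, ts = PCAP_MAGICS[magic]
        # global header: magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
        _, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            endian + "IHHiIII", data[:24])
        return {
            "format": "pcap",
            "timestamps": ts,
            "version": f"{major}.{minor}",
            "snaplen": snaplen,
            "linktype": linktype,
            "linktype_name": LINKTYPE_NAMES.get(linktype, f"unknown ({linktype})"),
        }
    if magic == PCAPNG_SHB and len(data) >= 12 and data[8:12] in PCAPNG_BOM:
        return {"format": "pcapng", "endian": PCAPNG_BOM[data[8:12]]}
    return {"format": "unknown"}


def is_raw_80211_pcap(data: bytes) -> bool:
    """True when the file is classic libpcap whose frames are raw 802.11 frames
    (with or without radiotap), the input that wireless-frame tools expect."""
    info = detect_capture_format(data)
    return info["format"] == "pcap" and info["linktype"] in (105, 127)


def build_pcap_header(snaplen: int, linktype: int, little_endian: bool = True) -> bytes:
    """Constructed sample: a libpcap 2.4 global header with no packets after it."""
    endian = "<" if little_endian else ">"
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    for sample in (build_pcap_header(65535, 105), build_pcap_header(1500, 1, False),
                   PCAPNG_SHB + b"\x1c\x00\x00\x00" + b"\x4d\x3c\x2b\x1a", b"not a capture"):
        print(detect_capture_format(sample))
```

The script only reads the header; a file that passes this check can still be rejected by a consumer for other reasons (unexpected snaplen, FCS present or absent), which is where the "ask what format they want" advice in the reply applies.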
Re: [Wireshark-users] wireless setup
On Fri, Mar 14, 2008 at 10:57:01AM +1000, stephen galowski wrote:

> with regard to wireless setup i am wondering why the wireless toolbar
> does not work on my laptop with an inbuilt 2.4 and 5ghz

The wireless toolbar in Wireshark? It's for AirPcap use only: http://www.cacetech.com/products/airpcap_family.htm

Steve
Re: [Wireshark-users] Router broken or is my Linux crazy? *Smallest* log included
On Mon, Mar 10, 2008 at 06:56:15PM +, Monkey D. Luffy wrote:

> Still, I look at my current IP and the mask seems odd (although I never
> did quite grasp the mask concept).
>
>     inet addr:xxx.xxx.73.144 Bcast:xxx.xxx.73.255 Mask:255.255.252.0
>
> Shouldn't the mask's 3rd octet be 255?

If the third octet was 255, then the addresses available would be xxx.xxx.xxx.[1-254]. With the third octet 252 as you said above, the addresses available are xxx.xxx.[0-3].[1-255] as an example. It could be any set of four 256 address blocks or 1024 addresses. It's just a way to put more machines on the same subnet.

> And another strange thing shows in the log:
>
>     18 283.873122 192.168.2.100 239.255.67.250 IGMP V2 Membership Report
>
> Why the heck does my computer want to communicate to that address?

That's a protocol that multicast uses to join multicast groups and 239.255.67.250 is the group number. Don't worry about it :)

Steve
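The subnet arithmetic in the reply is easy to check by hand once, but a small function makes it repeatable and also catches the case the question hints at: an interface whose reported broadcast address does not match its mask. This is an added example, not code from the list or from Wireshark; the address 10.0.73.144 is a constructed stand-in for the poster's masked "xxx.xxx.73.144".

```python
import ipaddress


def subnet_info(addr: str, mask: str) -> dict:
    """Network, broadcast and usable host range for an IPv4 address plus
    dotted-decimal mask, as ifconfig prints them."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    # /31 and /32 have no network/broadcast addresses to subtract
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "prefix_len": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total_addresses": net.num_addresses,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


def broadcast_consistent(addr: str, mask: str, reported_bcast: str) -> bool:
    """Does the broadcast address the interface reports match the one the mask
    implies? A mismatch means the interface (or the DHCP lease that configured
    it) is inconsistent, which is worth fixing before blaming the router."""
    return subnet_info(addr, mask)["broadcast"] == reported_bcast


def mask_is_contiguous(mask: str) -> bool:
    """A valid mask is a run of 1-bits followed by 0-bits. 255.255.252.0 is;
    255.255.253.0 is not (ipaddress rejects the latter with ValueError)."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = (~value) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


if __name__ == "__main__":
    # constructed sample values, not the poster's real addresses
    print(subnet_info("10.0.73.144", "255.255.252.0"))
    print(broadcast_consistent("10.0.73.144", "255.255.252.0", "10.0.73.255"))
```

Run against the constructed values, the /22 mask yields a 10.0.72.0 network with broadcast 10.0.75.255 and 1022 usable hosts, which is the "four 256 address blocks" the reply describes.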
Re: [Wireshark-users] Distinguishing Ethernet II and 802.3 frames
On Thu, Mar 06, 2008 at 11:28:51AM +0100, Marcus Better wrote:

> I'm running Wireshark on Linux 2.6.24 though (mac80211 stack). Can it
> give me the 802.11 frames?

Try looking through this page: http://wiki.wireshark.org/CaptureSetup/WLAN

Steve
Re: [Wireshark-users] Bug report - Follow TCP Stream conversation selection incorrect
On Thu, Mar 06, 2008 at 08:08:17AM -0500, Guy Bruneau wrote:

> I would like to report a new bug affecting the Follow TCP Stream. Since
> version 99.7 (99.8 has this issue as well), both Linux and Windows
> versions show the wrong conversation when selecting the client or
> server. While in the Follow TCP Stream window, the Entire conversation
> is fine but when you select either only the client conversation or
> server conversation, it shows the wrong Stream Content (reverse output).
> The server should be the client and the client should be the server.
> If you require additional information, please let me know.

Thanks for your report. I fixed this a while back, but the problem seems to have crept up again somehow. The bug has been reopened: http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1138

You can add any additional information you have to that bug or simply say you are having the problem also. This will put you on the CC list of the bug so you will know when it has been fixed.

Steve
Re: [Wireshark-users] IO Graphs cumulative plot
On Wed, Mar 05, 2008 at 02:11:46PM +0100, Michele Pedrolli wrote:

> I was looking for a way to plot with IO Graphs a graph with cumulative
> bytes length on Y axis. I tried to manually define the unit of the Y
> axis using the 'Advanced' feature, choosing from the Calc box the
> SUM(*) function for the frame.len field. But I wasn't able to obtain
> the desired cumulative graph, which should be increasing.

What's happening there is that it is plotting the sum of the frame lengths over each time interval on the graph.

> Is there a way to plot this graph with IO Graphs?

I don't think there is right now. There would have to be a frame dissector field that stored the cumulative number of bytes since the beginning of the capture.

Steve
Re: [Wireshark-users] (no subject)
On Wed, Mar 05, 2008 at 09:44:11AM -0400, bubba dudley wrote:

> Hi, I noticed how one of my friends has been spying on me tracking what
> I am doing on the net. I know he is using a packet sniffer. So I was
> wondering if this software can do that and/or can protect me from being
> watched. We are not on the same network, I believe he bought one because
> usually the trial versions of sniffers only allow you to monitor your
> own network.

Wireshark is free software that allows a person to monitor traffic going over a network they have physical access to. With few exceptions, no packet sniffer can monitor a remote network.

Steve
Re: [Wireshark-users] IO Graphs cumulative plot
On Wed, Mar 05, 2008 at 08:34:10PM +0100, Stig Bjørlykke wrote:

> We already have the cumulative number of bytes in the frame dissector
> (used for the cumulative column), so it's just a matter of adding this
> as a generated frame field.

Do we? The Cumulative Bytes column is pulled out of pinfo->fd->cum_bytes.

> This field does not always work as expected in the filter, because we
> can't add a filter like frame.cum_len 1000. But maybe it's better to
> have this field than not at all?

Hmm.. what would frame.cum_len 1000 do wrong? I guess it depends on if it's cumulative from the beginning of the capture or for displayed packets. That could get messy.

Steve
Re: [Wireshark-users] Average MBit/sec
On Tue, Feb 26, 2008 at 05:45:12PM -0800, Greg Reed wrote:

> For MB/sec would I move the decimal point 2 places to the right from
> the output of MBit/sec?

There are 8 bits in a byte, so you would actually multiply the MBit/sec by 8 to get MB[yte]/sec.

Steve
Re: [Wireshark-users] packet payload string or hex filter
On Fri, Feb 22, 2008 at 01:49:29AM -0800, Guy Harris wrote:

> Sake Blok wrote:
>> On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:
>>> ... This is not currently possible because there is no field that
>>> contains the contents of the entire frame.
>>
>> Actually, there is - "frame". And "frame contains blablabla" or
>> "frame contains 00:40:3f"

Thanks for the correction. I tried it last night and I thought it wasn't working when I typed "frame contains", but this morning it does indeed work. :O

Steve
Re: [Wireshark-users] Export Objects HTTP 2
On Fri, Feb 22, 2008 at 08:02:54AM +0300, [EMAIL PROTECTED] wrote:

> Tell me, why does export-object-HTTP not save all content types?
> Does it not save mp3???

All HTTP content with a content-type and payload is presented in the export object window. Sometimes, especially on Windows, certain filenames cannot be saved due to them having invalid characters in them. Do you see the file that isn't saving in the export object list?

> Is it possible to ask you to describe how and where the HTTP object
> analysis happens? I have not found where there is analysis of JPG,
> GIF, mp3, etc.??

The way the export object feature for HTTP works is that it runs as a tap in the HTTP dissector that saves the HTTP hostname, URI filename, content type header and then the actual payload data and length:

    /* Save values for the Export Object GUI feature if we have
     * an active listener to process it (which happens when
     * the export object window is open). */
    if(have_tap_listener(http_eo_tap)) {
        eo_info = ep_alloc(sizeof(http_eo_t));
        eo_info->hostname = conv_data->http_host;
        eo_info->filename = conv_data->request_uri;
        eo_info->content_type = headers.content_type;
        eo_info->payload_len = next_tvb->length;
        eo_info->payload_data = next_tvb->real_data;
        tap_queue_packet(http_eo_tap, pinfo, eo_info);
    }

This data is then gathered by the gtk/export_object_http.c code and fed into gtk/export_object.c code for the actual GUI display.

Steve
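The tap shown above hands five values to the GUI; the one that causes the "cannot be saved" failures mentioned in the reply is the filename, which comes straight from the request URI. The script below is an added example, not Wireshark code, that extracts those same values from a constructed request/response pair and then derives a filename that is safe to write on Windows and Unix. The sanitisation rules (strip directory components, query string, Windows-reserved characters, control characters, and the names "." and "..") are the author's choice for this example; the URI is attacker-controlled in the sense that whoever served the page chose it, so an exporter should never let it pick the directory.

```python
import re

# Characters Windows refuses in file names; '/' is included so a name can never
# carry a path separator on either platform.
WINDOWS_RESERVED = set('<>:"/\\|?*')


def parse_http_message(raw: bytes):
    """Split one HTTP message into (start line, lower-cased header dict, body).
    Headers are decoded as Latin-1 so arbitrary bytes survive unchanged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def export_object_info(request: bytes, response: bytes) -> dict:
    """Collect the values the HTTP export-object tap records: hostname,
    filename (the request URI), content type, payload length and payload."""
    req_line, req_hdrs, _ = parse_http_message(request)
    _method, uri, _version = req_line.split(" ", 2)
    _status, resp_hdrs, body = parse_http_message(response)
    try:
        length = int(resp_hdrs.get("content-length", len(body)))
    except ValueError:          # malformed Content-Length: fall back to what we have
        length = len(body)
    return {
        "hostname": req_hdrs.get("host", ""),
        "filename": uri,
        "content_type": resp_hdrs.get("content-type", ""),
        "payload_len": length,
        "payload_data": body[:length],
    }


def safe_filename(uri: str, fallback: str = "object.bin") -> str:
    """Turn a request URI into a name that can be written on any platform and
    cannot escape the chosen output directory."""
    path = re.split(r"[?#]", uri, maxsplit=1)[0]       # drop query and fragment
    name = re.split(r"[/\\]", path)[-1]               # last path component only
    name = "".join("_" if (c in WINDOWS_RESERVED or ord(c) < 32) else c for c in name)
    name = name.rstrip(". ")                           # Windows drops trailing dots/spaces itself
    if name in ("", ".", ".."):
        return fallback
    return name[:255]


if __name__ == "__main__":
    # constructed sample exchange, not captured traffic
    req = b"GET /images/logo.png?x=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\nPNG!"
    info = export_object_info(req, resp)
    print(info["hostname"], info["content_type"], info["payload_len"], safe_filename(info["filename"]))
```

With the sample exchange the exporter records host www.example.com, type image/png and a 4-byte payload, and saves it as logo.png; a URI such as /x/..\..\evil.exe is reduced to evil.exe and one made only of dots falls back to object.bin.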
Re: [Wireshark-users] build problem
On Thu, Feb 21, 2008 at 11:20:47PM -0500, Bill Meier wrote:

> bitmus DA wrote:
>> I want to use wireshark for just viewing packets, not for capture. So I
>> run ./configure --without-pcap and then make. But make is giving the
>> error below
>
> It's a bug :(
> A fix will be committed momentarily to not compile the offending code if
> --without-pcap.

... and this fix should be included in the upcoming 0.99.8 release due out in about a week for the original poster's information.

Steve
Re: [Wireshark-users] tshark -d option
On Fri, Feb 22, 2008 at 02:33:11AM +, MKS {} wrote:

> The (-d , ) option with tshark tells tshark to interpret packets on the
> specified port as the given protocol. Is there a way to provide a range
> of ports using this route?

A quick glance at the tshark code didn't turn up any way to do ranges.

> Also, wireshark does not seem to allow this command line option. Is
> there some way to do the same other than using decode as option from the
> analyze menu?

No.

Steve
Re: [Wireshark-users] packet payload string or hex filter
On Fri, Feb 22, 2008 at 03:38:23AM +0100, Grzegorz Szczytowski wrote:

> I'm wondering if wireshark supports a string or hex filter similar to
> the following syntax:
>
>     data.data include or content blablabla
>
> The issue is that the filter should go over the whole packet to match
> that string.

This is not currently possible because there is no field that contains the contents of the entire frame. Maybe we should add one under the frame dissector? This leaves you with the find packet search that allows hex values or strings.

Steve
Re: [Wireshark-users] Hiding interfaces
On Wed, Jan 30, 2008 at 11:20:55AM -0500, Onur Akgun wrote:

> Is there a way to hide some interfaces from the Capture Interfaces
> screen? Preferences -> Capture -> Interfaces -> Edit does not do what I
> want... (Box is a fedora based Linux running with multiple network
> adapters)

Would you mind opening a bug report at http://bugs.wireshark.org and marking it as an enhancement request to request this feature. That way we won't forget about it. Thanks!

Steve
Re: [Wireshark-users] limit packet
On Mon, Feb 18, 2008 at 05:52:40PM +0300, Alexander Pilugin wrote:

> Hello! Please advise the value in bytes (default 68 bytes is too small)
> to which to limit captured packets so that on the one hand we don't lose
> any headers, and on the other we save space on the hard disk. Thanks in
> advance!

It depends on the protocols you expect to see in the capture. 500 bytes would most likely capture all headers and some of the traffic and still cut your capture file down by as much as 1/3 (assuming 1500 byte packets).

Steve
Re: [Wireshark-users] How to let wireshark capture one application packets
On Sat, Feb 09, 2008 at 11:33:44PM -0500, Du Zhidian wrote:

> I am using windows vista. I want to use wireshark to capture all packets
> of one application, no matter the protocol it uses. For example, all
> packets of firefox. How can I do it?

This is not possible with Wireshark.

Steve
Re: [Wireshark-users] Bad Checksum Packet
On Sun, Feb 10, 2008 at 06:35:08AM -0800, Becky Vict wrote:

> I would like to know if a packet is discarded due to bad checksum, will
> it show in the capture? How to distinguish this quickly? What display
> filter should I use for this?

If the frame is discarded by the network card for a bad CRC, you will probably not see it in Wireshark at all. If the checksum is bad at higher layers, then you will see bad checksum checks at various protocols/layers (IP, TCP, UDP and some other protocols such as CDP and EDP). Go into the protocol layer of a packet that you want to check the checksum of and there will be a tree such as the following:

    User Datagram Protocol, Src Port: domain (53), Dst Port: 58475 (58475)
        Source Port: domain (53)
        Destination port: 58475 (58475)
        Length: 108
        Checksum: 0x2b97 [correct]
            [Good Checksum: True]
            [Bad Checksum: False]

Right click on the good or bad checksum and go to Apply as Filter -> Selected to apply a display filter for good or bad checksums. The filters in this case will be udp.checksum_good == 1 or udp.checksum_bad == 1 if it is good or bad respectively.

There are also coloring rules in place by default for Checksum Errors that turn the packet list line red on black for cdp, edp, ip, tcp, udp checksums that are bad. Note that a few other protocols have checksum checks too, but they are not in the default coloring rules.

Steve
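What Wireshark is doing when it labels a checksum good or bad is the RFC 1071 one's-complement sum, over the IPv4 header for IP and over a pseudo-header plus the segment for UDP. The following is an added example (not Wireshark's dissector code) that builds a constructed IPv4 header and UDP/DNS-shaped segment, then classifies them the same way the tree above does; the packet contents and addresses are made up for the example.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """A received IPv4 header, checksum field included, must sum to 0xFFFF."""
    ihl = (header[0] & 0x0F) * 4
    return ones_complement_sum(header[:ihl]) == 0xFFFF


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """UDP checksum over pseudo-header (src, dst, zero, protocol 17, length)
    plus the segment with its checksum field zeroed. A computed 0 is sent
    as 0xFFFF because 0 on the wire means 'no checksum' for UDP over IPv4."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return internet_checksum(pseudo + zeroed) or 0xFFFF


def udp_checksum_status(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """'good', 'bad' or 'none' (sender chose not to compute one; legal for IPv4)."""
    received = struct.unpack("!H", segment[6:8])[0]
    if received == 0:
        return "none"
    return "good" if udp_checksum(src_ip, dst_ip, segment) == received else "bad"


def build_ipv4_header(src_ip: bytes, dst_ip: bytes, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_udp_segment(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                      payload: bytes) -> bytes:
    """Constructed UDP segment with a correct checksum."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


if __name__ == "__main__":
    # constructed sample packet: a DNS-sized query from a client to a resolver
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
    payload = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    seg = build_udp_segment(src, dst, 58475, 53, payload)
    print("udp:", udp_checksum_status(src, dst, seg))
    # flip one payload bit, as a corrupting link would
    damaged = seg[:9] + bytes([seg[9] ^ 0x01]) + seg[10:]
    print("udp after corruption:", udp_checksum_status(src, dst, damaged))
    print("ipv4:", ipv4_header_checksum_ok(build_ipv4_header(src, dst, len(seg))))
```

One caveat when reading the red-on-black rows the reply mentions: on the capturing host's own outbound packets, checksum offloading to the network card means the capture is taken before the hardware fills the field in, so those packets show as bad even though they leave the wire correct. A checksum reported bad on a packet received from another host is the case worth investigating.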
Re: [Wireshark-users] http Content-Encoding: gzip not decoding
On Fri, Feb 08, 2008 at 09:41:16AM -0800, Bob Keyes wrote:

> Packets are sniffed, tcp streams assembled, but when it comes time to
> decode gzip encoded content, I get nowhere. I am running 0.99.6 on
> Ubuntu Gutsy.

I just verified that my copy of Wireshark uncompresses the gzip compressed html at the Amtrak web site and shows it to me. Is your copy of Wireshark compiled with zLib (libz)? You can check by doing "wireshark -v" or going to the Help -> About menu in Wireshark. It should say "Compiled ... with libz x.y.z ..."

Steve
Re: [Wireshark-users] Problem: i only sniff my own packets, not network packets
On Wed, Feb 06, 2008 at 01:43:00PM +0100, El Piraña wrote:

> I've tried this in another network area with the same results, by
> ethernet and by wireless without any positive result, and I don't know
> what to do. I thought it would be about a switch on the network, but in
> any case the wireless APs work as a hub, so there shouldn't be problems,
> and in any case if there is a switch on a network it shouldn't show so
> much info as DNS requests or similar...

This issue is caused by your machine being connected to a switch. The packets you do see from other machines are either broadcast, multicast or traffic going to a destination the switch does not recognize at the moment (so it floods it out all ports).

Wireless does act as a hub, but it is difficult/impossible to get some wireless cards into monitor mode so they actually capture the other traffic. See http://wiki.wireshark.org/CaptureSetup/WLAN for more details. If your wireless LAN has proper encryption on it though, you still won't be able to see other machines' traffic.

Steve
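The three cases in the reply (broadcast, multicast, unknown-unicast flooding) fall out of how a learning switch forwards. The model below is an added example, not code from the list or from any switch vendor: a minimal transparent bridge that learns source MACs per port and floods anything it cannot deliver to a single port, used to show which of a constructed sequence of frames a sniffer on port 2 would actually capture. The MAC addresses are made up (locally administered 02:... addresses).

```python
BROADCAST = b"\xff" * 6


def classify_dst(mac: bytes) -> str:
    """Broadcast, multicast (I/G bit = lowest bit of the first octet) or unicast."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


class LearningSwitch:
    """Minimal transparent bridge: learn the source MAC on the ingress port,
    forward known unicast to exactly one port, flood everything else."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}          # MAC -> port, populated only from observed sources

    def forward(self, in_port: int, src: bytes, dst: bytes) -> set:
        """Return the set of ports this frame is sent out of."""
        self.table[src] = in_port
        if classify_dst(dst) == "unicast" and dst in self.table:
            out = self.table[dst]
            return set() if out == in_port else {out}   # same port: filtered
        return self.ports - {in_port}                    # broadcast/multicast/unknown: flood


def frames_seen_on_port(switch: LearningSwitch, port: int, frames) -> list:
    """Indices of the frames a sniffer attached to `port` would capture."""
    return [i for i, (in_port, src, dst) in enumerate(frames)
            if port in switch.forward(in_port, src, dst)]


# Constructed sample: host A on port 1, host B on port 3, sniffer on port 2.
A = bytes.fromhex("020000000001")
B = bytes.fromhex("020000000002")
C = bytes.fromhex("020000000003")          # never seen as a source: unknown to the switch
MDNS = bytes.fromhex("01005e0000fb")       # an IPv4 multicast MAC
FRAMES = [
    (1, A, BROADCAST),   # 0: A's broadcast (e.g. ARP request)   -> flooded, seen
    (3, B, A),           # 1: B answers A; A is already learned   -> port 1 only
    (1, A, B),           # 2: A to B; B learned from frame 1      -> port 3 only
    (1, A, C),           # 3: A to unknown C                      -> flooded, seen
    (1, A, MDNS),        # 4: A to multicast group                -> flooded, seen
]

if __name__ == "__main__":
    print(frames_seen_on_port(LearningSwitch([1, 2, 3]), 2, FRAMES))
```

The sniffer on port 2 sees frames 0, 3 and 4 and nothing of the A-to-B exchange, which is exactly the "only broadcast, multicast and DNS-style chatter" symptom the poster describes. Note that the unknown-destination case is transient: the moment C sends anything, the switch learns it and the flooding stops.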
Re: [Wireshark-users] URL capture filter??
On Mon, Feb 04, 2008 at 08:22:16AM -0800, jacob c wrote:

> I am running Wireshark 0.99.7. I tried using the sample URL capture
> filter shown on the wiki but it always gives me an error when I stopped
> the capture.. It looks like this:
>
>     host www.cnn.com and not (port 80 or port 25)
>
> I also tried "host www.cnn.com" but it didn't seem to like that either.
> Can someone show me an example URL capture filter?

Those *capture filters* should work fine in the capture filter box within the (Capture) Options dialog. The filter box in the main Wireshark window is for *display filters*, which have a different format entirely. If you are in fact putting the capture filters in the capture filter field, please send us your error message.

Steve
Re: [Wireshark-users] URL capture filter??
On Mon, Feb 04, 2008 at 03:45:56PM -0800, jacob c wrote:

> I just wanted/assumed Wireshark would read the http header for
> www.cnn.com and then capture accordingly. That was my goal. Is there a
> way to do that if I am using a proxy?

As Guy stated, you cannot do this in a capture filter. However, you can do it in a display filter:

    http.host == www.cnn.com

Steve
Re: [Wireshark-users] Missing Capture filters
On Sat, Feb 02, 2008 at 09:22:51AM -0900, The Mathe Family wrote:

> I do not seem to have a default list of capture filters in my capture
> filters list. Any suggestions?

Are you running on Windows or Unix? The global capture filters are saved in /usr/local/share/wireshark/cfilters on Unix and %WIRESHARK%\cfilters on Windows. The file format is the same for each platform so I have included the default capture filters as of 0.99.8 development version (I don't think they've changed in a while though) as an attachment to this e-mail so you can replace yours if it is missing.

Steve

    "Ethernet address 00:08:15:00:08:15" ether host 00:08:15:00:08:15
    "Ethernet type 0x0806 (ARP)" ether proto 0x0806
    "No Broadcast and no Multicast" not broadcast and not multicast
    "No ARP" not arp
    "IP only" ip
    "IP address 192.168.0.1" host 192.168.0.1
    "IPX only" ipx
    "TCP only" tcp
    "UDP only" udp
    "TCP or UDP port 80 (HTTP)" port 80
    "HTTP TCP port (80)" tcp port http
    "No ARP and no DNS" not arp and port not 53
    "Non-HTTP and non-SMTP to/from www.wireshark.org" not port 80 and not port 25 and host www.wireshark.org
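The attached cfilters file is one saved filter per line: the display name in double quotes, then the capture-filter expression. When a filter list goes missing or gets damaged, a parser that refuses malformed lines (rather than silently dropping them) makes it easy to check a copied file before installing it. This is an added example, not Wireshark's own reader; the sample text is the default list from the message above, and the line format assumed is the quoted-name-then-expression layout shown there.

```python
import re

# One saved filter per line: "display name" followed by the expression.
CFILTER_LINE = re.compile(r'^"(?P<name>[^"]*)"\s+(?P<expr>\S.*?)\s*$')

# Sample input: the default capture filters attached to the message above.
DEFAULT_CFILTERS = '''\
"Ethernet address 00:08:15:00:08:15" ether host 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)" ether proto 0x0806
"No Broadcast and no Multicast" not broadcast and not multicast
"No ARP" not arp
"IP only" ip
"IP address 192.168.0.1" host 192.168.0.1
"IPX only" ipx
"TCP only" tcp
"UDP only" udp
"TCP or UDP port 80 (HTTP)" port 80
"HTTP TCP port (80)" tcp port http
"No ARP and no DNS" not arp and port not 53
"Non-HTTP and non-SMTP to/from www.wireshark.org" not port 80 and not port 25 and host www.wireshark.org
'''


def parse_cfilters(text: str) -> list:
    """Parse cfilters text into [(name, expression), ...]. Blank lines are
    skipped; any other line that does not match the format raises, so a
    damaged file is noticed instead of being silently truncated."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = CFILTER_LINE.match(line)
        if not m:
            raise ValueError(f"cfilters line {lineno}: cannot parse {line!r}")
        entries.append((m.group("name"), m.group("expr")))
    return entries


def render_cfilters(entries) -> str:
    """Inverse of parse_cfilters. A name containing a double quote cannot be
    represented in this format, so it is rejected rather than written out broken."""
    lines = []
    for name, expr in entries:
        if '"' in name:
            raise ValueError(f"filter name may not contain a double quote: {name!r}")
        lines.append(f'"{name}" {expr}')
    return "\n".join(lines) + "\n"


def find_filter(entries, name: str):
    """Look up one saved filter's expression by its display name, or None."""
    for entry_name, expr in entries:
        if entry_name == name:
            return expr
    return None


if __name__ == "__main__":
    saved = parse_cfilters(DEFAULT_CFILTERS)
    print(len(saved), "filters;", find_filter(saved, "No ARP and no DNS"))
```

The parse/render pair round-trips the default list unchanged, which is the property to check before overwriting a user's own cfilters file with a copy.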
Re: [Wireshark-users] Hiding interfaces
On Wed, Jan 30, 2008 at 11:20:55AM -0500, Onur Akgun wrote:

> Is there a way to hide some interfaces from the Capture Interfaces
> screen? Preferences -> Capture -> Interfaces -> Edit does not do what I
> want...

The Hide Interface option in that dialog should do what you want. If not, please explain further.

Steve
Re: [Wireshark-users] crashing on OS X
On Wed, Jan 23, 2008 at 09:26:03PM -0500, Kelly Martin wrote:

> Also, when running as a regular user, Wireshark does not have
> sufficient privileges to monitor this device - yet if I run it as root,
> it gives me a warning that this might be dangerous (and indeed, I
> suspect it might in some cases). Is there another suggested way to run
> Wireshark on OS X, perhaps only as an admin-but-not-root user? I am
> confused.

You can pass --enable-setuid-install to the configure script to tell Wireshark to install the dumpcap program as setuid root. This allows dumpcap (the capturing part of Wireshark) to run as root, while the rest of the program runs as a normal user. I don't know if MacPorts allows you to pass extra parameters to the configure script though, so Guy's suggestion may be easier for you if you don't want to compile Wireshark from scratch.

Steve
Re: [Wireshark-users] Filter existing file
On Tue, Jan 22, 2008 at 04:39:19PM +0100, Kuhs Lukas wrote:

> I want to filter an existing pcap-file using dumpcap on Windows. This
> is not possible since there is no infile option anymore. Tethereal had
> this option. My question is, whether this will be included in a later
> version or not. Do you know any workaround except for using tethereal?
> I need to execute it on the command line.

Have you tried using tshark? It is the new version of tethereal.

Steve
Re: [Wireshark-users] EBCDIC in data portion of packet
On Mon, Jan 14, 2008 at 01:07:01PM -0600, Starr, David wrote:

> Is there a better way to use the display filter to find a specific
> piece of EBCDIC data in a large capture file?

Not at this time.

> Would it make sense to have a configurable flag to allow Wireshark to
> display the data as EBCDIC?

Perhaps. What protocol is carrying the EBCDIC traffic you're seeing?

Steve
Re: [Wireshark-users] LLC Sub-Layer Management
On Thu, Jan 10, 2008 at 03:37:11PM -1000, E B wrote:

> Can somebody please look below and answer my post Sub-Layer Management,
> this is my third post asking this question and I don't understand why I
> am being ignored, it is very frustrating.

You are not being ignored. It must be that no one knows the answer to your question.

Steve
Re: [Wireshark-users] Decode any port as HTTP
On Fri, Jan 11, 2008 at 02:35:33PM +0800, Billie Chan wrote:

> How can I configure to decode any port as HTTP protocol for Wireshark
> in Fedora version? Any scripts or command available?

You can specify ports separated by commas or ranges of ports separated by a dash in the HTTP preferences.

Steve
Re: [Wireshark-users] Editing packets with Wireshark and replay?
On Thu, Dec 27, 2007 at 08:29:47AM -0800, jacob c wrote:

> Is there any method with Wireshark (or other tool) to modify the ip
> addresses in a packet capture before giving the file to another vendor
> for analysis. For example can I substitute all the packets with address
> 1.1.1.1 with 2.2.2.2?

Tcpreplay may suit your needs: http://tcpreplay.synfin.net/trac/

Wireshark does not have this functionality.

Steve
Re: [Wireshark-users] Installing Microsoft 2003 R2 Server for Wireshark build environment
On Mon, Dec 24, 2007 at 07:15:57AM +, Vikas Jain wrote:

> I am new to Wireshark development and trying to set up the wireshark
> build environment for the windows platform.

Please direct development questions to our other mailing list, [EMAIL PROTECTED] in the future :)

> One of the items mentioned on the Wiki and in developer's guide is to
> install the Platform SDK Server 2003 R2. I was just curious as to why
> the installation of Server 2003 R2 is required and which of its
> components are used by the Wireshark.

That is the latest SDK version that matches up with Visual Studio 2005. It can be installed on Windows XP or Vista, 2003. Not sure why it is called Server 2003 R2. (I usually develop Wireshark on Unix, so I'm not as familiar with the Windows development tools).

Steve
Re: [Wireshark-users] Relabeling or defining aliases to packets
On Sat, Dec 22, 2007 at 11:31:18PM -0800, ColfaxNet Support wrote:

> Once something about a packet is identified, we could then label the
> packets that contain the same criteria as a name such as test computer,
> etc. This would make it much easier to be able to glance at the capture
> window and to determine what device is creating that particular packet.
> This labeling would also be able to be viewed in the different report
> screens.

This is not currently possible.

> One of the other capture programs calls this function creating an alias.

What do you mean by creating an alias?

Steve
Re: [Wireshark-users] Continuous/circular in-memory tracing?
On Fri, Dec 21, 2007 at 10:00:54PM -0500, Jay Levitt wrote:

> As far as I can tell from searching the forum, there's no good way to
> keep Wireshark up and running and capturing to an in-memory circular
> buffer,

Correct.

> Or is there another way to do this, either with Wireshark

Maybe in the future. I thought this had been requested before, but I don't see it in the wish list (wiki.wireshark.org/WishList) or in the bug database (http://bugs.wireshark.org) at quick glance. Would you mind opening a bug report (marked as an enhancement request) at http://bugs.wireshark.org to request this feature?

> or another tool (either free or commercial but not enterprise-priced)?

If I remember correctly, Sniffer can do memory only capturing, but I'm not positive. I don't know how much it costs, but there are free demos available.

Steve
Re: [Wireshark-users] need a camel/inap phase 4 trace
On Tue, Dec 11, 2007 at 08:23:27PM -0800, [EMAIL PROTECTED] wrote:

> Could wireshark also read a trace from a Nethawk analyser file. I have
> some trace files from this analyser, it would be also wonderful that
> wireshark could read from it too.

I don't think it supports NetHawk, although you could just try to open the capture and see if it works. If not, please open a bug marked as an enhancement request at http://bugs.wireshark.org/ and attach your sample capture files and any information you know about the product that made them and/or the file format specifications. Also if you could print the output of NetHawk to a file or do a screen capture and attach that when having the same capture files open, that would be very helpful as well. With this information, one of the developers may have time in the future to reverse engineer the file format and support it in Wireshark.

Steve
Re: [Wireshark-users] Licensing Terms for Wireshark
On Mon, Dec 03, 2007 at 09:49:54AM -0600, [EMAIL PROTECTED] wrote:

> I'd like to know, what are the licensing terms to buy Wireshark for our
> workstations here in our lab center at the Federal Reserve Bank?

Wireshark does not cost anything. See:

    http://www.wireshark.org/faq.html#q1.6
    http://www.wireshark.org/faq.html#q1.7

Steve
Re: [Wireshark-users] Recommended C compiler for Windows
On Sat, Nov 24, 2007 at 07:11:50PM -, Owens, Neil wrote:

> What's the current fave C compiler for Win32? There's loads out there,
> but what comes recommended?

For Wireshark, Microsoft's compiler is the only supported compiler for Win32. Wireshark builds are still building using VC++ 6.0 by the buildbots, but the preferred compiler is Visual Studio 2005 Express Edition because it is free to obtain and use and a number of people use it without problems (though see http://www.wireshark.org/lists/wireshark-dev/200711/msg00349.html for an issue that some people have with the 2005 compiler). See http://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html for further information.

Please direct further Wireshark development questions to the [EMAIL PROTECTED] mailing list.

Steve
Re: [Wireshark-users] unique identifier for remote PC
On Sat, Nov 24, 2007 at 10:59:08PM +0200, Bilal Alpertonga wrote:
> I want to ask a question: why can we take the MAC address of the router but not the address of the PC? Which protocol makes this MAC change?

Because the router accepts a packet and regenerates it going out another interface, the MAC address has to change to be sourced from the router's MAC address. There isn't really a protocol that makes this the case.

Steve
Re: [Wireshark-users] Trying to get Wireshark up and running via MacPorts
On Fri, Nov 23, 2007 at 07:49:48PM -0500, Kok-Yong Tan wrote:
> I'm currently in the middle of a sudo port -Rv install wireshark after doing a sudo port clean wireshark. I'll try downloading the source and then building directly after my build using MacPorts. However, I haven't used gdb in over fifteen years (used to be a developer, got sent to the abyss of systems administration and haven't clawed my way back out yet) so I'd appreciate a refresher on getting the backtrace via gdb. Thanks in advance.

When you have the source built manually in the build directory, you'll want to use glibtool (normally named libtool, except on OS X, which has a libtool program that does something totally different) to run Wireshark through the gdb debugger. I'll create a breakpoint in gdb to simulate the program stopping at an error like you're getting (I will erase the breakpoint setting command/output from below for your clarity - it will crash on its own for you):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[EMAIL PROTECTED]:/usr/local/src/wireshark glibtool --mode=execute gdb ./wireshark
GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:16:54 GMT 2007)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...
warning: --arch option not supported in this gdb.
Reading symbols for shared libraries ... done

(gdb) run
Starting program: /usr/local/src/wireshark/.libs/wireshark
Reading symbols for shared libraries ..++++++..+ done
Reading symbols for shared libraries . done
(above line repeats a bunch of times)

Breakpoint 1, commview_open (wth=0xb0ca650, err=0xbfffe8a8, err_info=0xbfffe86c) at commview.c:98
98          if(!commview_read_header(cv_hdr, wth->fh, err))
(gdb) backtrace 10
#0  commview_open (wth=0xb0ca650, err=0xbfffe8a8, err_info=0xbfffe86c) at commview.c:98
#1  0x0070e5c4 in wtap_open_offline (filename=0xb0b5ae0 "/Users/sfisher/captures/commview/FormatShowcase1.ncf", err=0xbfffe8a8, err_info=0xbfffe86c, do_random=1) at file_access.c:341
#2  0x000117e4 in cf_open (cf=0x13d3d0, fname=0xb0b5ae0 "/Users/sfisher/captures/commview/FormatShowcase1.ncf", is_tempfile=0, err=0xbfffe8a8) at file.c:215
#3  0x00028f78 in menu_open_recent_file_cmd (w=0xb138970) at menu.c:1462
#4  0x07a6c66b in g_closure_invoke ()
#5  0x07a7d99d in signal_emit_unlocked_R ()
#6  0x07a7eb43 in g_signal_emit_valist ()
#7  0x07a7f1f7 in g_signal_emit ()
#8  0x012a8aad in gtk_widget_activate ()
#9  0x0114ead1 in gtk_menu_shell_activate_item ()
(More stack frames follow...)
(gdb) quit
The program is running.  Exit anyway? (y or n) y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The important command is backtrace 10, which shows the last 10 lines of the backtrace of functions called. This helps us see which function the crash occurred in and gives some clues as to why it crashed.

> Got a couple of lines of output from the MacPorts build which look suspicious, though (do they help pinpoint the possible problem with MacPort patches?):

That output looks normal. We have cleared almost all of the warnings from the code except for generated code, which those warnings are from.

Steve
Re: [Wireshark-users] Trying to get Wireshark up and running via MacPorts
On Thu, Nov 22, 2007 at 11:15:59PM -0500, Kok-Yong Tan wrote:
> I'm having a problem getting Wireshark up and running via MacPorts and X11 on an 8GB RAM, 140GB free drive space, dual 2GHz G5 tower system with OS X version 10.4.11 and with X11 Update 2006 applied (providing me with X11 v1.1.3).

That should work fine.

> There are no warnings or errors whatsoever during the builds of Wireshark or Macports but when I try to fire up Wireshark from an xterm window under /Utilities/X11, I get a bus error.

That's odd. Can you try building from our source code to see if the same problem happens? You can download the source code from the www.wireshark.org web site. Sometimes port systems apply patches that *might* be causing the problem, though it is unlikely. The main advantage to building from source is that you can run out of the build directory with debugging symbols - do you know how to use gdb to obtain a backtrace when that error occurs?

> Should I have built a variant of Wireshark other than the default darwin_8 variant or something other than the latest libpcap, glib, gtk, etc., libraries?

No, the one you used should be fine.

Steve
Re: [Wireshark-users] How do I go about creating a custom packet data decode
On Wed, Nov 21, 2007 at 01:59:54PM -, Owens, Neil wrote:
> I'm up against it here and just need to (simply?) XOR all packet data with a HEX value. I just don't know enough about Wireshark to be able to do this. While I'm not asking for a complete solution, could someone point me at something a little more specific than the Wireshark Users manual and possibly hold my hand a little?

Is this for a specific protocol/port? Are you running on Windows or some type of Unix?

Steve
Re: [Wireshark-users] Capture filter not working?
On Thu, Nov 15, 2007 at 03:26:06PM -0800, Trevor Tolk wrote:
> When I use an IP (host) or tcp/udp capture filter on the monitoring nic, it captures no traffic. When I use the same filter on the nic connected to the normal network, the filter works fine. I can use an ether capture filter and it works.

What is (are) the capture filter(s) you are trying to use? It should be working fine without changing any options.

Steve
Re: [Wireshark-users] How to see HTTP hosts visited
On Mon, Nov 12, 2007 at 09:39:38AM -0600, Gary Fritz wrote:
> So anyway. I've figured out how to monitor packets. If I look at my own system, I can filter on my IP, and I can even do a Statistics report (filtering on ip.addr == 192.168.1.106 and http) to find the HTTP hosts I'm hitting. So far so good, if a bit manual.
>
> Problems: I don't seem to get the http requests from his wifi connection on my hard-wired PC. I get a few things like registration and ICMP requests, but I don't see HTTP requests. Why some but not others? Do I have to monitor his wifi connection from another wifi connection?

The packets you are seeing are broadcast or multicast, which in your type of setup are sent to all machines on the network. You're not seeing his traffic because your wireless AP/(router?) is acting like a switch instead of a hub. Switches do not send traffic for one host out to all ports. What does your network setup look like? Do you have a separate wireless AP, router, cable/dsl modem? Or which parts are combined into one?

You could monitor the wifi through another wifi connection only if your operating system's wireless driver supports promiscuous mode, which is not common (especially on Windows). Ideally you would monitor his machine by installing Wireshark on his machine, but that may give away what you're trying to do :).

> Also, the http Statistics report produces a lot more data than I want, no surprise. E.g. if I browse to site A, which has graphics downloaded from sites B-Z, the report shows me requests for sites A-Z. Is there any way to narrow the report down to ONLY the sites HE REQUESTS, either by typing in a URL or by clicking on a link? And is there a better way to do this than the stumbling around I've done?

Since the initial sites visited are typically the only time HTML is loaded (the accesses to other sites are usually graphics), this display filter should help narrow it down:

ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"

Steve
Re: [Wireshark-users] Help with GRE encapsulated packets
On Tue, Nov 06, 2007 at 09:24:59AM -, Eric Renkoff wrote:
> I am trying to solve a problem between 2 devices that are FTPing to/from one another. The problem is that at the network point where I am sniffing I see only GRE encapsulated packets. Wireshark is not decoding the encapsulated payload so I cannot see what is going on in there in order to try and solve my network problems. How do I get Wireshark to decode the GRE encapsulated packets?

Is Wireshark showing that there are GRE packets and just not showing what is within them? I do not remember how Wireshark handles GRE and there is no sample capture on the Wiki. Would you mind attaching a *small* capture file (1 packet is ok) to an e-mail response with GRE/encapsulated data in it? Then I (or anyone else) can take a look at what is going wrong.

Steve
Re: [Wireshark-users] Error w/ Make command on CentOS 4.5 wireshark-0.99.6
On Sat, Nov 03, 2007 at 10:43:28PM -0400, Steve West wrote:
> I'm trying to install just tshark to use wireshark via command line rather than a GUI.
>
> glib-1.2.10-15
> glib-devel-1.2.10-15
> glib2-2.4.7-1
>
> [EMAIL PROTECTED] wireshark-0.99.6]# ./configure --disable-wireshark --disable-gtk2 --enable-tshark
>
> erf.c:152: warning: const qualifier ignored on asm

By passing --disable-gtk2 on the configure line, you are also disabling glib2, so it will use glib1. The errors you are getting are caused by a problem with glib1 itself. There are two ways to get around this. Either pass --disable-warnings-as-errors as an additional configure option so these warnings don't stop compilation, or remove the --disable-gtk2 and install glib2-devel. I would recommend installing glib2-devel and removing --disable-gtk2.

By the way, --disable-wireshark disables building of the GUI Wireshark.

Steve
Re: [Wireshark-users] Latest Wireshark on Mac OS X 10.5 (Leopard)
On Mon, Oct 29, 2007 at 04:10:58PM -0700, Guy Harris wrote:
> Brian Swan wrote:
>> I'm curious if anyone has tried WireShark under Mac OS X Leopard?
>
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1953
>
> See comment #2, which notes a bug filed at Apple against the Leopard X11 server (which might be where the problem lies),

Has the version of the X11 server changed in 10.5? My 10.4 installation has X11 1.1.3 - XFree86 4.4.0 FWIW.

Steve
Re: [Wireshark-users] Ipw3945 monitor mode
On Thu, Oct 25, 2007 at 04:30:13PM +0200, Palmeri Massimo wrote:
> iwconfig eth1 mode monitor
> iwconfig eth1 channel 9
>
> It works, but I also see frames from other channels

802.11b/g runs in the 2.4GHz band and each channel in the band is 5MHz wide. However, when using a channel, the signal spreads 25MHz wide, covering 5 channels at once. This means that channel 9 is picking up traffic from channels 9-13. This may be why you are seeing traffic from other channels.

Steve
Re: [Wireshark-users] Exporting objects with invalid default filenames
On Tue, Oct 23, 2007 at 08:04:05AM -0700, Mark G. wrote:
> I am using Wireshark to capture a large number of JPEG2000 images from a web site. The captured images appear in the export/objects/http dialog with mime type application/octet-stream. But their default filenames are invalid, having been created from the original HTTP GET request. So save all will not save these objects.

That is because all of the filenames are taken from the filename (specifically the last characters after the final /) in the HTTP GET request. Usually this provides a normal filename, but as you have seen, it also sometimes leads to filenames that contain characters that are invalid for the filesystem you're using (or any filesystem). There is no good way to tell what filenames are going to be able to be saved until Wireshark tries it and sees if it fails.

> I can select them individually and save them, but then I have to wait while Wireshark reads through all the packets. This is tedious. Is there a way to automate this? I would like to instruct Wireshark to assign incremental filenames to the objects, but I see no way to accomplish this.

I could not think of a really good way to handle these filenames that are unsavable when I implemented the export object feature. Were you hoping to save all of the objects with filenames that increment, or just the ones that are based on HTTP GET requests that cannot be saved with their HTTP GET filenames? Do you have any other ideas of a good way to fix this? Maybe letting the user click on the filename field and change the ones they want to?

> Perhaps this could be done with Tshark?

The export object feature is not implemented in tshark at all.

Steve
Re: [Wireshark-users] Capture options
On Mon, Oct 22, 2007 at 01:50:25PM +, Henrik wrote:
> In Wireshark, capture options - there is a dropdown menu of interfaces. When I select my MS loopback driver, there is also a list of 16 IP addresses below. I have about 30 IP addresses in my application. Does this mean that Wireshark only listens to 16 out of 30? I'm using MS Windows 2K SP4, Wireshark version 0.99.5 (SVN Rev 20677).

No, it will listen to all of the IPs since it is not doing the capture based on IP at all but instead on the interface. There just isn't room to list all of the IPs in the Capture Options window. In newer versions, I added an ellipsis ( ... ) in the middle of the list of IPs and it shows the first so many and the last so many (depending on how wide your window is). I cannot remember if that made version 0.99.6 or if it is coming in 0.99.7 (I can check if anyone really wants to know).

Steve
Re: [Wireshark-users] Latency
On Wed, Oct 17, 2007 at 09:17:45PM +, Sputnik Navigation wrote:
> Can we identify a specific received packet that is sent from the transmitting computer in order to measure the delay, i.e. a packet id from the transmitting computer to the receiving computer?

You could try the IP Packet Identification number (ip.id in Wireshark display filters). It shows up in the IP tree in Wireshark as Identification 0x0 (0).

Steve
Re: [Wireshark-users] How to send packets in wireshark
On Tue, Oct 09, 2007 at 12:22:02PM +0530, Saravanan BV wrote:
> I am using wireshark as a packet analyzer. I have 3 NIC cards: eth0, eth1 and eth2. From eth0 packets are being sent and received, but from eth1 and eth2 I am unable to capture any packets or traffic. How should I do that? Give me the solution...

Capturing from eth1 and eth2 should work the same as with eth0. Are eth1 and eth2 connected to a network also? What happens when you try to capture from them? Any error messages?

Steve
Re: [Wireshark-users] To run Tshark in graphical mode.
On Mon, Oct 08, 2007 at 04:24:19PM +0530, Saravanan BV wrote:
> I need tshark/tethereal to run in graphical mode. Is there any option to run tshark or tethereal in graphical mode in FC6?

You can run Wireshark / Ethereal to get a graphical version of the program.

Steve
Re: [Wireshark-users] FreeBSD Running As User
On Tue, Sep 25, 2007 at 05:31:16PM -0700, J wrote:
> Can someone offer some insight as to how to run wireshark as a normal user in FreeBSD 6.2? I've tried changing the bpf devices' group, as well as granting read access to them via this group, but I'm still getting permission denied errors. If not, I would welcome some general instructions about how to run wireshark reasonably securely on FreeBSD. Currently using a generic kernel.

Did you also grant the group read rights to all bpf devices? Does ls -l reflect this? I usually granted my user read rights and changed the owner to myself. I would assume doing it with the group would work too, but I do not have a FreeBSD box handy with Wireshark on it to test that with.

To make these changes permanent, you need to modify /etc/devfs.conf for the next bootup. It is probably best to make the change to devfs.conf even if you aren't going to reboot, as each newly created bpf device inherits the permissions you give it in that file. Sometimes new bpf devices are created on the fly when using capturing tools.

Steve
Re: [Wireshark-users] Unable to compile static build of TShark on Fedora 7
On Wed, Sep 05, 2007 at 03:12:52PM -0700, Barry Gould wrote:
> and if I do this: --disable-gtk2
>
> $ make -j2
> cc1: warnings being treated as errors
> erf.c: In function 'erf_open':
> erf.c:152: warning: const qualifier ignored on asm

Disabling GTK2 disables GLIB v2 as well. On some systems, including my MacOS X machine, GLIB1 is causing the warnings above. This was recently discussed on the (-dev?) mailing list, but I don't remember the specifics. Removing --disable-gtk2 should work around this problem (or add --disable-warnings-as-errors to the configure script).

Steve
Re: [Wireshark-users] How to find numerical sum of a particular field.
On Mon, Aug 27, 2007 at 12:13:25PM -0400, pradeep reddy wrote:
> In the IO graphs I can get a graphical display of a particular field; is it possible to get the numerical value of this sum?

Unfortunately, there is no way to get the values from the IO graph. Please open a bug report (and mark it as an enhancement request) at http://bugs.wireshark.org to request this feature. That way we do not forget that users such as yourself would like that feature and we can implement it when we have spare time.

Steve
Re: [Wireshark-users] can Wireshark read text file
On Fri, Aug 24, 2007 at 09:18:27PM -0700, Jenning Zhang wrote:
> I'm new here. I have lots of SS7 message traces which are in hexdump text file format. Is there any tool that can convert such a file to a Wireshark readable format?

The text2pcap program that comes with Wireshark may suit your needs.

Steve
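To show what a hexdump-to-capture conversion actually involves, here is an added example (not code from this thread and not Wireshark's text2pcap source) that reads the same input shape text2pcap expects: each line starts with a hex offset followed by hex bytes, and an offset of 000000 starts a new packet. The link type (Ethernet) and the synthetic one-second timestamps are assumptions made here; the hexdump text is constructed for the example.

```python
"""Convert a text hexdump of packets into a classic libpcap file.

Added example, not part of the original mailing-list thread and not
Wireshark's text2pcap. Input: lines of "<hex offset> <hex bytes...>";
an offset of zero begins a new packet. Output: pcap bytes (magic
0xa1b2c3d4, version 2.4) that Wireshark can open.
"""
import re
import struct

LINKTYPE_ETHERNET = 1  # pcap link-layer type assumed for the frames

# Hex offset, whitespace, one or more hex byte pairs. A trailing ASCII
# column (as in "hexdump -C" output) is ignored by the regex because it
# is not made of hex pairs separated by whitespace.
_LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]{4,})\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})")

# Constructed sample: two frames, the second ending with a bare offset
# line (as "od" prints after the last byte), which carries no data.
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00
000010 00 14 00 01 00 00 40 11 00 00 c0 a8 01 6a c0 a8
000020 01 01
000000 00 11 22 33 44 55 ff ff ff ff ff ff 08 06 00 01
000010 08 00 06 04 00 01
000016
"""


def parse_hexdump(text):
    """Split hexdump text into a list of packets (bytes).

    A zero offset starts a new packet. Any other offset must equal the
    number of bytes already collected for the current packet; if not,
    the dump is inconsistent and ValueError is raised instead of
    silently writing a malformed frame.
    """
    packets = []
    current = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE_RE.match(line)
        if not m:
            continue  # blank line, comment, or offset-only trailer line
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", "").replace("\t", ""))
        if offset == 0:
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif offset != len(current):
            raise ValueError(
                f"line {lineno}: offset {offset:#x} but {len(current):#x} bytes seen")
        current.extend(data)
    if current:
        packets.append(bytes(current))
    return packets


def build_pcap(packets, linktype=LINKTYPE_ETHERNET, start_ts=0):
    """Return the bytes of a pcap file holding `packets`.

    The dump carries no timestamps, so packet i is stamped
    start_ts + i seconds (an assumption of this example).
    """
    out = bytearray()
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out += struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # Per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", start_ts + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def convert(text, linktype=LINKTYPE_ETHERNET):
    """Hexdump text in, pcap bytes out."""
    return build_pcap(parse_hexdump(text), linktype)


if __name__ == "__main__":
    with open("converted.pcap", "wb") as fh:
        fh.write(convert(SAMPLE_HEXDUMP))
    print("wrote", len(parse_hexdump(SAMPLE_HEXDUMP)), "packets to converted.pcap")
```

For SS7 traces the dumped bytes would start at MTP2/MTP3 rather than Ethernet, so the link type would need to be one Wireshark dissects for that layer; the offset consistency check is what catches a dump whose lines were re-wrapped or truncated in transit.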
Re: [Wireshark-users] Installation problem on window 2003 standard edition
On Wed, Aug 08, 2007 at 05:08:11PM +0100, Coke, Norman wrote:
> I've just installed 0.99.6a and the font colors are not correct, i.e. the font is white, the tool tip text is the same as the tool tip background. The end result is that I can't read the text in the capture window since the text and the background are the same colour.

Are you running in 256-color mode (such as through terminal services)? Newer GTK (our GUI library) versions have a bug in their handling of 256-color mode, which results in a display like the one you described above. If you need to run it in 256-color mode, you can choose GTK1 at the beginning of the installation as a work-around for now.

Steve
Re: [Wireshark-users] SSL decryption
On Mon, Aug 06, 2007 at 03:14:32PM -0400, Samson Katru wrote:
> Help me to decrypt the ssl application data area.
> 1. I have downloaded the latest version of wireshark, 0.99.6a
> 2. Server is mainframe..creates selfsigned server certificates.
> 3. Defined under preferences ip,port,ssl,c:\server.kdb
> 4. Trying to capture, I see all encrypted data as application data.
> Please let me know where I am wrong.

What protocol is contained within the SSL encrypted data? HTTP? You need to put that protocol name instead of ssl in your example above at #3.

Steve
Re: [Wireshark-users] Question on installing new Wireshark release over old release on Windows
On Thu, Jul 05, 2007 at 07:01:03PM -0400, Small, James wrote:
> I hope this isn't a dumb question, but if I have a previous version of Wireshark installed on Windows, may I simply install the latest version over it or should I first uninstall the old version and then install the new version?

You can install the new version over the old version without any problems.

Steve
Re: [Wireshark-users] Right-click and open a tcp stream in a new window?
On Wed, Jun 27, 2007 at 10:31:57PM -0700, Alex Lee wrote:
> I do a lot of these for work:
>
> Tcp.flags.syn == 1 tcp.flags.ack == tcp.port == some app
>
> A lot of times I need to follow each new connection's stream but often times, I end up not finding what I need in the first few streams. Is it possible to add a right-click open-in-new-window for follow tcp stream? Or add a back button to bring you back to the original filter string?

Is the filter box drop-down list not helpful in this case? The previous filter string will be listed at the bottom of the list.

Steve
Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
On Wed, Jun 27, 2007 at 05:29:41PM +0900, Mitsuho Iizuka wrote:
> Does anyone know how to drop 400 unwanted packets in an already captured snoop file to analyze with wireshark? According to this list, editcap has a 100 limitation.

Actually, this has been raised to 500 in the latest SVN source code tree.

> I would like to analyze an LDAP packets file, which was already captured, without specified src tcp.port (about 400 ports!). It seems Wireshark does not have a feature to read a display filter from a file.

You are correct.

> I would like to write scripts as follows,
>
> (tcp.ports != 400 tcp.ports != 401 tcp.ports = 800)
>
> of course, the port numbers are not sequential.

Are the frame numbers sequential? Is there a pattern to the tcp port numbers that you want to include/exclude?

Steve
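Both halves of this problem are mechanical, so here is an added example (not from the thread and not Wireshark code) that generates them: a display filter that excludes a long, non-sequential port list, and the frame-range arguments editcap takes, split into batches that stay under the per-invocation range limit (100 in the release discussed, 500 in SVN at the time; it is a parameter here). The port and frame lists are constructed. Two details matter in practice and are handled: tcp.port occurs twice per frame, so "tcp.port != 400" does not exclude frames with port 400 (a negated equality does), and editcap renumbers the surviving frames after each pass, so multi-pass deletion must work from the highest frame numbers down.

```python
"""Port-exclusion display filters and batched editcap frame ranges.

Added example, not part of the original thread and not Wireshark's own
code. SAMPLE_PORTS and SAMPLE_FRAMES are constructed inputs.
"""

SAMPLE_PORTS = [400, 401, 800, 400, 1389]          # constructed, with a duplicate
SAMPLE_FRAMES = [1, 2, 3, 7, 9, 10, 20]            # constructed unwanted frame numbers


def port_exclusion_filter(ports, field="tcp.port"):
    """Display filter that keeps only frames whose port is NOT in `ports`.

    tcp.port appears twice in a frame (source and destination), and
    "tcp.port != 400" is true whenever EITHER occurrence differs from
    400, so it matches almost every frame. Negating an equality test
    excludes the frame if ANY occurrence matches, which is the intent.
    """
    unique = sorted(set(int(p) for p in ports))
    if not unique:
        return ""  # nothing to exclude: an empty filter matches everything
    return "!(" + " || ".join(f"{field} == {p}" for p in unique) + ")"


def compress_ranges(frames):
    """Collapse frame numbers into inclusive (start, end) runs:
    [1, 2, 3, 7, 9, 10] -> [(1, 3), (7, 7), (9, 10)]."""
    runs = []
    for n in sorted(set(frames)):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def format_range(run):
    """editcap spelling of a run: "7" for a single frame, "1-3" for a run."""
    start, end = run
    return str(start) if start == end else f"{start}-{end}"


def editcap_drop_batches(frames, limit=100):
    """Frame-range argument lists, at most `limit` ranges each, for
    successive "editcap <in> <out> <ranges...>" passes that DROP the
    listed frames.

    editcap renumbers the remaining frames after every pass, so the
    batches are ordered highest-first: removing frames above N never
    changes the numbers of frames at or below N, so every later batch
    still refers to the right frames.
    """
    runs = compress_ranges(frames)
    runs.reverse()
    return [[format_range(r) for r in runs[i:i + limit]]
            for i in range(0, len(runs), limit)]


if __name__ == "__main__":
    print(port_exclusion_filter(SAMPLE_PORTS))
    for n, batch in enumerate(editcap_drop_batches(SAMPLE_FRAMES, limit=2), 1):
        print(f"pass {n}: editcap in.snoop out.snoop {' '.join(batch)}")
```

The filter string can be passed to tshark with -R (in the versions discussed here) without needing a read-from-file feature; each batch line is one editcap invocation, run in the printed order.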
Re: [Wireshark-users] Any zLinux users or ideas about monitoring zLinux traffic externally?
On Tue, Jun 19, 2007 at 06:56:59PM -0400, Natividad, Joel wrote:
> Are there any users out there using Wireshark in zLinux (Linux on mainframes - http://en.wikipedia.org/wiki/Linux_on_zSeries)?

Not sure.

> If not, are any of the devs aware of any possible platform issues, should I venture to compile Wireshark on my own?

Go ahead and try to compile it on your own - I bet it will work fine. If you have any trouble, join the wireshark-dev mailing list and we'll try to help you get it compiled.

> If not, can anybody recommend a setup whereby I can monitor network traffic coming out of the zLinux on a regular Linux/Windoze machine, perhaps, by bridging or some other technique?

If you have the system connected to a switch, you may be able to do port monitoring/spanning of the system's port to another port, where you would connect the regular machine for capturing traffic. You'll get all traffic sent and received on the monitored port with this setup. An alternative is to put a hub in between the existing network and the server and then connect your monitoring machine to that hub; it will also see all traffic going through the hub.

Steve
Re: [Wireshark-users] GUI vs CMD mode
On Sun, Jun 17, 2007 at 10:35:53PM +0800, Billie Chan wrote:
> In GUI mode I can customize the columns view, e.g. add a new column for src port, dst port etc...

Yes, if you are using the latest version of Wireshark/tshark (Ethereal didn't support this). You would use the -T fields option along with -e field name for each field you wanted to display.

Steve
Re: [Wireshark-users] Saving the statistics to a file
On Thu, Jun 14, 2007 at 10:22:50PM +0100, Bala wrote:
> Can anyone tell how we can print the statistics from the packet analysis to a file? I find that we can only see the output in the tool, with no option for saving the statistics of the trace analysis.

Which statistics/analysis are you referring to?

Steve
Re: [Wireshark-users] Windows, connection not listed in netstat
On Wed, Jun 13, 2007 at 10:12:03AM +0200, paul wrote:
> I tried to use Wireshark on Windows. I caught one three-way handshake from some foreign address on some ports greater than 1024. Immediately I ran netstat -a -n, but I cannot find any corresponding connection in this list. Does anybody know why?

You should have seen it if it was still active. Did you continue to see traffic in Wireshark for that connection?

Steve
Re: [Wireshark-users] Comparing packets
On Wed, May 23, 2007 at 06:14:53PM +0100, Piers Kittel wrote:
> So, the computers were run at the same time to capture the packets going between device A and B. I've got 2 files, like A-20070522-162040.gz and B-20070522-162040.gz. I've merged the two, and filtered out the packets I'm not interested in. Naturally, I see double of nearly all packets. What I'm interested in is to find packets that failed to reach the other side, so I'd like to filter out all packets that arrived successfully - how do I do this? Packet 4 failed to arrive however. How do I filter out Packets 1 and 2 but not 3?

There currently isn't a way to detect duplicate packets in Wireshark that I know of. What would be needed is some sort of duplicate detection that compares the payload of each packet against each other packet. That would be computationally expensive, so it might be best left as an option that you run one time, perhaps as part of the merge captures process. Would it work for you to simply be told which are duplicates, or would you prefer them to be displayed in the protocol tree (by default the middle pane) and be filterable?

It would be best if you could go to http://bugs.wireshark.org and submit a bug report requesting this and mark it as an enhancement request. Thanks!

Steve
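The two-capture-point problem here and the latency question earlier in the thread (matching a received packet to the one transmitted, via ip.id) are the same matching job, so one added example covers both. It is not code from the thread or from Wireshark: records from side A and side B (as one could export with tshark -T fields) are paired on source, destination, ip.id and a payload digest, which guards against ip.id reuse; paired packets give a one-way delay, unpaired A packets are the ones that never arrived. The records are constructed, and the delay figures only mean something if both capture hosts have synchronized clocks.

```python
"""Pair packets seen at two capture points; report delay and loss.

Added example, not part of the original thread and not Wireshark code.
Each record is {"ts", "src", "dst", "ip_id", "payload"}; SIDE_A and
SIDE_B below are constructed samples.
"""
import hashlib
from collections import defaultdict


def _rec(ts, ip_id, payload, src="192.168.1.10", dst="10.0.0.5"):
    return {"ts": ts, "src": src, "dst": dst, "ip_id": ip_id, "payload": payload}


# Constructed: four datagrams sent from A; the fourth never shows up at B.
SIDE_A = [_rec(1.000, 1, b"GET /a"), _rec(1.010, 2, b"GET /b"),
          _rec(1.020, 3, b"GET /c"), _rec(1.030, 4, b"GET /d")]
SIDE_B = [_rec(1.0025, 1, b"GET /a"), _rec(1.0125, 2, b"GET /b"),
          _rec(1.0215, 3, b"GET /c")]


def packet_key(rec):
    """Identity of a datagram across capture points. ip.id alone wraps
    at 65536 and some stacks reuse it, so the payload digest is part of
    the key; NAT in between would change src/dst and break the pairing,
    which is the correct outcome rather than a false match."""
    digest = hashlib.sha256(rec["payload"]).hexdigest()
    return (rec["src"], rec["dst"], rec["ip_id"], digest)


def match_captures(side_a, side_b):
    """Return (matched, lost, unexpected).

    matched:    [(a_rec, b_rec, one_way_delay_seconds), ...] in A order
    lost:       A records with no counterpart on B
    unexpected: B records with no counterpart on A (e.g. A's capture
                started late or A's filter dropped them)
    Keys can legitimately repeat, so each key holds a FIFO queue and the
    earliest unmatched A packet pairs with the earliest matching B one.
    """
    pending_b = defaultdict(list)
    for rec in sorted(side_b, key=lambda r: r["ts"]):
        pending_b[packet_key(rec)].append(rec)
    matched, lost = [], []
    for rec in sorted(side_a, key=lambda r: r["ts"]):
        queue = pending_b.get(packet_key(rec))
        if queue:
            other = queue.pop(0)
            matched.append((rec, other, other["ts"] - rec["ts"]))
        else:
            lost.append(rec)
    unexpected = [r for q in pending_b.values() for r in q]
    return matched, lost, unexpected


def summarize(matched, lost):
    """Loss count plus min/avg/max one-way delay over the matched pairs."""
    delays = [d for _, _, d in matched]
    return {
        "matched": len(matched),
        "lost": len(lost),
        "min_delay": min(delays) if delays else None,
        "max_delay": max(delays) if delays else None,
        "avg_delay": sum(delays) / len(delays) if delays else None,
    }


if __name__ == "__main__":
    matched, lost, unexpected = match_captures(SIDE_A, SIDE_B)
    print(summarize(matched, lost))
    for rec in lost:
        print("never seen at B: ip.id", rec["ip_id"], rec["payload"])
```

The "lost" list is exactly the set the question asks to filter down to; its frame numbers could then be fed to a display filter such as frame.number == N (combined with ||) in the merged file.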
Re: [Wireshark-users] descriptive names for mac address
On Wed, Jun 06, 2007 at 12:46:53AM +0200, Martin Andersson wrote:
> Is it possible (via a file for instance) to get descriptive names of mac addresses in tshark. Example:
>
> Netgear_7e:39:d4 -> IntelCor_19:32:c3 LLC I, N(R)=0, N(S)=0; DSAP NULL LSAP Individual, SSAP NULL LSAP Command
>
> Should be something like
>
> DeviceA -> DeviceB LLC I, N(R)=0, N(S)=0; DSAP NULL LSAP Individual, SSAP NULL LSAP Command

Yes, using the personal ethers file. The format is the same as the /etc/ethers file on a Unix machine (basically a MAC address separated by colons, then a tab, then a descriptive name). The location for this file on Windows and Unix can be found here:

http://www.wireshark.org/docs/wsug_html_chunked/ChAppFilesConfigurationSection.html

Steve
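To make the lookup order concrete, here is an added example (not from the thread, not Wireshark's source) that resolves MAC addresses the way the names above suggest: an exact entry in an ethers-format file wins, otherwise the 3-byte OUI prefix is looked up in a manufacturer table and the remaining bytes are appended (giving the "Netgear_7e:39:d4" form), otherwise the raw address is returned. The ethers text follows the /etc/ethers convention the reply describes, including '#' comments and the leading-zero-free byte form that file allows; the ethers entries and the small manuf table are constructed for the example.

```python
"""Resolve MAC addresses via an ethers-format file, then an OUI table.

Added example, not part of the original thread and not Wireshark code.
SAMPLE_ETHERS and SAMPLE_MANUF are constructed inputs.
"""
import re

# Constructed personal ethers file: MAC, whitespace, name, '#' comments.
SAMPLE_ETHERS = """\
# constructed personal ethers file
00:1e:2a:7e:39:d4\tDeviceA
0:1b:21:19:32:c3\tDeviceB   # leading zeros may be omitted, as in /etc/ethers
"""

# Constructed OUI-prefix -> vendor short-name table (the role Wireshark's
# manuf file plays). Keys are the first three bytes, lowercase, colon-separated.
SAMPLE_MANUF = {"00:1e:2a": "Netgear", "00:1b:21": "IntelCor"}

_DOTTED_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")
_BYTE_RE = re.compile(r"[0-9a-f]{1,2}")


def normalize_mac(text):
    """Canonical lowercase aa:bb:cc:dd:ee:ff.

    Accepts colon or dash separators, bytes without leading zeros
    ("0:a:1b:...", which /etc/ethers permits) and the dotted
    0011.2233.4455 form. Anything else raises ValueError so a typo in
    the ethers file is reported instead of silently never matching.
    """
    s = text.strip().lower()
    if _DOTTED_RE.fullmatch(s):
        hexstr = s.replace(".", "")
        parts = [hexstr[i:i + 2] for i in range(0, 12, 2)]
    else:
        parts = re.split(r"[:-]", s)
        if len(parts) != 6 or not all(_BYTE_RE.fullmatch(p) for p in parts):
            raise ValueError(f"not a MAC address: {text!r}")
        parts = [p.zfill(2) for p in parts]
    return ":".join(parts)


def parse_ethers(text):
    """Parse ethers-format text into {canonical_mac: name}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"ethers line {lineno}: expected '<mac> <name>'")
        table[normalize_mac(fields[0])] = fields[1].strip()
    return table


def resolve(mac, ethers, manuf):
    """Name for `mac`: ethers entry, else Vendor_xx:yy:zz, else the address."""
    canon = normalize_mac(mac)
    if canon in ethers:
        return ethers[canon]
    oui = canon[:8]
    if oui in manuf:
        return f"{manuf[oui]}_{canon[9:]}"
    return canon


if __name__ == "__main__":
    ethers = parse_ethers(SAMPLE_ETHERS)
    for addr in ("00:1E:2A:7E:39:D4", "00:1b:21:19:32:c3", "00-1b-21-aa-bb-cc", "0050.56aa.bbcc"):
        print(addr, "->", resolve(addr, ethers, SAMPLE_MANUF))
```

Note that the ethers file only changes how addresses are displayed; filters still have to use the numeric address (eth.addr == 00:1e:2a:7e:39:d4), and an attacker-controlled station can of course present any MAC it likes, so a name from this file is a convenience label, not an identity check.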
Re: [Wireshark-users] promiscuous mode on a wireless card with a router as the access point
On Mon, Jun 11, 2007 at 12:19:41AM -0500, Terra Frost wrote:
> The Linksys WRT54G - the access point I'm using - has a built-in switch, however, I'm not sure if this built-in switch is for wired networks, only, or if it's for wireless networks, as well. If it's for wireless networks, then that'd probably explain why I can't enter into promiscuous mode, however, what would let me enter into promiscuous mode for wireless networks, then?

The ability to use promiscuous mode on a wireless LAN interface depends on the WLAN interface/drivers/operating system you're running and not the access point. For example, my work laptop can do promiscuous under Linux but not under Windows.

> Linksys has a stand-alone access point (WAP54G), however, the page on Linksys' website that discusses it doesn't mention anything about a hub or a switch. Does that mean that wireless access points don't even use hubs / switches?

Wireless APs may have a hub or switch built in for the wired side of it or they may just have one wired connection. In either case, the wireless and wired sides are typically bridged together (a bridge is just a 2 port switch). The wireless side acts like a hub where all machines have to check if another station is currently using the wireless medium before they can transmit.

Steve
Re: [Wireshark-users] analysing HTTP latencies
On Fri, Jun 01, 2007 at 04:20:04PM +1200, Rohit Grover wrote:
> Incidentally, upon viewing a simple HTTP dialogue using wireshark, I noticed that the server's first HTTP response datagram wasn't tagged by wireshark as HTTP. I'm quite sure I'm missing something because something of this sort can't go un-noticed if it is a bug.

Was the HTTP traffic on a standard HTTP port/proxy port? Wireshark by default recognizes traffic on TCP ports 80, 3128, 3132, 8080, 8088, 11371, 3689 as some form of HTTP. It also recognizes SSDP over HTTP on TCP and UDP port 1900. There is a preference option to add one more port to the list of recognized ports if you need it.

Steve
Re: [Wireshark-users] Is there a tshark option to save just RTP Header?
On Thu, May 03, 2007 at 05:29:24PM -0400, Kerry L Foster wrote:
> Is it possible to control what information is being saved by tshark into the output capture file?

The only way that I know of is the -s snapshot len option, which specifies how many bytes of each packet to read/save. This could be used in your case as long as all of the packets had the exact same length for the lower level protocols (ethernet, ip, udp, etc.).

> I assume tshark does not support this capability, which leads me to the next question. If I (or someone else) were to implement this capability (to contribute back), where would the best place be to add it? Could I add it as a preference within the RTP dissector (something like '-o rtp.clear_payload:TRUE')? Then from the RTP dissector, just manipulate the tvb->real_data buffer or tvb->length based upon the preference setting (it could simply zero out the RTP payload, or maybe even modify the UDP/RTP lengths, etc.). It looks like dissect_packet() passes a pointer to the original packet data and not to a copied buffer, so it looks feasible.

That is probably the best place to put this sort of feature.

Steve
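The "zero out the RTP payload" variant proposed above keeps every length field consistent, which the truncating -s approach cannot when the lower layers vary. As an added example (not from the thread and not Wireshark's RTP dissector), the code below parses the RFC 3550 fixed header, CSRC list and optional header extension, then returns a copy of the datagram with the media bytes zeroed so that sequence numbers, timestamps and SSRCs remain analyzable. The sample RTP packets are constructed.

```python
"""Parse an RTP header and zero the media payload behind it.

Added example, not part of the original thread and not Wireshark code.
Field layout follows RFC 3550 section 5.1; the samples are constructed.
"""
import struct

# Constructed: V=2, no padding/extension, CC=0, PT=8, seq=0x1234,
# timestamp=1000, SSRC=0xdeadbeef, followed by 20 bytes of "media".
SAMPLE_RTP = struct.pack("!BBHII", 0x80, 0x08, 0x1234, 1000, 0xDEADBEEF) + b"\x55" * 20

# Constructed: V=2, X=1, CC=2, marker set, PT=0, two CSRCs, a one-word
# header extension (profile 0xbede), then 10 bytes of "media".
SAMPLE_RTP_CSRC_EXT = (struct.pack("!BBHII", 0x92, 0x80, 1, 16, 0xAABBCCDD)
                       + struct.pack("!II", 0x11111111, 0x22222222)
                       + struct.pack("!HH", 0xBEDE, 1) + b"\x01\x02\x03\x04"
                       + b"\x99" * 10)

# Constructed: same as SAMPLE_RTP but with the padding bit set.
SAMPLE_RTP_PADDED = bytes([0xA0]) + SAMPLE_RTP[1:]


def parse_rtp(data):
    """Return a dict of header fields plus header_length (bytes).

    Every length is checked before it is used, so a truncated or bogus
    packet raises ValueError instead of producing a wrong header size.
    """
    if len(data) < 12:
        raise ValueError("RTP packet shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    if len(data) < hdr_len:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", data[12:hdr_len])) if cc else []
    if extension:
        if len(data) < hdr_len + 4:
            raise ValueError("truncated extension header")
        _profile, ext_words = struct.unpack("!HH", data[hdr_len:hdr_len + 4])
        hdr_len += 4 + 4 * ext_words
        if len(data) < hdr_len:
            raise ValueError("truncated extension data")
    return {
        "version": version, "padding": padding, "extension": extension,
        "csrc_count": cc, "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
        "sequence": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
        "header_length": hdr_len,
    }


def strip_rtp_payload(data):
    """Copy of `data` with everything after the RTP header zeroed.

    Lengths are unchanged, so the UDP and IP length fields in the
    enclosing frame stay valid. Zeroing also wipes the padding-count
    byte, so the P bit is cleared to keep the header self-consistent.
    """
    n = parse_rtp(data)["header_length"]
    header = bytearray(data[:n])
    header[0] &= ~0x20 & 0xFF
    return bytes(header) + bytes(len(data) - n)


if __name__ == "__main__":
    info = parse_rtp(SAMPLE_RTP_CSRC_EXT)
    print({k: v for k, v in info.items() if k != "csrcs"})
    print(strip_rtp_payload(SAMPLE_RTP).hex())
```

Applied to the UDP payload of each packet before writing, this is the file-level equivalent of the dissector preference proposed above, and it is also the shape a privacy-preserving capture export takes: signalling and timing survive, voice content does not.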
Re: [Wireshark-users] Stop process in Wireshark 0.99.5
On Tue, May 22, 2007 at 11:30:10AM +0900, Horyong Choi wrote:
> I try to capture packets with wireshark 0.99.5 and winpcap 4.0 but it stops after some seconds. In the task manager of windows xp, it is impossible to kill the wireshark.exe process. Thus I must reboot to kill wireshark. The log file is saved in the C drive root with a name like ethera02568.

What if you go into Wireshark and do File -> Open and open that temporary file (ethera02568 or similar)? Does it hang again?

Steve
Re: [Wireshark-users] Bandwidth Utilization CSV??
On Wed, May 30, 2007 at 07:19:33AM -0400, Feeny, Michael (GPCT-CAI) wrote:
> Hi. Is there a way to produce a bandwidth utilization table? That is, a table that would show bandwidth utilization as a function of time, over the course of a capture file?

The bandwidth utilized in both directions added together for the entire capture file can be found by going to Statistics -> Summary and looking in the box at the bottom. The capinfos program that comes with Wireshark will also show this information about a capture file without having to open it in Wireshark.

> It looks like the Statistics / TCP Stream Graph / Throughput Graph provides this information (B/s over Time), but I have some questions about it that I don't see addressed in the User Guide...
> * Can I get a CSV corresponding to the Throughput Graph?

Not at this time. If you're interested in this feature being added, please open a bug report (and mark it as an enhancement request) at http://bugs.wireshark.org.

> * When I click my mouse on the graph, it changes the scale of the axes, but I can't figure out how to control exactly how these scales change?

Are you clicking the middle button? That zooms in or out. You can modify how it zooms by finding that window (that may be hidden behind the graph at first) titled "Graph 1 - Control".

Hope this helps. I don't use that graph usually so I'm not that familiar with it either. Let us know if you still have questions about it.

Steve
Re: [Wireshark-users] tshark --print-a-specific-field ?
On Tue, May 29, 2007 at 05:50:47AM -0400, Douglas F. Calvert wrote:
> Hello, is there a way to have tshark print a specific field instead of the terse/verbose decoded output? I would like to be able to do:
>
>   tshark -r file --dfc-grovel-flag wlan.bssid
>
> and have tshark print out the bssid either next to the source/address or instead of the src/address?

Check out the new -Tfields and -e options in the latest Wireshark developer versions (they were added after 0.99.5 was released if I remember correctly). The tshark man page describes them. You can get the latest version (0.99.6 developer) from http://download.wireshark.org/download/automated/ or you can wait for 0.99.6 to be released (no set date yet).

Steve
Re: [Wireshark-users] Help about 'decode as'
On Wed, May 23, 2007 at 04:41:05PM +0800, majun wrote:
> I found that we can input a protocol type like 'rtp' on a RedHat (Wireshark 0.99.5 GTK2+) PC when we use 'decode as', but I can't do this on a Windows XP SP2 laptop. That's quite annoying, and XP could not remember the 'decode as' window's size after resizing. Any ideas? BTW: I have tested both 0.99.5 and wireshark-setup-0.99.6-SVN-21890.exe on my laptop. Neither works.

Wireshark code is usually identical between the Unix and Windows versions. I'm not quite sure what problem you are reporting - you can't do Decode As -> RTP on Windows, but you can on Redhat? Or something else?

Steve
Re: [Wireshark-users] Help..
On Wed, May 23, 2007 at 04:33:43PM +0530, Babu A wrote:
> I have recently started using Wireshark and I need to understand and analyze the error messages better... Can anyone point me to a location where I can get information... The current types of errors that I would like to interpret are:
> 1. Out-of-Order
> 2. Previous Segment Lost
> 3. Dup ack
> 4. TCP Windows Update
> 5. TCP Retransmission

Check out http://wiki.wireshark.org/TCP and http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers and let us know what other questions you have. Any good book that covers TCP should also cover these topics in detail.

Steve
Re: [Wireshark-users] Decoding RFC1950 compressed data?
On Mon, May 21, 2007 at 03:49:17PM +0200, Andreas Weller wrote:
> A friend of mine got a new PC system at his shop. It's a Linux based client/server system. As it is undocumented black box stuff we used wireshark to decode its datastream :-)

:)

> But it also connects to port 1536 using some kind of encrypted or compressed protocol. Wireshark doesn't recognize the protocol. I think it might be RFC1950 compressed data (ZLIB). How do I force wireshark to treat the port 1536 data as RFC1950 compressed - maybe it can be decoded this way...

There is no zlib dissector right now, but Wireshark is usually compiled with zlib and it is used within the HTTP and VNC dissectors. Would you mind sending the first response packet (the one that appears to have the compressed data and without the password you x out) to the list (or me privately if you prefer)? I would like to take a closer look at it. If it is just zlib compressed data, a dissector could be written to uncompress it and display the uncompressed data for you.

Steve
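Before a dissector of the kind Steve describes hands port-1536 data to zlib it has to decide whether the bytes are an RFC 1950 stream at all, bound the output size, and cope with a stream whose remainder is still in a later TCP segment. The Python below is an added example, not from this thread or from Wireshark; the real protocol is unknown, so the sample text and the 4-byte length prefix in front of the compressed reply are constructed assumptions.

```python
import zlib

def looks_like_zlib_stream(data):
    """RFC 1950 header test: CM (low nibble of CMF) must be 8 (deflate),
    CINFO (high nibble) at most 7, and CMF*256 + FLG a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def inflate_payload(data, limit=1 << 20):
    """Try to inflate a captured payload.  Returns (status, output, rest):
    'not-zlib'   header test failed, rest is the untouched input
    'error'      zlib rejected the data
    'too-large'  output hit the limit (guards against decompression bombs)
    'incomplete' inflated cleanly but the end of stream and Adler-32 trailer
                 have not arrived yet, e.g. the rest is in the next segment
    'ok'         complete; rest is whatever followed the stream"""
    if not looks_like_zlib_stream(data):
        return "not-zlib", b"", data
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, limit)
    except zlib.error:
        return "error", b"", data
    if d.unconsumed_tail:
        return "too-large", out, d.unconsumed_tail
    if not d.eof:
        return "incomplete", out, b""
    return "ok", out, d.unused_data

def find_zlib_offset(data, max_scan=32):
    """Locate a zlib stream that sits behind an application prefix (length
    field, message type, ...) somewhere in the first max_scan bytes."""
    for off in range(min(max_scan, max(len(data) - 1, 0))):
        if inflate_payload(data[off:])[0] in ("ok", "incomplete"):
            return off
    return None

# Constructed sample traffic; the real port-1536 protocol is unknown, so the
# 4-byte big-endian length prefix is an assumption made for the example.
SAMPLE_PLAINTEXT = b"STATUS shop-terminal-3 OK\n" * 4
SAMPLE_STREAM = zlib.compress(SAMPLE_PLAINTEXT)
SAMPLE_FRAME = len(SAMPLE_STREAM).to_bytes(4, "big") + SAMPLE_STREAM
SAMPLE_REQUEST = b"GET STATUS\r\n"
```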
Re: [Wireshark-users] Help with Output TCP Dup ACK3#2 1320 22 ACK
On Fri, May 18, 2007 at 03:57:01PM -0600, Mike Ciccone wrote:
> I am having a problem with SSH. I can ssh from some servers but not others. I verified that there are no access-lists blocking this. When I ran Wireshark on my pc and tried to ssh to the server I get the following line that could be telling me what the problem is. However, I don't understand it and was hoping someone out there could explain it to me. Here is the line:
>
>   [TCP Dup ACK 3#2] 1320 > 22 [ACK] Seq=1 Ack=1 win=65535 Len=0
>
> Does this mean anything to anyone? I'm guessing my problem lies here. If I ssh to a server that works... I don't see this line.

It has meaning once you read the source code ;). The analysis within the brackets means that this packet is the 2nd duplicate ack to packet #3. Which packet number do you first receive a notice like the one above? Is it the third packet of the SYN, SYN+ACK, ACK TCP handshake or a later packet?

Steve
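The analysis strings asked about two messages up (Out-of-Order, Previous Segment Lost, Dup ACK, Window Update, Retransmission) and the "Dup ACK 3#2" line here all come from tracking sequence and acknowledgement numbers per direction. As an added example that is not Wireshark's code, the Python below applies simplified forms of those rules to a constructed SSH-style connection attempt: analyze() assigns the tags and info_column() renders the line the way the thread quotes it; the hosts, ports and segment values are made up for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

# Segment: frame number, "host:port" endpoints, seq/ack/win, payload byte count, flag frozenset
Segment = namedtuple("Segment", "frame src dst seq ack win length flags")

@dataclass
class DirState:         # per-direction bookkeeping (cf. Wireshark's tcpd->fwd)
    nextseq: int = 0    # highest seq + len seen so far in this direction
    last_ack: int = -1  # stays -1 until the first segment in this direction
    last_win: int = -1
    ack_frame: int = 0  # frame of the last ACK that was not a duplicate
    dup_count: int = 0

def analyze(segments):
    """Return {frame: [tags]} using simplified forms of the rules behind the
    [TCP ...] flags.  Wireshark also uses RTT timing to tell Out-Of-Order
    from Retransmission; that distinction is left out here."""
    state, result = {}, {}
    for s in segments:
        d = state.setdefault((s.src, s.dst), DirState())
        seen, tags, is_dup = d.last_ack >= 0, [], False
        pure_ack = (s.length == 0 and "ACK" in s.flags
                    and not s.flags & {"SYN", "FIN", "RST"})
        if seen and pure_ack and s.seq == d.nextseq and s.ack == d.last_ack:
            if s.win != d.last_win:
                tags.append("TCP Window Update")
            else:                      # same seq, ack and window, no data
                d.dup_count += 1
                is_dup = True
                tags.append(f"TCP Dup ACK {d.ack_frame}#{d.dup_count}")
        elif seen and s.length > 0 and s.seq < d.nextseq:
            tags.append("TCP Retransmission")
        elif seen and s.length > 0 and s.seq > d.nextseq:  # gap before this data
            tags.append("TCP Previous segment lost")
        if not is_dup:
            d.ack_frame, d.dup_count = s.frame, 0
        d.last_ack, d.last_win = s.ack, s.win
        # SYN and FIN each occupy one sequence number
        d.nextseq = max(d.nextseq, s.seq + s.length + bool(s.flags & {"SYN", "FIN"}))
        if tags:
            result[s.frame] = tags
    return result
def info_column(s, tags):
    """Render a segment the way Wireshark's Info column shows it."""
    sport, dport = s.src.rsplit(":", 1)[1], s.dst.rsplit(":", 1)[1]
    flags = ", ".join(f for f in ("FIN", "SYN", "RST", "PSH", "ACK") if f in s.flags)
    prefix = "".join(f"[{t}] " for t in tags)
    return (f"{prefix}{sport} > {dport} [{flags}] Seq={s.seq} Ack={s.ack} "
            f"Win={s.win} Len={s.length}")
# Constructed sample: an SSH connection attempt like the one in the thread.
C, S = "10.0.0.5:1320", "10.0.0.9:22"
RAW = [
    (1, C, S, 0, 0, 65535, 0, "SYN"),
    (2, S, C, 0, 1, 5840, 0, "SYN", "ACK"),
    (3, C, S, 1, 1, 65535, 0, "ACK"),
    (4, C, S, 1, 1, 65535, 0, "ACK"),           # client repeats its ACK
    (5, C, S, 1, 1, 65535, 0, "ACK"),
    (6, S, C, 1, 1, 5840, 21, "PSH", "ACK"),    # server banner
    (7, C, S, 1, 22, 65535, 0, "ACK"),
    (8, S, C, 1, 1, 5840, 21, "PSH", "ACK"),    # banner sent a second time
    (9, C, S, 1, 22, 65000, 0, "ACK"),          # only the window changed
    (10, S, C, 30, 1, 5840, 5, "PSH", "ACK"),   # bytes 22..29 never captured
]
SAMPLE = [Segment(*r[:7], frozenset(r[7:])) for r in RAW]
```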
Re: [Wireshark-users] EXPORT-OBJECT in wireshark 0.99.4
On Wed, May 16, 2007 at 09:22:18PM +0200, mattia tomasoni wrote:
> I am using version 0.99.4, which is the latest automatically available for Ubuntu via the add/remove tool. I cannot find the EXPORT-OBJECT; (I read from the tutorial that) in the 0.99.5 version it can be found in the File menu... but does anybody have any clue where it was in the previous version? (It must be somewhere!) (I would prefer not to venture into installing 0.99.5 since it's not yet supported by Ubuntu...)

The export object feature is new to version 0.99.6 actually, which has not been released yet. It shows up in the 0.99.5 documentation online because that is the most up to date documentation and it will be used when 0.99.6 is released. The only way to get it today is by downloading the source code for the latest developer version of 0.99.6 from http://download.wireshark.org/download/automated/src/ (pick the file with the highest number in it) and compiling/installing it on your machine manually.

Steve
Re: [Wireshark-users] decoding part of a SOCKS message as XML
On Tue, May 15, 2007 at 10:11:09PM +, Stefan Puiu wrote:
> If I try to export a capture, I get packet bytes in hex and the text on the right hand side, with very short lines, so it's not useful - this is probably because the message is part SOCKS, part text. Is it possible to somehow have wireshark decode or export a certain field as ASCII? Something along the lines of "show raw SIP message" for SIP, but only for a field in SOCKS messages.

Have you tried the Follow TCP Stream feature in the Analyze menu?

Steve
Re: [Wireshark-users] question about fancy DHCP display filtering
On Tue, May 15, 2007 at 05:37:18PM +, Stefan Puiu wrote:
> Thanks for confirming that. Then I've another question: how can I look for all DHCP packets where there is an option with value '0x3058' (in hex), for example? I can't seem to grasp how the bootp.options.value == filter is supposed to work - I've tried:
> * bootp.options.value == 0x3058 (field turns red, invalid format)
> * bootp.options.value == 30 58 (field turns green, however, all packets are matched, even if that is not correct)
> This would help at least in my particular situation - I'm trying to find some DHCP clients which send some bogus options.

Try putting a colon between each hex byte:

  bootp.options.value == 30:58

The bootp.options.value field is of type BYTES, which means it is just raw hex values separated by colons. You can right click on one of the values you see and select Apply As Filter -> Selected and see how it is formatted in the filter entry box.

Steve
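To make concrete what the 30:58 comparison is matched against, here is an added example (not from this thread or from Wireshark) that walks the BOOTP/DHCP option TLVs, reports options whose raw value equals a byte string as the == filter does, reports substring matches as the contains operator does, and formats bytes the way a BYTES field expects. SAMPLE_DISCOVER and the option values in it are constructed.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236   # op .. file fields that precede the magic cookie

def parse_dhcp_options(payload):
    """Yield (code, value) pairs from the options area of a BOOTP/DHCP
    payload.  PAD (0) is skipped, END (255) stops, and a truncated option
    ends parsing so a damaged packet still yields the options before it."""
    cookie_end = BOOTP_FIXED_LEN + 4
    if len(payload) < cookie_end or payload[BOOTP_FIXED_LEN:cookie_end] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie")
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break
        yield code, value
        i += 2 + length

def options_equal(payload, needle):
    """Codes of options whose raw value is exactly needle: what
    bootp.options.value == 30:58 tests in a display filter."""
    return [c for c, v in parse_dhcp_options(payload) if v == needle]

def options_containing(payload, needle):
    """Codes of options whose value has needle somewhere inside it: the
    'bootp.options.value contains 30:58' form."""
    return [c for c, v in parse_dhcp_options(payload) if needle in v]

def bytes_filter(field, value):
    """Format raw bytes as a Wireshark BYTES-field comparison, e.g. 30:58."""
    return f"{field} == " + ":".join(f"{b:02x}" for b in value)

def build_dhcp(options, op=1):
    """Construct a minimal BOOTP/DHCP payload carrying the given options
    (sample data; fixed fields are zero apart from op/htype/hlen)."""
    fixed = bytes([op, 1, 6, 0]) + bytes(BOOTP_FIXED_LEN - 4)
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return fixed + DHCP_MAGIC + body + b"\xff"

# Constructed sample: a DHCPDISCOVER (option 53 = 1) with a client identifier
# and a vendor-specific option (43) whose value is the two bytes 30:58.
SAMPLE_DISCOVER = build_dhcp([
    (53, b"\x01"),
    (61, b"\x01\x00\x11\x22\x33\x44\x55"),
    (43, b"\x30\x58"),
])
```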
Re: [Wireshark-users] VNC playback
On Tue, May 01, 2007 at 02:05:58PM -0500, Jonathan Polacheck wrote:
> There are some open-source efforts to get VNC playback, but so far I have been unable to get any of them to work. How cool would it be to be able to play back VNC data right from the trace that has the client/server traffic? And frame numbers to show the exact correlation between traffic and desktop events!? Wireshark does VOIP playback now. rfbproxy does VNC playback from its own file format. It seems like all the pieces are available.

Playing back VNC sessions from within Wireshark would be a LOT of coding to do and maintain and the VNC protocol isn't easy to decode (I wrote most of the VNC dissector in Wireshark and it still doesn't work perfectly for server frame buffer updates). What about a program that translates the VNC traffic from a pcap file and outputs it in a format that rfbproxy can read in?

Steve
Re: [Wireshark-users] Wireshark OSX
On Fri, Apr 27, 2007 at 12:10:45AM +1000, benny wrote:
> Wondering if anyone knew how to uninstall wireshark for macintel osx through terminal or how to safely remove the program. I have scoured the wireshark homepage but found nothing on this.

How did you install it? If you did "make install" after building the source code, then do "make uninstall" from the build directory as root.

Steve
Re: [Wireshark-users] TCP reassembling for HTTP messages extraction
On Tue, Apr 24, 2007 at 06:25:12PM +0200, Laurent Burgy wrote:
> So, I have a trace of TCP messages with HTTP messages as payload... I would like to extract these HTTP messages, and only these, to a file... The 'follow TCP stream' option seems to work only for one stream but my trace clusters many streams... Is there a way to get all the HTTP messages from my trace?

What do you want to do with the HTTP messages? Save all of the data from them (HTML pages, images, other downloaded files, etc.)? Or just save a stream of all of the HTTP streams together?

Steve
Re: [Wireshark-users] Wireshark
On Fri, Apr 20, 2007 at 07:49:10AM -0700, [EMAIL PROTECTED] wrote:
> There's a great book on the subject: Ethereal Packet Sniffing by Angela D. Orebaugh and Gilbert Ramirez. It covers pretty much everything about the tool, and even a bit about protocol analysis.

There is even a recently updated version of this book called Wireshark & Ethereal Network Protocol Analyzer Toolkit by the same authors.

Steve
Re: [Wireshark-users] Saving and Crashing
On Fri, Apr 20, 2007 at 08:36:22PM +0100, luke peters wrote:
> I have just installed openSUSE 10.2. When I use wireshark, when I try and save a capture it just crashes and I have to force a quit on the program. This happens on both my laptop and pc, both with openSUSE 10.2. What could possibly cause this?

What version of Wireshark are you using? Does it actually crash and disappear on its own or does it hang and you have to force quit? Is it a large capture file you're trying to save? Are there any error messages before the problem happens?

Steve
Re: [Wireshark-users] Wireshark sudo
On Tue, Apr 03, 2007 at 02:35:49PM +, [EMAIL PROTECTED] wrote:
> I've tried changing the umask under which the script to launch wireshark runs, but that gets ignored. So maybe it is Wireshark itself (rather than the shell) setting the permissions of saved files?

Yes, Wireshark sets the umask on the temporary file it uses while capturing (look for the umask() call in tempfile.c). For saved files, I believe the temporary file is simply copied over with the same permissions it was created with.

Steve
Re: [Wireshark-users] Support for Microsoft LLTD Protocol
On Tue, Mar 20, 2007 at 06:08:23PM +0530, Manish Rajpal wrote:
> I would like to know if there is a version of wireshark that supports Microsoft's Link Layer Topology Discovery (LLTD) protocol.

Wireshark doesn't appear to support it at this time (I checked Help -> Supported Protocols). Do you have a reference of how the protocol is designed? If so, then someone may have the time to write a dissector for it.

Steve
Re: [Wireshark-users] How to know how much data transferred
On Mon, Mar 19, 2007 at 12:27:17PM +0530, Abhishek Chavan wrote:
> Yeah, it can be seen in that, but I need to show it in a proper format. Any idea?

What format do you need?

Steve
Re: [Wireshark-users] How to know how much data transferred
On Mon, Mar 19, 2007 at 10:27:13AM +0530, Abhishek Chavan wrote:
> Can somebody tell me how I can find out how much data, in bytes or kilobytes and not in terms of packets and frames, is getting transferred, and see it as an output?

Try Statistics -> Summary.

Steve
Re: [Wireshark-users] How to use Wireshark's log files to show data in HTML format
On Thu, Mar 15, 2007 at 09:52:56AM +0530, Abhishek Chavan wrote:
> Can somebody tell me how to use the saved log files of wireshark to view data in graphical format in html format?

What log files of Wireshark are you referring to?

Steve
Re: [Wireshark-users] unreadablity due to poor use of colours (Win32)
On Fri, Mar 16, 2007 at 12:02:10AM +1100, Louis Solomon [SteelBytes] wrote:
> Just downloaded and installed the latest release (0.99.5) on a w2k3 box that I remotely admin (via RDC). Can't use it though, as the latest edition (unlike the previous version of wireshark that I had on the same machine) has really screwy colours like white on white. (When remotely admining, I always use 256 colours for speed.)

This is a problem with 256-color mode using the latest GTK+ libraries in 0.99.5. A work-around is to install the GTK1 version of 0.99.5, which you can pick at the beginning of the Windows installer.

Steve
Re: [Wireshark-users] Using multiple files with tshark
On Thu, Mar 01, 2007 at 12:38:01PM -, McGlinchy, Alistair wrote:
> While you are there, could you cast your eyes over this extension to your fix to allow for the files:value criteria too. This works but requires multiple uses of the -b flag (rather than the -b and -a flags).
>
>   ./tshark -w ~/test.cap -b files:3 -b duration:5
>
> Is that what was intended?

Yes, I believe so.

Steve
Re: [Wireshark-users] Help installing 0.99.5
On Thu, Mar 08, 2007 at 01:56:23PM -0500, Leonard, Thomas J wrote:
> After running I received these errors:
>
>   ts2s141% ./wireshark
>   18:37:15 Warn radius: Could not find the radius directory

This will go away once you install Wireshark.

>   (lt-wireshark:18674): GLib-GObject-WARNING **: g_object_set_valist: object class `GtkSettings' has no property named `gtk-label-select-on-focus'
>   (lt-wireshark:18674): GLib-GObject-WARNING **: g_object_set_valist: object class `GtkSettings' has no property named `gtk-label-select-on-focus'
>
> Can anyone tell me if these are critical program errors or simply warnings that I can ignore.

These warnings can safely be ignored. You must be running a version of GTK older than 2.9 (wireshark -v will show you this). SVN revision 20936 fixed this issue on the 0.99.6 developer version. It is caused by our use of a feature introduced in GTK 2.9 to keep dialog text from automatically being highlighted when it pops up. It's purely cosmetic and no upgrades are necessary.

Steve
Re: [Wireshark-users] locking up when viewing video captures
On Thu, Mar 08, 2007 at 09:19:56PM -0500, phat pig wrote:
> I have been successful in reassembling image files (gif, jpg) from my capture files. I saw an archived thread where someone was successful in reassembling videos using the same method.

What method are you using?

> So far though, wireshark is locking up when I click on 'media type'. Size does not seem to matter. Maybe I am simply overlooking something.

Wireshark shouldn't freeze for any reason - this sounds like a bug.

> Is there a tutorial on reassembling images and videos?

Which protocol are these video files coming through?

Steve