Re: [Wireshark-users] newbie question

2006-08-16 Thread Stephen Fisher
On Wed, Aug 16, 2006 at 09:00:31AM +0200, Krekan wrote: > Hello all, I am new to Ethereal. I would like to ask when I got > file about 1 mb full of data captured how do I extract certain > information such as password from those sniffed data. I run ethereal > start to capture and when the s

Re: [Wireshark-users] newbie question

2006-08-16 Thread Stephen Fisher
On Wed, Aug 16, 2006 at 11:34:15AM -0700, Guy Harris wrote: > Stephen Fisher wrote: > > > You can specify a capture filter to tshark (or wireshark while it's > I assume you meant "You can specify a display filter to tshark ...", > as that's a display f

Re: [Wireshark-users] Dropped packets/TCP Connection Loss

2006-08-23 Thread Stephen Fisher
On Wed, Aug 23, 2006 at 10:37:06AM -0400, Adam Mattina wrote: > Problem > Web pages are coming up either > a) perfectly > b) half mangled with some images and screwed up tables or > c) not at all The last time I saw this problem, there was a MTU problem with the link. There was an 802.1q v

Re: [Wireshark-users] Display Filter - Byte Offset Notation

2006-08-23 Thread Stephen Fisher
On Wed, Aug 23, 2006 at 03:01:41PM -0500, Prigge Scott wrote: > Using version 0.99.2, and am struggling to create a simple display > filter using byte offset notation. I want to simply capture traffic > where the first two bytes of the source address are 68.154. Shouldn't > this filter be as si

Re: [Wireshark-users] Does Wireshark work on Windows XP Tablet PC and/or XP Media Center?

2006-08-26 Thread Stephen Fisher
On Sat, Aug 26, 2006 at 02:40:09PM +0200, Ulf Lamping wrote: > Just wanted to know if someone is working on these systems? It works fine on WinXP Media Center for me. Steve ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wir

Re: [Wireshark-users] Which program sent this TCP packet

2006-08-28 Thread Stephen Fisher
On Mon, Aug 28, 2006 at 08:56:54AM +0200, Ben Stover wrote: > Is it possible to detect which program initiated originally this TCP packet? If you're on Windows, check out TCPView: http://www.sysinternals.com/Utilities/TcpView.html It has to be open at the moment the packet is sent out though.

Re: [Wireshark-users] No TCP traffic

2006-09-06 Thread Stephen Fisher
On Wed, Sep 06, 2006 at 03:59:31PM +0100, Alan Middlehurst wrote: > 1, Yep, definitely a hub, a dual speed hub A dual speed hub must have a switch inside to connect hub ports that are 10Mbps to hub ports that are 100Mbps. Are all of your devices running at the same speed? You also need to che

Re: [Wireshark-users] trouble getting packaged installs to work on OSX

2006-09-06 Thread Stephen Fisher
On Wed, Sep 06, 2006 at 05:05:33PM -0400, Chris Cocuzzo wrote: > I've encountered this problem using both Fink and DarwinPorts. While > the error messages might have been slightly different, they both > amounted to something like this in the OSX command line: "GTK unable > to open" Is this the

Re: [Wireshark-users] Command Syntax Problem with tethereal

2006-09-27 Thread Stephen Fisher
You need to specify -b for each option you use, so the syntax would be: tethereal -b duration:60 -b filesize:1000 -b files:5 -i hme0 -N nt -w /var/tmp/hme0.pcap P.S. Please send future e-mails in text mode instead of HTML only. Steve

Re: [Wireshark-users] How and where to capture a SNMP PDU?

2006-10-02 Thread Stephen Fisher
On Mon, Oct 02, 2006 at 03:57:44AM -0700, Nguyen Huy Nhiem wrote: > I use Ethereal running in my computer to capture SNMP PDU. But I don't > have even 1 SNMP PDU. Please help to capture a real SNMP PDU! > Moreover, please send me some real packets of SNMP PDU. I need these > to understand clear

Re: [Wireshark-users] Duplicate packet with wireshark and winpcap

2006-10-04 Thread Stephen Fisher
On Wed, Oct 04, 2006 at 08:22:03PM +0200, alex loutrbringa' wrote: > There is one millisecond each time between the two packets, the > packets are perfectly similar on ethernet, IP, TCP layers... Are the > packets really emitted two times or is this winpcap which captures 2 times > the packet? Thi

Re: [Wireshark-users] Hubs and Switches

2006-10-04 Thread Stephen Fisher
On Wed, Oct 04, 2006 at 06:48:59PM -0400, Usman Qureshi wrote: > I have a question regarding ICMP packets traversing through Hubs and > Switches. If connected on a Hub I ping the broadcast address > (192.168.0.255) from a host machine (192.168.0.100) I get a response > from the address 192.16

Re: [Wireshark-users] using ssl filter for ssh traffic?

2006-10-05 Thread Stephen Fisher
On Thu, Oct 05, 2006 at 02:14:34PM -0600, Jeff Sadowski wrote: > Is it possible to use the ssl filter for ssh traffic? I don't think it is possible because SSH doesn't use SSL for encryption, it has its own methods. Steve

Re: [Wireshark-users] Malformed packet within Putty's 0.52 SSH

2006-10-06 Thread Stephen Fisher
On Sat, Oct 07, 2006 at 12:15:44AM -0400, LDB wrote: > Within Ethereal I am detecting a malformed packet coming from a Putty > SSH Client using version 0.52. Could my users have downloaded a > tainted version of Putty? > > Also, why does Ethereal consider it a malformed packet from SSH? It dep

Re: [Wireshark-users] Save Graphs

2006-10-06 Thread Stephen Fisher
On Sat, Oct 07, 2006 at 02:31:39AM +0800, Wing Pui Ma wrote: > Wireshark Support, > > When I click statistics -> Flow Graph, then click OK, the graph > comes out, when I click "Save As" in the Graph Analysis dialog box > > What should I type in under Selection: C:\Program Files\Ethereal > >

Re: [Wireshark-users] Hub and Switch

2006-10-06 Thread Stephen Fisher
On Thu, Oct 05, 2006 at 11:46:21PM -0400, Usman Qureshi wrote: > What kind of packets will appear on ping_hub_B that will not show on > ping_switch_B (both files are attached)? I am wondering, because I am > thoroughly thrown off by the packets traversing in the network. In each capture you sta

Re: [Wireshark-users] Lost packets can not ping my machine on my network

2006-10-08 Thread Stephen Fisher
On Sun, Oct 08, 2006 at 03:43:23PM +0100, David Ackie wrote: > My problem is that I can not ping to M1 from M2 or M3 ??? but I can > Ping M1 from M1 of course -- I can Ping M2 to M3 or vice versa works .. > Ping M1 to M2 or M3 works as well I assume all three machines are on the same IP subnet?

Re: [Wireshark-users] Lost packets can not ping my machine on my network

2006-10-11 Thread Stephen Fisher
On Mon, Oct 09, 2006 at 02:22:28PM +0100, David Ackie wrote: > But I do not know how to read the info & from what machine to what .. > I pinged M2 to M1 and saw some bad check sums ?? I really need some > help with this so I can attempt to solve this > Yes I have installed Wireshark/Ethereal on

Re: [Wireshark-users] Using these mailing lists

2006-10-12 Thread Stephen Fisher
On Thu, Oct 12, 2006 at 10:38:32AM -0500, Turner, Jay wrote: > Sorry for my ignorance, but how do I use these mailing lists > effectively? I can at least send messages (since this is here 8^)). > > 1. How do I properly reply to my message or another's in my Inbox? > a. If I use "Reply", will the

Re: [Wireshark-users] Lost packets can not ping my machine on my network

2006-10-12 Thread Stephen Fisher
On Thu, Oct 12, 2006 at 12:01:11PM +0100, David Ackie wrote: > Filter icmp showed up icmp actions only ... I had no idea that saving > that file saves everything not just icmp .. i.e the filter is not a > hard filter .. It still has everything in it ... When you go to File -> Save [As], you can

Re: [Wireshark-users] Lost packets can not ping my machine on my network

2006-10-12 Thread Stephen Fisher
Your setup sounds fine and the ping requests are leaving the other machines AND arriving at M1. However, M1 chooses not to reply. I don't see any reason from a network perspective that this is happening. If it's a Windows machine, have you tried reinstalling? :) Steve

Re: [Wireshark-users] SEQ/ACK analysis

2006-10-12 Thread Stephen Fisher
On Wed, Oct 11, 2006 at 11:25:33AM +0200, Peter Daum wrote: > I just upgraded to wireshark 0.99.3. > > In older versions of ethereal, there used to be a section labeled > SEQ/ACK analysis with links to the packet an ACK is referring to. Is > there an option somewhere to get this information bac

Re: [Wireshark-users] Filter string "udp" versus "udp)"

2006-10-23 Thread Stephen Fisher
On Sat, Oct 21, 2006 at 08:10:26PM +0200, Toralf Förster wrote: > Why is the string "udp)" allowed ? It is marked as valid (green > colour), but the filter seems to have no effect. This may be a bug. Would you mind opening a bug report at http://bugs.wireshark.org/bugzilla so this can be looke

Re: [Wireshark-users] UMA decode support?

2006-10-24 Thread Stephen Fisher
On Tue, Oct 24, 2006 at 07:52:24PM -0500, Frank Bulk wrote: > I read this news item: > http://www.unstrung.com/document.asp?doc_id=108160 > which made me ask: is there UMA decode support in WireShark? There is partial support in Wireshark: http://wiki.wireshark.org/UMA Steve

Re: [Wireshark-users] View Filter -> Capture Filter

2006-10-25 Thread Stephen Fisher
On Thu, Oct 26, 2006 at 02:33:19PM +1000, [EMAIL PROTECTED] wrote: > Anybody knows what the Capture Filter equivalent is of the following > View Filter: ldap.authentication == 0 > > I am basically trying to whittle down my capture to simple > authentication requests over LDAP (389) as part of a

Re: [Wireshark-users] View Filter -> Capture Filter

2006-10-26 Thread Stephen Fisher
On Thu, Oct 26, 2006 at 04:49:45PM +1000, [EMAIL PROTECTED] wrote: > Cheers, I had tried using 'tcp port 389' but in needing to do a 24hr > capture resulted in a lot of info. Even when splitting the data > amongst multiple files resulted in 10Mb x 260 files. Opening this many > files would be t

Re: [Wireshark-users] Book

2006-10-26 Thread Stephen Fisher
On Thu, Oct 26, 2006 at 03:51:31PM -0400, Jack Daniel wrote: > I think the Syngress Ethereal book is still only $15 direct from > syngress.com. A little dated, but still a good foundation reference. This month a new version of that book titled "Wireshark & Ethereal Network Protocol Analyzer T

Re: [Wireshark-users] Mac OSX new MacBook Pro

2006-10-28 Thread Stephen Fisher
On Sat, Oct 28, 2006 at 05:35:22PM -0700, Mike Savory wrote: > When running Wireshark the wireless network dies as soon as you open a > "List the available Capture Interface" window the wireless connection > dies. > Has anyone else seen this on Intel Macs? Or is it perhaps a function > of the

Re: [Wireshark-users] TCP Decoding differences between Ethereal 0.99 and Wireshark 0.99.3/4?

2006-11-01 Thread Stephen Fisher
On Tue, Oct 31, 2006 at 11:50:40PM -0500, Small, James wrote: > Except--when I follow the TCP stream with Ethereal 0.99, this works > great. However, when I do the same thing with Wireshark 0.99.3/4 > (I've tried 0.99.3 and just uninstalled/re-installed 0.99.4), the > password does not appear

Re: [Wireshark-users] checksum incorrect

2006-11-06 Thread Stephen Fisher
You can turn off the verification of IP, TCP, or UDP checksums in the preferences. On Mon, Nov 06, 2006 at 12:20:41PM +0100, Jaap Keuter wrote: > Hi, > > The answer is staring you in the face: > > ...(maybe caused by checksum offloading?) > > Google for "checksum offloading" and you'll s

Re: [Wireshark-users] (no subject)

2006-11-06 Thread Stephen Fisher
On Mon, Nov 06, 2006 at 02:38:21PM -0800, Bob Carlson wrote: > Has the ability to decode WPA/2 in 802.11 been added to Wireshark yet? > I don't want to go thru the pain of upgrading otherwise. Nope, sorry. Steve

Re: [Wireshark-users] SSL Decryption Issues

2006-11-10 Thread Stephen Fisher
On Mon, Nov 06, 2006 at 11:00:26AM -0600, James Hughes wrote: > Does anyone know why WireShark is loading 443 to HTTP, 636 to LDAP, > 993 to IMAP and 995 to POP? I need 443 associated to something else. This is hard-coded in the source code: From epan/dissectors/packet-ssl.c: ssl_dissector_

Re: [Wireshark-users] Exporting raw packet data?

2006-11-13 Thread Stephen Fisher
On Mon, Nov 13, 2006 at 11:03:19PM -0500, Small, James wrote: > I agree that it would be nice to have something like this for UDP but > that means someone would have to write the dissector/re-assembler. > Probably not an easy task. Feel free to add this to the wish list at http://wiki.wireshar

Re: [Wireshark-users] TCP keep-alives

2006-11-16 Thread Stephen Fisher
On Thu, Nov 16, 2006 at 07:41:41AM -0800, imfaus wrote: > From parsing through the documentation, I didn't see any explanation > on keep-alives or how Wireshark knows the TCP packet is in fact a > "keep-alive" packet. I have a particular capture and I am led to > believe that there might be s

Re: [Wireshark-users] Mac OS X Help

2006-11-23 Thread Stephen Fisher
On Thu, Nov 23, 2006 at 07:00:56PM +, Robert Craig wrote: > I have just installed wireshark on my intel duo MacBook using > DarwinPorts. It starts up fine (as root) but as soon as I click "List > available capture interfaces..." my wireless disconnects and refuses > to reconnect whilst wire

Re: [Wireshark-users] cflow v9 dissector oddity

2006-11-30 Thread Stephen Fisher
On Sun, Nov 26, 2006 at 11:10:05PM -0500, Yann Berthier wrote: > On a capture of netflow v9 traffic from 2 routers, where r1 exports > data flowsets using template id 257 and template flowsets of said id > of 21 fields, and r2 exports a template flowset for id == 257 of 23 > fields, wi

Re: [Wireshark-users] How do you compile a new protocol into Wireshark

2006-12-03 Thread Stephen Fisher
On Sun, Dec 03, 2006 at 11:17:04AM -0600, ALEX BOYDSTON wrote: > I have downloaded cygwin, gtk, glib and I'm still having difficulty > compiling my new protocol into Wireshark. Can you please give me > updated detailed instructions on what is necessary to compile a new > dll plugin for WireSha

Re: [Wireshark-users] Please help

2006-12-05 Thread Stephen Fisher
On Tue, Dec 05, 2006 at 02:04:46PM -0600, Bruno, Pasquale A [CompuCom] wrote: > Our network has HP Laserjet 9000MFP Printers that have a function > called Scan To E-Mail on them. The problem is the Printers keep losing > connection to the SMTP gateway. And then after a while they come back

Re: [Wireshark-users] decoding RTP outside of conversations preference

2006-12-06 Thread Stephen Fisher
On Wed, Dec 06, 2006 at 01:57:40PM -0800, Bill Fassler wrote: > Guy suggested I try turning this preference on (see below), but I > couldn't easily find how to do this. Can someone tell me? I am using > WireShark 0.99.3 (svn Rev 19011) Try going to Edit -> Preferences, then expand the Protoco

Re: [Wireshark-users] Malformed packet when using IPMI RMCP+

2006-12-07 Thread Stephen Fisher
On Thu, Dec 07, 2006 at 10:39:42AM -0600, Kota, Sudhindra wrote: > I am running Wireshark on a Windows 2003 Server (Enterprise > Edition). I have a tool which uses IPMI 2.0 RMCP+ to communicate with > a Baseboard Management Controller (BMC). When I view this in Wireshark > I see lots of "Malf

Re: [Wireshark-users] Malformed packet when using IPMI RMCP+

2006-12-07 Thread Stephen Fisher
On Thu, Dec 07, 2006 at 01:04:58PM -0600, Kota, Sudhindra wrote: > I found this on the Wireshark-dev list. I think it is a patch for > Wireshark. > > http://www.wireshark.org/lists/wireshark-dev/200606/msg01818.html Thanks. The same patches work on Unix as on Windows. That patch must have be

Re: [Wireshark-users] Malformed packet when using IPMI RMCP+

2006-12-08 Thread Stephen Fisher
On Thu, Dec 07, 2006 at 01:10:44PM -0800, Stephen Fisher wrote: > On Thu, Dec 07, 2006 at 01:04:58PM -0600, Kota, Sudhindra wrote: > > > I found this on the Wireshark-dev list. I think it is a patch for > > Wireshark. > > > > http://www.wireshark.org/lists/wire

Re: [Wireshark-users] DNS traffic - newbie question

2006-12-11 Thread Stephen Fisher
On Mon, Dec 11, 2006 at 11:33:14AM -0800, Scott Parkis wrote: > I am looking at my capture. My machine is connected via a switch to the > LAN. I have a ton of standard queries coming from my machine going out > to the LAN. Not sure why, I am not making the DNS request. It does go > to my interna

Re: [Wireshark-users] DNS traffic - newbie question

2006-12-11 Thread Stephen Fisher
I could be wrong, it's been a while since I ran Wireshark without my own preferences :) On Mon, Dec 11, 2006 at 12:29:30PM -1100, Hans Nilsson wrote: > Is that really the default? I thought it was off as default. > > You're probably seeing DNS requests from Wireshark. By default, it > > does

Re: [Wireshark-users] why HTTP PDU is not reassembled

2006-12-15 Thread Stephen Fisher
On Fri, Dec 15, 2006 at 10:09:26PM +0800, Xiaoguang Liu wrote: > in the attachment, frame 7,8,9 should be a single HTTP request. Why > wireshark did not reassemble them? Test on Version 0.99.5-SVN-20139 > (SVN Rev 20139), windows xp sp2. I do enable all reassemble HTTP > options. I believe

Re: [Wireshark-users] cflow v9 dissector oddity

2006-12-20 Thread Stephen Fisher
On Wed, Dec 20, 2006 at 01:23:14AM +0900, Motonori Shindo wrote: > I have addressed this issue. Please find attached the patch against > the current svn repository. > > As per NetFlow V9 protocol, Template ID is guaranteed to be unique per > Observation Domain (identified by Source ID) and the

Re: [Wireshark-users] captured file can not be understood by Tshark

2007-01-02 Thread Stephen Fisher
On Wed, Jan 03, 2007 at 03:25:43PM +0800, joyce wrote: > Thanks for your reply. What the "libpcap-format file header" looks > like? See here: http://wiki.wireshark.org/Development/LibpcapFileFormat Steve

Re: [Wireshark-users] VoIP Calls - Enhancement Request

2007-01-04 Thread Stephen Fisher
On Tue, Jan 02, 2007 at 10:39:35PM -, Keith French wrote: > VoIP calls is excellent for H.323 calls. However, is there any chance > that the start & end times could reflect the current settings in the > main Wireshark display for date & time. > > It currently only displays based on seconds

Re: [Wireshark-users] Analysing MSN traffic

2007-01-07 Thread Stephen Fisher
On Sun, Jan 07, 2007 at 11:39:23PM -, Antonio Cassidy wrote: > Can anyone point me towards some papers which better describe the > processes MSN is making. I'm not familiar with the MSN protocol, but this comment from the source code of the Wireshark dissector may help: /* * The now-expir

Re: [Wireshark-users] MacOS X Package 0.99.4 done

2007-01-08 Thread Stephen Fisher
On Thu, Jan 04, 2007 at 10:55:26PM +0100, Andreas Fink wrote: > The MacOS X Package I built today for Wireshark 0.99.4 under Tiger > 10.4.8 on i386 and ppc are now downloadable on > > http://www.finkconsulting.com/page7.php This is a great effort done. I think it is a good service to the

Re: [Wireshark-users] wireshark throughput calculation

2007-01-08 Thread Stephen Fisher
On Fri, Jan 05, 2007 at 03:26:02PM +0100, To Van Phu wrote: > Can someone explain how Wireshark calculates the throughput displayed > in the TCP Throughput Graph? It's calculated for each packet --> > packet size/ time interval but which time interval does it take to > give the result? > > Is

Re: [Wireshark-users] wireshark throughput calculation

2007-01-08 Thread Stephen Fisher
On Mon, Jan 08, 2007 at 02:03:49PM -0800, Stephen Fisher wrote: > On Fri, Jan 05, 2007 at 03:26:02PM +0100, To Van Phu wrote: > > > > Is it the time elapsed since the previous packet? > > Yes. This is the relevant code from gtk/tcp_graph.c in function > tput_make_elmtl

Re: [Wireshark-users] Analysing MSN traffic

2007-01-08 Thread Stephen Fisher
On Mon, Jan 08, 2007 at 07:29:22PM -, Antonio Cassidy wrote: > By removing the first 105 and last 104 chars we're left with the > content of the text file. I have tried this with other text files and > it's the same number of characters both at the start and at the end. These are probably

Re: [Wireshark-users] TCP out of order segments

2007-01-11 Thread Stephen Fisher
On Thu, Jan 11, 2007 at 03:10:46AM -0500, L SB wrote: > Would asymmetric routing be a problem if the machines exist on the > same subnet? No, since there is no routing going on there. Steve

Re: [Wireshark-users] Appending to the dump file

2007-01-12 Thread Stephen Fisher
On Fri, Jan 12, 2007 at 04:23:25PM -0600, Andrew Chalk wrote: > Every time I open a dump file with > > pcap_dump_open() What is your question? Steve

Re: [Wireshark-users] Wireshark SVN crashes when opening certain kerberos traces

2007-01-17 Thread Stephen Fisher
On Wed, Jan 17, 2007 at 11:12:53AM +0800, Xiaoguang Liu wrote: > Version 0.99.5-SVN-20446 (SVN Rev 20446) > on windows xp sp2 > > please check the trace attached. I can reproduce the crash and am looking into it. Steve

Re: [Wireshark-users] Wireshark SVN crashes when opening certain kerberos traces

2007-01-17 Thread Stephen Fisher
On Wed, Jan 17, 2007 at 02:02:38PM -0800, Stephen Fisher wrote: > On Wed, Jan 17, 2007 at 11:12:53AM +0800, Xiaoguang Liu wrote: > > > Version 0.99.5-SVN-20446 (SVN Rev 20446) > > on windows xp sp2 > > > > please check the trace attached. > > I can reprod

Re: [Wireshark-users] no more new SVN build found at http://www.wireshark.org/download/automated/win32/

2007-01-19 Thread Stephen Fisher
On Thu, Jan 18, 2007 at 07:09:51PM +0800, Xiaoguang Liu wrote: > the latest one on web is still > "wireshark-setup-0.99.5-SVN-20446.exe16-Jan-2007 > > 06:34 15M" This has been fixed. Steve

Re: [Wireshark-users] wireshark SSL traces

2007-01-19 Thread Stephen Fisher
On Fri, Jan 19, 2007 at 04:20:11PM +0530, Tejus AG wrote: > Will wireshark be supporting decoding of TLS ECDHE/ECDH (elliptic > curve diffie hellman) extensions anytime soon ? I don't know of any current plans to do so. You may want to open a bug marked as an enhancement requesting this at ht

Re: [Wireshark-users] OUI Look Up Tool on Wireshark site?

2007-01-21 Thread Stephen Fisher
On Sun, Jan 21, 2007 at 06:30:46PM -0500, Small, James wrote: > Here's another set - I heard that some vendors ask the IEEE not to > publish their blocks but I don't know if that's true... That is true. Wireshark resolves MAC addresses to names using a plain-text file called manuf that is a co

Re: [Wireshark-users] Specify SSL Keys_list to wireshark-0.99.5-SVN-20434

2007-01-21 Thread Stephen Fisher
On Wed, Jan 17, 2007 at 12:59:25PM -0800, Vijay Sitaram wrote: > Looks like you hit the nail right on the head! I ran the configure > command as follows: > > $ ./configure --with-ssl --enable-threads --with-pcre --with-lua > 'CFLAGS=-DHAVE_LUA_5_1' > > However, the output of the configure shows

Re: [Wireshark-users] Decode SSL?

2007-01-22 Thread Stephen Fisher
On Mon, Jan 22, 2007 at 11:41:43AM -0500, [EMAIL PROTECTED] wrote: > Thanks for the reply, Mike. I have been able to bring up the > rsasnakeoil capture file, and my wireshark on Linux build does > recognize and decode the SSL. So I know my build is capable of > decoding SSL. But I don't unde

Re: [Wireshark-users] Using the SSL rsasnakeoil example

2007-01-22 Thread Stephen Fisher
On Mon, Jan 22, 2007 at 12:05:32PM -0500, [EMAIL PROTECTED] wrote: > I'm using "127.0.0.1:443:Z:\Tools\Wiresharkrsasnakeoil2.key" on my > Windows system, but I'm not sure if that is the expected path-to-file > format. You're missing the field that specifies the protocol contained within the ss

Re: [Wireshark-users] How to decode non-standard SSL traffic

2007-01-22 Thread Stephen Fisher
On Mon, Jan 22, 2007 at 02:20:41PM -0500, [EMAIL PROTECTED] wrote: > When I'm decoding a SSL-encrypted HTTP session, the values to put in > 'port' and 'protocol' are obvious. But what about an openssl > s_client/s_server session? I can see that the port is 4433 (which can > be over-ridden).

Re: [Wireshark-users] [ANNOUNCE] WinPcap 4.0 has been released

2007-01-30 Thread Stephen Fisher
On Tue, Jan 30, 2007 at 10:33:51PM -0200, Persio Pucci wrote: > Maybe I am a little late for that, but also, would that be possible to > add IO graphs the possibility to select bits (kbps) to the Y axis? :D > > Hope I am not asking too much... or maybe 0.99.6 ;) > > On 1/30/07, Persio Pucci <[E

Re: [Wireshark-users] WAN Capacity Planning

2007-01-31 Thread Stephen Fisher
On Wed, Jan 31, 2007 at 07:37:10PM -0200, Persio Pucci wrote: > I am troubleshooting some frame-relay circuits, and looking for > evidence that can help me calculate a WAN upgrade on the circuits. > What should I be looking at (retransmissions? delay/delta?) and is > there any general formula

Re: [Wireshark-users] IO Graphs doubling bytes?

2007-01-31 Thread Stephen Fisher
On Wed, Jan 31, 2007 at 04:09:26PM -0200, Persio Pucci wrote: > I am trying to calculate traffic peaks on some of my captures. In one > of them (that one that I converted from Acterna, as a matter of fact), > where on the IO graph it gives me approx. 3750 bytes visually, once I > export to CSV us

Re: [Wireshark-users] V0.99.5 & Coloring Rules

2007-02-03 Thread Stephen Fisher
On Sat, Feb 03, 2007 at 12:02:55PM -, Keith French wrote: > Since upgrading to Wireshark V0.99.5 all captured packets are > displayed in the summary window as white text on a black background, > instead of using my Coloring Rules. > > My Coloring Rules worked fine under V0.99.4. I have trie

Re: [Wireshark-users] Statistics grouped by port?

2007-02-06 Thread Stephen Fisher
On Tue, Feb 06, 2007 at 03:41:08PM -0500, Brad Johnson wrote: > Hello everyone - longtime Ethereal/Wireshark user, first time poster. Welcome to the list! > Wireshark will group packets by "TCP endpoints", in other words > pairings of IP addresses and TCP destination ports. It will tell me > h

Re: [Wireshark-users] Modification request: csv export

2007-02-06 Thread Stephen Fisher
On Tue, Feb 06, 2007 at 08:27:26PM +0100, Joerg Mayer wrote: > I don't think so: If we print the character that is used to separate > the fields inside a field, then we'll either need to allow users to > change the separator or we'll need to surround the whole value by "", > because no importin

Re: [Wireshark-users] Statistics grouped by port?

2007-02-07 Thread Stephen Fisher
On Wed, Feb 07, 2007 at 01:11:44PM -0500, Brad Johnson wrote: > Hopefully it can be a feature request for a future version. The > developers can probably use a variation of the code that does the > Endpoint statistics and add it very easily. Could you go to http://bugs.wireshark.org/ and open a

Re: [Wireshark-users] all UDP packets from localhost have wrong check sum

2007-02-09 Thread Stephen Fisher
On Fri, Feb 09, 2007 at 10:58:52AM +0100, Toralf Förster wrote: > Is there any chance for wireshark to sniff UDP packets with a correct > check sum if the check sum is set in the hardware ? See here for the > issue I had : http://bugzilla.kernel.org/show_bug.cgi?id=7938 I don't know of any way

Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file

2007-02-10 Thread Stephen Fisher
On Wed, Feb 07, 2007 at 01:54:48PM -0600, Frank Bulk wrote: > Anyone reading the last few weeks of postings should be detecting a > recurring theme...people want to extract images and audio with the > correct file headers and names from packet streams that may or may not > be contiguous. I'm w

Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file

2007-02-10 Thread Stephen Fisher
On Sat, Feb 10, 2007 at 08:12:36PM -0600, Frank Bulk wrote: > To be clear, you're not attempting at getting streaming audio or > video, it's just fixed-length files within transfer protocols such FTP > or HTTP, right? Right. Steve

Re: [Wireshark-users] Checksum Display Filters

2007-02-11 Thread Stephen Fisher
On Sun, Feb 11, 2007 at 08:20:00PM -, Keith French wrote: > Is there any difference from a logical point of view when using a > display filter to find packets with bad IP checksums between these two > expressions:- > > ip.checksum_bad == 1 > or > ip.checksum_good == 0 > > As a checksum can

Re: [Wireshark-users] Help on Tshark

2007-02-19 Thread Stephen Fisher
On Wed, Feb 14, 2007 at 02:31:51PM +0800, ARAMBULO, Norman R. wrote: > Right now we are using tshark in capturing packets, some SIP calls > were not displayed properly like the data shows http & etc. > Then we notice that some protocols known to ethereal were not > displayed by wireshark. What c

Re: [Wireshark-users] Filtering Network address

2007-02-19 Thread Stephen Fisher
On Tue, Feb 20, 2007 at 08:20:43AM +0700, Muhammad Ghazali wrote: > How can I filter to capture only packets coming from and going to 1.1.1.1? Using the display filter near the top of the Wireshark window, type in: ip.addr == 1.1.1.1 > I want to measure the response time of a web application and the

Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file

2007-02-20 Thread Stephen Fisher
On Wed, Feb 07, 2007 at 01:54:48PM -0600, Frank Bulk wrote: > Anyone reading the last few weeks of postings should be detecting a > recurring theme...people want to extract images and audio with the > correct file headers and names from packet streams that may or may not > be contiguous. I hav

Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file

2007-02-21 Thread Stephen Fisher
Thanks for everyone's comments so far. I am working on implementing the suggestions. I've started this thread over on the wireshark-dev mailing list for those who want to follow along. It starts here: http://www.wireshark.org/lists/wireshark-dev/200702/msg00648.html Steve

Re: [Wireshark-users] Get rid of LLC

2007-02-23 Thread Stephen Fisher
On Thu, Feb 22, 2007 at 09:07:20PM +0100, Martin Andersson wrote: > I have a Netgear wlan and when capturing on the machine (connected > over the wlan to the Netgear), it constantly receives LLC packets. How > can I capture/filter them out, since they are very annoying. Go to the Analyze menu and

Re: [Wireshark-users] Using multiple files with tshark

2007-02-28 Thread Stephen Fisher
On Wed, Feb 28, 2007 at 05:11:48PM -, McGlinchy, Alistair wrote: > D:\>tshark -b duration:60 -w test.cap -f http > tshark: Multiple capture files requested, but no maximum capture > file size was specified. > At line 1288 of tshark.c there seems that the command validation only >

Re: [Wireshark-users] Question on Internet Performance Troubleshooting

2007-03-02 Thread Stephen Fisher
On Fri, Mar 02, 2007 at 04:24:01PM -0500, Small, James wrote: > One off the wall idea - the site had two T1's (3.0 Mbps) multiplexed > via PPP before. The problems seem to start close to around when they > added a third T1 (again via PPP) for a total of approx 4.5Mbps. Is > there any chance t

Re: [Wireshark-users] Help installing 0.99.5

2007-03-08 Thread Stephen Fisher
On Thu, Mar 08, 2007 at 01:56:23PM -0500, Leonard, Thomas J wrote: > After running I received these errors: > > ts2s141% ./wireshark > 18:37:15 Warn radius: Could not find the radius directory This will go away once you install Wireshark. > (lt-wireshark:18674): GLib-GObject-WARNING

Re: [Wireshark-users] locking up when viewing video captures

2007-03-08 Thread Stephen Fisher
On Thu, Mar 08, 2007 at 09:19:56PM -0500, phat pig wrote: > I have been successful in reassembling image files (gif,jpg) from my > capture files. > > I saw an archived thread where someone was successful in reassembling > videos using the same method. What method are you using? > So far thoug

Re: [Wireshark-users] locking up when viewing video captures

2007-03-08 Thread Stephen Fisher
On Thu, Mar 08, 2007 at 09:35:13PM -0800, Stephen Fisher wrote: > On Thu, Mar 08, 2007 at 09:19:56PM -0500, phat pig wrote: > > > So far though, wireshark is locking up when I click on 'media type'. > > > > Size does not seem to matter. > > >

Re: [Wireshark-users] STOP !!

2007-03-12 Thread Stephen Fisher
This seems to be a problem only with 0.99.5 as the developer versions of 0.99.6 aren't affected. On Mon, Feb 26, 2007 at 09:50:46AM +0200, Mr Chancellor wrote: > I have exactly the same outputs in 2 different machines. The "STOP" popup > sometimes says that it "couldn't get the interfaces list"

Re: [Wireshark-users] Sniffing across 2 network types

2007-03-12 Thread Stephen Fisher
On Mon, Feb 26, 2007 at 10:00:27AM +, Antonio cassidy wrote: > I have a wireless router that serves all the traffic to my house. > Connected to 1 of the Ethernet ports on the router is a linux box. > > Is it possible to sniff the traffic on the network (wireless clients) > using this wire

Re: [Wireshark-users] Using multiple files with tshark

2007-03-12 Thread Stephen Fisher
On Thu, Mar 01, 2007 at 12:38:01PM -, McGlinchy, Alistair wrote: > While you are there, could you cast your eyes over this extension to > your fix to allow for the "files:value" criteria too. This works but > requires multiple uses of the -b flag (rather than the -b and -a > flags). > >

Re: [Wireshark-users] bandwidth measurement

2007-03-12 Thread Stephen Fisher
On Thu, Mar 01, 2007 at 03:50:38PM -0800, Chet Seligman wrote: > I have two primary applications, Lotus Notes and JD Edwards, and > several others. I would like to measure the bandwidth of each. How > would I do it? Try the Statistics -> IO Graphs and enter a display filter for your applicatio

Re: [Wireshark-users] Question on InternetPerformanceTroubleshooting

2007-03-12 Thread Stephen Fisher
On Fri, Mar 02, 2007 at 05:01:09PM -0500, Small, James wrote: > I believe the 3 T1s are multiplexed using multilink PPP using an Adtran > router if I remember correctly. > > Is there any way to tell if this PPP bundle is causing out of order > packets or other issues? Not really that I know of.

Re: [Wireshark-users] Need some troubleshooting tips

2007-03-12 Thread Stephen Fisher
On Sun, Mar 04, 2007 at 11:39:18AM -0800, Alan D. wrote: > Months later I finally realized that I was actually having lag spikes > in other games, the only difference was those games didn't completely > freeze me in place when a lag spike would occur. Using Wireshark I > discovered that what

Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

2007-03-13 Thread Stephen Fisher
On Tue, Mar 13, 2007 at 02:12:51PM -0400, Small, James wrote: > I am dealing with packets that are modified by a vendor device. The > packets are standard Ethernet frames with IP. Once the frames/packets > traverse the Vendor device, a new proprietary header is inserted > between the Ethernet

Re: [Wireshark-users] How to use Wireshark's log files to show data in HTML format

2007-03-15 Thread Stephen Fisher
On Thu, Mar 15, 2007 at 09:52:56AM +0530, Abhishek Chavan wrote: > Can somebody tell me how to use the saved log files of wireshark to > view data in graphical format in html format? What log files of Wireshark are you referring to? Steve

Re: [Wireshark-users] unreadablity due to poor use of colours (Win32)

2007-03-15 Thread Stephen Fisher
On Fri, Mar 16, 2007 at 12:02:10AM +1100, Louis Solomon [SteelBytes] wrote: > just downloaded and installed latest release (0.99.5) on a w2k3 box > that I remotely admin (via RDC). can't use it though, as the latest > edition (unlike previous ver of wireshark that I had on same machine) > has r

Re: [Wireshark-users] How to know how much data transferred

2007-03-18 Thread Stephen Fisher
On Mon, Mar 19, 2007 at 10:27:13AM +0530, Abhishek Chavan wrote: > Can somebody tell me how I can find out how much data in bytes or > kilobytes and not in terms of packets and frames is getting > transferred and to see it in as an output Try Statistics -> Summary. Steve

Re: [Wireshark-users] How to know how much data transferred

2007-03-19 Thread Stephen Fisher
On Mon, Mar 19, 2007 at 12:27:17PM +0530, Abhishek Chavan wrote: > ya it can be seen in that but i need to show in a proper format any > idea? What format do you need? Steve

Re: [Wireshark-users] Support for Microsoft LLTD Protocol

2007-03-20 Thread Stephen Fisher
On Tue, Mar 20, 2007 at 06:08:23PM +0530, Manish Rajpal wrote: > I would like to know if there is a version of wireshark that supports > the Microsoft's Link Layer Topology Discovery (LLTD) protocol. Wireshark doesn't appear to support it at this time (I checked Help -> Supported Protocols). D

Re: [Wireshark-users] Wireshark sudo

2007-04-03 Thread Stephen Fisher
On Tue, Apr 03, 2007 at 02:35:49PM +, [EMAIL PROTECTED] wrote: > I've tried changing the umask under which the script to launch > wireshark runs, but that gets ignored. So maybe it is Wireshark itself > (rather than the shell) setting the permissions of saved files? Yes, Wireshark sets the

Re: [Wireshark-users] Decoding AOL Email Packets

2007-04-13 Thread Stephen Fisher
On Fri, Apr 13, 2007 at 03:36:50PM -0400, John Dowse wrote: > I have the captured packet and can decode them as smtp packets or AIM. > I can see the routing information and the subject line, but the > message body is not legible. How do I decode the actual message > itself? Any help would be gr

Re: [Wireshark-users] How to propose a new feature?

2007-04-14 Thread Stephen Fisher
On Fri, Apr 13, 2007 at 05:21:21PM +0200, Michael Roth wrote: > I can't find any way on www.wireshark.org to propose a new feature - > how is this done? > I wanted to propose a programming API, e.g. a DLL version of > tshark.exe which you could load once and then call on a per frame > basis to
