[Wireshark-dev] Wireshark newbee

2011-10-24 Thread vijay
Hi,

I am looking for some information on how Wireshark uses libpcap to capture
the packets and dissects them, i.e., the complete process from
packet capture from the network to displaying to the user. I searched for
such a resource for some time now but couldn't find one. If someone knows of
such material, could you pls provide me the link.

Thanks,
Vijay
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

[Wireshark-dev] support for Bluetooth protocol live capture

2011-10-27 Thread vijay
Can anyone tell me if wireshark supports live capture of bluetooth traffic?
Wireshark wiki says
libpcap supports live capture of bluetooth packets, and Wireshark can read pcap
files containing bluetooth traffic.
But wireshark cannot capture bluetooth traffic. I do not understand why it is
so. Won't the above 2 features be
sufficient for live capture?

My computer doesn't have bluetooth support so I couldn't test the Bluetooth
traffic with wireshark.

Thanks,
Vijay

Re: [Wireshark-dev] Affix bluetooth stack

2011-10-31 Thread vijay
Hi Tyson,

  I need to do a live capture on Bluetooth traffic. Does wireshark support
capture with the BlueZ stack in linux?

Vijay

On Mon, Oct 31, 2011 at 3:10 AM, Tyson Key tyson@gmail.com wrote:

 Hi Vijay,

 There's no need to install Affix under KUbuntu (although installing other
 stuff from the repositories related to Bluetooth wouldn't hurt). Just
 enable Bluetooth connectivity as normal, and connect your adapter if
 necessary.

 Tyson.

 On 31 October 2011 08:03, vijay vijay.prasa...@gmail.com wrote:

 Hi,

 I'm not sure if this is the correct forum to post this, but could someone
 tell me if it is possible to install the affix bluetooth stack in kubuntu?
 Currently the BlueZ bluetooth stack is installed and wireshark requires the Affix
 stack for live capture of bluetooth traffic.

 The affix website says that it can be installed in a kernel with version
 2.6.x or higher, and the version of the kernel I have installed is 3.0.X.
 Now can I install the affix stack in my OS? Or does Affix not support Kubuntu?

 Thanks



[Wireshark-dev] Issue with building wireshark from source

2011-10-31 Thread vijay
I have installed all the dependent packages - gtk3.1 , glib, pango atk and
all the required packages.
Now when I run ./configure in wireshark build I get the following error:

checking for GTK+ - version >= 2.4.0... no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
configure: error: GTK+ 2.4 or later isn't available, so Wireshark can't be compiled

I have the latest version of GTK+ installed. Could someone please tell me
what the issue is here?

When I searched for a solution, many were suggesting the gtk-dev package.
I am using 64bit ubuntu and I could not find a suitable GTK devel package.

Can someone tell me where I can find the package?

Thanks
Vijay

[Wireshark-dev] Wireshark support for TinyOS packet format

2011-11-10 Thread vijay
Hi,

Could someone tell me if wireshark can analyze packets from a TelosB mote
(802.15.4 traffic) that uses TinyOS?
Existing information is pretty old and says that the tinyos packet format is
different from what Wireshark expects.
I was wondering if newer versions of wireshark have the ability to analyze
TinyOS packets?

Thanks
Vijay

Re: [Wireshark-dev] Wireshark support for TinyOS packet format

2011-11-10 Thread vijay
BUMP. Any pointer would be really helpful

thanks


On Thu, Nov 10, 2011 at 1:34 PM, vijay vijay.prasa...@gmail.com wrote:

 Hi,

 Could someone tell me if wireshark can analyze packets from a TelosB mote
 (802.15.4 traffic) that uses TinyOS?
 Existing information is pretty old and says that the tinyos packet format is
 different from what Wireshark expects.
 I was wondering if newer versions of wireshark have the ability to analyze
 TinyOS packets?

 Thanks
 Vijay




Re: [Wireshark-dev] Wireshark support for TinyOS packet format

2011-11-13 Thread vijay
Thanks for the response, I do not have a pcap file.

You are right, tinyos ships with a plugin for wireshark, so I guess I will
build a wireshark with the plugin and update the thread how everything goes.

Thank you

On Fri, Nov 11, 2011 at 8:32 PM, Sam Roberts vieuxt...@gmail.com wrote:

  On Thu, Nov 10, 2011 at 1:34 PM, vijay vijay.prasa...@gmail.com wrote:
 
  Hi,
  Could someone tell me if wireshark can analyze packets from a TelosB mote
  (802.15.4 traffic) that uses TinyOS?

 Can you post a PCAP? Can you say what the protocols used are? Did you
 try to use wireshark, and if you did, what happened?

 Wireshark has 15.4 support, and I've heard rumours tinyos supports
 6lowpan, but it probably supports other stuff, too, and since this
 isn't a good place to find TinyOS experts, you might want to provide
 more information.

 Sam

[Wireshark-dev] Wireshark build crashes on startup

2011-11-13 Thread vijay
Hi,

I built Wireshark 1.6.3 from source. It went successfully without any
issue. But when I ran it using the
command ./wireshark, it crashed with the following error:

--

(lt-wireshark:2564): GLib-GObject-WARNING **: invalid cast from
`GtkMenuItem' to `GtkMenu'

(lt-wireshark:2564): Gtk-CRITICAL **: gtk_menu_get_attach_widget: assertion
`GTK_IS_MENU (menu)' failed

(lt-wireshark:2564): Gtk-CRITICAL **: gtk_widget_set_sensitive: assertion
`GTK_IS_WIDGET (widget)' failed

GLib-ERROR **: The thread system is not yet initialized.
aborting...
Aborted (core dumped)

-

I looked for solutions in the wireshark mailing list and found this Bug
3969: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3969
But based on the error output I think the issue is different from the above
one.

I have the following configuration:

glib-2.0   2.12.11
gtk+2.0  2.10.11

I did

./configure --prefix=/usr \
--sysconfdir=/etc \
--enable-threads

I have enabled threads during the build, but I still got the same error.

Thanks

Re: [Wireshark-dev] Wireshark build crashes on startup

2011-11-13 Thread vijay
forgot this:

I am using Linux Xubuntu, with kernel version: 2.6.20-15-generic


On Sun, Nov 13, 2011 at 12:26 PM, vijay vijay.prasa...@gmail.com wrote:

 Hi,

 I built Wireshark 1.6.3 from source. It went successfully without any
 issue. But when I ran it using the
 command ./wireshark, it crashed with the following error:


 --

 (lt-wireshark:2564): GLib-GObject-WARNING **: invalid cast from
 `GtkMenuItem' to `GtkMenu'

 (lt-wireshark:2564): Gtk-CRITICAL **: gtk_menu_get_attach_widget:
 assertion `GTK_IS_MENU (menu)' failed

 (lt-wireshark:2564): Gtk-CRITICAL **: gtk_widget_set_sensitive: assertion
 `GTK_IS_WIDGET (widget)' failed

 GLib-ERROR **: The thread system is not yet initialized.
 aborting...
 Aborted (core dumped)


 -

 I looked for solutions in the wireshark mailing list and found this Bug
 3969: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3969
 But based on the error output I think the issue is different from the
 above one.

 I have the following configuration:

 glib-2.0   2.12.11
 gtk+2.0  2.10.11

 I did

 ./configure --prefix=/usr \
 --sysconfdir=/etc \
 --enable-threads

 I have enabled threads during the build, but I still got the same error.

 Thanks



Re: [Wireshark-dev] Building wireshark 1.6.3 (SVN Rev 39702 from /trunk-1.6) gives GLib-ERROR **: The thread system is not yet initialized.

2011-11-14 Thread vijay
Hi,

I had the same issue, I solved it by using GLib 2.28.

Thanks
Vijay


On Mon, Nov 14, 2011 at 10:02 AM, Anders Broman
anders.bro...@ericsson.com wrote:

 Hi,
 Putting Reply-ASAP in the Subject row is not really useful :-(

 I suspect this is related to http://wiki.wireshark.org/Development/Roadmap

 Rev 38045 http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=revrevision=38045,
 Rev 38046 http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=revrevision=38046 -
 Bug 6540 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6540 - Don't
 use g_mutex without having threads.

 Try applying those two patches.

 Using a more modern GTK than GTK+ 2.10.4, with GLib 2.12.3 may also help.

 Best regards

 Anders


  --
 *From:* wireshark-dev-boun...@wireshark.org [mailto:
 wireshark-dev-boun...@wireshark.org] *On Behalf Of *Krishnamurthy Mayya
 *Sent:* den 14 november 2011 06:39
 *To:* Developer support list for Wireshark
 *Subject:* [Wireshark-dev] Reply-ASAP

 Hi all,
  Even though i have been able to compile the code successfully, when
 trying to run wireshark ( ./wireshark ) I am getting the following errors.
 How should i fix this.

 *GLib-ERROR **: The thread system is not yet initialized.
 aborting...
 Trace/breakpoint trap
 *
 The build information is mentioned below:

 *wireshark 1.6.3 (SVN Rev 39702 from /trunk-1.6)

 Copyright 1998-2011 Gerald Combs ger...@wireshark.org and contributors.
 This is free software; see the source for copying conditions. There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 Compiled (32-bit) with GTK+ 2.10.4, with GLib 2.12.3, with libpcap 0.9.4,
 with
 libz 1.2.3, without POSIX capabilities, without libpcre, without SMI,
 without
 c-ares, without ADNS, without Lua, without Python, with GnuTLS 1.4.1, with
 Gcrypt 1.4.4, without Kerberos, without GeoIP, without PortAudio, without
 AirPcap.
 NOTE: this build doesn't support the matches operator for Wireshark
 filter
 syntax.

 Running on Linux 2.6.27.21-ZebOS782, with libpcap version 0.9.4, with libz
 1.2.3, GnuTLS 1.4.1, Gcrypt 1.4.4.

 Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-51).
 *
 Thanks and regards
 Krishnamurthy Mayya




[Wireshark-dev] real time capture with a different application

2011-11-25 Thread vijay
hi,

I'm trying to do a live capture of 802.15.4 tinyos traffic using
wireshark/tshark. I use another application which captures the traffic and
writes to a file.
I used a pipe to display the traffic on tshark. It did display the traffic
but stopped after displaying the capture file. Now, I will write new
captures as they come.
So is there an option to tell tshark/wireshark to listen on the pipe
continuously and display the capture as it gets written to the pipe?

Thanks
Vijay

Re: [Wireshark-dev] real time capture with a different application

2011-11-28 Thread vijay
Hi,

@Steve Karg

Thanks for your response. What I have done is very similar to yours, but I'm
using an 802.15.4 header.
My application continuously streams received packets into a file while a
tail -f command is used to
pump the new contents from the file into a pipe which tshark/wireshark
listens on.


Tshark displayed the packets correctly in real time, but wireshark throws a
packet format error.
Since Tshark is correctly dissecting the packets, I'm pretty sure the packet
format I'm writing is correct.
I came across this post about a bug in wireshark related to this,
http://wiki.wireshark.org/CaptureSetup/Pipes (search for bug)

Could someone tell me if wireshark still has the issue? If so, could it be
that I'm also having the same thing?

Thanks



On Sat, Nov 26, 2011 at 11:47 PM, Sam Roberts vieuxt...@gmail.com wrote:

 On Fri, Nov 25, 2011 at 9:51 PM, vijay vijay.prasa...@gmail.com wrote:
  I'm trying to do a live capture of 802.15.4 tinyos traffic using
  wireshark/tshark. I use another application which captures the traffic and
  writes to a file.

 Search the list archive for a message with subject How to send bytes
 to wireshark on runtime, I had to do the same with zbee traffic.

 Sam

[Wireshark-dev] using named pipes in 1.7.0 dev build

2011-12-01 Thread vijay
hi,

I am using wireshark 1.7 dev build and I want to capture from a named pipe.
Earlier versions had an option to type the pipe name in
the box next to Capture interface from the Capture options. But 1.7 doesn't
have this and it just lists the interfaces to capture from (which
doesn't have the pipe name).

I tried to start wireshark with the command line option -i pipe name but it
didn't listen to the pipe, but just went to the regular start up mode where
we can select the interfaces.

Could someone pls tell me how to capture from a pipe in wireshark 1.7.0?

Thanks
Vijay

[Wireshark-dev] capture from multiple interfaces / dumpcap usage alert in wireshark 1.7.0

2012-01-09 Thread vijay
Hi,

I need to capture from multiple interfaces simultaneously. Wireshark
captures from a pipe and eth1 separately but when I try them
together using *wireshark -k -i /tmp/pipe -i eth1* it displays some
dumpcap usage error.

unknown message, try to show it as a string: /usr/local/bin/dumpcap :
invalid option --t

I am using wireshark 1.7.0 dev version. Could someone pls tell me where I am
going wrong? Also pls confirm if I have the command options for
capture from multiple interfaces correct (*wireshark -k -i /tmp/pipe -i eth1*).

Thanks
Vijay

Re: [Wireshark-dev] Merging capture files of different link layer type

2012-01-29 Thread vijay
Thanks a lot. The command line tool works,
but is it possible to merge the pcapng files from the GNU *merge* option
under File tab??

On Sun, Jan 29, 2012 at 6:52 PM, Jose Pedro Oliveira j...@di.uminho.pt wrote:

 On 2012-01-30 00:20, vijay wrote:
  Hi,
 
  My problem is to merge two files of different link layer types.
 
  I tried merging 2 pcap files of same link type into a pcap file and
  it succeeded.
  But when I try to merge 2 pcapng files of same link type into a pcapng
  file I get the error *Wireshark can't save this capture in that format.*
 
  Could someone please tell why the above error occurs? Also does
  mergecap have support for the pcapng file format?

 You need to manually specify an encapsulation type. See:
 http://wiki.wireshark.org/Development/PcapNg#Merging_pcapng_files

 jpo
 --
 José Pedro Oliveira
 * mailto:j...@di.uminho.pt *

[Wireshark-dev] Sample Captures from wireshark repository

2012-02-16 Thread vijay
Hi,

I downloaded some captures from the Sample Captures page and tried reading them
in wireshark through a pipe.
It reported invalid libpcap format error. But when I directly open the
file using wireshark it reads fine. I don't
understand why this happens. Isn't the file having the global header?

I tried to do the same thing with my own capture file. This time it worked
in both these methods. Could someone
pls tell me why it is?

Thanks
Vijay

Re: [Wireshark-dev] Sample Captures from wireshark repository

2012-02-16 Thread vijay
Thanks for the response. Yeah, I got it wrong, it was "Unrecognized libpcap
format". The file I downloaded has a .cap extension which I believe is not
pcap format. And since I am capturing in pcap format (not pcapng) it is
working fine with pipes.

Thanks again.

On Thu, Feb 16, 2012 at 11:29 PM, Guy Harris g...@alum.mit.edu wrote:


 On Feb 16, 2012, at 8:16 PM, vijay wrote:

  I downloaded some captures from the Sample Captures page and tried reading
  them in wireshark through a pipe.
  It reported invalid libpcap format error.

 I don't see invalid libpcap format anywhere in the Wireshark 1.6.x
 source; that is probably *NOT* the exact error it gave.  If you mean
 Unrecognized libpcap format, that's an error that means the capture file
 is *NOT* a libpcap capture; the *ONLY* files you can capture through a pipe
 are pcap files.

 Are they, in fact, libpcap captures?

  But when I directly open the file using wireshark it reads fine. I don't
  understand why this happens.

 Wireshark can read a number of capture file formats other than pcap
 format; the other formats can only be read, not captured through a pipe.

  Isn't the file having the global header?

 My guess is that the header it has is the header for some format *other*
 than pcap format.

  I tried to do the same thing with my own capture file. This time it
  worked in both these methods. Could someone
  pls tell me why it is?

 Probably because your own capture file *is* a pcap file.
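
The pcap framing behind both this reply and the earlier "real time capture with a different application" thread, as an added example that is not code from the thread or from Wireshark: a feeder writes one 24-byte global header and then one 16-byte record header per packet, and a reader can tell a pcap stream from pcapng or another format by its leading bytes, whatever the file name extension is. The function names, link type 195 for 802.15.4 and all sample bytes are assumptions constructed for the example.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # libpcap variant with nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A  # pcapng Section Header Block (same in both byte orders)
LINKTYPE_IEEE802_15_4 = 195   # assumed link type for the 802.15.4 feeder in this example
GLOBAL_HDR = "IHHiIII"        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"           # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(linktype, snaplen=65535):
    """24-byte file header; a feeder writes it once, before the first packet."""
    return struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    """16-byte per-packet header followed by the captured bytes."""
    return struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(frame), len(frame)) + frame


def classify(data):
    """Identify a capture stream from its leading bytes, ignoring any file name."""
    if len(data) < 4:
        return "unknown", {}
    if struct.unpack("<I", data[:4])[0] == PCAPNG_SHB_TYPE:
        return "pcapng", {}
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            if len(data) < 24:
                return "pcap", {"endian": endian, "truncated": True}
            _, major, minor, _, _, snaplen, linktype = struct.unpack(
                endian + GLOBAL_HDR, data[:24])
            return "pcap", {"endian": endian, "version": (major, minor),
                            "snaplen": snaplen, "linktype": linktype}
    return "unknown", {}


def split_records(stream):
    """Return (frames, leftover_byte_count) for a pcap byte stream.

    A reader on a pipe can see a record that the feeder has only partly
    written; such a tail is counted as leftover instead of being parsed.
    """
    kind, info = classify(stream)
    if kind != "pcap" or info.get("truncated"):
        raise ValueError("not a complete pcap header: " + kind)
    offset, frames = 24, []
    while offset + 16 <= len(stream):
        incl_len = struct.unpack(info["endian"] + RECORD_HDR,
                                 stream[offset:offset + 16])[2]
        end = offset + 16 + incl_len
        if end > len(stream):
            break  # record header present, packet bytes not all there yet
        frames.append(stream[offset + 16:end])
        offset = end
    return frames, len(stream) - offset


if __name__ == "__main__":
    # Constructed placeholder bytes, not real 802.15.4 frames.
    frame_a = bytes(range(12))
    frame_b = bytes(range(20))
    stream = (pcap_global_header(LINKTYPE_IEEE802_15_4)
              + pcap_record(1, 0, frame_a)
              + pcap_record(1, 500, frame_b)[:20])  # second record cut short
    print(classify(stream))
    print(split_records(stream))
    print(classify(b"NOTPCAP!" + bytes(16)))  # constructed non-pcap header
```
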

[Wireshark-dev] Custom function undefined error

2012-02-26 Thread vijay
Hi,

I'm writing a function in the wiretap/pcapng.c file which should be accessible from
dumpcap.c. I have defined it in the pcapng.h header file and
also included the header #include wiretap/pcapng.h inside dumpcap.c. But
the build still fails in dumpcap.c with an error that the function is undefined.

Is there anything that should be done to make my function accessible inside
dumpcap.c?

Thanks
Vijay

Re: [Wireshark-dev] Custom function undefined error

2012-02-26 Thread vijay
yeah, it works. thanks a lot

On Mon, Feb 27, 2012 at 12:44 AM, Guy Harris g...@alum.mit.edu wrote:


 On Feb 26, 2012, at 10:34 PM, vijay wrote:

  I'm writing a function in the wiretap/pcapng.c file which should be accessible
  from dumpcap.c. I have defined it in the pcapng.h header file and
  also included the header #include wiretap/pcapng.h inside dumpcap.c.
  But the build still fails in dumpcap.c with an error that the function is
  undefined.
 
  Is there anything that should be done to make my function accessible inside
  dumpcap.c?

 Yes.

 Put it in pcapio.c, not in wiretap/pcapng.c; dumpcap isn't, and won't be,
 linked with Wiretap.

[Wireshark-dev] Err when using a pipe

2012-03-02 Thread vijay
Hi,

I start wireshark from the command line: sudo ./wireshark -k -i /tmp/pipe

I have a capture dump in libpcap format which I write into the pipe
(/tmp/pipe) after starting wireshark. Every time I do this wireshark
displays the contents of the file but at the end it shows a segmentation
fault. The capture file is from my previous run of wireshark saved in
libpcap format.

Wireshark works perfectly with the same file when opened through the GUI. I am
using wireshark 1.6.5 on linux. Could someone pls tell me
why this behavior occurs?

Thanks
Vijay

[Wireshark-dev] Wireshark 1.6.5 : No packet colorization not available

2012-03-03 Thread vijay
Hi,

I am using Wireshark 1.6.5 in Ubuntu. Packet colorization is not available
when I start Wireshark from the command line with the interface
specified and along with option K.
./wireshark -k -i eth3

But if I select the interface from the GUI, packet colorization is
available.
./wireshark
then the interface is selected from the list in GUI.

I could go and manually set the color for a specific packet based on the
protocol, but the default colorization does not occur. I checked if packet
colorization is disabled but it is ON. Could someone please tell me what's
happening here? Is there any option that needs to be specified in the
command line to have the packets colors?

Re: [Wireshark-dev] Err when using a pipe

2012-03-04 Thread vijay
I dug in a bit further and found where the SIGSEGV is signaled. It's coming
from the p_stats(). Here is what I got in gdb:

[New Thread 0xb78acb70 (LWP 3668)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb78acb70 (LWP 3668)]
0x00f6f433 in pcap_stats () from /usr/lib/libpcap.so.0.8

Looks like the seg-fault is thrown by libpcap.

Has anyone else experienced a similar thing while using Wireshark 1.6.5
(I'm running it in Ubuntu on VirtualBox)?
I got this when I start wireshark from the command line through:
*./wireshark -k -i /tmp/pipe*

It waits for any input from the pipe and when I did cat capturefile.pcap >
/tmp/pipe, wireshark displayed the contents partially (97 pckts out of 110)
and crashed with *Segmentation fault*.





On Fri, Mar 2, 2012 at 7:33 PM, vijay vijay.prasa...@gmail.com wrote:

 Hi,

 I start wireshark from the command line: sudo ./wireshark -k -i /tmp/pipe

 I have a capture dump in libpcap format which I write into the pipe
 (/tmp/pipe) after starting wireshark. Every time I do this wireshark
 displays the contents of the file but at the end it shows a segmentation
 fault. The capture file is from my previous run of wireshark saved in
 libpcap format.

 Wireshark works perfectly with the same file when opened through the GUI. I am
 using wireshark 1.6.5 on linux. Could someone pls tell me
 why this behavior occurs?

 Thanks
 Vijay


Re: [Wireshark-dev] Err when using a pipe

2012-03-04 Thread vijay
This is from dumpcap. Here is the complete stack. It is occurring *while
writing the IDB*

#0  0x00ac7433 in pcap_stats () from /usr/lib/libpcap.so.0.8
#1  0x080513de in libpcap_write_interface_statistics_block (fp=0x805af70, interface_id=0, pd=0x0, bytes_written=0x80572fc, err=0xbfffd2a8) at pcapio.c:472
#2  0x080501c8 in capture_loop_close_output (stats_known=<value optimized out>, stats=<value optimized out>, capture_opts=<value optimized out>) at dumpcap.c:2467
#3  capture_loop_start (stats_known=<value optimized out>, stats=<value optimized out>, capture_opts=<value optimized out>) at dumpcap.c:3127
#4  0x08051224 in main (argc=<value optimized out>, argv=<value optimized out>) at dumpcap.c:3916

And one more important thing I could figure out is that this segmentation
fault occurs only when *wireshark is capturing in PCAPNG format*.
*I changed the capture format to LIBPCAP and it worked fine*.

The wireshark wiki says that the capture file being used with a pipe should
be in LIBPCAP format and *my capture file is in LIBPCAP* only. Only the
wireshark capture format is PCAPNG.


On Sun, Mar 4, 2012 at 3:27 PM, Guy Harris g...@alum.mit.edu wrote:


 On Mar 4, 2012, at 2:23 AM, vijay wrote:

  I dug in a bit further and found where the SIGSEGV is signaled. It's
  coming from the p_stats(). Here is what I got in gdb:
 
  [New Thread 0xb78acb70 (LWP 3668)]
 
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xb78acb70 (LWP 3668)]
  0x00f6f433 in pcap_stats () from /usr/lib/libpcap.so.0.8

 Is this in Wireshark or in dumpcap?  The only code I can find in the top
 of the 1.6 branch that calls pcap_stats() is in dumpcap.

 And what's the full stack trace?

Re: [Wireshark-dev] Err when using a pipe

2012-03-05 Thread vijay
Is it possible to tell how much longer it would be before Wireshark 1.6.6 is
released?

On Mon, Mar 5, 2012 at 1:31 AM, Guy Harris g...@alum.mit.edu wrote:


 On Mar 4, 2012, at 8:24 PM, Jeff Morriss wrote:

  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5939
 
  It's scheduled to be fixed in 1.6.6.

 ...and I backported the relevant part (a tiny fraction of the change
 responsible for fixing it in the trunk; that change added a bunch of new
 functionality, so it's not appropriate for the 1.6 branch in its entirety)
 to 1.6 and checked it in.

 I've also scheduled that change for the 1.4 branch.


[Wireshark-dev] Wireshark with TelosB motes

2012-03-24 Thread vijay
Hi,

  I want to capture IEEE 802.15.4 traffic from a TelosB mote (a sensor node
which has a serial interface). Currently I have written a separate
application that will grab the packets from the serial interface and pass
them on to Wireshark in Libpcap format. My question is why is Wireshark
not able to capture from a TelosB mote by itself. Does Libpcap have no
support to capture from a TelosB mote?

Thanks
Vijay

[Wireshark-dev] TCP error not visible in linux

2012-03-28 Thread vijay
Hi,

I have Wireshark 1.6.5 installed in Windows (host OS) and ubuntu (guest OS
through VirtualBox). When I run wireshark simultaneously on
both the platforms the Windows version reports TCP errors like (lost
segment/out of order/ack for lost segment and so on). But the linux version
doesn't report any such error. Is there any configuration that is missing on
my linux version?

Also the linux version doesn't give colors to packets based on the protocol,
but the windows version does. I have enabled the packet colorization
setting in both. Any idea what's wrong here?

Thanks
Vijay

[Wireshark-dev] CSMA backoff time

2012-04-03 Thread vijay
Hi,

Does Wireshark provide a way to see the total time it took to send a packet,
i.e. the total backoff time?

Thanks
Vijay

[Wireshark-dev] dissector plugin

2012-04-09 Thread vijay
Hello,

I am trying to write a plugin dissector for TinyOS packets. I have a couple
of questions about it:

It is a network layer protocol with a simple structure: AM_type, payload.

The dissector samples have a port number field to associate the dissector
with the incoming packets. Now Wireshark cannot grab these packets directly,
but I am sending these packets to Wireshark over a pipe. What value
should I give for the port number, and how does Wireshark know when to use
this dissector, since there is no port number field in my packet?

PS: This is a dissector for a network layer packet in the IEEE 802.15.4 stack.

Complete frame format: FCS | Seq# | Addressing Info | *AM_type | Payload* | CRC


Thanks,
Vijay

[Wireshark-dev] Reassembly problem with ipv6-in-ipv6 fragmented traffic (both ipv6 headers are fragmented).

2011-01-31 Thread vijay mohan
Hi,
Wireshark is not properly reassembling the packets with an ipv6-in-ipv6
header when both the ipv6 headers are fragmented.
I have attached two capture files: one with inner fragmented packets
(this is working fine), the other with both the headers fragmented (this is
not working).

Thanks,
Vijay


inner_ipv6_fragmented.pcap
Description: Binary data


both_ipv6_fragmented.pcap
Description: Binary data

Re: [Wireshark-dev] Reassembly problem with ipv6-in-ipv6 fragmented traffic (both ipv6 headers are fragmented).

2011-01-31 Thread vijay mohan
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5638

On Mon, Jan 31, 2011 at 10:07 PM, Stephen Fisher
st...@stephen-fisher.com wrote:

 On Mon, Jan 31, 2011 at 02:27:46PM +0530, vijay mohan wrote:

  wireshark is not properly reassembling the packets with ipv6-in-ipv6
  header when both the ipv6 headers are fragmented.
  I have attached the two capture files one with inner fragmented packets
  (this is working fine) the other with both the headers fragmented (this is
  not working).

 Thanks for your report.  Please open a bug report for this and attach
 the sample capture files you provided at https://bugs.wireshark.org so
 we don't forget about this issue.  Thanks!


Re: [Wireshark-dev] SCTP De-chunking support

2013-01-10 Thread vineeth vijay
Hi,

Yes, highlighting would work too. Ultimately the application info
corresponding to display filter should be visible easily without the need
to scroll through the entire frame. Any suggestions on how to achieve this?
I think a GUI coloring implementation would paint the entire frame with the
same color, wouldn't it?

Vineeth

On Fri, Jan 11, 2013 at 1:44 AM, Michael Tuexen 
michael.tue...@lurchi.franken.de wrote:


 On Jan 10, 2013, at 8:49 PM, vineeth vijay wrote:

  Hi,
 
   Dissection is fine. What I was wondering is whether it is possible to
 show these individual data chunks as separate frames themselves.
  But they are in the same frame. I really prefer not to show them in a
 way they
  have not been on the wire.
 
  Basically agreed on the above point.  Changing the default behavior may
 not be good due to all the copied lower layer bytes and resulting increase
 in the size of capture in case there are 4-5 chunks per packet. But still
 feel it would be a nice optional feature to have when doing actual offline
 analysis.
 I do understand that it is sometimes hard to find the application layer
 packet when using display
 filters and there are multiple application layer packets bundled in a
 single frame. I also have
 traces with a large number of bundled chunks.
 
   Hence, when i apply display filter ,  only the chunks with  exact
 matches should be visible. Is this supported currently?
  No. Filtering is based on packets. Not sure how to improve that. We
 can't show 'half' of a packet.
  However, there might be ways to draw your attention to the upper layer
 packet which matches the
  filter.
  Regarding above point, would like to suggest that the packet information
 being displayed can be restricted to the PDU which actually matches the
 display filter. E.g out of an SCTP packet carrying 3-4 M3UA chunks, the
 pinfo of only the  chunk matching the filter can be displayed?
 Thinking about this... What about displaying only the frames, which match
 a display filter (like today).
 However, it might be helpful to highlight that part (like the M3UA packet)
 which matches the display filter.
 This should allow to find the upper layer packet pretty fast. What do you
 think?

 Best regards
 Michael
 
  Vineeth
 
  On Fri, Jan 11, 2013 at 12:54 AM, Michael Tuexen 
 michael.tue...@lurchi.franken.de wrote:
  On Jan 10, 2013, at 5:31 PM, vineeth vijay wrote:
 
   Hi,
  
   Dissection is fine. What I was wondering is whether it is possible to
 show these individual data chunks as separate frames themselves.
  But they are in the same frame. I really prefer not to show them in a
 way they
  have not been on the wire.
   Hence, when i apply display filter ,  only the chunks with  exact
 matches should be visible. Is this supported currently?
  No. Filtering is based on packets. Not sure how to improve that. We
 can't show 'half' of a packet.
  However, there might be ways to draw your attention to the upper layer
 packet which matches the
  filter.
 
  Best regards
  Michael
   Currently , i use the below tool for this purpose:
   http://frox25.no-ip.org/~mtve/wiki/SctpDechunk.html
  
   Regards,
   Vineeth
  
   what problem are you trying to solve? Wireshark supports dissecting
 the upper layer payload
   for bundled DATA chunks for ages...
  
   Best regards
   Michael
   
Vineeth
   

Re: [Wireshark-dev] SCTP De-chunking support

2013-01-10 Thread vineeth vijay
Hi,

I understood the idea. It would help in easier detection of the relevant
upper layer info in large packets.
What I would like to know is how it could be implemented. Setting some sort
of flag for the filter-specific chunk bytes, so that GUI/GTK colors it
differently? Sorry, but I am not very familiar with GTK.

Vineeth

On Fri, Jan 11, 2013 at 4:08 AM, Michael Tuexen 
michael.tue...@lurchi.franken.de wrote:

 On Jan 10, 2013, at 9:44 PM, vineeth vijay wrote:

  Hi,
 
  Yes, highlighting would work too. Ultimately the application info
 corresponding to display filter should be visible easily without the need
 to scroll through the entire frame. Any suggestions on how to achieve this?
  I think GUI coloring implementation would paint the entire frame with
 the same color, wouldn't it?
 No, what I mean is the following:
 Assume you have an SCTP packet with 5 DATA chunks each containing an M3UA
 message.
 The packet is shown because you filtered for a field in the third M3UA
 message.
 Then only the third M3UA part would be colored specifically. The rest of
 the
 packet is shown, but not in this color. Do you get the idea from my
 description?
 Would that address your issue?

 Best regards
 Michael
 
  Vineeth
 
  On Fri, Jan 11, 2013 at 1:44 AM, Michael Tuexen 
 michael.tue...@lurchi.franken.de wrote:
 
  On Jan 10, 2013, at 8:49 PM, vineeth vijay wrote:
 
   Hi,
  
Dissection is fine. What I was wondering is whether it is possible
 to show these individual data chunks as separate frames themselves.
   But they are in the same frame. I really prefer not to show them in a
 way they
   have not been on the wire.
  
   Basically agreed on the above point.  Changing the default behavior
 may not be good due to all the copied lower layer bytes and resulting
 increase in the size of capture in case there are 4-5 chunks per packet.
 But still feel it would be a nice optional feature to have when doing
 actual offline analysis.
  I do understand that it is sometimes hard to find the application layer
 packet when using display
  filters and there are multiple application layer packets bundled in a
 single frame. I also have
  traces with a large number of bundled chunks.
  
Hence, when i apply display filter ,  only the chunks with  exact
 matches should be visible. Is this supported currently?
   No. Filtering is based on packets. Not sure how to improve that. We
 can't show 'half' of a packet.
   However, there might be ways to draw your attention to the upper layer
 packet which matches the
   filter.
   Regarding above point, would like to suggest that the packet
 information being displayed can be restricted to the PDU which actually
 matches the display filter. E.g out of an SCTP packet carrying 3-4 M3UA
 chunks, the pinfo of only the  chunk matching the filter can be displayed?
  Thinking about this... What about displaying only the frames, which
 match a display filter (like today).
  However, it might be helpful to highlight that part (like the M3UA
 packet) which matches the display filter.
  This should allow to find the upper layer packet pretty fast. What do
 you think?
 
  Best regards
  Michael
  
   Vineeth
  
   On Fri, Jan 11, 2013 at 12:54 AM, Michael Tuexen 
 michael.tue...@lurchi.franken.de wrote:
   On Jan 10, 2013, at 5:31 PM, vineeth vijay wrote:
  
Hi,
   
Dissection is fine. What I was wondering is whether it is possible
 to show these individual data chunks as separate frames themselves.
   But they are in the same frame. I really prefer not to show them in a
 way they
   have not been on the wire.
Hence, when i apply display filter ,  only the chunks with  exact
 matches should be visible. Is this supported currently?
   No. Filtering is based on packets. Not sure how to improve that. We
 can't show 'half' of a packet.
   However, there might be ways to draw your attention to the upper layer
 packet which matches the
   filter.
  
   Best regards
   Michael
Currently , i use the below tool for this purpose:
http://frox25.no-ip.org/~mtve/wiki/SctpDechunk.html
   
Regards,
Vineeth
   
what problem are you trying to solve? Wireshark supports dissecting
 the upper layer payload
for bundled DATA chunks for ages...
   
Best regards
Michael

 Vineeth

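Added example, not part of the thread and not Wireshark code: a minimal C walk over the chunks of one SCTP packet that reports which bundled DATA chunk matches and the byte range of its user data, which is the span the highlighting proposal above would color. The names matching_chunk and struct data_chunk, the byte-pattern match standing in for a display filter, and the sample packet are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCTP_COMMON_HDR 12  /* ports, verification tag, checksum */
#define SCTP_DATA_HDR   16  /* type, flags, length, TSN, stream, SSN, PPID */
struct data_chunk { size_t offset, len; uint32_t ppid; };  /* hypothetical record */

static uint32_t be(const uint8_t *p, int n) {  /* big-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Walk the bundled chunks. Returns the index (among DATA chunks) of the first
 * one with the given PPID whose user data contains `needle`; -1 if none,
 * -2 if malformed. On a hit, *hit is the byte range a GUI would highlight. */
int matching_chunk(const uint8_t *pkt, size_t len, uint32_t ppid,
                   const void *needle, size_t nlen, struct data_chunk *hit)
{
    size_t off = SCTP_COMMON_HDR;
    int idx = 0;
    if (len < SCTP_COMMON_HDR) return -2;
    while (off < len) {
        if (len - off < 4) return -2;                 /* truncated chunk header */
        size_t clen = be(pkt + off + 2, 2);           /* length excludes padding */
        if (clen < 4 || clen > len - off) return -2;  /* never trust the length field */
        if (pkt[off] == 0) {                          /* chunk type 0 = DATA */
            if (clen < SCTP_DATA_HDR) return -2;
            struct data_chunk c = { off + SCTP_DATA_HDR, clen - SCTP_DATA_HDR,
                                    be(pkt + off + 12, 4) };
            for (size_t i = 0; c.ppid == ppid && nlen && i + nlen <= c.len; i++)
                if (memcmp(pkt + c.offset + i, needle, nlen) == 0) { *hit = c; return idx; }
            idx++;
        }
        size_t padded = (clen + 3) & ~(size_t)3;      /* chunks are padded to 4 bytes */
        off += padded < len - off ? padded : len - off;
    }
    return -1;
}

/* Constructed sample: one SCTP packet bundling three DATA chunks, PPID 3 (M3UA);
 * the checksum is left zero because this walk does not verify it. */
static const uint8_t sample_pkt[] = {
    0x0b,0x59, 0x0b,0x59, 0,0,0,1, 0,0,0,0,                   /* common header */
    0,3, 0,20, 0,0,0,1, 0,0, 0,0, 0,0,0,3, 'A','A','A','A',   /* DATA 0 */
    0,3, 0,21, 0,0,0,2, 0,0, 0,1, 0,0,0,3, 'H','E','L','L','O', 0,0,0, /* DATA 1 */
    0,3, 0,20, 0,0,0,3, 0,0, 0,2, 0,0,0,3, 'B','B','B','B',   /* DATA 2 */
};

int main(void) {
    struct data_chunk hit;
    int i = matching_chunk(sample_pkt, sizeof sample_pkt, 3, "HELLO", 5, &hit);
    if (i >= 0)
        printf("DATA chunk %d matches, bytes %zu-%zu\n", i, hit.offset, hit.offset + hit.len - 1);
    return 0;
}
```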

Re: [Wireshark-dev] Export higer level PDUs, Unbundled PDUs decrypted PDUs etc

2013-04-18 Thread vineeth vijay
Hi Anders,

Do you mean ability to export only the payload protocol from
tunneled/encapsulated captures like GTP-U etc?
If yes, +1 :)

Have been looking for such functionality for some time.

Regards,
Vineeth


On Thu, Apr 18, 2013 at 2:23 PM, Anders Broman
anders.bro...@ericsson.com wrote:

  Hi,

 I think these topics in various forms have been cropping up lately. Would
 it be possible/useful to have a generic feature to “Export” to a new file?

 From a dissector using a tap, writing to a generic DLT with a pseudo
 header containing pseudo data, such as extracts from lower layers like IP
 port or whatever can be useful, and an indication of what the next level
 protocol is. As an example, if I have decrypted and reassembled SIP traffic
 it could be useful to be able to export that to a new file just containing
 the SIP traffic and the IP port combination used. The header would then
 indicate the protocol as SIP and the meta data would be of type TLV and
 added to as needs arise. Just a rough idea…

 Regards

 Anders


Re: [Wireshark-dev] Export higer level PDUs, Unbundled PDUs decrypted PDUs etc

2013-04-18 Thread vineeth vijay
Yes, and this function would take arguments of original frame, offset
where the interesting payload starts and length of this payload. Correct??

Regards,
Vineeth


On Thu, Apr 18, 2013 at 9:52 PM, Anders Broman a.bro...@bredband.net wrote:

  vineeth vijay wrote 2013-04-18 18:11:

  Hi Anders,

  Do you mean ability to export only the payload protocol from
 tunneled/encapsulated captures like GTP-U etc?
 If yes, +1 :)

   Yes that could be one use case. Probably every protocol using the
 function would have to have code supporting it.
 Regards
 Anders

  Have been looking for such functionality for some time.

  Regards,
 Vineeth


 On Thu, Apr 18, 2013 at 2:23 PM, Anders Broman anders.bro...@ericsson.com
  wrote:

  Hi,

 I think these topics in various forms have been cropping up lately. Would
 it be possible/useful to have a generic feature to “Export” to a new file?

 From a dissector using a tap, writing to a generic DLT with a pseudo
 header containing pseudo data, such as extracts from lower layers like IP
 port or whatever can be useful, and an indication of what the next level
 protocol is. As an example, if I have decrypted and reassembled SIP traffic
 it could be useful to be able to export that to a new file just containing
 the SIP traffic and the IP port combination used. The header would then
 indicate the protocol as SIP and the meta data would be of type TLV and
 added to as needs arise. Just a rough idea…



 Regards

 Anders



[Wireshark-dev] Wireshark for Mac 10.14.5

2019-12-13 Thread Pooja Vijay via Wireshark-dev
Hi

I am trying to install Wireshark for Mac OS version 10.14.5 but I don’t see a
.dmg file anywhere. When I try to download from the supported version of Wireshark
it gets me a .png. Can you please help me in installing Wireshark on my Mac?

Thanks
Pooja