[Wireshark-users] Passive Web Access Monitoring
Dear All,

I have a question about the ability of tshark to monitor web access on network traffic. I want to tap/sniff the traffic of my clients to monitor their web-access activity. The output of this monitoring is a logfile that looks like squid's access.log, such as:

1159259853.197667 x.x.x.x TCP_MISS/404 3036 GET http://nannooknew0.tripod.com/Image/hearts11.gif - DIRECT/209.202.226.100 text/html

How do I use the tshark command and its parameters to get this output?

Thanks,
Chong

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
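One way to get squid-style lines out of tshark is to let tshark emit the HTTP fields (`-T fields`) and pair each request with its response in a small post-processor. The script below is an added example, not code from the thread or from the Wireshark project. It assumes a current tshark with the field names listed in its docstring (`http.response_in` links a request frame to the frame that answered it); the tab-separated sample lines embedded in it are constructed, and `TCP_MISS` is written as a fixed token because a passive tap has no cache state to report.

```python
"""Turn tshark field output into squid-style access.log lines.

Assumed (current) tshark invocation, tab-separated, one packet per line:

  tshark -r web.pcap -Y http -T fields -E separator=/t \\
      -e frame.number -e frame.time_epoch -e ip.src -e ip.dst \\
      -e http.request.method -e http.host -e http.request.uri \\
      -e http.response_in -e http.response.code -e http.content_length \\
      -e http.content_type | python3 this_script.py

Only plaintext HTTP is visible on a tap; HTTPS shows up as TLS, not as http.* fields.
"""
import sys

# Column order must match the -e list above.
FIELDS = ["frame.number", "frame.time_epoch", "ip.src", "ip.dst",
          "http.request.method", "http.host", "http.request.uri",
          "http.response_in", "http.response.code", "http.content_length",
          "http.content_type"]

# Constructed sample of what tshark prints: a GET whose 404 response was seen
# (frame 12 -> response frame 15), and a POST whose response never crossed the tap.
SAMPLE = "\n".join("\t".join(row) for row in [
    ("12", "1159259853.197667", "172.16.34.34", "209.202.226.100",
     "GET", "nannooknew0.tripod.com", "/Image/hearts11.gif", "15", "", "", ""),
    ("15", "1159259853.401122", "209.202.226.100", "172.16.34.34",
     "", "", "", "", "404", "3036", "text/html"),
    ("21", "1159259854.003001", "172.16.34.34", "192.168.9.1",
     "POST", "www1.example", "/login", "", "", "", ""),
])


def parse_fields(text):
    """Parse tab-separated tshark -T fields output into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # blank or malformed line; skip rather than misattribute columns
        records.append(dict(zip(FIELDS, parts)))
    return records


def build_access_log(text):
    """One squid-like line per HTTP request, paired with its response via http.response_in."""
    records = parse_fields(text)
    by_frame = {r["frame.number"]: r for r in records}
    lines = []
    for req in records:
        if not req["http.request.method"]:
            continue  # response frames do not start a log line
        resp = by_frame.get(req["http.response_in"])  # None if the reply was never captured
        status = resp["http.response.code"] if resp else "000"  # squid's "no reply" status
        size = (resp["http.content_length"] or "-") if resp else "-"  # absent for chunked bodies
        ctype = (resp["http.content_type"] or "-") if resp else "-"
        host = req["http.host"] or req["ip.dst"]  # HTTP/1.0 requests may lack a Host header
        url = "http://%s%s" % (host, req["http.request.uri"])
        # TCP_MISS is a fixed token: a passive tap has no cache state, but the
        # field keeps the line parseable by tools that expect squid's layout.
        # DIRECT/<ip.dst> is the server the client actually talked to (or the
        # proxy, if one sits between the tap and the server).
        lines.append("%s %s TCP_MISS/%s %s %s %s - DIRECT/%s %s" % (
            req["frame.time_epoch"], req["ip.src"], status, size,
            req["http.request.method"], url, req["ip.dst"], ctype))
    return lines


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(build_access_log(data)))
```

Run without input it prints the two lines for the constructed sample; piped from the tshark command in the docstring it logs a live or saved capture. A request whose response never crossed the tap is logged with status 000 rather than dropped, so gaps in the tap's visibility stay visible in the log.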
[Wireshark-users] Arbitrarily labelling src / dst IPs?
Hi all,

I have to look at a lot of tcpdumps on a regular basis and am finding that all of the IPs are merging into one and are difficult to keep track of when I'm looking at a trace.

Is there a way of arbitrarily labelling certain src / dst IPs, e.g.

10.1.1.3 = PROXY
192.168.9.1 = WWW1
192.168.9.20 = WWW2
172.16.34.34 = CLIENT

Obviously I'd like to be able to do this within Wireshark itself, but if necessary I could pre-process the tcpdump files against a match-list (maybe I'll write a script if there's nothing else out there).

I cannot use DNS resolution, as all of the dumps are from client sites and generally use RFC1918 addressing, so DNS lookup will not work (and I would rather not create a new zone file for each tcpdump I analyse). I've tried using my /etc/hosts file but it doesn't seem to work (on Win32 at least).

I would find this very, very useful.

Thanks in advance,
SM

--
Simon Mullis
[EMAIL PROTECTED]
Re: [Wireshark-users] Arbitrarily labelling src / dst IPs?
Hi,

From the MAN page:

--8<--
Name Resolution (hosts)

If the personal hosts file exists, it is used to resolve IPv4 and IPv6 addresses before any other attempts are made to resolve them. The file has the standard hosts file syntax; each line contains one IP address and name, separated by whitespace. The same directory as for the personal preferences file is used.
--8<--

So this is very possible indeed :)

Thanx,
Jaap

On Wed, 27 Sep 2006, Simon Mullis wrote:
> Hi all,
>
> I have to look at a lot of tcpdumps on a regular basis and am finding that all of the IPs are merging into one and are difficult to keep track of when I'm looking at a trace.
>
> Is there a way of arbitrarily labelling certain src / dst IPs, e.g.
>
> 10.1.1.3 = PROXY
> 192.168.9.1 = WWW1
> 192.168.9.20 = WWW2
> 172.16.34.34 = CLIENT
>
> Obviously I'd like to be able to do this within Wireshark itself, but if necessary I could pre-process the tcpdump files against a match-list (maybe I'll write a script if there's nothing else out there).
>
> I cannot use DNS resolution, as all of the dumps are from client sites and generally use RFC1918 addressing, so DNS lookup will not work (and I would rather not create a new zone file for each tcpdump I analyse). I've tried using my /etc/hosts file but it doesn't seem to work (on Win32 at least).
>
> I would find this very, very useful.
>
> Thanks in advance,
> SM
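Both routes raised in this thread, Jaap's personal hosts file and Simon's fallback of pre-processing tcpdump text against a match-list, can be driven from the same label table. The script below is an added example and is not code from either poster or from the Wireshark project. It assumes the "ip = LABEL" match-list shape from the question, that the generated file is written to the personal configuration directory (currently ~/.config/wireshark/hosts on Linux, %APPDATA%\Wireshark\hosts on Windows) and that network name resolution is switched on (tshark -N n; in Wireshark, View > Name Resolution > Resolve Network Addresses), since the hosts file is not consulted otherwise. The tcpdump lines embedded in it are constructed; the second one contains 192.168.9.10, which has no label and must not be mangled by the 192.168.9.1 entry.

```python
"""Label RFC1918 addresses in tcpdump/tshark text and emit a Wireshark personal hosts file.

Two routes for the same match-list: pre-process tcpdump text (no Wireshark needed),
or write the Wireshark 'hosts' file and switch on network name resolution
(tshark -N n; Wireshark: View > Name Resolution > Resolve Network Addresses).
"""
import re

# Constructed match-list in the "ip = LABEL" form from the question ('#' starts a comment).
MATCH_LIST = """\
10.1.1.3 = PROXY
192.168.9.1 = WWW1
192.168.9.20 = WWW2   # second web server
172.16.34.34 = CLIENT
"""

# Constructed tcpdump -n lines. The second one uses 192.168.9.10, which has no label
# and must not be mangled by the 192.168.9.1 entry.
SAMPLE_TCPDUMP = [
    "12:00:01.000123 IP 172.16.34.34.51234 > 192.168.9.1.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000456 IP 192.168.9.10.80 > 172.16.34.34.51234: Flags [S.], seq 2, ack 2, length 0",
    "12:00:01.000789 IP 10.1.1.3.3128 > 192.168.9.20.80: Flags [P.], length 120",
]


def parse_match_list(text):
    """'ip = LABEL' lines -> {ip: label}; blank lines and comments ignored."""
    labels = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, label = (part.strip() for part in line.split("=", 1))
        labels[ip] = label
    return labels


def hosts_file(labels):
    """Standard hosts syntax, one 'ip name' per line, as Wireshark's personal hosts file expects."""
    return "".join("%s\t%s\n" % (ip, name) for ip, name in sorted(labels.items()))


def build_labeller(labels, keep_ip=False):
    """Return a function that rewrites labelled IPs in one line of text.

    The lookbehind/lookahead bound the address by non-digits, so 192.168.9.1 is not
    found inside 192.168.9.10, yet tcpdump's address.port form (192.168.9.1.80)
    still matches because a '.' follows the last octet.
    """
    alternatives = "|".join(re.escape(ip) for ip in labels)
    pattern = re.compile(r"(?<![\d.])(" + alternatives + r")(?!\d)")

    def repl(match):
        ip = match.group(1)
        return "%s(%s)" % (labels[ip], ip) if keep_ip else labels[ip]

    return lambda line: pattern.sub(repl, line)


if __name__ == "__main__":
    table = parse_match_list(MATCH_LIST)
    print(hosts_file(table), end="")   # redirect into the Wireshark profile's hosts file
    label = build_labeller(table)
    for line in SAMPLE_TCPDUMP:
        print(label(line))
```

The `keep_ip` switch prints `PROXY(10.1.1.3)` instead of `PROXY`, which is worth keeping on when a labelled trace is going into a report, so the reader can still see the raw address the label stands for.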
Re: [Wireshark-users] Arbitrarily labelling src / dst IPs?
Jaap - Many thanks! Who would have thought that reading the manual would be so productive ;-)

Regards,
SM

On 9/27/06, Jaap Keuter [EMAIL PROTECTED] wrote:
> Hi,
>
> From the MAN page:
>
> --8<--
> Name Resolution (hosts)
>
> If the personal hosts file exists, it is used to resolve IPv4 and IPv6 addresses before any other attempts are made to resolve them. The file has the standard hosts file syntax; each line contains one IP address and name, separated by whitespace. The same directory as for the personal preferences file is used.
> --8<--
>
> So this is very possible indeed :)
>
> Thanx,
> Jaap

--
Simon Mullis
[EMAIL PROTECTED]
Re: [Wireshark-users] Command Syntax Problem with tethereal
You need to specify -b for each option you use, so the syntax would be:

tethereal -b duration:60 -b filesize:1000 -b files:5 -i hme0 -N nt -w /var/tmp/hme0.pcap

P.S. Please send future e-mails in text mode instead of HTML only.

Steve
[Wireshark-users] symbolic decode of ESP payload
I am trying to decode packets carried in ESP transport mode. I set up IPSec to use NULL encryption and authentication. When I configure ESP with the SAs, it shows me the decoded data in the ESP payloads. But I want it to symbolically decode that. Specifically, if a TCP segment spans multiple ESP packets, I expect Wireshark to reassemble and symbolically decode whatever is inside. I know it can do this with Diameter. Does it not do it for ESP?

---
Joe Harvell