Re: [Wireshark-users] tshark --print-a-specific-field ?

2007-05-30 Thread Douglas Pratley
Hi Guy

Thanks for adding the documentation for -Tfields. The documentation for
the -e / -E options was correctly added in the patch; it was only the
-Tfields entry itself that I missed, and the current entry that points
back to -e looks fine to me.

Cheers

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Harris
Sent: 29 May 2007 20:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark --print-a-specific-field ?

Stephen Fisher wrote:

> Check out the new -Tfields and -e options in the latest Wireshark
> developer versions (they were added after 0.99.5 was released if I
> remember correctly).  The tshark man page describes them.

...in recent SVN versions.  I added documentation for -T fields, but I
didn't add the -T fields option; whoever added them should look at the
man page changes to make sure they completely and correctly document the
option.
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users





[Wireshark-users] Bandwidth Utilization CSV??

2007-05-30 Thread Feeny, Michael \(GPCT-CAI\)
Hi.  Is there a way to produce a bandwidth utilization table?  That
is, a table that would show bandwidth utilization as a function of time,
over the course of a capture file?

It looks like the Statistics / TCP Stream Graph / Throughput Graph
provides this information (B/s over Time), but I have some questions
about it that I don't see addressed in the User Guide...
*   Can I get a CSV corresponding to the Throughput Graph?
*   When I click my mouse on the graph, it changes the scale of the
axes, but I can't figure out how to control exactly how these scales
change.

Thx for any help.
Michael

Michael Feeny
CAI - Core Applications & Integration
AIM - Application Infrastructure Management
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0




[Wireshark-users] Capturing packets between 2 physical interfaces in same machine

2007-05-30 Thread Nagaraj Turaiyur

Hi-

I just installed Wireshark version 0.99.5 on Windows XP.

My laptop has 2 interfaces - ethernet & wireless LAN. I want to capture
packets sent between the 2 interfaces. I tried capture on either interface
with default settings (promiscuous on), but I see only packets received
from other hosts.

I could understand that packets sent between loopback addresses cannot be
captured. But, I was hoping that capture between multiple physical
interfaces would work. Any idea why this does not work?

Regards,
Nagaraj


[Wireshark-users] Installation problem.

2007-05-30 Thread A Kumar, Vijay \(Vijay\)
Hi All,

I am trying to install wireshark-0.99.5 on Solaris 9.

I installed following packages. Downloaded from sunfreeware.com
libpcap-0.9.5-sol9-sparc-local
zlib-1.2.3-sol9-sparc-local
glib-2.13.0-sol9-sparc-local
gtk-2.2.4-sol9-sparc-local
pcre-7.1-sol9-sparc-local
libgcc-3.4.6-sol9-sparc-local
sed-4.1.5-sol9-sparc-local

When I tried to ./configure got following error messages

checking for gtk-config... no
checking for GTK - version >= 1.2.0... no
*** The gtk-config script installed by GTK could not be found
*** If GTK was installed in PREFIX, make sure PREFIX/bin is in
*** your path, or set the GTK_CONFIG environment variable to the
*** full path to gtk-config.
checking for glib-config... no
checking for GLIB - version >= 1.2.0... no
*** The glib-config script installed by GLIB could not be found
*** If GLIB was installed in PREFIX, make sure PREFIX/bin is in
*** your path, or set the GLIB_CONFIG environment variable to the
*** full path to glib-config.
configure: error: GLib distribution not found.

So I am using following packages to configure
system      SUNWGtkr       GTK - The GIMP Toolkit (Root)
system      SUNWGtku       GTK - The GIMP Toolkit (Usr)
system      SUNWGlib       GLIB - Library of useful routines for C programming

After this configure completed successfully with following option.
The Wireshark package has been configured with the following options.
                    Build wireshark : yes
                       Build tshark : yes
                     Build capinfos : yes
                      Build editcap : yes
                      Build dumpcap : yes
                     Build mergecap : yes
                    Build text2pcap : yes
                      Build idl2wrs : yes
                      Build randpkt : yes
                       Build dftest : yes

                     Install setuid : no
                        Use plugins : yes
                   Build lua plugin : no
                   Build rtp_player : no
                Use GTK+ v2 library : no
                   Use pcap library : yes
                   Use zlib library : yes
                   Use pcre library : yes
               Use kerberos library : no
               Use GNU ADNS library : no
             Use GNU crypto library : no
             Use SSL crypto library : no
           Use IPv6 name resolution : no
               Use Net-SNMP library : no
                 Use gnutls library : no

But make is now creating problem. After executing make I am getting
following error messages.
Root # /usr/ccs/bin/make
/usr/bin/perl ./make-version.pl .
Version configuration file version.conf not found.  Using defaults.
This is not a SVN build.
svnversion.h is up-to-date.
/usr/ccs/bin/make  all-recursive
Making all in tools
Making all in lemon
gcc -D_U_=   -o lemon 
gcc: No input files
*** Error code 1
make: Fatal error: Command failed for target `lemon'
Current working directory /var/tmp/pkgs/wireshark-0.99.5/tools/lemon
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /var/tmp/pkgs/wireshark-0.99.5/tools
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /var/tmp/pkgs/wireshark-0.99.5
*** Error code 1
make: Fatal error: Command failed for target `all'

Can anyone tell me what the problem is?

Thanks & regards,
Vijay


Re: [Wireshark-users] Capturing packets between 2 physical interfaces in same machine

2007-05-30 Thread Gianluca Varenni
Are you sure packets are actually transmitted on the wire/wireless and not just 
routed internally by the IP stack?

GV



Re: [Wireshark-users] Installation problem.

2007-05-30 Thread Gerald Combs
A Kumar, Vijay (Vijay) wrote:

> But make is now creating problem. After executing make I am getting
> following error messages.
> Root # /usr/ccs/bin/make
> /usr/bin/perl ./make-version.pl .
> Version configuration file version.conf not found.  Using defaults.
> This is not a SVN build.
> svnversion.h is up-to-date.
> /usr/ccs/bin/make  all-recursive
> Making all in tools
> Making all in lemon
> gcc -D_U_=   -o lemon 
> gcc: No input files
> *** Error code 1
> make: Fatal error: Command failed for target `lemon'
> Current working directory /var/tmp/pkgs/wireshark-0.99.5/tools/lemon
> *** Error code 1
> make: Fatal error: Command failed for target `all-recursive'
> Current working directory /var/tmp/pkgs/wireshark-0.99.5/tools
> *** Error code 1
> make: Fatal error: Command failed for target `all-recursive'
> Current working directory /var/tmp/pkgs/wireshark-0.99.5
> *** Error code 1
> make: Fatal error: Command failed for target `all'
>
> Can anyone tell me what the problem is?

If you're determined to compile Wireshark yourself, you might try using
GNU make instead of Sun's make.

If you just want to get Wireshark up and running, you might want to use
Blastwave.org instead of Sunfreeware.  Once you have Blastwave set up
(http://www.blastwave.org/howto.html) you can run 'pkg-get install
wireshark' to install Wireshark.


[Wireshark-users] Comparing packets

2007-05-30 Thread Piers Kittel
Hello all,

I'm trying to export data as a CSV file but I need to modify the data  
it exports a bit so I can do clever graphy things with it.  My main  
problem is the H.261 packets in a bunch of files I've got.  When I  
apply a filter (h261.stream) it shows all the packets I'm interested  
in, but when I export it, it comes up as:

181 1324.014027 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx H.261 H.261 message

So I have no way to compare packets just using the data above.  I've  
found that I can disable the analyser for H.261 packets (Analyze ->
Enabled Protocols -> untick H.261) and it shows the data I need.  For
example, packet 181 it shows:

181 1324.014027 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx RTP Payload type =  
ITU-T H.261, SSRC 2008229573, Seq=54520, Time=1725612773, Mark

That is exactly what I need as I need the Seq part to compare  
packets.  Naturally, I have to cancel the filter, but I filter by  
right clicking on the packet above, clicking on Conversation Filter  
and clicking on UDP.  Then when I export it as a CSV file, then one  
column shows:

Payload type=ITU-T H.261, SSRC=2008229573, Seq=54520,  
Time=1725612773, Mark

Is there a way (either from Wireshark or Excel/NeoOffice or anything  
else such as a shell script) to strip the data down just to the 54520  
part?  Thinking about it, something like a shell script to delete  
everything but the 54520 part from that column will be useful, but  
will have to work out how to make it not delete anything else.  Any  
pointers to a helpful guide, or do you have any better idea?

Thanks very much for your help in advance!

Regards - Piers
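For Piers's column-stripping problem, an added example that is not from the thread or from Wireshark itself, and that goes one step past the Seq= case: it reads a Wireshark CSV export, splits the RTP Info text ("Payload type=..., SSRC=..., Seq=..., Time=..., Mark") into key/value pairs, and writes Seq, SSRC, Time and a Mark flag out as columns of their own, so packets can be compared on numbers rather than on the whole string. The CSV rows embedded below are constructed to match the export layout described in the post (addresses and the second and third packets are invented); a row whose Info carries no Seq=, such as a stray ICMP packet, gets an empty cell instead of aborting the run.

```python
"""Split Wireshark's exported RTP Info text into real columns (added example)."""
import csv
import io

# Constructed sample of a Wireshark "Export as CSV" of the packet list, with the
# H.261 dissector disabled so the RTP summary appears in the Info column.
# Addresses and times are invented; the first Info text mirrors the post.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Info"
"181","1324.014027","10.0.0.1","10.0.0.2","RTP","Payload type=ITU-T H.261, SSRC=2008229573, Seq=54520, Time=1725612773, Mark"
"182","1324.034102","10.0.0.1","10.0.0.2","RTP","Payload type=ITU-T H.261, SSRC=2008229573, Seq=54521, Time=1725612773"
"183","1324.040000","10.0.0.2","10.0.0.1","ICMP","Destination unreachable (Port unreachable)"
'''

INFO_KEYS = ("SSRC", "Seq", "Time")   # numeric Info fields worth a column each


def parse_info(info):
    """'k=v, k=v, Flag' -> {'k': 'v', ..., 'Flag': True}.

    Values may contain spaces ('ITU-T H.261'), so only the first '=' in each
    comma-separated piece separates key from value; a piece without '=' is a flag.
    """
    fields = {}
    for part in info.split(", "):
        key, sep, value = part.partition("=")
        fields[key.strip()] = value.strip() if sep else True
    return fields


def split_columns(csv_text, keys=INFO_KEYS):
    """One dict per row: the original packet-list columns plus 'info.<key>' for
    each requested Info field ('' when absent) and 'info.Mark' as "1"/"0"."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        info = parse_info(row["Info"])
        out = dict(row)
        for key in keys:
            value = info.get(key, "")
            out["info." + key] = value if value is not True else ""  # bare flag, not k=v
        out["info.Mark"] = "1" if info.get("Mark") is True else "0"
        rows.append(out)
    return rows


def seq_numbers(csv_text):
    """Just the RTP sequence numbers, as ints, skipping rows that have none."""
    return [int(r["info.Seq"]) for r in split_columns(csv_text) if r["info.Seq"]]


def write_csv(rows):
    """Serialise the rows back to CSV in Wireshark's all-quoted style, header first."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(write_csv(split_columns(SAMPLE_CSV)), end="")
```

Point the script at a real export by replacing SAMPLE_CSV with the file's contents; the extra columns are appended after Info, so a spreadsheet can sort or chart on info.Seq directly.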


Re: [Wireshark-users] Bandwidth Utilization CSV??

2007-05-30 Thread Stephen Fisher
On Wed, May 30, 2007 at 07:19:33AM -0400, Feeny, Michael (GPCT-CAI) wrote:

> Hi.  Is there a way to produce a bandwidth utilization table?  That
> is, a table that would show bandwidth utilization as a function of
> time, over the course of a capture file?

The bandwidth utilized in both directions added together for the entire 
capture file can be found by going to Statistics -> Summary and looking 
in the box at the bottom.  The capinfos program that comes with 
Wireshark will also show this information about a capture file without 
having to open it in Wireshark.

> It looks like the Statistics / TCP Stream Graph / Throughput Graph
> provides this information (B/s over Time), but I have some questions
> about it that I don't see addressed in the User Guide...
> * Can I get a CSV corresponding to the Throughput Graph?

Not at this time.  If you're interested in this feature being added, 
please open a bug report (and mark it as an enhancement request) at 
http://bugs.wireshark.org.

> * When I click my mouse on the graph, it changes the scale of the
> axes, but I can't figure out how to control exactly how these scales
> change?

Are you clicking the middle button?  That zooms in or out.  You can 
modify how it zooms by finding that window (that may be hidden behind the 
graph at first) titled Graph 1 - Control.  Hope this helps, I don't 
use that graph usually so I'm not that familiar with it either.  Let us 
know if you still have questions about it.


Steve

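Guy's note on -T fields and -e in the first thread on this page, together with Stephen's answer that the Throughput Graph has no CSV export, point at one workable route: have tshark print each frame's timestamp and size as fields and bucket them yourself. The following is an added example, not code from either thread or from the Wireshark project. It parses the tab-separated lines that `tshark -r capture.pcap -T fields -e frame.time_relative -e frame.len` prints (the sample lines embedded below are constructed, not from a real capture) and writes a bytes-per-interval CSV. Unlike the TCP Stream Graph it counts every frame in the file rather than one TCP stream, and it emits idle intervals as zero rows so the table has no holes.

```python
"""Bucket per-frame sizes from `tshark -T fields` output into bandwidth over time.
Added example; the input format is tshark's default tab-separated -T fields output."""
import csv
import io
from collections import defaultdict

# Constructed sample of what
#   tshark -r capture.pcap -T fields -e frame.time_relative -e frame.len
# prints: one line per frame, the two fields separated by a tab.
SAMPLE_TSHARK_OUTPUT = """\
0.000000\t74
0.000215\t74
0.000498\t1514
0.000700\t1514
1.250000\t66
1.300000\t1514
3.100000\t60
"""


def bucket_bytes(lines, interval=1.0):
    """Return [(bucket_start_seconds, bytes, bits_per_second), ...].

    Every interval from the first to the last frame is present, so an idle
    second shows up as a zero row instead of vanishing from the table.
    Blank lines (tshark prints none, but shells sometimes add one) are skipped.
    """
    totals = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        timestamp, length = line.split("\t")
        totals[int(float(timestamp) // interval)] += int(length)
    if not totals:
        return []
    last = max(totals)
    return [(i * interval, totals[i], totals[i] * 8 / interval)
            for i in range(0, last + 1)]


def to_csv(rows):
    """Render the buckets as CSV with a header line, ready for a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["time_s", "bytes", "bits_per_s"])
    for start, nbytes, bps in rows:
        writer.writerow([f"{start:.3f}", nbytes, f"{bps:.0f}"])
    return out.getvalue()


if __name__ == "__main__":
    import sys
    # Piped input wins; run without a pipe to see the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else io.StringIO(SAMPLE_TSHARK_OUTPUT)
    print(to_csv(bucket_bytes(source)), end="")
```

Pipe tshark into it (`tshark -r capture.pcap -T fields -e frame.time_relative -e frame.len | python3 bandwidth.py > util.csv`) and change `interval` for coarser or finer buckets; add `-R` with a display filter to the tshark side to restrict the count to one conversation.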


[Wireshark-users] dcerpc.cn_call_id display filter problem when reassembled PDU

2007-05-30 Thread andre.noel
Hi,

I captured DCERPC traffic and then I did a filter to isolate a particular call
ID with this filter: dcerpc.cn_call_id == 96

I went through that problem:

When the option "Allow subdissector to reassemble TCP streams" is checked, the
filter catches only the Request.

When the option "Allow subdissector to reassemble TCP streams" is deselected,
the filter catches both the Request and the Response. The frame is identified
as "limited during capture" but I know it's not; I did a full frame capture.

Might it be because the frame is exactly 1514 bytes long, or might I be wrong
about something?

I attached a small capture that has what I described.

Regards.

===

André Noël

Attachment: dcerpc.pcap


[Wireshark-users] SSL Question

2007-05-30 Thread al aghili
Hi,
I would like to run tshark to capture encrypted SSL messages so I can read off
of standard out and decrypt it using our certificate. But when I run a command
like this:

C:\Program Files\Wireshark>tshark -i 2 -R ssl.app_data -T text -V -l -d tcp.port==8443,ssl

the application data dump looks like this:

Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: Application Data
        Content Type: Application Data (23)
        Version: SSL 3.0 (0x0300)
        Length: 5631
        Encrypted Application Data: D25EFAFBA41786F64DA3B304F8603FEDFCA31C1AA2BA6E65...

It looks like it's truncating the data. How can I get it to dump all of the
encrypted data to standard out and not truncate it?

Thanks
Al


[Wireshark-users] Apple Mac OS X crash on start

2007-05-30 Thread Mark Boltz

Hi folks,

I'm trying to build Wireshark on an Apple MacBook Pro running OS X  
10.4.9. Here's my wireshark --version output:


enterprise:~/Documents mboltz$ wireshark --version
wireshark 0.99.5

Copyright 1998-2007 Gerald Combs [EMAIL PROTECTED] and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.12, with GLib 2.13.2, with libpcap 0.9.4, with libz
1.2.3, without libpcre, without Net-SNMP, without ADNS, without Lua, without
GnuTLS, without Gcrypt, with MIT Kerberos, without PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Darwin 8.9.1, with libpcap version 0.9.4.

Built using gcc 4.0.1 (Apple Computer, Inc. build 5367).



I built everything in the following manner:

As of this writing (30 may 2007), the latest versions were:
pkg-config 0.21 found at www.freedesktop.org
freetype 2.3.4 found at freetype.sourceforge.net
gettext 0.16 found at ftp.gnu.org or mirror
glib 2.13.2 found at ftp.gtk.org/pub/glib
cairo 1.4.6 found @ www.cairographics.org
pango 1.17.0 found at ftp.gtk.org/pub/pango
atk 1.19.1 found at ftp.gnome.org
and gtk+ 2.10.12

[ I switched atk to 1.18.0, because 1.19.1 complained about missing  
gnome-something or other, and I certainly don't want to build Gnome  
for OS X]


I then built everything from source in this way:

PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/local/lib/pkgconfig:/usr/X11R6/lib/pkgconfig
export PKG_CONFIG_PATH

configure/make/make install pkg-config
configure/make/make install freetype
configure/make/make install gettext
  (configure --without-libjpeg --without-libpng --without-libtiff for the rest:)
configure/make/make install glib
configure/make/make install cairo
configure/make/make install pango
configure/make/make install atk
configure/make/make install gtk+

and for cairo I had to switch to --disable-png instead. Then compiled
wireshark 0.99.5 with

configure/make/make install.

Actually, the make install was a sudo make install, the rest were  
just as me in my ~/src directory.


Wireshark seemed to compile cleanly, but when I go to start it under
X11 now, it loads the splash for init dissectors, and then crashes with:


mboltz$ wireshark

(wireshark:12581): GdkPixbuf-CRITICAL **: gdk_pixbuf_new_from_file:  
assertion `filename != NULL' failed


(wireshark:12581): GLib-GObject-CRITICAL **: g_object_ref: assertion  
`G_IS_OBJECT (object)' failed

Bus error

Any ideas?

--
Mark Boltz
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  -- Benjamin Franklin (1706-1790)
  reply of the Pennsylvania Assembly to the Governor
  November 11, 1755




Re: [Wireshark-users] dcerpc.cn_call_id display filter problem when reassembled PDU

2007-05-30 Thread Sake Blok
On Wed, May 30, 2007 at 03:34:29PM -0400, [EMAIL PROTECTED] wrote:
 
> I captured DCERPC traffic and then I did a filter to isolate a particular
> call ID with this filter: dcerpc.cn_call_id == 96
>
> I went through that problem:
>
> When the option "Allow subdissector to reassemble TCP streams" is
> checked, the filter catches only the Request.
>
> When the option "Allow subdissector to reassemble TCP streams" is
> deselected, the filter catches both the Request and the Response. The
> frame is identified as "limited during capture" but I know it's not; I
> did a full frame capture.

It looks like you do not have all TCP segments of the conversation in the
tracefile. The DCE_RPC dissector knows it needs some more data. When
"allow subdissector to reassemble TCP streams" is off, the first frame
is dissected with all the information that is available to it. Since it
does know that more data should come, it says something about the
captured bytes. I agree the message is a bit misleading.

Once you turn on "allow subdissector to reassemble TCP streams", the dissector
tries to collect the data it knows should be there. Unfortunately the data
is not there because some TCP segments are missing. Therefore it does
not dissect the packet and the filter fails to see it...

The remedy is to collect all data of a conversation so that TCP reassembly
is able to reconstruct all the higher-level PDUs :)

I hope this helps, Cheers,


Sake 
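An added example, not from the thread or from the Wireshark source, that models what Sake describes. It uses the real 16-byte DCE/RPC connection-oriented header layout (frag_length at offset 8, call_id at offset 12, integer byte order taken from the first drep byte) but constructed PDUs and TCP segments: a 3000-byte Response split over three segments, the first two carrying 1460 bytes of payload, which is exactly what a full 1514-byte Ethernet frame holds (14 + 20 + 20 + 1460). With reassembly off, the header in the first segment is dissected as it stands and `call_id == 96` matches, though the dissector knows the PDU is not complete; with reassembly on and the middle segment missing from the capture, the reassembler never accumulates frag_length bytes, the dissector is never handed a PDU, and the filter has nothing to match. The TCP_MSS constant and the hypothetical `segment()` splitter are assumptions of the example, not Wireshark behaviour.

```python
"""Model of why 'dcerpc.cn_call_id == 96' stops matching a Response once TCP
reassembly is turned on and a segment is missing from the capture.
Added example: the header layout is the real DCE/RPC CO one, the packets are constructed."""
import struct

HDR_LEN = 16                       # DCE/RPC connection-oriented common header
PTYPE_REQUEST, PTYPE_RESPONSE = 0, 2
TCP_MSS = 1460                     # assumption: payload of a full 1514-byte Ethernet frame


def make_co_pdu(ptype, call_id, body_len, little_endian=True):
    """Constructed CO PDU: real header field order, zero-filled body.
    Header: version, minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id."""
    end = "<" if little_endian else ">"
    drep0 = 0x10 if little_endian else 0x00      # bit 4 of drep[0] = integer byte order
    header = struct.pack(end + "BBBB4BHHI", 5, 0, ptype, 0x03, drep0, 0, 0, 0,
                         HDR_LEN + body_len, 0, call_id)
    return header + bytes(body_len)


def dissect_header(data):
    """Reassembly off: dissect whatever bytes are present. None only if the 16-byte
    header itself is cut short; 'complete' records whether frag_length bytes were
    there, which is what the misleading 'limited during capture' note hints at."""
    if len(data) < HDR_LEN:
        return None
    end = "<" if data[4] & 0x10 else ">"
    frag_length, _auth_length, call_id = struct.unpack_from(end + "HHI", data, 8)
    return {"ptype": data[2], "call_id": call_id, "frag_length": frag_length,
            "complete": len(data) >= frag_length}


def reassemble(segments, start_seq):
    """Join (seq, payload) TCP segments into one contiguous byte string starting
    at start_seq, stopping at the first gap. Retransmitted overlap is trimmed."""
    data, expected = b"", start_seq
    for seq, payload in sorted(segments):
        if seq > expected:
            break                                # a segment is missing: stop here
        if seq < expected:
            payload = payload[expected - seq:]   # overlap: keep only the new tail
        data += payload
        expected += len(payload)
    return data


def dissect_with_reassembly(segments, start_seq):
    """Reassembly on: the PDU reaches the dissector only once frag_length bytes
    are available. With a gap that never happens, so there is nothing to filter on."""
    hdr = dissect_header(reassemble(segments, start_seq))
    if hdr is None or not hdr["complete"]:
        return None
    return hdr


def matches_call_id(hdr, call_id):
    """The display filter dcerpc.cn_call_id == call_id, applied to a dissection result."""
    return hdr is not None and hdr["call_id"] == call_id


def segment(pdu, start_seq, mss=TCP_MSS):
    """Hypothetical sender: split a PDU into TCP segments of at most mss bytes."""
    return [(start_seq + off, pdu[off:off + mss]) for off in range(0, len(pdu), mss)]


if __name__ == "__main__":
    response = make_co_pdu(PTYPE_RESPONSE, 96, 3000 - HDR_LEN)
    segs = segment(response, start_seq=1000)          # 1460 + 1460 + 80 bytes
    captured = [segs[0], segs[2]]                     # middle frame lost by the capture
    print("reassembly off:", matches_call_id(dissect_header(captured[0][1]), 96))          # True
    print("reassembly on :", matches_call_id(dissect_with_reassembly(captured, 1000), 96))  # False
    print("all segments  :", matches_call_id(dissect_with_reassembly(segs, 1000), 96))      # True
```

The same gap explains the asymmetry André saw: the Request fits in one frame and needs no reassembly, so it matches in both modes, while the multi-segment Response only matches when every segment made it into the trace.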




Re: [Wireshark-users] having trouble compiling wireshark

2007-05-30 Thread Guy Harris
Rohit Grover wrote:

> I've installed libpcap 0.9.5 (from source) on my debian system and
> done a 'make install' to setup libpcap.a. But I get the following
> error when running ./configure for wireshark (0.99.5):
>
> ...
> checking pcap.h usability... yes
> checking pcap.h presence... yes
> checking for pcap.h... yes
> checking for pcap_open_live in -lpcap... no
> checking for pcap_open_live in -lpcap with -lcfg -lodm... no
> checking for pcap_open_live in -lpcap with -lpfring... no

What does the config.log file say about libpcap?