Re: [Wireshark-users] saving decrypted ssl capture file
On Wed, Feb 06, 2008 at 12:49:35PM +0530, Vishal Arya wrote:

> is there a way to open a capture file with encrypted ssl data and use the http server's rsa key to decrypt it and save it as a new decrypted capture file.

No, this is not possible. The decryption only decrypts the ssl packets for displaying. The packets will stay the same, so saving them will result in the same data in the capture file.

> i tried the below command but did not work
>
>     $ ~/work/wireshark-0.99.7/tshark -V -r /tmp/rsasnakeoil2.cap -o ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key -o ssl.debug_file:/tmp/debug.txt -F libpcap -w - > /tmp/test

Why did you use -w - and then >, you could have used -w /tmp/test straight away :-)

What you could do, and maybe you had that in mind already, is use the -V flag (as you already did) and the > /tmp/test together without the -w -. That would result in a text file containing all the output from Tshark, including the decrypted traffic. Of course this file is a *text* file and not a binary *capture* file. So it can't be used in tcpflow or any other utility that is able to read libpcap files.

Cheers,
Sake

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Problem: i only sniff my own packets, not network packets
Hi, I'm working on a little audit and writing reports on different security apps for my boss, and I'm having a problem: when I use WireShark over ethernet or wireless I am able to see other people's bureaucratic packets (DNS, ZeroConf, SMB headers...) but I can't see any TCP packets except mine when I'm surfing the net, which is not interesting because I must prove that someone can connect to the corporate network and start to get data (e-mails, passwords, web pages...). A typical scenario that I did myself, showing it to my boss:

1º I have WireShark running as root on Ubuntu 7.10 on a Compaq nx7010 laptop over its wireless network card (Intel, I think the model is 2010)
2º I disconnect my MacBook v2.1 (Airport Extreme wireless card, Atheros based) with MacOS X 10.5.1 from the same wireless network
3º I re-connect the MacBook to the same wireless network
4º WireShark on the Linux machine detects that the MacBook has connected to the network, and all the auto-identification it sends (Samba, RendezVous/ZeroConf, MDNS...)
5º I make a random search on Google with the MacBook...
6º ...WireShark doesn't detect anything :-(

And if I do web surfing on the Linux machine, I get a lot of TCP packets, but they are from the same machine!!! And I don't want to know what pages I'm surfing, I want the other pages. I've tried this in another network area with the same results, by ethernet and by wireless, without any positive result, and I don't know what to do. I thought it would be because of a switch on the network, but in any case the wireless APs work as a hub, so there shouldn't be problems, and in any case if there is a switch on a network it shouldn't show so much info such as DNS requests or similar... The most annoying thing was to find someone using Apple File Server with Kerberos authentication (bizarre... at least for me) and not get anything about other TCP sessions... :-(

Thanks a lot, and hoping for your answer.
--
Smile, even if it is only a sad smile, because sadder than a sad smile is the sadness of not knowing how to smile. Motto of Sonrissa, a company with a great future that ended in bankruptcy, and the only clear thing I got out of my holidays. Raise the country's reading rate, read my blog! :-D
http://alcor12.alcorconwireless.net/drupal/blog/2
Re: [Wireshark-users] Problem: i only sniff my own packets, not network packets
On Wed, Feb 06, 2008 at 01:43:00PM +0100, El Piraña wrote:

> I've tried this in another network area with the same results, by ethernet and by wireless, without any positive result, and I don't know what to do. I thought it would be because of a switch on the network, but in any case the wireless APs work as a hub, so there shouldn't be problems, and in any case if there is a switch on a network it shouldn't show so much info such as DNS requests or similar...

This issue is caused by your machine being connected to a switch. The packets you do see from other machines are either broadcast, multicast or traffic going to a destination the switch does not recognize at the moment (so it floods it out all ports).

Wireless does act as a hub, but it is difficult/impossible to get some wireless cards into monitor mode so they actually capture the other traffic. See http://wiki.wireshark.org/CaptureSetup/WLAN for more details. If your wireless LAN has proper encryption on it though, you still won't be able to see other machines' traffic.

Steve
[Wireshark-users] Counting packets with a matching payload
Hello,

I have a data set with 50,000 packets in it. Many of them have a TCP/IP packet with a payload that follows a pattern. The pattern is a 1024 byte payload with 55 aa 55 aa etc hex in it. I want to filter this data set and count how many packets have this pattern in them. Any thoughts? I can do this with a decode filter on my clearsight and Network Instruments analyzers but I am stuck with how to do this in WS.

Thanks
Scott Sheppard
ATT Labs
[Wireshark-users] Capture Filter Help
Hi. I've been googling and using the wiki but I can't figure out if this is possible. I'm trying to set up a capture filter to capture only data where the ip address contains a certain part of an ip address. We have a lot of servers on a distributed network that have standard addresses. For example, I'd like to capture data on port 137 if the ip address is like 192.xxx.xxx.11 where xxx can be anything. Can this be done in a capture filter? Looks like it can be done in a display filter, but I really don't want that.

Any help is appreciated.

Thanks,
James
Re: [Wireshark-users] Capture Filter Help
On Wed, Feb 06, 2008 at 01:51:43PM -0500, James Pifer wrote:

> Hi. I've been googling and using the wiki but I can't figure out if this is possible. I'm trying to set up a capture filter to capture only data where the ip address contains a certain part of an ip address. We have a lot of servers on a distributed network that have standard addresses. For example, I'd like to capture data on port 137 if the ip address is like 192.xxx.xxx.11 where xxx can be anything. Can this be done in a capture filter? Looks like it can be done in a display filter, but I really don't want that.

How about looking at the specific locations within the ip-packet for the source address or destination address:

    ip[0xc]==192 and ip[0xf]==11

would match any packet from 192.x.x.11, and

    ip[0x10]==192 and ip[0x13]==11

would match any packet to 192.x.x.11. So the full filter would be:

    ((ip[0xc]==192 and ip[0xf]==11) or (ip[0x10]==192 and ip[0x13]==11)) and port 137

Hope this helps,

Cheers,
Sake
Re: [Wireshark-users] Capture Filter Help
James Pifer wrote:

> I'm trying to set up a capture filter to capture only data where the ip address contains a certain part of an ip address. We have a lot of servers on a distributed network that have standard addresses. For example, I'd like to capture data on port 137 if the ip address is like 192.xxx.xxx.11 where xxx can be anything. Can this be done in a capture filter?

Not conveniently, but it can be done:

    (((ip[12:4] & 0xFF0000FF) = 0xC000000B) || ((ip[16:4] & 0xFF0000FF) = 0xC000000B)) && port 137

(which extracts the IP source address, ANDs it with 0xFF0000FF, compares it with 192.0.0.11, does the same with the IP destination address, matches if either is true, and then ANDs that with a match on port 137).
Re: [Wireshark-users] Counting packets with a matching payload
On Wed, Feb 06, 2008 at 06:42:10PM -, Scott Sheppard wrote:

> I have a data set with 50,000 packets in it. Many of them have a TCP/IP packet with a payload that follows a pattern. The pattern is a 1024 byte payload with 55 aa 55 aa etc hex in it. I want to filter this data set and count how many packets have this pattern in them. Any thoughts?

You could use a display filter to select the frames and then use statistics (or the status bar) to count the number of filtered frames.

To build a display filter matching these packets, make sure the protocol that contains these 55aa55aa patterns is disabled (Analyze - Enabled Protocols). This way, tcp will hand off dissection to the data dissector. Double-click on "data (xxx bytes)" in the packet details pane. Then right-click on "Data: 55aa55aa55aa55..." and select Apply as Filter - Selected.

That should do the trick :-)

Cheers,
Sake
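As an added illustration of what the display filter above ends up counting, here is a small Python script written for this page (it is not code from the thread or from Wireshark). It builds a constructed pcap file in memory, walks the records, extracts the TCP payload of each Ethernet/IPv4/TCP frame and counts those whose payload contains the 55 aa 55 aa pattern, optionally restricted to the 1024-byte payloads Scott describes. The frames, addresses and ports are made up for the example; checksums are left zero because nothing here validates them.

```python
import struct

PATTERN = bytes.fromhex("55aa55aa")  # the 55 aa 55 aa ... pattern from the question


def build_pcap(frames, linktype=1):
    """Serialise raw frames into a little-endian classic pcap image (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1202300000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_pcap_frames(data):
    """Yield (linktype, frame bytes) for every record, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield linktype, data[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame, linktype):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if linktype != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 only, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4  # TCP header length, including options
    return tcp[data_off:]


def count_pattern_packets(pcap_bytes, pattern=PATTERN, payload_len=None):
    """Count TCP packets whose payload contains `pattern` (and has `payload_len` bytes, if given)."""
    count = 0
    for linktype, frame in iter_pcap_frames(pcap_bytes):
        payload = tcp_payload(frame, linktype)
        if payload is None:
            continue
        if payload_len is not None and len(payload) != payload_len:
            continue
        if pattern in payload:
            count += 1
    return count


def make_frame(proto, payload):
    """Constructed Ethernet/IPv4/(TCP|UDP) frame with zeroed checksums (sample data only)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, 5000, 1, 1, 0x50, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


# Constructed sample capture: three matching 1024-byte TCP payloads, one same-length
# non-matching payload, one UDP packet carrying the pattern, and one short TCP match.
SAMPLE_PCAP = build_pcap([
    make_frame(6, PATTERN * 256),
    make_frame(6, PATTERN * 256),
    make_frame(6, PATTERN * 256),
    make_frame(6, b"\x00" * 1024),
    make_frame(17, PATTERN * 256),
    make_frame(6, PATTERN * 4),
])

if __name__ == "__main__":
    print("any length:", count_pattern_packets(SAMPLE_PCAP))
    print("1024-byte payloads:", count_pattern_packets(SAMPLE_PCAP, payload_len=1024))
```

The length check is what the "Apply as Filter - Selected" step gives you for free: the generated filter compares the whole Data field, so a shorter packet that merely contains the bytes does not count. The UDP frame is skipped because the count is restricted to TCP, as in the question.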
Re: [Wireshark-users] Capture Filter Help
> How about looking at the specific locations within the ip-packet for the source address or destination address:
>
>     ip[0xc]==192 and ip[0xf]==11
>
> would match any packet from 192.x.x.11, and
>
>     ip[0x10]==192 and ip[0x13]==11
>
> would match any packet to 192.x.x.11. So the full filter would be:
>
>     ((ip[0xc]==192 and ip[0xf]==11) or (ip[0x10]==192 and ip[0x13]==11)) and port 137
>
> Hope this helps,
>
> Cheers,
> Sake

Sake,

I'm trying this, just waiting for something to come in. I would also like to filter NBNS protocol. Right now I have a display filter like this:

    nbns.flags == 0x2810 || nbns.flags == 0x2910

Again, I'd rather have this in a capture filter in case I want to start saving it.

What is the best capture reference? Maybe I've not come across it yet.

Thanks for the help.
James
Re: [Wireshark-users] Capture Filter Help
On Wed, Feb 06, 2008 at 02:46:21PM -0500, James Pifer wrote:

> I would also like to filter NBNS protocol. Right now I have a display filter like this:
>
>     nbns.flags == 0x2810 || nbns.flags == 0x2910
>
> Again, I'd rather have this in a capture filter in case I want to start saving it.

You could use something like:

    udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910

Why? Because the udp header is 8 bytes long, and then there are two bytes for the NBNS Transaction ID. The following two bytes (starting from position 0xa (=10) relative to the start of the UDP header) will be the nbns flags.

> What is the best capture reference? Maybe I've not come across it yet.

Start at:

http://www.ethereal.com/docs/eug_html_chunked/ChCapCaptureFilterSection.html

and also follow the link at the bottom of that page to:

http://www.tcpdump.org/tcpdump_man.html

That should get you on your way. Apart from that, it's being creative with what is offered by the libpcap filter format.

Cheers,
Sake
Re: [Wireshark-users] Capture Filter Help
On Wed, Feb 06, 2008 at 10:14:29PM +0100, Sake Blok wrote:

> On Wed, Feb 06, 2008 at 02:46:21PM -0500, James Pifer wrote:
>
>> I would also like to filter NBNS protocol. Right now I have a display filter like this:
>>
>>     nbns.flags == 0x2810 || nbns.flags == 0x2910
>>
>> Again, I'd rather have this in a capture filter in case I want to start saving it.
>
> You could use something like:
>
>     udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910

Oops, that should of course be:

    udp port 137 and (udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910)

Cheers,
Sake
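To show what these byte-offset capture filters actually test, and why the `udp port 137` guard in the correction matters, here is an added Python example (not code from the thread, from libpcap or from Wireshark) that re-implements the checks from the filters in this thread over constructed raw IPv4/UDP packets: the `ip[0xc]`/`ip[0xf]` octet test, the masked `ip[12:4] & 0xFF0000FF` form from Guy's reply, and the `udp[0xa:2]` NBNS flags test. The packets, addresses and transaction IDs are made up for the example. One narrowing: the thread's `port 137` also matches TCP, while this example checks UDP only, which is what NBNS uses.

```python
import struct


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed raw IPv4/UDP packet, no link-layer header, zeroed checksums (sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src_b, dst_b)
    return ip + udp


def udp_offset(pkt):
    """Start of the UDP header: the IPv4 header length (IHL) in bytes; udp[0] is pkt[udp_offset]."""
    return (pkt[0] & 0x0F) * 4


def first_fragment(pkt):
    """libpcap's 'port' keyword also requires fragment offset 0 (ip[6:2] & 0x1fff == 0)."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0


def addr_octets_match(pkt):
    """(ip[0xc]==192 and ip[0xf]==11) or (ip[0x10]==192 and ip[0x13]==11)"""
    return (pkt[0xC] == 192 and pkt[0xF] == 11) or (pkt[0x10] == 192 and pkt[0x13] == 11)


def addr_mask_match(pkt):
    """Masked form: (ip[12:4] & 0xFF0000FF) == 0xC000000B, or the same on ip[16:4]."""
    src, dst = struct.unpack("!II", pkt[12:20])
    return (src & 0xFF0000FF) == 0xC000000B or (dst & 0xFF0000FF) == 0xC000000B


def udp_port(pkt, port):
    """'udp port N': IPv4 protocol 17, first fragment, N as source or destination port."""
    if pkt[9] != 17 or not first_fragment(pkt):
        return False
    off = udp_offset(pkt)
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    return port in (sport, dport)


def addr_and_port_match(pkt):
    """The address-pattern filter combined with port 137 (UDP only here)."""
    return addr_octets_match(pkt) and udp_port(pkt, 137)


def nbns_flags_match(pkt):
    """udp port 137 and (udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910)"""
    if not udp_port(pkt, 137):
        return False
    off = udp_offset(pkt)
    flags = struct.unpack("!H", pkt[off + 0xA:off + 0xC])[0]
    return flags in (0x2810, 0x2910)


def count_matching(packets, predicate):
    """Number of packets the given filter function accepts."""
    return sum(1 for p in packets if predicate(p))


def nbns_payload(flags):
    """Constructed NBNS header: 2-byte transaction ID, 2-byte flags, zeroed counts."""
    return b"\x12\x34" + struct.pack("!H", flags) + b"\x00" * 8


# Constructed samples: 192.x.x.11 as source, as destination, a near miss (.12),
# and a matching address on a non-137 port.
SAMPLE_PACKETS = [
    build_ipv4_udp("192.168.5.11", "10.0.0.1", 137, 137, nbns_payload(0x2810)),
    build_ipv4_udp("10.0.0.1", "192.10.20.11", 137, 137, nbns_payload(0x0110)),
    build_ipv4_udp("192.168.5.12", "10.0.0.1", 137, 137, nbns_payload(0x2910)),
    build_ipv4_udp("192.168.5.11", "10.0.0.1", 53, 53, nbns_payload(0x2810)),
]

if __name__ == "__main__":
    print("192.x.x.11 and port 137:", count_matching(SAMPLE_PACKETS, addr_and_port_match))
    print("NBNS flags 0x2810/0x2910:", count_matching(SAMPLE_PACKETS, nbns_flags_match))
```

Without the `udp port 137` guard, `udp[0xa:2]` would be read from any UDP payload at all (DNS, for instance, puts its own flags at the same offset), which is why the corrected filter is the one to keep. The octet and masked forms agree on every packet; the masked form simply folds the two byte comparisons into one 32-bit compare.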
[Wireshark-users] test case in configure script fails for gtk on Solaris with gcc
I have a Sun Blade 2000 running Solaris 10

    # cat /etc/release
    Solaris 10 8/07 s10s_u4wos_12b SPARC
    Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 16 August 2007

and am trying to build wireshark-0.99.7, but have hit a few issues.

1) Trying to configure with gcc (/usr/sfw/bin/gcc 3.4.3 which came with Solaris and 3.4.5 from Blastwave) I find it bombs out very quickly with:

    ./configure CC=/opt/csw/gcc3/bin/gcc CXX=/opt/csw/gcc3/bin/g++
    checking for pkg-config... /usr/bin/pkg-config
    checking for GTK+ - version >= 2.0.0... no
    *** Could not run GTK+ test program, checking why...
    *** The test program failed to compile or link. See the file config.log for the
    *** exact error that occured. This usually means GTK+ is incorrectly installed.
    configure: error: GTK+ isn't available, so Wireshark can't be compiled

This seems odd, since they are present, as can be seen if I call pkg-config from the command line.

    kestrel /tmp/wireshark-0.99.7 % /usr/bin/pkg-config glib-2.0 --modversion
    2.4.1
    kestrel /tmp/wireshark-0.99.7 % /usr/bin/pkg-config gtk+-2.0 --modversion
    2.4.9

Looking at config.log, it looks to me as if the compiler is complaining about an invalid option 't'.

    configure:22616: result: no
    configure:22685: checking if profile builds must be generated
    configure:22698: result: no
    configure:22746: checking for pkg-config
    configure:22764: found /usr/bin/pkg-config
    configure:22777: result: /usr/bin/pkg-config
    configure:22799: checking for GTK+ - version >= 2.0.0
    configure:22919: /opt/csw/gcc3/bin/gcc -o conftest -D_U_=__attribute__((unused)) -g -O2 -Wall -W -Wdeclaration-after-statement -Wendif-labels -Wpointer-arith -Wno-return-type -DFUNCPROTO=15 -I/usr/local/include -mt -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/pango-1.0 -I/usr/openwin/include -I/usr/sfw/include -I/usr/sfw/include/freetype2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/local/include -L/usr/local/lib -R/usr/local/lib conftest.c -mt -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lmlib -lpangoxft-1.0 -lpangox-1.0 -lpango-1.0 -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lglib-2.0 -R/usr/lib:/usr/openwin/lib:/usr/local/lib:/usr/local/lib/X11:/usr/local/X11R6.4/lib:/usr/ucblib:/opt/hpnpl/lib:/opt/csw/lib >&5
    cc1: error: invalid option `t'
    cc1: error: invalid option `t'
    configure:22922: $? = 1
    configure: program exited with status 1
    configure: failed program was:
    | /* confdefs.h. */
    | #define PACKAGE_NAME
    | #define PACKAGE_TARNAME
    | #define PACKAGE_VERSION
    | #define PACKAGE_STRING

I've tried building with Sun's compiler and get a lot further, as it compiles hundreds of files OK before generating an error(s). The errors I get there will be reported in another email, as they are quite different to this which occurs during the configure process.
Re: [Wireshark-users] test case in configure script fails for gtk on Solaris with gcc
I saw this once before. The problem is, IIRC, that one of Solaris' versions of gtk2, glib, or gthread is configured to be compiled with -mt which the Sun compiler understands but GCC doesn't. Indeed Sun bug 6213382 (gthread-2.0.pc and ORBit-2.0.pc have -mt which confuses gcc) indicates the problem is with the gthread package.

If you do:

    pkg-config --cflags --libs gthread

you'll probably find that it tells you that gthread needs to be compiled with -mt. (If not try with gtk2 and glib.)

Whatever package it is, you can fix the problem by editing package.pc wherever that is on your system--just replace -mt with -pthread.

Dr. David Kirkby wrote:

> I have a Sun Blade 2000 running Solaris 10
>
>     # cat /etc/release
>     Solaris 10 8/07 s10s_u4wos_12b SPARC
>     Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
>     Use is subject to license terms.
>     Assembled 16 August 2007
>
> and am trying to build wireshark-0.99.7, but have hit a few issues.
>
> 1) Trying to configure with gcc (/usr/sfw/bin/gcc 3.4.3 which came with Solaris and 3.4.5 from Blastwave) I find it bombs out very quickly with:
>
>     ./configure CC=/opt/csw/gcc3/bin/gcc CXX=/opt/csw/gcc3/bin/g++
>     checking for pkg-config... /usr/bin/pkg-config
>     checking for GTK+ - version >= 2.0.0... no
>     *** Could not run GTK+ test program, checking why...
>     *** The test program failed to compile or link. See the file config.log for the
>     *** exact error that occured. This usually means GTK+ is incorrectly installed.
>     configure: error: GTK+ isn't available, so Wireshark can't be compiled
>
> This seems odd, since they are present, as can be seen if I call pkg-config from the command line.
>
>     kestrel /tmp/wireshark-0.99.7 % /usr/bin/pkg-config glib-2.0 --modversion
>     2.4.1
>     kestrel /tmp/wireshark-0.99.7 % /usr/bin/pkg-config gtk+-2.0 --modversion
>     2.4.9
>
> Looking at config.log, it looks to me as if the compiler is complaining about an invalid option 't'.
[Wireshark-users] Build problems with Sun's compiler on Solaris 10
I've been trying to build wireshark-0.99.7 on a Sun Blade 2000 workstation running Solaris 10 update 4 using Sun's Studio 11 compiler suite. Here are some notes. #6 is a show-stopper, as it is stopping me building wireshark - the others are minor points I believe which need fixing, but are quite easy to fix.

1) Unlike the case with trying to build with gcc (see my post of half an hour ago on wireshark-users), the Sun compiler seems to pick up gtk properly.

    checking for pkg-config... /usr/bin/pkg-config
    checking for GTK+ - version >= 2.0.0... yes (version 2.4.9)
    checking for pkg-config... (cached) /usr/bin/pkg-config
    checking for GLIB - version >= 2.0.0... yes (version 2.4.1)
    checking whether GLib supports loadable modules... yes

This is good of course, but I was not so fortunate with gcc. (Looking at the reply to that post Jeff Morriss has suggested a fix, which I have not yet tried).

2) I just installed libpcap from the file libpcap-0.9.8.tar.gz, but the wireshark configure script complains that the pcap library is more recent than the pcap header.

    checking whether pcap_breakloop is present and usable... broken
    configure: WARNING: Your pcap library is more recent than your pcap header.
    configure: WARNING: Wireshark won't be able to use functions not declared
    configure: WARNING: in that header. You should install a newer version of
    configure: WARNING: the header file.
    checking whether pcap_findalldevs is present and usable... yes
    checking for pcap_datalink_val_to_name... yes

I've no idea why this should be so.

3) If I ignore that warning about the pcap then the rest of the program configures OK

    The Wireshark package has been configured with the following options.
                         Build wireshark : yes
                            Build tshark : yes
                          Build capinfos : yes
                           Build editcap : yes
                           Build dumpcap : yes
                          Build mergecap : yes
                         Build text2pcap : yes
                           Build idl2wrs : yes
                           Build randpkt : yes
                            Build dftest : yes
                          Install setuid : no
                             Use plugins : yes
                        Build lua plugin : no
                        Build rtp_player : no
                     Use GTK+ v2 library : yes
                             Use threads : no
                   Build profile binaries : no
                        Use pcap library : yes
                        Use zlib library : yes
                        Use pcre library : no
                    Use kerberos library : no
                    Use GNU ADNS library : no
                     Use SMI MIB library : no
                  Use GNU crypto library : no
                  Use SSL crypto library : no
                 Use IPv6 name resolution : no
                      Use gnutls library : yes
                      Use libcap library : no

4) There is an error compiling plugins/ethercat/packet-ethercat-frame.c and plugins/ethercat/packet-ethercat-frame.h but I found this bug had been reported before

http://www.mail-archive.com/[EMAIL PROTECTED]/msg06382.html

and the patch here

http://www.mail-archive.com/[EMAIL PROTECTED]/msg06391.html

solved that one.

5) There are a large number of errors when trying to compile plugins/ethercat/packet-ecatmb.h but these are quite easy to solve. Basically, every structure is declared like this

    struct {
        some code
    };

but the Sun compiler complains unless a name for the structure is given, i.e.

    struct {
        some code
    } ANY_NAME_YOU_WANT;

Hence one can fix this by adding anything for a name. This needs to be done on lines 110, 137, 151, 180, 355, 395, 401, 454 and 459 of plugins/ethercat/packet-ecatmb.h (Looking at the patch referenced above, that was one of the issues the patch solves, but it needs to be done in another file too).

6) NOW THIS IS THE SERIOUS PROBLEM - it stops me building wireshark and I have not yet found a solution.

    ./configure CC=/opt/SUNWspro/bin/cc CXX=/opt/SUNWspro/bin/CC

This configures OK - see above for what is configured.

    gmake

After quite a bit of time compiling OK, the compilation process aborts with:

    source='packet-ecatmb.c' object='packet-ecatmb.lo' libtool=yes \
    DEPDIR=.deps depmode=none /bin/bash ../../depcomp \
    /bin/bash ../../libtool --tag=CC --mode=compile /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/usr/local/include -I/usr/local/include '-DPLUGIN_DIR=/usr/local/lib/wireshark/plugins/0.99.7' -D_U_= -g -I/usr/local/include -mt -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/pango-1.0 -I/usr/openwin/include -I/usr/sfw/include -I/usr/sfw/include/freetype2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -c -o packet-ecatmb.lo packet-ecatmb.c
    /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/usr/local/include -I/usr/local/include -DPLUGIN_DIR=\/usr/local/lib/wireshark/plugins/0.99.7\ -D_U_= -g -I/usr/local/include -mt -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include
Re: [Wireshark-users] Build problems with Sun's compiler on Solaris 10
Dr. David Kirkby wrote:

> 2) I just installed libpcap from the file libpcap-0.9.8.tar.gz, but the wireshark configure script complains that the pcap library is more recent than the pcap header.
>
>     checking whether pcap_breakloop is present and usable... broken
>     configure: WARNING: Your pcap library is more recent than your pcap header.
>     configure: WARNING: Wireshark won't be able to use functions not declared
>     configure: WARNING: in that header. You should install a newer version of
>     configure: WARNING: the header file.
>     checking whether pcap_findalldevs is present and usable... yes
>     checking for pcap_datalink_val_to_name... yes
>
> I've no idea why this should be so.

Well, one way that should be so would be if, for example, a hypothetical maker of UN*X boxes, whose version of UN*X includes libpcap, were to put out an online OS update that upgrades its version of libpcap as part of a tcpdump/libpcap upgrade to plug some security holes, with the upgrade to libpcap being an upgrade from a version without pcap_breakloop() to a version with pcap_breakloop(), and if that vendor were to treat header files as part of its development tools, and not to update them with that online OS update, so that you have a library with pcap_breakloop() and a header file that doesn't declare it.

As you built and installed libpcap yourself, that wouldn't be it, so we'd have to look elsewhere. What are the contents of your config.log file?

> 6) NOW THIS IS THE SERIOUS PROBLEM - it stops me building wireshark and I have not yet found a solution.
>
>     ./configure CC=/opt/SUNWspro/bin/cc CXX=/opt/SUNWspro/bin/CC
>
> This configures OK - see above for what is configured.
>
>     gmake
>
> After quite a bit of time compiling OK, the compilation process aborts with:
>
>     source='packet-ecatmb.c' object='packet-ecatmb.lo' libtool=yes \
>     DEPDIR=.deps depmode=none /bin/bash ../../depcomp \
>     /bin/bash ../../libtool --tag=CC --mode=compile /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/usr/local/include -I/usr/local/include '-DPLUGIN_DIR=/usr/local/lib/wireshark/plugins/0.99.7' -D_U_= -g -I/usr/local/include -mt -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/pango-1.0 -I/usr/openwin/include -I/usr/sfw/include -I/usr/sfw/include/freetype2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -c -o packet-ecatmb.lo packet-ecatmb.c
>     /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/usr/local/include -I/usr/local/include -DPLUGIN_DIR=\/usr/local/lib/wireshark/plugins/0.99.7\ -D_U_= -g -I/usr/local/include -mt -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/pango-1.0 -I/usr/openwin/include -I/usr/sfw/include -I/usr/sfw/include/freetype2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -c packet-ecatmb.c -KPIC -DPIC -o .libs/packet-ecatmb.o
>     "packet-ecatmb.c", line 291: improper member use: Control

Are you compiling with the latest version of plugins/ethercat/ecatmb.h? What, for example, are the definitions of SoeHeaderControlUnion and PETHERCAT_SOE_HEADER in that header? They should be

    typedef union tSoeHeaderControlUnion {
        struct {
            guint8 OpCode : 3;     /* 0 = unused, 1 = readReq, 2 = readRes, 3 = writeReq, 4 = writeRes,
                                      5 = notification (command changed notification) */
            guint8 InComplete : 1; /* more follows */
            guint8 Error : 1;      /* an error word follows */
            guint8 DriveNo : 3;    /* drive number */
            guint8 DataState : 1;  /* follows or requested */
            guint8 Name : 1;       /* follows or requested */
            guint8 Attribute : 1;  /* follows or requested */
            guint8 Unit : 1;       /* follows or requested */
            guint8 Min : 1;        /* follows or requested */
            guint8 Max : 1;        /* follows or requested */
            guint8 Value : 1;      /* follows or requested */
            guint8 Reserved : 1;
        } v;
        struct {
            guint8 Control;
            guint8 Element;
        } v2;
    } SoeHeaderControlUnion;

and

    typedef struct TETHERCAT_SOE_HEADER {
        SoeHeaderControlUnion anSoeHeaderControlUnion;
        SoeHeaderDataUnion anSoeHeaderDataUnion;
        /* typedef union tMailBoxDataUnion {
               guint8 Data[];       rest of mailbox data if (Error==0)
               guint16 ErrorCode;   if (Error==1)
           } MailBoxDataUnion; */
    } ETHERCAT_SOE_HEADER, *PETHERCAT_SOE_HEADER;
[Wireshark-users] following tcp stream or decode as using wireshark
Hi,

I am using tshark to automate a testing process, and I was wondering if there is a way to decode http responses in order to look at their payload. Is this possible? Is there some way to construct response information and store it in a separate file (or even within the tshark output)?

thanks!