Re: [Wireshark-users] Terminal Server traffic
Hi, When I switch off the TCP dissector preference analyze TCP sequence numbers, all that is left are duplicate packets for the vlan. Apply this filter to see: ip.src == 10.10.10.0/24 ip.dst == 10.10.10.0/24 Thanx, Jaap Albert Jurado wrote: I've attached a small capture file. Maybe someone can take a look at it and make something of it. If you look for the following ip address (10.10.10.23) you'll should see the out of order packets. Albert Jurado Network Manager First Commercial Insurance Company 2300 W 84 St. Hialeah, FL 33016 Phone: (305) 820-4848 ex. 1206 Mobile: (305) 873-4400 Email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaap Keuter Sent: Monday, March 10, 2008 7:38 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Terminal Server traffic Hi, Well a packet coming in has to come out somewhere. If the router passes them both to the sniffer you'll see it twice (with a different MAC address, of course, and maybe a different VLAN tag, and a TTL-1, but still. Thanx, Jaap Albert Jurado wrote: Why would it see double? Albert Jurado Network Manager First Commercial Insurance Company 2300 W 84 St. Hialeah, FL 33016 Phone: (305) 820-4848 ex. 1206 Mobile: (305) 873-4400 Email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaap Keuter Sent: Monday, March 10, 2008 1:31 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Terminal Server traffic Hi, I may be dependant how you configured the monitoring port on the core router. If it captures both ingress and egress packets it start to see double. The details I leave to the network operator buffs ;) . Thanx, Jaap Albert Jurado wrote: As of last week we started to monitor traffic from our internal Terminal Server to our internal SQL server using wireshark. Our network is segmented in the following way: VLAN for servers Data VLAN for each floor in the building (six in total). We installed wireshark on a separate workstation plugged into our core router with a monitoring port configured Our first capture revealed over 40% of the traffic as “out-of-order” packets. When we performed a capture from the terminal server there was no such traffic. I wondering if this type of behavior is normal for terminal server communication. I hope someone can shed some light on this matter for me, it would greatly appreciated. Thanks! *Albert Jurado* ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Nondeterministic 200 ms delay between sends (5 Frames per Sec)
On Fri, Mar 07, 2008 at 02:50:43PM +0100, Kovacs Peter Tamas wrote: I thought it might be a network problem, so I've run Wireshark on the capture machine, and looked at the trace. All I've seen is that packets are sent in 200 ms intervals. Some packets are sent our rapidly, then nothing happens for 200 ms, then another bunch of packets are sent. No errors, no warnings in the expert info, nothing strange. It's simply the host that waits ~200 ms for some unknown reason. It does sound like nagle and Delayed ACK doing their dance together. The nagle algorythm will make the tcp stack send out only frames of size MSS (Maximum segment size) unless the previously sent data has been ACKed. When all data has been ACKed, it will send all data in it's send buffer (less then MSS octets). Delayed acking will make the tcp-stack wait before sending an ACK until a data frame needs to be sent. This makes it possible to piggyback on the data-frame. Usually the time-out to wait for data to be sent is 100ms or 200ms. So, if the data that needs to be sent from host-1 to host-2 has a length that is not a multiple of MSS octets, the last tcp-segment will not be sent because of the nagle algorythm on host-1. Since host-2 does not need to send any data back to host-1, it will wait till the time-out before sending the ACK for the last segment with size MSS. When host-1 receives this ACK it will send the last segment. For large transfers, the 100-200ms delay will not be a big problem, but for small transfers it can really kill the performance. We've already tried TCP_NODELAY, now all our sockets are created with this, but it does not help. We tried changing the network adapters, increasing buffer sizes, nothing helped so far. Did you enable TCP_NODELAY on the *receiving* end? Another thing that might help is to send all data with the TCP PUSH flag set. This should overrule nagle and make the tcp-stack send it's data immediately. Hope this helps, Cheers, Sake ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] end-to-end delay calculation
so ... it is not reliable if i substract the time i hav in the client minus the time i have in the server to get my end the end delay? On 12/03/2008, Hansang Bae [EMAIL PROTECTED] wrote: Fabiana moreno wrote: Hello there, I know wireshark is not able to calculate the end-to-end delay of a packet when streaming. I was just wondering if adjusting the clocks of my two computers(sender and receiver) to the network time protocol and having the sniffer at both ends i could calculate the end-to-end-delay tracing each packet. Does this sound logical? It is within the limits of ntp. Unless there is a WAN involved, the packets are flying around at an order of magnitude faster than what ntp can provide (ms resolution) -- Thanks, Hansang ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] 0.99.8 Startup Error with GTK1 Interface
Hi, Earlier today I installed Wireshark 0.99.8 with the GTK2 user interface. It worked but because I was on a Windows Server 2000 with 256 colour display it was unusable. Re-reading the instructions and finding a post which outlined a similar issue, I found that I need to install the GTK1 user interface. I have now done this and spent the last couple of hours trying to work out why it won't work. I've uninstalled and reinstalled the software, rebooted between installs and installations, checked the registry, all done numerous times. Everytime I start up Wireshark with the GTK1 user interface I get an error saying wireshark.exe - Application Error. The application failed to initialize properly, click OK to terminate the application. I can re-install the GTK2 interface and it works fine (apart from the fact that you can't see a thing in the application.) The only thing that I can think of is that the GTK1 install requires the GTK MS Windows Engine but when you select the GTK1 type of install the windows engine is not selected and cannot be selected, not even by choosing the custom type of install. (But that's only my theory.) Any help or tips on how to resolve this would be very much appriciated. Kind regards, Tom ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Using wireshark to process my own capture file
I have software-generated capture files of variable-length packets (my own, experimental, protocol) preceded by standard pcap headers. All of the header fields are correct. I will never have to process live data. There can never be anything unexpected in the file--really! In any case, what I build will never reach the real world. The value I put in the network field of the pcap header is not used--not even close--in the current libpcap source. I'll be running Wireshark on a Linux (Red Hat, 64-bit) server. I am building a dissector plugin for these packets, which will be a big job. What I'm hoping to hear is that I don't have to deal with libpcap--even that I can use a standard Linux Wireshark binary and attach my plugin (if I can figure out how) and all this just works. If something else is needed I'm willing to patch the Wireshark source and recompile it. Can someone give me an idea what file(s) might need to be patched? Much thanks. Gil Berglass [EMAIL PROTECTED] ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] help in capturing Modbus traffic
Dear Wireshark-users: Our Nicaraguan non-profit development organization is in the process of trying to determine a operator panel periodic freeze. This operator panel receives instructions from a controller. The operating panel and controller automate the operations of a 930 kW small hydro plant that provides electricity to a number of rural towns and villages. The representative of the control system in Finland indicates that we should tap directly into the cable that sends data back and forth between the AC800M controller and the 235 Operator Panel. This is a special cable that has a female 9-pin RS-232 plug on one end and an RJ-45 male plug on the other end. A direct serial connection. How can one capture Modbus traffic or in other words obtain a trace file from this serial connection? The control system representative also says that the software must support MODBUS protocol. When you open the Wireshark main page, and drop-down the HELP menu, there is a part of the HELP that gives a list of 911 protocols and packet types supported by Wireshark. On this list we find MODBUS/TCP but not MODBUS. The representative from Finland thinks that MODBUS is different from MODBUS/TCP, and that we need Wireshark to support the MODBUS protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/Tcp different from Modbus and if so can wireshark capture traffic in the Modbus protocol or possibly translate from one protocol to the other? Thank you for your help, Cheers, Niko Niko Kozobolidis, P. Eng. ATDER-BL 202 - 1236 West 11th Avenue Vancouver, BC V6H 1K5 CANADA tel. 604.253.3297 email. [EMAIL PROTECTED] ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Using wireshark to process my own capture file
Hi, Why not go for these: /* Reserved for private use. */ { 147, WTAP_ENCAP_USER0 }, { 148, WTAP_ENCAP_USER1 }, { 149, WTAP_ENCAP_USER2 }, { 150, WTAP_ENCAP_USER3 }, { 151, WTAP_ENCAP_USER4 }, { 152, WTAP_ENCAP_USER5 }, { 153, WTAP_ENCAP_USER6 }, { 154, WTAP_ENCAP_USER7 }, { 155, WTAP_ENCAP_USER8 }, { 156, WTAP_ENCAP_USER9 }, { 157, WTAP_ENCAP_USER10 }, { 158, WTAP_ENCAP_USER11 }, { 159, WTAP_ENCAP_USER12 }, { 160, WTAP_ENCAP_USER13 }, { 161, WTAP_ENCAP_USER14 }, { 162, WTAP_ENCAP_USER15 }, This is what they are there for, as far as I understand. Thanx, Jaap Gil Berglass wrote: I have software-generated capture files of variable-length packets (my own, experimental, protocol) preceded by standard pcap headers. All of the header fields are correct. I will never have to process live data. There can never be anything unexpected in the file--really! In any case, what I build will never reach the real world. The value I put in the network field of the pcap header is not used--not even close--in the current libpcap source. I'll be running Wireshark on a Linux (Red Hat, 64-bit) server. I am building a dissector plugin for these packets, which will be a big job. What I'm hoping to hear is that I don't have to deal with libpcap--even that I can use a standard Linux Wireshark binary and attach my plugin (if I can figure out how) and all this just works. If something else is needed I'm willing to patch the Wireshark source and recompile it. Can someone give me an idea what file(s) might need to be patched? Much thanks. Gil Berglass [EMAIL PROTECTED] ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] help in capturing Modbus traffic
Dear Wireshark-users: Our Nicaraguan non-profit development organization is in the process of trying to determine a operator panel periodic freeze. This operator panel receives instructions from a controller. The operating panel and controller automate the operations of a 930 kW small hydro plant that provides electricity to a number of rural towns and villages. The representative of the control system in Finland indicates that we should tap directly into the cable that sends data back and forth between the AC800M controller and the 235 Operator Panel. This is a special cable that has a female 9-pin RS-232 plug on one end and an RJ-45 male plug on the other end. A direct serial connection. How can one capture Modbus traffic or in other words obtain a trace file from this serial connection? The control system representative also says that the software must support MODBUS protocol. When you open the Wireshark main page, and drop-down the HELP menu, there is a part of the HELP that gives a list of 911 protocols and packet types supported by Wireshark. On this list we find MODBUS/TCP but not MODBUS. The representative from Finland thinks that MODBUS is different from MODBUS/TCP, and that we need Wireshark to support the MODBUS protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/Tcp different from Modbus and if so can wireshark capture traffic in the Modbus protocol or possibly translate from one protocol to the other? Thank you for your help, Cheers, Niko Niko Kozobolidis, P. Eng. ATDER-BL ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Capturing Modbus traffic on serial connection
Dear Wireshark-users: Our Nicaraguan non-profit development organization is in the process of trying to determine a operator panel periodic freeze. This operator panel receives instructions from a controller. The operating panel and controller automate the operations of a 930 kW small hydro plant that provides electricity to a number of rural towns and villages. The representative of the control system in Finland indicates that we should tap directly into the cable that sends data back and forth between the AC800M controller and the 235 Operator Panel. This is a special cable that has a female 9-pin RS-232 plug on one end and an RJ-45 male plug on the other end. A direct serial connection. How can one capture Modbus traffic or in other words obtain a trace file from this serial connection? The control system representative also says that the software must support MODBUS protocol. When you open the Wireshark main page, and drop-down the HELP menu, there is a part of the HELP that gives a list of 911 protocols and packet types supported by Wireshark. On this list we find MODBUS/TCP but not MODBUS. The representative from Finland thinks that MODBUS is different from MODBUS/TCP, and that we need Wireshark to support the MODBUS protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/Tcp different from Modbus and if so can wireshark capture traffic in the Modbus protocol or possibly translate from one protocol to the other? Thank you for your help, Cheers, Niko Niko Kozobolidis, P. Eng. ATDER-BL ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] help in capturing Modbus traffic
Hi, Looks like you'll need some passive tapping hardware and dedicated capture hardware to pull this one off. Then that capture tool must write a capture file in one of the many formats Wireshark understands. Then Wireshark needs to understand how to to read this information. the MODBUS part should be no problem, that is found in MODBUS/TCP as well, but the serial line protocol uses another envelope. That support has to be build in. So, no 'off the shelf' solution this way. Thanx, Jaap Niko Kozobolidis wrote: Dear Wireshark-users: Our Nicaraguan non-profit development organization is in the process of trying to determine a operator panel periodic freeze. This operator panel receives instructions from a controller. The operating panel and controller automate the operations of a 930 kW small hydro plant that provides electricity to a number of rural towns and villages. The representative of the control system in Finland indicates that we should tap directly into the cable that sends data back and forth between the AC800M controller and the 235 Operator Panel. This is a special cable that has a female 9-pin RS-232 plug on one end and an RJ-45 male plug on the other end. A direct serial connection. How can one capture Modbus traffic or in other words obtain a trace file from this serial connection? The control system representative also says that the software must support “MODBUS” protocol. When you open the Wireshark main page, and drop-down the HELP menu, there is a part of the HELP that gives a list of “ 911 protocols and packet types supported by Wireshark”. On this list we find “MODBUS/TCP” but not “MODBUS”. The representative from Finland thinks that “MODBUS” is different from “MODBUS/TCP”, and that we need Wireshark to support the “MODBUS” protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/Tcp different from Modbus and if so can wireshark capture traffic in the Modbus protocol or possibly translate from one protocol to the other? Thank you for your help, Cheers, Niko *Niko Kozobolidis, P. Eng. * *ATDER-BL * ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] help in capturing Modbus traffic
On Mar 12, 2008, at 3:46 PM, Niko Kozobolidis wrote: Dear Wireshark-users: Our Nicaraguan non-profit development organization is in the process of trying to determine a operator panel periodic freeze. This operator panel receives instructions from a controller. The operating panel and controller automate the operations of a 930 kW small hydro plant that provides electricity to a number of rural towns and villages. The representative of the control system in Finland indicates that we should tap directly into the cable that sends data back and forth between the AC800M controller and the 235 Operator Panel. This is a special cable that has a female 9-pin RS-232 plug on one end and an RJ-45 male plug on the other end. A direct serial connection. How can one capture Modbus traffic or in other words obtain a trace file from this serial connection? The control system representative also says that the software must support MODBUS protocol. When you open the Wireshark main page, and drop-down the HELP menu, there is a part of the HELP that gives a list of 911 protocols and packet types supported by Wireshark. On this list we find MODBUS/TCP but not MODBUS. The representative from Finland thinks that MODBUS is different from MODBUS/TCP, and that we need Wireshark to support the MODBUS protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/ Tcp different from Modbus and if so can wireshark capture traffic in the Modbus protocol or possibly translate from one protocol to the other? Well: http://en.wikipedia.org/wiki/Modbus For serial connections, two variants exist, with different representations of numerical data and slightly different protocol details. Modbus RTU is a compact, binary representation of the data. Modbus ASCII is human readable, and more verbose. Both of these variants use serial communication. The RTU format follows the commands/ data with a cyclic redundancy check checksum, while the ASCII format uses a longitudinal redundancy check checksum. Nodes configured for the RTU variant will not communicate with nodes set for ASCII, and the reverse. For connections over TCP/IP (e.g. Ethernet), the more recent variant Modbus/TCP exists. It is easier to implement than Modbus/ASCII or Modbus/RTU because it does not require a checksum calculation. Following links from there to http://www.modbus.org/ and then looking for the documentation, there's http://www.modbus.org/docs/PI_MBUS_300.pdf for an older specification for Modbus-over-serial-line, describing both ASCII and RTU, http://www.modbus.org/docs/Modbus_over_serial_line_V1_02.pdf for a newer specification, also describing both ASCII and RTU, and http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf for Modbus/TCP. If the application-layer portion of the protocol is the same for Modbus-over-serial and Modbus-over-TCP, most of Wireshark's dissection code could be used for both, although we might have to split the dissector up. However, the lowest layers transporting the application- layer PDUs are different, so, yes, MODBUS (by which I assume the representative from Finland means Modbus-over-serial, given that the device uses a serial connection) is different from Modbus-over-TCP. It appears that Modbus-over-serial uses standard asynchronous communication, with either 1) 8 bits plus a parity bit, 1 stop bit or 2) 8 bits without a parity bit, 2 stop bits so a standard computer's serial port hardware could handle it if it supports whatever the baud rate is for the controller. The framing for RTU mode is done with silent times on the serial line, which means software to capture those packets would have to look for those silent times to decide when a frame was done. For ASCII mode, a frame is terminated by a CR-LF pair. In theory, somebody could: get DLT_MODBUS_ASCII and/or DLT_MODBUS_RTU DLT_ values from tcpdump.org; write code to read Modbus packets from a serial line and supply them as DLT_MODBUS_ASCII or DLT_MODBUS_RTU, and add that to the libpcap/ WinPcap library; add support for DLT_MODBUS_ASCII and/or DLT_MODBUS_RTU to Wireshark, and build a version of Wireshark and run it using the modified version of libpcap/WinPcap; in which case if you were able to put a serial line tap of some sort on the serial line in question, you would be able to sniff the Modbus traffic in Wireshark. However, that would, as Jaap noted, not be an off-the-shelf solution. Searching for modbus analyzer in Google found some items such as http://www.commfront.com/RS232_Protocol_Analyzer_Monitor/Modbus-Control-Protocol-Analyzer.htm and http://www.modbus.org/viewdevice.php?id=453 and http://www.imperioustech.com/Pricing.html so it sounds as if