[Wireshark-users] H1 Protocol Decode
I'm looking for information from anyone who has been able to successfully use the H1 dissector that comes with Wireshark. I am viewing transmissions between devices that are supposed to be using the Siemens H1 protocol riding on the COTP transport. COTP is decoded well, but the H1 dissector doesn't seem to be decoding the H1 components contained within the COTP frame.

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Using tshark to extract empty fields from pcap files
I am not officially on the list, so I am not so sure where to go to reply to this reply. I am basically trying to capture the payload of SMTP packets, i.e. the mail message, and I am trying to capture the DNS responses where it shows the domain name and the IP address to which it resolved. I am looking for the part of the DNS packet that has "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", as shown in the example below from a PDML file. It has a field with show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", but I cannot figure out how to extract this data using tshark at a command line. Any thoughts?

[snipped all the frame, udp, etc. stuff]

  <proto name="dns" showname="Domain Name System (response)" size="68" pos="42">
    <field name="dns.response_to" showname="Request In: 5567" size="0" pos="42" show="5567"/>
    <field name="dns.time" showname="Time: 0.014816000 seconds" size="0" pos="42" show="0.014816000"/>
    <field name="dns.id" showname="Transaction ID: 0x1c20" size="2" pos="42" show="0x1c20" value="1c20"/>
    <field name="dns.flags" showname="Flags: 0x8400 (Standard query response, No error)" size="2" pos="44" show="0x8400" value="8400">
      <field name="dns.flags.response" showname="1... = Response: Message is a response" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>
      <field name="dns.flags.opcode" showname=".000 0... = Opcode: Standard query (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.authoritative" showname=".1.. = Authoritative: Server is an authority for domain" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>
      <field name="dns.flags.truncated" showname="..0. = Truncated: Message is not truncated" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.recdesired" showname="...0 = Recursion desired: Don&apos;t do query recursively" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.recavail" showname="0... = Recursion available: Server can&apos;t do recursive queries" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.z" showname=".0.. = Z: reserved (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.authenticated" showname="..0. = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
      <field name="dns.flags.rcode" showname="= Reply code: No error (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    </field>
    <field name="dns.count.queries" showname="Questions: 1" size="2" pos="46" show="1" value="0001"/>
    <field name="dns.count.answers" showname="Answer RRs: 2" size="2" pos="48" show="2" value="0002"/>
    <field name="dns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="50" show="0" value=""/>
    <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="52" show="0" value=""/>
    <field name="" show="Queries" size="24" pos="54" value="056131353039016706616b616d6169036e6574010001">
      <field name="" show="a1509.g.akamai.net: type A, class IN" size="24" pos="54" value="056131353039016706616b616d6169036e6574010001">
        <field name="dns.qry.name" showname="Name: a1509.g.akamai.net" size="20" pos="54" show="a1509.g.akamai.net" value="056131353039016706616b616d6169036e657400"/>
        <field name="dns.qry.type" showname="Type: A (Host address)" size="2" pos="74" show="0x0001" value="0001"/>
        <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="76" show="0x0001" value="0001"/>
      </field>
    </field>
    <field name="" show="Answers" size="32" pos="78" value="c00c000100010014000448f66219c00c000100010014000448f66241">
      <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" size="16" pos="78" value="c00c000100010014000448f66219">
        <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="78" show="a1509.g.akamai.net" value="c00c"/>
        <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="84" show="20" value="0014"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2" pos="88" show="4" value="0004"/>
        <field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/>
      </field>
      <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" size="16" pos="94" value="c00c000100010014000448f66241">
        <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="94" show="a1509.g.akamai.net" value="c00c"/>
        <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="98" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="100" show="20" value="0014"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2" pos="104" show="4" value="0004"/>
        <field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/>
      </field>
    </field>
  </proto>
</packet>

On Wed, Mar 26, 2008 at 04:06:50PM
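The answer's address node in the PDML above has an empty name attribute, so no field selector reaches it directly; one workaround is to post-process tshark's PDML output (tshark -T pdml) and decode the raw hex value yourself. The following is an added example, not code from the original post, and the PDML it parses is a constructed sample trimmed from the dump above:

```python
# Added example (not from the original post): pull every DNS A answer out of
# tshark's PDML output (tshark -r file.pcap -T pdml). The address node in the
# quoted PDML has name="" so no -e field selects it; we decode its hex value=.
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample, trimmed from the PDML quoted in the post above.
PDML_SAMPLE = """<pdml><packet>
<proto name="dns" showname="Domain Name System (response)" size="68" pos="42">
 <field name="" show="Answers" size="32" pos="78" value="c00c000100010014000448f66219c00c000100010014000448f66241">
  <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" size="16" pos="78" value="c00c000100010014000448f66219">
   <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="78" show="a1509.g.akamai.net" value="c00c"/>
   <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" show="0x0001" value="0001"/>
   <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="84" show="20" value="00000014"/>
   <field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/>
  </field>
  <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" size="16" pos="94" value="c00c000100010014000448f66241">
   <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="94" show="a1509.g.akamai.net" value="c00c"/>
   <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" show="0x0001" value="0001"/>
   <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="100" show="20" value="00000014"/>
   <field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/>
  </field>
 </field>
</proto>
</packet></pdml>"""

def dns_a_records(pdml_text):
    # Returns [(name, ttl_seconds, dotted_ip)] for each A answer RR.
    records = []
    for proto in ET.fromstring(pdml_text).iter("proto"):
        if proto.get("name") != "dns":
            continue
        # Every answer RR is an unnamed <field> whose children carry the record.
        for rr in proto.iter("field"):
            by_name = {f.get("name"): f for f in rr.findall("field")}
            rtype = by_name.get("dns.resp.type")
            if rtype is None or rtype.get("show") != "0x0001":
                continue  # not an answer RR, or not type A
            name = by_name["dns.resp.name"].get("show")
            ttl = int(by_name["dns.resp.ttl"].get("show"))
            # The address field has no filter name: locate it by its label and
            # decode the raw big-endian bytes rather than trusting the text.
            addr_hex = next(f.get("value") for f in rr.findall("field")
                            if f.get("show", "").startswith("Addr:"))
            records.append((name, ttl, str(ip_address(bytes.fromhex(addr_hex)))))
    return records

if __name__ == "__main__":
    for name, ttl, ip in dns_a_records(PDML_SAMPLE):
        print(f"{name}\tTTL {ttl}s\t{ip}")
```

Feeding real output of tshark -T pdml into dns_a_records() gives one tuple per A record across all packets in the file.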
Re: [Wireshark-users] Howto: set some column to print?
#tshark -i 3 -o column.format:'Info, %i'

That will just print the info column from Wireshark. You can not specify the info column from the -e option in tshark.

-Rob MacKenzie

From: 赵新元
Sent: March 27, 2008 8:20 AM
To: wireshark-users
Subject: [Wireshark-users] Howto: set some column to print?

Hi, Jaap, thank you very much! Can you tell me how to set some column to print?
http://www.wireshark.org/docs/man-pages/tshark.html

#TShark -i 3 -e tcp.port -T fields  // It can print the port
#TShark -i 3 -e frame.number        // It can print the frame number

Now I want to print the info column (in the Wireshark window display No, Time, Source, Destination, Protocol, Info, I want the last column, only the last column). Can you help me? Can you tell me how to set the command line params? Or where can I find the doc? Thank you!!!

2008-03-27
赵新元
Re: [Wireshark-users] Learning to setup WS to see TCP and HTTP
On Mar 26, 2008, at 7:57 PM, Rudyard Wallen wrote:

> OK, some of that went over my head but I think I got the gist. So I guess the big question is: Is there a way to see HTTP on this network combo of wired and wireless machines that all are connected to this one router?

Yes - run Wireshark/TShark, or dumpcap, or tcpdump/WinDump, on the machine that's sending out and receiving the HTTP traffic.

You *might* be able to see that traffic from another machine if it's wireless traffic and you're capturing on a machine/OS/driver/wireless adapter that supports monitor mode (if it's Windows, monitor mode is only supported in Vista, and even there it's not supported by WinPcap, which is what Wireshark uses to capture traffic on Windows; you could also get an AirPcap adapter: http://www.cacetech.com/products/airpcap_family.htm and use that, but they're not cheap).

If it's wired traffic (i.e., a machine plugging into an Ethernet interface on the WRT54GS), you're probably out of luck, unless the WRT54GS supports port mirroring.

> Update: I just connected my laptop via Ethernet to the router. My tower is running Wireshark. I see the IP address of my laptop (a Mac) but it only shows IGMP, MDNS and UDP packets for that source IP. Could I have this thing set up wrong?

IGMP is for managing multicast groups, so at least some IGMP packets are probably multicast. The M in MDNS stands for... multicast, so its packets are multicast. The other UDP packets you're seeing are probably also broadcast or multicast.

I.e., this is the same problem. You're plugging into a switch, which means you aren't necessarily going to see all the traffic passing through the switch; a switched Ethernet is different from a traditional Ethernet in that fashion.
Re: [Wireshark-users] Wireshark-users Digest, Vol 22, Issue 75
On Fri, Mar 28, 2008 at 11:24:09AM +0800, 赵新元 wrote:

> #tshark -i 3 -o column.format:'Info, %i'
> I use this command, but it can't work!

The ' marks only work on Unix. I just tried on Windows using a " instead of ' and it works:

tshark -o column.format:"Info, %i"

Steve