Re: [Wireshark-users] What is the maximum data rate supported by wireshark
----- Original Message -----
From: "Jeff Morriss" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Friday, April 04, 2008 9:31 AM
Subject: Re: [Wireshark-users] What is the maximum data rate supported by wireshark

> Tapas Chatterjee wrote:
>> Hi,
>> My System configuration is given below:
>>
>> * PC, Intel(R) Xeon(TM) CPU 3.00 GHz, Dual CPU Dual core, 3 GB RAM
>> * Linux OS (RHEL 4.0)
>> * Ethernet NIC adapter (10/100 Mb/s)
>>
>> And now my queries are:
>> 1) Can wireshark support the data rate 70- 80 Mbps?
>> 2) What is the maximum data rate supported by wireshark?
>
> Wireshark will capture the traffic as fast as it can depending on your
> hardware. I don't usually have to worry about data rates so I'm not
> sure what your machine is capable of.
>
> But, if you're worried about the data rate don't use Wireshark to do the
> capturing: use 'dumpcap' instead. It simply captures the packets and
> writes them to a file (or series of files) allowing you to do the (CPU-
> and memory-intensive) analysis offline.

Also, measure the maximum data rate supported by your hard-drive. I usually use iometer to measure how fast my hard drive is.

Hope it helps
GV

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] WireShark for Itanium servers
You won't be able to use Wireshark on an Itanium machine on Windows, as WinPcap (the underlying capture engine used by wireshark) does not support Itanium processors. On Itanium and Windows at best you will be able to use Wireshark to open capture files.

Have a nice day
GV

----- Original Message -----
From: Brendan Patterson
To: wireshark-users@wireshark.org
Sent: Sunday, March 09, 2008 8:51 PM
Subject: [Wireshark-users] WireShark for Itanium servers

To whom it may concern,

I was wondering if you have any comments about running WireShark on an Itanium server running Windows Data centre Server? Just looking to see if I would be expecting any errors with doing this.

Many Thanks,
Brendan Patterson
Re: [Wireshark-users] Wireshark only capturing TCP handshake
If it's not a firewall problem (e.g. because the firewall is a specific piece of hardware on the LAN, and not a software product), another possibility is TCP chimney, i.e. your network card performs TCP offloading. In this case the card is responsible for dealing with the TCP sessions almost completely and WinPcap/Wireshark do not see the packets.

Have a nice day
GV

----- Original Message -----
From: "Jaap Keuter" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Tuesday, March 04, 2008 1:20 PM
Subject: Re: [Wireshark-users] Wireshark only capturing TCP handshake

> Hi,
>
> Let me ask you: The firewall is on the troubled platform? And this firewall
> has rules for incoming non-local connections? Bet your firewall is interfering
> in the network stack.
>
> Thanx,
> Jaap
>
> John Temples wrote:
>> I'm trying to capture some incoming HTTP connections with Wireshark
>> 0.99.8 on a Windows Server 2003 system. The only thing Wireshark
>> captures is the three packets in the three-way handshake of the TCP
>> connection; no other packets related to the connection are captured.
>> However, the connection completes successfully. No capture filter is
>> active in Wireshark.
>>
>> When running Wireshark on the PC that originates the connection, the
>> entire transaction is successfully captured on the originating PC.
>>
>> When the connection originates from a PC on the same LAN as the
>> Windows 2003 Server system, Wireshark on the Windows 2003 Server
>> system successfully captures the entire transaction.
>>
>> The problem only occurs when the connection originates from the
>> Internet. The LAN in question has a SonicWALL firewall with no
>> special configuration.
>>
>> What could cause Wireshark not to see the entire connection?
>>
>> --
>> John W. Temples, III
[Wireshark-users] [ANNOUNCE] WinPcap 4.1 beta3 has been released
As of today, WinPcap 4.1 beta3 is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This new software release includes a couple fixes to the BPF filter engine in the kernel, as well as several fixes and additions to the BPF compiler for filters on wireless traffic (802.11).

Full details can be found in the change log attached at the end of this message.

Being a beta release, as usual, we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists.

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.1 beta2

- (from libpcap) Make some arguments of some pcap functions const pointers if that makes sense.
- (from libpcap) Add some additional checks to bpf_validate(), from OpenBSD.
- (from libpcap) Use bpf_validate() in install_bpf_program(), so we validate programs even when they're being processed by userland filters.
- (from libpcap) Get rid of BPF_MAXINSNS - we don't have a limit on program size in libpcap/WinPcap.
- (from libpcap) Support for the "addr1", "addr2", "addr3", and "addr4" link-layer address filtering keywords for 802.11.
- (from libpcap) Support for filtering over 802.11 frame types with the keywords "type" and "subtype".
- Bug fixing:
  + Fixed a bug when generating wireless filters in the form "link src host ...". The source address was not retrieved properly.
  + Added some more logic in the installer to account for errors while installing the Network Monitor component (NetMon). If NetMon is not available, we install a version of packet.dll that doesn't depend on it.
  + Fixed two bugs in the original OpenBSD filter validation code, one that caused it to reject all filters that used multiply instructions, and another that caused it to reject all filters that used divide instructions.
  + Fixed a bug in the filter engine in the driver. When the packet to filter is split into two buffers, under some circumstances the engine was not checking the right bytes in the packet.
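The changelog above says bpf_validate() gained extra checks, is now applied in install_bpf_program() even for userland filters, and no longer rejects programs that use multiply or divide. The block below is an added example, not WinPcap or libpcap source: a simplified validator of that kind, where toy_bpf_validate and the sample programs are constructed for illustration and the opcode values follow the classic BPF encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction and opcode fields, defined locally so the example
 * builds without libpcap/WinPcap headers. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
enum { BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC };
enum { BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_MEM = 0x60, BPF_MSH = 0xa0 };
enum { BPF_ADD = 0x00, BPF_SUB = 0x10, BPF_MUL = 0x20, BPF_DIV = 0x30,
       BPF_OR = 0x40, BPF_AND = 0x50, BPF_LSH = 0x60, BPF_RSH = 0x70,
       BPF_NEG = 0x80 };
enum { BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_JSET = 0x40 };
enum { BPF_K = 0x00, BPF_H = 0x08, BPF_MEMWORDS = 16 };

/* Hypothetical validator: returns 1 if the program is safe to run, else 0. */
int toy_bpf_validate(const struct bpf_insn *f, size_t len)
{
    if (f == NULL || len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        size_t room = len - (i + 1);       /* instructions after this one */

        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            if (BPF_MODE(p->code) > BPF_MSH)
                return 0;                  /* undefined addressing mode */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;                  /* load outside scratch memory */
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;                  /* store outside scratch memory */
            break;
        case BPF_ALU:
            switch (BPF_OP(p->code)) {
            case BPF_ADD: case BPF_SUB: case BPF_MUL: case BPF_OR:
            case BPF_AND: case BPF_LSH: case BPF_RSH: case BPF_NEG:
                break;                     /* MUL is legal like any other op */
            case BPF_DIV:
                /* DIV is legal too; only a constant zero divisor is refused. */
                if (BPF_SRC(p->code) == BPF_K && p->k == 0)
                    return 0;
                break;
            default:
                return 0;                  /* unknown ALU operation */
            }
            break;
        case BPF_JMP:
            /* Offsets are unsigned (forward only); targets must stay in range. */
            if (BPF_OP(p->code) > BPF_JSET)
                return 0;
            if (BPF_OP(p->code) == BPF_JA ? p->k >= room
                                          : (p->jt >= room || p->jf >= room))
                return 0;
            break;
        default:                           /* BPF_RET, BPF_MISC */
            break;
        }
    }
    /* Execution must not run off the end: the last instruction has to return. */
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

#define STMT(c, k)         { (c), 0, 0, (k) }
#define JUMP(c, k, jt, jf) { (c), (jt), (jf), (k) }
#define COUNT(a)           (sizeof(a) / sizeof((a)[0]))

/* Constructed sample programs. */
static const struct bpf_insn ip6_ok[] = {        /* ldh [12]; jeq #0x86dd */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12), JUMP(BPF_JMP | BPF_JEQ, 0x86dd, 0, 1),
    STMT(BPF_RET, 65535), STMT(BPF_RET, 0) };
static const struct bpf_insn muldiv_ok[] = {     /* A = (6 * 7) / 3 */
    STMT(BPF_LD | BPF_IMM, 6), STMT(BPF_ALU | BPF_MUL, 7),
    STMT(BPF_ALU | BPF_DIV, 3), STMT(BPF_RET, 0) };
static const struct bpf_insn div_zero[] = {      /* constant divisor 0 */
    STMT(BPF_LD | BPF_IMM, 1), STMT(BPF_ALU | BPF_DIV, 0), STMT(BPF_RET, 0) };
static const struct bpf_insn jump_past_end[] = { /* jf lands outside program */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12), JUMP(BPF_JMP | BPF_JEQ, 0x86dd, 0, 5),
    STMT(BPF_RET, 65535), STMT(BPF_RET, 0) };
static const struct bpf_insn no_ret[] = { STMT(BPF_LD | BPF_IMM, 1) };

int main(void)
{
    printf("ip6_ok=%d muldiv_ok=%d div_zero=%d jump_past_end=%d no_ret=%d\n",
           toy_bpf_validate(ip6_ok, COUNT(ip6_ok)),
           toy_bpf_validate(muldiv_ok, COUNT(muldiv_ok)),
           toy_bpf_validate(div_zero, COUNT(div_zero)),
           toy_bpf_validate(jump_past_end, COUNT(jump_past_end)),
           toy_bpf_validate(no_ret, COUNT(no_ret)));
    return 0;
}
```

Running the validator at install time, before any packet reaches the filter, is what lets the interpreter skip these checks per instruction.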
Re: [Wireshark-users] Running wireshark as a scheduled task?
On windows you have at (on the command line) and the scheduled tasks (from the control panel).

Have a nice day
GV

----- Original Message -----
From: "Guy Harris" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Wednesday, November 28, 2007 10:20 AM
Subject: Re: [Wireshark-users] Running wireshark as a scheduled task?

> DePriest, Jason R. wrote:
>
>> Use tshark instead (http://www.wireshark.org/docs/man-pages/tshark.html).
>>
>> Try
>> -aduration:10800 (3 hours in seconds)
>>
>> For writing the results to a file, you can either redirect the output
>> with '>' for decoded stuff or just use '-w' to write it out raw so you
>> can open it with Wireshark later.
>
> ...and note that neither Wireshark nor TShark themselves have any
> mechanism for *starting* them at a specified time.
>
> However, the OS on which you're running it might, e.g. cron or at on
> UN*Xes. I think there's some equivalent on Windows NT ("NT" meaning NT
> 4.0, 2000, XP, Server 2K3, Vista, and Server 2K8), but I don't know what
> it is offhand.
Re: [Wireshark-users] Linksys WPC 54g promiscuous capture on XP-sp2
It's entirely possible that the newer drivers from Linksys do not support promiscuous mode any more (promiscuous mode is a feature of the miniport driver for the network card, it's not an OS feature).

Does it fail to go into promiscuous mode or you simply don't capture any packet?

GV

----- Original Message -----
From: "John Bayly" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 20, 2007 6:28 AM
Subject: [Wireshark-users] Linksys WPC 54g promiscuous capture on XP-sp2

> I'd been using Ethereal on my laptop using XP Pro-sp2
> and a Linksys WPC54g v.1 (and a v.1.2 card) for quite
> some time. I never had any issues about capturing in
> promiscuous mode.
> I hadn't used for a while, and then found the
> Wireshark had superseded Ethereal, so I downloaded
> WinPCAP 4.02 and Wireshark.
> However, I now cannot capture in promiscuous mode.
>
> I'm using XP Pro-sp2 and I've tried every combination
> using the following:
> WPC54g v.1
> WPC54g v.1.2
> Card driver v.3.3
> Card driver v.3.6
> Card driver v.4.1
> WinPCAP v.3.1
> WinPCAP v.4.0.2
>
> I've also tried using tshark.exe and windump.exe to
> capture, to no avail.
>
> Does anyone have an idea what might be causing this,
> especially as I used to have no problems.
>
> I'm wondering if MS have broken promiscuous capture as
> the configuration that used to work on another Laptop
> in our office appears to have stopped working too.
>
> Thanks in advance,
> John
[Wireshark-users] [ANNOUNCE] WinPcap 4.1 beta2 has been released
As of today, WinPcap 4.1 beta2 is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This new software release includes several improvements and changes to both the library itself and its developer's pack. First of all, it fixes a security vulnerability in the kernel driver reported by the iDefense Labs in the security advisory available at

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=625

It also includes the latest available snapshot of libpcap (1.0 branch).

From the developer's point of view, this version ships with a cleaned up update of the developer's pack. Some header files that were wrongly included in the old developer's pack (including some coming from the Microsoft platform SDK) have been removed. Other files have been consolidated or split into internal header files (used for the build of the binaries) and public header files.

Full details can be found in the change log attached at the end of this message.

Being a beta release, as usual, we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists. In particular, we strongly encourage all the developers to try compiling all their WinPcap-based applications against the new WinPcap developer's pack and report any compilation issue to the winpcap-bugs mailing list (winpcap-bugswinpcap.org).

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.0.1

- Disabled support for monitor mode (also called TME, Table Management Extensions) in the driver. This module suffers from several security vulnerabilities that could result in BSODs or privilege escalation attacks. This fix addresses a security vulnerability reported by the iDefense Labs at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=625
- Added a small script to integrate the libpcap sources into the WinPcap tree automatically.
- Moved the definition of all the I/O control codes to ioctls.h.
- Cleaned up and removed some build scripts for the developer's pack.
- Migrated the driver compilation environment to WDK 6000.
- Enabled PreFAST driver compilation for the x64 build.
- Added some doxygen directives to group the IOCTL codes and JIT definitions in proper groups.
- Integrated the IOCTL codes into one single set shared by packet.dll and driver.
- Modified the installer to return the win32 error code instead of -1 in case of failure in the error messages.
- Added some #define directives to selectively disable the TME functionality for WAN (i.e. Netmon-assisted) devices.
- Added a VS2005 project to easily edit the files of the driver.
- Removed some useless #include directives in the driver and packet.dll.
- Migrated several conditional directives (#ifdef/#endif) to the defines of the DDK/WDK e.g. _X86_ and _AMD64_.
- Added a check to warn users that remote-ext.h should not be included directly.
- Removed ntddndis.h from the WinPcap sources. It's included into the Microsoft Platform SDK.
- Removed devioctl.h from the WinPcap sources. It's included into the Microsoft DDK/WDK.
- Removed ntddpack.h from the WinPcap sources. It's an old header file from the original DDK Packet sample, and it's not used by WinPcap.
- Removed several useless files from the WinPcap developer's pack:
  + all the TME extension header files
  + devioctl.h
  + gnuc.h
  + ntddndis.h
  + ntddpack.h
  + pcap-int.h.
- Bug fixing:
  + Fixed a possible buffer overrun on x64 machines with more than 32 CPUs/cores.
  + Fixed an implicit cast problem compiling the driver on x64.
  + Fixed a bug in the installer causing a mis-detection of a previous WinPcap installation.
  + Fixed two bugs related to memory deallocation in packet.dll. We were using free() instead of GlobalFreePtr(), and there was a missing check as to when to deallocate a chunk of memory.
  + Added a missing NULL pointer check in pcap_open().
  + Moved a misplaced #ifdef WIN32 in pcap_open().
  + Fixed a bug in the send routine of the driver that could cause a crash under low resources conditions.
Re: [Wireshark-users] [Winpcap-bugs] RE: Starting Wireshark CaptureBlocksNetworkTraffic
Joe,

unfortunately, there is no easy solution to the problem. Several VPN clients use a mix of layers to tunnel the traffic (a lot of them use a virtual network miniport and an intermediate driver). WinPcap sits on top of this stack, and quite frequently cannot capture all the traffic going on such virtual interfaces, or rather even block the traffic. This behavior is still not clear to us (and it doesn't seem to be documented anywhere in the Microsoft documentation).

I hate to say that: unfortunately WinPcap does not support such VPN client.

Have a nice day
GV

----- Original Message -----
From: MORSBACH, JOSEPH R (JOE), ATTOPS
To: Community support list for Wireshark
Cc: winpcap-bugs2
Sent: Tuesday, November 13, 2007 7:00 AM
Subject: [Winpcap-bugs] RE: [Wireshark-users] Starting Wireshark CaptureBlocksNetworkTraffic

You're definitely right about it being WinPCap... I get the same result when simply running windump on that interface..

My situation is a little different than the gentleman's that started this thread..

1) I have NO software firewall running
2) I am using AT&T AGN client 6.3

When attempting to capture, I am capturing on the VPN Interface... I can see the outbound packets but no responses come back... This gives the appearance of network traffic being blocked completely because applications are not getting their responses. Once I stop the capture, normal operation resumes.

Joe Morsbach
Sr. Technical Specialist
AT&T Integrated Mobile Services
908.824.9007 (Single Reach)
AIM: sta49fireboy
Yahoo!: sta49fireboy

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gianluca Varenni
Sent: Monday, November 12, 2007 4:28 PM
To: Community support list for Wireshark
Cc: winpcap-bugs2
Subject: Re: [Wireshark-users] Starting Wireshark Capture BlocksNetworkTraffic

This is definitely a WinPcap issue and not a wireshark one (wireshark receives packets from WinPcap).

I would say that either the Symantec firewall, the VPN client or the AT&T ipsec client (is that an ipsec client or a firewall) are interacting really badly with the WinPcap protocol driver.

Can you please try disabling the AT&T firewall? Also, from which adapter are you trying to capture? The ethernet adapter or on the VPN?

Have a nice day
GV

----- Original Message -----
From: MORSBACH, JOSEPH R (JOE), ATTOPS
To: wireshark-users@wireshark.org
Sent: Monday, November 12, 2007 12:03 PM
Subject: Re: [Wireshark-users] Starting Wireshark Capture Blocks NetworkTraffic

Was there ever resolution to this? I am having the same trouble.

Thanks

From: David Pruitt <[EMAIL PROTECTED]>
Date: Fri, 6 Apr 2007 11:28:18 -0400

AT&T Network Client - IBM Version 5.09.2
Firewall name and version is AT&T IPSec Application version 5.09.2
Service is Managed VPN - IPSec Dual Access
Microsoft Windows XP 5.01.2600 SP2
Also have Symantec Client Firewall installed but currently disabled.

Thank You!
David J. Pruitt

"Gianluca Varenni" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/06/2007 11:13 AM
Please respond to Community support list for Wireshark <[EMAIL PROTECTED]>
To "Community support list for Wireshark" <[EMAIL PROTECTED]>
cc
Subject Re: [Wireshark-users] Starting Wireshark Capture Blocks NetworkTraffic

Which VPN client are you using?

Have a nice day
GV

----- Original Message -----
From: David Pruitt
To: [EMAIL PROTECTED]
Sent: Friday, April 06, 2007 7:52 AM
Subject: [Wireshark-users] Starting Wireshark Capture Blocks Network Traffic

Hello,

I downloaded and installed Wireshark version 0.99.5 with WinPcap 4.0 and am trying to capture some detailed TCP/IP packet transmissions from my client application connecting via DSL using VPN software to connect to a remote server on my business WAN.

Once I start the Wireshark capture, all of my applications on the client side cannot connect to my work network over the VPN connection. I am able to access other web sites not using the VPN.

Any suggestions would be appreciated.

Thank You!
David J. Pruitt
Re: [Wireshark-users] Starting Wireshark Capture Blocks NetworkTraffic
This is definitely a WinPcap issue and not a wireshark one (wireshark receives packets from WinPcap).

I would say that either the Symantec firewall, the VPN client or the AT&T ipsec client (is that an ipsec client or a firewall) are interacting really badly with the WinPcap protocol driver.

Can you please try disabling the AT&T firewall? Also, from which adapter are you trying to capture? The ethernet adapter or on the VPN?

Have a nice day
GV

----- Original Message -----
From: MORSBACH, JOSEPH R (JOE), ATTOPS
To: wireshark-users@wireshark.org
Sent: Monday, November 12, 2007 12:03 PM
Subject: Re: [Wireshark-users] Starting Wireshark Capture Blocks NetworkTraffic

Was there ever resolution to this? I am having the same trouble.

Thanks

From: David Pruitt <[EMAIL PROTECTED]>
Date: Fri, 6 Apr 2007 11:28:18 -0400

AT&T Network Client - IBM Version 5.09.2
Firewall name and version is AT&T IPSec Application version 5.09.2
Service is Managed VPN - IPSec Dual Access
Microsoft Windows XP 5.01.2600 SP2
Also have Symantec Client Firewall installed but currently disabled.

Thank You!
David J. Pruitt

"Gianluca Varenni" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/06/2007 11:13 AM
Please respond to Community support list for Wireshark <[EMAIL PROTECTED]>
To "Community support list for Wireshark" <[EMAIL PROTECTED]>
cc
Subject Re: [Wireshark-users] Starting Wireshark Capture Blocks NetworkTraffic

Which VPN client are you using?

Have a nice day
GV

----- Original Message -----
From: David Pruitt
To: [EMAIL PROTECTED]
Sent: Friday, April 06, 2007 7:52 AM
Subject: [Wireshark-users] Starting Wireshark Capture Blocks Network Traffic

Hello,

I downloaded and installed Wireshark version 0.99.5 with WinPcap 4.0 and am trying to capture some detailed TCP/IP packet transmissions from my client application connecting via DSL using VPN software to connect to a remote server on my business WAN.

Once I start the Wireshark capture, all of my applications on the client side cannot connect to my work network over the VPN connection. I am able to access other web sites not using the VPN.

Any suggestions would be appreciated.

Thank You!
David J. Pruitt
[Wireshark-users] [ANNOUNCE] WinPcap 4.0.2 has been released
As of today, WinPcap 4.0.2 is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This maintenance release addresses a security vulnerability reported by the iDefense Labs in a soon-to-be-released advisory.

Full details can be found in the change log attached at the end of this message.

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.0.1

- Disabled support for monitor mode (also called TME, Table Management Extensions) in the driver. This module suffers from several security vulnerabilities that could result in BSODs or privilege escalation attacks. This fix addresses a security vulnerability reported by the iDefense Labs.
- Bug fixing:
  * Added a missing NULL pointer check in pcap_open()
  * Fixed a misplaced #ifdef WIN32 directive in pcap_open().
  * Fixed a bug in the send routine of the driver that could cause a crash under low resources conditions.
  * Fixed a bug in the installer causing a mis-detection of a previous WinPcap installation
  * Minor cleanup of some #define directives in the driver (to disable the TME extensions).
Re: [Wireshark-users] Promiscuous mode on Averatec
What is the chipset of the wireless card?

Have a nice day
GV

----- Original Message -----
From: Tom Maugham
To: wireshark-users@wireshark.org
Sent: Friday, October 26, 2007 11:09 AM
Subject: [Wireshark-users] Promiscuous mode on Averatec

I have an Averatec model 7100 laptop using Wireshark. Unfortunately I cannot get the wireless adapter to run in promiscuous mode. Does anyone know of a driver that I could install that would set the adapter into promiscuous mode?

Thanks,
Tom
Re: [Wireshark-users] Two questions on wireshark
----- Original Message -----
From: "Sake Blok" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Wednesday, September 26, 2007 3:59 PM
Subject: Re: [Wireshark-users] Two questions on wireshark

> On Wed, Sep 26, 2007 at 03:41:09PM +0200, Matthias Feurstein wrote:
>>
>> 1: How good does Wireshark perform with gigabit ethernet? For example
>> occasionally I have a burst of "ACKed Lost Segment" packets (about a dozen,
>> sometimes more, sometimes less) coming from the hw we are testing. It looks
>> like erroneous behavior by the component I am testing since there is very
>> little time between these packets (some us's) but I wonder if maybe
>> wireshark might miss some packets?
>
> Wireshark itself does not perform as good since it needs to keep state of
> conversations. It shows you an indication on how many packets it was
> not able to process in the discarded packets in the summary.
>
> However, Wireshark uses the executable dumpcap to do the actual
> capturing. Dumpcap has been written to do *just* that. Capture
> packets and write them to disk. It is very good at its task :-)
>
> Whether it can keep up with a full Gbit/s load is up to the type
> of card used, the drivers and OS used and the CPU and mem specs
> of the machine running it. I haven't tested it myself, but I think
> a decent PC with a decent Gbit card should be able to capture a
> full Gbit/s load.
>
> Anyone able to share some hardware specs and the performance that
> can be seen with that hardware?
>

Has anyone any updated testbeds/numbers/whatever on this?

Have a nice day
GV
[Wireshark-users] [ANNOUNCE] WinPcap 4.1 beta has been released
As of today, WinPcap 4.1 beta is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This software release contains some important security bug fixes to the kernel driver, as well as the update of libpcap to the 0.9.6 branch. Also, it includes some major experimental fixes to the filter compiler to improve filtering over 802.11 networks. Finally this new version includes support for the Per Packet Info (PPI) encapsulation that will be available in the upcoming version of AirPcap.

Full details can be found in the change log attached at the end of this message.

Being a beta release, as usual we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists.

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.0.1

- Added support for the Per Packet Info (PPI) link type.
- wpcap.dll has been updated to the libpcap 0.9.6 branch from http://www.tcpdump.org.
- Bug fixing:
  + Fixed a bug in pcap_open_live() by which we were silently ignoring a failure when switching into promiscuous mode. This fix solves the outstanding issue of wireless cards that fail to go into promiscuous mode and do not capture any packet.
  + Experimental fixes to the BPF compiler (pcap_compile()) to better support filters over 802.11.
  + Minor fixes to remove several PFD (PreFAST for Drivers) warnings.
  + (from libpcap 0.9.6) added additional filter operations for 802.11 frame types
  + (from libpcap 0.9.6) fixes to discard unread packets when changing filters.
[Wireshark-users] [ANNOUNCE] WinPcap 4.0.1 has been released
As of today, WinPcap 4.0.1 is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This maintenance release addresses a security vulnerability reported by the iDefense Labs.

Full details can be found in the change log attached at the end of this message.

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.0

- Bug fixing:
  * Fixed a bug in the dispatcher of the BIOCGSTATS IOCTL that caused a BSOD if the parameters passed from user level were invalid. This fix addresses a security vulnerability reported by the iDefense Labs.
  * Fixed a bug in the routine installing NetMon. A request to reboot was not caught properly, resulting in an installation error message.
  * Minor fixes to remove several PFD (PreFAST for Drivers) warnings.
  * Added a missing check for the Mdl in the write dispatcher routine.
Re: [Wireshark-users] Newbie question about capture point
I might be wrong, but I don't think many OSes and network cards do provide corrupted packets (wrong FCS or link layer errors) even when put into promiscuous mode. This is because usually the MAC chip on the cards discards them without even moving them to host memory (for performance reasons).

Also, consider that one of the issues is that newer network cards perform a lot of processing (TCP offloading, or checksum computation, just to name two of them) directly in hardware. Capturing the packets that actually get transmitted on the network is much harder in this case, as the OS (hence WinPcap) sees the packets that are sent from host to the network card, not the packets that actually get transmitted.

Hope it helps
GV

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Friday, June 29, 2007 8:03 AM
Subject: Re: [Wireshark-users] Newbie question about capture point

> Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the
> Windows protocol analyzer problems. NDIS never did fully specify a
> promiscuous mode, so it's left up to the vendor who writes the driver.
> Card vendors supply some promiscuous functionality, but AFAIK none pass on
> all error packets. So you may see packets destined for other hosts,
> broadcasts, etc. but you may not see runts or giants. You may not see
> framing errors. Some, like the older 3Com (I'm not sure if they still do)
> filter all errors in hardware, so you won't even see ethernet collisions
> in a hub environment - but in that case it doesn't matter what the drivers
> do, and you're stuck in any OS. Some commercial protocol analyzer vendors
> supply a custom driver for a few cards, or even a custom card and driver
> that will capture all error packets.
>
> Randy Grein
> Network Engineer
>
> "Gajan Nadarajan" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 06/28/2007 11:25 AM
> Please respond to
> Community support list for Wireshark
>
> To
> wireshark-users@wireshark.org
> cc
>
> Subject
> [Wireshark-users] Newbie question about capture point
>
> Hello,
>
> I am new to wireshark and was wondering where exactly does wireshark capture
> eth packets or frames on the windows stack (or somewhere on NDIS)?
>
> Would it be before it reaches the driver?
>
> Thank you.
Re: [Wireshark-users] Does Wireshark work on Windows Vista Business?
You need to run wireshark with elevated privileges. Please try starting wireshark by right-clicking on the wireshark link and choosing "run as administrator".

This is a side effect of user account control (UAC) introduced in Vista. Even if you are logged in as an administrator, you do not have full privileges, you need to "elevate" your credentials to have full privileges needed to run wireshark (or better, to use winpcap which is part of wireshark).

Have a nice day
GV

----- Original Message -----
From: Kjeld Bak
To: wireshark-users@wireshark.org
Sent: Sunday, June 24, 2007 5:07 AM
Subject: [Wireshark-users] Does Wireshark work on Windows Vista Business?

When I start Wireshark 0.99.5 on Windows Vista Business the program cannot see any interfaces at all. I have both an ethernet and a wireless adapter, but the "Interface" drop-down box in "Capture Options" is totally empty.

Hope someone can help me.

Kjeld Bak
Re: [Wireshark-users] ipv6 on vista
----- Original Message -----
From: boojum
To: Community support list for Wireshark
Sent: Thursday, June 21, 2007 9:06 AM
Subject: Re: [Wireshark-users] ipv6 on vista

Thanks -
No capture filter
No display filter
Lots - a technical term - of traffic is captured

Just an idea: is it possible that the IPv6 packets get tunneled into IPv4? I really do not have any idea why the packets are not captured. Also, can you see the packets at the other end of the IPv6 ping?

GV

Adapter is Ethernet

On 6/21/07, Gianluca Varenni <[EMAIL PROTECTED]> wrote:

Are you using any capture or display filter? Do you see any whatsoever traffic when pinging? What type of adapter are you using? Ethernet or wireless?

Have a nice day
GV

----- Original Message -----
From: boojum
To: wireshark-users@wireshark.org
Sent: Thursday, June 21, 2007 6:56 AM
Subject: [Wireshark-users] ipv6 on vista

Running the current configuration:
Wireshark Version 0.99.5 (SVN Rev 20677)
Running on Windows Vista, build 6000, with WinPcap version 4.0 (packet.dll version 4.0.0.755)
IPv6 is enabled on Vista (I can ping the IPv6 address)
No IPv6 traffic shows up in wireshark - no capture filters.

Ideas?
Re: [Wireshark-users] ipv6 on vista
Are you using any capture or display filter? Do you see any whatsoever traffic when pinging? What type of adapter are you using? Ethernet or wireless?

Have a nice day
GV

----- Original Message -----
From: boojum
To: wireshark-users@wireshark.org
Sent: Thursday, June 21, 2007 6:56 AM
Subject: [Wireshark-users] ipv6 on vista

Running the current configuration:
Wireshark Version 0.99.5 (SVN Rev 20677)
Running on Windows Vista, build 6000, with WinPcap version 4.0 (packet.dll version 4.0.0.755)
IPv6 is enabled on Vista (I can ping the IPv6 address)
No IPv6 traffic shows up in wireshark - no capture filters.

Ideas?
Re: [Wireshark-users] Windows leaking packets that Wireshark doesn't detect!
----- Original Message -----
From: "Joerg Mayer" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Monday, June 18, 2007 8:39 AM
Subject: Re: [Wireshark-users] Windows leaking packets that Wireshark doesn't detect!

> On Sun, Jun 17, 2007 at 12:09:55PM +0800, Surg Junk wrote:
>> A few days ago I noticed on the status page of my wireless connection that I
>> was constantly sending packets, far more packets than I was receiving.
>> Believing this to be suspicious I ran virus and spyware scans, disabled any
>> unnecessary services, ended any process I knew I didn't require but still
>> couldn't trace the cause of the leaky packets.
>>
>> I then used wireshark thinking this would definitely lead me to the source
>> of the packets but having run the scan a number of times, it doesn't produce
>> any results. That's not to say wireshark isn't working. If I start up
>> internet explorer or irc, wireshark immediately captures and displays the
>> packets but if I just have wireshark capturing and nothing else running, I
>> can see the sent packets going up on the wireless connection status page but
>> nothing is captured.
>
> On windows, wireshark has problems capturing on wireless interfaces.
> Maybe that is the problem. Please see
> http://wiki.wireshark.org/CaptureSetup and then check the wireless
> link on that page.

Well, if the user is able to capture packets sent by his browser, that might be something else. One of the things that could cause such issues is NDIS Intermediate drivers. WinPcap sits on top of them, so if you have some IM driver generating traffic on its own, WinPcap won't see it, but the statistics of your network card would probably increase.

Just my two cents
GV

> ciao
> Joerg
> --
> Joerg Mayer <[EMAIL PROTECTED]>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
Re: [Wireshark-users] Capturing packets between 2 physical interfaces in same machine
Are you sure packets are actually transmitted on the wire/wireless and not just routed internally by the IP stack?

GV

----- Original Message -----
From: Nagaraj Turaiyur
To: wireshark-users@wireshark.org
Sent: Wednesday, May 30, 2007 4:52 AM
Subject: [Wireshark-users] Capturing packets between 2 physical interfaces in same machine

Hi-

I just installed Wireshark version 0.99.5 on Windows XP. My laptop has 2 interfaces - ethernet & wireless LAN. I want to capture packets sent between the 2 interfaces. I tried capture on either interface with default settings (promiscuous on), but I see only packets received from other hosts.

I could understand that packets sent between loopback addresses cannot be captured. But, I was hoping that capture between multiple physical interfaces would work. Any idea why this does not work?

Regards,
Nagaraj
Re: [Wireshark-users] Unable to load WinPcap error
Can you please send a WinPcap bug report as explained at the link above? http://www.winpcap.org/bugs.htm

Have a nice day
GV

----- Original Message -----
From: Nirupama Ganeshkumar
To: wireshark-users@wireshark.org
Sent: Monday, May 14, 2007 6:40 PM
Subject: [Wireshark-users] Unable to load WinPcap error

Hello All,

I'm running Wireshark Version 0.99.4 (SVN Rev 19757) over Windows XP. If I try to show the capture options, or list available interfaces, or start a live capture, I get the following error:

Unable to load WinPcap (wpcap.dll); Wireshark will not be able to capture packets.

I have installed WinPcap 4.0. It is under "C:\Program Files\WinPcap" and wpcap.dll is in "C:\WINDOWS\system32". Wireshark is installed in "C:\Program Files\Wireshark". I've looked through the WinPcap FAQ and can actually see nfs running.

Am I missing something? Do I need to do something additional or change my setup in some manner?

Thanks.
Re: [Wireshark-users] Starting Wireshark Capture Blocks Network Traffic
Which VPN client are you using?

Have a nice day
GV

----- Original Message -----
From: David Pruitt
To: wireshark-users@wireshark.org
Sent: Friday, April 06, 2007 7:52 AM
Subject: [Wireshark-users] Starting Wireshark Capture Blocks Network Traffic

Hello,

I downloaded and installed Wireshark version 0.99.5 with WinPcap 4.0 and am trying to capture some detailed TCP/IP packet transmissions from my client application connecting via DSL using VPN software to connect to a remote server on my business WAN. Once I start the Wireshark capture, all of my applications on the client side cannot connect to my work network over the VPN connection. I am able to access other web sites not using the VPN. Any suggestions would be appreciated.

Thank You!
David J. Pruitt
Re: [Wireshark-users] TCP capture problem,
I suppose you see the same behavior with windump. Right?

Do you have any sort of
- personal firewall
- VPN software
- antivirus
- tunneling protocol
installed on the failing machines?

If windump causes the same behavior, can you please file a bug report as explained at http://www.winpcap.org/bugs.htm

Have a nice day
GV

----- Original Message -----
From: Jarkko Nevala
To: Community support list for Wireshark
Sent: Thursday, March 15, 2007 6:31 AM
Subject: Re: [Wireshark-users] TCP capture problem,

Hi.

Thank you for answering. Now I'm using the latest versions, just downloaded them, before I had Ethereal with winpcap 3.1. There is not any difference in their behaviour though.

There is one thing more to mention about TCP. Sessions opened before capturing stay open, for example SSH. Opening a new one during capturing is not possible.

br. JN

2007/3/15, Anders Broman (AL/EAB) <[EMAIL PROTECTED]>:

Hi,
What version of Wireshark and WinPcap are you using? Wireshark 0.99.5 and WinPcap 4.0 are the latest versions.
Best regards
Anders

From: [EMAIL PROTECTED] on behalf of Jarkko Nevala
Sent: Thu 3/15/2007 1:23 PM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] TCP capture problem,

Hi,

I'm having problems with packet capturing. When I turn it on, no TCP-traffic gets through. Web browser, SSH-client and all the other applications using TCP just freeze. No such problems with UDP though, for example SIP-clients can register and make calls without any difficulties. I guess this could be a problem of Winpcap, but I do not have any idea how to fix it. Does anyone else have this kind of trouble? There are at least 7 computers at my work with Win XP SP2 that have this problem.

Thank you in advance.
Re: [Wireshark-users] Network Interface not getting detected
Can you please send a WinPcap bug report as explained here http://www.winpcap.org/bugs.htm ?

Thanks
GV

----- Original Message -----
From: "Midhun Chandran" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Saturday, February 10, 2007 4:45 AM
Subject: Re: [Wireshark-users] Network Interface not getting detected

> Hi Gianluca,
>
> I have tried Wireshark-0.99.5 which uses WinPcap-4.0, and saw the same
> behavior that no interfaces are getting detected.
>
> Thanks,
> Midhun
>> Can you please try WinPcap 4.0?
>>
>> Have a nice day
>> Gianluca Varenni
>> WinPcap Team
>>
>> ----- Original Message -----
>> From: "Midhun Chandran" <[EMAIL PROTECTED]>
>> To:
>> Sent: Friday, February 09, 2007 4:14 AM
>> Subject: [Wireshark-users] Network Interface not getting detected
>>
>>> Hi,
>>>
>>> I have installed Wireshark-0.99.4 (WinPcap-3.1) on Windows 2003 server
>>> installed as a virtual machine over VMWare.
>>>
>>> When I start Wireshark, the capture window does not list any interfaces
>>> in the interface dropdown. I also installed WinDump and
>>> ran the command 'WinDump -D' and this also did not return any
>>> interfaces.
>>>
>>> When I check the network properties for the LAN it shows the adapter as
>>> 'SWSoft Virtual Network Adaptor'.
>>>
>>> Has anybody seen similar problems? Are there any known issues while
>>> running wireshark on VMs?
>>>
>>> Thanks in advance,
>>> Midhun
>>>
>>> P.S I have also tried Wireshark 0.99.5 with the same behavior.
Re: [Wireshark-users] Network Interface not getting detected
Can you please try WinPcap 4.0?

Have a nice day
Gianluca Varenni
WinPcap Team

----- Original Message -----
From: "Midhun Chandran" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 09, 2007 4:14 AM
Subject: [Wireshark-users] Network Interface not getting detected

> Hi,
>
> I have installed Wireshark-0.99.4 (WinPcap-3.1) on Windows 2003 server
> installed as a virtual machine over VMWare.
>
> When I start Wireshark, the capture window does not list any interfaces
> in the interface dropdown. I also installed WinDump and
> ran the command 'WinDump -D' and this also did not return any interfaces.
>
> When I check the network properties for the LAN it shows the adapter as
> 'SWSoft Virtual Network Adaptor'.
>
> Has anybody seen similar problems? Are there any known issues while
> running wireshark on VMs?
>
> Thanks in advance,
> Midhun
>
> P.S I have also tried Wireshark 0.99.5 with the same behavior.
[Wireshark-users] [ANNOUNCE] WinPcap 4.0 has been released
As of today, WinPcap 4.0 is available in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This software release contains major improvements to the kernel driver, which has been thoroughly reviewed (and partially rewritten). As a result, WinPcap 4.0 is extremely more reliable and stable than previous versions!

The 4.0 version also adds the long awaited stable support for x64 platforms, including Windows XP and the upcoming Vista.

Finally, this release includes support for the CACE Technologies Wireless AirPcap Adapters, the first open and affordable solution for Wi-Fi capture on the Windows platform.

Full details of the changes can be found in the change log attached at the end of this message.

As always, we profoundly thank all the users that tested the development versions of WinPcap 4.0, it would not have been possible without your help and precious suggestions. Thanks!

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.0 beta3
- Added support for Vista x64 by digitally signing all the binaries of the WinPcap distribution.
- Better error handling in the installer if the installation of the Microsoft Network Monitor Driver (NetMon) fails.
- Improved the documentation layout and readability - updated the style sheet and migrated to Doxygen 1.5.1.
Re: [Wireshark-users] Help on tcpdump or dumpcap
Also, the disks can definitely be a bottleneck for such a network speed. The links Jaap was referring to don't seem to talk about that. I would definitely use a separate disk, maybe SCSI 10k RPM. Or a fast SATA.

Have a nice day
GV

----- Original Message -----
From: "Jaap Keuter" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Wednesday, January 17, 2007 10:30 PM
Subject: Re: [Wireshark-users] Help on tcpdump or dumpcap

> Hi,
>
> That is some serious speed. That requires adequate hardware and
> processing. Google the net for high speed network capture and see what's
> been said, like:
> http://www.tcpdump.org/lists/workers/2005/01/msg00031.html and this
> http://luca.ntop.org/nCap.pdf
>
> Thanx,
> Jaap
>
> On Thu, 18 Jan 2007, ARAMBULO, Norman R. wrote:
>
>> Sebastien Tandel,
>>
>> Thanks for the info, yup we already tried it but it seems it doesn't work.
>> What we are trying to do is capture packets and save it in another file
>> where tshark or tethereal process it, we tried using tcpdump or dumpcap
>> but it doesn't work, the network is relatively high about approx.
>> 500Mb/sec.
>>
>> Can someone help me. Thanks
[Wireshark-users] ANNOUNCE: WinPcap 4.0 beta3 has been released
WinPcap 4.0 beta3 is available as of today in the download section of the WinPcap website, http://www.winpcap.org/install/ .

This new release includes some major cleanup to the code base of packet.dll aimed at having more stable and easily maintainable code. It also includes a more coherent use of the tracing macros, as well as some bug fixes related to AirPcap support and the use of WinPcap in conjunction with some VPN clients. Moreover, starting from this release, the support for Windows 95/98/ME has been dropped.

Full details can be found in the changelog attached at the end of this message.

Being a beta release, as usual we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists.

The final release of WinPcap 4.0 is expected to be available by the end of January 2007.

Gianluca Varenni
WinPcap Team

Changelog
=========
- Removed support for Windows 9x/ME. Sources still available.
- Enabled the generation of PDB files for the release build, too.
- Raised the compilation warning level to /W4 for packet.dll and wanpacket.dll. Fixed a large amount of warnings.
- Added some initial support for the NpfIm capture engine into packet.dll. Such support is still disabled at compilation time.
- Rewritten the packet.dll debugging code completely to make use of the new TRACE_xxx macros.
- Moved all the code managing strings to the strsafe.h ones (StringCchXXX).
- Refreshed the Vista build configuration of packet.dll. Now we fully support AirPcap adapters and the IP Helper API on Vista x86.
- Added support for AirPcapWrite() into packet.dll, i.e. support for transmission with AirPcap adapters.
- Minor cleanup in the scripts to build the developer's pack.
- Bug fixing:
  + Added a check for bogus return values from NdisRequest() (Query). The Nortel Contivity VPN Client V04_65.18 has a bug in the driver by which a request for OID_GEN_LINK_SPEED pretends to have written a buffer larger than the one passed as input (BytesWritten > InputBufferLength).
  + Fixed a bug where, in certain scenarios, the AirPcap adapter entries in the adapter list were duplicated.
  + Fixed some memory leaks in packet.dll when dealing with AirPcap adapters.
  + Fixed several ancillary packet.dll APIs that were crashing if used with AirPcap adapters.
  + PacketSetReadTimeout() was returning failure in case of AirPcap adapters.
  + Fixed a couple of bugs in the UserLevelBridge sample.
  + Added a missing return value check in the tcptop sample.
  + Fixed a dependency problem in the wpcap.dll project.
  + Fixed some minor errors and typos in the documentation.
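The NdisRequest() item in the changelog above describes a length reported by a lower-layer driver that exceeds the buffer it was handed. The following is an added example, not WinPcap source: a user-space C model of that check, in which every type and function name is hypothetical and the two "drivers" are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an OID query completion. Only the relationship
 * "BytesWritten must not exceed InputBufferLength" comes from the changelog. */
typedef struct {
    int      status;         /* 0 = success as reported by the lower driver */
    uint32_t bytes_written;  /* length the lower driver claims it filled in */
} oid_completion;

enum oid_check {
    OID_OK = 0,
    OID_LOWER_FAILED,      /* lower driver reported failure */
    OID_BOGUS_LENGTH,      /* bytes_written > buffer we supplied */
    OID_CALLER_TOO_SMALL   /* caller's buffer cannot hold the result */
};

typedef oid_completion (*lower_query_fn)(uint8_t *buf, uint32_t buf_len);

/* Constructed stand-in: answers a link-speed query honestly.
 * The value is in units of 100 bps, so 1000000 means 100 Mb/s. */
static oid_completion well_behaved_driver(uint8_t *buf, uint32_t buf_len)
{
    oid_completion c = {0, 0};
    uint32_t link_speed = 1000000;
    if (buf_len < sizeof link_speed) { c.status = -1; return c; }
    memcpy(buf, &link_speed, sizeof link_speed);
    c.bytes_written = (uint32_t)sizeof link_speed;
    return c;
}

/* Constructed stand-in: writes 4 bytes but claims more than it was given. */
static oid_completion overclaiming_driver(uint8_t *buf, uint32_t buf_len)
{
    oid_completion c = {0, 0};
    if (buf_len >= 4) memset(buf, 0xAA, 4);
    c.bytes_written = buf_len + 16;
    return c;
}

/* Forward a query to the lower layer and hand the result to the caller
 * only after the reported length has been validated. */
enum oid_check query_oid_checked(lower_query_fn lower,
                                 uint8_t *out, uint32_t out_len,
                                 uint32_t *copied)
{
    uint8_t scratch[64];
    oid_completion c;

    *copied = 0;
    memset(scratch, 0, sizeof scratch);
    c = lower(scratch, (uint32_t)sizeof scratch);

    if (c.status != 0)
        return OID_LOWER_FAILED;

    /* Without this check the memcpy below would read past the end of
     * scratch and return adjacent memory to the caller. */
    if (c.bytes_written > sizeof scratch)
        return OID_BOGUS_LENGTH;

    if (c.bytes_written > out_len)
        return OID_CALLER_TOO_SMALL;

    memcpy(out, scratch, c.bytes_written);
    *copied = c.bytes_written;
    return OID_OK;
}

int main(void)
{
    uint8_t out[8];
    uint32_t n;
    enum oid_check r;

    r = query_oid_checked(well_behaved_driver, out, sizeof out, &n);
    printf("well-behaved: result=%d copied=%u\n", (int)r, (unsigned)n);

    r = query_oid_checked(overclaiming_driver, out, sizeof out, &n);
    printf("overclaiming: result=%d copied=%u\n", (int)r, (unsigned)n);
    return 0;
}
```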
Re: [Wireshark-users] FW: Ethereal Capture Interface Problem
Ken, it's probably a WinPcap issue. Do you have a VPN client installed on your machine (like the Nortel one)?

Can you please try running windump (www.winpcap.org/windump) and see if you have the same problem? If so, please file a bug report as explained here http://www.winpcap.org/bugs.htm

Have a nice day
GV

----- Original Message -----
From: "Kreisman, Ken (AGRE)" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 24, 2006 3:54 PM
Subject: [Wireshark-users] FW: Ethereal Capture Interface Problem

>> I have downloaded latest wireshark and am running winPcap3.1. After
>> restarting my computer I can capture network traffic without any
>> problems. Upon exiting from ethereal and restarting ethereal when I
>> attempt to capture, Selecting > Interface I get an error "Can't get
>> list of interfaces: PacketGetAdapterNames: There are no more files.
>> (18)" . If I restart my computer I can use ethereal and successfully
>> capture info but after leaving the program and returning to ethereal
>> the problem returns. Below is a screen shot of the error. Thanks, Ken
[Wireshark-users] ANNOUNCE: WinPcap 4.0 beta2 has been released
WinPcap 4.0 beta2 is available as of today in the download section of the WinPcap website, http://www.winpcap.org/install/.

This release fixes a bug in the capture driver that could cause a system crash when setting a new filter or changing the kernel buffer size. This build also includes the official version of libpcap v0.9.5 available on the tcpdump website.

Being a beta release, as usual we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists.

The complete change log is attached at the end of this message.

Gianluca Varenni
WinPcap Team

Changelog
=========
- wpcap.dll has been updated to libpcap 0.9.5 from http://www.tcpdump.org.
- Bug fixing:
  + Fixed a synchronization problem when accessing the BPF filter and the kernel buffer in the npf.sys kernel driver. Instead of using some custom made synchronization code, the standard Windows spinlocks are used.
Re: [Wireshark-users] API and virtual network interface
----- Original Message -----
From: "Ulf Lamping" <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Thursday, September 14, 2006 1:30 AM
Subject: Re: [Wireshark-users] API and virtual network interface

> Steffen Röttig wrote:
>> do you know something about writing a virtual network card?
>> regards, steff
>>
> Well, not really.
>
> Basically you'll need a kernel mode device driver that will fake the
> system to be a network card.
>
> On Windows you'll probably need the Windows NT-DDK (device driver kit)
> which isn't freely available.

You do need the DDK, and it's actually freely downloadable from the Microsoft website. The latest one (Win2003SP1) is available as part of the KMDF

http://www.microsoft.com/whdc/driver/wdf/KMDF_pkg.mspx

You can find a sample of a virtual NDIS miniport driver (i.e. a virtual network card driver) in the samples, it's called netvmini.

>
> I've never done this myself (except for a DOS device driver for my own
> diploma several years ago) so I won't be much help here.
>
> In general, writing a kernel mode device driver isn't usually an easy
> task.

I can confirm this. Or better, let's say that it's definitely not as developing a user mode application...

If you plan to go in this direction, I can give you some pointers for more help/documentation.

Have a nice day
GV

>
> Regards, ULFL
[Wireshark-users] ANNOUNCE: WinPcap 4.0 beta1 has been released
WinPcap 4.0 beta1 is available as of today in the download section of the WinPcap website, http://www.winpcap.org/install/.

This release addresses some bugs in WinPcap 4.0 alpha1 reported by our users (problems sending OID requests to the WinPcap driver, and empty packets while capturing from dialup/VPN adapters). This build also includes support for wireless capture through the CACE Technologies AirPcap adapter, and a major rewriting of the transmit capabilities exposed by pcap_send() and pcap_inject(). Moreover, a deeper testing of the library on Vista Beta2 has been performed.

Being a beta release, as usual we encourage people to test it and report any anomaly or strange behavior to the WinPcap mailing lists.

The complete change log is attached at the end of this message.

Gianluca Varenni
WinPcap Team

Changelog
=========
- Added support for AirPcap adapters.
- Rewritten the transmit code in the driver (NPF_Write()), in order to improve its solidity:
  + the IRP is not marked as pending
  + we use a different algorithm to stop transmitting when the packets are all pending
  + added a new NdisEvent for the management of the transmit operations.
  + added a counter used upon transmission with NPF_Write() to keep track of the number of pending packets.
- Added a global version header file that is used for all the modules of WinPcap.
- Updated the license in the installer and on the web to account for the third party source files used by WinPcap and libpcap.
- Updated the documentation that explains how to write an application based on wpcap.dll.
- Removed some useless files in the source tree (these files that are automatically generated by the build process or no longer in use).
- Removed some useless files from the developer's pack.
- Bug fixing:
  + Fixed a bug by which the caplen field of a WAN packet was set to a random number (usually 0 for the first packets of a capture). This was causing WinPcap not to work at all on dialup/VPN adapters.
  + Fixed a bug in the BIOCSETOID/BIOCREQUESTOID code: in one error management path we were not releasing the NDIS binding context with NPF_StopUsingBinding().
  + Fixed a bug in some samples (when compiled under VS2005): localtime() accepts a time_t variable, which happens to be a 32bit value with VS6/VS2003, and a 64bit value when compiled under VS2005.
  + Fixed a bug in some samples: added a const qualifier for the packet data returned by pcap_next_ex().
  + Fixed a couple of bugs in the remote capture code that were causing wpcap.dll to fail when a read timeout occurred, and a failure to use the remote capture daemon (rpcapd) when compiled on a big-endian machine.
  + Added the usual #ifndef/#define and #ifdef _cplusplus stuff to win32_extensions.h
  + Minor fixes to the samples.
  + Minor fixes to avoid some compilation warnings under Cygwin.
  + Minor layout fixes to the documentation.
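The localtime() item in the changelog above is a width mismatch: a 32-bit seconds field handed to a function that reads a 64-bit time_t. The following is an added example, not code from the WinPcap samples: it models the timestamp with a hypothetical struct ts32 (assuming a 32-bit seconds field, as in Windows' struct timeval) and shows what an 8-byte read sees next to the widen-by-value pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of a capture timestamp whose seconds field is
 * 32 bits wide. Two int32_t members, so the struct is 8 bytes. */
struct ts32 {
    int32_t tv_sec;
    int32_t tv_usec;
};

/* What a 64-bit time_t read starting at &ts->tv_sec would see: the
 * seconds and the microseconds fused into one 8-byte integer.
 * memcpy keeps the demonstration well-defined. */
int64_t seconds_as_misread(const struct ts32 *ts)
{
    int64_t fused;
    memcpy(&fused, ts, sizeof fused);
    return fused;
}

/* The safe pattern: copy the 32-bit field by value into a real time_t,
 * then pass the address of that local to localtime(). */
time_t seconds_widened(const struct ts32 *ts)
{
    time_t t = (time_t)ts->tv_sec;
    return t;
}

/* Format the timestamp as HH:MM:SS.uuuuuu in local time.
 * Returns 0 on success, -1 on conversion failure or a short buffer. */
int format_ts(const struct ts32 *ts, char *out, size_t out_len)
{
    time_t t = seconds_widened(ts);
    struct tm *tm = localtime(&t);
    char hms[16];
    int n;

    if (tm == NULL)
        return -1;
    if (strftime(hms, sizeof hms, "%H:%M:%S", tm) == 0)
        return -1;
    n = snprintf(out, out_len, "%s.%06d", hms, (int)ts->tv_usec);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample timestamp. */
    struct ts32 ts = { 1156280880, 250000 };
    char line[32];

    printf("widened : %lld\n", (long long)seconds_widened(&ts));
    printf("misread : %lld\n", (long long)seconds_as_misread(&ts));
    if (format_ts(&ts, line, sizeof line) == 0)
        printf("local   : %s\n", line);
    return 0;
}
```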
Re: [Wireshark-users] Wireshark on Windows 2003 x64?
----- Original Message -----
From: "Bob Doolittle" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, August 22, 2006 2:08 PM
Subject: [Wireshark-users] Wireshark on Windows 2003 x64?

> Hi,
>
> I installed the 4.0 Alpha 1 version of WinPCap which is supposed to work
> with W2K3 x64, and installed 0.99.2 of wireshark, but my captures always
> come up empty.
>
> I'm an experienced ethereal user from other platforms, so it's probably not
> "operator error", but I've never tried this on an x64 platform before.
>
> Any tips? Known problems?
>
> Also note I'm running VMware Server on this machine, and it's done
> some voodoo network interface plumbing. Is VMware known to cause issues?

I've never used VMware on x64, but I do have it on several 32bit machines, and it doesn't cause any problem to WinPcap.

Which type of adapter were you trying to use? Was it wired or wireless? Can you please try capturing with WinDump and see if it works or not? WinDump is available at www.winpcap.org/windump

Have a nice day
GV

>
> Please respond to me directly as I'm not on the mailing list.
>
> Thanks,
> Bob