Re: [Wireshark-users] URL capture filter??

Interesting. I didn't realize that Wireshark was trying to resolve www.cnn.com, or even why it would. We use a proxy at this site; http, https, dns and ftp requests are sent to the proxy. For example, an nslookup fails for www.cnn.com, but of course IE can resolve it and get there through the proxy. I just wanted/assumed Wireshark would read the http header for www.cnn.com and then capture accordingly. That was my goal. Is there a way to do that if I am using a proxy?

Thanks,

Guy Harris [EMAIL PROTECTED] wrote:
> jacob c wrote:
> > I have attached two jpg screenshots so you can see what I typed in and then the error I get. Please let me know what I'm doing wrong.
>
> As the message says, unknown host 'www.cnn.com'; Wireshark's unable to find the IP address corresponding to the domain name www.cnn.com.
>
> Can you get to http://www.cnn.com/ from your Web browser? If not, then it's probably because the browser is just as unable to resolve the host name www.cnn.com to an IP address as is Wireshark; if you're using Wireshark to try to debug that problem, I'd suggest using "port domain" as your capture filter, as, to debug a problem that's probably a DNS problem, you'd need to capture DNS traffic.

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] URL capture filter??

That will work. I really appreciate it. Thank you, and to everybody who responded.

Stephen Fisher [EMAIL PROTECTED] wrote:
> On Mon, Feb 04, 2008 at 03:45:56PM -0800, jacob c wrote:
> > I just wanted/assumed Wireshark would read the http header for www.cnn.com and then capture accordingly. That was my goal. Is there a way to do that if I am using a proxy?
>
> As Guy stated, you cannot do this in a capture filter. However, you can do it in a display filter:
>
>     http.host == www.cnn.com
>
> Steve
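The distinction Stephen draws above is the whole answer: a capture filter such as "host www.cnn.com" is a libpcap/BPF expression, so the name is resolved to an IP address once, before capture starts, and only IP headers are compared; a display filter such as http.host is evaluated on the dissected HTTP request, where the origin host name actually lives when every packet is addressed to a proxy. The Python below is an added example, not code from this thread or from the Wireshark project. It models both kinds of matching over a few constructed packets; the proxy and client addresses, the 192.0.2.10 address that "host www.cnn.com" is taken to resolve to elsewhere, and the request payloads are all assumptions made for the example.

```python
"""Added example, not code from the thread: why a capture filter cannot select
www.cnn.com traffic behind a proxy while the display filter http.host can.
A libpcap filter such as "host www.cnn.com" resolves the name to an IP address
once, before capture, and compares only IP headers; through a proxy every packet
carries the proxy's address, and the origin host name exists only inside the
HTTP request.  All addresses and payloads below are constructed."""
from typing import List, Optional, Tuple

Packet = Tuple[str, str, bytes]          # (source IP, destination IP, TCP payload)


def http_host(payload: bytes) -> Optional[str]:
    """Host named by an HTTP request: the Host header, or the authority of an
    absolute request URI (the form a browser sends to a proxy).  None if the
    payload is not an HTTP request, which is all that http.host matching sees."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()           # verbatim, port included, as Wireshark does
    target = request_line[1]
    if "://" in target:                            # proxy-style absolute URI
        return target.split("://", 1)[1].split("/", 1)[0].lower()
    return None


def display_filter_http_host(packets: List[Packet], host: str) -> List[int]:
    """Indexes matched by the display filter http.host == <host>."""
    return [i for i, (_, _, payload) in enumerate(packets) if http_host(payload) == host.lower()]


def capture_filter_host(packets: List[Packet], resolved_ip: str) -> List[int]:
    """Indexes matched by the capture filter host <name>, given the address the
    name resolved to when the capture started (IP headers only, payload ignored)."""
    return [i for i, (src, dst, _) in enumerate(packets) if resolved_ip in (src, dst)]


PROXY = "10.0.0.5"        # constructed: the site's HTTP proxy
CLIENT = "10.0.0.23"      # constructed: the workstation running the browser
CNN_IP = "192.0.2.10"     # constructed: what 'host www.cnn.com' might resolve to elsewhere

# Constructed traffic: everything goes to the proxy, so no IP header names the origin.
PACKETS: List[Packet] = [
    (CLIENT, PROXY, b"GET http://www.cnn.com/ HTTP/1.1\r\nHost: www.cnn.com\r\nUser-Agent: IE\r\n\r\n"),
    (CLIENT, PROXY, b"GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    (PROXY, CLIENT, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    (CLIENT, PROXY, b"CONNECT www.cnn.com:443 HTTP/1.1\r\nHost: www.cnn.com:443\r\n\r\n"),
]

if __name__ == "__main__":
    print("display filter http.host == www.cnn.com ->", display_filter_http_host(PACKETS, "www.cnn.com"))
    print("capture filter host www.cnn.com        ->", capture_filter_host(PACKETS, CNN_IP))
```

Running it shows the display filter selecting only the plain request to www.cnn.com and the capture filter selecting nothing, because no packet carries the resolved address. The CONNECT request is deliberately left unmatched: http.host holds the Host header value verbatim, port included, so an exact comparison against www.cnn.com misses www.cnn.com:443, which is worth remembering when a proxy is in the path for HTTPS as well.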
Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error
I appreciate the info. I have actually taken several captures now on individual vlans and have located the top talkers. I also tried the tshark command you mentioned below without success. I get the ericsson error as shown below. Here is what happens:

    C:\Program Files\Wireshark>tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1
    Could not open file: 'Ericsson.xml', error: No such file or directory
    tshark: Unexpected end of filter string.

    C:\Program Files\Wireshark>tshark -v
    Could not open file: 'Ericsson.xml', error: No such file or directory
    TShark 0.99.7 (SVN Rev 23910)
    Copyright 1998-2007 Gerald Combs [EMAIL PROTECTED] and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Compiled with GLib 2.14.3, with WinPcap (version unknown), with libz 1.2.3,
    with libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1,
    with Gcrypt 1.2.3, with MIT Kerberos.
    Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
    (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.
    Built using Microsoft Visual C++ 6.0 build 8804

    C:\Program Files\Wireshark>

Do you know what I should modify to resolve this?

Thanks,

Sake Blok [EMAIL PROTECTED] wrote:
> On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> > I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.
>
> Well, in Wireshark you can use the Endpoints option under Statistics. This could give you the top 10 list of ip-addresses generating the most packets or bytes.
>
> If you just want SYN packets to be counted, you can either create a 2nd trace file with only the SYN packets and look at the endpoint statistics in this new file. Or... you could use tshark with some command piping:
>
>     tshark -r <file> -R "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src | sort | uniq -c | sort -rn | head
>
> I hope this helps,
>
> Cheers,
> Sake
[Wireshark-users] top talkers by port usage or SYN attempts
I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.

Thank you,
[Wireshark-users] Editing packets with Wireshark and replay?
Is there any method with Wireshark (or other tool) to modify the ip addresses in a packet capture before giving the file to another vendor for analysis? For example, can I substitute all the packets with address 1.1.1.1 with 2.2.2.2?

Thanks,
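Two things asked in these threads can be done directly on the raw pcap without any dissector: Sake's tshark pipeline above, which counts initial SYNs (SYN set, ACK clear) per source address, and the question just above about substituting 1.1.1.1 with 2.2.2.2 before handing a capture to a vendor. The Python below is an added example, not code from the list or from the Wireshark project. It builds a small constructed pcap in memory (the addresses, ports and MAC addresses are all made up), counts SYN top talkers the way the tshark pipeline does, and rewrites one IPv4 address to another while recomputing the IP header checksum and the TCP checksum, because the TCP pseudo-header covers both addresses and a rewrite that skips this step leaves every frame flagged as a checksum error. Only Ethernet/IPv4/TCP frames are interpreted; anything else passes through unchanged, and addresses that appear inside payloads (FTP PORT commands, SIP headers, and so on) are not touched.

```python
"""Added example, not code from the thread: a pure-Python stand-in for counting initial SYNs
per source address (what the tshark | sort | uniq -c pipeline does) and for substituting one
IP address for another in a capture before sharing it.  The pcap is constructed in memory."""
import socket
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET, SYN, ACK = 0xA1B2C3D4, 1, 0x02, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0 when `data` already carries a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid checksums (MAC addresses are made up)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    return eth + ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def write_pcap(frames) -> bytes:
    """Little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1200000000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data: bytes):
    """Yield (record header, frame) pairs; the header is kept so frames can be re-emitted."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled here")
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def ipv4_info(frame: bytes):
    """(IP header offset, IP header length, protocol) for Ethernet/IPv4 frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return 14, (frame[14] & 0x0F) * 4, frame[23]

def syn_top_talkers(pcap: bytes, n: int = 10):
    """Sources of initial SYNs (SYN set, ACK clear) with counts, most frequent first."""
    counts = Counter()
    for _, frame in read_pcap(pcap):
        info = ipv4_info(frame)
        if info and info[2] == 6:
            off, ihl, _ = info
            flags = frame[off + ihl + 13]            # TCP flags byte
            if flags & SYN and not flags & ACK:
                counts[socket.inet_ntoa(frame[off + 12:off + 16])] += 1
    return counts.most_common(n)

def tcp_checksum(f, off, ihl) -> bytes:
    """TCP checksum over pseudo-header + segment with the checksum field zeroed."""
    t, total_len = off + ihl, struct.unpack("!H", f[off + 2:off + 4])[0]
    seg = bytes(f[t:t + 16]) + b"\0\0" + bytes(f[t + 18:off + total_len])
    pseudo = bytes(f[off + 12:off + 20]) + struct.pack("!BBH", 0, 6, len(seg))
    return struct.pack("!H", checksum(pseudo + seg))

def rewrite_ip(pcap: bytes, old: str, new: str) -> bytes:
    """Replace `old` as IPv4 source/destination with `new`; fix IP and TCP checksums."""
    old_b, new_b = socket.inet_aton(old), socket.inet_aton(new)
    out = bytearray(pcap[:24])
    for hdr, frame in read_pcap(pcap):
        f, info = bytearray(frame), ipv4_info(frame)
        if info:
            off, ihl, proto = info
            for p in (off + 12, off + 16):
                if f[p:p + 4] == old_b:
                    f[p:p + 4] = new_b
            f[off + 10:off + 12] = struct.pack(
                "!H", checksum(bytes(f[off:off + 10]) + b"\0\0" + bytes(f[off + 12:off + ihl])))
            if proto == 6 and len(f) >= off + ihl + 20:
                f[off + ihl + 16:off + ihl + 18] = tcp_checksum(f, off, ihl)
        out += hdr + f
    return bytes(out)

def endpoints(pcap: bytes):
    """Sorted set of IPv4 addresses seen as source (Ethernet offset 26) or destination (30)."""
    return sorted({socket.inet_ntoa(f[p:p + 4]) for _, f in read_pcap(pcap) if ipv4_info(f) for p in (26, 30)})

# Constructed traffic: 10.1.1.7 opens five connections to 1.1.1.1 (which answers one), 10.1.1.9 opens one.
FRAMES = [build_frame("10.1.1.7", "1.1.1.1", 40000 + i, 80, SYN) for i in range(5)]
FRAMES += [build_frame("1.1.1.1", "10.1.1.7", 80, 40000, SYN | ACK), build_frame("10.1.1.9", "1.1.1.1", 50000, 443, SYN)]
CAPTURE = write_pcap(FRAMES)
SCRUBBED = rewrite_ip(CAPTURE, "1.1.1.1", "2.2.2.2")      # what to hand over instead of CAPTURE
```

`syn_top_talkers(CAPTURE)` returns 10.1.1.7 with five initial SYNs ahead of 10.1.1.9 with one, the SYN/ACK from 1.1.1.1 being excluded by the ACK test exactly as in the tshark filter; `endpoints(SCRUBBED)` no longer lists 1.1.1.1, and every rewritten frame still verifies (`checksum()` over the IP header gives 0 and `tcp_checksum()` equals the stored field), so the vendor's copy of the capture does not light up with checksum errors.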
Re: [Wireshark-users] WSDL / XML support?
So does this reply mean that Wireshark just doesn't decode it correctly? What do you mean by "HEAD fails on this"?

Luis EG Ontanon [EMAIL PROTECTED] wrote:
> 0.99.0 could decode it (no Content-Length, Chunked encoding) but HEAD fails on this.
>
> On 9/13/07, jacob c wrote:
> > I appreciate the help. I installed v0.99.6a but no luck. I am attaching the trace for your review. I do appreciate all the help.
> >
> > Thank you,
> >
> > Guy Harris wrote:
> > > On Sep 12, 2007, at 12:49 PM, jacob c wrote:
> > > > I'm not totally sure I'm following but.. HTTP Reassembly is enabled (checkmarked) under Edit > Preferences > HTTP, if that is what you mean.
> > >
> > > Yes, that's what I mean.
> > >
> > > > I am attaching a screenshot so you can see the display window.
> > >
> > > Unfortunately, we need more information than that to debug the problem; if you could give us the full capture file or, at minimum, all the packets in that TCP connection, that'd help (and would probably take less time to download from a mail server than a screenshot, as per Luis's mail).
> > >
> > > > The replies do show up as HTTP Continuation in Ethereal 0.99.0
> > >
> > > ...which means either that you didn't have HTTP reassembly enabled in 0.99.0 or it wasn't working in 0.99.0 (I forget whether it was in 0.99.0 or not; there have been changes to it since then).
> > >
> > > > but not in Wireshark 0.99.5 which I am currently using
> > >
> > > 0.99.5 isn't the current version of Wireshark; 0.99.6 is. Try that.
> > >
> > > > so perhaps I don't have an option configured correctly. Also, even in Ethereal 0.99.0 it does not decode the WSDL information with or without reassembly enabled.
> > >
> > > If it shows up as HTTP Continuation in 0.99.0 regardless of whether HTTP reassembly is enabled, it probably means reassembly isn't happening for some reason. Without seeing the packets we can't determine what reason that might have been in 0.99.0 and why the reassembly doesn't finish in 0.99.5.
> > >
> > > > It just shows up as HTTP data but perhaps Wireshark could decode it once I get it configured correctly. -??
> > >
> > > Only if getting it configured correctly means making the reassembly happen correctly. Wireshark doesn't dissect HTTP traffic as anything other than raw data if that traffic isn't part of the first TCP segment of a request or reply and isn't reassembled along with the first segment; that's by design (otherwise, it doesn't know *how* to dissect it - it has to see the Content-Type header, for example).
>
> --
> This information is top security. When you have read it, destroy yourself.
> -- Marshall McLuhan
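Guy's point above, that a segment carrying the middle of an HTTP body is just raw data until it is reassembled with the first segment and the headers are known, is easy to see with a chunked response, which is the case Luis names (no Content-Length, chunked encoding). The Python below is an added example, not code from this thread or from Wireshark. It constructs a small WSDL-like response with Transfer-Encoding: chunked, splits it into three TCP payloads with the boundaries falling mid-chunk, and shows what can be said about each segment alone versus after reassembly; the server name, service name and segment sizes are all made up, and bodies delimited only by connection close are not modelled.

```python
"""Added example, not code from the thread: why an HTTP body that starts after the
first TCP segment shows up as 'Continuation' until reassembly, and what reassembly
has to know (Content-Type, Transfer-Encoding) before it can hand the body to a
dissector.  The response is constructed to mimic the WSDL case discussed: chunked
transfer encoding, no Content-Length, segment boundaries falling mid-chunk."""
from typing import Dict, List, Optional, Tuple


def parse_head(raw: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    """(status line, headers, remaining bytes), or None while the header block is incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> Optional[bytes]:
    """Decode chunked transfer coding; None until the terminating 0-size chunk has arrived."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return None
        try:
            size = int(body[pos:end].split(b";", 1)[0].strip(), 16)   # chunk extensions ignored
        except ValueError:
            return None
        pos = end + 2
        if size == 0:
            return bytes(out)                   # trailers, if any, are not modelled
        if len(body) < pos + size + 2:
            return None
        out += body[pos:pos + size]
        pos += size + 2


def label_alone(segment: bytes) -> str:
    """What a dissector can say about one segment with reassembly disabled."""
    return "HTTP response" if segment.startswith(b"HTTP/") else "Continuation (raw TCP data)"


def reassemble(segments: List[bytes]) -> Optional[Tuple[str, bytes]]:
    """(content type, complete body) once every needed segment has arrived, else None."""
    parsed = parse_head(b"".join(segments))
    if parsed is None:
        return None
    _, headers, body = parsed
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        body = body[:length] if len(body) >= length else None
    else:
        return None                             # close-delimited body: not modelled here
    if body is None:
        return None
    return headers.get("content-type", "application/octet-stream"), body


def chunked(payload: bytes, size: int = 64) -> bytes:
    """Chunked-encode payload in fixed-size chunks followed by the final 0 chunk."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


# Constructed WSDL and response; the server and service names are made up.
WSDL = (b'<?xml version="1.0"?>\n'
        b'<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">\n'
        b'  <wsdl:service name="PartyService"/>\n'
        b'</wsdl:definitions>\n')
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/xml\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunked(WSDL))
SEGMENTS = [RESPONSE[:100], RESPONSE[100:212], RESPONSE[212:]]   # three TCP payloads, in order

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(label_alone(seg))
    print(reassemble(SEGMENTS[:2]), reassemble(SEGMENTS))
```

Only the first segment is recognisable on its own; the other two are "Continuation" because nothing in them says they are XML, or even HTTP. `reassemble()` returns None for the first two segments together (the second chunk is still cut off) and only yields `("text/xml", WSDL)` once the final 0 chunk has been seen, which is the same ordering Wireshark follows: the Content-Type header decides which dissector gets the body, but only after reassembly has produced the whole body.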
[Wireshark-users] WSDL / XML support?
Is there WSDL support in the current version of wireshark? I have a problem that bit me for quite a while because the analyzer didn't decode the WSDL/XML data. It is just displayed as TCP data generically. In the frame below, you can see 9080 in the HEX data and you can see that the decoding ends at the TCP layer by looking at the Detail data.

Frame 9 (278 bytes on wire, 278 bytes captured)
Ethernet II, Src: Cisco_46:95:42 (00:04:4d:46:95:42), Dst: HewlettP_a4:0e:de (00:16:35:a4:0e:de)
Internet Protocol, Src: 10.62.40.76 (10.62.40.76), Dst: 10.56.252.78 (10.56.252.78)
Transmission Control Protocol, Src Port: http (80), Dst Port: 4792 (4792), Seq: 2697, Ack: 1214, Len: 212
    Source port: http (80)
    Destination port: 4792 (4792)
    Sequence number: 2697    (relative sequence number)
    [Next sequence number: 2909    (relative sequence number)]
    Acknowledgement number: 1214    (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 4993
    Checksum: 0x85ac [correct]
    Options: (12 bytes)
    TCP segment data (212 bytes)

0000  00 16 35 a4 0e de 00 04 4d 46 95 42 08 00 45 00   ..5.....MF.B..E.
0010  01 08 f5 30 40 00 fa 06 51 ae 0a 3e 28 4c 0a 38   ...0@...Q..>(L.8
0020  fc 4e 00 50 12 b8 ff 04 d1 c0 32 f7 9b 48 80 18   .N.P......2..H..
0030  13 81 85 ac 00 00 01 01 08 0a 09 38 09 5e 00 4b   ...........8.^.K
0040  ca ea 45 78 70 6f 72 74 5f 50 61 72 74 79 53 65   ..Export_PartySe
0050  72 76 69 63 65 48 74 74 70 50 6f 72 74 22 3e 0a   rviceHttpPort">.
0060  20 20 20 20 20 20 3c 73 6f 61 70 3a 61 64 64 72         <soap:addr
0070  65 73 73 20 6c 6f 63 61 74 69 6f 6e 3d 22 68 74   ess location="ht
0080  74 70 3a 2f 2f 73 65 72 76 69 63 65 73 2e 63 61   tp://services.ca
0090  72 67 6f 2e 71 63 6f 72 70 61 61 2e 61 61 2e 63   rgo.sample.abc.c
00a0  6f 6d 3a 39 30 38 30 2f 50 61 72 74 79 53 65 72   om:9080/PartySer
00b0  76 69 63 65 73 4d 6f 64 75 6c 65 57 65 62 2f 73   vicesModuleWeb/s
00c0  63 61 2f 50 61 72 74 79 53 65 72 76 69 63 65 45   ca/PartyServiceE
00d0  78 70 6f 72 74 22 2f 3e 0a 20 20 20 20 3c 2f 77   xport"/>.    </w
00e0  73 64 6c 3a 70 6f 72 74 3e 0a 20 20 3c 2f 77 73   sdl:port>.  </ws
00f0  64 6c 3a 73 65 72 76 69 63 65 3e 0a 3c 2f 77 73   dl:service>.</ws
0100  64 6c 3a 64 65 66 69 6e 69 74 69 6f 6e 73 3e 0d   dl:definitions>.
0110  0a 30 0d 0a 0d 0a                                 .0....

Thank you,