Re: [Wireshark-users] Newbie question
(When replying, please try to arrange things so that it's clear what text is quoted from the message and what text is your reply)

On Sep 23, 2007, at 4:25 PM, Tom Maugham wrote:

> On Sep 23, 2007, at 6:19 PM, Sake Blok wrote:
>
>> Sometimes it's even worse, the driver will not send any packets to the system when the card is put in promiscuous mode. In those cases you need to disable "Capture in promiscuous mode" in the capture options screen to be able to see your own packets in wireshark.
>
> That's what appears to be the case. Is there any way around this?

Either:

1) find a wireless adapter that supports promiscuous mode, if any exist - see http://www.micro-logix.com/WinPcap/Supported.asp

2) switch to an OS less hostile to promiscuous-mode 802.11 capture, such as Linux or one of the BSDs;

3) buy an AirPcap adapter and use that: http://www.cacetech.com/products/airpcap_family.htm

4) run Vista on your machine and use the latest version of Network Monitor from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en

>> Not quite ;-) What I meant was that if you use the wired PC to capture the packets instead of the wireless PC, you will also not see all the packets. This is because the PC is connected to a switch, which learns to which of its ports each system is connected and only forwards traffic destined for the connected system(s) out a port. You might want to read the Wiki-article about that again. It will give you some insight in what kind of traffic you can expect when you connect the PC to some type of device.
>
> It appears that I must use the wired pc to see the traffic to/from that pc which unfortunately I cannot do. I can only use the laptop.

Then you'll have to plug the laptop into a *wired* port on the router - and configure the router so that a copy of all traffic to and from the wired PC gets sent to the port into which you've plugged the laptop. That might or might not be possible; you'd have to find documentation on the router to see if that's possible.

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Newbie question
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
Sent: Sunday, September 23, 2007 6:19 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Newbie question

On Sun, Sep 23, 2007 at 05:38:57PM -0400, Tom Maugham wrote:
> Thanks for the info...
>
> It appears that I have two problems:
> 1) The adapter in my laptop needs to be set to promiscuous mode and I cannot see any way to do that

Not quite, Wireshark puts the capturing interface it uses in promiscuous mode by default. Unfortunately a lot of wlan-drivers don't pass the packets that are not destined to the card to the system when the card is put into promiscuous mode. In short, you will only see the packets to and from your own pc instead of all the packets on the wire^H^H^H^Hair

Sometimes it's even worse, the driver will not send any packets to the system when the card is put in promiscuous mode. In those cases you need to disable "Capture in promiscuous mode" in the capture options screen to be able to see your own packets in wireshark.

That's what appears to be the case. Is there any way around this?

> and 2) I won't be able to see packets to/from the hard-wired pc. Is that correct?

Not quite ;-) What I meant was that if you use the wired PC to capture the packets instead of the wireless PC, you will also not see all the packets. This is because the PC is connected to a switch, which learns to which of its ports each system is connected and only forwards traffic destined for the connected system(s) out a port. You might want to read the Wiki-article about that again. It will give you some insight in what kind of traffic you can expect when you connect the PC to some type of device.

It appears that I must use the wired pc to see the traffic to/from that pc which unfortunately I cannot do. I can only use the laptop.

Hope this helps,
Cheers,

Sake

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
> Sent: Sunday, September 23, 2007 2:23 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Newbie question
>
> On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> > I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.
> >
> > When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?
>
> Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :
>
> - -
> Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.
>
> Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.
> - -
>
> Also when you try to capture all the traffic on the PC with the hard-wired connection, you won't see all the packets since the network is switched. Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for more details on what traffic you are able to see on which type of network-connections.
>
> Hope this helps,
> Cheers,
>
>
> Sake
Re: [Wireshark-users] Newbie question
On Sun, Sep 23, 2007 at 05:38:57PM -0400, Tom Maugham wrote:
> Thanks for the info...
>
> It appears that I have two problems:
> 1) The adapter in my laptop needs to be set to promiscuous mode and I cannot see any way to do that

Not quite, Wireshark puts the capturing interface it uses in promiscuous mode by default. Unfortunately a lot of wlan-drivers don't pass the packets that are not destined to the card to the system when the card is put into promiscuous mode. In short, you will only see the packets to and from your own pc instead of all the packets on the wire^H^H^H^Hair

Sometimes it's even worse, the driver will not send any packets to the system when the card is put in promiscuous mode. In those cases you need to disable "Capture in promiscuous mode" in the capture options screen to be able to see your own packets in wireshark.

> and 2) I won't be able to see packets to/from the hard-wired pc. Is that correct?

Not quite ;-) What I meant was that if you use the wired PC to capture the packets instead of the wireless PC, you will also not see all the packets. This is because the PC is connected to a switch, which learns to which of its ports each system is connected and only forwards traffic destined for the connected system(s) out a port. You might want to read the Wiki-article about that again. It will give you some insight in what kind of traffic you can expect when you connect the PC to some type of device.

Hope this helps,
Cheers,

Sake

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
> Sent: Sunday, September 23, 2007 2:23 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Newbie question
>
> On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> > I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.
> >
> > When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?
>
> Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :
>
> - -
> Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.
>
> Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.
> - -
>
> Also when you try to capture all the traffic on the PC with the hard-wired connection, you won't see all the packets since the network is switched. Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for more details on what traffic you are able to see on which type of network-connections.
>
> Hope this helps,
> Cheers,
>
>
> Sake
Re: [Wireshark-users] Newbie question
Thanks for the info...

It appears that I have two problems: 1) The adapter in my laptop needs to be set to promiscuous mode and I cannot see any way to do that and 2) I won't be able to see packets to/from the hard-wired pc. Is that correct?

Thanks,
Tom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
Sent: Sunday, September 23, 2007 2:23 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Newbie question

On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.
>
> When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?

Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :

- -
Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.

Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.
- -

Also when you try to capture all the traffic on the PC with the hard-wired connection, you won't see all the packets since the network is switched. Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for more details on what traffic you are able to see on which type of network-connections.

Hope this helps,
Cheers,

Sake
Re: [Wireshark-users] Newbie question
On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.
>
> When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?

Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :

- -
Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.

Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.
- -

Also when you try to capture all the traffic on the PC with the hard-wired connection, you won't see all the packets since the network is switched. Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for more details on what traffic you are able to see on which type of network-connections.

Hope this helps,
Cheers,

Sake
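A quick way to tell whether a capture actually contains other stations' traffic, as an added example that is not part of the thread or of Wireshark itself. It reads a classic pcap file with a minimal parser, classifies every Ethernet frame by its destination relative to the capturing interface's own MAC address, and reports whether any unicast frames between *other* hosts were recorded. Both failure modes discussed in this thread produce the same symptom, a count of zero: a WLAN driver that ignores promiscuous mode, or a wired switch port that only carries your own traffic plus broadcasts. The MAC addresses, the frames and the pcap bytes are constructed inline for the example.

```python
"""Does this capture contain anyone else's traffic?

Added example, not code from the thread or from Wireshark. Reads a classic
(non-pcapng) Ethernet pcap and counts frames by destination relative to the
capturing interface's own MAC. Zero "other_unicast" frames on a busy segment
means the driver is not delivering promiscuous traffic (the WLAN case) or
the switch port only carries this host's traffic plus broadcasts.
"""
import struct

LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a classic pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:        # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:      # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def classify_frames(pcap_bytes: bytes, own_mac: str) -> dict:
    """Count frames by how they relate to the capturing interface."""
    own = bytes.fromhex(own_mac.replace(":", ""))
    counts = {"to_me": 0, "from_me": 0, "broadcast_multicast": 0,
              "other_unicast": 0, "short": 0}
    for _ts_sec, _ts_usec, frame in parse_pcap(pcap_bytes):
        if len(frame) < 14:            # truncated: no complete Ethernet header
            counts["short"] += 1
            continue
        dst, src = frame[0:6], frame[6:12]
        if dst == own:
            counts["to_me"] += 1
        elif src == own:
            counts["from_me"] += 1
        elif dst[0] & 0x01:            # I/G bit set: broadcast or multicast
            counts["broadcast_multicast"] += 1
        else:                          # unicast between two *other* stations
            counts["other_unicast"] += 1
    return counts


def promiscuous_capture_effective(counts: dict) -> bool:
    """Only frames between other stations prove promiscuous delivery works."""
    return counts["other_unicast"] > 0


# --- constructed sample data (not a real capture) ---------------------------

def _eth(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + b"\x00" * 46


def _pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1190000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


OWN_MAC = "00:11:22:33:44:55"              # the capturing laptop (assumed)
GATEWAY = "00:0c:29:00:00:01"              # the router (assumed)
OTHER = "66:77:88:99:aa:bb"                # another station (assumed)

# What a crippled WLAN driver or a plain switch port hands you:
SAMPLE_NON_PROMISC = _pcap([
    _eth(OWN_MAC, GATEWAY),                       # to me
    _eth(GATEWAY, OWN_MAC),                       # from me
    _eth("ff:ff:ff:ff:ff:ff", OTHER, 0x0806),     # ARP broadcast from another host
])
# The same plus a frame between two other stations, which only a working
# promiscuous capture on a shared medium or a mirrored port will contain:
SAMPLE_PROMISC = _pcap([
    _eth(OWN_MAC, GATEWAY),
    _eth(GATEWAY, OWN_MAC),
    _eth("ff:ff:ff:ff:ff:ff", OTHER, 0x0806),
    _eth(OTHER, GATEWAY),
])

if __name__ == "__main__":
    for name, pcap in (("non-promiscuous", SAMPLE_NON_PROMISC), ("promiscuous", SAMPLE_PROMISC)):
        c = classify_frames(pcap, OWN_MAC)
        print(name, c, "effective" if promiscuous_capture_effective(c) else "NOT effective")
```

To run it on a real file, pass `open(path, "rb").read()` and the interface's real MAC address to `classify_frames`; the parser handles only the classic pcap format, not pcapng. The same classification can be done interactively in Wireshark with display filters on `eth.dst` and `eth.src`, but a script makes the "did promiscuous mode do anything" question a yes/no answer.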
Re: [Wireshark-users] Newbie question
Hi. It is because Wireshark captures all packets which go to and out of your interface, while your wireless router selects the packets and sends them to the relevant machines. That means only packets to or from your machine can be captured by Wireshark, unless your network uses a hub for the connection between the other machines.

On 9/24/07, Tom Maugham <[EMAIL PROTECTED]> wrote:
> I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.
>
> When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?
>
> Thanks in advance for any help you can provide…
>
> Regards,
>
> Tom
[Wireshark-users] Newbie question
I have just installed Wireshark on a laptop which I want to use to monitor my home network. My setup is three desktops connected to a Westell 327W Verizon DSL wireless router. One desktop is hardwired and the other two and the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all the other desktops and the laptop are XP Home SP2.

When I initiate Wireshark on the laptop it seems to see everything that is occurring on the laptop but not very much on the other PCs. Why is that? Am I expecting too much from Wireshark or do I not have it configured properly?

Thanks in advance for any help you can provide.

Regards,
Tom
Re: [Wireshark-users] Newbie question about capture point
I haven't kept up on all aspects of current cards, but this was not the case historically - with the exception of 3Com, who has been blocking datalink errors for years. I haven't kept current with the last generation or so, about when gigabit became common. When I looked into TOE cards a few years ago the TOE feature could be disabled (one issue was ENABLING it for some OSes!); IIRC the checksum offloading could be disabled as well. Still, getting to fully promiscuous capture isn't easy - support is required right up the line. If you really need to see all datalink errors these days a hardware analyzer is probably best.

Randy Grein
Network Engineer

"Gianluca Varenni" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/29/2007 08:51 AM
Please respond to Community support list for Wireshark

To: "Community support list for Wireshark"
cc:
Subject: Re: [Wireshark-users] Newbie question about capture point

I might be wrong, but I don't think many OSes and network cards do provide corrupted packets (wrong FCS or link layer errors) even when put into promiscuous mode. This is because usually the MAC chip on the cards discards them without even moving them to host memory (for performance reasons).

Also, consider that one of the issues is that newer network cards perform a lot of processing (TCP offloading, or checksum computation, just to name two of them) directly in hardware. Capturing the packets that actually get transmitted on the network is much harder in this case, as the OS (hence WinPcap) sees the packets that are sent from host to the network card, not the packets that actually get transmitted.

Hope it helps
GV

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Friday, June 29, 2007 8:03 AM
Subject: Re: [Wireshark-users] Newbie question about capture point

> Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the Windows protocol analyzer problems. NDIS never did fully specify a promiscuous mode, so it's left up to the vendor who writes the driver. Card vendors supply some promiscuous functionality, but AFAIK none pass on all error packets. So you may see packets destined for other hosts, broadcasts, etc. but you may not see runts or giants. You may not see framing errors. Some, like the older 3Com (I'm not sure if they still do) filter all errors in hardware, so you won't even see ethernet collisions in a hub environment - but in that case it doesn't matter what the drivers do, and you're stuck in any OS. Some commercial protocol analyzer vendors supply a custom driver for a few cards, or even a custom card and driver that will capture all error packets.
>
>
> Randy Grein
> Network Engineer
>
>
> "Gajan Nadarajan" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 06/28/2007 11:25 AM
> Please respond to Community support list for Wireshark
>
> To: wireshark-users@wireshark.org
> cc:
> Subject: [Wireshark-users] Newbie question about capture point
>
> Hello,
>
> I am new to wireshark and was wondering where exactly wireshark captures eth packets or frames on the windows stack (or somewhere on NDIS)?
>
> Would it be before it reaches the driver?
>
> Thank you.
>
> - -
>
> CONFIDENTIALITY NOTICE: The information in this message may be proprietary and/or confidential, and is intended only for the use of the individual(s) to whom this email is addressed. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this email and deleting this email from your computer. Nothing contained in this email or any attachment shall satisfy the requirements for contract formation or constitute an electronic signature.
Re: [Wireshark-users] Newbie question about capture point
I might be wrong, but I don't think many OSes and network cards do provide corrupted packets (wrong FCS or link layer errors) even when put into promiscuous mode. This is because usually the MAC chip on the cards discards them without even moving them to host memory (for performance reasons).

Also, consider that one of the issues is that newer network cards perform a lot of processing (TCP offloading, or checksum computation, just to name two of them) directly in hardware. Capturing the packets that actually get transmitted on the network is much harder in this case, as the OS (hence WinPcap) sees the packets that are sent from host to the network card, not the packets that actually get transmitted.

Hope it helps
GV

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Community support list for Wireshark"
Sent: Friday, June 29, 2007 8:03 AM
Subject: Re: [Wireshark-users] Newbie question about capture point

> Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the Windows protocol analyzer problems. NDIS never did fully specify a promiscuous mode, so it's left up to the vendor who writes the driver. Card vendors supply some promiscuous functionality, but AFAIK none pass on all error packets. So you may see packets destined for other hosts, broadcasts, etc. but you may not see runts or giants. You may not see framing errors. Some, like the older 3Com (I'm not sure if they still do) filter all errors in hardware, so you won't even see ethernet collisions in a hub environment - but in that case it doesn't matter what the drivers do, and you're stuck in any OS. Some commercial protocol analyzer vendors supply a custom driver for a few cards, or even a custom card and driver that will capture all error packets.
>
>
> Randy Grein
> Network Engineer
>
>
> "Gajan Nadarajan" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 06/28/2007 11:25 AM
> Please respond to Community support list for Wireshark
>
> To: wireshark-users@wireshark.org
> cc:
> Subject: [Wireshark-users] Newbie question about capture point
>
> Hello,
>
> I am new to wireshark and was wondering where exactly wireshark captures eth packets or frames on the windows stack (or somewhere on NDIS)?
>
> Would it be before it reaches the driver?
>
> Thank you.
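Gianluca's point about offloading can be checked directly in a capture, as an added example that is not from the thread or from WinPcap. A host-side capture sees outgoing packets before the NIC fills in the IPv4 and TCP checksums, so verifying the checksums of packets sourced by the capturing host tells you whether the bytes you have are the bytes that went on the wire. The code recomputes both checksums (the one's-complement sum of RFC 1071, with the TCP pseudo-header) and flags locally sourced packets that fail. The packet builder and the addresses are constructed for the example; the known-good IPv4 header is a widely reproduced sample whose checksum 0xb861 is recomputed here rather than taken on trust.

```python
"""Detect checksum offload in a host-side capture.

Added example, not code from the thread or from WinPcap/Wireshark. When the
NIC computes checksums in hardware, the capture hook (NDIS/WinPcap, libpcap)
records outgoing packets before the checksum field is filled in, so those
packets verify as bad even though the frames on the wire were fine.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ipv4_tcp(packet: bytes) -> dict:
    """Recompute the IPv4 header checksum and, for TCP, the segment checksum."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    ip_hdr = packet[:ihl]
    stored = struct.unpack_from("!H", ip_hdr, 10)[0]
    result = {"ip_ok": stored == checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]),
              "tcp_ok": None}              # None: not TCP, nothing to verify
    if packet[9] == 6 and total_len >= ihl + 20:
        seg = packet[ihl:total_len]
        stored = struct.unpack_from("!H", seg, 16)[0]
        # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
        pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
        result["tcp_ok"] = stored == checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    return result


def looks_offloaded(packet: bytes, local_ip: str) -> bool:
    """A packet *sent by this host* with a bad checksum is the offload signature.
    Bad checksums on packets from other hosts mean real corruption instead."""
    src = ".".join(str(b) for b in packet[12:16])
    r = verify_ipv4_tcp(packet)
    return src == local_ip and (not r["ip_ok"] or r["tcp_ok"] is False)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, fill_checksums: bool = True) -> bytes:
    """Minimal IPv4+TCP packet. fill_checksums=False mimics what the capture
    sees when the NIC is going to compute the checksums later."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    if fill_checksums:
        ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
        tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


# Constructed samples (addresses invented for the example).
LOCAL_IP = "10.0.0.5"
WIRE_PACKET = build_ipv4_tcp(LOCAL_IP, "10.0.0.9", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
CAPTURED_BEFORE_OFFLOAD = build_ipv4_tcp(LOCAL_IP, "10.0.0.9", 40000, 80,
                                         b"GET / HTTP/1.0\r\n\r\n", fill_checksums=False)
# A widely reproduced sample IPv4 (UDP) header; its correct checksum is 0xb861.
KNOWN_GOOD_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")

if __name__ == "__main__":
    for name, pkt in (("on the wire", WIRE_PACKET), ("captured pre-offload", CAPTURED_BEFORE_OFFLOAD)):
        print(name, verify_ipv4_tcp(pkt), "offload?", looks_offloaded(pkt, LOCAL_IP))
```

Run over a real capture, feed each IPv4 packet (Ethernet header stripped) to `looks_offloaded` with the capturing host's address: a stream of failures on outgoing packets only, with incoming packets verifying fine, is offloading, not corruption. Wireshark offers the same validation as a protocol preference, and it is commonly left off for exactly this reason.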
Re: [Wireshark-users] Newbie question about capture point
Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the Windows protocol analyzer problems. NDIS never did fully specify a promiscuous mode, so it's left up to the vendor who writes the driver. Card vendors supply some promiscuous functionality, but AFAIK none pass on all error packets. So you may see packets destined for other hosts, broadcasts, etc. but you may not see runts or giants. You may not see framing errors. Some, like the older 3Com (I'm not sure if they still do) filter all errors in hardware, so you won't even see ethernet collisions in a hub environment - but in that case it doesn't matter what the drivers do, and you're stuck in any OS. Some commercial protocol analyzer vendors supply a custom driver for a few cards, or even a custom card and driver that will capture all error packets.

Randy Grein
Network Engineer

"Gajan Nadarajan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/28/2007 11:25 AM
Please respond to Community support list for Wireshark

To: wireshark-users@wireshark.org
cc:
Subject: [Wireshark-users] Newbie question about capture point

Hello,

I am new to wireshark and was wondering where exactly wireshark captures eth packets or frames on the windows stack (or somewhere on NDIS)?

Would it be before it reaches the driver?

Thank you.
[Wireshark-users] Newbie question about capture point
Hello,

I am new to wireshark and was wondering where exactly wireshark captures eth packets or frames on the windows stack (or somewhere on NDIS)?

Would it be before it reaches the driver?

Thank you.
Re: [Wireshark-users] newbie question
On Wed, Aug 16, 2006 at 11:34:15AM -0700, Guy Harris wrote:
> Stephen Fisher wrote:
>
> > You can specify a capture filter to tshark (or wireshark while it's
>
> I assume you meant "You can specify a display filter to tshark ...", as that's a display filter (and as the person who asked the question already has the capture files).

Thanks for the clarification. Yes, I meant display filter :)

Steve
Re: [Wireshark-users] newbie question
Stephen Fisher wrote:

> You can specify a capture filter to tshark (or wireshark while it's running) for the field that you are looking for. In the case of FTP, the password is shown in the info column so you only need to filter for the request command "PASS":
>
> tshark -r <capture file> -R 'ftp.request.command == "PASS"'
>
> 1 0.00 10.134.121.235 -> 10.134.9.203 FTP 71 Request: PASS

I assume you meant "You can specify a display filter to tshark ...", as that's a display filter (and as the person who asked the question already has the capture files).
Re: [Wireshark-users] newbie question
On Wed, Aug 16, 2006 at 09:00:31AM +0200, Krekan wrote:
> Hello all, I am new to Ethereal. I would like to ask, when I got a file about 1 mb full of data captured, how do I extract certain information such as passwords from those sniffed data. I run ethereal, start to capture and when the size of file reaches the limit which I set I get a file. The contents of this file I can only view in ethereal. When I open it in a regular viewer only a bunch of binary data is seen. How can I filter for example ftp or pop passwords?

You can specify a capture filter to tshark (or wireshark while it's running) for the field that you are looking for. In the case of FTP, the password is shown in the info column so you only need to filter for the request command "PASS":

tshark -r <capture file> -R 'ftp.request.command == "PASS"'

1 0.00 10.134.121.235 -> 10.134.9.203 FTP 71 Request: PASS

Steve
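The filter above finds the packet that carries the FTP PASS command; the same idea written out as a small extractor, as an added example that is not from the thread or from Wireshark/tshark. It takes TCP segments as (src, sport, dst, dport, payload) tuples, which is what any capture library hands over once the IP and TCP headers are stripped, joins the segments of each client-to-server flow into a stream, splits on CRLF, and matches the USER and PASS commands that FTP (port 21) and POP3 (port 110) send in the clear. Joining before matching matters: a command that straddles two segments is missed by a per-packet match. The addresses reuse the ones in Stephen's sample output; the sessions and credentials are constructed for the example.

```python
"""Extract FTP and POP3 logins from captured TCP payloads.

Added example, not from the thread or from tshark. Input is one tuple per
TCP segment in capture order: (src_ip, src_port, dst_ip, dst_port, payload).
Per-flow reassembly means a command split across segments, or two commands
in one segment, are both handled.
"""
import re
from collections import defaultdict

# FTP (RFC 959) and POP3 (RFC 1939) both carry USER/PASS as a plain text line.
CLEARTEXT_PORTS = {21: "ftp", 110: "pop3"}
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(.*?)[ \t]*$", re.IGNORECASE)


def extract_credentials(segments):
    """Return USER/PASS commands in the order they appear, one dict each."""
    buffers = defaultdict(bytes)      # reassembly buffer per client->server flow
    found = []
    for src, sport, dst, dport, payload in segments:
        proto = CLEARTEXT_PORTS.get(dport)
        if proto is None:             # not a client->server FTP/POP3 segment
            continue
        key = (src, sport, dst, dport)
        buffers[key] += payload
        while b"\r\n" in buffers[key]:
            line, _, buffers[key] = buffers[key].partition(b"\r\n")
            m = CRED_RE.match(line)
            if m:
                found.append({"proto": proto, "client": src, "server": dst,
                              "field": m.group(1).decode().upper(),
                              "value": m.group(2).decode("latin-1")})
    return found


def pair_logins(creds):
    """Pair each PASS with the preceding USER of the same client/server/protocol."""
    pairs, pending = [], {}
    for c in creds:
        flow = (c["proto"], c["client"], c["server"])
        if c["field"] == "USER":
            pending[flow] = c["value"]
        elif c["field"] == "PASS" and flow in pending:
            pairs.append((c["proto"], c["client"], c["server"],
                          pending.pop(flow), c["value"]))
    return pairs


# Constructed sample: addresses reuse the thread's example output; the
# sessions and credentials are invented for illustration.
SAMPLE_SEGMENTS = [
    ("10.134.121.235", 40001, "10.134.9.203", 21, b"USER alice\r\n"),
    ("10.134.9.203", 21, "10.134.121.235", 40001, b"331 Please specify the password.\r\n"),
    ("10.134.121.235", 40001, "10.134.9.203", 21, b"PASS hun"),        # one command
    ("10.134.121.235", 40001, "10.134.9.203", 21, b"ter2\r\n"),        # over two segments
    ("10.134.121.235", 40002, "10.134.9.203", 110, b"USER bob\r\nPASS s3cret\r\n"),  # two in one
    ("10.134.121.235", 40003, "10.134.9.203", 443, b"\x16\x03\x01\x00\x05hello"),    # TLS, ignored
]

if __name__ == "__main__":
    for proto, client, server, user, password in pair_logins(extract_credentials(SAMPLE_SEGMENTS)):
        print("%-4s %s -> %s  user=%s pass=%s" % (proto, client, server, user, password))
```

On a real capture the tuples come from whatever reads the file for you (tshark's `-T fields -e ...` output, or a pcap library); the extractor only needs the four-tuple and the payload bytes. The same logic, run continuously, is a reasonable detection for cleartext logins on a network that is supposed to have none.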
[Wireshark-users] newbie question
Hello all, I am new to Ethereal. I would like to ask, when I got a file about 1 mb full of data captured, how do I extract certain information such as passwords from those sniffed data. I run ethereal, start to capture and when the size of file reaches the limit which I set I get a file. The contents of this file I can only view in ethereal. When I open it in a regular viewer only a bunch of binary data is seen. How can I filter for example ftp or pop passwords?

Thanx
Krekan