[Wireshark-users] tshark help
Hi,

I know nothing about Wireshark but I was advised to use it to check my webserver network traffic for a possible fault... the server is not local (it runs CentOS 4) and I (having read a bit) found tshark and thought that that would probably be the way to go (although I could be wrong)... I did manage to get tshark to output files but I then couldn't read them (although I was aiming for a text file output it didn't seem to be text). I was using variations of the following:

    tshark -a duration:15 -T ps -w tsharkOP.txt

My question is how can I output a file that I can then read / inspect? Or should I be approaching this differently? Any help / guidance / advice much appreciated.

Thanks
Andy

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] tshark help
Hi,

You may be on the right track, unable to see why not from the limited description of your requirements. Still the output you desire is available if you take notice of the comment on the -w option, found in the tshark man page:

    -w outfile|-
        Write raw packet data to outfile or to the standard output if outfile is '-'.

NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.

Thanx,
Jaap

On Mon, 13 Nov 2006, Andrew Watson wrote:

> Hi,
>
> I know nothing about Wireshark but I was advised to use it to check my webserver network traffic for a possible fault... the server is not local (it runs CentOS 4) and I (having read a bit) found tshark and thought that that would probably be the way to go (although I could be wrong)... I did manage to get tshark to output files but I then couldn't read them (although I was aiming for a text file output it didn't seem to be text). I was using variations of the following:
>
>     tshark -a duration:15 -T ps -w tsharkOP.txt
>
> My question is how can I output a file that I can then read / inspect? Or should I be approaching this differently? Any help / guidance / advice much appreciated.
>
> Thanks
> Andy
[Wireshark-users] How to extract ONLY the info I want from captured data(Ethereal, Windows XP)?
Hi,

I have a captured data file. How do I extract ONLY the info I am interested in for each packet? I want the output file to contain only (Source IP, Destination IP, Source Port, Destination Port, Protocol, Received Time). Is there any command of Ethereal that I can use? Or do you have any other suggestions?

Thx a lot.

Regards,
Sean
[Wireshark-users] Ethereal - how it reads data from NDIS driver
Hi, all.

I have a WinXP SP2 machine with a NDIS driver installed. Application running on this machine re-assembles VLAN-tagged Ethernet frames and sends them to a router via L2 switch. When I run Ethereal (0.99.0, WinPcap 3.1) on this machine, I can see correct VLAN-tagged Ethernet frames sent to the destination, but when I monitor (with Ethereal) the LAN between that machine and L2 switch - the frames do not include the VLAN-tags. It seems strange to me. So, my question is - what is the source of information for Ethereal on the WinXP machine?

Thanks in advance.
maximb

** The contents of this email and any attachments are confidential, and are proprietary of "Shiron Satellite Communication". It is intended for the named recipient(s) only. If you have received this email in error, please notify us immediately by replying to the message and deleting it from your computer. Do not disclose the contents to anyone or make copies. **
Re: [Wireshark-users] Ethereal - how it reads data from NDIS driver
Are you sure that the monitor port of the switch you use is configured to forward tagged frames?

On 11/13/06, Maxim Bakushin wrote:

> Hi, all.
>
> I have a WinXP SP2 machine with a NDIS driver installed. Application running on this machine re-assembles VLAN-tagged Ethernet frames and sends them to a router via L2 switch. When I run Ethereal (0.99.0, WinPcap 3.1) on this machine, I can see correct VLAN-tagged Ethernet frames sent to the destination, but when I monitor (with Ethereal) the LAN between that machine and L2 switch - the frames do not include the VLAN-tags. It seems strange to me. So, my question is - what is the source of information for Ethereal on the WinXP machine?
>
> Thanks in advance.
> maximb

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Re: [Wireshark-users] How to extract ONLY the info I want from captured data(Ethereal, Windows XP)?
Hi,

Sure, output as text file, postprocess with [perl, awk, your favorite]. String together the strength of small powerful tools, instead of putting all in one.

Thanx,
Jaap

On Mon, 13 Nov 2006, Sean WANG wrote:

> Hi,
>
> I have a captured data file. How do I extract ONLY the info I am interested in for each packet? I want the output file to contain only (Source IP, Destination IP, Source Port, Destination Port, Protocol, Received Time). Is there any command of Ethereal that I can use? Or do you have any other suggestions?
>
> Thx a lot.
>
> Regards,
> Sean
[Wireshark-users] Capture filter for tcp retransmissions
I found the display filter for tcp retransmissions but is there a capture filter for this? I am troubleshooting net congestion issues on our Citrix server and thought that this might be a good filter to use. I wanted to run Wireshark all day but didn't want to deal with loading a huge file.

-Paul
Re: [Wireshark-users] Capture filter for tcp retransmissions
Paul Jacobs wrote:

> I found the display filter for tcp retransmissions but is there a capture filter for this?

No - libpcap's capture filter mechanism doesn't support any form of state kept between packets; each packet is treated independently from previous packets, so it'd be impossible for the filter mechanism to know whether a packet is a retransmission.
Re: [Wireshark-users] help with results
On Mon, Nov 13, 2006 at 02:02:44PM -, Andrew Watson wrote:

> I am a new user to Wireshark so know very little... the reason I was advised to try Wireshark was due to intermittent problems with my webserver whereby (usually) the first page request fails with an error message ("the connection was reset" in Firefox)... I have managed to capture this behaviour in Wireshark when requesting the site and it looks like step numbers 5 6 below (also attached as pcap file) are the actual errors ( TCP http > 2058 [RST] Seq=1 Len=0 ). I tried the website myself and got the same error on the first try. After the first request, I can't seem to get the error back. I am hoping that someone can confirm that this is the problem and perhaps suggest what I can do to track down the cause? The webserver is running Apache 2.0.52 on CentOS4...

Indeed the TCP-RST that you see in frame 56 is responsible for the message in Firefox. It tells you that the server (or maybe a load-balancer or firewall in front of the server) does not accept the HTTP request you sent it and so it resets the connection. Is your server hosted at a provider or do you host it on your own server?

Cheers,
Sake
Re: [Wireshark-users] tshark help
Andrew Watson wrote:

> My question is how can I output a file that I can then read / inspect?

As Jaap Keuter noted, the output of the -w flag isn't a text file, it's a binary file containing raw packet data. Either

1) don't use -w, just redirect the output, which will produce a text file - in UN*X text file format, *not* Windows text file format, in versions running on a UN*X (which CentOS is, being a Linux distribution), so if you're planning on reading it on a Windows system (as the .txt suggests you might be), you'll need a text editor that can handle files with LFs but no CRs at the ends of lines

or

2) use -w, and read the file with TShark or Wireshark (or any other program that can read libpcap-format files) rather than with a text editor.
Re: [Wireshark-users] Exporting raw packet data?
At 06:24 PM 11/13/2006, Guy Harris wrote:

> On Nov 13, 2006, at 5:52 PM, Pete Fraser wrote:
>
>> I want to export packet data in raw format, so that I end up with a binary file.
>
> Raw in what sense?

In the sense that it's used in the Analyze->Follow TCP Stream dialogue. That is, binary data; not an ASCII representation of HEX data.

> And what part of the packet data do you want to export?

The payload. Again, the Analyze->Follow TCP Stream capability seems to do exactly what I want (for TCP packets, but not UDP). I can select a TCP packet from a webcam, do a raw save with Analyze->Follow TCP Stream, and end up with a binary motion JPEG file that many viewers will play (after I remove some ASCII header material).

> And do you want to export from one packet, or multiple packets?

Multiple packets. I think I can do it from one with File->Export->Selected Packet Bytes.

> And, if it's multiple packets, do you just want to concatenate the data, or do you want some sort of record format to keep the data from different packets separated?

Concatenate.

>> What I want to do, but can't work out how, is to export a lot of packet data as a raw binary file. I develop the appropriate filter so that only the packets of interest are visible, then do File->Export->File..., select All packets, Displayed, and Packet Bytes for the only Packet Format. I would hope that I can then save as raw, but I only find ASCII, PS, XML, etc. What am I doing wrong?
>
> What you're doing wrong is assuming that Wireshark has such a capability.

Sorry. It had the capability for TCP packets, so I assumed the same for UDP. I can write some code to take the text output from the File->Export->File... process, and convert it to binary, but I thought that capability was probably in there already (it's such a great program).

> In order to add such a capability, we first need to know what it would do, hence the questions.

Thanks for considering it.

Pete
[Wireshark-users] AirPcap
Any plans on supporting the AirPcap under linux any time soon?
Re: [Wireshark-users] Exporting raw packet data?
Replies in-line below...

>> I didn't even realize you could do this until I read your question, but here is one way (not sure if this is exactly what you want):
>>
>> Open a capture.
>> Narrow down the interesting packets (for example, I do a lot of web traffic analysis so I might use a filter such as http.content_length > 2).
>> Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save - just the actual binary data, not the packet headers. I would click on the interesting packet (assuming I have TCP and HTTP reassembly enabled).
>> Next, in the packet details window (middle pane) I would click on the relevant data portion. So for a JPEG image this would be the part that reads "JPEG File Interchange Format".
>> Finally, I would use the File->Export->Selected Packet Bytes menu item. Then I would name the file and I personally change the save as type to *.* so I can set the file extension (not completely sure this is necessary but I do it out of habit).
>> Now, if I open up this file with a graphics viewer I will see that I have a valid JPEG. Pretty cool stuff.
>
> I think that would work for small amounts of data, but I'm dealing with video streams over hundreds of packets.

Out of curiosity, I just tried it on a 4.4MB video file and while a little slow, it worked well. This is definitely a slick program!

>> You can also filter by TCP streams (but I believe you can't save as raw from the TCP Streams page).
>
> You can save as raw. It's great for video streams over TCP. I was hoping for a similar capability for UDP streams, after I'd applied a filter.

You're right of course - there is a save as raw option. I noticed though that this option also saves the headers. Thus for a binary file such as an image, you have to use a hex editor or binary editing program so you don't corrupt the file when you remove the headers. The other way it just saves the binary data so it's a small convenience that saves you from removing the headers.

I agree that it would be nice to have something like this for UDP but that means someone would have to write the dissector/re-assembler. Probably not an easy task.

--Jim
Re: [Wireshark-users] Exporting raw packet data?
On Mon, Nov 13, 2006 at 11:03:19PM -0500, Small, James wrote:

> I agree that it would be nice to have something like this for UDP but that means someone would have to write the dissector/re-assembler. Probably not an easy task.

Feel free to add this to the wish list at http://wiki.wireshark.org/WishList and perhaps someone will have a chance to add the feature :)

Steve
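Three of the questions in this digest come down to the same thing: the file that `tshark -w` writes is binary libpcap, not text (Jaap's and Guy's replies to Andrew), Sean wants only six fields per packet, and Pete wants the payloads of a UDP stream concatenated with the headers stripped. The following is an added example, not code from the thread or from Wireshark, that does all three on a libpcap file without Wireshark. It assumes the Ethernet link type, IPv4, and no VLAN tags; the sample capture at the bottom is constructed in code (hypothetical addresses, zero checksums), and the function names are mine. Current tshark versions also do the field extraction directly with `-T fields -e ip.src -e ip.dst ...`, which is the Jaap-style "text out, postprocess" route.

```python
"""Read a libpcap file (what `tshark -w` writes), keep a few fields per packet,
and concatenate the payload of one UDP flow. Constructed example."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic, host byte order
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield (timestamp_seconds, ethernet_frame) for each record in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                  # same magic read from a big-endian file
        endian = ">"
    else:
        raise ValueError("not a libpcap file: -w output is binary; text comes from stdout")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):                # 16-byte record header, then incl_len bytes
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def summarize(frame):
    """dict(src, dst, sport, dport, proto, payload) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    if ip[9] == 6 and len(l4) >= 20:                     # TCP: data offset in upper nibble of byte 12
        sport, dport = struct.unpack_from("!HH", l4, 0)
        hdr = (l4[12] >> 4) * 4
        return dict(src=src, dst=dst, sport=sport, dport=dport, proto="TCP", payload=l4[hdr:])
    if ip[9] == 17 and len(l4) >= 8:                     # UDP: fixed 8-byte header with length
        sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
        return dict(src=src, dst=dst, sport=sport, dport=dport, proto="UDP", payload=l4[8:ulen])
    return None


def extract_fields(data):
    """The six columns Sean asked for, one tuple per IPv4 TCP/UDP packet."""
    rows = []
    for ts, frame in parse_pcap(data):
        s = summarize(frame)
        if s:
            when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
            rows.append((when, s["src"], s["dst"], s["sport"], s["dport"], s["proto"]))
    return rows


def udp_stream_payload(data, src, sport, dst, dport):
    """Concatenate the payloads of one direction of a UDP flow, in capture order, no headers."""
    out = bytearray()
    for _ts, frame in parse_pcap(data):
        s = summarize(frame)
        if s and s["proto"] == "UDP" and (s["src"], s["sport"], s["dst"], s["dport"]) == (src, sport, dst, dport):
            out += s["payload"]
    return bytes(out)


# --- constructed sample capture: hypothetical addresses, checksums left at zero ---
def _ip4(a):
    return bytes(int(o) for o in a.split("."))

def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip4(src), _ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _pcap(frames, t0=1163400000):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame(6, "10.0.0.5", "10.0.0.80", _tcp(2058, 80, b"GET / HTTP/1.0\r\n\r\n")),
    _frame(17, "10.0.0.9", "10.0.0.5", _udp(5004, 6000, b"\xff\xd8\xff\xe0")),   # two chunks of one stream
    _frame(17, "10.0.0.9", "10.0.0.5", _udp(5004, 6000, b"JFIF")),
    _frame(17, "10.0.0.7", "10.0.0.5", _udp(5004, 6000, b"other sender")),       # different flow, excluded
])

if __name__ == "__main__":
    for row in extract_fields(SAMPLE_PCAP):
        print("\t".join(map(str, row)))
    blob = udp_stream_payload(SAMPLE_PCAP, "10.0.0.9", 5004, "10.0.0.5", 6000)
    print(f"{len(blob)} payload bytes for the selected UDP flow")
```

Because `parse_pcap` checks the magic number first, feeding it the text that tshark prints to stdout fails immediately with a clear error instead of producing garbage, which is the confusion in Andrew's first message. Note that `udp_stream_payload` simply concatenates datagrams in capture order; unlike TCP there is no sequence number to reorder by, so a lossy or reordered UDP stream comes out exactly as it was captured.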