Re: [Wireshark-dev] Random feature and enhancements ideas (topics for Sharkfests developers room?)

2012-05-10 Thread Jasper Bongertz
Hi Anders, - The defined blocks are capture oriented should we define some analysis re-saving oriented ones. - UDP/TCP/SCTP... port map similar to the NRB (think decode as) - Read

Re: [Wireshark-dev] pcapng options

2012-11-02 Thread Jasper Bongertz
On 02.11.2012 04:23, Guy Harris wrote: Is it legal to have a pcap-ng file that contains a block with options that does not contain an opt_endofopt option? My inclination would be to say yes, to indicate that option processing must stop when you

[Wireshark-dev] PCAPng Name Resolution Blocks

2013-01-20 Thread Jasper Bongertz
Hi all, can anyone tell me when Wireshark/Dumpcap will actually write a Name Resolution Block to a pcapng file? I have a file written with an older dumpcap version (I guess it was pre 1.8) that contains a NRB but the latest 1.9 build doesn't seem to do that at all. I tried with DNS queries

Re: [Wireshark-dev] Start and stop capture toolbar buttons?

2013-04-09 Thread Jasper Bongertz
Either way, we aren't going to have any hard data for the expected release of 1.10 unless that gets bumped back a *lot*. The best we can do is probably a quick poll, so I've created just that:

Re: [Wireshark-dev] What is the history and status of PCAP Next Generation?

2013-10-09 Thread Jasper Bongertz
Sorry to answer this late; I saw this email a week ago but didn't manage to reply - the todo got swapped out but never swapped in again. Graham gave me a heads up (that I didn't see until now, either, *sigh*), so here I go. Q2: What is the status of pcap-ng? * it works fine, everyone's

Re: [Wireshark-dev] [Wireshark-commits] master 104a6ed: Disable IPv4 checksum verfification to match TCP and UDP.

2014-03-02 Thread Jasper Bongertz
On Sat, Mar 01, 2014 at 01:49:58PM +, Wireshark code review wrote: URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=104a6edd1fb703c5c2319c893720df86f8c9a9e7 ... 104a6ed by Gerald Combs (ger...@wireshark.org): Disable IPv4 checksum verfification to match TCP

[Wireshark-dev] Initial RTT

2014-07-02 Thread Jasper Bongertz
Hello, as promised during Sharkfest, I checked the latest developer builds for the accuracy of the calculation of initial RTT for TCP connections. So far I have only seen correct results, even in cases with heavy packet loss during the three way handshake. So I think the code is good.

Re: [Wireshark-dev] Initial RTT

2014-07-03 Thread Jasper Bongertz
2014-07-02 20:59 GMT+02:00 Jasper Bongertz jas...@packet-foo.com: Hello, as promised during Sharkfest, I checked the latest developer builds for the accuracy of the calculation of initial RTT for TCP connections. So far I have only seen correct results, even in cases

Re: [Wireshark-dev] How WIRESHARK confirm the TCP OUT-OF-ORDER packet!

2014-09-15 Thread Jasper Bongertz
Hello Jeff, Out-of-order is basically a packet that arrives just a little too late to be in-sequence, but is not a retransmission. It's the original packet, which somehow got rearranged on the way to the destination so that it arrives after a packet following it in sequence. WAN optimizers

Re: [Wireshark-dev] Translation tools

2014-10-28 Thread Jasper Bongertz
Hi all, FYI, for the fun of it I started working on the German translation for the QT UI. Just in case someone else gets the same idea. Cheers, Jasper

[Wireshark-dev] MPLS dissection fail

2015-06-12 Thread Jasper Bongertz
Hi all, I just added a bug report, as agreed with Alexis, regarding the dissection failure in 1.99 when a frame contains MPLS shims. This is the bug report URL: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11271 and I also attached a screen shot comparing 1.12.5 and 1.99 to this email (I

[Wireshark-dev] Dumpcap 2.x trouble

2016-04-18 Thread Jasper Bongertz
Hi all, I noticed that captures taken with Wireshark 2.x (meaning, with dumpcap coming with those versions) show unexpected results (see Glossary below for the abbreviations). With 1.12, the dumpcap version is written to the application option field in the SHB, and the OS build in

Re: [Wireshark-dev] Writing NoOp PCAP-NG Records

2016-07-05 Thread Jasper Bongertz
Hi Paul, I see the problem, but isn't it possible to read the .etl file first to extract the interface information, write the IDBs and then reread the file to convert the blocks? Maybe this can even be done in a way skipping having to read all of the .etl file first, reading from the back instead

Re: [Wireshark-dev] Tools to anonymize pcaps with cellular/3gpp traffic

2017-06-07 Thread Jasper Bongertz
Hi Ivan, > There are a few public available tools that anonymize pcap files, > but they usually target L2-L4 layers and "standard" protocols (i.e. > dns, icmp,...) There is a good reason for this: the complexity to anonymize anything on top of L4 is a nightmare. UDP only haunts you with IP

Re: [Wireshark-dev] Tools to anonymize pcaps with cellular/3gpp traffic

2017-06-08 Thread Jasper Bongertz
Hi, I learned that there is a tool that is supposed to be supporting lots and lots of protocols (including Cellular stuff apparently), called "SafePCAP". It's not free though, and I haven't tried it, so I have no idea what it can or cannot do correctly. https://omnipacket.com/safepcap.html

Re: [Wireshark-dev] Tools to anonymize pcaps with cellular/3gpp traffic

2017-06-08 Thread Jasper Bongertz
Hi Ivan, > Only one note: AFAIK 3gpp/cellular protocols are not usually on top of > TCP/UDP (with the main exception of GTP_U/C) but on top of SCTP (or > even some SS7 stuff) Thanks, I wasn't aware, but it doesn't surprise me - and it probably makes things even more complex... Cheers, Jasper

[Wireshark-dev] Gerrit

2018-09-11 Thread Jasper Bongertz
Hi Dario, I saw you assigned a Gerrit change/ticket/thingy to me - I have to admit that I'm not really sure what to do there. I have no build environment for Wireshark at the moment, and I don't know what I'm supposed to do? Are those changes ending up in the automatic builds? Cheers,

Re: [Wireshark-dev] New syntax for range support in membership operator: tcp.port in {1662-1664}

2018-04-15 Thread Jasper Bongertz
Hi, +1 for the double dot syntax. Cheers, Jasper Sunday, April 15, 2018, 3:03:53 PM, you wrote: > Hi, > In fact I would suggest to consider double dot (‘..’) in this case. > Reasons: > * It is a sufficiently unique operator > * The minus causes too many conflicts, as you have stated > *

Re: [Wireshark-dev] [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

2018-10-01 Thread Jasper Bongertz
Michael Richardson wrote: > Peter Wu wrote: > > Requirements for block placement: > > - No requirement. Producers are allowed to write the block anywhere. > > Disadvantages for consumers: requires a two-pass scan to collect > > secrets before they are used. > I prefer this, but I

Re: [Wireshark-dev] Gerrit

2018-09-13 Thread Jasper Bongertz
Hello Peter, I think calling it as "assigned to me" was a misinterpretation on my behalf. Dario only wanted me to be cc'd in, as you assumed. Thanks! Jasper Thursday, September 13, 2018, 11:26:07 AM, you wrote: > Hi Jasper, > On Tue, Sep 11, 2018 at 12:36:10PM +0200, Jaspe

Re: [Wireshark-dev] Wireshark hosts file location

2019-04-02 Thread Jasper Bongertz
>> On 21 Mar 2019 (Thu), at 10:16, Jasper Bongertz >> wrote: >> I just saw this: https://ask.wireshark.org/question/8014/hosts-file-manager/ >> My first impulse was "put the hosts in a profile directory and switch it via >> profiles", but when I teste

[Wireshark-dev] Wireshark hosts file location

2019-03-21 Thread Jasper Bongertz
Hi Graham, I just saw this: https://ask.wireshark.org/question/8014/hosts-file-manager/ My first impulse was "put the hosts in a profile directory and switch it via profiles", but when I tested that it didn't work (no names resolved). I'm not sure if the hosts file is even read when it's in

Re: [Wireshark-dev] Wireshark hosts file location

2019-03-21 Thread Jasper Bongertz
at all). Currently I am in the middle of rewriting the profile system and can put this on the todo list. Could you describe the behavior a little bit? kind regards Roland On Thu, 21 March 2019 at 10:17, Jasper Bongertz <jas...@packet-foo.com> wrote: Hi Graham, I just saw this:

Re: [Wireshark-dev] Npcap 0.9-r9 causing WiFi disconnect?

2019-03-06 Thread Jasper Bongertz
Hi, same here - I had strange WiFi disconnects in the past (and didn't connect it to Npcap, so that finally explains them), but not with the current version of npcap. But I guess rolling out Wireshark 3.0 with Npcap now extremely

Re: [Wireshark-dev] Wireshark hosts file location

2019-03-21 Thread Jasper Bongertz
See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11470 - Chris From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Jasper Bongertz Sent: Thursday, March 21, 2019 6:38 AM To: Roland Knall ; Developer support list for Wireshark Subject: Re: [Wireshark-dev] Wireshark hosts file

Re: [Wireshark-dev] Wireshark on Kali linux

2019-02-07 Thread Jasper Bongertz
On Wed, 6 Feb 2019 at 17:32, Guy Harris wrote: So the question is whether we should print/pop up a message if TShark/Wireshark is running as root - and, if we do, whether we should have a compile or configuration

Re: [Wireshark-dev] Passwordlist in Wireshark - User feedback wanted

2019-06-16 Thread Jasper Bongertz
Hi There is a patch currently waiting for inclusion. It would allow for dissectors to easily make credentials (username/password) available and present them in a tool window in Wireshark. The main concern here is,

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-19 Thread Jasper Bongertz
Hi, so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because meta data is added? This usually happens by adding a trailer to the Ethernet frame, e.g. some TAPs do that to add high precision timestamps and other

Re: [Wireshark-dev] Visual studio 2019 from choco

2019-11-26 Thread Jasper Bongertz
Oh. A very old and unsupported (by MS) version of Win 10. See here for lifecycle info: https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet Indeed. It was a fresh install with no updates (due to network

Re: [Wireshark-dev] Brotli decompression

2019-12-19 Thread Jasper Bongertz
age- > From: Wireshark-dev On Behalf Of Jasper > Bongertz > Sent: den 19 december 2019 13:30 > To: wireshark-dev@wireshark.org > Subject: [Wireshark-dev] Brotli decompression > Hello all, > I found this in the release notes of Wireshark 3.2: "Brotli decompr

[Wireshark-dev] Brotli decompression

2019-12-19 Thread Jasper Bongertz
Hello all, I found this in the release notes of Wireshark 3.2: "Brotli decompression support in HTTP/HTTP2 (requires the brotli library)" Sounds great, but I can't seem to find any instructions how to add the "brotli library" to my Wireshark installation. I guess I need some DLL, but

Re: [Wireshark-dev] Brotli decompression

2020-01-03 Thread Jasper Bongertz
ng or haven't really understood what it's supposed to be doing :-) Cheers, Jasper Friday, January 3, 2020, 10:31:30 PM, you wrote: > Hi Jasper, > Do you still have an issue? If so, can you check whether TCP reassembly > is enabled? > Kind regards, > Peter > On Thu, Dec 19, 2019 at 0

Re: [Wireshark-dev] Proposed changes to make tcp.ack and tcp.seq relative

2020-05-04 Thread Jasper Bongertz
Hello Peter, > A request was filed earlier to add a new "tcp.ack_rel" field to ensure > that color filters can be created that always work on the relative > sequence numbers independent of the "Relative sequence numbers" option. > Instead of adding a new field, I propose to change the existing

Re: [Wireshark-dev] Proposed changes to make tcp.ack and tcp.seq relative

2020-05-05 Thread Jasper Bongertz
Hello Peter, Tuesday, May 5, 2020, 1:46:13 AM, you wrote: >> To avoid cluttering the TCP tree with redundant fields: can we only show the >> absolutes if the relatives are also displayed? I don't think it's useful to >> show the absolutes twice. > Sure! The fields will be hidden in the view,

Re: [Wireshark-dev] Capturing 10GbE on a Linux laptop?

2020-08-05 Thread Jasper Bongertz
Hi Richard, I know there are some USB-C 10G network adapters (and the ProfiShark 10G, of course), but I haven't tested any of them. Writing that much data to disk is something I do with small portable servers (about the size of a small shoe box) with an FPGA-based capture card. Cheers, Jasper