Re: [Wireshark-users] Display filter
Hank, Thanks!

On 5/3/07, Hank Leininger [EMAIL PROTECTED] wrote:
> On Fri, May 04, 2007 at 01:33:22AM +0200, Luis Ontanon wrote:
> > On 5/4/07, Irakli Natshvlishvili [EMAIL PROTECTED] wrote:
> > > Also, could you clarify what type of regex wireshark supports?
> > pcre
> > > Here is the example - if there is a one line string:
> > >   sip:@10.10.10.20
> > >   sip matches sip:[ [EMAIL PROTECTED]
> > > What would be the regex which will find all packets matching sip: followed by @ when there are zero or more whitespace chars between sip: and @?
>
> Actually, for zero or more, you want *, not + (which is one or more):
>   sip matches sip:[ [EMAIL PROTECTED]
>
> > > I want to find out if a regex where string1 is followed by 0 or more (1 or more, exactly n times, more than n but less than m) whitespace (or alphanumerical or CRLF) characters before string2 can be written for wireshark. The above example is one such case; my previous question, about CRLF, was another.
>
>   string1[\r\n\sa-zA-Z0-9]{0,30}string2
>
> Adjust what's in the [ ]'s for whatever characters you want to accept in the intervening space. Curly braces say how many such tokens:
>   {n,m}  At least n times, at most m times.
>   {n,}   At least n times, no upper limit.
>   {n}    Exactly n times.
>   {,m}   Nonsense (invalid).
>
> Some suggested readings:
> - man perlre, or Google, and search for "The following standard quantifiers are recognized"
> - Mastering Regular Expressions, by Jeffrey Friedl. Will hurt your head and teach you more than you ever wanted to know about RE's.
>
> Thanks, Hank

-- I.N.

___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Need help with display filtering for all packets on a subnet
This is probably obvious, but my Google-fu seems to be weak today.

I have a trace file and I want to see any packet of a conversation between an IP on my network and one outside the network (aka filter inter-network traffic). However, I cannot seem to get a display filter that does this. I'm using the Windows build btw.

I tried:
  ip.addr !matches 192.168.*
  ip.addr !matches 192.168.+
  ip.addr != 192.168.*
  ip.addr:192.168.+
  ip.addr:192.168.*

So, I'm not sure what I am doing wrong... anyone mind politely lending me a clue? :)
Re: [Wireshark-users] Need help with display filtering for all packets on a subnet
On Fri, May 04, 2007 at 11:38:13AM +0200, Roman Daszczyszak wrote:
> This is probably obvious, but my Google-fu seems to be weak today.
> I have a trace file and I want to see any packet of a conversation between an IP on my network and one outside the network (aka filter inter-network traffic). However, I cannot seem to get a display filter that does this. I'm using the Windows build btw.
> I tried:
>   ip.addr !matches 192.168.*
>   ip.addr !matches 192.168.+
>   ip.addr != 192.168.*
>   ip.addr:192.168.+
>   ip.addr:192.168.*
> So, I'm not sure what I am doing wrong... anyone mind politely lending me a clue? :)

ip.addr!=192.168.0.0/16

or

ip.addr==192.168.0.0/16 and ip.addr!=192.168.0.0/16

:)

Sake
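Why the conjunction Sake gives is the precise inter-network filter is easier to see with a model of how Wireshark's `ip.addr` comparisons of this era behaved: `ip.addr` covers both ip.src and ip.dst, and a comparison is true if ANY of those occurrences satisfies it, so `ip.addr != net` means "at least one side is outside net", not `!(ip.addr == net)`. The Python below is an added example, not from the thread; it evaluates the three variants over constructed packets (Wireshark 4.0 later changed `!=` to "all not equal" and kept the old any-match behaviour as `~=`).

```python
"""Model of 2007-era Wireshark 'ip.addr' filter semantics (added example).

ip.addr is a multi-occurrence field (ip.src and ip.dst); a comparison is
true if ANY occurrence satisfies it.  Hence 'ip.addr != net' selects packets
where src or dst is outside net, which differs from '!(ip.addr == net)'."""
import ipaddress

NET = ipaddress.ip_network("192.168.0.0/16")   # the "my network" range from the thread


def addr_in(net, pkt):
    """One boolean per ip.addr occurrence (src, dst)."""
    return [ipaddress.ip_address(a) in net for a in (pkt["src"], pkt["dst"])]


def filter_any_eq(pkt, net=NET):
    """ip.addr == 192.168.0.0/16 : some address inside the net."""
    return any(addr_in(net, pkt))


def filter_any_ne(pkt, net=NET):
    """ip.addr != 192.168.0.0/16 : some address outside the net (old semantics)."""
    return not all(addr_in(net, pkt))


def filter_not_any_eq(pkt, net=NET):
    """!(ip.addr == 192.168.0.0/16) : no address inside the net at all."""
    return not any(addr_in(net, pkt))


def filter_inter_network(pkt, net=NET):
    """ip.addr == net and ip.addr != net : one side inside, the other outside."""
    return filter_any_eq(pkt, net) and filter_any_ne(pkt, net)


# Constructed sample packets (documentation-range addresses, not real hosts)
PACKETS = [
    {"src": "192.168.1.10", "dst": "192.168.1.20"},   # 0: internal <-> internal
    {"src": "192.168.1.10", "dst": "203.0.113.5"},    # 1: internal -> external
    {"src": "198.51.100.7", "dst": "192.168.2.3"},    # 2: external -> internal
    {"src": "198.51.100.7", "dst": "203.0.113.5"},    # 3: external <-> external
]


def matching_packets(flt, packets=PACKETS):
    """Indices of the packets a display-filter predicate would keep."""
    return [i for i, p in enumerate(packets) if flt(p)]


if __name__ == "__main__":
    for name, flt in [("ip.addr != net", filter_any_ne),
                      ("!(ip.addr == net)", filter_not_any_eq),
                      ("ip.addr == net and ip.addr != net", filter_inter_network)]:
        print(f"{name:38s} -> packets {matching_packets(flt)}")
```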
[Wireshark-users] Wireshark and 2GB capture files
Hi -

I was just wondering if there was support for trace files larger than 2GB on x86 machines (CentOS 5) by any chance? And if so, how do you go about getting this to work?

  2.6.18-8.1.3.el5
  libpcap-devel-0.9.4-8.1
  libpcap-0.9.4-8.1
  wireshark-0.99.5

Sorry, I'm new, so I apologize if I didn't provide sufficient information.

Alex
[Wireshark-users] capture filter
I'm weak at filters... can someone point me in a good direction..

I'm trying to find a LAYER 2 multicast issue on the network that, as luck would have it, pops up at different times every day.. The only reason I know of this issue is that some of the switches log the error..

  C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET

and Cisco's fix.. find the sender and fix it.. so I'm trying to track it down.. but .. I get a few different multicast source addresses.

How can I set my capture to allow me to put in just part of the ethernet address? I read the wiki, and since I have HIGH volumes of data (gig links running at 15-50 meg) I'd like to do more than just the multicast filter. I will if I have to.. I know the source mac always ends in 0007.

Thanks for any help / direction..
Re: [Wireshark-users] Wireshark and 2GB capture files
Hi Alex,

I never used CentOS, however independently of the OS it is recommended not to let the files grow too much, to keep them manageable. Otherwise it takes too long to process them. Using multiple files when doing the capture and limiting them to, let's say, 100MB (or less) you can handle that more easily. In case you need to see all together, wireshark can reassemble the files automatically, opening subsequent files together.

Br,
Juan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Alex Lee
Sent: Friday, 04 May 2007 05:18 a.m.
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Wireshark and 2GB capture files

> Hi -
> I was just wondering if there was support for trace files larger than 2GB on x86 machines (CentOS 5) by any chance? And if so, how do you go about getting this to work?
>   2.6.18-8.1.3.el5
>   libpcap-devel-0.9.4-8.1
>   libpcap-0.9.4-8.1
>   wireshark-0.99.5
> Sorry, I'm new, so I apologize if I didn't provide sufficient information.
> Alex
[Wireshark-users] Comparing RTP stream Jitter and Max Delta
Hello,

I have been troubled with understanding the connection between the Max Delta (ms) and the Max Jitter (ms) column in the RTP stream analysis.

If I use a G.711 codec (PCM) for the VoIP-call, there should be one packet sent every 20 milliseconds and therefore the Max Delta (ms) value should be pretty close to that (in ideal conditions). In this case the Jitter value also should be close to nothing.

I made some tests with a lot of heavy traffic over the same network where I made the VoIP-call, and I got some wild Max Delta values up to 360 milliseconds. I expected that the Jitter value would also follow the Max Delta value and go really high, but that is not the case. The highest Jitter that Wireshark shows for me in that same test is 42 milliseconds. I made several other tests as well, and for example if I got the Max Delta value up to 160 ms, the Max Jitter was 16 ms.

Jitter is supposed to be the variation of the time between packets arriving at the receiver, right? Then why, if there is such a huge gap between packets (as that 360 ms is), is the Jitter value only 42 ms? How is it really calculated then?

I searched the web for this and I found out that Interarrival Jitter is supposed to be: "The interarrival jitter J is defined to be the mean deviation (smoothed absolute value) of the difference D in packet spacing at the receiver compared to the sender for a pair of packets." @ RFC 3550. Though that Jitter means the RTCP-packet field Interarrival Jitter, not the Jitter measured from the RTP-packets.

Help me understand the connection between the Max Delay and the Max Jitter, because I don't really get it.

Thanks.
Re: [Wireshark-users] Comparing RTP stream Jitter and Max Delta
Hi,

see http://wiki.wireshark.org/RTP_statistics - "How jitter is calculated" (bottom of page).

Basically, jitter is a smoothed derivative of the interarrival delta. So it will not get nearly as high as the deltas themselves, unless fluctuations of deltas are very frequent and of high amplitude over a longer period of time.

Lars

Jaakko Hakalahti wrote:
> Hello,
> I have been troubled with understanding the connection between the Max Delta (ms) and the Max Jitter (ms) column in the RTP stream analysis.
> If I use a G.711 codec (PCM) for the VoIP-call, there should be one packet sent every 20 milliseconds and therefore the Max Delta (ms) value should be pretty close to that (in ideal conditions). In this case the Jitter value also should be close to nothing.
> I made some tests with a lot of heavy traffic over the same network where I made the VoIP-call, and I got some wild Max Delta values up to 360 milliseconds. I expected that the Jitter value would also follow the Max Delta value and go really high, but that is not the case. The highest Jitter that Wireshark shows for me in that same test is 42 milliseconds. I made several other tests as well, and for example if I got the Max Delta value up to 160 ms, the Max Jitter was 16 ms.
> Jitter is supposed to be the variation of the time between packets arriving at the receiver, right? Then why, if there is such a huge gap between packets (as that 360 ms is), is the Jitter value only 42 ms? How is it really calculated then?
> I searched the web for this and I found out that Interarrival Jitter is supposed to be: "The interarrival jitter J is defined to be the mean deviation (smoothed absolute value) of the difference D in packet spacing at the receiver compared to the sender for a pair of packets." @ RFC 3550. Though that Jitter means the RTCP-packet field Interarrival Jitter, not the Jitter measured from the RTP-packets.
> Help me understand the connection between the Max Delay and the Max Jitter, because I don't really get it.
> Thanks.
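To see numerically why the smoothed jitter stays far below the largest delta, here is an added Python implementation (not from the thread, and not Wireshark's own code) of the RFC 3550 interarrival jitter estimator, run over a constructed G.711 stream in which one packet stalls for 340 ms. A single 360 ms delta moves the jitter by only (340 - J)/16, and normal spacing afterwards decays it again.

```python
"""RFC 3550 interarrival jitter next to the raw interarrival delta.

Constructed input: a G.711 stream (20 ms packets, 8 kHz RTP clock) in
which one packet is held up by 340 ms and later packets keep that offset,
so the receiver sees a single 360 ms delta."""

RTP_CLOCK_HZ = 8000   # G.711 RTP timestamp clock
PTIME_MS = 20         # packetisation interval


def rtp_stream_stats(packets, clock_hz=RTP_CLOCK_HZ):
    """packets: [(arrival_ms, rtp_timestamp), ...] in arrival order.

    Returns (max_delta_ms, max_jitter_ms, jitter_per_packet_ms), mirroring
    the Delta and Jitter columns of the RTP stream analysis."""
    max_delta = 0.0
    jitter = 0.0
    max_jitter = 0.0
    jitters = [0.0]                     # first packet has no predecessor
    for (r_prev, s_prev), (r_cur, s_cur) in zip(packets, packets[1:]):
        delta = r_cur - r_prev          # raw interarrival delta (ms)
        max_delta = max(max_delta, delta)
        # D(i-1,i) = (R_i - R_i-1) - (S_i - S_i-1): receiver spacing minus
        # sender spacing, the latter converted from RTP ticks to ms
        sender_spacing = (s_cur - s_prev) * 1000.0 / clock_hz
        d = delta - sender_spacing
        # RFC 3550 section 6.4.1 smoothing: J = J + (|D| - J) / 16
        jitter += (abs(d) - jitter) / 16.0
        max_jitter = max(max_jitter, jitter)
        jitters.append(jitter)
    return max_delta, max_jitter, jitters


def constructed_g711_stream(n=60, stall_at=20, stall_ms=340):
    """Constructed capture: packet `stall_at` and all later ones arrive
    stall_ms late, giving one large delta followed by normal 20 ms spacing."""
    packets = []
    for i in range(n):
        sent_ms = i * PTIME_MS
        arrival_ms = sent_ms + (stall_ms if i >= stall_at else 0)
        rtp_ts = i * PTIME_MS * RTP_CLOCK_HZ // 1000   # 160 ticks per packet
        packets.append((float(arrival_ms), rtp_ts))
    return packets


if __name__ == "__main__":
    max_delta, max_jitter, _ = rtp_stream_stats(constructed_g711_stream())
    print(f"Max Delta {max_delta:.1f} ms, Max Jitter {max_jitter:.2f} ms")
```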
Re: [Wireshark-users] capture filter
Tom Greaser wrote:
> Thanks Guy.. JUST what I was asking for. I will remember to man tcpdump next time ..

Well, the man page is a start, but the "expr relop expr" section is a bit of Full Frontal Capture Filter[*] - you have to know that the capability is there, and you then have to go from that to the particular type of filter you need, so it's a bit more than just RTFM.

[*] Rob Gingell at Sun once contrasted the dbxtool GUI app in SunOS with using what he called "full frontal dbx" as the debugger. I've used variants of the phrase since then as a term for using various things without the help of the friendly front ends.
Re: [Wireshark-users] Wireshark and 2GB capture files
Hi Juan -

I work in support, and most of the time when SE's or customers take traces they usually don't know how to really use tcpdump and what not, so the traces (or collector) don't really care and therefore I get stuck with huge traces. I was hoping to use tethereal with the -R option and -w option to filter a file w/out launching the GUI, and just peg (someone else's) server to chop the sucker down before I open it up and take a look at it.

I noticed that editcap and capinfos cannot open the file either, but I figured, if any of the programs that ship with WS wouldn't care about file sizes it would've been capinfos, but it does care :-)

Would a 64bit edition of WS (or built on that platform) help any?

Thanks,
Alex Lee
Riverbed Technology

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 04, 2007 8:02 AM
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] Wireshark and 2GB capture files

> Hi Alex,
> I never used CentOS, however independently of the OS it is recommended not to let the files grow too much, to keep them manageable. Otherwise it takes too long to process them. Using multiple files when doing the capture and limiting them to, let's say, 100MB (or less) you can handle that more easily. In case you need to see all together, wireshark can reassemble the files automatically, opening subsequent files together.
> Br,
> Juan
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ext Alex Lee
> Sent: Friday, 04 May 2007 05:18 a.m.
> To: wireshark-users@wireshark.org
> Subject: [Wireshark-users] Wireshark and 2GB capture files
>
> > Hi -
> > I was just wondering if there was support for trace files larger than 2GB on x86 machines (CentOS 5) by any chance? And if so, how do you go about getting this to work?
> >   2.6.18-8.1.3.el5
> >   libpcap-devel-0.9.4-8.1
> >   libpcap-0.9.4-8.1
> >   wireshark-0.99.5
> > Sorry, I'm new, so I apologize if I didn't provide sufficient information.
> > Alex
Re: [Wireshark-users] wpa decryption and : in passphrase
Matthieu CASTET [EMAIL PROTECTED] writes:
> Hi,
> I want to use Decrypt 802.11 of wireshark, but my passphrase contains ':'. So wireshark fails to parse my passphrase correctly.
> After looking at http://wiki.wireshark.org/HowToDecrypt802.11?highlight=%28CategoryHowTo%29, I wonder if there is an escape sequence for ':'.
> If not, is there some tool to generate the pre-shared key from passphrase and ssid, or is other information needed?

Ok, I managed to get the pre-shared key from wpa_supplicant debug data.

I hope next versions will handle the ':' in the passphrase.

Matthieu
[Wireshark-users] WISH : WPA Decrypt
Hi,

I use wireshark to debug a wpa driver that I develop. Unfortunately it doesn't check the mic.

It would be great if wireshark could check whether the mic data is valid and, if it isn't, display a warning.

Thanks
Matthieu
Re: [Wireshark-users] wpa decryption and : in passphrase
On Fri, May 04, 2007 at 05:59:18PM +, Matthieu CASTET wrote:
> I want to use Decrypt 802.11 of wireshark, but my passphrase contains ':'. So wireshark fails to parse my passphrase correctly.
> After looking at http://wiki.wireshark.org/HowToDecrypt802.11?highlight=%28CategoryHowTo%29, I wonder if there is an escape sequence for ':'.

What should be possible is to enter the passphrase hex encoded:
e.g. P:D -> 0x503a44

ciao
Joerg

--
Joerg Mayer [EMAIL PROTECTED]
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
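The two workarounds in this thread, hex-encoding the passphrase as Joerg suggests and deriving the pre-shared key directly as Matthieu did via wpa_supplicant, are both shown in the added Python below (example code, not from the thread or from Wireshark). It assumes the wiki's `wpa-pwd` key form is `passphrase:ssid`, which is why a colon inside the passphrase gets split at the wrong place, and uses the IEEE 802.11i PSK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), the same computation wpa_passphrase performs.

```python
"""Added example: hex-encode a passphrase containing ':' and derive the
WPA/WPA2 PSK from passphrase + SSID so the 64-hex-digit key can be entered
instead of the passphrase.  Assumes the 'wpa-pwd' entry form 'passphrase:ssid'."""
import hashlib


def wpa_pwd_fields(entry: str):
    """Naive 'passphrase:ssid' split: a ':' inside the passphrase breaks it."""
    return entry.split(":")


def hex_passphrase(passphrase: str) -> str:
    """Encode the passphrase as 0x<hex> so the entry contains no ':'.
    'P:D' becomes '0x503a44', matching the example in the reply above."""
    return "0x" + passphrase.encode("ascii").hex()


def wpa_psk(passphrase: str, ssid: str) -> str:
    """256-bit PSK as 64 hex digits, per IEEE 802.11i: PBKDF2-HMAC-SHA1 with
    the SSID as salt, 4096 iterations (what wpa_passphrase prints as psk=)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # Constructed passphrase/SSID pair containing a colon (not a real network)
    passphrase, ssid = "ab:cd:ef:gh", "ExampleSSID"
    print("naive split   :", wpa_pwd_fields(f"{passphrase}:{ssid}"))
    print("hex passphrase:", hex_passphrase(passphrase))
    print("derived psk   :", wpa_psk(passphrase, ssid))
```

With the derived PSK in hand, a 64-hex-digit key entry avoids the passphrase parsing problem entirely.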
[Wireshark-users] Tshark and using display filters
I have a capture file, want to use tshark to filter packets and write a new file. When I use

  tshark -r all.cap -w filtered.cap -R udp contains 100

I'm getting

  tshark Read filters were specified both with -R and with additional command-line arguments

Platform is XP with SP2. What am I doing wrong?

-- I.N.
Re: [Wireshark-users] Wireshark and 2GB capture files
I think you would be better off realtime parsing this and shoving it into a db. That would eliminate the 2GB limit and allow you to run filtering and more advanced options (in Wireshark) from your favorite desktop after a more selective query on the db.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Lee
Sent: Friday, May 04, 2007 3:18 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Wireshark and 2GB capture files

> Hi -
> I was just wondering if there was support for trace files larger than 2GB on x86 machines (CentOS 5) by any chance? And if so, how do you go about getting this to work?
>   2.6.18-8.1.3.el5
>   libpcap-devel-0.9.4-8.1
>   libpcap-0.9.4-8.1
>   wireshark-0.99.5
> Sorry, I'm new, so I apologize if I didn't provide sufficient information.
> Alex
Re: [Wireshark-users] Wireshark and 2GB capture files
Realtime - meaning `tcpdump -r xxx.cap | mysql-insert.pl` once...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Connolly XX (PL/EUS)
Sent: Friday, May 04, 2007 4:35 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Wireshark and 2GB capture files

> I think you would be better off realtime parsing this and shoving it into a db. That would eliminate the 2GB limit and allow you to run filtering and more advanced options (in Wireshark) from your favorite desktop after a more selective query on the db.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Lee
> Sent: Friday, May 04, 2007 3:18 AM
> To: wireshark-users@wireshark.org
> Subject: [Wireshark-users] Wireshark and 2GB capture files
>
> > Hi -
> > I was just wondering if there was support for trace files larger than 2GB on x86 machines (CentOS 5) by any chance? And if so, how do you go about getting this to work?
> >   2.6.18-8.1.3.el5
> >   libpcap-devel-0.9.4-8.1
> >   libpcap-0.9.4-8.1
> >   wireshark-0.99.5
> > Sorry, I'm new, so I apologize if I didn't provide sufficient information.
> > Alex