[Wireshark-users] How to switch from Digest Mailing-List mode to Single Mails mode?
Currently I receive all postings in this mailing list as a daily digest. How can I switch to single e-mail mode WITHOUT completely unsubscribing and re-subscribing again? On the web page http://www.wireshark.org/mailman/listinfo/wireshark-users I did not find an option for CHANGING to/from daily digest mode.

Ben

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] How to switch from Digest Mailing-List mode to Single Mails mode?
On Fri, Jan 25, 2008 at 09:21:10AM +0100, Ben Stover wrote:
> Currently I receive all postings in this mailing list as a daily digest. How can I switch to single e-mail mode WITHOUT completely unsubscribing and re-subscribing again? On the web page http://www.wireshark.org/mailman/listinfo/wireshark-users I did not find an option for CHANGING to/from daily digest mode.

AFAIK the digest and the single-mail version of this users forum are two different mailing lists in the eyes of the mailing-list server. OK, the content is related, but they have two separate subscriber lists. It's not one subscriber list with a choice of format. It would be easiest to subscribe to the single-email version of the list and then resign your subscription to the digest version.

Cheers,
Sake
Re: [Wireshark-users] top talkers by port usage or SYN attempts
On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.

Well, in Wireshark you can use the Endpoints option under Statistics. This could give you the top 10 list of ip-addresses generating the most packets or bytes.

If you just want SYN packets to be counted, you can either create a 2nd trace file with only the SYN packets and look at the endpoint statistics in this new file. Or... you could use tshark with some command piping:

tshark -r tracefile -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head

I hope this helps,

Cheers,
Sake
Re: [Wireshark-users] top talkers by port usage or SYN attempts
To be honest, if they're creating that many connections then it should be pretty obvious from eyes on the capture itself.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of jacob c
Sent: 25 January 2008 00:27
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] top talkers by port usage or SYN attempts

I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.

Thank you,
Re: [Wireshark-users] Capture filter for MAC addresses
On Jan 25, 2008, at 4:24 PM, Frank Bulk wrote:
> I've looked at the wiki page (http://wiki.wireshark.org/Ethernet) but it's not entirely clear to me how I would capture the traffic from all those devices that share the same OUI. For example, if the OUI of interest was Cisco (00:1b:0d), I have tried this:
>
> ether[0:4]=0x001B0D
>
> but it didn't seem to work. I suspect I don't fully understand the usage of the square brackets, and perhaps I need to use a mask of some kind.

Capture filters can only test 1-byte, 2-byte, or 4-byte fields:

$ man tcpdump
...
       expression
              selects which packets will be dumped. If no expression is
              given, all packets on the net will be dumped. Otherwise,
              only packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives. Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers. There are three different kinds of qualifier:
...
       expr relop expr
              True if the relation holds, where relop is one of >, <, >=,
              <=, =, !=, and expr is an arithmetic expression composed of
              integer constants (expressed in standard C syntax), the normal
              binary operators [+, -, *, /, &, |, <<, >>], a length operator,
              and special packet data accessors. Note that all comparisons
              are unsigned, so that, for example, 0x80000000 and 0xffffffff
              are > 0. To access data inside the packet, use the following
              syntax:

                   proto [ expr : size ]

              Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip,
              arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the
              protocol layer for the index operation. (ether, fddi, wlan,
              tr, ppp, slip and link all refer to the link layer. radio
              refers to the radio header added to some 802.11 captures.)
              Note that tcp, udp and other upper-layer protocol types only
              apply to IPv4, not IPv6 (this will be fixed in the future).
              The byte offset, relative to the indicated protocol layer, is
              given by expr. Size is optional and indicates the number of
              bytes in the field of interest; it can be either one, two, or
              four, and defaults to one. The length operator, indicated by
              the keyword len, gives the length of the packet.

so, yes, you'd have to either

1) do

	ether[0] == 0x00 and ether[1] == 0x1B and ether[2] == 0x0D

or

2) use a mask -

	(ether[0:4] & 0xFFFFFF00) == 0x001B0D00

(the latter generates less BPF code, and would run a little faster).
Re: [Wireshark-users] Capture filter for MAC addresses
Thanks, that helps a lot.

Now, to take it one step farther, I need to apply that capture filter to the client field (labeled in the display filter 'bootp.hw.mac_addr'). Is that possible in a capture filter? And if you're going to ask if the offset from the start of the packet is consistent, it's not. Basically what I'm trying to do here is capture the DHCP packets for a certain brand of devices in the field, but they're behind a DHCP relay, so I can't use the frame's hardware MAC address because it's always the DHCP relay device.

Frank

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2008 8:22 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture filter for MAC addresses

On Jan 25, 2008, at 4:24 PM, Frank Bulk wrote:
> I've looked at the wiki page (http://wiki.wireshark.org/Ethernet) but it's not entirely clear to me how I would capture the traffic from all those devices that share the same OUI. For example, if the OUI of interest was Cisco (00:1b:0d), I have tried this:
>
> ether[0:4]=0x001B0D
>
> but it didn't seem to work. I suspect I don't fully understand the usage of the square brackets, and perhaps I need to use a mask of some kind.

Capture filters can only test 1-byte, 2-byte, or 4-byte fields:

$ man tcpdump
...
       expression
              selects which packets will be dumped. If no expression is
              given, all packets on the net will be dumped. Otherwise,
              only packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives. Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers. There are three different kinds of qualifier:
...
       expr relop expr
              True if the relation holds, where relop is one of >, <, >=,
              <=, =, !=, and expr is an arithmetic expression composed of
              integer constants (expressed in standard C syntax), the normal
              binary operators [+, -, *, /, &, |, <<, >>], a length operator,
              and special packet data accessors. Note that all comparisons
              are unsigned, so that, for example, 0x80000000 and 0xffffffff
              are > 0. To access data inside the packet, use the following
              syntax:

                   proto [ expr : size ]

              Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip,
              arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the
              protocol layer for the index operation. (ether, fddi, wlan,
              tr, ppp, slip and link all refer to the link layer. radio
              refers to the radio header added to some 802.11 captures.)
              Note that tcp, udp and other upper-layer protocol types only
              apply to IPv4, not IPv6 (this will be fixed in the future).
              The byte offset, relative to the indicated protocol layer, is
              given by expr. Size is optional and indicates the number of
              bytes in the field of interest; it can be either one, two, or
              four, and defaults to one. The length operator, indicated by
              the keyword len, gives the length of the packet.

so, yes, you'd have to either

1) do

	ether[0] == 0x00 and ether[1] == 0x1B and ether[2] == 0x0D

or

2) use a mask -

	(ether[0:4] & 0xFFFFFF00) == 0x001B0D00

(the latter generates less BPF code, and would run a little faster).
[Wireshark-users] Capture filter for MAC addresses
I've looked at the wiki page (http://wiki.wireshark.org/Ethernet) but it's not entirely clear to me how I would capture the traffic from all those devices that share the same OUI. For example, if the OUI of interest was Cisco (00:1b:0d), I have tried this:

ether[0:4]=0x001B0D

but it didn't seem to work. I suspect I don't fully understand the usage of the square brackets, and perhaps I need to use a mask of some kind.

Any suggestions?

Frank
Re: [Wireshark-users] Capture filter for MAC addresses
Frank Bulk wrote:
> Now, to take it one step farther, I need to apply that capture filter to the client field (labeled in the display filter 'bootp.hw.mac_addr'). Is that possible in a capture filter? And if you're going to ask if the offset from the start of the packet is consistent, it's not.

Offsets can be computed based on the values in other fields:

       expr relop expr
              True if the relation holds, where relop is one of >, <, >=,
              <=, =, !=, and expr is an arithmetic expression composed of
              integer constants (expressed in standard C syntax), the normal
              binary operators [+, -, *, /, &, |, <<, >>], a length operator,
              and special packet data accessors. Note that all comparisons
              are unsigned, so that, for example, 0x80000000 and 0xffffffff
              are > 0. To access data inside the packet, use the following
              syntax:

                   proto [ expr : size ]

I.e., it says expr in proto[expr:size], which means the offset in proto[expr:size] can be an arbitrary expression.

Figuring out the right expression is left as an exercise for the reader. (If it involves a loop, however, forget it - the offset *eventually* has to be based on values at a fixed offset from, for example, the beginning of the UDP payload. Fortunately, the UDP header is fixed-length.)
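An added worked example, not code from the thread, covering both Guy's masked 4-byte compare for the Ethernet address and Frank's follow-up about matching the OUI in the BOOTP client hardware address behind a relay. It builds the two capture-filter strings and checks their logic against constructed frames with a pure-Python stand-in for the BPF loads; the BOOTP layout (chaddr at offset 28 of the message, RFC 951) and the MAC/IP values in the sample frames are assumptions of this example.

```python
import struct

OUI = bytes.fromhex("001b0d")  # the Cisco OUI used in the thread


def masked_compare(oui):
    """(mask, value) for a 4-byte load whose first three bytes must equal oui."""
    return 0xFFFFFF00, int.from_bytes(oui + b"\x00", "big")


def ether_oui_filter(oui, source=True):
    """Guy's mask form. ether[6:4] reads the source address, ether[0:4] the
    destination address (Frank's attempt used the destination offset)."""
    mask, value = masked_compare(oui)
    return "(ether[%d:4] & 0x%08X) = 0x%08X" % (6 if source else 0, mask, value)


def dhcp_chaddr_oui_filter(oui):
    """Frank's case: chaddr starts 28 bytes into the BOOTP message, which
    starts 8 bytes after the UDP header, so udp[36:4] loads the first four
    chaddr bytes. tcpdump's udp[] accessor already skips a variable-length
    IPv4 header, so a fixed udp offset works although the offset from the
    start of the frame is not constant."""
    mask, value = masked_compare(oui)
    return "(udp port 67 or udp port 68) and (udp[36:4] & 0x%08X) = 0x%08X" % (mask, value)


# Pure-Python stand-ins for the BPF loads, used to check the filter logic.
def ether_load4(frame, off):
    return int.from_bytes(frame[off:off + 4], "big")


def udp_load4(frame, off):
    """udp[off:4]: offset relative to the UDP header, which follows the
    14-byte Ethernet header and an IPv4 header of IHL*4 bytes."""
    ihl = (frame[14] & 0x0F) * 4
    start = 14 + ihl + off
    return int.from_bytes(frame[start:start + 4], "big")


def naive_oui_match(frame):
    """Frank's original attempt, ether[0:4]=0x001B0D: a 4-byte load can
    never equal a 3-byte constant, so this is false even on a match."""
    return ether_load4(frame, 0) == 0x001B0D


def masked_oui_match(frame, oui, off):
    mask, value = masked_compare(oui)
    return (ether_load4(frame, off) & mask) == value


def chaddr_oui_match(frame, oui):
    mask, value = masked_compare(oui)
    return (udp_load4(frame, 36) & mask) == value


def build_relayed_dhcp_frame(client_mac, relay_mac, ip_options=b""):
    """Constructed sample: Ethernet + IPv4 (+ optional options) + UDP +
    minimal BOOTP request, as a relay forwards it to the server."""
    server_mac = bytes.fromhex("0050560000aa")           # made-up server MAC
    eth = server_mac + relay_mac + b"\x08\x00"            # dst, src, type=IPv4
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1, 1, 6, 1,                       # BOOTREQUEST, Ethernet, hlen 6, hops 1
                        0x12345678, 0, 0,                 # xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
                        bytes([10, 0, 0, 1]),             # giaddr: the relay
                        client_mac.ljust(16, b"\0"))      # chaddr at offset 28
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63"            # sname, file, magic cookie
    udp = struct.pack("!HHHH", 67, 67, 8 + len(bootp), 0) + bootp
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + ip_options + udp


if __name__ == "__main__":
    client = OUI + bytes.fromhex("112233")
    relay = bytes.fromhex("00aabbccddee")
    for opts in (b"", b"\x01\x01\x01\x00"):   # without / with 4 bytes of IP options
        frame = build_relayed_dhcp_frame(client, relay, opts)
        print(len(frame), masked_oui_match(frame, OUI, 6), chaddr_oui_match(frame, OUI))
    print(ether_oui_filter(OUI))
    print(dhcp_chaddr_oui_filter(OUI))
```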
Re: [Wireshark-users] Tag Mismatch in PDML export
Jeff, Martin -

Martin - thanks for your suggestion. I will definitely open a new bug to track this issue if need be. However, in the meantime, following Jeff's suggestion, I installed the latest (nightly?) build (0.99.8-SVN-24191) from the download site. With the new import, I do not see the extra </proto> element anymore, but I noticed several field elements were included directly under packet. See below for a snippet from my capture file...

<packet>
  <proto ...>
    ...
    <field name="tcp.checksum" ...>
      <field name="tcp.checksum_good" .../>
      <field name="tcp.checksum_bad" .../>
    </field>
  </proto>
  <field name="data" .../>
  <field name="data.data" ... .../>
</packet>
#Second packet, third packet..
<packet>
...
</packet>

Is this valid? I tried looking up a schema doc for PDML but no luck? Is there one available somewhere?

The following comment that I found in the notes for bug 2815 confirms my doubt...

--- Comment #4 from [EMAIL PROTECTED] 2008-01-12 00:39 GMT ---
Change 24069 avoids closing off Data protocol nodes (even though they are written out as field elements), since field elements are written out as simple tags. I don't know if having field elements immediately inside the packet element (rather than being inside a protocol element) is allowed by the PDML schema..
--- End Comment ---

Thanks
Prasad

On Jan 25, 2008 3:36 PM, Jeff Morriss [EMAIL PROTECTED] wrote:
> This problem was fixed after 0.99.7 was released. To get the fix you'll need to either wait for the next release (0.99.8, there's no plan for a release date that I'm aware of) or use a development version from:
>
> http://www.wireshark.org/download/automated/
>
> As noted in the bug, this problem was fixed in rev 24069 which means you need to choose a development version higher than that number.
>
> Prasad Shenoy wrote:
> > Martin - I should have included the details in my initial email. Sorry about that. I am using 0.99.7 on Win XP, the latest download from yesterday. I looked at bug # 2185 and even followed the command line suggestion but with my own capture file instead of the one attached to the report. The problem still persists. What is your advice in this situation?
> >
> > Thanks
> > Prasad
> >
> > On Jan 25, 2008 3:11 PM, Martin Mathieson [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I fixed a bug matching this description around 2 weeks ago (to fix reported bug 2185). Could you please test with a later build?
> > >
> > > Hope this helps,
> > > Martin
> > >
> > > On Jan 25, 2008 7:57 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> > > > Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated
> > > >
> > > > Thanks,
> > > > Prasad

--
Prasad
Re: [Wireshark-users] Tag Mismatch in PDML export
Prasad,

Please open a new bug to track this problem and attach an example packet that exhibits the problem.

Thanks,
Martin

On Jan 25, 2008 8:24 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> Martin - I should have included the details in my initial email. Sorry about that. I am using 0.99.7 on Win XP, the latest download from yesterday. I looked at bug # 2185 and even followed the command line suggestion but with my own capture file instead of the one attached to the report. The problem still persists. What is your advice in this situation?
>
> Thanks
> Prasad
>
> On Jan 25, 2008 3:11 PM, Martin Mathieson [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I fixed a bug matching this description around 2 weeks ago (to fix reported bug 2185). Could you please test with a later build?
> >
> > Hope this helps,
> > Martin
> >
> > On Jan 25, 2008 7:57 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> > > Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated
> > >
> > > Thanks,
> > > Prasad
>
> --
> Prasad
Re: [Wireshark-users] Tag Mismatch in PDML export
Martin - I should have included the details in my initial email. Sorry about that. I am using 0.99.7 on Win XP, the latest download from yesterday. I looked at bug # 2185 and even followed the command line suggestion but with my own capture file instead of the one attached to the report. The problem still persists. What is your advice in this situation?

Thanks
Prasad

On Jan 25, 2008 3:11 PM, Martin Mathieson [EMAIL PROTECTED] wrote:
> Hi,
>
> I fixed a bug matching this description around 2 weeks ago (to fix reported bug 2185). Could you please test with a later build?
>
> Hope this helps,
> Martin
>
> On Jan 25, 2008 7:57 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> > Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated
> >
> > Thanks,
> > Prasad

--
Prasad
Re: [Wireshark-users] Tag Mismatch in PDML export
Jeff - Thanks for a quick reply. I checked on that bug and the problem seems to be identical. I even tried the command line option (but the capture file had more than one packet in my case) but the problem seems to be there.

Thanks
Prasad

On Jan 25, 2008 3:10 PM, Jeff Morriss [EMAIL PROTECTED] wrote:
> Prasad Shenoy wrote:
> > Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before?
>
> Sounds like:
>
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2185

--
Prasad
Re: [Wireshark-users] Tag Mismatch in PDML export
Hi,

I fixed a bug matching this description around 2 weeks ago (to fix reported bug 2185). Could you please test with a later build?

Hope this helps,
Martin

On Jan 25, 2008 7:57 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated
>
> Thanks,
> Prasad
Re: [Wireshark-users] Tag Mismatch in PDML export
Prasad Shenoy wrote:
> Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before?

Sounds like:

http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2185
[Wireshark-users] Tag Mismatch in PDML export
Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated

Thanks,
Prasad
Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error
I appreciate the info. I have actually taken several captures now on individual vlans and have located the top talkers. I also tried the tshark command you mentioned below without success. I get the ericsson error as shown below. Here is what happens:

C:\Program Files\Wireshark>tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1 &&
Could not open file: 'Ericsson.xml', error: No such file or directory
tshark: Unexpected end of filter string.

C:\Program Files\Wireshark>tshark -v
Could not open file: 'Ericsson.xml', error: No such file or directory
TShark 0.99.7 (SVN Rev 23910)

Copyright 1998-2007 Gerald Combs [EMAIL PROTECTED] and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.14.3, with WinPcap (version unknown), with libz 1.2.3,
with libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1,
with Gcrypt 1.2.3, with MIT Kerberos.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.

Built using Microsoft Visual C++ 6.0 build 8804

C:\Program Files\Wireshark>

Do you know what I should modify to resolve this?

Thanks,

Sake Blok [EMAIL PROTECTED] wrote:
> On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> > I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.
>
> Well, in Wireshark you can use the Endpoints option under Statistics. This could give you the top 10 list of ip-addresses generating the most packets or bytes.
>
> If you just want SYN packets to be counted, you can either create a 2nd trace file with only the SYN packets and look at the endpoint statistics in this new file. Or... you could use tshark with some command piping:
>
> tshark -r tracefile -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head
>
> I hope this helps,
>
> Cheers,
> Sake
Re: [Wireshark-users] How to switch from Digest Mailing-List mode to Single Mails mode?
Send a message to [EMAIL PROTECTED] (note the '-request' part of the email; those are commands to the mailserver rather than posts to the list itself) with:

help
set show

in the body of the email. (You can do individual emails; one with 'help' and one with 'set show' if you prefer.)

The server will send you a message giving the options you have set for the maillist. You should be able to change from digest to individual emails by sending:

set digest off

in an email to the -request address.

- Al -

Alan Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm)
500 W Cummings Park, Suite #2700, Woburn, MA 01801, USA
[EMAIL PROTECTED] / Tel: +1-781-938-1221 x112, Fax +1-781-207-0550
http://www.VALID8.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Stover
Sent: Friday, January 25, 2008 3:21 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] How to switch from Digest Mailing-List mode to Single Mails mode?

Currently I receive all postings in this mailing list as a daily digest. How can I switch to single e-mail mode WITHOUT completely unsubscribing and re-subscribing again? On the web page http://www.wireshark.org/mailman/listinfo/wireshark-users I did not find an option for CHANGING to/from daily digest mode.

Ben
[Wireshark-users] Resuming Circular File Buffer after a Computer Reboot
Hi Everyone,

I have DUMPCAP running as a service on a Windows XP computer. The service is set up for DUMPCAP to:

- rotate the files after 250 MB or 15 mins
- keep a maximum number of 1350 files in a circular file buffer.

The problem I am experiencing is that when the computer reboots, DUMPCAP starts a new circular buffer with a new file name. This results in the old files not being purged during the circular file buffer process. Is there any way to keep only the 1350 newest files that start with a particular sequence of characters in the capture directory and purge the old ones?

Thanx,
John
Re: [Wireshark-users] Tag Mismatch in PDML export
This problem was fixed after 0.99.7 was released. To get the fix you'll need to either wait for the next release (0.99.8, there's no plan for a release date that I'm aware of) or use a development version from:

http://www.wireshark.org/download/automated/

As noted in the bug, this problem was fixed in rev 24069 which means you need to choose a development version higher than that number.

Prasad Shenoy wrote:
> Martin - I should have included the details in my initial email. Sorry about that. I am using 0.99.7 on Win XP, the latest download from yesterday. I looked at bug # 2185 and even followed the command line suggestion but with my own capture file instead of the one attached to the report. The problem still persists. What is your advice in this situation?
>
> Thanks
> Prasad
>
> On Jan 25, 2008 3:11 PM, Martin Mathieson [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I fixed a bug matching this description around 2 weeks ago (to fix reported bug 2185). Could you please test with a later build?
> >
> > Hope this helps,
> > Martin
> >
> > On Jan 25, 2008 7:57 PM, Prasad Shenoy [EMAIL PROTECTED] wrote:
> > > Good people - I am new to this list so I apologize for loose etiquette, if any. I would like to report a bug related to the Wireshark PDML export feature. While looking at a .pdml export of a recent capture, I noticed a tag mismatch for element proto and several occurrences of this mismatch in a single .pdml file. Has anyone noticed or run into this before? Any help and guidance is highly appreciated
> > >
> > > Thanks,
> > > Prasad
>
> --
> Prasad
Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error
jacob c wrote:
> I appreciate the info. I have actually taken several captures now on individual vlans and have located the top talkers. I also tried the tshark command you mentioned below without success. I get the ericsson error as shown below. Here is what happens:
>
> C:\Program Files\Wireshark>

Oops, cmd.exe, not a UN*X shell, so Sake's command won't work exactly. If you have Cygwin installed, you could try it from Cygwin.

> tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1 &&
> Could not open file: 'Ericsson.xml', error: No such file or directory
> tshark: Unexpected end of filter string.

The ericsson error isn't the real problem. The real problem is the "Unexpected end of filter string"; that command isn't complete. The complete tshark command would be

tshark -r c:\captures\0_0-10mins -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0"

on *one* command line (I don't know whether cmd.exe supports commands split across multiple command lines the way UN*X shells do).

However, the rest of his command, namely the

| sort | uniq -c | sort -rn | head

part, is a bit trickier; cmd.exe *does* support pipes (and I suspect it supports them using Win32 pipes, rather than the old "run the commands one at a time, save the output of command N to a file, and use that file as input to command N+1" hack that the MS-DOS command prompt did, due to DOS being a single-tasking system), but Windows doesn't come with those other commands. As noted, Cygwin would include those commands.
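An added example, not from the thread: a stand-in for the "sort | uniq -c | sort -rn | head" part of Sake's pipeline for a Windows box without Cygwin. It assumes the input is the output of `tshark -r capture -T fields -e ip.src -e tcp.flags`, one packet per line, the two fields separated by a tab and tcp.flags printed as a hex value; the sample lines are constructed, not taken from a real capture.

```python
import sys
from collections import Counter

# Bit values of the TCP flags field, used to evaluate the display filter
# "tcp.flags.syn==1 && tcp.flags.ack==0" on the raw field value.
TCP_SYN = 0x02
TCP_ACK = 0x10


def is_syn_only(flags):
    """True for a connection attempt: SYN set, ACK clear."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def parse_line(line):
    """Split one tshark '-T fields' line into (ip.src, tcp.flags as int).
    Non-TCP packets leave the tcp.flags column empty and are skipped."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], int(parts[1], 16)


def top_syn_sources(lines, n=10):
    """Count SYN-only packets per source address and return the top n,
    the same ordering 'sort | uniq -c | sort -rn | head' produces."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_syn_only(rec[1]):
            counts[rec[0]] += 1
    return counts.most_common(n)


# Constructed sample of tshark field output: three SYNs from 10.1.1.5
# (one of them a SYN/ACK), one SYN from 10.1.1.9, one UDP packet, one ACK.
SAMPLE = (
    "10.1.1.5\t0x0002\n"
    "10.1.1.5\t0x0002\n"
    "10.1.1.5\t0x0012\n"
    "10.1.1.9\t0x0002\n"
    "10.1.1.7\t\n"
    "10.1.1.5\t0x0010\n"
)

if __name__ == "__main__":
    # Read tshark output from stdin when piped, otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines(True)
    for addr, count in top_syn_sources(source):
        print("%7d %s" % (count, addr))
```

On cmd.exe the script takes the place of the four Unix commands: `tshark -r capture -T fields -e ip.src -e tcp.flags | python top_syn.py`.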