Re: [Wireshark-users] GUI problem with Mac OS X
Hi Robert,

You should ask the guys who produce that version why it's not working. I'm not one of them. My MacOS X version of Wireshark is based on compiling the sources of all libraries and installing them as per default under /usr/local, and it is a standalone installer (a .PKG) that has nothing to do with the "Fink" project on SourceForge. The installer I did is on http://www.finkconsulting.com/page7.php and not anywhere else.

On 25.03.2008, at 01:18, R S wrote:

Andreas,

I downloaded Wireshark from SourceForge.net (no Ports or Fink) and I launch it in X11. Here are the outputs I got:

$ wireshark --version
wireshark 0.99.8

Copyright 1998-2008 Gerald Combs <[EMAIL PROTECTED]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.13.1, with GLib 2.17.0, with libpcap 0.9.4, with libz 1.2.3, without libpcre, without SMI, without ADNS, without Lua, without GnuTLS, without Gcrypt, with MIT Kerberos, without PortAudio, without AirPcap.

NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.

Running on Darwin 8.11.1 (MacOS 10.4.11), with libpcap version 0.9.4.

Built using gcc 4.0.1 (Apple Computer, Inc. build 5367).

$ otool -L /usr/local/bin/wireshark
/usr/local/bin/wireshark:
    /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 22.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 368.32.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 18.0.0)
    /usr/local/lib/libwiretap.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/local/lib/libwireshark.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/lib/libpcap.A.dylib (compatibility version 1.0.0, current version 1.0.0)
    /opt/gtk/lib/libgtk-quartz-2.0.0.dylib (compatibility version 1302.0.0, current version 1302.0.0)
    /opt/gtk/lib/libgdk-quartz-2.0.0.dylib (compatibility version 1302.0.0, current version 1302.0.0)
    /opt/gtk/lib/libatk-1.0.0.dylib (compatibility version 2210.0.0, current version 2210.1.0)
    /opt/gtk/lib/libgdk_pixbuf-2.0.0.dylib (compatibility version 1302.0.0, current version 1302.0.0)
    /opt/gtk/lib/libgio-2.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /opt/gtk/lib/libpangocairo-1.0.0.dylib (compatibility version 2001.0.0, current version 2001.0.0)
    /opt/gtk/lib/libpango-1.0.0.dylib (compatibility version 2001.0.0, current version 2001.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 88.3.9)
    /opt/gtk/lib/libcairo.2.dylib (compatibility version 14.0.0, current version 14.6.0)
    /opt/gtk/lib/libpng12.0.dylib (compatibility version 23.0.0, current version 23.0.0)
    /opt/gtk/lib/libgobject-2.0.0.dylib (compatibility version 1701.0.0, current version 1701.0.0)
    /opt/gtk/lib/libgmodule-2.0.0.dylib (compatibility version 1701.0.0, current version 1701.0.0)
    /opt/gtk/lib/libgthread-2.0.0.dylib (compatibility version 1701.0.0, current version 1701.0.0)
    /opt/gtk/lib/libglib-2.0.0.dylib (compatibility version 1701.0.0, current version 1701.0.0)
    /opt/gtk/lib/libintl.8.dylib (compatibility version 9.0.0, current version 9.1.0)
    /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 5.0.0)
    /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 369.6.0)
    /usr/lib/libiconv.2.dylib (compatibility version 5.0.0, current version 5.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)

I deleted the preferences file but nothing changed.

Thanks.
Robert

Andreas Fink
Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG
---
Tel: +41-61-330 Fax: +41-61-331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail: [EMAIL PROTECTED]
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---
ICQ: 8239353 MSN: [EMAIL PROTECTED] AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
http://a-fink.blogspot.com/ A developer's view about iPhone SDK

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] GUI problem with Mac OS X
Well, it's obvious that it will use libraries from /opt/gtk/lib. Those libraries were not compiled by me. I think /opt is used by Ports. The version from http://www.finkconsulting.com/page7.php doesn't use the /opt directory. If MacOS X thinks it should use libraries from there, you end up in version conflicts. You might want to rename /opt to something else temporarily and see if it runs then.

On 25.03.2008, at 01:18, R S wrote:

Andreas,

I downloaded Wireshark from SourceForge.net (no Ports or Fink) and I launch it in X11. Here are the outputs I got:

$ wireshark --version
[...]

$ otool -L /usr/local/bin/wireshark
[...]

I deleted the preferences file but nothing changed.

Thanks.
Robert
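Added example, not from the thread and not part of Andreas' installer: a small parser for the `otool -L` listing R S posted, which reports load commands that resolve outside the prefixes a /usr/local build should be using. The sample input is a constructed excerpt of that listing and the trusted-prefix list is an assumption. Run over the full output it isolates the /opt/gtk libraries Andreas points at, and the names themselves (libgtk-quartz where Andreas' own listing further down shows libgtk-x11) make clear that a different GTK+ build got linked in. The same check is worth running on any binary that must not pull code from a prefix other local users can write to, which is the supply-chain angle on a dynamic-linking mix-up like this one.

```python
"""Parse `otool -L` output and flag libraries loaded from unexpected prefixes.

Illustration code for the thread above; the SAMPLE text is a constructed
excerpt of the listing R S posted, and TRUSTED_PREFIXES is an assumption
about where a /usr/local build is entitled to load code from.
"""
import re
from collections import defaultdict

# One load-command line: <whitespace>path (compatibility version X, current version Y)
_LOAD_RE = re.compile(
    r"^\s*(?P<path>\S+)\s+\(compatibility version (?P<compat>[\d.]+), "
    r"current version (?P<current>[\d.]+)\)\s*$"
)

# The build's own prefix plus Apple-supplied locations. Anything else is a
# candidate conflict (here: the /opt/gtk tree from a different GTK+ build).
TRUSTED_PREFIXES = ("/usr/local/", "/usr/lib/", "/System/Library/", "/usr/X11/")


def parse_otool(text):
    """Return {binary_path: [(lib_path, compat_version, current_version), ...]}."""
    deps, current_bin = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            continue
        # otool prints the binary name on its own line ending in ':'
        if line.endswith(":") and not line.startswith((" ", "\t")):
            current_bin = line[:-1]
            continue
        m = _LOAD_RE.match(line)
        if m and current_bin:
            deps[current_bin].append((m["path"], m["compat"], m["current"]))
    return dict(deps)


def foreign_libs(deps, trusted=TRUSTED_PREFIXES):
    """Libraries outside the trusted prefixes, grouped by their top-level prefix."""
    out = defaultdict(list)
    for libs in deps.values():
        for path, _, _ in libs:
            if not path.startswith(trusted):
                prefix = "/".join(path.split("/")[:3])   # e.g. "/opt/gtk"
                out[prefix].append(path)
    return dict(out)


# Constructed excerpt modelled on the listing in the thread (tabs as otool prints them).
SAMPLE = """\
/usr/local/bin/wireshark:
\t/usr/local/lib/libwiretap.0.dylib (compatibility version 1.0.0, current version 1.1.0)
\t/usr/local/lib/libwireshark.0.dylib (compatibility version 1.0.0, current version 1.1.0)
\t/usr/lib/libpcap.A.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/opt/gtk/lib/libgtk-quartz-2.0.0.dylib (compatibility version 1302.0.0, current version 1302.0.0)
\t/opt/gtk/lib/libglib-2.0.0.dylib (compatibility version 1701.0.0, current version 1701.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 88.3.9)
"""

if __name__ == "__main__":
    # Real use: otool -L /usr/local/bin/wireshark | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for prefix, libs in foreign_libs(parse_otool(text)).items():
        print(f"{prefix}: {len(libs)} libraries outside the trusted prefixes")
        for lib in libs:
            print("   ", lib)
```

Renaming /opt as Andreas suggests is the quick experiment; the parser is the repeatable version of the same question, and the prefix list is the part to adapt for a build installed elsewhere.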
Re: [Wireshark-users] vlan & dhcp packets
I think DHCP is always untagged on Ethernet by the standard, as it might tell you what VLAN to use, maybe. At least I had such issues when trying to run a DHCP server on a Cisco connected on VLAN virtual interfaces.

Sent from my iPhone

On 18.03.2008 at 21:08, wb <[EMAIL PROTECTED]> wrote:

> hey folks,
>
> [sorry for the double post, looks like I posted incorrectly the first time.]
>
> If I'm sniffing between a Linksys router and a Cisco switch, and the
> Linksys is on a VLAN, shouldn't I be able to see DHCP OFFERS & REQUESTS
> that clients are getting from this Linksys router? Or does VLAN tagging
> hide them or something?
>
> tia
>
> Fingerprint: E737 C427 FB48 6E51 6C8D ED40 7C8D 1D4E 6F9F B528
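Added example, not from the thread: a decoder that looks at a captured Ethernet frame just far enough to say whether it carries an 802.1Q tag and, when the payload is IPv4/UDP, whether the ports are the DHCP pair 67/68. The two frames it runs on are constructed inline (made-up client MAC, VLAN 30); this is illustration code, not a Wireshark dissector. The point for wb's question is that a tag does not hide a DHCP packet from a capture, it only inserts four bytes with the VLAN ID in front of the IPv4 header, so Wireshark shows it under `vlan` with the normal DHCP (`bootp` in 0.99-era filters, `dhcp` in later versions) dissection on top. What decides whether the frame reaches the capture at all is the capture point (an access port never sees other VLANs' frames, a trunk or a mirror of the trunk does) and whether the NIC driver strips the tag before libpcap gets the frame.

```python
"""Classify an Ethernet frame: 802.1Q tag present?  DHCP (UDP 67/68) inside?

Illustration code for the VLAN/DHCP question above. build_dhcp_frame()
constructs a minimal DHCP-style broadcast frame; MAC and VLAN ID are made up.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_PORTS = {67, 68}


def classify(frame):
    """Return {'vlan', 'is_dhcp', 'src_port', 'dst_port'} for one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        # 802.1Q: TPID 0x8100 already consumed; next two bytes are the TCI,
        # whose low 12 bits are the VLAN ID, followed by the real EtherType.
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    result = {"vlan": vlan, "is_dhcp": False, "src_port": None, "dst_port": None}
    if ethertype != ETHERTYPE_IPV4:
        return result
    ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[offset + 9]
    if proto != 17:                           # not UDP, so not DHCP
        return result
    sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
    result.update(src_port=sport, dst_port=dport,
                  is_dhcp=bool({sport, dport} & DHCP_PORTS))
    return result


def build_dhcp_frame(vlan=None):
    """Constructed DHCP DISCOVER-style frame: broadcast, IPv4 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67."""
    dst = b"\xff" * 6
    src = bytes.fromhex("001122334455")                # made-up client MAC
    bootp = b"\x01" + b"\x00" * 239                    # op=BOOTREQUEST, rest zeroed
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    for v in (None, 30):
        print(classify(build_dhcp_frame(vlan=v)))
```

A display filter with the same meaning, for a capture taken on a trunk, is `vlan && (udp.port == 67 || udp.port == 68)`; if that shows DHCP on every VLAN except the one you expect, look at where the capture was taken rather than at the tagging.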
Re: [Wireshark-users] GUI problem with Mac OS X
On 18.03.2008, at 19:08, Andreas Fink wrote:

What version of Wireshark do you have installed, and where did you get it from? How do you launch it?

The versions I've built install into /usr/local/bin/wireshark and require X11 and a bunch of libraries it depends on. If you installed similar libraries using the "Ports" or "Fink" package manager you might get into dynamic linking issues. Check this with otool. This is the output I got on my MacOS X 10.5 system:

$ otool -L /usr/local/bin/wireshark
/usr/local/bin/wireshark:
    /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 34.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 476.0.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 32.0.0)
    /usr/local/lib/libwiretap.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/local/lib/libwireshark.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/local/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/lib/libpcap.A.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/lib/libgtk-x11-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
    /usr/local/lib/libgdk-x11-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
    /usr/local/lib/libatk-1.0.0.dylib (compatibility version 2010.0.0, current version 2010.1.0)
    /usr/local/lib/libgdk_pixbuf-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
    /usr/local/lib/libpangocairo-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
    /usr/local/lib/libpangoft2-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
    /usr/local/lib/libpango-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)
    /usr/local/lib/libcairo.2.dylib (compatibility version 14.0.0, current version 14.6.0)
    /usr/X11/lib/libfontconfig.1.dylib (compatibility version 3.0.0, current version 3.0.0)
    /usr/X11/lib/libfreetype.6.dylib (compatibility version 10.0.0, current version 10.16.0)
    /usr/lib/libexpat.1.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/X11/lib/libpng12.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/X11/lib/libXrender.1.dylib (compatibility version 5.0.0, current version 5.0.0)
    /usr/X11/lib/libX11.6.dylib (compatibility version 9.0.0, current version 9.0.0)
    /usr/X11/lib/libXau.6.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/X11/lib/libXdmcp.6.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/local/lib/libgobject-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
    /usr/local/lib/libgmodule-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
    /usr/local/lib/libgthread-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
    /usr/local/lib/libglib-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
    /usr/local/lib/libintl.8.dylib (compatibility version 9.0.0, current version 9.2.0)
    /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 5.0.0)
    /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 19.0.0)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/local/lib/libportaudio.2.dylib (compatibility version 3.0.0, current version 3.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
    /usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)

You might also trash the preferences in ~/.wireshark/ to see if some old settings move your window off screen or the like.

On 18.03.2008, at 03:15, R S wrote:

Andreas,

When I launch it in X11, things don't get better. I still have the wireshark tab appearing in the menu bar with nothing next to it. Any suggestions?

Robert

From: Andreas Fink <[EMAIL PROTECTED]>
Date: Sat, 15 Mar 2008 18:58:27 +0100

You need to launch it in X11, not Terminal. This is true for 10.4 but not for 10.5, where X11 is launched automatically.

From: [EMAIL PROTECTED]
To: wireshark-users@wireshark.org
Subject: GUI problem with Mac OS X
Date: Sat, 15 Mar 2008 01:12:22 +

Hi,

I installed Wireshark on my Mac OS X 10.4.11 and it worked fine for a couple of times. Now, when I launch it in the terminal, the GUI simply doesn't appear. Is anyone familiar with this problem?

Cheers,
Robert
Re: [Wireshark-users] GUI problem with Mac OS X
You need to launch it in X11, not Terminal. This is true for 10.4 but not for 10.5, where X11 is launched automatically.

On 15.03.2008, at 02:12, R S wrote:

Hi,

I installed Wireshark on my Mac OS X 10.4.11 and it worked fine for a couple of times. Now, when I launch it in the terminal, the GUI simply doesn't appear. Is anyone familiar with this problem?

Cheers,
Robert
Re: [Wireshark-users] Router broken or is my Linux crazy? *Smallest* log included
On 10.03.2008, at 18:26, Monkey D. Luffy wrote:

>> Your computer should gather that 192.168.2.1 is your router's ethernet
>> from the broadcasts it listens to. That's also a way of learning ARP
>> tables.
> So that means that I have (at least) a problem in my computer? Since
> it doesn't learn who the router is from the IGMP packets:
>
> 86 1403.785840 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 87 1404.785886 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 88 1407.786026 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 89 1408.332413 192.168.2.1       224.0.0.1      IGMP V2 Membership Query
> 90 1408.586063 192.168.2.100     224.0.0.251    IGMP V2 Membership Report
> 91 1408.786070 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 92 1409.786118 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 93 1412.493245 192.168.2.1       224.0.0.9      IGMP V2 Membership Report
> 94 1412.786256 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 95 1413.786301 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 96 1414.786348 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
> 97 1416.138415 192.168.2.100     239.255.67.250 IGMP V2 Membership Report
> 98 1417.786490 AsustekC_ba:f5:a8 Broadcast      ARP  Who has 192.168.2.1? Tell 192.168.2.100
>
> Can something be wrong with the mask used?

Could be. What is the mask used?

>> However it's odd that the router doesn't answer a specific ARP request
>> targeted to it.
> So that means my router is indeed brain dead.
>
>> Now to the tricky questions. Where did you capture this?
> I captured it on my computer, 192.168.10.100

192.168.10.100? That's not on the same subnet usually.

>> Maybe the router answered but your computer didn't get the answer
>> because the switch in the middle is messed up or so?
> The cable modem connects to my router. From my router 2 RJ45 cables
> connect to 2 computers. Both (Linux) computers fail network connection
> at the same time.
> I don't use any switch hardware device.
>
> I have to say that when my NIC connects directly to the cable modem
> (no router in the middle) I don't have any problems with my network
> connection.
Re: [Wireshark-users] Router broken or is my Linux crazy? *Smallest* log included
On 10.03.2008, at 16:57, Monkey D. Luffy wrote:

> I left Wireshark running during the night; since there was no network
> traffic during that time, the log is as clean as it can get.
> The weird thing is that my computer starts ARPing the router and never
> stops. The router only does some IGMP queries and replies, but
> never answers the request.

Your computer should gather that 192.168.2.1 is your router's ethernet from the broadcasts it listens to. That's also a way of learning ARP tables. However it's odd that the router doesn't answer a specific ARP request targeted to it. Now to the tricky questions. Where did you capture this? Maybe the router answered but your computer didn't get the answer because the switch in the middle is messed up or so?

> No. Time       Source             Destination  Protocol Info
> 11  192.144853 AsustekC_ba:f5:a8  Broadcast    ARP      Who has 192.168.2.1? Tell 192.168.2.100
>
> Frame 11 (42 bytes on wire, 42 bytes captured)
> Ethernet II, Src: AsustekC_ba:f5:a8 (__:__:__:ba:f5:a8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>
> I checked some logs during normal execution and the router sometimes
> answers the ARP requests, but even when it doesn't my computer stops
> making ARP requests, probably due to the IGMP replies and queries.
>
> I have attached the summed up log in this email.
>
> Thank you for any help.
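Added example, not from the thread: the check Andreas does by eye on Luffy's capture (both messages above), written as a scan over a packet-list export. It pairs each ARP `Who has X? Tell Y` with a later `X is at MAC` reply and reports the requests that were not answered within a timeout, which reduces a night-long capture to "N requests for 192.168.2.1, none answered" and is the same logic a detection rule for a dead gateway or an ARP-starved host would use. The sample lines are constructed after the capture in this thread, with one made-up reply (frame 99) so the matched case is exercised as well; column spacing is approximate.

```python
"""Find ARP requests with no reply in a Wireshark packet-list export.

Illustration code for the ARP/IGMP thread above. SAMPLE is constructed from
the frames quoted there plus one invented reply (frame 99); the format is the
"No.  Time  Source  Destination  Protocol  Info" summary Wireshark prints.
"""
import re
from collections import defaultdict

_LINE = re.compile(r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<rest>.*)$")
_REQ = re.compile(r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)")
_REPLY = re.compile(r"(?P<ip>[\d.]+) is at (?P<mac>[0-9a-f:]{17})")


def unanswered_arp(lines, timeout=1.0):
    """Return sorted [(frame_no, time, target_ip, sender_ip)] for ARP requests
    that got no reply for target_ip within `timeout` seconds.

    A reply clears only the requests issued within `timeout` before it; older
    ones are reported, since the host had already given up waiting on them.
    """
    pending = defaultdict(list)        # target ip -> [(no, t, target, sender)]
    unanswered = []
    for line in lines:
        m = _LINE.match(line)
        if not m or " ARP " not in line:
            continue
        no, t, rest = int(m["no"]), float(m["time"]), m["rest"]
        req = _REQ.search(rest)
        if req:
            pending[req["target"]].append((no, t, req["target"], req["sender"]))
            continue
        rep = _REPLY.search(rest)
        if rep:
            for entry in pending.pop(rep["ip"], []):
                if t - entry[1] > timeout:   # reply came too late for this request
                    unanswered.append(entry)
    for entries in pending.values():         # never answered at all
        unanswered.extend(entries)
    return sorted(unanswered)


def by_target(unanswered):
    """Count unanswered requests per target IP, the one-line summary for a report."""
    counts = {}
    for _, _, target, _ in unanswered:
        counts[target] = counts.get(target, 0) + 1
    return counts


SAMPLE = """\
No.  Time        Source             Destination        Protocol Info
86   1403.785840 AsustekC_ba:f5:a8  Broadcast          ARP      Who has 192.168.2.1?  Tell 192.168.2.100
87   1404.785886 AsustekC_ba:f5:a8  Broadcast          ARP      Who has 192.168.2.1?  Tell 192.168.2.100
88   1407.786026 AsustekC_ba:f5:a8  Broadcast          ARP      Who has 192.168.2.1?  Tell 192.168.2.100
89   1408.332413 192.168.2.1        224.0.0.1          IGMP     V2 Membership Query
91   1408.786070 AsustekC_ba:f5:a8  Broadcast          ARP      Who has 192.168.2.1?  Tell 192.168.2.100
99   1409.100000 00:11:22:33:44:55  AsustekC_ba:f5:a8  ARP      192.168.2.1 is at 00:11:22:33:44:55
"""

if __name__ == "__main__":
    missing = unanswered_arp(SAMPLE.splitlines())
    print(by_target(missing))
    for no, t, target, sender in missing:
        print(f"frame {no} at {t:.3f}: {sender} asked for {target}, no reply in time")
```

The export format is what File > Export > as "Plain Text" (packet summary only) or `tshark -r capture.pcap` produces; the regexes only depend on the ARP Info column, so column widths do not matter.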
Re: [Wireshark-users] Filtering tcp payload
On 14.02.2008, at 05:22, Greg Helps wrote:

Hi,

My question's probably quite simple, but I'd like to frame it by explaining my situation first.

I come from an environment that uses Citrix MetaFrame. A Citrix session establishes itself on TCP port 1494 or 2598 by default. All activities utilise this single conversation, meaning screen drawing, mouse movements, clipboard copies, client-side drive mapping etc. all occur within the same conversation. Screen redraws, mouse movements and keystrokes are all high priority activities compared to something like printing. Therefore, the first two bytes of the TCP data are not encrypted and contain information about the payload of the particular packet. From Cisco's description:

  The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.

I'd like to filter by the first two bits of the second byte of the TCP payload data. I am currently trying variations of the following display filter:

  (tcp[21] & 0xc0) == 0

This filter is rejected as invalid. Can anyone see what I'm doing wrong?

Can't see it right now either, but try

  tcp[21] < 193

which should be logically the same.
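Added example, not from the thread: the ICA header arithmetic Greg quotes from Cisco, as code, plus a helper that turns a mask test such as `(tcp[21] & 0xc0) == 0` into the range of byte values it accepts, for display-filter dialects that reject bitwise operators on slices (whether the bitwise form is accepted depends on the Wireshark version). The payload bytes are constructed. The helper gives 0 to 63 for priority 0, 64 to 127 for priority 1 and so on; a plain `<` comparison only reproduces the mask test for the range that starts at 0, any other threshold also matches bytes with a different priority. The filter builder takes the TCP header length as a parameter because `tcp[21]` is the second payload byte only for a 20-byte header with no options; on a segment that carries options the slice lands inside the header.

```python
"""ICA framing header (2 bytes) and byte-range equivalents of a mask test.

Illustration code for the Citrix/ICA filter question above. The header
layout is the one Greg quotes: byte 1 = low-order length, top two bits of
byte 2 = priority, remaining six bits = high-order length. Payloads below
are constructed.
"""


def parse_ica_header(payload):
    """Return (priority, length) from the first two bytes of the TCP payload."""
    if len(payload) < 2:
        raise ValueError("need at least two payload bytes")
    b1, b2 = payload[0], payload[1]
    priority = b2 >> 6                     # first (most significant) two bits
    length = ((b2 & 0x3F) << 8) | b1       # six high-order bits + low-order byte
    return priority, length


def mask_test_as_ranges(mask, value, width=8):
    """All x in [0, 2**width) with (x & mask) == value, as inclusive (lo, hi) runs."""
    hits = [x for x in range(1 << width) if (x & mask) == value]
    ranges, start, prev = [], None, None
    for x in hits:
        if start is None:
            start = prev = x
        elif x == prev + 1:
            prev = x
        else:
            ranges.append((start, prev))
            start = prev = x
    if start is not None:
        ranges.append((start, prev))
    return ranges


def priority_filter(priority, tcp_header_len=20):
    """Display filter selecting ICA segments of one priority without using '&'.

    tcp_header_len must match the segments you look at: 20 means no TCP
    options; with options the priority byte sits further in.
    """
    if not 0 <= priority <= 3:
        raise ValueError("ICA priority is two bits wide")
    offset = tcp_header_len + 1            # second payload byte
    clauses = [f"tcp[{offset}] >= {lo} && tcp[{offset}] <= {hi}"
               for lo, hi in mask_test_as_ranges(0xC0, priority << 6)]
    return " || ".join(f"({c})" for c in clauses) if len(clauses) > 1 else clauses[0]


if __name__ == "__main__":
    sample = bytes([0x34, 0x12 | 0x80])    # constructed: length 0x1234, priority 2
    print(parse_ica_header(sample))
    for prio in range(4):
        print(prio, priority_filter(prio))
```

For the original question (priority 0 on a 20-byte header) the builder yields `tcp[21] >= 0 && tcp[21] <= 63`; `tcp[21] < 64` is the shorter form of the same test.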
Re: [Wireshark-users] Bad Checksum Packet
On 11.02.2008, at 06:35, Becky Vict wrote:

Hi,

The protocol that I'm interested in is TCP (FTP transfer). I've done as recommended but the following is what I get.

Transmission Control Protocol, Src Port: 5001 (5001), Dst Port: ftp-data (20), Seq: 1, Ack: 15169, Len: 0
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 15984
    Checksum: 0x6eab [correct]

I tried applying the tcp.checksum_bad == 1 display filter but it comes up with nothing. Either there is no bad checksum packet in the capture at all or it gets discarded and doesn't show in Wireshark. Is there a way to confirm this? (by looking at both client and server captures for example)

In today's wired networks it's rather rare to see invalid checksums, because it would mean that a packet got transmitted and received, but received incorrectly due to a bad wire or the like. Today's networks are much more likely to have packets removed completely due to congestion or other reasons. A packet error on TCP is unlikely if there's already a checksum at a lower level which would discard the packet. So it's very unlikely to see tcp.checksum_bad == 1 unless you have a broken TCP stack creating wrong checksums or the like.

Thanks.

Stephen Fisher <[EMAIL PROTECTED]> wrote:

On Sun, Feb 10, 2008 at 06:35:08AM -0800, Becky Vict wrote:
> I would like to know if a packet is discarded due to bad checksum,
> will it show in the capture? How to distinguish this quickly? What
> display filter should I use for this?

If the frame is discarded by the network card for a bad CRC, you will probably not see it in Wireshark at all. If the checksum is bad at higher layers, then you will see bad checksum checks at various protocols/layers (IP, TCP, UDP and some other protocols such as CDP and EDP).

Go into the protocol layer of a packet that you want to check the checksum of and there will be a tree such as the following:

User Datagram Protocol, Src Port: domain (53), Dst Port: 58475 (58475)
    Source Port: domain (53)
    Destination port: 58475 (58475)
    Length: 108
    Checksum: 0x2b97 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]

Right click on the good or bad checksum and go to Apply as Filter -> Selected to apply a display filter for good or bad checksums. The filters in this case will be udp.checksum_good == 1 or udp.checksum_bad == 1 if it is good or bad respectively.

There are also coloring rules in place by default for Checksum Errors that turn the packet list line red on black for cdp, edp, ip, tcp, udp checksums that are bad. Note that a few other protocols have checksum checks too, but they are not in the default coloring rules.

Steve
[Wireshark-users] MacOS X Leopard package of Wireshark 0.99.7 available
Please note that a new Wireshark package installer has been made available on

http://www.finkconsulting.com/page7.php
http://www.finkconsulting.com/opensource/WiresharkLeopard/Wireshark-Leopard.dmg (direct download)

The package contains Wireshark 0.99.7 (from www.wireshark.org) built from the open source code. The package is built for MacOS X 10.5 (Leopard) only and installs into /usr/local. It has been compiled for architectures i386 and ppc (Universal Binary).

The package includes the following items:

adns-1.3
atk-1.20.0
cairo-1.4.12
gettext-0.17
gtk+-2.12.3
jpeg-6b
libpng-1.2.24
lua-5.1.2
pango-1.19.0
pcre-7.4
pkg-config-0.22
portaudio_stable_v19.20071207
tiff-3.8.2
wireshark-0.99.7

A pseudo application starting Wireshark from an icon in /Applications.
A startup item making /dev/bpf* readable for everyone at startup.
X11.app update
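Added example, not from the announcement or its startup item: a check for the permission that item sets. Making /dev/bpf* readable for everyone means every local account, not only the one that installed Wireshark, can open a BPF device and capture all traffic on every interface. The usual alternative is to hand the nodes to a dedicated group (an `access_bpf` group with group read/write, which is what Wireshark's own macOS installer later did with its ChmodBPF item) and add only the users who need to capture. The audit and the fix below are generic Python; `demo()` runs them over temporary files instead of real device nodes, and on a real system `restrict_to_group` would run as root at boot, exactly where the announcement's startup item runs.

```python
"""Audit capture device nodes for world access and restrict them to a group.

Illustration code for the /dev/bpf* item in the announcement above. demo()
uses a temporary directory with fake bpf nodes; on macOS/BSD the real target
is /dev and the group id would be that of an access_bpf-style group.
"""
import os
import stat
import tempfile


def audit_capture_devices(dev_dir, prefix="bpf"):
    """Return [(path, mode)] for nodes named prefix* that 'other' can read or write."""
    findings = []
    for name in sorted(os.listdir(dev_dir)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(dev_dir, name)
        mode = os.stat(path).st_mode
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, oct(stat.S_IMODE(mode))))
    return findings


def restrict_to_group(path, gid=None):
    """Set owner/group read+write, nothing for others (0660); chgrp when gid is given.

    chown on real device nodes needs root, which is why this belongs in a
    startup item rather than in the capturing user's session.
    """
    if gid is not None:
        os.chown(path, -1, gid)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP)


def demo():
    """Create two fake bpf nodes with the announcement's world-readable mode,
    audit, fix, re-audit; returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(2):
            p = os.path.join(d, f"bpf{i}")
            open(p, "w").close()
            os.chmod(p, 0o644)                 # "readable for everyone"
        before = audit_capture_devices(d)
        for path, _ in before:
            restrict_to_group(path)            # gid omitted: no chgrp in the demo
        after = audit_capture_devices(d)
        return len(before), len(after)


if __name__ == "__main__":
    print("world-accessible before/after:", demo())
```

On a live macOS box the equivalent one-off check is `ls -l /dev/bpf*`: an `r` in the "other" column means any logged-in user can sniff.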
Re: [Wireshark-users] SCCP XUDT (Segmentation)
>> "Message Transport Failure" implies a message ordering problem or
>> timeout. Looking at your MTP routing label the 2 messages are on
>> different SLS despite the fact that Class-1 is selected. That
>> might be the problem. (I didn't check a lot for other possible problems.)
>
> Ah... different SLS.. that could very well be it. I would never have
> thought of that one.

Changed the code to use the same SLS and everything works. That was the missing link. Thanks a lot!
Re: [Wireshark-users] SCCP XUDT (Segmentation)
On 11.01.2008, at 17:21, Jeff Morriss wrote:

Andreas Fink wrote:
> Does anyone here have a proper sample of a trace of a SCCP XUDT message
> including segments? My self made packet decodes correctly in Wireshark
> but the global title node doesn't like it and rejects it with 0x08
> (Message Transport Failure) and I don't have anything to compare against
> what could be wrong. Here's what I sent

There's some segmented XUDT (and XUDTS) in http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2059

"Message Transport Failure" implies a message ordering problem or timeout. Looking at your MTP routing label the 2 messages are on different SLS despite the fact that Class-1 is selected. That might be the problem. (I didn't check a lot for other possible problems.)

Ah... different SLS.. that could very well be it. I would never have thought of that one.

Alain wrote:

Looking at your capture file, if you set in "/Edit/Preference" the SCCP Protocol with the flag "Reassemble XUDT messages", then you can see the correct exchange. I have done it on records 14 & 15: it's a FORWARDSM MAP message. The reassembly works fine.

The outgoing message looks perfectly fine otherwise, but the XUDTS error I got in response was the thing that puzzled me... The ForwardSM part is well proven as it's being used several million times per day using UDTS. Only in the rare case of long sender/receiver numbers and GSM-MAP phase 2+ and long SMS does the message get too long. In my test case it was 1 byte too big :-(.
[Wireshark-users] SCCP XUDT (Segmentation)
Does anyone here have a proper sample of a trace of a SCCP XUDT message including segments?

My self made packet decodes correctly in Wireshark but the global title node doesn't like it and rejects it with 0x08 (Message Transport Failure) and I don't have anything to compare against what could be wrong. Here's what I sent:

[attachment: dump.cap (binary data)]
Re: [Wireshark-users] RE : Re: Showing TCAP packets : Ethereal vs. Wireshark
TCAP is a user of SCCP or SUA. As such a TCAP packet includes a SUA or SCCP packet. If Wireshark doesn't show it as TCAP it might be the fact that the packet is invalid and thus the SUA payload is not considered a TCAP packet. The reasons for this can be many. One obvious one would be that the TCAP preferences are looking for ITU TCAP, not the US proprietary ANSI version of TCAP. I believe this is somewhere hidden in the settings. The second reason would be simply the packet being screwed up.

On 13.12.2007, at 11:58, Marc Grün wrote:

Ethereal (Version 0.10.13) was already installed on the computer I'm using, and I know well it is obsolete. I'm using Wireshark Version 0.99.6 (SVN Rev 22249).

I added the .out files for Ethereal and Wireshark concerning that packet. Ethereal is the only one to label it malformed; it goes fine with Wireshark.

I would not bother anyway, but what bugs me in fact is that TCAP is a Layer-7 (Application) protocol, whereas (I might be wrong, but well) SUA seems to belong to an inferior layer: how can they both qualify the very same packet? Which layers does this SUA in fact implement?

Guy Harris <[EMAIL PROTECTED]> wrote:

Marc Grün wrote:
> I'm doing communication between two machines using the SCCP User
> Adaptation (SUA) protocol. Using both Ethereal and Wireshark to capture
> the corresponding packets, I realized that Ethereal shows the
> connectionless datagram ones as "TCAP CLDT" (and they are said to be
> malformed...) whereas Wireshark shows the same as "SUA (RFC 3868) CLDT".
>
> Where does this divergence come from?

Probably from a change in one of the dissectors between the two versions of the software; the difference between "Ethereal" and "Wireshark" is that "Ethereal" is the name the software had up to version 0.99.0 and "Wireshark" is the name it had starting with version 0.99.2 (I don't remember what happened to 0.99.1). See http://www.wireshark.org/faq.html#q1.2 for why the name changed.

What are the version numbers of the two releases you're using? And do you have a small capture file that demonstrates this (if you can just extract one packet from the capture and read that into the two versions and see the behavior, that would be ideal)?

Also, are the packets said to be malformed in the newer version? If so, it might be that the older version wasn't correctly dissecting them.

[attachment: wireshark.out]
Re: [Wireshark-users] How to see HTTP hosts visited
The two switches are not forwarding packets to your PC, as your PC is not the destination of those packets and thus is not meant to receive them. You need to do the tracing on the WRT54G itself (if it runs some Linux, for example) or it should forward packets. I don't think even without the two switches you will see the packets as they come/go from DSL and WLAN. So the WRT will not forward them to you because it knows (or thinks) you are not looking for those packets.

On 12.11.2007, at 22:34, Gary Fritz wrote:

> From: Stephen Fisher <[EMAIL PROTECTED]>
>> What does your network setup look like? Do you have separate wireless
>> AP, router, cable/dsl modem? Or which parts are combined into one?
>
> Our home network looks something like this (sorry for the ASCII graphics):
>
> Linksys
> WRT54G      switch      switch      my PC
> (wifi hub)
>    |
>    |
> other PCs
>
> The Linksys is acting as a "DSL" modem (although my broadband
> connection is actually wireless), router, and wireless AP.
>
> So I have 2 switches between the router and my PC. Could that be part of
> the problem?
>
>> You could monitor the wifi through another wifi connection only if your
>> operating system & wireless driver support promiscuous mode, which is not
>> common (especially on Windows).
>
> Hm. And I am running on Windows -- XP Home & Pro. The promiscuous-mode
> option is checked in the "Capture Options" dialog.
>
>> Ideally you would monitor his machine by installing Wireshark on his
>> machine, but that may give away what you're trying to do :).
>
> Yeah, that's not ideal for me. :-)
>
>> Since the initial sites visited are typically the only time HTML is
>> loaded (the accesses to other sites are usually graphics), this display
>> filter should help narrow it down:
>>
>> ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"
>
> Hm, no, I'm still seeing requests for googleadservices.com,
> pagead.l.google.com, rcm.amazon.com, some gifs and jpgs, etc. A lot of the
> sites I'm seeing are requesting p3p.xml files or similar.
>
> And it doesn't seem to be capturing all the actual browse requests. E.g. if I
> browse to www.dogpile.com (my son's favorite search engine), nothing gets
> through the filter.
>
> It's definitely better than I had come up with before. The statistics report I
> was using before doesn't work with that filter, but the filtered output is better
> than the stat report was anyway. If it just included all the hosts I browsed to,
> it would be "good enough" for now.
>
> Except... I've just discovered that display filters and capture filters don't use
> the same syntax, sigh. These packets pile up quickly without a filter. I tried
> "port 80 and src <>" and that helps, but I'm sure it's not optimal.
> Can you capture basically the same set of packets that the display filter
> shows?
>
> Thanks for the start!
> Gary
Re: [Wireshark-users] Any Macintosh users out there?
Why don't you simply use it under MacOS X? http://www.finkconsulting.com/page7.php

You need X11 to be installed, and from there you do /usr/local/bin/wireshark and you're in...

On 06.05.2007, at 19:00, Robert Ameeti wrote:

I run Wireshark via Parallels on a Mac and am looking for any gotcha's that other Mac users may have found.

--
<><><><><><><><><><><><><><><><><><>
Robert Ameeti
You cannot kill time without injuring eternity.
<><><><><><><><><><><><><><><><><><>

Andreas Fink
Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG
---
Tel: +41-61-330 Fax: +41-61-331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail: [EMAIL PROTECTED]
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---
ICQ: 8239353 MSN: [EMAIL PROTECTED] AIM: smsrelay Skype: andreasfink Yahoo: finkconsulting SMS: +41792457333
Re: [Wireshark-users] Wireless recommendation
On 21.03.2007, at 06:03, David Schweinsberg wrote:

On 20/03/2007, at 9:34 PM, Andreas Fink wrote:

The traffic showing is opening the device in promiscuous mode, which still has the same problem, as it cannot count on wlt1 while en1 is connected.

Sorry Andreas, are you saying that the Airport Extreme still has the problem that it can't enter promiscuous mode? Certainly that would explain the problem I'm seeing.

Regards,
David

The airport card in the Intel MacBooks and Intel iMacs is being driven by the Apple closed source driver. This driver is done in a way that when you go into promiscuous mode (you open the wlt1 device, to be precise), your en1 device, which is connecting your computer with this interface, is being disconnected. In other words, you can listen PASSIVELY but not be active on the wireless LAN at the same time. If you listen ACTIVELY (your own traffic going to the wireless LAN) you can listen on the en1 device instead of the wlt1 device. In that case you see Ethernet frames, not 802.11a/b/g/n frames.

The problem in Wireshark was that it was always scanning through the device list to show traffic on the various devices. So once it hit wlt1, en1 got disconnected. So that interface had to be skipped. This has been incorporated in libpcap's CVS version which I bundled with that installer.

It's a limit introduced by Apple or by the hardware itself (Apple has not said anything officially about the problem yet). Capturing your own traffic in active mode or listening passively should however be sufficient in 99% of the cases.
Re: [Wireshark-users] Wireless recommendation
On 20.03.2007, at 08:36, David Schweinsberg wrote:

Thanks Andreas

I've installed your build on my MacBook Pro and I'm seeing local traffic on 'en1', and broadcasts on 'wlt1', but nothing else from the network. The config for en1 is set to promiscuous, and checking 'ifconfig en1' reveals that the PROMISC flag is set -- it just doesn't seem to make any difference.

The traffic showing is opening the device in promiscuous mode, which still has the same problem, as it cannot count on wlt1 while en1 is connected. Use Capture -> Options to capture.

en1 is the WLAN interface. You can now capture on it while being connected (capture your own traffic and the traffic targeted to your node).
wlt1 is the WLAN interface in passive mode. When you use it, you can see radio frames, but your host will be disconnected from the WLAN while doing this.
en0 would then be the built-in Ethernet, etc.

Regards,
David

On 20/03/2007, at 3:34 PM, Andreas Fink wrote:

The wireless issue on the MacBook Pro has been solved. You need an updated libpcap version. The installer I put at http://www.finkconsulting.com/page7 has this fix.

On 20.03.2007, at 05:30, David Schweinsberg wrote:

Hi

I was hoping for a recommendation for the best wireless card to use with Wireshark on Linux. I've looked through the various cards and chipsets on the wireless wiki section, but there seems to be no clear consensus as to which is the best option.

Alternatively, I have a MacBook Pro which I was originally intending to use, but I read that there are existing issues in regards to wireless use. I imagine this is still the case.

Thanks in advance.

Regards,
David
Re: [Wireshark-users] Wireless recommendation
The wireless issue on the MacBook Pro has been solved. You need an updated libpcap version. The installer I put at http://www.finkconsulting.com/page7 has this fix.

On 20.03.2007, at 05:30, David Schweinsberg wrote:

Hi

I was hoping for a recommendation for the best wireless card to use with Wireshark on Linux. I've looked through the various cards and chipsets on the wireless wiki section, but there seems to be no clear consensus as to which is the best option.

Alternatively, I have a MacBook Pro which I was originally intending to use, but I read that there are existing issues in regards to wireless use. I imagine this is still the case.

Thanks in advance.

Regards,
David
Re: [Wireshark-users] Calculating SIP Calls Per Second (CPS) trafic in a wireshark/ethereal trace
How about applying a display filter, counting how many messages you have, and then dividing by the number of elapsed seconds? It's "hand made" but should give you a rough figure pretty quickly.

On 06.03.2007, at 14:42, Andreas Byström wrote:

Hi all,

I'm currently evaluating Wireshark/Ethereal traces of a load test case for a SIP proxy/softswitch. I'm looking for whether there is a tool/built-in function to calculate/draw CPS (Calls Per Second) or CAPS (Call Attempts Per Second) for a SIP Ethereal trace?

I know there is really no such thing as a CPS in SIP; what I want to calculate is how many SIP INVITE requests (and if possible only "new" invites, not re-invites) there are per second in an Ethereal trace. If I can't get the value for each second, it is also OK with the same value each 10th second.

I have googled on the net for such a tool but failed to find one. Anyone here that knows if it is possible to do what I want?

Regards,
// Andreas
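The counting both posters describe, written out as an added example (not code from the list or from Wireshark): it buckets INVITEs per second (or per any bucket width), separates initial INVITEs from in-dialog re-INVITEs by the presence of a tag on the To header, and also produces the "messages divided by elapsed seconds" rough figure. The SIP messages are constructed for the example; the records stand in for what a filtered trace export would give you.

```python
"""Count new SIP INVITEs per time bucket from (timestamp, message) records."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
TO_TAG = re.compile(r";\s*tag=", re.IGNORECASE)


def sip_msg(first_line: str, *headers: str) -> str:
    """Build a minimal SIP message (CRLF line endings, empty body)."""
    return "\r\n".join((first_line, *headers)) + "\r\n\r\n"


# Constructed sample trace (not a real capture): four initial INVITEs,
# one in-dialog re-INVITE for call a1, and one provisional response.
SAMPLE_RECORDS = [
    (0.10, sip_msg("INVITE sip:bob@example.com SIP/2.0",
                   "Call-ID: a1@pbx.example.com",
                   "From: <sip:alice@example.com>;tag=1928",
                   "To: <sip:bob@example.com>")),
    (0.35, sip_msg("SIP/2.0 100 Trying",
                   "Call-ID: a1@pbx.example.com",
                   "From: <sip:alice@example.com>;tag=1928",
                   "To: <sip:bob@example.com>")),
    (0.80, sip_msg("INVITE sip:carol@example.com SIP/2.0",
                   "Call-ID: b2@pbx.example.com",
                   "From: <sip:alice@example.com>;tag=7711",
                   "To: <sip:carol@example.com>")),
    (1.20, sip_msg("INVITE sip:bob@example.com SIP/2.0",   # re-INVITE: To carries a tag
                   "Call-ID: a1@pbx.example.com",
                   "From: <sip:alice@example.com>;tag=1928",
                   "To: <sip:bob@example.com>;tag=4455")),
    (1.90, sip_msg("INVITE sip:dave@example.com SIP/2.0",
                   "Call-ID: c3@pbx.example.com",
                   "f: <sip:alice@example.com>;tag=5",       # compact header forms
                   "t: <sip:dave@example.com>")),
    (3.05, sip_msg("INVITE sip:erin@example.com SIP/2.0",
                   "Call-ID: d4@pbx.example.com",
                   "From: <sip:alice@example.com>;tag=6",
                   "To: <sip:erin@example.com>")),
]


def parse_headers(message: str) -> Dict[str, str]:
    """Return headers as a lower-cased name -> value dict (body ignored)."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_invite(message: str) -> Optional[str]:
    """'new' for an initial INVITE, 'reinvite' for an in-dialog one, else None.

    RFC 3261: a dialog-creating request has no tag on its To header, while an
    in-dialog request (a re-INVITE) carries the remote party's To tag.
    """
    first = message.split("\r\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if not m or m.group(1) != "INVITE":
        return None
    headers = parse_headers(message)
    to_value = headers.get("to", headers.get("t", ""))   # 't' is the compact form
    return "reinvite" if TO_TAG.search(to_value) else "new"


def invites_per_bucket(records: Iterable[Tuple[float, str]],
                       bucket_seconds: float = 1.0,
                       include_reinvites: bool = False) -> Dict[int, int]:
    """Map bucket index floor(ts / bucket_seconds) -> INVITE count."""
    counts: Counter = Counter()
    for ts, msg in records:
        kind = classify_invite(msg)
        if kind == "new" or (include_reinvites and kind == "reinvite"):
            counts[int(ts // bucket_seconds)] += 1
    return dict(counts)


def average_caps(records: Iterable[Tuple[float, str]]) -> float:
    """The hand-made figure from the reply: new INVITEs / elapsed seconds."""
    records = list(records)
    if not records:
        return 0.0
    times = [ts for ts, _ in records]
    elapsed = max(times) - min(times)
    new = sum(1 for _, msg in records if classify_invite(msg) == "new")
    return new / elapsed if elapsed > 0 else float(new)


if __name__ == "__main__":
    for bucket, n in sorted(invites_per_bucket(SAMPLE_RECORDS).items()):
        print(f"second {bucket}: {n} new INVITE(s)")
    print(f"average CAPS over the trace: {average_caps(SAMPLE_RECORDS):.2f}")
```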
Re: [Wireshark-users] Wireshark on OSX **NEWBIE**
On 06.03.2007, at 07:54, Chris Cottingham wrote:

Ok, here goes nothing.. I have been using Ethereal on OS X. It has a nice GUI and everything. I cannot for the life of me find where Wireshark has been installed. Where is the nice program in the applications list like Ethereal? Be kind... :>

Start X11 (usually Applications/Utilities/X11.app). In the xterm type "wireshark" or maybe "/usr/local/bin/wireshark" if the path is not set up. Depending on the distribution you used, it might be at some other place. You can do "find / -print | grep wireshark$" to search for it.
Re: [Wireshark-users] Gtk-WARNING **: cannot open display:
Here's the "About Wireshark" dialogue:

Version 0.99.6 (SVN Rev 20668)
Copyright 1998-2007 Gerald Combs <[EMAIL PROTECTED]> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.10.6, with GLib 2.12.9, with libpcap current-cvs.tcpdump.org.2007.01.04, with libz 1.2.3, with libpcre 6.7, with Net-SNMP 5.2.1, with ADNS, with Lua 5.1, without GnuTLS, with Gcrypt 1.2.3, with MIT Kerberos, without PortAudio, without AirPcap.
Running on Darwin 8.8.1, with libpcap version current-cvs.tcpdump.org.2007.01.04.
Built using gcc 4.0.1 (Apple Computer, Inc. build 5367).

- The line "current-cvs.tcpdump.org.2007.01.04" is important to have a WLAN bug fixed.

Note: the easiest way to start Wireshark is to type /usr/local/bin/wireshark in the X11 window after starting X11, or to make a menubar entry the same way.

As far as the capturing goes, don't use Capture->Interfaces. Use Capture->Options and select the interface there. Then it will always work.
Re: [Wireshark-users] Help. I do not know much about anything.... I am trying to see if a wireless connection between 2
On 10.02.2007, at 17:44, Frank Bulk wrote:

Andreas:

On what basis do you say that most modern IP phones use G.729? Is there a certain class of IP phones (PacketCable, Vonage, 8x8, enterprise (Cisco, Avaya, etc), VoFi) that you had in mind?

Frank

G.729 is one of the best codecs when it comes to efficiency and providing excellent quality. For software implementations it's a bit problematic because of patent issues. The hardware versions don't have this because you simply buy chips which do G.729 and you're done, because the chip vendor has a license for G.729 and they usually do much bigger volumes than a small software company developing a soft phone.

If you compare the different codecs out there:

G.726 ADPCM is also good but doesn't compress so much, so it uses quite a bit of bandwidth. Perfect choice for "a little bit of compression but not too much".
G.711 doesn't compress and wastes a lot of bandwidth (80kbps).
GSM codec is popular on soft phones and open source because it's free to use (even though there are patents about it).
G.728 is not so good in quality and not so efficient as G.729, but less CPU intensive.
G.723 is the one which compresses most (as low as 5.3kbps without IP headers) but it's clearly audible and quality is not considered very good. But useful for applications where minimizing the bandwidth is more important than quality.

From the experience with IP phones, especially WiFi IP phones, we learned that those people who care about quality and provide phones which actually work (there's unfortunately a lot of crap out there too) usually implement G.726, G.729, GSM and of course G.711 a-law and G.711 µ-law for the guys with tons of bandwidth available.

The Cisco IP phones (desk phones) as far as I know do G.711 and G.726. UTStarcom does G.711, G.726 and G.729. The Hitachi WiFi phones WIP3000 and WIP5000A do G.711, G.729 and GSM. Asterisk, the open source PABX, does G.711, G.729 (not for free), GSM and I think also G.726 and a few other codecs. The Grandstream phone adapters also do G.729.

I won't mention any "fake" wireless IP phones like the wireless Skype phones. Those are nothing else than a microphone and a loudspeaker connected to the computer, and all the processing is done on the computer. So you get whatever codec the soft phone has and the phone is just dumb. I prefer real WiFi phones like the Hitachi Cable WIP 5000A which you can use on any access point and which just work. And I prefer G.729 because of its excellent quality.

Just my personal opinion...
Re: [Wireshark-users] Help. I do not know much about anything.... I am trying to see if a wireless connection between 2
I think his problem is more on the radio link level than on the codec level. Using G.711 would be 80kbps worth of data and very timing sensitive usually. Most modern IP phones use G.729. Now if the other side recodes the voice in something like G.728 then you have a serious quality issue due to double compression.

On 09.02.2007, at 21:48, Chet Seligman wrote:

Hopefully your folks use the G.711 codec. If so you can do a capture and save forward and reverse streams as a .au file. This will play with Windows Media and you will hear what they are hearing. Else the following still applies:

WS will make delay and jitter graphics.
Filter the capture for RTP and save the filtered version.
Export to CSV and read with Excel.
Determine the standard deviation of the delta time between packets column.
Make a frequency table of the delta t.
4 x stdev = 99.97% of a normal distribution. If 4x stdev is less than 20ms then you are losing very few packets and have micro-jitter. Else, the reverse.

If you meet the standard deviation test then the network is doing a good job and the IP phones are not. Often phone firmware or lousy wires are responsible. More than 50% of IP phone problems are speed/duplex mismatches at the network jack.

From: [EMAIL PROTECTED] [mailto:wireshark-users-[EMAIL PROTECTED] On Behalf Of Chuck Botwin
Sent: Friday, February 09, 2007 11:29 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Help. I do not know much about anything I am trying to see if a wireless connection between 2

Help. I do not know much about anything. I am trying to see if a wireless connection between 2 buildings is adequate. I have played with Wireshark and see that if I use my IP address as the interface, and a computer's IP address somewhere else locally, I can see packets sent and received, with no dropped packets. I plan to go to a friend's site to do this exercise between 2 buildings.

This in itself is not a big deal, but I want to get an idea of the available bandwidth between the buildings. Their problem is that their IP phones have very poor quality. The people who installed their antennas say it is the IP phone system. The antenna people report 8 megabit throughput. The IP phone vendors say it is the wireless connection. I want to get to the bottom of this. Any suggestions? How can I measure bandwidth? If there are no dropped packets between the buildings, should I assume the problem lies with the IP phones??

Thanks in advance.

Chuck

Chuck Botwin
President
Botwin Communications
Office: (770) 218-0008 xt 222
Fax: (770) 218-9291
Cell: (770) 856-6690
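Chet Seligman's delta-time procedure from the quoted message, carried out in code as an added example (not from the list or from Wireshark): filter one RTP stream out of a packet list, take the inter-arrival deltas, compute their standard deviation and frequency table, and apply the "4 x stdev below 20 ms" rule. The two streams are constructed, one healthy and one badly jittered; the SSRC values and the packet-dict shape are assumptions of the example.

```python
"""Chet Seligman's delta-time jitter test from the thread, done in code."""
import statistics
from collections import Counter
from typing import Dict, Iterable, List


def build_packets(deltas_ms: List[float], ssrc: int, start: float = 1.0) -> List[dict]:
    """Constructed packet list (not a real capture): one RTP stream whose
    inter-arrival times are deltas_ms, with unrelated frames mixed in so the
    filtering step has something to drop."""
    t = start
    packets = [{"time": t, "proto": "RTP", "ssrc": ssrc}]
    for i, d in enumerate(deltas_ms):
        t += d / 1000.0
        packets.append({"time": t, "proto": "RTP", "ssrc": ssrc})
        if i % 4 == 0:
            packets.append({"time": t + 0.0005, "proto": "ARP", "ssrc": None})
    return packets


# Stream A: healthy 20 ms pacing with sub-millisecond wobble.
GOOD_DELTAS_MS = [20.0, 20.4, 19.6, 20.2, 19.8, 20.1, 19.9, 20.3, 19.7, 20.0]
# Stream B: badly jittered, the kind of stream behind "very poor quality".
BAD_DELTAS_MS = [20.0, 60.0, 5.0, 45.0, 10.0, 70.0, 20.0, 35.0, 2.0, 55.0]

GOOD_SSRC, BAD_SSRC = 0x1111AAAA, 0x2222BBBB        # assumed stream identifiers
GOOD_STREAM = build_packets(GOOD_DELTAS_MS, GOOD_SSRC)
BAD_STREAM = build_packets(BAD_DELTAS_MS, BAD_SSRC)


def rtp_arrivals(packets: Iterable[dict], ssrc: int) -> List[float]:
    """Step 1, 'filter the capture for RTP': arrival times of one stream."""
    return sorted(p["time"] for p in packets
                  if p["proto"] == "RTP" and p["ssrc"] == ssrc)


def inter_arrival_ms(times: List[float]) -> List[float]:
    """Step 2, the 'delta time between packets' column, in milliseconds."""
    return [(b - a) * 1000.0 for a, b in zip(times, times[1:])]


def assess_stream(times: List[float], threshold_ms: float = 20.0,
                  bin_ms: float = 1.0) -> Dict[str, object]:
    """Steps 3-5: stdev of the deltas, frequency table, 4 x stdev test."""
    deltas = inter_arrival_ms(times)
    if len(deltas) < 2:
        raise ValueError("need at least three packets to estimate jitter")
    stdev = statistics.stdev(deltas)          # sample stdev, like Excel's STDEV()
    four_sigma = 4.0 * stdev
    table = Counter(round(d / bin_ms) * bin_ms for d in deltas)
    return {
        "packets": len(times),
        "mean_delta_ms": statistics.mean(deltas),
        "stdev_ms": stdev,
        "four_sigma_ms": four_sigma,
        "frequency_table": dict(sorted(table.items())),
        # Chet's rule: under 20 ms the network is doing its job and the
        # phones, firmware or cabling (speed/duplex mismatch) are the suspects.
        "network_ok": four_sigma < threshold_ms,
    }


if __name__ == "__main__":
    for name, packets, ssrc in (("good", GOOD_STREAM, GOOD_SSRC),
                                ("bad", BAD_STREAM, BAD_SSRC)):
        r = assess_stream(rtp_arrivals(packets, ssrc))
        print(f"{name}: stdev {r['stdev_ms']:.2f} ms, "
              f"4*stdev {r['four_sigma_ms']:.2f} ms, network_ok={r['network_ok']}")
```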
Re: [Wireshark-users] U3 Package
What is all this hype about U3? It's a USB stick after all, and it holds a binary which should be able to be double-clicked from it. So what's all THAT hot about having a menubar GUI to launch it from there?

I could never ever use U3 so far (I use a Mac in 99% of the cases) and usually have a hard time deleting the U3 installation to recover the memory space I'm supposed to have (as there are no U3 tools for the Mac, there is no uninstaller for it either, and formatting the stick doesn't get rid of the virtual CD which shows up to annoy you).

What am I missing here?

On 06.02.2007, at 18:24, Scott Vermillion wrote:

> Well there is this:
> http://web.archive.org/web/20060427203232/http://www.packetstuff.com/
> http://www.download.com/PacketStuff-Network-Toolkit/3000-2085_4-10428838.html
> So it can definitely be done.

Very interesting Hans. Actually, I have no doubt that it can be done. I'm just not sure if there has been a big demand for it within the Ethereal/Wireshark community? I would use such a capability almost daily; especially if I could capture from a USB drive without full administrator privileges. Some of the networks/machines that I work on are very tightly controlled and thus installing software for test purposes can become an ordeal.

In any case, I'm a die-hard Wireshark groupie and that new AirPcap 802.11 capture device has already paid for itself. I now have the U3 package installed on my USB drive and that's one less thing I'll have to install next time around. Progress, progress...

BTW, thanks much all for your hard work on a great set of tools...
Re: [Wireshark-users] Cross compilation problem again
Seems simply like you don't have the glib-2.0 library compiled for your MIPS environment. Wireshark depends on glib and gtk+; tshark probably only on glib, given it doesn't have an X11 GUI.

On 06.02.2007, at 14:01, Daniele Brevi wrote:

Hi to all,

I'm still trying to cross-compile tshark :-(

Running make I obtain the following error:

mipsel-linux-uclibc/bin/ld: cannot find -lgmodule-2.0

I'm not a Linux expert but probably my MIPS gcc does not know glib 2.0. So I try to run ./configure with the --disable-gtk2 option, but it says to me:

checking whether %llx can be used to format 64-bit integers... configure: error: cannot run test program while cross compiling
See `config.log' for more details.
configure: error: /bin/sh './configure' failed for wiretap

I try to read the configure file but it seems that (see line 22952) if I'm cross compiling I can't pass this point, sigh :-(

Some ideas about this?

Thank you very much and good work
Daniele
Re: [Wireshark-users] tcp packets too big !?
Could it be that your Linux is supporting and using jumbo frames? In this case the MTU is much bigger.

On 02.02.2007, at 14:26, Christophe Lohr wrote:

Hi,

Wireshark shows (outgoing) TCP packets with a surprising size, larger than the MSS...

Let's consider the following "Client" and "Server":

* Server [192.168.100.17] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > server.dump
# netcat -l -p 7575 > /dev/null

* Client [192.168.100.11] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > client.dump
# netcat 192.168.100.17 7575

192.168.100.17 TCP 74 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.000835 192.168.100.17 -> 192.168.100.11 TCP 74 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
(..)

The last TCP packet has Len=2896 !!!???

And now, packets received:

* server.dump *
0.00 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.000525 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.000764 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001035 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001285 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874589889 Win=168 Len=0 TSV=1201905 TSER=237521907
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
0.001531 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874591337 Win=213 Len=0 TSV=1201905 TSER=237521907
0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
(..)

No trace of large TCP packets... I can't understand how "Client" manages to send TCP packets larger than the MTU. Does Wireshark dump real (outgoing) packets?

Note that "Client" and "Server" are Linux 2.6.18/Fedora4.

Many thanks.

Regards
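An added example (not from the list or from Wireshark) that makes Christophe's observation mechanical: it parses tshark one-line summaries like the ones above, learns each host's announced MSS from the SYN/SYN-ACK options, and flags any segment whose Len exceeds the MSS of the host it is sent to, or whose frame length exceeds a standard Ethernet frame. The sample lines are copied from the post (client side with frame lengths, server side without; the truncated first client line is left out); a capture taken on the sending host can show segments before the NIC splits them (segmentation offload), so the point of the check is to compare the two capture points before blaming the tool or the network.

```python
"""Flag TCP segments larger than the peer's MSS in tshark summary lines."""
import re
from typing import Dict, List, Optional

# Matches both summary styles seen in the post: with and without a frame length
# column after "TCP".
SUMMARY_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?:(?P<frame>\d+)\s+)?(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]*)\]\s*(?P<rest>.*)$"
)

# Lines copied from the post's client-side capture (frame length present).
CLIENT_DUMP = """\
0.000835 192.168.100.17 -> 192.168.100.11 TCP 74 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
"""

# Lines copied from the post's server-side capture (no frame length column).
SERVER_DUMP = """\
0.00 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.000525 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
(..)
"""


def parse_summary_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one tshark summary line into a dict; None for non-matching text."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")

    def field(name: str) -> Optional[int]:
        f = re.search(r"\b%s=(\d+)" % name, rest)
        return int(f.group(1)) if f else None

    return {
        "time": float(m.group("time")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "frame": int(m.group("frame")) if m.group("frame") else None,
        "flags": [f.strip() for f in m.group("flags").split(",")],
        "length": field("Len") or 0,
        "mss": field("MSS"),
    }


def find_oversized(dump: str, ethernet_mtu: int = 1500) -> List[Dict[str, object]]:
    """Segments whose Len exceeds the MSS announced by the host they are sent
    to (learned from SYN / SYN-ACK options), or whose frame exceeds MTU + 14
    bytes of Ethernet header."""
    announced_mss: Dict[str, int] = {}
    hits: List[Dict[str, object]] = []
    for line in dump.splitlines():
        seg = parse_summary_line(line)
        if seg is None:
            continue
        if "SYN" in seg["flags"] and seg["mss"] is not None:
            announced_mss[seg["src"]] = seg["mss"]   # bounds segments sent TO src
        limit = announced_mss.get(seg["dst"])
        over_mss = limit is not None and seg["length"] > limit
        over_mtu = seg["frame"] is not None and seg["frame"] > ethernet_mtu + 14
        if over_mss or over_mtu:
            hits.append({"time": seg["time"], "length": seg["length"],
                         "frame": seg["frame"], "mss_limit": limit})
    return hits


if __name__ == "__main__":
    for name, dump in (("client.dump", CLIENT_DUMP), ("server.dump", SERVER_DUMP)):
        hits = find_oversized(dump)
        print(f"{name}: {len(hits)} oversized segment(s)")
        for h in hits:
            print(f"  t={h['time']} Len={h['length']} frame={h['frame']} "
                  f"> MSS {h['mss_limit']}")
```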
Re: [Wireshark-users] Wireshark Error
You need to define the DISPLAY variable to point to your X11 display. The easiest is to start Wireshark in an xterm window. If you "su" to root in this xterm, the DISPLAY may have to be set again.

export DISPLAY=127.0.0.1:0.0

(in bash, sh and the like) should do. If you get a permission error, then try typing "xhost +" in your X11 application first.

On 01.02.2007, at 05:03, Timothy Barnett wrote:

You are running wireshark with root privileges, aren't you? I get that message if I attempt to run wireshark as a user.

Regards,

On 1/30/07, Kray Mitchell <[EMAIL PROTECTED]> wrote:

I am fully new to all this, but I installed Wireshark today (full install) and I already have X11 installed. I am trying to run ANYTHING in wireshark and I get this error:

(wireshark:550): Gtk-WARNING **: cannot open display:

Though the number changes depending on what I try and run. I can get wireshark -h to work, but that is it, and it is not very helpful to me. I am just trying to find something so I can find out what is happening on the network, so I can start learning to find out where bottlenecks are happening so I can figure out a solution.

Thanks
kray
Re: [Wireshark-users] Problem with 0.99.3a-1011 on MacBook
The tcpdump which comes with the system from Apple does work if you specify the interface (-i eth1). If you don't, you hit a problem. The Wireshark installation I did (http://www.finkconsulting.com/page7.php) was compiled with a newer version of libpcap and tcpdump which don't have this problem anymore unless you monitor the wtl interface. Wireshark works with this fine if you do "Capture->Options" but not if you do "Capture->Interfaces". The reason for this is that Wireshark opens all interfaces to show the current "traffic". This includes the monitoring pseudo interface wtl which puts the WLAN offline to do monitoring.

On 20.01.2007, at 18:37, Todd Wease wrote:

Andreas Fink <[EMAIL PROTECTED]> writes:

This is a known bug. Shout at Apple about it. I opened a bug report about it long ago but Apple doesn't seem to care to fix it so far. And of course they leave you in the dark. You can reproduce the same problem with tcpdump which comes with MacOS X. So it's not Wireshark being at fault.

tcpdump works fine for me on an Intel MacBook. DarwinPorts Wireshark not so fine.
Re: [Wireshark-users] Help with MacOS X Wireshark binary
Open X11 and type /usr/local/bin/wireshark in the terminal window there (or add a shortcut in the menu for it).

On 19.01.2007, at 14:33, todd Okolowicz wrote:
> Hi-
>
> I downloaded and installed "Wireshark_0.99.4_Tiger.dmg" onto my MacBook Pro C2D running 10.4.8. I have X11 installed. However, I have no idea how to launch Wireshark now. Could any one help me with this? It doesn't appear that anyone has addressed this in the documentation or wiki for newbies.
>
> Thanks,
> /Todd
Re: [Wireshark-users] Help on tcpdump or dumpcap
I would do

tcpdump -w capture_file -s0 -i interface

The -s0 makes sure the packets are not cut in size...

On 18.01.2007, at 02:38, Sebastien Tandel wrote:
> basically,
>
> tcpdump -w capture_file -i interface_name
>
> tshark -r capture_file
>
> but the man pages should be of great help for further information.
>
> Regards,
>
> Sebastien Tandel
>
> ARAMBULO, Norman R. wrote:
>> Hi, has anyone tried using tcpdump or dumpcap to capture packets on a GigE interface? We are not sure how tcpdump works; could somebody help me with this.
>>
>> Please explain how we can use tcpdump to capture to a file and later read it using Tshark or Tethereal. Thanks
>>
>> "Reality is merely an illusion, albeit a very persistent one."
>> -- Albert Einstein
>>
>> Norman R. Arambulo
>> National Fraud Management Division
>> Internal Audit & Fraud Risk Management Group
>> Tel. No : 632-8889119/22
>> Fax No.: 632-8444889
Re: [Wireshark-users] Capturing with no free ips
You can capture without the computer having its own IP. I'm doing this myself on a Linux machine using the tcpdump utility (just to grab the packets for later analysis), but you can do it directly from wireshark too of course.

On 11.01.2007, at 18:38, Computer Answer wrote:
> I'd like to use Ethereal/Wireshark at one of my customer sites and need some help. Specifically I need to setup a packet capture on a public segment with no free IPs. Basically, whether the capturing computer has to have an IP address on the same segment as the device connected to the Internet, the server (Novell) in this case, or whether it can capture all traffic (possibly as long as at least some aspects of the IP setup are similar).

Andreas Fink
[Wireshark-users] MacOS X Package 0.99.4 done
All,

The MacOS X packages I built today for Wireshark 0.99.4 under Tiger 10.4.8 on i386 and ppc are now downloadable on http://www.finkconsulting.com/page7.php

Either as full install:
http://www.finkconsulting.com/opensource/Wireshark_0.99.4_Tiger.dmg

or as individual packages:
http://www.finkconsulting.com/opensource/pkg-config-0.21.zip
http://www.finkconsulting.com/opensource/gettext-0.16.1.zip
http://www.finkconsulting.com/opensource/glib-2.12.4.zip
http://www.finkconsulting.com/opensource/libtiff-3.8.2.zip
http://www.finkconsulting.com/opensource/libpng-1.2.14.zip
http://www.finkconsulting.com/opensource/libjpeg-6b.zip
http://www.finkconsulting.com/opensource/atk-1.12.1.zip
http://www.finkconsulting.com/opensource/cairo-1.2.4.zip
http://www.finkconsulting.com/opensource/pango-1.14.3.zip
http://www.finkconsulting.com/opensource/lua-5.1.1.zip
http://www.finkconsulting.com/opensource/pcre-6.7.zip
http://www.finkconsulting.com/opensource/adns-1.3.zip
http://www.finkconsulting.com/opensource/gtk+2.10.6.zip
http://www.finkconsulting.com/opensource/libpcap-2007.01.04.zip
http://www.finkconsulting.com/opensource/tcpdump-2007.01.04.zip
http://www.finkconsulting.com/opensource/wireshark-0.99.4.zip

The Wireshark package has been configured with the following options.

Build wireshark : yes
Build tshark : yes
Build capinfos : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build text2pcap : yes
Build idl2wrs : yes
Build randpkt : yes
Build dftest : yes
Install setuid : no
Use plugins : yes
Build lua plugin : yes
Build rtp_player : no
Use GTK+ v2 library : yes
Use threads : yes
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use pcre library : yes
Use kerberos library : yes (MIT)
Use GNU ADNS library : yes
Use GNU crypto library : yes
Use SSL crypto library : yes
Use IPv6 name resolution : yes
Use UCD SNMP/Net-SNMP library : yes (net-snmp)
Use gnutls library : no

The full install disk image contains full-wireshark 0.99.4, a metapackage containing Wireshark itself plus all the dependencies to run it on a plain MacOS X 10.4.8 Tiger system without anything else installed except Apple's X11 (which you can find on your MacOS X Install CD as optional install).

Those packages are supposed to run on Intel and PowerPC CPUs (can someone with a PowerPC Mac who has never seen wireshark before test this, in case there are dependencies missing or anything else bogus?). Some libraries have been built with 64bit support when it was possible.

The wireshark package also has a startup item which modifies the privileges of the /dev/bpf* devices so a normal MacOS X user can read / capture.

Note: Wireshark was linked to a static libpcap to overcome an issue of the WLAN going offline on MacBook Pros when you want to capture IP packets on the WLAN you are connected to. The static cvs version of the library doesn't have this effect except when you capture on the wtl interface (you will see the WLAN frames in this case too), where it's normal to lose connectivity. If you choose "Interface" from the menu however, your WLAN will still disconnect. Choose "Options" instead and choose the interface there. So MacBook Pro users (like me) will be happier than before (thanks Guy for finding the workaround...)

As gtk+ 2 and all the dependent libraries have finally been built properly (with gtk+1 we had only 2 dependencies, now we have more than a dozen), I will try to keep up with the cvs version and build updated packages more often.

Andreas Fink
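The startup item above loosens the mode of /dev/bpf* so an unprivileged user can capture; since those devices hand out raw frames from every interface, the bits it sets are worth auditing. This is an added example, not part of Andreas's package or the list thread: a POSIX sh check that flags any bpf device granting read or write access to "others". The `ls -l` listing is constructed, and the group name `access_bpf` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit /dev/bpf* permission bits.
# A world-readable bpf device lets any local account sniff all traffic,
# so the safe shape is root:<capture-group> with mode 0640 (no "others" bits).

# bpf_world_access MODE -> prints "world" if others have r or w, else "ok".
# MODE is the 10-character field from `ls -l`, e.g. crw-rw----
bpf_world_access() {
    others=${1#???????}          # characters 8-10: the "others" triplet
    case $others in
        *r*|*w*) echo world ;;
        *)       echo ok ;;
    esac
}

# bpf_audit reads `ls -l /dev/bpf*` style lines on stdin, reports each
# world-accessible device on stderr and prints the count of offenders.
bpf_audit() {
    bad=0
    while read -r mode links owner group rest; do
        case $mode in c*) ;; *) continue ;; esac   # character devices only
        name=${rest##* }                             # last field is the path
        if [ "$(bpf_world_access "$mode")" = world ]; then
            echo "world-accessible: $name ($mode $owner:$group)" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed sample listing: bpf0/bpf1 as a "chmod 666" startup item leaves
# them, bpf2/bpf3 restricted to a capture group (access_bpf is assumed).
SAMPLE_LISTING='crw-rw-rw-  1 root  wheel       23,   0 Jan 18 02:38 /dev/bpf0
crw-rw-rw-  1 root  wheel       23,   1 Jan 18 02:38 /dev/bpf1
crw-r-----  1 root  access_bpf  23,   2 Jan 18 02:38 /dev/bpf2
crw-r-----  1 root  access_bpf  23,   3 Jan 18 02:38 /dev/bpf3'

# bpf_sample_bad_count -> number of offending devices in the sample (2)
bpf_sample_bad_count() {
    printf '%s\n' "$SAMPLE_LISTING" | bpf_audit
}

# bpf_restrict GROUP: what a startup item should do instead of chmod 666.
# Not executed here; needs root and real /dev/bpf* nodes.
bpf_restrict() {
    chgrp "$1" /dev/bpf* && chmod 640 /dev/bpf*
}
```

On a live machine, `ls -l /dev/bpf* | bpf_audit` runs the same check against the real device nodes.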
Re: [Wireshark-users] Mac OSX new MacBook Pro
On 29.10.2006, at 02:35, Mike Savory wrote:
> I just received my new MBP today, and the first thing I did was install Wireshark (via Macports, which works perfectly for me on my current Powerbook G4) http://www.macports.org/
>
> Specifically... http://svn.macports.org/repository/macports/trunk/dports/net/wireshark/Portfile
>
> The interesting issue is that as soon as I do a "> sudo tshark -i en1" it kills my wireless association, and I have to reconnect after the capture to get back into my Apple Extreme wireless connection; all other devices on the network are unaffected. If I run Wireshark under X it has the same effect. Running "> sudo tcpdump -i en1" works fine as you would expect.

This is a known problem on MacBook Pro. If you have access to Apple's Bugreporting system, open a bug about that. Maybe one day Apple will fix that *sigh*. It also happens when you simply type "tcpdump".

Andreas Fink
Re: [Wireshark-users] Running Wireshark on OS X
Hi Jeremy,

I have built wireshark/ethereal package version 0.99.0 for MacOS X. It is on http://www.finkconsulting.com/page7.php#ethereal

Except X11 there's nothing required. I'm working on a newer version which uses gtk2 instead of gtk1, but the chain reaction there is pretty serious and requires some tweaking (pango currently crashes when launched with wireshark). Also making it universal often is a lot of handwork in the libraries part (lipo is my best friend...)

On 13.10.2006, at 19:15, Guy Harris wrote:
> Jeremy Chaney wrote:
>> The Wireshark page on WikiPedia (http://en.wikipedia.org/wiki/Wireshark) shows a nice pretty screen shot of Wireshark running on OS X. Where can I get the binaries (or even the source) for the OS X version of the GUI?
>
> There is currently no native OS X version of the GUI; it's an X11 GUI on OS X, as it is on other UN*Xes, so you have to install the X11 server to run it on OS X.
Re: [Wireshark-users] VoIP analysis and assessment
Did you verify if the calls work fine from the ISDN to a phone connected to the PBX too? This is to verify that you don't have a clocking issue on the 2Mbps ISDN trunk.

On 28.09.2006, at 01:18, Chris Swinney wrote:
> Hi all,
>
> We have the following scenario:
>
> Scenario. There are three remote sites in UK. Each has their own Alcatel PBX and is connected to the Internet via an RADSL (ADSL Max) line (8MB down, 832kbps up). Each ADSL line is connected via a ZyXEL 660 to a ZyXEL ZyWALL 35. The Alcatel PBXs are connected directly to a LAN port on the ZyWALL. The ZyWALLs also connect to a data network that shares the same subnet range as the Alcatel PBXs. Each site is connected to each other via an IPSEC VPN. Bandwidth Management rules on the ZyWALLs prioritize traffic to and from the PBXs, through the VPNs. There is one site that is the head office and the other two are branches. All calls are received via PSTN (ISDN 30) at the head office and are then transferred using a SIP trunk to the remote branch offices (Alcatel PBX to Alcatel PBX) via the VPN.
>
> Known limitations. The system has been specified so that no more than 8 simultaneous calls from the head office to the branch office would be allowed. The Alcatel PBXs only support a limited number of Codecs, namely G711, G723.1, G729a. Call quality is an issue with anything other than G711. This codec gives 64kbps per call, but with TCP overheads we are looking at around 80-90kbps. 8 calls then equates to around 720kbps, which is close to the upper limit of our bandwidth. IPSEC VPN translation will also add a bandwidth consideration and could push this to 115 kbps. This would flood the network. In addition, although the Bandwidth is managed by the edge of network routers and VoIP traffic is prioritised across the VPN, the actual VPN packet is not marked for QoS as it travels across the Internet.
>
> Caveats. It is unlikely that 8 calls will be placed at any one time. In fact the issues are being seen with just one call in place. Bandwidth limitations are known and potentially being addressed. A second DSL line may be installed at the main office so that one circuit will carry voice and the other will carry data. The ZyWALL 35 will handle this segregation through its dual WAN ports. However, we may still find bandwidth issues if the pipe is not sufficiently large considering the amount of concurrent calls required. This may require a limitation of the number of concurrent calls. SNMP logs have been taken to look at various router parameters (such as bandwidth usage, CPU utilisation etc) on the ZyWALLs, particularly looking at the managed bandwidth OUT of the router on the egress to the WAN. These show that maximum bandwidth usage can spike to the managed level occasionally, although VoIP issues also appear to not necessarily coincide with these spikes. Internet connectivity at all sites is handled through one ISP (Griffin). They have lower contention ratios and an uncongested network. This also keeps hops and latency minimal between sites (2-4 hops, 50 ms).
>
> Areas of Concern. The users are experiencing what they describe as a "buzzing" on the line. This appears to be only in one direction (i.e. callers cannot hear a noise but the workers in the office can). It also appears to be intermittent and of differing magnitude; sometimes it is bearable, other times it makes the call inaudible. Users have also reported a number of dropped calls.
>
> Plan of action. First and foremost, we need to identify the area/s that is causing call quality issues, and to do that we need to identify what is the exact nature of the problem (i.e. what is this "buzzing"). Is this purely a bandwidth issue, or is there some other issue, and where does this issue lie? Once the problem is identified we need to put forward a resolution, then retest once this has been implemented. Really what I need to do now is a packet trace.
>
> Ideally I would like to get a packet dump from the ZyWALL itself but I have not managed to do this. Failing that I will insert a hub before the ZyWALL and plug the network and PBX into that, then hook the hub up to the ZyWALL. I should then be able to plug into the hub with a sniffer and monitor all traffic going to the ZyWALL. I can't monitor upstream of the ZyWALL as these packets will be encrypted within IPSEC packets. Ideally I need a piece of software that can reconstruct VoIP call activity and give me quality scores (MOS), potential issues (jitter, packet loss) and suggested resolutions. We've looked at Observer Suite from NI but this is a hefty £4000. I am looking at Wireshark/Ethereal but I'm not sure if it will do all that is needed, or at least my skill set may not be able to get the required info. Can Wireshark be used to get the necessary information required? If not, are there any developer add-ons that could help in my quest?
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: 27 Septemb
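The per-call figures in Chris's mail (64 kbps codec, 80-90 kbps with headers, up to about 115 kbps once the IPsec VPN wraps it, 832 kbps upstream) can be reproduced with a few lines of integer arithmetic. This is an added example, not from the thread: RTP/UDP/IPv4 header sizes are the standard ones, while the ESP overhead assumes AES-CBC (16-byte IV and block) with an HMAC-SHA1-96 ICV in tunnel mode, which is an assumption about the ZyWALL's configuration, not something the mail states.

```shell
#!/bin/sh
# Added example (not from the thread): per-call VoIP bandwidth on the wire.
# All sizes in bytes, rates in bits per second, one direction of one call.

# rtp_packet_bytes CODEC_BPS PTIME_MS -> size of one RTP/UDP/IPv4 packet
rtp_packet_bytes() {
    payload=$(( $1 * $2 / 8000 ))      # bits/s * ms / 8 bits / 1000 ms
    echo $(( payload + 12 + 8 + 20 )) # RTP 12, UDP 8, IPv4 20
}

# esp_tunnel_bytes INNER_BYTES -> size after ESP tunnel-mode encapsulation
# Assumption: AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96 (12-byte ICV)
esp_tunnel_bytes() {
    inner=$1
    pad=$(( (16 - (inner + 2) % 16) % 16 ))   # pad (inner + 2 trailer bytes) to a block
    echo $(( 20 + 8 + 16 + inner + pad + 2 + 12 ))  # outer IP, SPI+seq, IV, trailer, ICV
}

# bps PACKET_BYTES PTIME_MS -> bit rate for one packet every PTIME_MS
bps() {
    echo $(( $1 * 8 * 1000 / $2 ))
}

# call_bps CODEC_BPS PTIME_MS {plain|ipsec} -> one-direction stream rate
call_bps() {
    pkt=$(rtp_packet_bytes "$1" "$2")
    if [ "$3" = ipsec ]; then
        pkt=$(esp_tunnel_bytes "$pkt")
    fi
    bps "$pkt" "$2"
}

# max_calls LINK_BPS PER_CALL_BPS -> whole calls that fit in the link
max_calls() {
    echo $(( $1 / $2 ))
}

# Worked numbers for the setup in the mail: G.711 at 20 ms, 832 kbps upstream.
g711_plain=$(call_bps 64000 20 plain)   # 80000: the "80-90 kbps" figure
g711_ipsec=$(call_bps 64000 20 ipsec)   # 105600: what the VPN adds
g729_ipsec=$(call_bps 8000 20 ipsec)    # 60800: headers dominate the codec
calls_in_uplink=$(max_calls 832000 "$g711_ipsec")   # 7, not the specified 8
```

The 8000 bps G.729a case shows why a low-bitrate codec helps less than expected: the fixed per-packet headers plus ESP padding are larger than the voice payload.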
Re: [Wireshark-users] trouble getting packaged installs to work on OSX
MacOS X 10.4 comes with X11 on the install CD as optional install. It is not installed by default but only a doubleclick away.

On 07.09.2006, at 14:52, Chris Cocuzzo wrote:
> Does X11 come standard with OSX 10.4+? For the hell of it, I tried installing X11 last night, but the install wouldn't complete because I have "more recent software on this computer" -- I was under the impression that X11 WASN'T included?
>
> On 9/6/06, Stephen Fisher <[EMAIL PROTECTED]> wrote:
>> On Wed, Sep 06, 2006 at 05:05:33PM -0400, Chris Cocuzzo wrote:
>>> I've encountered this problem using both Fink and DarwinPorts. While the error messages might have been slightly different, they both amounted to something like this in the OSX command line: "GTK unable to open"
>>
>> Is this the error: Gtk-WARNING **: cannot open display: ? If so, make sure you have Apple's X11 installed and either start wireshark from an X11 xterm screen or set the display variable manually. For the sh/bash/ksh shells do "export DISPLAY=:0.0" or for the tcsh shell do "setenv DISPLAY :0.0"
>>
>>> Also, I have ethereal running correctly in Parallels on OSX; however, it seems like I can't see any other network interface aside from Parallels itself. Any ideas why it doesn't find the other interfaces out there?
>>
>> Sorry, never used parallels myself.
>>
>> Steve
Re: [Wireshark-users] Problem with 0.99.3a-1011 on MacBook
This is a known bug. Shout at Apple about it. I opened a bug report about it long ago but Apple doesn't seem to care to fix it so far. And of course they leave you in the dark. You can reproduce the same problem with tcpdump which comes with MacOS X. So it's not wireshark being at fault.

On 03.09.2006, at 07:46, Jim Forster wrote:
> Maybe I missed something as I'm not that up on installations, packages, etc, these days, but my Wireshark 0.99.3a-1011 on a MacBook w/ 10.4.7 causes my Airport interface to lose association as soon as I start a capture. It did capture some outgoing SNMP packets and decoded them OK, so a lot of it is working, but I can't capture wireless packets.
>
> Anyone else have this or have any ideas?
>
> Thanks,
>
> -- Jim