gmane.network.wireshark.user

Re: tshark http -e options

Shain Singh — 2013-05-25T11:12:18

you can use "-e text" to grab the returned output.

tshark -G | grep http

will show you the valid http.* related filters

On 22 May 2013 06:39, Chris Datfung <chris.datfung-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

BOSH connections

Matt Bellizzi — 2013-05-24T16:57:18

Hello


I'm wondering if anyone has a good way to view XMPP  traffic through a BOSH connection?   Wireshark does this as BOSH is just HTTP however the SSL decodes seem to be all over in different tabs and also the conversation  is in  two HTTP connections.   Thanks for any help.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Wireshark (1.8.2) decrypting (SIP)TLS Traffic

Max Mühlbronner — 2013-05-23T11:19:10

Hi list,

I just tried to decrypt SIP TLS traffic in wireshark (preferences --> 
SSL , imported priv key for server ip/port) and was at least able to see 
decrypted packets in the ssl-logfile when enabling SSL debugging in 
wireshark. I also made sure to capture the initial handshake, but the 
decrypted SIP traffic does never shows up in wireshark/packet list?

One thing i noticed is: i have to choose a protocol like "sip","ssl" but 
there is no "sip-tls" ? But i am not sure if this makes any difference...

...
association_find: TCP port 1051 found (nil)
association_find: TCP port 5061 found 0xb9eb6268
dissect_ssl3_record decrypted len 651
decrypted app data fragment: SIP/2.0 200 OK
Via: SIP/2.0/TLS 109.22.22.22:5061;branch=z9hG4bK1b7a.e58532f.0
...


I also avoided diffie-hellman ciphers (to keep things simple) and tried 
a few other things but i am never able to see the packets in the packet 
list? (Only in the ssl logfile...)


Any ideas how to debug this?

tshark http -e options

Chris Datfung — 2013-05-21T20:39:02

Hi,

I want to use tshark to capture http requests and responses. I have having
difficulty getting POST bodies and the HTML response body to appear. I'm
using the following command:

tshark -R "http.response or http.request" -T fields -E separator="|" -e
frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e
http.request.version -e http.request.method -e http.request -e http.host -e
http.request.uri -e http.user_agent -e http.response.code -e
http.content_type -e http.content_length -e http.location -e http.referer
-e http.response.body

Is there a URL that shows all possible -e flags? Can someone suggest how I
can print a pipe deliminated output of the entire http request and response
pair?

Thanks,
Chris
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wires

Wireshark 1.8.7 is now available

Gerald Combs — 2013-05-17T21:58:56

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm proud to announce the release of Wireshark 1.8.7.

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer.
   It is used for troubleshooting, analysis, development and
   education.

What's New

  Bug Fixes

   The following vulnerabilities have been fixed.

     o wnpa-sec-2013-23

       The RELOAD dissector could go into an infinite loop.
       Discovered by Evan Jensen. (Bug 8364, (Bug 8546)

       Versions affected: 1.8.0 to 1.8.6.

       CVE-2013-2486

       CVE-2013-2487

     o wnpa-sec-2013-24

       The GTPv2 dissector could crash. (Bug 8493)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-25

       The ASN.1 BER dissector could crash. (Bug 8599)

       Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.

     o wnpa-sec-2013-26

       The PPP CCP dissector could crash. (Bug 8638)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-27

       The DCP ETSI dissector could crash. D

[HITB-Announce] HITB Magazine Issue 010

Hafez Kamal — 2013-05-14T11:00:01

Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial-Y0pbcourc9SI2xUbZzX/NA< at >public.gmane.org

Topics of interest include, but are not limited to the following:

    Next generation attacks and exploits
    Apple / OS X security vulnerabilities
    SS7/Backbone telephony networks
    VoIP security
    Data Recovery, Forensics and Incident Response
    HSDPA / CDMA Security / WIMAX Security
    Network Protocol and Analysis
    Smart Card and Physical Security
    WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
    Analysis of malicious code
    Applications of cryptographic techniques
    Analysis of attacks against networks and machines
    File system security
    Side Channel Analysis of Hardware Devices
    Cloud Security
    Exploit Analysis

On an unrelated note, registration for the 11th annual HITB Security
Conference (#HITB2013KUL) is also

Re: Process Information with packets

Frank Bulk — 2013-05-13T03:01:54

I think you're looking for Microsoft's Network Monitor:
http://www.microsoft.com/en-us/download/details.aspx?id=4865

Frank

-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org
[mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org] On Behalf Of Prameswar Lal
Sent: Sunday, May 12, 2013 9:15 AM
To: wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org
Subject: [Wireshark-users] Process Information with packets

 hi i am going to work on project
 The application and  user associated with each packet should be shown
in the packet detail. like  wireshark show the packet sender's  host
user name. let suppose

a computer have 10 user .then we can not say who is the sender of this

packet.

please tell me what i can add new more feature in this project . and i
dont know this is already implemented or not . if  implemeted then
tell me .

i will greatly happy if  you help me to improve my project
thanks
___________________________________________________

Wireshark piping in of pcap data on windows

Jason Pyeron — 2013-05-12T19:44:43

Given I cannot specifiy a filename as device on windows, what is the best way to
take a stream (stdout) of pcap data and show it realtime in wireshark?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-user

summing DeltaT in one direction

Stuart Kendrick — 2013-05-12T18:15:43

I would like to calculate how much time the Client and the Server spend turning around frames.

Client ------- Switch ------- Server
                 |
                 |
              sniffer

In this example, Client is using SMB to copy a file to Server.

I'm imagining that I can calculate the Server's contribution as follows:
tshark -r foo.pcap -Y tcp.srcport==445 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta

================================================
| IO Statistics                                |
|                                              |
| Interval size: 44.1 secs (dur)               |
| Col 1: Frames and bytes                      |
|     2: SUM(tcp.time_delta)tcp.time_delta     |
|----------------------------------------------|
|              |1                  |2          |
| Interval     | Frames |   Bytes  |    SUM    |
|----------------------------------------------|
|  0.0 <> 44.1 |  50069 | 50551304 | 44.145992 |
================================================


And the Client

Process Information with packets

Prameswar Lal — 2013-05-12T14:15:13

 hi i am going to work on project
 The application and  user associated with each packet should be shown
in the packet detail. like  wireshark show the packet sender's  host
user name. let suppose

a computer have 10 user .then we can not say who is the sender of this

packet.

please tell me what i can add new more feature in this project . and i
dont know this is already implemented or not . if  implemeted then
tell me .

i will greatly happy if  you help me to improve my project
thanks
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Fwd:

Fabio Mendes — 2013-04-12T06:35:19

http://intechnics.de/npot38.php

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Author a "Administration in Wireshark " book forPackt.

Parita Khedekar — 2013-05-08T08:12:05

Hi,

My name is Parita Khedekar and I am an Author Relationship Executive for 
Packt Publishing. We specialize in publishing IT related books, e-books, 
and articles that have been written by experts in the field.

We are currently looking out for prospective authors to write our 30-50 
page micro book _*Administration in Wireshark*_ aimed at the users of 
wireshark or network administrators looking for new software that can 
help with administration with existing networks.

I was wondering if you would be interested in authoring this particular 
Micro title.

I do look forward to hearing from you and do let me know if you have any 
queries or doubts.

Regards,

live migration pcap

salah eddine — 2013-05-03T13:04:50

      hey everyone, do you have please any pcap file for a live migration
of virtual machine ???
thx in advance

-------------------------
http://www.linkedin.com/in/hamadisalaheddine
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: Extracting data from capture

Sake Blok — 2013-05-03T07:53:29

Hello Satish,

You're welcome. More help can be found on http://ask.wireshark.org if you need it in the future, it kind  of took over the role of the users-mailinglist

Cheers,
Sake


On 3 mei 2013, at 03:24, radiatejava wrote:


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: Extracting data from capture

radiatejava — 2013-05-03T01:24:44

Hello Sake,
you saved my day, great and thank you!!. Also glad that the forum works here.

-Satish

On Thu, May 2, 2013 at 5:01 PM, Sake Blok <sake-dNWzXRSXXtjz+pZb47iToQ< at >public.gmane.org> wrote:
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

PCAP file

salah eddine — 2013-05-02T20:47:13

please if anyone have a pcap file of VM migration
or database backup, i need it to test a network application that im working
on
thx for advance
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: Extracting data from capture

Sake Blok — 2013-05-02T11:31:46

Hi,

I had a little trouble too, but google was a friend. As the certificate(s) are sent using SCEP, I looked up how SCEP transfers certificates and found out it is using pkcs7. Then the file is in DER form (as I could see several binary certificates in the exported HTTP object). Then openssl pkcs7 help did the rest. Here is how you can extract the certificates:

openssl pkcs7 -inform DER -in <exported-http-object-filename> -print_certs

Good luck!
Sake


On 2 mei 2013, at 09:11, radiatejava wrote:


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Extracting data from capture

radiatejava — 2013-05-02T07:11:07

Wireshark users,
I have a packet capture in which there are http requests (over plain
connection, not SSL) and their response. Response received is
certificate or chain of certificates, possibly in binary data. It
shows the content type of the object as
'application/x-x509-ca-ra-cert'. However, when I try to do
'ExportObjects' > HTTP and export the object, it exports fine but I am
not able to view that certificate using any tool (like openssl or any
other).

I am suspecting wireshark is not exporting either fully or some issue.
I have attached the file 20130417-213837_TCPDump.pcap here
https://skydrive.live.com/?cid=90024b432de06aed&id=90024B432DE06AED!1107&authkey=!AG9x61vd9JLHYL0

Can someone tell me how do export the http response that has
certificate so that I am view the certificate ? Appreciate the
response here.

Thanks/Satish.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>

[HITB-Announce] #HITB2013KUL Call for Papers

Hafez Kamal — 2013-05-01T02:12:39

Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.

Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)

We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions are due BEFORE
Thursday, 25th July 23:59 MYT

HITB CFP: http://cfp.hackinthebox.org/
Event Website: http://conference.hitb.org/ (Opens 10th May)

===

Each accepted submission will entitle the speaker(s) to
accommodation for 3 nights / 4 days and travel expense reimbursement
up to EUR1200.00 per speaking slot.

Topics of interest include, but are not limited to the following:

   Cloud Security
   File System Security
   3G/4G/WIMAX Security
   SS7/GSM/VoIP Security
   Security of Medical Devices
   Critical Infrastructure Security
   Smartphone / MobileSecurity
   Smart

tshark print raw data with -T fields (for partialssl records)

Lee Mighdoll — 2013-04-29T23:08:54

I'm printing a dozen fields or so from a trace with a limited snap length.
 Works great, but the thirteenth field is unfortunately not decoded from
partially captured packets.

Is there a way to print the raw data along with -T fields?  -x and -T
fields don't mix...  I suppose I could run tshark twice once with -x and
once with -T fields and correlate the output, but I'm hoping there's an
easier way.  I see some references on the web to an option for -e data, but
that doesn't print anything when I try it (on tshark 1.8.2).

Alternately, is there anyway to convince the ssl packet parser to emit the
fields that it has recognized from a partial record?  In particular, I'd
like to know that the header for ssl record type 23 (application data) has
been captured, even though tcpdump hasn't captured the entire contents of
the application data itself.

Cheers,
Lee
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da

Re: [Wireshark-announce] Wireshark 1.10.0rc1 isnow available

Joachim Gann — 2013-04-27T00:14:43


Wireshark announcements <wireshark-announce-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org> schrieb:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe