gmane.network.wireshark.user

Re: BPDU packets

Hansang Bae — 2008-07-06T03:14:07

You actually have a bigger problem. (nit picking: technically, they are bdpu frames and not packets). The problem with BPDU's is that they don't just go on and on and on. You have to capture it at each and every subnet. Find the root bridge, then starting going down the tree from there.

Re: How to filter out last 1000 frames in a quick way

Hansang Bae — 2008-07-06T03:11:33

The only thing you could try would be to use "editcap -c xxx" to specify how many packets you want per trace file (where xxx = how many packets you want) Or you could try -A option to specify when you want to start seeing the "interesting" packets.

Re: add random packet lost

Hansang Bae — 2008-07-06T02:38:37

You can't just use editcap. If you do, you'll lose the packets and Wireshark will flag the missing packets (prev segment lost). However, you won't see retransmissions, fast retansmissions, triple duplicate acks etc. If you want to see what packet loss looks like, create a duplex mismatch and push/pull some files via ftp

Multiple trace file analysis

Tony Fortunato — 2008-07-04T13:15:34

I have 2 trace files (client.pcap and server.pcap) and they are both sync'ed to the same time server. I can manually open both trace files and see that client-packet 1 left at x and arrived server-packet 1 at y. Assume there are the same number of packets in both trace files. Does anyone have any idea how I could automate this process to simply find the delta between various packets in 2 trace files. Initially, I would be happy with that, but a bonus would be to flag lost or out of order packets. I'm about to manually write a Perl script to do this, but wanted to throw this out to the group to save me some brain cells and time. Thanks in advance

Re: Possible network latency

Visser, Martin — 2008-07-04T07:16:45

Re: how to print time with epoch formation bytshark

Ian jonhson — 2008-07-04T04:18:43

Unluckily, I am not permitted to use GUI. So is it possible to achieve this? On Tue, Jul 1, 2008 at 11:20 PM, Stephen Fisher public.gmane.org> wrote:

Re: Dumpcap crashes all the times

Bill Meier — 2008-07-03T23:49:16

I note that Windows 'dumpcap -L' crashes for me in V1.0.1 but not in v1.0.0 I suspect a wpcap issue; I'm in the process of checking further..... I'll file a bug report with some details (bugzilla.wireshark.org). Thanks

Re: TurboCap card with Wirehshark under Linux ?

Gianluca Varenni — 2008-07-03T19:36:58

Hi! TurboCap runs on Windows, only. There are no drivers available for Linux. Have a nice day GV ----- Original Message ----- From: "Huff, David" public.gmane.org> To: public.gmane.org> Sent: Thursday, July 03, 2008 12:06 PM Subject: [Wireshark-users] TurboCap card with Wirehshark under Linux ?

Re: Protocol analisys

Guy Harris — 2008-07-03T19:32:11

SSH: it doesn't identify SSH on ports other than 22; if a user wants to dissect SSH traffic on other ports, they'll have to manually specify the traffic with "Decode As". HTTP: the HTTP dissector registers, in addition to port 80, ports 3128 and 3132 (for proxies), port 8080, and some other known ports for HTTP. There's a preference that gives a comma-separated list of ports; you can add ports to that list. In addition, some protocols that are implemented atop HTTP can make their port number dissected as HTTP and then hand off the traffic to the dissector (e.g., IPP). "Decode As" can also be used. FTP command: it doesn't identify FTP command traffic on ports other than 21. FTP data: it identifies FTP data traffic on port 20, and also looks at PORT and PASV requests, if they're captured.

Protocol analisys

Sipos Csaba — 2008-07-03T18:53:36

Hi! I want to make TC scripts for traffic control and shaping, so I would like to know how wireshark identifies various protocols (like SSH, HTTP, ftp command and data etc.) either if the server uses non standard ports. Thanks in advance! Dchard

TurboCap card with Wirehshark under Linux ?

Huff, David — 2008-07-03T19:06:11

Anyone using the Cace Tech. TurboCap card with Wireshark under Linux ? http://www.cacetech.com/products/turbocap.htm If so, where'd you find drivers ? Any issues with setup or configuration ? Thanks, and regards, -- _ __| |_ David P. Huff, david-l0cyMroinI0< at >public.gmane.org \_ _} Network Management Services \_( Texas Instruments, Inc.

Re: Capturing Giant Packets Only

Sheahan, John — 2008-07-03T17:11:55

I captured all traffic on my port-channel and filtered for ethernet.len into the 100s of thousands. I opened a case with Cisco and they confirmed that this is a cosmetic bug on the version of IOS that I'm running on the 6500 and will require an upgrade to fix it. thanks for the help on this. john -----Original Message----- From: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org] On Behalf Of Guy Harris Sent: Wednesday, July 02, 2008 1:01 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Capturing Giant Packets Only Sheahan, John wrote: giants? If giant packets are Ethernet frames > 1514 bytes (if you don't count the FCS)/1518 bytes (if you count the FCS), a capture filter such as "greater 1515" (confusingly, the "greater" operation in the libpcap/WinPcap filter parser is defined to mean "greater than or equal to") or "greater 1519", depending on whether your adapter supplies the FCS when capturing, should work. _______________________________________________ Wireshark-users mailing list Wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org https://wireshark.org/mailman/listinfo/wireshark-users

Re: Dissector for ANSI TCAP NATIONALcode:0notimplemented.

Guy Harris — 2008-07-03T17:07:35

Presumably in that case the dissector would indicate that the command code is unknown because the corresponding request isn't in the trace, not that there's no dissector for the command code. (If not, that needs to be fixed.)

Re: Compiling problems

Jeff Morriss — 2008-07-03T16:00:05

Dani M wrote: [...] [...] According to: http://lists.gnupg.org/pipermail/gnupg-devel/2004-February/020779.html that symbol was new to libgcrypt 1.1.92. I have checked in a change (rev 25666) to our "configure.in" to only try to use that version or later.

Re: Dissector for ANSI TCAP NATIONAL code:0notimplemented.

Anders Broman — 2008-07-03T15:35:08

Hi, If the request isn't in the trace it's not possible to decode the response as the command code is unknown(not present). Regards Anders -----Ursprungligt meddelande----- Från: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org] För Abhik Sarkar Skickat: den 3 juli 2008 16:02 Till: Community support list for Wireshark Ämne: Re: [Wireshark-users] Dissector for ANSI TCAP NATIONAL code:0 notimplemented. Hi, I think you should raise a bug request at http://bugs.wireshark.org/bugzilla/ with a sample capture so someone can work on it. Best regards, Abhik. On Thu, Jul 3, 2008 at 12:48 PM, S R I K A S I R A J U public.gmane.org> wrote: _______________________________________________ Wireshark-users mailing list Wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org https://wireshark.org/mailman/listinfo/wireshark-users

Re: Dissector for ANSI TCAP NATIONAL code:0 notimplemented.

Abhik Sarkar — 2008-07-03T14:02:15

Hi, I think you should raise a bug request at http://bugs.wireshark.org/bugzilla/ with a sample capture so someone can work on it. Best regards, Abhik. On Thu, Jul 3, 2008 at 12:48 PM, S R I K A S I R A J U public.gmane.org> wrote:

Re: Possible network latency

Albert Jurado — 2008-07-03T13:54:14

Dissector for ANSI TCAP NATIONAL code:0 notimplemented.

S R I K A S I R A J U — 2008-07-03T08:48:06

Trace file preview handler

Jerry Smith — 2008-07-03T03:12:40

Question on the Header File Concerning the FIXProtocol

Jayakumar Santhanagopal — 2008-07-02T21:39:18

Re: Compiling problems

Dani M — 2008-07-03T13:39:48