<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.wireshark.user">
    <title>gmane.network.wireshark.user</title>
    <link>http://blog.gmane.org/gmane.network.wireshark.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15608"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15607"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15605"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15604"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15603"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15602"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15600"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15597"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15595"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15594"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15593"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15590"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15587"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15586"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15583"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15582"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15581"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15575"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15573"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15572"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15608">
    <title>Wireshark 1.8.7 is now available</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15608</link>
    <description>&lt;pre&gt;I'm proud to announce the release of Wireshark 1.8.7.

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer.
   It is used for troubleshooting, analysis, development and
   education.

What's New

  Bug Fixes

   The following vulnerabilities have been fixed.

     o wnpa-sec-2013-23

       The RELOAD dissector could go into an infinite loop.
       Discovered by Evan Jensen. (Bug 8364, Bug 8546)

       Versions affected: 1.8.0 to 1.8.6.

       CVE-2013-2486

       CVE-2013-2487

     o wnpa-sec-2013-24

       The GTPv2 dissector could crash. (Bug 8493)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-25

       The ASN.1 BER dissector could crash. (Bug 8599)

       Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.

     o wnpa-sec-2013-26

       The PPP CCP dissector could crash. (Bug 8638)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-27

       The DCP ETSI dissector could crash. Discovered by Evan Jensen.
       (Bug 8231, bug 8540, bug 8541)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-28

       The MPEG DSM-CC dissector could crash. (Bug 8481)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-29

       The Websocket dissector could crash. Discovered by Moshe
       Kaplan. (Bug 8448, Bug 8499)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-30

       The MySQL dissector could go into an infinite loop. Discovered
       by Moshe Kaplan. (Bug 8458)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-31

       The ETCH dissector could go into a large loop. Discovered by
       Moshe Kaplan. (Bug 8464)

       Versions affected: 1.8.0 to 1.8.6.

   The following bugs have been fixed:

     o The Windows installer and uninstaller do a better job of
       detecting running executables.

     o Library mismatch when compiling on a system with an older
       Wireshark version. (Bug 6011)

     o SNMP dissector bug: STATUS_INTEGER_DIVIDE_BY_ZERO. (Bug 7359)

     o A console window is never opened. (Bug 7755)

     o GSM_MAP show malformed Packets when two IMSI. (Bug 7882)

     o Fix include and libs search path when cross compiling. (Bug
       7926)

     o PER dissector crash. (Bug 8197)

     o pcap-ng: name resolution block is not written to file on save.
       (Bug 8317)

     o Incorrect RTP statistics (Lost Packets indication not ok).
       (Bug 8321)

     o Decoding of GSM MAP E164 Digits. (Bug 8450)

     o Silent installer and uninstaller not silent. (Bug 8451)

     o Replace use of INCLUDES with AM_CPPFLAGS in all Makefiles to
       placate recent autotools. (Bug 8452)

     o Wifi details are not stored in the Decryption Key Management
       dialog (post 1.8.x). (Bug 8446)

     o IO Graph should not be limited to 100k points (NUM_IO_ITEMS).
       (Bug 8460)

     o geographical_description: hf_gsm_a_geo_loc_deg_of_long 24 bit
       field truncated to 23 bits. (Bug 8532)

     o IRC message with multiple params causes malformed packet
       exception. (Bug 8548)

     o Part of Ping Reply Message in ICMPv6 Reply Message is marked
       as "Malformed Packet". (Bug 8554)

     o MP2T wiretap heuristic overriding ERF. (Bug 8556)

     o Cannot read content of Ran Information Application Error Rim
       Container. (Bug 8559)

     o Endian error and IP:Port error when decoding BT-DHT response
       message. (Bug 8572)

     o "ACE4_ADD_FILE/ACE4_ADD_SUBDIRECTORY" should be
       "ACE4_APPEND_DATA / ACE4_ADD_SUBDIRECTORY". (Bug 8575)

     o wireshark crashes while displaying I/O Graph. (Bug 8583)

     o GTPv2 MM Context (UMTS Key, Quad, and Quint Decoded)
       incorrectly. (Bug 8596)

     o DTLS 1.2 uses wrong PRF. (Bug 8608)

     o RTP DTMF digits are no longer displayed in VoIP graph
       analysis. (Bug 8610)

     o Universal port not accepted in RSA Keys List window. (Bug
       8618)

     o Wireshark Dissector bug with HSRP Version 2. (Bug 8622)

     o LISP control packet incorrectly identified as LISP data based
       when UDP source port is 4341. (Bug 8627)

     o Bad tcp checksum not detected. (Bug 8629)

     o AMR Frame Type uses wrong Value String. (Bug 8681)

  New and Updated Features

   There are no new features in this release.

  New Protocol Support

   There are no new protocols in this release.

  Updated Protocol Support

   AMR, ASN.1 BER, BAT, Bluetooth DHT, BSSGP, DTLS, E.164, Ericsson
   A-bis OML, GSM A, GSM MAP, HDFSDATA, ICMP, ICMPv6, ixveriwave,
   IRC, KDSP, LISP Data, MMS, NFS, OpenWire, PPP, RELOAD, RTP, SASP,
   SIP, SSL/TLS, TCP, UA3G

  New and Updated Capture File Support

   Endace ERF, NetScreen snoop.

Getting Wireshark

   Wireshark source code and installation packages are available from
   http://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages.
   You can usually install or upgrade Wireshark using the package
   management system specific to that platform. A list of third-party
   packages can be found on the download page on the Wireshark web
   site.

File Locations

   Wireshark and TShark look in several different locations for
   preference files, plugins, SNMP MIBS, and RADIUS dictionaries.
   These locations vary from platform to platform. You can use
   About→Folders to find the default locations on your system.

Known Problems

   Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)

   The BER dissector might infinitely loop. (Bug 1516)

   Capture filters aren't applied when capturing from named pipes.
   (Bug 1814)

   Filtering tshark captures with display filters (-R) no longer
   works. (Bug 2234)

   The 64-bit Windows installer does not support Kerberos decryption.
   (Win64 development page)

   Application crash when changing real-time option. (Bug 4035)

   Hex pane display issue after startup. (Bug 4056)

   Packet list rows are oversized. (Bug 4357)

   Summary pane selected frame highlighting not maintained. (Bug
   4445)

   Wireshark and TShark will display incorrect delta times in some
   cases. (Bug 4985)

Getting Help

   Community support is available on Wireshark's Q&amp;amp;A site and on the
   wireshark-users mailing list. Subscription information and
   archives for all of Wireshark's mailing lists can be found on the
   web site.

   Official Wireshark training and certification are available from
   Wireshark University.

Frequently Asked Questions

   A complete FAQ is available on the Wireshark web site.


Digests

wireshark-1.8.7.tar.bz2: 24273700 bytes
Wireshark-win32-1.8.7.exe: 20868704 bytes
Wireshark-win64-1.8.7.exe: 26549232 bytes
Wireshark-1.8.7.u3p: 28621210 bytes
WiresharkPortable-1.8.7.paf.exe: 22051216 bytes
Wireshark 1.8.7 PPC 32.dmg: 22938629 bytes
Wireshark 1.8.7 Intel 64.dmg: 21653924 bytes
Wireshark 1.8.7 Intel 32.dmg: 19734453 bytes
patch-wireshark-1.8.6-to-1.8.7.diff.bz2: 238913 bytes
___________________________________________________________________________
Sent via:    Wireshark-users mailing list &amp;lt;wireshark-users&amp;lt; at &amp;gt;wireshark.org&amp;gt;
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request&amp;lt; at &amp;gt;wireshark.org?subject=unsubscribe&lt;/pre&gt;</description>
    <dc:creator>Gerald Combs</dc:creator>
    <dc:date>2013-05-17T21:58:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15607">
    <title>[HITB-Announce] HITB Magazine Issue 010</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15607</link>
    <description>&lt;pre&gt;Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your &amp;gt; 3000 word article to editorial-Y0pbcourc9SI2xUbZzX/NA&amp;lt; at &amp;gt;public.gmane.org

Topics of interest include, but are not limited to the following:

    Next generation attacks and exploits
    Apple / OS X security vulnerabilities
    SS7/Backbone telephony networks
    VoIP security
    Data Recovery, Forensics and Incident Response
    HSDPA / CDMA Security / WIMAX Security
    Network Protocol and Analysis
    Smart Card and Physical Security
    WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
    Analysis of malicious code
    Applications of cryptographic techniques
    Analysis of attacks against networks and machines
    File system security
    Side Channel Analysis of Hardware Devices
    Cloud Security
    Exploit Analysis

On an unrelated note, registration for the 11th annual HITB Security
Conference (#HITB2013KUL) is also open. Taking place from the 14th to
the 17th of October, the conference will be keynoted by Andy Ellis
(CSO @ Akamai) and Joe Sullivan (CSO @ Facebook). The event website is
here:

http://conference.hitb.org/hitbsecconf2013kul/

On behalf of The HITB Team, we look forward to your article
submissions and to hopefully seeing you in Malaysia in October!

---
Hafez Kamal,
HITB Conference Core Crew (.MY),
Hack in The Box (M) Sdn. Bhd.
36th Floor, Menara Maxis,
Kuala Lumpur City Centre,
50088 Kuala Lumpur,
Malaysia

Tel: +603-26157299
Fax: +603-26150088
PGP Key ID: 0xC0DC7DF8

&lt;/pre&gt;</description>
    <dc:creator>Hafez Kamal</dc:creator>
    <dc:date>2013-05-14T11:00:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15605">
    <title>Wireshark piping in of pcap data on windows</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15605</link>
    <description>&lt;pre&gt;Given I cannot specify a filename as device on windows, what is the best way to
take a stream (stdout) of pcap data and show it realtime in wireshark?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


&lt;/pre&gt;</description>
    <dc:creator>Jason Pyeron</dc:creator>
    <dc:date>2013-05-12T19:44:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15604">
    <title>summing DeltaT in one direction</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15604</link>
    <description>&lt;pre&gt;I would like to calculate how much time the Client and the Server spend turning around frames.

Client ------- Switch ------- Server
                 |
                 |
              sniffer

In this example, Client is using SMB to copy a file to Server.

I'm imagining that I can calculate the Server's contribution as follows:
tshark -r foo.pcap -Y tcp.srcport==445 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta

================================================
| IO Statistics                                |
|                                              |
| Interval size: 44.1 secs (dur)               |
| Col 1: Frames and bytes                      |
|     2: SUM(tcp.time_delta)tcp.time_delta     |
|----------------------------------------------|
|              |1                  |2          |
| Interval     | Frames |   Bytes  |    SUM    |
|----------------------------------------------|
|  0.0 &amp;lt;&amp;gt; 44.1 |  50069 | 50551304 | 44.145992 |
================================================


And the Client's contribution in this way:
tshark -r foo.pcap -Y tcp.dstport==445 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta
================================================
| IO Statistics                                |
|                                              |
| Interval size: 44.1 secs (dur)               |
| Col 1: Frames and bytes                      |
|     2: SUM(tcp.time_delta)tcp.time_delta     |
|----------------------------------------------|
|              |1                  |2          |
| Interval     | Frames |   Bytes  |    SUM    |
|----------------------------------------------|
|  0.0 &amp;lt;&amp;gt; 44.1 |  50069 | 50551304 | 44.145992 |
================================================

(1) Now, the fact that both incantations report precisely the same result seems suspicious to me ... particularly since using 
an IO Graph gives me different results for the Server side calculation:
Filter: tcp.srcport==445 Calc:SUM(*)tcp.time_delta Style:FBar
I'm claiming that this is a bug ... and have filed it as such ... but now I'm doubting my understanding of how -z io,stat[...] works
==&amp;gt; Can anyone see an error in my approach?  Or does this actually look like a bug?

[Screen shot of IO Graph approach inserted here]



(2) Does anyone have a better (or different) way of calculating the same thing, i.e. how much 'time' the Client and Server have each contributed?

--sk

Stuart Kendrick
FHCRC

&lt;/pre&gt;</description>
    <dc:creator>Stuart Kendrick</dc:creator>
    <dc:date>2013-05-12T18:15:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15603">
    <title>Process Information with packets</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15603</link>
    <description>&lt;pre&gt;Hi, I am going to work on a project.
The application and user associated with each packet should be shown
in the packet detail, like Wireshark shows the packet sender's host
user name. Let's suppose a computer has 10 users; then we cannot say
who is the sender of this packet.

Please tell me what new features I can add to this project. I
don't know whether this is already implemented or not. If implemented, then
tell me.

I will be greatly happy if you help me to improve my project.
Thanks
&lt;/pre&gt;</description>
    <dc:creator>Prameswar Lal</dc:creator>
    <dc:date>2013-05-12T14:15:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15602">
    <title>Fwd:</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15602</link>
    <description>&lt;pre&gt;http://intechnics.de/npot38.php

&lt;/pre&gt;</description>
    <dc:creator>Fabio Mendes</dc:creator>
    <dc:date>2013-04-12T06:35:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15600">
    <title>live migration pcap</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15600</link>
    <description>&lt;pre&gt;Hey everyone, do you have please any pcap file for a live migration
of a virtual machine?
thx in advance

-------------------------
http://www.linkedin.com/in/hamadisalaheddine
&lt;/pre&gt;</description>
    <dc:creator>salah eddine</dc:creator>
    <dc:date>2013-05-03T13:04:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15597">
    <title>PCAP file</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15597</link>
    <description>&lt;pre&gt;Please, if anyone has a pcap file of VM migration
or database backup, I need it to test a network application that I'm working
on.
thx in advance
&lt;/pre&gt;</description>
    <dc:creator>salah eddine</dc:creator>
    <dc:date>2013-05-02T20:47:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15595">
    <title>Extracting data from capture</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15595</link>
    <description>&lt;pre&gt;Wireshark users,
I have a packet capture in which there are http requests (over plain
connection, not SSL) and their response. Response received is
certificate or chain of certificates, possibly in binary data. It
shows the content type of the object as
'application/x-x509-ca-ra-cert'. However, when I try to do
'ExportObjects' &amp;gt; HTTP and export the object, it exports fine but I am
not able to view that certificate using any tool (like openssl or any
other).

I am suspecting wireshark is not exporting either fully or some issue.
I have attached the file 20130417-213837_TCPDump.pcap here
https://skydrive.live.com/?cid=90024b432de06aed&amp;amp;id=90024B432DE06AED!1107&amp;amp;authkey=!AG9x61vd9JLHYL0

Can someone tell me how to export the http response that has the
certificate so that I can view the certificate? Appreciate the
response here.

Thanks/Satish.
&lt;/pre&gt;</description>
    <dc:creator>radiatejava</dc:creator>
    <dc:date>2013-05-02T07:11:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15594">
    <title>[HITB-Announce] #HITB2013KUL Call for Papers</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15594</link>
    <description>&lt;pre&gt;Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.

Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)

We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions are due BEFORE
Thursday, 25th July 23:59 MYT

HITB CFP: http://cfp.hackinthebox.org/
Event Website: http://conference.hitb.org/ (Opens 10th May)

===

Each accepted submission will entitle the speaker(s) to
accommodation for 3 nights / 4 days and travel expense reimbursement
up to EUR1200.00 per speaking slot.

Topics of interest include, but are not limited to the following:

   Cloud Security
   File System Security
   3G/4G/WIMAX Security
   SS7/GSM/VoIP Security
   Security of Medical Devices
   Critical Infrastructure Security
   Smartphone / Mobile Security
   Smart Card and Physical Security
   Network Protocols, Analysis and Attacks
   Applications of Cryptographic Techniques
   Side Channel Analysis of Hardware Devices
   Analysis of Malicious Code / Viruses / Malware
   Data Recovery, Forensics and Incident Response
   Hardware based attacks and reverse engineering
   Windows / Linux / OS X / *NIX Security Vulnerabilities
   Next Generation Exploit and Exploit Mitigation Techniques
   NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

WHITE PAPER: If your presentation is short listed for inclusion into the
conference program, a technical white paper must also be provided for
review (3000 - 5000 words).

Your submissions will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Senior Security Strategist, Microsoft
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder CEO Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornburst, Red Database
Fredric Raynal, QuarksLab
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

Note: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology, please email
conferenceinfo-Y0pbcourc9SI2xUbZzX/NA&amp;lt; at &amp;gt;public.gmane.org

---
Hafez Kamal,
HITB Conference Core Crew (.MY),
Hack in The Box (M) Sdn. Bhd.
36th Floor, Menara Maxis,
Kuala Lumpur City Centre,
50088 Kuala Lumpur,
Malaysia

Tel: +603-26157299
Fax: +603-26150088
PGP Key ID: 0xC0DC7DF8

&lt;/pre&gt;</description>
    <dc:creator>Hafez Kamal</dc:creator>
    <dc:date>2013-05-01T02:12:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15593">
    <title>tshark print raw data with -T fields (for partial ssl records)</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15593</link>
    <description>&lt;pre&gt;I'm printing a dozen fields or so from a trace with a limited snap length.
 Works great, but the thirteenth field is unfortunately not decoded from
partially captured packets.

Is there a way to print the raw data along with -T fields?  -x and -T
fields don't mix...  I suppose I could run tshark twice once with -x and
once with -T fields and correlate the output, but I'm hoping there's an
easier way.  I see some references on the web to an option for -e data, but
that doesn't print anything when I try it (on tshark 1.8.2).

Alternately, is there any way to convince the ssl packet parser to emit the
fields that it has recognized from a partial record?  In particular, I'd
like to know that the header for ssl record type 23 (application data) has
been captured, even though tcpdump hasn't captured the entire contents of
the application data itself.

Cheers,
Lee
&lt;/pre&gt;</description>
    <dc:creator>Lee Mighdoll</dc:creator>
    <dc:date>2013-04-29T23:08:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15590">
    <title>Wireshark 1.10.0rc1 is now available</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15590</link>
    <description>&lt;pre&gt;I'm proud to announce the release of Wireshark 1.10.0rc1. This is the
first release candidate for Wireshark 1.10.0.

     __________________________________________________________

What is Wireshark?

   Wireshark is the world's most popular network protocol
   analyzer. It is used for troubleshooting, analysis, development
   and education.
     __________________________________________________________

What's New

  Bug Fixes

   The following bugs have been fixed:

  New and Updated Features

   The following features are new (or have been significantly
   updated) since version 1.8:
     * Wireshark on 32- and 64-bit Windows supports automatic
       updates.
     * The packet bytes view is faster.
     * You can now display a list of resolved host names in
       "hosts" format within Wireshark.
     * The wireless toolbar has been updated.
     * Wireshark on Linux does a better job of detecting interface
       addition and removal.
     * It is now possible to compare two fields in a display
       filter (for example: udp.srcport != udp.dstport). The two
       fields must be of the same type for this to work.
     * The Windows installers ship with WinPcap 4.1.3, which
       supports Windows 8.
     * USB type and product name support has been improved.
     * All Bluetooth profiles and protocols are now supported.
     * Wireshark now calculates HTTP response times and presents
       the result in a new field in the HTTP response. Links from
       the request's frame to the response's frame and vice-versa
       are also added.
     * The main welcome screen and status bar now display file
       sizes using strict SI prefixes instead of old-style binary
       prefixes.
     * Capinfos now prints human-readable statistics with SI
       suffixes by default.
     * It is now possible to open a referenced packet (such as the
       matched request or response packet) in a new window.
     * Tshark can now display only the hex/ascii packet data
       without requiring that the packet summary and/or packet
       details are also displayed. If you want the old behavior,
       use -Px instead of just -x.
     * Wireshark can be compiled using GTK+ 3.
     * The Wireshark application icon, capture toolbar icons, and
       other icons have been updated.
     * Tshark's filtering and multi-pass analysis have been
       reworked for consistency and in order to support dependent
       frame calculations during reassembly. See the man page
       descriptions for -2, -R, and -Y.
     * Tshark's -G fields2 and -G fields3 options have been
       eliminated. The -G fields option now includes the 2 extra
       fields that -G fields3 previously provided, and the blurb
       information has been relegated to the last column since in
       many cases it is blank anyway.

  New Protocol Support

   Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM,
   America Online (AOL), AR Drone, Automatic Position Reporting
   System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol,
   Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol,
   Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth
   BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP
   Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol,
   Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security
   Manager Protocol, Cisco GED-125 Protocol, Clique Reliable
   Multicast Protocol (CliqueRM), D-Bus, Digital Transmission
   Content Protection over IP, DVB-S2 Baseband, FlexNet,
   Forwarding and Control Element Separation Protocol (ForCES),
   Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile
   Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE
   Positioning Protocol Extensions (LLPe), Media Resource Control
   Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH),
   MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP
   Fault-Management, MPLS-TP Lock-Instruct, NASDAQ's OUCH 4.x,
   NASDAQ's SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM,
   RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay
   Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO
   Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB
   Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49
   Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC),
   and WiMAX OFDMA PHY SAP

  Updated Protocol Support

   Too many protocols have been updated to list here.

  New and Updated Capture File Support

   AIX iptrace, CAM Inspector, Catapult DCT2000, Citrix NetScaler,
   DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries,
   Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network
   Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop,
   TamoSoft CommView, and Tektronix K12xx
     __________________________________________________________

Getting Wireshark

   Wireshark source code and installation packages are available
   from [1]http://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark
   packages. You can usually install or upgrade Wireshark using
   the package management system specific to that platform. A list
   of third-party packages can be found on the [2]download page on
   the Wireshark web site.
     __________________________________________________________

File Locations

   Wireshark and TShark look in several different locations for
   preference files, plugins, SNMP MIBS, and RADIUS dictionaries.
   These locations vary from platform to platform. You can use
   About-&amp;gt;Folders to find the default locations on your system.
     __________________________________________________________

Known Problems

   Dumpcap might not quit if Wireshark or TShark crashes. ([3]Bug
   1419)

   The BER dissector might infinitely loop. ([4]Bug 1516)

   Capture filters aren't applied when capturing from named pipes.
   (ws-buglink:1814)

   Filtering tshark captures with read filters (-R) no longer
   works. ([5]Bug 2234)

   The 64-bit Windows installer does not support Kerberos
   decryption. ([6]Win64 development page)

   Application crash when changing real-time option. ([7]Bug 4035)

   Hex pane display issue after startup. ([8]Bug 4056)

   Packet list rows are oversized. ([9]Bug 4357)

   Summary pane selected frame highlighting not maintained.
   ([10]Bug 4445)

   Wireshark and TShark will display incorrect delta times in some
   cases. ([11]Bug 4985)
     __________________________________________________________

Getting Help

   Community support is available on [12]Wireshark's Q&amp;amp;A site and
   on the wireshark-users mailing list. Subscription information
   and archives for all of Wireshark's mailing lists can be found
   on [13]the web site.

   Official Wireshark training and certification are available
   from [14]Wireshark University.
     __________________________________________________________

Frequently Asked Questions

   A complete FAQ is available on the [15]Wireshark web site.
     __________________________________________________________

   Last updated 2013-04-22 10:39:34 PDT

References

   1. http://www.wireshark.org/download.html
   2. http://www.wireshark.org/download.html#thirdparty
   3. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1419
   4. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1516
   5. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234
   6. https://wiki.wireshark.org/Development/Win64
   7. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4035
   8. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4056
   9. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4357
  10. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4445
  11. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4985
  12. http://ask.wireshark.org/
  13. http://www.wireshark.org/lists/
  14. http://www.wiresharktraining.com/
  15. http://www.wireshark.org/faq.html


&lt;/pre&gt;</description>
    <dc:creator>Gerald Combs</dc:creator>
    <dc:date>2013-04-26T23:38:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15587">
    <title>wireshark not deflating ipcomp packets</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15587</link>
    <description>&lt;pre&gt;Hi,

I am trying to ping between two machines with large ICMP packets which are
compressed using DEFLATE. I would prefer to view the decompressed packets
in the expanded packet details, but it seems like wireshark is not
decompressing them.  It identifies the packet as having IPComp CPI equal to
DEFLATE, but is not actually deflating the data that follows.

I am using only IPComp, no encryption or authentication in the packet.  I
am using version 1.2.7 of wireshark.

Please let me know if anybody knows how to see them decompressed.

-rupapv
&lt;/pre&gt;</description>
    <dc:creator>Rupa P V</dc:creator>
    <dc:date>2013-04-22T16:12:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15586">
    <title>sqlite bindings for wireshark / lua interpreter</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15586</link>
    <description>&lt;pre&gt;Hi,

I've been writing dissectors for some in house protocols with Lua and
exporting captures to pdml for further analysis (using xslt).  This is very
circumlocutious.  I'd rather write all my dissector output to a database.

I could build my own Wireshark binary with SQLite included, but I'd rather
not.  I'd also like to make my Lua tools easily accessible to users who
aren't in a position to do that.

What would really rock my world would be if Lua bindings for SQLite were
merged with trunk.  Any chance of that?

Cheers
Jono



&lt;/pre&gt;</description>
    <dc:creator>Jonathan Poff</dc:creator>
    <dc:date>2013-04-21T23:18:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15583">
    <title>Bug in the Show Capture options in Wireshark</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15583</link>
    <description>&lt;pre&gt;Hello,

I am using Wireshark 1.6.7 on Ubuntu 12.04

Whenever I go to Show Capture options to mention the interface, the
interface textbox doesn't accept more than one character as input and
after that the software hangs and closes itself. Has anyone faced this
sort of problem?
What is the solution to this?
&lt;/pre&gt;</description>
    <dc:creator>Akshay Jindal</dc:creator>
    <dc:date>2013-04-19T23:18:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15582">
    <title>tcpdump only captures incoming packets in a tcp connection</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15582</link>
    <description>&lt;pre&gt;Hi, all

      I wrote a program based on tcp and put it on a PlanetLab node A. The
program initiates a tcp connection with another host B(tcp listening port
30000).

      I used tcpdump on planetlab node to capture packets without any filter

       tcpdump -i eth0

      I notice all the packets I captured are only incoming packets, the
outgoing packets like TCP SYN packet and  TCP ACK packet are missing.

      On Host B I also use tcpdump and I can see the TCP SYN and ACK from  A

       I tried wget and udp sending on the Planetlab node and I can capture
outgoing packets. So this means tcpdump on Planetlab node can be influenced
by specific program?

        What are potential reasons for this? Thanks!
&lt;/pre&gt;</description>
    <dc:creator>wen lui</dc:creator>
    <dc:date>2013-04-18T00:17:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15581">
    <title>Query : How to decode MTP3 Message Over TCP using TALI??</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15581</link>
    <description>&lt;pre&gt;I want to know how can I decode MTP3 messages encapsulated in TCP using TALI header (rfc 3094) in WireShark??


TALI is enabled in "Enabled Protocol" list on WireShark. But there is no option "Decode as -&amp;gt; TALI" on WireShark. I am using WireShark version 1.8.3 on Windows.
&lt;/pre&gt;</description>
    <dc:creator>friends you</dc:creator>
    <dc:date>2013-04-16T15:42:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15575">
    <title>About filter "udp &amp;&amp; !icmp"</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15575</link>
    <description>&lt;pre&gt;Hello everybody,

I'm a new user of Wireshark and I'm capturing UDP traffic. At first I used
the "udp" filter, but some undesirable ICMP packets appear, so after
googling I found the "udp &amp;amp;&amp;amp; !icmp" filter to avoid capturing ICMP
packets.

It's all right till here, but when I export the capture as plain text, the
ICMP packets appear again. Seems like the filter just works in the main
screen of Wireshark. What can I do to capture just UDP traffic?


Thanks in advance.
Regards.
&lt;/pre&gt;</description>
    <dc:creator>delarge</dc:creator>
    <dc:date>2013-04-16T22:28:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15573">
    <title>Negative time difference between two following packets. frame.time_delta is negative</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15573</link>
    <description>&lt;pre&gt;Hi!

I have a capture taken with an Ethernet tap/splitter/monitor where several packets have a negative time difference to the previous packet, i.e. frame.time_delta is below zero. Actually, 13.4 % of all packets in the file have this characteristic, which can easily be seen by applying the filter

frame.time_delta &amp;lt; 0

It is only packets that go in one direction, e.g. from server to client, that appear to get negative time delta and this leads me to think that whatever causes this is not only due to some fault or feature in Wireshark itself.

What can this be caused by?

Best Regards,
Jaroslav Kazejev
&lt;/pre&gt;</description>
    <dc:creator>Jaroslav Kazejev</dc:creator>
    <dc:date>2013-04-15T15:01:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15572">
    <title>Negative time difference between two following packets. frame.time_delta is negative</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15572</link>
    <description>&lt;pre&gt;Hi!

I have a capture taken with an Ethernet tap/splitter/monitor where several packets have a negative time difference to the previous packet, i.e. frame.time_delta is below zero. Actually, 13.4 % of all packets in the file have this characteristic, which can easily be seen by applying the filter

frame.time_delta &amp;lt; 0

It is only packets that go in one direction, e.g. from server to client, that appear to get negative time delta and this leads me to think that whatever causes this is not only due to some fault or feature in Wireshark itself.

What can this be caused by?

Best Regards,
Jaroslav Kazejev
&lt;/pre&gt;</description>
    <dc:creator>Jaroslav Kazejev</dc:creator>
    <dc:date>2013-04-16T06:41:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15569">
    <title>Question about ACK number</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15569</link>
    <description>&lt;pre&gt;Hello,

Please help to comment about ACK calculation in below scenario.

Frame 100: Client ACKs the data received till now. ACK = 10000

Frame 101: Server sends client TCP Data (924 bytes) with FIN, PSH and ACK
flags set.

Frame 102: Client sends ACK = 10925  → QUESTION: Why is client sending
10925 and not 10924? Is it adding 1 for FIN received in Frame 101? Is
it normal?

Frame 103: Client sends FIN,ACK == ACK = 10925

Best Regards

Amit

&lt;/pre&gt;</description>
    <dc:creator>Amit Aggarwal</dc:creator>
    <dc:date>2013-04-15T07:10:46</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.wireshark.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.wireshark.user</link>
  </textinput>
</rdf:RDF>
