<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.wireshark.user">
    <title>gmane.network.wireshark.user</title>
    <link>http://blog.gmane.org/gmane.network.wireshark.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15659"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15648"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15646"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15640"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15637"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15636"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15635"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15632"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15628"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15627"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15617"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15616"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15614"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15613"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15610"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15608"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15607"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15605"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15604"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.wireshark.user/15603"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15659">
    <title>TCP checksum is regarded as incorrect by wireshark, but still accepted by TCP stack</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15659</link>
    <description>&lt;pre&gt;I captured a TCP connection's packets on a virtual NIC (openvpn).
I notice that for some TCP packets the TCP checksum is wrong (highlighted in red),
but these packets are still accepted by the TCP stack (they got ACKed).
Why?

Maybe the Wireshark TCP checksum detection is wrong?
Or the TCP stack doesn't care about the TCP checksum?
thanks!
___________________________________________________________________________
Sent via:    Wireshark-users mailing list &amp;lt;wireshark-users-IZ8446WsY0/dtAWm4Da02A&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A&amp;lt; at &amp;gt;public.gmane.org?subject=unsubscribe&lt;/pre&gt;</description>
    <dc:creator>wen lui</dc:creator>
    <dc:date>2013-06-16T23:10:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15648">
    <title>SNMP OID resolution not working</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15648</link>
    <description>&lt;pre&gt;
I am trying to inspect SNMP packets but wireshark doesn't resolve the OID names at all.

I am running Wireshark 1.10.0 (the current download on wireshark.org for 64bit Windows). The "about" screen says "with SMI 0.4.8".

An example of how an OID appears is "1.3.6.1.2.1.43.5.1.1.2.1"
All the help pages I have found when searching have as a starting point the OID in the form of "SNMPv2-SMI::enterprise....." but mine are only showing up as numbers without any text prefix.

Nothing changes, and no errors are given when I right click on the OID and select "Resolve Name".

Also, there appears to be a bug when specifying the MIB paths. If I try to specify "C:\Program Files\Wireshark\snmp\mibs" then it changes it to "C:\users\username". I have copied all my MIBs to c:\mibs as Wireshark will accept "C:\mibs" without changing it.

I have also been through the MIBs I am interested in and added their dependencies (as well as the dependencies of the dependencies, and so on). It is possible that I have missed one, I guess&lt;/pre&gt;</description>
    <dc:creator>Crowe, Graham GP</dc:creator>
    <dc:date>2013-06-12T07:30:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15646">
    <title>FW: Help needed</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15646</link>
    <description>&lt;pre&gt;Hi Team,

I am getting more than 60% of this traffic in my network.

Source Ethernet Address (6 bytes)                 00:00:00:00:00:00 (XEROX CORPORATION)

Destination Ethernet Address (6 bytes)            00:00:00:00:00:00 (XEROX CORPORATION)

Data (43 bytes)

Please find the screenshot attached. Please help me to resolve this issue.

Partha

Software Paradigms Infotech
www.spi.com
Senior Systems Engineer
Industrial area,Hebbal
Mysore.
Phone:0821-6617777
Cell:-8147010378&lt;/pre&gt;</description>
    <dc:creator>Parthasarathy</dc:creator>
    <dc:date>2013-06-11T08:57:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15640">
    <title>decode erldp  on erlang R15b</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15640</link>
    <description>&lt;pre&gt;Hello list

I'm trying to decode the erlang erldp protocol between two nodes that is SSL encrypted. I can't seem to get this to work. I'm using wireshark Version 1.10.0 (SVN Rev 49790 from /trunk-1.10). I can see the epmd packets and I've entered the certs into the SSL section and then changed the port numbers based on what I see in the capture. Does anyone have any experience with this?


&lt;/pre&gt;</description>
    <dc:creator>Matt Bellizzi</dc:creator>
    <dc:date>2013-06-10T20:00:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15637">
    <title>from Condor Kim enjoy!</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15637</link>
    <description>&lt;pre&gt;http://www.coreministriesonline.org/eqinlyfhb.php 
 
 
&lt;/pre&gt;</description>
    <dc:creator>Condor Kim</dc:creator>
    <dc:date>2013-06-09T10:34:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15636">
    <title>Pyreshark</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15636</link>
    <description>&lt;pre&gt;Hey,
I've just released version 0.1.0 of Pyreshark (
https://code.google.com/p/pyreshark/)
With 2 major improvements:
- *Support for Wireshark 1.10.** (I'll take this chance to say congrats and
thank you to all contributors!)
- *Support for new data sources* - allows you to implement a ridiculous
amount of stuff from rudimentary fragmentation/reassembly to decoding and
if you're in a creative mood, even dissecting files.

As always, feedback, questions and requests are most welcome.

Cheers,
Eshed
&lt;/pre&gt;</description>
    <dc:creator>Eshed Shaham</dc:creator>
    <dc:date>2013-06-07T00:42:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15635">
    <title>DHCPv6 capture</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15635</link>
    <description>&lt;pre&gt;Hi All,

Can somebody please help me with DHCPv6 packet capture. Thanks.

Regards,
Rupa P V.
&lt;/pre&gt;</description>
    <dc:creator>Rupa P V</dc:creator>
    <dc:date>2013-06-06T16:12:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15632">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15632</link>
    <description>&lt;pre&gt;Dear sir/madam
I thank you for accepting me.&lt;/pre&gt;</description>
    <dc:creator>mateyas legesse</dc:creator>
    <dc:date>2013-06-06T06:51:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15628">
    <title>Wireshark 1.10.0 is now available</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15628</link>
    <description>&lt;pre&gt;I'm proud to announce the release of Wireshark 1.10.0.

     __________________________________________________________

What is Wireshark?

   Wireshark is the world's most popular network protocol
   analyzer. It is used for troubleshooting, analysis, development
   and education.
     __________________________________________________________

What's New

  Bug Fixes

   The following bugs have been fixed:
     * Redirecting the standard output didn't redirect the output
       of the -D or -L flags. This fix means that the output of
       those flags now goes to the standard output, not the
       standard error, as it did in previous releases. [1]Bug 8609

  New and Updated Features

   The following features are new (or have been significantly
   updated) since version 1.8:
     * Wireshark on 32- and 64-bit Windows supports automatic
       updates.
     * The packet bytes view is faster.
     * You can now display a list of resolved host names in
      &lt;/pre&gt;</description>
    <dc:creator>Gerald Combs</dc:creator>
    <dc:date>2013-06-05T19:51:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15627">
    <title>hostapd wpa_supplicant wireshark capture</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15627</link>
    <description>&lt;pre&gt;Hi,

I am trying to capture the communication between hostapd and wpa supplicant using wireshark. I have hostapd and wpa supplicant interacting with my own additional library. This library will be used to implement a new key exchange mechanism.

hostapd is configured to use wlan0 and wpa_supplicant is configured to use wlan1.

The hostapd and wpa_supplicant are able to communicate with each other and I am able to view the probe/authentication/association messages in Wireshark by monitoring the interfaces wlan0 and mon.wlan0.

I am also able to view the new key exchange data of my new library from hostapd to wpa supplicant. But the problem is that I am not able to view the messages sent from wpa supplicant to hostapd. I tried to monitor messages in 'hwsim0' as well. The observation is still the same.

Can someone provide inputs on this problem?

Regards
&lt;/pre&gt;</description>
    <dc:creator>Manishekar Chandrasekaran</dc:creator>
    <dc:date>2013-06-03T13:34:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15617">
    <title>Extracting specific fields from a PCAP</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15617</link>
    <description>&lt;pre&gt;I'm trying to get some sort of script made so I can input a PCAP and have it
pull out specific fields. The intent is to make identifying the user and
hostname of an infected machine much faster.

I usually do a String Search for Packet Details in Wireshark for the
following, and it works great, but I'd like to make it automated, if
possible, and have it all output in a single txt file.

===============================
To find the host name:
Workstation 
Host Name:
Host=
NetBIOSName
NetBIOS Host
HostAddress

To find the username:
Client Name (Principal)
User name:
COOKIE_last_login=
CN=
Filename:

===============================

Unfortunately most of the fields are listed as "Text" and do not have a
specific name like dns.resp.name or dns.qry.name.

I've tried using tshark, but the output gives the empty fields, as well as
the ones I want. If I output it to a txt file it is usually about 25KB
because of all the new lines.

For tshark I tried to extract dns.srv.name. In Wireshark it shows the field
name with &lt;/pre&gt;</description>
    <dc:creator>Joseph Cooper</dc:creator>
    <dc:date>2013-05-29T16:42:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15616">
    <title>use of -z io,stat</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15616</link>
    <description>&lt;pre&gt;I'm trying to teach myself how to use the '-z io,stat' options in tshark

I was imagining that the following would tell me how many seconds the trace covers

tshark -r sample-http.pcapng -o tcp.calculate_timestamps:TRUE -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"

=============================================
| IO Statistics                             |
|                                           |
| Interval size: 11.1 secs (dur)            |
| Col 1: Frames and bytes                   |
|     2: SUM(tcp.time_delta)tcp.time_delta  |
|-------------------------------------------|
|              |1               |2          |
| Interval     | Frames | Bytes |    SUM    |
|-------------------------------------------|
|  0.0 &amp;lt;&amp;gt; 11.1 |    216 | 45453 | 23.817352 |
=============================================

capinfos sample-http.pcapng
File name:           sample-http.pcapng
[...]
File size:           53 kB
Data size:           45 kB
Capture duration:    11 seconds
[...]

But apparently not:  '23.817352'&lt;/pre&gt;</description>
    <dc:creator>Stuart Kendrick</dc:creator>
    <dc:date>2013-05-26T15:42:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15614">
    <title>BOSH  connections</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15614</link>
    <description>&lt;pre&gt;Hello


I'm wondering if anyone has a good way to view XMPP  traffic through a BOSH connection?   Wireshark does this as BOSH is just HTTP however the SSL decodes seem to be all over in different tabs and also the conversation  is in  two HTTP connections.   Thanks for any help.
&lt;/pre&gt;</description>
    <dc:creator>Matt Bellizzi</dc:creator>
    <dc:date>2013-05-24T16:57:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15613">
    <title>Wireshark (1.8.2) decrypting (SIP)TLS Traffic</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15613</link>
    <description>&lt;pre&gt;Hi list,

I just tried to decrypt SIP TLS traffic in wireshark (preferences --&amp;gt; 
SSL , imported priv key for server ip/port) and was at least able to see 
decrypted packets in the ssl-logfile when enabling SSL debugging in 
wireshark. I also made sure to capture the initial handshake, but the 
decrypted SIP traffic never shows up in wireshark/packet list?

One thing i noticed is: i have to choose a protocol like "sip","ssl" but 
there is no "sip-tls" ? But i am not sure if this makes any difference...

...
association_find: TCP port 1051 found (nil)
association_find: TCP port 5061 found 0xb9eb6268
dissect_ssl3_record decrypted len 651
decrypted app data fragment: SIP/2.0 200 OK
Via: SIP/2.0/TLS 109.22.22.22:5061;branch=z9hG4bK1b7a.e58532f.0
...


I also avoided diffie-hellman ciphers (to keep things simple) and tried 
a few other things but i am never able to see the packets in the packet 
list? (Only in the ssl logfile...)


Any ideas how to debug this?

&lt;/pre&gt;</description>
    <dc:creator>Max Mühlbronner</dc:creator>
    <dc:date>2013-05-23T11:19:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15610">
    <title>tshark http -e options</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15610</link>
    <description>&lt;pre&gt;Hi,

I want to use tshark to capture http requests and responses. I am having
difficulty getting POST bodies and the HTML response body to appear. I'm
using the following command:

tshark -R "http.response or http.request" -T fields -E separator="|" -e
frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e
http.request.version -e http.request.method -e http.request -e http.host -e
http.request.uri -e http.user_agent -e http.response.code -e
http.content_type -e http.content_length -e http.location -e http.referer
-e http.response.body

Is there a URL that shows all possible -e flags? Can someone suggest how I
can print a pipe delimited output of the entire http request and response
pair?

Thanks,
Chris
&lt;/pre&gt;</description>
    <dc:creator>Chris Datfung</dc:creator>
    <dc:date>2013-05-21T20:39:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15608">
    <title>Wireshark 1.8.7 is now available</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15608</link>
    <description>&lt;pre&gt;I'm proud to announce the release of Wireshark 1.8.7.

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer.
   It is used for troubleshooting, analysis, development and
   education.

What's New

  Bug Fixes

   The following vulnerabilities have been fixed.

     o wnpa-sec-2013-23

       The RELOAD dissector could go into an infinite loop.
       Discovered by Evan Jensen. (Bug 8364, Bug 8546)

       Versions affected: 1.8.0 to 1.8.6.

       CVE-2013-2486

       CVE-2013-2487

     o wnpa-sec-2013-24

       The GTPv2 dissector could crash. (Bug 8493)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-25

       The ASN.1 BER dissector could crash. (Bug 8599)

       Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.

     o wnpa-sec-2013-26

       The PPP CCP dissector could crash. (Bug 8638)

       Versions affected: 1.8.0 to 1.8.6.

     o wnpa-sec-2013-27

       The DCP ETSI dissector could crash. D&lt;/pre&gt;</description>
    <dc:creator>Gerald Combs</dc:creator>
    <dc:date>2013-05-17T21:58:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15607">
    <title>[HITB-Announce] HITB Magazine Issue 010</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15607</link>
    <description>&lt;pre&gt;Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your &amp;gt; 3000 word article to editorial-Y0pbcourc9SI2xUbZzX/NA&amp;lt; at &amp;gt;public.gmane.org

Topics of interest include, but are not limited to the following:

    Next generation attacks and exploits
    Apple / OS X security vulnerabilities
    SS7/Backbone telephony networks
    VoIP security
    Data Recovery, Forensics and Incident Response
    HSDPA / CDMA Security / WIMAX Security
    Network Protocol and Analysis
    Smart Card and Physical Security
    WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
    Analysis of malicious code
    Applications of cryptographic techniques
    Analysis of attacks against networks and machines
    File system security
    Side Channel Analysis of Hardware Devices
    Cloud Security
    Exploit Analysis

On an unrelated note, registration for the 11th annual HITB Security
Conference (#HITB2013KUL) is also &lt;/pre&gt;</description>
    <dc:creator>Hafez Kamal</dc:creator>
    <dc:date>2013-05-14T11:00:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15605">
    <title>Wireshark piping in of pcap data on windows</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15605</link>
    <description>&lt;pre&gt;Given I cannot specify a filename as device on windows, what is the best way to
take a stream (stdout) of pcap data and show it realtime in wireshark?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


&lt;/pre&gt;</description>
    <dc:creator>Jason Pyeron</dc:creator>
    <dc:date>2013-05-12T19:44:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15604">
    <title>summing DeltaT in one direction</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15604</link>
    <description>&lt;pre&gt;I would like to calculate how much time the Client and the Server spend turning around frames.

Client ------- Switch ------- Server
                 |
                 |
              sniffer

In this example, Client is using SMB to copy a file to Server.

I'm imagining that I can calculate the Server's contribution as follows:
tshark -r foo.pcap -Y tcp.srcport==445 -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"

================================================
| IO Statistics                                |
|                                              |
| Interval size: 44.1 secs (dur)               |
| Col 1: Frames and bytes                      |
|     2: SUM(tcp.time_delta)tcp.time_delta     |
|----------------------------------------------|
|              |1                  |2          |
| Interval     | Frames |   Bytes  |    SUM    |
|----------------------------------------------|
|  0.0 &amp;lt;&amp;gt; 44.1 |  50069 | 50551304 | 44.145992 |
================================================


And the Client&lt;/pre&gt;</description>
    <dc:creator>Stuart Kendrick</dc:creator>
    <dc:date>2013-05-12T18:15:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15603">
    <title>Process Information with packets</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15603</link>
    <description>&lt;pre&gt;Hi, I am going to work on a project.
The application and user associated with each packet should be shown
in the packet detail, like Wireshark showing the packet sender's host
user name. Let's suppose a computer has 10 users; then we cannot say
who is the sender of this packet.

Please tell me what new features I can add to this project. I don't
know whether this is already implemented or not; if it is implemented,
then tell me.

I will be greatly happy if you help me to improve my project.
Thanks
&lt;/pre&gt;</description>
    <dc:creator>Prameswar Lal</dc:creator>
    <dc:date>2013-05-12T14:15:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.wireshark.user/15602">
    <title>Fwd:</title>
    <link>http://comments.gmane.org/gmane.network.wireshark.user/15602</link>
    <description>&lt;pre&gt;http://intechnics.de/npot38.php&lt;/pre&gt;</description>
    <dc:creator>Fabio Mendes</dc:creator>
    <dc:date>2013-04-12T06:35:19</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.wireshark.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.wireshark.user</link>
  </textinput>
</rdf:RDF>
