Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 12, Issue 46
From: "William Grayson" <wgrayson@xxxxxxxxxx>
Date: Wed, 23 May 2007 14:36:10 -0400
Wireshark- These will be point-to-point voip just carrying carrier class 4 traffic. We will be testing SIP. -----Original Message----- From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx Sent: Wednesday, May 23, 2007 2:32 PM To: wireshark-users@xxxxxxxxxxxxx Subject: Wireshark-users Digest, Vol 12, Issue 46 Send Wireshark-users mailing list submissions to wireshark-users@xxxxxxxxxxxxx To subscribe or unsubscribe via the World Wide Web, visit http://www.wireshark.org/mailman/listinfo/wireshark-users or, via email, send a message with subject or body 'help' to wireshark-users-request@xxxxxxxxxxxxx You can reach the person managing the list at wireshark-users-owner@xxxxxxxxxxxxx When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..." Today's Topics: 1. Monitoring VoIP Traffic (William Grayson) 2. Re: Monitoring VoIP Traffic (Irakli Natshvlishvili) 3. Re: Help about 'decode as' (Stephen Fisher) 4. Re: Help.. (Stephen Fisher) 5. Re: Conflict with Cisco VPN? (Mark McWhinney) ---------------------------------------------------------------------- Message: 1 Date: Wed, 23 May 2007 13:52:50 -0400 From: "William Grayson" <wgrayson@xxxxxxxxxx> Subject: [Wireshark-users] Monitoring VoIP Traffic To: <wireshark-users@xxxxxxxxxxxxx> Message-ID: <5B65B838AF47B046A5CFB4963BECC3DA84630A@xxxxxxxxxxxxxxxxxxx> Content-Type: text/plain; charset="us-ascii" Dear Wireshark- I am in the process of deploying a VoIP carrier network where I am installing Juniper M7i routers in 10 cities. What tools can I use out there to monitor voip traffic and do some vulnerability testing? I would like to pretend I am a DoS person out there attacking the network. wg -----Original Message----- From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx Sent: Wednesday, May 23, 2007 1:17 PM To: wireshark-users@xxxxxxxxxxxxx Subject: Wireshark-users Digest, Vol 12, Issue 45 Send Wireshark-users mailing list submissions to wireshark-users@xxxxxxxxxxxxx To subscribe or unsubscribe via the World Wide Web, visit http://www.wireshark.org/mailman/listinfo/wireshark-users or, via email, send a message with subject or body 'help' to wireshark-users-request@xxxxxxxxxxxxx You can reach the person managing the list at wireshark-users-owner@xxxxxxxxxxxxx When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..." Today's Topics: 1. Sniffing AIM traffic (Mike W) 2. Help needed on interpretation of dump (Wolfgang Heidrich) ---------------------------------------------------------------------- Message: 1 Date: Wed, 23 May 2007 11:22:52 -0400 From: "Mike W" <mike.wilhide@xxxxxxxxx> Subject: [Wireshark-users] Sniffing AIM traffic To: wireshark <wireshark-users@xxxxxxxxxxxxx> Message-ID: <b3c95b150705230822i4d932122i864eaf17776044f6@xxxxxxxxxxxxxx> Content-Type: text/plain; charset="iso-8859-1" I've been playing around with Wireshark recently, attempting to get familiar with the app and with traffic analyzing. I wanted to see what would happen if I tried sniffing AIM traffic from one of the PCs on my LAN. When AIM is connecting to the oscar server directly, I'll see no AIM traffic at all. I sign on/off (I see the HTTP traffic generated by this process, but nothing else), send messages, get buddy info, etc. but Wireshark isn't picking up any AIM packets. I have the filter set to only view traffic from the host running AIM. When I route AIM through my Squid proxy, I can see everything as HTTP requests. I've gone through all my settings, which I haven't changed since installation, and can't see anything wrong with them. Is there something that I'm missing here? Am I looking at the wrong traffic? I've tried with no filters, as well as filtering by port and host. At first I thought that my NIC wasn't dropping into promiscuous mode properly or something, but I can still seea lot of traffic from other hosts on my network. I also tried sniffing from my windows machine using Wireshark, but with the same results. Any help would be very appreciated. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.wireshark.org/lists/wireshark-users/attachments/20070523/aebb c887/attachment.htm ------------------------------ Message: 2 Date: Wed, 23 May 2007 16:54:31 +0200 From: "Wolfgang Heidrich" <Wolfgang.Heidrich@xxxxxxxxxxx> Subject: [Wireshark-users] Help needed on interpretation of dump To: <wireshark-users@xxxxxxxxxxxxx> Message-ID: <BNEAICJDIBNIHPODBJMGEECDCNAA.Wolfgang.Heidrich@xxxxxxxxxxx> Content-Type: text/plain; charset="iso-8859-1" Hello, although I have disabled all which look like "windows is phoning home" I found an irritating entry in last nights dump - starting from line 426 onwards. As there is something mentioned like redirect, do I have malware on my PC? Who can help me? The dump-file is attached. If someone finds other irregularites, please inform me as I am a starter with wireshark. rgds akelus -------------- next part -------------- A non-text attachment was scrubbed... Name: dump9.cap Type: application/octet-stream Size: 558539 bytes Desc: not available Url : http://www.wireshark.org/lists/wireshark-users/attachments/20070523/f412 2417/attachment.obj ------------------------------ _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users End of Wireshark-users Digest, Vol 12, Issue 45 *********************************************** ------------------------------ Message: 2 Date: Wed, 23 May 2007 10:03:49 -0800 From: "Irakli Natshvlishvili" <iraklin@xxxxxxxxx> Subject: Re: [Wireshark-users] Monitoring VoIP Traffic To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Message-ID: <7716730f0705231103q7cc6a40ew321466a60b6f6c7d@xxxxxxxxxxxxxx> Content-Type: text/plain; charset="iso-8859-1" Well, you have not mentioned what type of VoIP network are you deploying - SIP/MGCP/H323/Skinny? Secondly, 'vulnerability testing' requires definitiondepending on the network and infrastructure. What exactly are you going to test - how your firewalls pass/block voip traffic? How your application servers and endpoints react on malformed messages? Is it possible to do Man-in-the-middle attack or password sniffing/decrypting? --i.n. On 5/23/07, William Grayson <wgrayson@xxxxxxxxxx> wrote: > > Dear Wireshark- > > I am in the process of deploying a VoIP carrier network where I am > installing Juniper M7i routers in 10 cities. What tools can I use out > there to monitor voip traffic and do some vulnerability testing? > > I would like to pretend I am a DoS person out there attacking the > network. > > wg > > -----Original Message----- > From: wireshark-users-bounces@xxxxxxxxxxxxx > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of > wireshark-users-request@xxxxxxxxxxxxx > Sent: Wednesday, May 23, 2007 1:17 PM > To: wireshark-users@xxxxxxxxxxxxx > Subject: Wireshark-users Digest, Vol 12, Issue 45 > > Send Wireshark-users mailing list submissions to > wireshark-users@xxxxxxxxxxxxx > > To subscribe or unsubscribe via the World Wide Web, visit > http://www.wireshark.org/mailman/listinfo/wireshark-users > or, via email, send a message with subject or body 'help' to > wireshark-users-request@xxxxxxxxxxxxx > > You can reach the person managing the list at > wireshark-users-owner@xxxxxxxxxxxxx > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Wireshark-users digest..." > > > Today's Topics: > > 1. Sniffing AIM traffic (Mike W) > 2. Help needed on interpretation of dump (Wolfgang Heidrich) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 23 May 2007 11:22:52 -0400 > From: "Mike W" <mike.wilhide@xxxxxxxxx> > Subject: [Wireshark-users] Sniffing AIM traffic > To: wireshark <wireshark-users@xxxxxxxxxxxxx> > Message-ID: > <b3c95b150705230822i4d932122i864eaf17776044f6@xxxxxxxxxxxxxx> > Content-Type: text/plain; charset="iso-8859-1" > > I've been playing around with Wireshark recently, attempting to get > familiar > with the app and with traffic analyzing. I wanted to see what would > happen > if I tried sniffing AIM traffic from one of the PCs on my LAN. > > When AIM is connecting to the oscar server directly, I'll see no AIM > traffic > at all. I sign on/off (I see the HTTP traffic generated by this > process, > but nothing else), send messages, get buddy info, etc. but Wireshark > isn't > picking up any AIM packets. I have the filter set to only view traffic > from > the host running AIM. When I route AIM through my Squid proxy, I can > see > everything as HTTP requests. I've gone through all my settings, which I > haven't changed since installation, and can't see anything wrong with > them. > > Is there something that I'm missing here? Am I looking at the wrong > traffic? I've tried with no filters, as well as filtering by port and > host. > > At first I thought that my NIC wasn't dropping into promiscuous mode > properly or something, but I can still seea lot of traffic from other > hosts > on my network. I also tried sniffing from my windows machine using > Wireshark, but with the same results. > > Any help would be very appreciated. > > Thank you. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://www.wireshark.org/lists/wireshark-users/attachments/20070523/aebb > c887/attachment.htm > > ------------------------------ > > Message: 2 > Date: Wed, 23 May 2007 16:54:31 +0200 > From: "Wolfgang Heidrich" <Wolfgang.Heidrich@xxxxxxxxxxx> > Subject: [Wireshark-users] Help needed on interpretation of dump > To: <wireshark-users@xxxxxxxxxxxxx> > Message-ID: > <BNEAICJDIBNIHPODBJMGEECDCNAA.Wolfgang.Heidrich@xxxxxxxxxxx> > Content-Type: text/plain; charset="iso-8859-1" > > Hello, > although I have disabled all which look like "windows is phoning home" I > found an irritating entry in last nights dump - starting from line 426 > onwards. As there is something mentioned like redirect, do I have > malware on > my PC? Who can help me? The dump-file is attached. > If someone finds other irregularites, please inform me as I am a starter > with wireshark. > rgds > akelus > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: dump9.cap > Type: application/octet-stream > Size: 558539 bytes > Desc: not available > Url : > http://www.wireshark.org/lists/wireshark-users/attachments/20070523/f412 > 2417/attachment.obj > > ------------------------------ > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > End of Wireshark-users Digest, Vol 12, Issue 45 > *********************************************** > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users > -- I.N. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.wireshark.org/lists/wireshark-users/attachments/20070523/86d8 5d1d/attachment.htm ------------------------------ Message: 3 Date: Wed, 23 May 2007 11:20:59 -0700 From: Stephen Fisher <stephentfisher@xxxxxxxxx> Subject: Re: [Wireshark-users] Help about 'decode as' To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> Message-ID: <20070523182059.GA82079@xxxxxxxxxxxxxxxxxxx> Content-Type: text/plain; charset=us-ascii On Wed, May 23, 2007 at 04:41:05PM +0800, majun wrote: > I found that we can input protocols type like 'rtp' on a > RedHat(Wireshark 0.99.5 GTK2+) PC when we use 'decode as', but I can't > do this on a Windows XP SP2 laptop, that's quite annoying, and XP > could not remember the 'decode as' window's size after resizing. > Any ideas? > BTW: I have test both 0.99.5 and > wireshark-setup-0.99.6-SVN-21890.exe on my laptop. No one works. Wireshark code is usually identical between the Unix and Windows versions. I'm not quite sure what problem you are reporting - you can't do Decode As->RTP on Windows, but you can on Redhat? Or something else? Steve ------------------------------ Message: 4 Date: Wed, 23 May 2007 11:23:17 -0700 From: Stephen Fisher <stephentfisher@xxxxxxxxx> Subject: Re: [Wireshark-users] Help.. To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> Message-ID: <20070523182317.GB82079@xxxxxxxxxxxxxxxxxxx> Content-Type: text/plain; charset=us-ascii On Wed, May 23, 2007 at 04:33:43PM +0530, Babu A wrote: > I have recently started using Wireshark and I need to understand and > analyze the error messages better... Can any one point me to a > location where I can get information... the current type errors that I > would like to interpret are: > > 1. Out-of-Order > 2. Previous Segment Lost > 3. Dup ack > 4. TCP Windows Update > 5. TCP Retransmission Check out http://wiki.wireshark.org/TCP and http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers and let us know what other questions you have. Any good book that covers TCP should also cover these topics in detail. Steve ------------------------------ Message: 5 Date: Wed, 23 May 2007 11:31:49 -0700 From: "Mark McWhinney" <msm@xxxxxxxxxxx> Subject: Re: [Wireshark-users] Conflict with Cisco VPN? To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx> Message-ID: <20070523183150.239E475808C@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Content-Type: text/plain; charset="us-ascii" Oddly, while the VPN was broken, the Ethereal/WinPcap worked fine. I finally fixed the problem today by reinstalling the network card's drivers. For future reference, it was a Realtek TRL8139/810x NIC. -----Original Message----- From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ulf Lamping Sent: Wednesday, May 23, 2007 12:53 AM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Conflict with Cisco VPN? Mark McWhinney wrote: > Hello, > > Recently I installed Ethereal 0.99 / WinPcap 3 then upgraded to the current > Wireshark 0.99.5 / WinPcap 4 on my Windows XP Pro laptop. > > I have been using Cisco VPN for a while without any trouble. Now, the VPN > does not work on my network card but does work with my Wireless connection. > > Is it possible that Ethereal/Wireshark/WinPcap damaged a driver or something > else that would muck up my TCP packets? > From several years of experience: In the world of computers, everything is possible ;-) > I uninstalled Ethereal/Wireshark/WinPcap and re-installed the Cisco VPN > client but am still getting the same results. > > Any tips or pointers? > > See: http://wiki.wireshark.org/CaptureSetup/InterferingSoftware You may better ask the WinPcap team about this. Wireshark is very certainly *not* the cause of your problems, but WinPcap probably is. Regards, ULFL _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users ------------------------------ _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users End of Wireshark-users Digest, Vol 12, Issue 46 ***********************************************
- Prev by Date: Re: [Wireshark-users] Conflict with Cisco VPN?
- Next by Date: Re: [Wireshark-users] Help about 'decode as'
- Previous by thread: Re: [Wireshark-users] Monitoring VoIP Traffic
- Next by thread: [Wireshark-users] Comparing packets
- Index(es):
- Get Wireshark
- Download
- Code of Conduct