
Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 15, Issue 11

From: "Natividad, Joel" <JNatividad@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 7 Aug 2007 17:26:04 -0400
unsubscribe

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Tuesday, August 07, 2007 2:56 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 15, Issue 11

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Replaying IP only capture (David)
   2. Query regarding error comes during making build
      (vaibhav.agarwal@xxxxxxxxxxx)
   3. Re: Fw: I am not decode the Nbap andsscopmessages.
      (Martin Mathieson)
   4. Re: Fw: I am not able to decode FP messages.
      (vaibhav.agarwal@xxxxxxxxxxx)
   5. Re: Fw: I am not able to decode FP messages. (Martin Mathieson)
   6. Re: HTTP not captured (Jeff Morriss)
   7. Re: capturing 802.11 management frames (Loris Degioanni)
   8. Re: Query regarding error comes during making build (Bill Meier)


----------------------------------------------------------------------

Message: 1
Date: Tue, 07 Aug 2007 12:58:14 +0100
From: David <lists@xxxxxxxxx>
Subject: [Wireshark-users] Replaying IP only capture
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <20070807125814.pjx8oyog04o8gko4@xxxxxxxxxxxxxxx>
Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
	format="flowed"

Hi,

I have a capture which is IP-only and does not have the Ethernet
layers present.  Is anybody aware of a tool that can replay this, or
edit it and insert fake Ethernet headers so that I can simply use
tcpreplay?

Usually I only replay over a dummy interface in Linux, so there should
be no problems with fake Ethernet frames.

David
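
One way to do what David asks, as an added example written for this digest
rather than a tool from Wireshark or tcpreplay: rewrite the pcap's link type
from raw IP to Ethernet and prepend a 14-byte header to every packet, picking
the EtherType from the IP version nibble.  It assumes a classic libpcap file
(pcapng is rejected) whose link type is one of the raw-IP values (DLT_RAW 12,
OpenBSD's 101, DLT_IPV4 228, DLT_IPV6 229); the MAC addresses and the sample
packets are constructed for the demo and can be anything on a dummy interface.

```python
"""Prepend fake Ethernet headers to a raw-IP pcap so tcpreplay can send it.

Added example for this thread, not a Wireshark/tcpreplay tool.  Assumes the
input is a classic libpcap file (not pcapng) whose link type is raw IP.
"""
import struct
import sys

DLT_EN10MB = 1                                          # Ethernet
DLT_RAW, DLT_IPV4, DLT_IPV6 = 12, 228, 229
RAW_IP_LINKTYPES = {DLT_RAW, 101, DLT_IPV4, DLT_IPV6}   # 101 = OpenBSD's DLT_RAW
ETHERTYPE = {4: 0x0800, 6: 0x86DD}                      # keyed by IP version nibble
ETH_HDR_LEN = 14

# Constructed, locally administered MAC addresses; any pair works on a
# Linux dummy interface because nothing has to answer.
DST_MAC = bytes.fromhex("020000000002")
SRC_MAC = bytes.fromhex("020000000001")

# pcap magic numbers -> struct byte-order prefix (usec and nsec variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
GHDR_FMT = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RHDR_FMT = "IIII"      # ts_sec, ts_frac, incl_len, orig_len


def read_pcap(data):
    """Parse a classic pcap into (endian, global header tuple, records).

    Records are (ts_sec, ts_frac, orig_len, packet_bytes).  A truncated file
    raises ValueError instead of silently yielding a short last packet."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = MAGICS[data[:4]]
    ghdr, rhdr = struct.Struct(endian + GHDR_FMT), struct.Struct(endian + RHDR_FMT)
    header = ghdr.unpack_from(data, 0)
    records, off = [], ghdr.size
    while off < len(data):
        if off + rhdr.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_frac, orig_len, pkt))
    return endian, header, records


def ethernet_header(ip_packet):
    """Build the 14-byte header; the EtherType follows the packet's IP version."""
    if not ip_packet:
        raise ValueError("empty packet")
    version = ip_packet[0] >> 4
    if version not in ETHERTYPE:
        raise ValueError("not IPv4/IPv6 (version nibble %d)" % version)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE[version])


def wrap_raw_ip_pcap(data):
    """Return a new pcap with linktype DLT_EN10MB and every packet framed."""
    endian, (magic, major, minor, zone, sigfigs, snaplen, linktype), records = read_pcap(data)
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError("linktype %d is not raw IP; refusing to double-wrap" % linktype)
    snaplen = min(snaplen + ETH_HDR_LEN, 0xFFFFFFFF)
    out = bytearray(struct.pack(endian + GHDR_FMT, magic, major, minor, zone,
                                sigfigs, snaplen, DLT_EN10MB))
    for ts_sec, ts_frac, orig_len, pkt in records:
        frame = ethernet_header(pkt) + pkt
        out += struct.pack(endian + RHDR_FMT, ts_sec, ts_frac, len(frame),
                           orig_len + ETH_HDR_LEN) + frame
    return bytes(out)


def build_raw_ip_pcap(packets, linktype=DLT_RAW):
    """Write a little-endian pcap from bare IP packets (used to build the
    constructed sample below, so the script can be exercised without a capture)."""
    out = bytearray(struct.pack("<" + GHDR_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<" + RHDR_FMT, 1186491494 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


# Constructed sample packets: a minimal IPv4/UDP header with 4 payload bytes
# (checksum left zero) and a minimal IPv6 header with no payload.
IPV4_PKT = bytes.fromhex("4500001800010000401100000a0000010a000002") + b"\x00" * 4
IPV6_PKT = bytes.fromhex("600000000000" + "3b40") + bytes(15) + b"\x01" + bytes(15) + b"\x02"
SAMPLE_RAW_PCAP = build_raw_ip_pcap([IPV4_PKT, IPV6_PKT])

if __name__ == "__main__":
    # usage: python wrap_raw_ip.py in.pcap out.pcap && tcpreplay -i dummy0 out.pcap
    with open(sys.argv[1], "rb") as f:
        wrapped = wrap_raw_ip_pcap(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(wrapped)
```

The script refuses files that already carry a link layer, so running it twice
cannot produce Ethernet-in-Ethernet garbage, and it bumps snaplen by 14 so the
rewritten records stay within the header's declared limit.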


------------------------------

Message: 2
Date: 07-Aug-2007 17:55:08 ZE5B
From: vaibhav.agarwal@xxxxxxxxxxx
Subject: [Wireshark-users] Query regarding error comes during making
	build
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <200708071219.l77CJheE016858@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII

Hi,

At the time of making a build, it gives the error "link: too many arguments":

        link /NODEFAULTLIB /INCREMENTAL:NO /PDB:NONE /RELEASE /NOLOGO
-entry:_DllMainCRTStartup@12 -dll msvcrt.lib oldnames.lib kernel32.lib
ws2_32.lib mswsock.lib advapi32.lib  /DEBUG  /DEF:wtap.def
/OUT:wiretap-0.3.1.dll  /IMPLIB:wiretap-0.3.1.lib  ..\image\wiretap.res
5views.obj             airopeek9.obj          ascend.obj
atm.obj                         ber.obj                buffer.obj
catapult_dct2000.obj    cosine.obj              csids.obj
dbs-etherwatch.obj      erf.obj                        etherpeek.obj
eyesdn.obj            file_access.obj                file_wrappers.obj
hcidump.obj             i4btrace.obj           iptrace.obj
iseries.obj             k12.obj                        lanalyzer.obj
libpcap.obj             mpeg.obj                       mpeg-audio.obj
netmon.obj              nettl.obj
network_instruments.obj  netxray.obj             ngsniffer.obj
pppdump.obj             radcom.obj              snoop.obj
toshiba.obj             visual.obj              vms.obj
wtap.obj  file_util.obj C:\wireshark-win32-libs\glib\lib\glib-2.0.lib
C:\wireshark-win32-libs\glib\lib\gmodule-2.0.lib
C:\wireshark-win32-libs\glib\lib\gobject-2.0.lib
C:\wireshark-win32-libs\zlib123-dll\lib\zdll.lib
link: too many arguments



Thanks & Regards,
Vaibhav

***********************  Aricent-Unclassified   ***********************

"DISCLAIMER: This message is proprietary to Aricent and is intended solely
for the use of the individual to whom it is addressed. It may contain
privileged or confidential information and should not be circulated or used
for any purpose other than for what it is intended. If you have received
this message in error, please notify the originator immediately. If you are
not the intended recipient, you are notified that you are strictly
prohibited from using, copying, altering, or disclosing the contents of
this message. Aricent accepts no responsibility for loss or damage arising
from the use of the information transmitted by this email including damage
from virus."





------------------------------

Message: 3
Date: Tue, 7 Aug 2007 13:27:01 +0100
From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Fw: I am not decode the Nbap
	andsscopmessages.
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<7b8c30e40708070527s4721786pcad8b4671a5e1f30@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

> Not RRC, not directly on UDP,
> but the stack is like this: UDP -> FP -> MAC -> RLC -> RRC (but the only
> difference is this FP is over UDP, not on ATM).
>

Hi,

There is support for FP (not MAC or RLC yet), but only currently for
DCT2000 or K12 format files (there is support for UDP over FP for
DCT2000, I don't think there is for K12...).  Those formats both
contain the extra information needed to know how to interpret the FP
frame.

The alternative to having this information would be to infer the
configuration of the FP, MAC and RLC layers and simulate them based
upon RRC configuration.  This would be quite involved.  And impossible
if you need this info in order to decode the RRC messages in the first
place :(

Martin


------------------------------

Message: 4
Date: 07-Aug-2007 18:07:32 ZE5B
From: vaibhav.agarwal@xxxxxxxxxxx
Subject: Re: [Wireshark-users] Fw: I am not able to decode FP
	messages.
To: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
Cc: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <200708071232.l77CWNmg019457@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII

Hi,

I only want to decode RRC or FP messages, I do not want to decode RLC and
MAC layer messages.
But in our case FP is over UDP, not on ATM.

Please tell me how to configure FP over UDP, then RRC.


Thanks & Regards,
Vaibhav


"Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx> (sent by
wireshark-users-bounces@wireshark.org) wrote on 08/07/2007 05:57 PM to
"Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>,
subject "Re: [Wireshark-users] Fw: I am not decode the Nbap
andsscopmessages.":

> > Not RRC, not directly on UDP,
> > but the stack is like this: UDP -> FP -> MAC -> RLC -> RRC (but the only
> > difference is this FP is over UDP, not on ATM).
> >
>
> Hi,
>
> There is support for FP (not MAC or RLC yet), but only currently for
> DCT2000 or K12 format files (there is support for UDP over FP for
> DCT2000, I don't think there is for K12...).  Those formats both
> contain the extra information needed to know how to interpret the FP
> frame.
>
> The alternative to having this information would be to infer the
> configuration of the FP, MAC and RLC layers and simulate them based
> upon RRC configuration.  This would be quite involved.  And impossible
> if you need this info in order to decode the RRC messages in the first
> place :(
>
> Martin
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users







------------------------------

Message: 5
Date: Tue, 7 Aug 2007 14:01:41 +0100
From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Fw: I am not able to decode FP
	messages.
To: vaibhav.agarwal@xxxxxxxxxxx
Cc: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<7b8c30e40708070601u50f1dfcdn76f045c02e8b98fd@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

> Hi,
>
> I only want to decode RRC or FP message , I do not want to decode RLC and
> MAC layer messages.
> But in over case FP over UDP not on ATM.
>
> Please tell how to configure FP over UDP then RRC.
>

You won't be able to decode the FP messages without supplying the
dissector with at least some of the extra information stored in this
structure (see packet-umts_fp.h) and attaching it to the packet, as
the DCT2000 and K12 dissectors do.

We could maybe add preferences to the FP dissector to set default
values for some of these in the absence of complete configuration...

/* From packet-umts_fp.h.  guint8/guint16/gint/gboolean are GLib types
 * (#include <glib.h>).  A file-format dissector fills this in from the
 * capture's side information and attaches it to the packet before the
 * FP dissector runs. */
enum fp_interface_type
{
    IuB_Interface,
    IuR_Interface
};

typedef struct fp_info
{
    enum fp_interface_type iface_type;
    guint8  release;                     /* e.g. 99, 4, 5, 6 */
    guint16 release_year;                /* e.g. 2001 */
    guint8  release_month;               /* e.g. 12 for December */
    gboolean is_uplink;
    gint channel;                        /* channel type; see the definitions above this struct in the header */
    guint8  dch_crc_present;             /* 0=No, 1=Yes, 2=Unknown */
    gint paging_indications;
    gint num_chans;
#define MAX_FP_CHANS  64
    gint chan_tf_size[MAX_FP_CHANS];     /* transport format size per channel */
    gint chan_num_tbs[MAX_FP_CHANS];     /* number of transport blocks per channel */

#define MAX_EDCH_DDIS 16
    gint   no_ddi_entries;
    guint8 edch_ddi[MAX_EDCH_DDIS];
    guint  edch_macd_pdu_size[MAX_EDCH_DDIS];
} fp_info;


... but I don't think you'll have RRC directly over FP, you'll have
MAC and RLC.  If you don't care about displaying their details, you
still need to understand them to skip their headers properly and
reassemble their data.

Martin


------------------------------

Message: 6
Date: Tue, 07 Aug 2007 09:30:44 -0400
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Subject: Re: [Wireshark-users] HTTP not captured
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <46B87404.5030509@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Antti K. wrote:
> Hello,
> 
> I've downloaded the latest SVN-release of Wireshark (0.99.7-SVN-22460) 
> and compiled it.
> My problem is this: after capturing packets from my dsl-line I don't see any
> HTTP-protocol captures on the capture file, only TCP, DNS, UDP and ICMP.
> 
> IF I load that same capture file in Ubuntu's "own" Wireshark-package 
> (0.99.4) I can see the HTTP
> protocol -captures and everything is as they should be.
> 
> So what am I doing wrong or what is wrong that I can't see the HTTP 
> protocol in
> my own compilation of Wireshark?

There was an email on the -dev list recently that said that HTTP is not 
dissected any more in recent versions of SVN--I don't think anyone has 
looked at it yet.  In other words, it's probably a "bleeding edge" problem.


------------------------------

Message: 7
Date: Tue, 07 Aug 2007 09:05:14 -0700
From: Loris Degioanni <loris.degioanni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] capturing 802.11 management frames
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <46B8983A.7090402@xxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Xu Yao wrote:

> Hello,
> 
> I have met several problems when trying to capture 802.11 management 
> frames. Could anyone who has such experience help me?
> 
> 1. A card in monitor mode is said to capture frames on a given channel, 
> however, I have also noticed frames from other channels.

802.11a/b/g channels are 20 MHz in width, but their distance is only 
5 MHz. This means that two transmitters on contiguous channels (like 3 
and 4) share a good part of their spectrum. Therefore, it's pretty common 
for traffic on channel 4 to be recognized by a receiver on channel 3, 
especially if the transmitter is powerful and/or close.

> 2. I have also noticed frame losses, but I don't know whether it's due 
> to the driver of the card or the processing capacity of the machine.

Wireless capture is not an exact science like wired capture. There are 
many more factors that cause frame loss, among which:

- position of the capture adapter and distance from the transmitter and 
the receiver. It's very common to capture only one side of the 
conversation because the other one is too far.
- gain of the antenna of the capture adapter.
- orientation of the antenna of the capture adapter. Even 
omnidirectional antennas normally don't work on their vertical axis.
- external conditions that decrease the reception: walls, cordless 
phones, microwave ovens, and so on.
- and of course, software problems too, like drivers that don't 
configure the card properly.

Note that, with wireless, processing capacity is normally not an issue, 
because even at full rate the traffic is so low that a modern machine 
handles it easily even without optimized capture pipes. And in real life 
you're always very far from full rate.

> 3. Is there a way to capture all "probe request" packets sent on 
> different channels when a station tries to attach itself to an AP?

You need a capture system that supports multi-channel capture. My 
company, CACE Technologies, sells a product called AirPcap 3-Pack 
(http://www.cacetech.com/products/airpcap.htm), that allows capturing on 
3 channels at the same time with Wireshark.

Loris

> Thanks.
> Yao
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
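
Loris's first answer, turned into something you can check against a capture.
This is an added example for this digest, not code from the thread or from
Wireshark.  It computes how much spectrum two 2.4 GHz channels share (centre
2407 + 5*n MHz for channels 1-13, 2484 MHz for 14, each 20 MHz wide) and pulls
the channel an AP advertises out of a beacon's DS Parameter Set IE (tag 3), so
a frame seen on channel 3 that claims channel 4 is classified as expected
adjacent-channel bleed rather than a driver bug.  The beacon body is
constructed for the demo; the 5 GHz band is not handled.

```python
"""Why a monitor-mode card tuned to channel 3 also sees channel 4 traffic.

Added example for this thread, not part of the original post or of
Wireshark.  2.4 GHz band only.
"""
import struct

CHANNEL_WIDTH_MHZ = 20
DS_PARAMETER_SET = 3          # 802.11 information element id carrying the channel


def center_freq_mhz(channel):
    """2.4 GHz channel number -> centre frequency in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError("not a 2.4 GHz channel: %r" % (channel,))


def overlap_mhz(ch_a, ch_b):
    """Spectrum shared by two 20 MHz channels; 0 when they only touch or are apart."""
    distance = abs(center_freq_mhz(ch_a) - center_freq_mhz(ch_b))
    return max(0, CHANNEL_WIDTH_MHZ - distance)


def beacon_channel(frame_body):
    """Channel the AP says it transmits on, from the DS Parameter Set IE.

    A beacon/probe-response body is timestamp (8), interval (2), capability (2),
    then tagged parameters of the form id (1), length (1), value."""
    if len(frame_body) < 12:
        raise ValueError("beacon body too short")
    off = 12
    while off + 2 <= len(frame_body):
        ie_id, ie_len = frame_body[off], frame_body[off + 1]
        value = frame_body[off + 2: off + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE %d at offset %d" % (ie_id, off))
        if ie_id == DS_PARAMETER_SET and ie_len == 1:
            return value[0]
        off += 2 + ie_len
    raise ValueError("no DS Parameter Set in beacon")


def leakage_report(frame_body, listening_channel):
    """Compare the channel the card was tuned to with the channel the sender
    advertises; adjacent-channel bleed is expected whenever they overlap."""
    sender = beacon_channel(frame_body)
    shared = overlap_mhz(listening_channel, sender)
    if sender == listening_channel:
        verdict = "same channel"
    elif shared:
        verdict = "adjacent-channel bleed (%d MHz shared)" % shared
    else:
        verdict = "no overlap; check driver/channel config"
    return {"listening": listening_channel, "advertised": sender,
            "overlap_mhz": shared, "verdict": verdict}


def build_beacon_body(ssid, channel):
    """Constructed beacon body for the demo: zero timestamp, 100 TU interval,
    ESS+privacy capability, SSID IE, supported-rates IE, DS Parameter Set IE."""
    rates = bytes([0x82, 0x84, 0x8B, 0x96])        # 1, 2, 5.5, 11 Mb/s (basic)
    body = struct.pack("<QHH", 0, 100, 0x0011)
    body += bytes([0, len(ssid)]) + ssid
    body += bytes([1, len(rates)]) + rates
    body += bytes([DS_PARAMETER_SET, 1, channel])
    return body


SAMPLE_BEACON = build_beacon_body(b"corp-guest", channel=4)

if __name__ == "__main__":
    print(leakage_report(SAMPLE_BEACON, listening_channel=3))
```

Channels 1, 6 and 11 come out with zero overlap, which is why they are the
usual non-overlapping set; channels 1 and 5 only touch at the edge.  Wireshark
exposes the same IE as wlan.ds.current_channel, so a display filter comparing
it with the channel you were tuned to flags the same frames.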


------------------------------

Message: 8
Date: Tue, 7 Aug 2007 14:56:13 -0400 (EDT)
From: Bill Meier <wmeier@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Query regarding error comes during
	making build
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <200708071856.l77IuDrf071833@xxxxxxxxxxxxxxxxxx>

At Sun,  7 Jan 2007 12:55:08 -0500 (EST), you wrote
>
>
>
>
>Hi,
>
>At the time of making a build, it gives error link: too many arguments:-
>

My (strong) suspicion is that you've got cygwin specified before Microsoft C
in your PATH such that the link command being invoked is the cygwin gnu link.

See http://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html

"Unfortunately, the link command is defined both from cygwin and from MSVC
with completely different purpose, you'll need the MSVC link. If your link
command looks something like: /usr/bin/link, the link command of cygwin takes
precedence over the MSVC one. To fix this, you can change your PATH
environment setting or simply rename the link.exe in cygwin. If you rename
it, make sure to remember that a cygwin update may provide a new version of
it."

Bill Meier
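
A way to confirm Bill's suspicion before touching PATH, as an added example
for this digest (not part of the Wireshark build system): walk PATH in the
order the shell does, list every `link`/`link.exe`, and probe the winner's
`--version` banner.  It assumes the cygwin/coreutils `link` answers with a line
containing "GNU coreutils" and that MSVC's `link.exe` prints its
"Microsoft (R) Incremental Linker" banner (it does so even when handed an
option it does not know).  The two fake `link` scripts are constructed
fixtures so the demo runs on any POSIX box; on a real Windows box you would
call diagnose("link", os.environ["PATH"]).

```python
"""Which `link` does your build actually run?

Added example for this thread, not part of Wireshark's build.  Assumes
cygwin's link reports "GNU coreutils" and MSVC's link prints a banner
containing "Microsoft".
"""
import os
import stat
import subprocess
import tempfile

EXE_SUFFIXES = ("", ".exe")


def candidates(name, path_string, sep=os.pathsep):
    """All executables called `name` in PATH order; index 0 is the one that runs."""
    found = []
    for directory in path_string.split(sep):
        if not directory:
            continue
        for suffix in EXE_SUFFIXES:
            candidate = os.path.join(directory, name + suffix)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                found.append(candidate)
    return found


def classify(path):
    """Run `<path> --version` and name the tool from its first output line."""
    try:
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=10)
    except OSError as exc:
        return "could not run (%s)" % exc
    lines = (proc.stdout + proc.stderr).strip().splitlines()
    first = lines[0] if lines else ""
    if "GNU coreutils" in first:
        return "cygwin/coreutils link (hard-link tool, not a linker)"
    if "Microsoft" in first:
        return "MSVC linker"
    return "unknown: %r" % first


def diagnose(name, path_string):
    """Return (winner, classification, all candidates) for `name` on a PATH."""
    found = candidates(name, path_string)
    if not found:
        return None, "not on PATH", []
    return found[0], classify(found[0]), found


def make_fake_link(directory, banner):
    """Constructed fixture: a script answering --version with `banner`, so the
    demo runs without cygwin or Visual Studio installed."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "link")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho '%s'\n" % banner)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def demo(root):
    """Cygwin-first vs MSVC-first PATH, built from the constructed fixtures."""
    cyg = make_fake_link(os.path.join(root, "cygwin", "bin"), "link (GNU coreutils) 1.7")
    msvc = make_fake_link(os.path.join(root, "vc", "bin"),
                          "Microsoft (R) Incremental Linker Version 8.00")
    bad = os.pathsep.join([os.path.dirname(cyg), os.path.dirname(msvc)])
    good = os.pathsep.join([os.path.dirname(msvc), os.path.dirname(cyg)])
    return diagnose("link", bad), diagnose("link", good)


def run_demo():
    """Run demo() in a throwaway directory and return both diagnoses."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    for winner, kind, _ in run_demo():
        print("%s -> %s" % (winner, kind))
```

The first diagnosis is the failure mode in the thread (cygwin's `link` wins
and chokes on the object list); the second is the same machine after MSVC's
bin directory is moved ahead of cygwin's.  Renaming cygwin's link.exe instead
makes the first case report "not on PATH" for that directory, which is the
other fix the developer guide mentions.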



------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 15, Issue 11
***********************************************