Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 15, Issue 11

From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Tue, 7 Aug 2007 23:35:06 +0200
Use http://www.wireshark.org/mailman/listinfo/wireshark-users to unsubscribe.

On 8/7/07, Natividad, Joel <JNatividad@xxxxxxxxxxxxxxxxxxx> wrote:
> unsubscribe
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
> Sent: Tuesday, August 07, 2007 2:56 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 15, Issue 11
>
> Send Wireshark-users mailing list submissions to
>         wireshark-users@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://www.wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
>         wireshark-users-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
>         wireshark-users-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>    1. Replaying IP only capture (David)
>    2. Query regarding error comes during making build
>       (vaibhav.agarwal@xxxxxxxxxxx)
>    3. Re: Fw: I am not decode the Nbap andsscopmessages.
>       (Martin Mathieson)
>    4. Re: Fw: I am not able to decode FP messages.
>       (vaibhav.agarwal@xxxxxxxxxxx)
>    5. Re: Fw: I am not able to decode FP messages. (Martin Mathieson)
>    6. Re: HTTP not captured (Jeff Morriss)
>    7. Re: capturing 802.11 management frames (Loris Degioanni)
>    8. Re: Query regarding error comes during making build (Bill Meier)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 07 Aug 2007 12:58:14 +0100
> From: David <lists@xxxxxxxxx>
> Subject: [Wireshark-users] Replaying IP only capture
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID: <20070807125814.pjx8oyog04o8gko4@xxxxxxxxxxxxxxx>
> Content-Type: text/plain;       charset=ISO-8859-1;     DelSp="Yes";
>         format="flowed"
>
> Hi,
>
> I have a capture which is IP only and does not have the ethernet
> layers present.  Is anybody aware of a tool that can replay this, or
> edit it and insert fake ethernet headers so that I can simply use
> tcpreplay?
>
> Usually I only replay over a dummy interface in Linux, so there should
> be no problems with fake ethernet frames.
>
> David
>
>
> ------------------------------
>
> Message: 2
> Date: 07-Aug-2007 17:55:08 ZE5B
> From: vaibhav.agarwal@xxxxxxxxxxx
> Subject: [Wireshark-users] Query regarding error comes during making
>         build
> To: "Community support list for Wireshark"
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <200708071219.l77CJheE016858@xxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=US-ASCII
>
>
> Hi,
>
> At the time of making a build, it gives error link: too many arguments:-
>
>         link /NODEFAULTLIB /INCREMENTAL:NO /PDB:NONE /RELEASE /NOLOGO
> -entry:_DllMainCRTStartup@12 -dll msvcrt.lib oldnames.lib kernel32.lib
> ws2_32.lib mswsock.lib advapi32.lib  /DEBUG  /DEF:wtap.def
> /OUT:wiretap-0.3.1.dll  /IMPLIB:wiretap-0.3.1.lib  ..\image\wiretap.res
> 5views.obj             airopeek9.obj          ascend.obj
> atm.obj                         ber.obj                buffer.obj
> catapult_dct2000.obj    cosine.obj              csids.obj
> dbs-etherwatch.obj      erf.obj                        etherpeek.obj
> eyesdn.obj            file_access.obj                file_wrappers.obj
> hcidump.obj             i4btrace.obj           iptrace.obj
> iseries.obj             k12.obj                        lanalyzer.obj
> libpcap.obj             mpeg.obj                       mpeg-audio.obj
> netmon.obj              nettl.obj
> network_instruments.obj  netxray.obj             ngsniffer.obj
> pppdump.obj             radcom.obj              snoop.obj
> toshiba.obj             visual.obj              vms.obj
> wtap.obj  file_util.obj C:\wireshark-win32-libs\glib\lib\glib-2.0.lib
> C:\wireshark-win32-libs\glib\lib\gmodule-2.0.lib
> C:\wireshark-win32-libs\glib\lib\gobject-2.0.lib
> C:\wireshark-win32-libs\zlib123-dll\lib\zdll.lib
> link: too many arguments
>
> Thanks & Regards,
> Vaibhav
>
> ***********************  Aricent-Unclassified   ***********************
>
> "DISCLAIMER: This message is proprietary to Aricent and is intended solely
> for the use of the individual to whom it is addressed. It may contain
> privileged or confidential information and should not be circulated or used
> for any purpose other than for what it is intended. If you have received
> this message in error, please notify the originator immediately. If you are
> not the intended recipient, you are notified that you are strictly
> prohibited from using, copying, altering, or disclosing the contents of
> this message. Aricent accepts no responsibility for loss or damage arising
> from the use of the information transmitted by this email including damage
> from virus."
>
> ------------------------------
>
> Message: 3
> Date: Tue, 7 Aug 2007 13:27:01 +0100
> From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Fw: I am not decode the Nbap
>         andsscopmessages.
> To: "Community support list for Wireshark"
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
>         <7b8c30e40708070527s4721786pcad8b4671a5e1f30@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> > Not RRC not directly on UDP,
> > But stack is like this :- UDP-> FP-> MAC-> RLC-> RRC (But only difference
> > is this FP over UDP not on ATM).
> >
>
> Hi,
>
> There is support for FP (not MAC or RLC yet), but only currently for
> DCT2000 or K12 format files (there is support for UDP over FP for
> DCT2000, I don't think there is for K12...).  Those formats both
> contain the extra information needed to know how to interpret the FP
> frame.
>
> The alternative to having this information would be to infer the
> configuration of the FP, MAC and RLC layers and simulate them based
> upon RRC configuration.  This would be quite involved.  And impossible
> if you need this info in order to decode the RRC messages in the first
> place :(
>
> Martin
>
>
> ------------------------------
>
> Message: 4
> Date: 07-Aug-2007 18:07:32 ZE5B
> From: vaibhav.agarwal@xxxxxxxxxxx
> Subject: Re: [Wireshark-users] Fw: I am not able to decode FP
>         messages.
> To: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
> Cc: Community support list for Wireshark
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <200708071232.l77CWNmg019457@xxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=US-ASCII
>
>
> Hi,
>
> I only want to decode RRC or FP messages, I do not want to decode RLC and
> MAC layer messages.
> But in our case FP is over UDP, not on ATM.
>
> Please tell how to configure FP over UDP then RRC.
>
>
> Thanks & Regards,
> Vaibhav
>
> ------------------------------
>
> Message: 5
> Date: Tue, 7 Aug 2007 14:01:41 +0100
> From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Fw: I am not able to decode FP
>         messages.
> To: vaibhav.agarwal@xxxxxxxxxxx
> Cc: Community support list for Wireshark
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
>         <7b8c30e40708070601u50f1dfcdn76f045c02e8b98fd@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> > Hi,
> >
> > I only want to decode RRC or FP messages, I do not want to decode RLC and
> > MAC layer messages.
> > But in our case FP is over UDP, not on ATM.
> >
> > Please tell how to configure FP over UDP then RRC.
> >
>
> You won't be able to decode the FP messages without supplying the
> dissector with at least some of the extra information stored in this
> structure (see packet-umts_fp.h) and attaching it to the packet, as
> the DCT2000 and K12 dissectors do.
>
> We could maybe add preferences to the FP dissector to set default
> values for some of these in the absence of complete configuration...
>
> enum fp_interface_type
> {
>     IuB_Interface,
>     IuR_Interface
> };
>
> typedef struct fp_info
> {
>     enum fp_interface_type iface_type;
>     guint8  release;                     /* e.g. 99, 4, 5, 6 */
>     guint16 release_year;                /* e.g. 2001 */
>     guint8  release_month;               /* e.g. 12 for December */
>     gboolean is_uplink;
>     gint channel;                       /* see definitions above */
>     guint8  dch_crc_present;            /* 0=No, 1=Yes, 2=Unknown */
>     gint paging_indications;
>     gint num_chans;
> #define MAX_FP_CHANS  64
>     gint chan_tf_size[MAX_FP_CHANS];
>     gint chan_num_tbs[MAX_FP_CHANS];
>
> #define MAX_EDCH_DDIS 16
>     gint   no_ddi_entries;
>     guint8 edch_ddi[MAX_EDCH_DDIS];
>     guint  edch_macd_pdu_size[MAX_EDCH_DDIS];
> } fp_info;
>
>
> ... but I don't think you'll have RRC directly over FP, you'll have
> MAC and RLC.  If you don't care about displaying their details, you
> still need to understand them to skip their headers properly and
> reassemble their data.
>
> Martin
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 07 Aug 2007 09:30:44 -0400
> From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
> Subject: Re: [Wireshark-users] HTTP not captured
> To: Community support list for Wireshark
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <46B87404.5030509@xxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Antti K. wrote:
> > Hello,
> >
> > I've downloaded the latest SVN-release of Wireshark (0.99.7-SVN-22460)
> > and compiled it.
> > My problem is this: after capturing packets from my dsl-line I don't see any
> > HTTP-protocol captures on the capture file, only TCP, DNS, UDP and ICMP.
> >
> > IF I load that same capture file in Ubuntu's "own" Wireshark-package
> > (0.99.4) I can see the HTTP
> > protocol -captures and everything is as they should be.
> >
> > So what am I doing wrong or what is wrong that I can't see the HTTP
> > protocol in
> > my own compilation of Wireshark?
>
> There was an email on the -dev list recently that said that HTTP is not
> dissected any more in recent versions of SVN--I don't think anyone has
> looked at it yet.  In other words, it's probably a "bleeding edge" problem.
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 07 Aug 2007 09:05:14 -0700
> From: Loris Degioanni <loris.degioanni@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] capturing 802.11 management frames
> To: Community support list for Wireshark
>         <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <46B8983A.7090402@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Xu Yao wrote:
>
> > Hello,
> >
> > I have met several problems when trying to capture 802.11 management
> > frames. Could anyone who has such experience help me?
> >
> > 1. A card in monitor mode is said to capture frames on a given channel,
> > however, I have also noticed frames from other channels.
>
> 802.11a/b/g channels are 20 MHz in width, but their distance is only
> 5 MHz. This means that two transmitters on contiguous channels (like 3
> and 4) share a good part of their spectrum. Therefore, it's pretty common
> for traffic on channel 4 to be recognized by a receiver on channel 3,
> especially if the transmitter is powerful and/or close.
>
> > 2. I have also noticed frame losses, but I don't know whether it's due
> > to the driver of the card or the processing capacity of the machine.
>
> Wireless capture is not an exact science like wired capture. There are
> many more factors that cause frame loss, among which:
>
> - position of the capture adapter and distance from the transmitter and
> the receiver. It's very common to capture only one side of the
> conversation because the other one is too far.
> - gain of the antenna of the capture adapter.
> - orientation of the antenna of the capture adapter. Even
> omnidirectional antennas normally don't work on their vertical axis.
> - external conditions that decrease the reception: walls, cordless
> phones, microwave ovens, and so on.
> - and of course, software problems too, like drivers that don't
> configure the card properly.
>
> Note that, with wireless, processing capacity is normally not an issue,
> because even at full rate the traffic is so low that a modern machine
> handles it easily even without optimized capture pipes. And in real life
> you're always very far from full rate.
>
> > 3. Is there a way to capture all "probe request" packets sent on
> > different channels when a station tries to attach itself to an AP?
>
> You need a capture system that supports multi-channel capture. My
> company, CACE Technologies, sells a product called AirPcap 3-Pack
> (http://www.cacetech.com/products/airpcap.htm), that allows capturing on
> 3 channels at the same time with Wireshark.
>
> Loris
>
> > Thanks.
> > Yao
> >
>
> ------------------------------
>
> Message: 8
> Date: Tue, 7 Aug 2007 14:56:13 -0400 (EDT)
> From: Bill Meier <wmeier@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Query regarding error comes during
>         making  build
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID: <200708071856.l77IuDrf071833@xxxxxxxxxxxxxxxxxx>
>
> At Sun, 7 Jan 2007 12:55:08 -0500 (EST), you wrote
> >
> >Hi,
> >
> >At the time of making a build, it gives error link: too many arguments:-
> >
>
> My (strong) suspicion is that you've got cygwin specified before Microsoft C
> in your PATH such that the link command being invoked is the cygwin gnu link.
>
> See http://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html
>
> "Unfortunately, the link command is defined both from cygwin and from MSVC
> with completely different purpose, you'll need the MSVC link. If your link
> command looks something like: /usr/bin/link, the link command of cygwin takes
> precedence over the MSVC one. To fix this, you can change your PATH
> environment setting or simply renaming the link.exe in cygwin. If you rename
> it, make sure to remember that a cygwin update may provide a new version of
> it."
>
> Bill Meier
>
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 15, Issue 11
> ***********************************************
>


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

Propertarianism joined to capitalist vigor destroyed meaningful
commercial competition, but when it came to making good software,
anarchism won.
-- Eben Moglen
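Message 1 of the quoted digest asks for a tool that inserts fake Ethernet headers into an IP-only capture so it can be fed to tcpreplay. The script below is an added example (not code from the list, from Wireshark or from tcpreplay): it rewrites a libpcap file whose link type is LINKTYPE_RAW (101), LINKTYPE_IPV4 (228) or LINKTYPE_IPV6 (229) to LINKTYPE_ETHERNET (1), choosing the EtherType from the IP version of each packet. The MAC addresses and the two sample datagrams are constructed placeholders.

```python
import struct
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101        # raw IP; the IP version comes from the first nibble
LINKTYPE_IPV4 = 228
LINKTYPE_IPV6 = 229
ETHERTYPE = {4: 0x0800, 6: 0x86DD}
# Constructed placeholder MACs (locally administered range, so no real vendor OUI).
DST_MAC = bytes.fromhex("020000000002")
SRC_MAC = bytes.fromhex("020000000001")
GLOBAL_HDR = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_frac, incl_len, orig_len

def _byte_order(magic):
    """Return the struct byte-order prefix that decodes this pcap's magic."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", magic)[0] in (0xA1B2C3D4, 0xA1B23C4D):
            return prefix                  # microsecond or nanosecond magic
    raise ValueError("not a libpcap file")

def make_raw_pcap(packets, linktype=LINKTYPE_RAW):
    """Build a minimal little-endian pcap of raw IP packets (constructed input)."""
    out = [struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<" + RECORD_HDR, 1186500000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)

def add_ethernet_headers(pcap):
    """Return a new pcap in which every record is prefixed by a fake Ethernet header."""
    e = _byte_order(pcap[:4])
    hdr = list(struct.unpack(e + GLOBAL_HDR, pcap[:24]))
    linktype = hdr[6]
    if linktype not in (LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6):
        raise ValueError("unsupported link type %d" % linktype)
    hdr[5] += 14                           # snaplen grows by the Ethernet header
    hdr[6] = LINKTYPE_ETHERNET
    out, off = [struct.pack(e + GLOBAL_HDR, *hdr)], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(e + RECORD_HDR, pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            break                          # truncated final record: drop it, don't emit garbage
        off += 16 + incl_len
        version = {LINKTYPE_IPV4: 4, LINKTYPE_IPV6: 6}.get(linktype, pkt[0] >> 4 if pkt else 0)
        if version not in ETHERTYPE:
            raise ValueError("record at offset %d is not IPv4 or IPv6" % (off - 16 - incl_len))
        eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE[version])
        out.append(struct.pack(e + RECORD_HDR, ts_sec, ts_frac, incl_len + 14, orig_len + 14))
        out.append(eth + pkt)
    return b"".join(out)

# Constructed samples: a 28-byte IPv4/UDP datagram and a 48-byte IPv6/UDP datagram.
SAMPLE_V4 = bytes.fromhex("4500001c00010000401100000c0a80001c0a800021f901f9000080000"[:56])
SAMPLE_V6 = bytes.fromhex("6000000000081140fe800000000000000000000000000001"
                          "fe8000000000000000000000000000021f901f9000080000")
```

To convert a real file, read it with `open(path, "rb").read()`, pass the bytes to `add_ethernet_headers`, and write the result out; the new file opens in Wireshark as Ethernet and can be replayed with tcpreplay on a dummy interface as the original poster describes.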