Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 53, Issue 21
From: "Wojkovich, Richard" <[email protected]>
Date: Wed, 27 Oct 2010 16:38:43 -0500
Thanks, my apology.

Rick Wojkovich

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, October 27, 2010 2:00 PM
To: [email protected]
Subject: Wireshark-users Digest, Vol 53, Issue 21

Send Wireshark-users mailing list submissions to
	[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	[email protected]

You can reach the person managing the list at
	[email protected]

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Re: Finding out Stats about users machine (Jaap Keuter)
   2. Re: Windows 7 and Wireshark any release (Jaap Keuter)
   3. Re: Analyzing many pcap files with tshark (Stephen Fisher)
   4. Re: Analyzing many pcap files with tshark (Maverick)
   5. Re: Analyzing many pcap files with tshark (Guy Harris)
   6. SNMP Mibs for Cisco? how to use them on WUG 11.0.1
      (Wojkovich, Richard)
   7. Re: SNMP Mibs for Cisco? how to use them on WUG 11.0.1
      (Jaap Keuter)
   8. Re: Analyzing many pcap files with tshark (Maverick)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Oct 2010 21:20:12 +0200
From: Jaap Keuter <[email protected]>
Subject: Re: [Wireshark-users] Finding out Stats about users machine
To: Community support list for Wireshark
	<[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 10/26/2010 04:43 PM, Maverick wrote:
> Is there anyway in wireshark to figure out from the network traces if 
> the machine has firewall installed? Aand if it is installed can I 
> determine if it is being updated ?
> Thanks
> MAK
>

Hi,

Well, if you know that certain attack vectors come into that machine,
you can see if and how it responds. That behavior is influenced by a
firewall, hence could be deduced from it.
An update, if done through the captured interface, may be visible when
an update site is accessed.

In short; possible? somewhat, easy? not really.

Thanks,
Jaap



------------------------------

Message: 2
Date: Tue, 26 Oct 2010 21:22:56 +0200
From: Jaap Keuter <[email protected]>
Subject: Re: [Wireshark-users] Windows 7 and Wireshark any release
To: Community support list for Wireshark
	<[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252; format=flowed

On 10/26/2010 07:17 PM, Guy Harris wrote:
>
> On Oct 26, 2010, at 6:45 AM, Giel Oberholster (ZA) wrote:
>
>> I am having problems when using Wireshark with Windows 7.  Whenever I
sniff a VOIP G.711A call with Wireshark, the packets are not seen by
Wireshark as G.711A but as UDP. Even if I decode the UDP to RTP things
are not working properly.
>> The data side of things ( I can see the packet loss /Jitter etc.)
are working as expected I can however not listen to the call.
>> I have tried several releases of Wireshark ( last one I used was 1.40

>> on Windows 7) When I do the exact same sniff with XP and Wireshark
1.40 ? no problem.
>> Something in Windows 7 is treating the sniffed packets differently.
>
> Something on the machine running Windows 7 is causing the sniffed
packets to be treated differently from the way they're being treated on
the Windows XP machine.  That could be the operating system, but it
could also be, for example, the configuration of Wireshark, or the
version of Wireshark installed.
>
> Are you running Wireshark 1.4.0 (which is presumably what you meant by
"1.40" - there's no version 1.40 of Wireshark) on both machines, or are
you running a different version (for example, a recent build from the
trunk) on the Windows 7 machine?
>
> Are the protocol preferences settings for RTP the same on both
machines?  In particular, is the "Try to decode RTP outside of
conversations" checked on both machines?

Hi,

That last tip usually does it. Also, upgrade to Wireshark 1.4.1, it has
some important VoIP related fixes for you.

Thanks,
Jaap



------------------------------

Message: 3
Date: Tue, 26 Oct 2010 15:53:01 -0600
From: Stephen Fisher <[email protected]>
Subject: Re: [Wireshark-users] Analyzing many pcap files with tshark
To: Community support list for Wireshark
	<[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Tue, Oct 26, 2010 at 07:40:33AM -0700, Maverick wrote:

> Is it possible to give many pcap files to tshark to be processed at 
> the same time.

No, but you can use the mergecap program that comes with Wireshark to
combine multiple capture files into one.



------------------------------

Message: 4
Date: Tue, 26 Oct 2010 22:31:58 -0400
From: Maverick <[email protected]>
Subject: Re: [Wireshark-users] Analyzing many pcap files with tshark
To: Community support list for Wireshark
	<[email protected]>
Message-ID:
	<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Yeah but I have huge file sizes in tens of gbs and merging them first
doesn't seem like a good idea so I thought there must be some way to do
this
analysis on all files.

So how this analysis is usually done? People work on individual files
and
than use some other tool to collect the results of individual tool may
be I
can take that approach.

Thanks
MAK


On Tue, Oct 26, 2010 at 5:53 PM, Stephen Fisher
<[email protected]>wrote:

> On Tue, Oct 26, 2010 at 07:40:33AM -0700, Maverick wrote:
>
> > Is it possible to give many pcap files to tshark to be processed at
> > the same time.
>
> No, but you can use the mergecap program that comes with Wireshark to
> combine multiple capture files into one.
>
>
________________________________________________________________________
___
> Sent via:    Wireshark-users mailing list
<[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:[email protected]
> ?subject=unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20101026/e9b6
cb1c/attachment.html 

------------------------------

Message: 5
Date: Tue, 26 Oct 2010 19:42:58 -0700
From: Guy Harris <[email protected]>
Subject: Re: [Wireshark-users] Analyzing many pcap files with tshark
To: Community support list for Wireshark
	<[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii


On Oct 26, 2010, at 7:31 PM, Maverick wrote:

> So how this analysis is usually done? People work on individual files
and than use some other tool to collect the results of individual tool

Probably.  See, for example, Boonie's reply to you, which has a
DOS/Windows command-line loop to process all the .pcap files in a
directory by running each of them through TShark individually; similar
loops can be constructed for UN*X shells.

------------------------------

Message: 6
Date: Wed, 27 Oct 2010 08:40:48 -0500
From: "Wojkovich, Richard" <[email protected]>
Subject: [Wireshark-users] SNMP Mibs for Cisco? how to use them on WUG
	11.0.1
To: <[email protected]>
Message-ID:
	<[email protected]>
Content-Type: text/plain; charset="us-ascii"

Dear Wireshark enthusiasts,

Can you direct me to instructions on how to employ MIBS for Cisco
devices in WUG v11.0.1?  The reason I ask is that CPU Utilization and
Memory Utilization, even though checked and selected under
Properties/Performance Monitors,  have no values when queried with
Device Status Report/Memory Utilization or CPU Utilization (using
Internet Explorer 7.0.5730.13), but instead reports "The counter is
enabled for this device.  Sometimes it takes a while to get the first
data points."

Thanks in advance for your time and reply,

Rick Wojkovich
Network Analyst
MWRDGC-SWRP
6001 Pershing Rd. 
Cicero, IL   60804


-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20101027/6ec0
676a/attachment.htm 

------------------------------

Message: 7
Date: Wed, 27 Oct 2010 17:07:01 +0200
From: Jaap Keuter <[email protected]>
Subject: Re: [Wireshark-users] SNMP Mibs for Cisco? how to use them on
	WUG 11.0.1
To: Community support list for Wireshark
	<[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"



Hi, 

I think you posted on the wrong list. Isn't WUG v11.0.1
referring to WhatsUp Gold ?
Then you should head over to one of their
forums. 

Thanks,
Jaap 

On Wed, 27 Oct 2010 08:40:48 -0500, "Wojkovich,
Richard"  wrote:  

Dear Wireshark enthusiasts,  

Can you direct me to
instructions on how to employ MIBS for Cisco devices in WUG v11.0.1? The
reason I ask is that CPU Utilization and Memory Utilization, even though
checked and selected  under Properties/Performance Monitors,  have no 
values when queried with Device Status Report/Memory Utilization or CPU
Utilization (using Internet Explorer 7.0.5730.13), but instead reports
"The counter is enabled for this device. Sometimes it takes a while to
get the first data points."  

Thanks in advance for your time and
reply,  

Rick Wojkovich 

Network Analyst 

MWRDGC-SWRP 

6001 Pershing
Rd.  

Cicero, IL 60804 

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20101027/ef52
b192/attachment.htm 

------------------------------

Message: 8
Date: Wed, 27 Oct 2010 10:12:49 -0700
From: Maverick <[email protected]>
Subject: Re: [Wireshark-users] Analyzing many pcap files with tshark
To: Community support list for Wireshark
	<[email protected]>
Message-ID:
	<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Thank you guys for your guidance.

On Tue, Oct 26, 2010 at 7:42 PM, Guy Harris <[email protected]> wrote:

>
> On Oct 26, 2010, at 7:31 PM, Maverick wrote:
>
> > So how this analysis is usually done? People work on individual
files and
> than use some other tool to collect the results of individual tool
>
> Probably.  See, for example, Boonie's reply to you, which has a
DOS/Windows
> command-line loop to process all the .pcap files in a directory by
running
> each of them through TShark individually; similar loops can be
constructed
> for UN*X shells.
>
________________________________________________________________________
___
> Sent via:    Wireshark-users mailing list
<[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:[email protected]
> ?subject=unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20101027/5211
f4ba/attachment.htm 

------------------------------

_______________________________________________
Wireshark-users mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 53, Issue 21
***********************************************