Guy Harris's profile - activity

2019-06-24 22:35:07 +0000 answered a question Looking to debug 802.3AT PoE+ LLDP power class negotiation frames exchanged between a Non-Cisco PoE-Plus Powered device and a Cisco switch

Is there a dissector already created for this purpose? Wireshark has an LLDP dissector. If so, is it able to id

2019-06-24 22:35:07 +0000 received badge  Rapid Responder (source)
2019-06-24 18:57:39 +0000 edited question Why doesn't mstp.frame_type ne 0 filter out token passing?

filters do not seem to work I would like to upload a picture but I get error: "details must have > 10 points" Anywho

2019-06-24 18:56:48 +0000 answered a question How to get all tcp-stream by passed filter?

Unfortunately, there's currently no filter to check for that (unlike, for example, checking for the time between the ini

2019-06-24 18:56:48 +0000 received badge  Rapid Responder (source)
2019-06-22 02:54:18 +0000 answered a question File Downloads using Chrome are much slower than Microsoft Edge

A display filter of http.user_agent contains "string" where "string" is something that {Chrome, Edge} puts into the U

2019-06-22 02:54:18 +0000 received badge  Rapid Responder (source)
2019-06-21 18:12:32 +0000 commented question Wireshark indicates that MIB modules are missing. It reports the error when reading RFC1215 MIB. What additional MIBs are required?

What was the exact text of the error message?

2019-06-21 02:01:35 +0000 commented answer Why doesn't mstp.frame_type ne 0 filter out token passing?

...where "packet" means "link-layer frame" in this context. There are protocols where more than one PDU for that protoc

2019-06-20 22:09:11 +0000 commented question Why doesn't mstp.frame_type ne 0 filter out token passing?

That won't work. file:/// URLs are URLs that refer to local files, and work only on your machine. I infer from the "On

2019-06-20 22:06:03 +0000 answered a question Installation of version 3.0.2 fails due to vcredist_x64.exe location.

The appropriate place to report problems - especially if you have a solution you're proposing, as in this case - is the

2019-06-20 22:06:03 +0000 received badge  Rapid Responder (source)
2019-06-20 21:13:34 +0000 commented answer How to capture filter on BLE address?

My take is that Wireshark capture filters use the Berkeley Packet Filter syntax Yes, given that Wireshark (dumpcap,

2019-06-20 01:51:48 +0000 commented answer How to capture filter on BLE address?

Nothing inherently prevents capture filters from existing for Bluetooth LE. To support it would require 1) whatever sof

2019-06-19 23:49:41 +0000 edited question Why do I get a link error when I call proto_tree_add_format_wsp_text() in my dissector?

How can I call proto_tree_add_format_wsp_text() in my dissector I am trying to make a call to proto_tree_add_format_wsp_

2019-06-19 23:34:44 +0000 edited question Why do I get a link error when I call proto_tree_add_format_wsp_text() in my dissector?

I want to call methods from proto.c in my dissector. What library or dll do I need to link to. I am using Windows platfo

2019-06-18 17:00:43 +0000 commented question How can I find my number in TCP header/payload?

Do you mean "how do I find packets that have a given number, in ASCII, somewhere in the packet?"

2019-06-18 03:59:54 +0000 commented question tshark filter wlan.fcs.status==1 does not work with v3.0.2,

What do you mean by "shark"? Do you mean Wireshark, TShark, or some other program?

2019-06-17 22:26:39 +0000 commented answer Why is "show packet bytes Ctrl-Shift-O" grayed out and not working?

Perhaps the menu item should be renamed "Show Field Bytes", as it doesn't show all the bytes of the entire frame selecte

2019-06-15 14:04:57 +0000 commented answer ERSPAN ID - Adding Information to captured packets

That's a separate question, and should be asked separately. (This is a Q&A site - think of it as a crowdsourced FAQ

2019-06-15 14:02:38 +0000 answered a question How to add some field to decode netflow

As Spooky notes, this would require code changes. You should submit an enhancement request on the Wireshark Bugzilla fo

2019-06-15 14:02:38 +0000 received badge  Rapid Responder (source)
2019-06-12 03:18:01 +0000 answered a question Dissector to parse smtp with specific content, but let normal smtp dissector handle it otherwise.

I had the sneaking feeling the "M" could also stand for "Military". :-) (The "United States" in the specification name

2019-06-09 22:30:19 +0000 received badge  Rapid Responder (source)
2019-06-09 22:30:19 +0000 answered a question How does wireshark read TCP headers

My textbook knowledge tells me that the AP is a layer 2 device. So how does the trace collected from the AP provide a

2019-06-07 20:49:06 +0000 commented question PTPv2 Malformed Packet (Exception occurred)

Wireshark no longer supports autotools, so current releases do not include a configure script. You need to install CMak

2019-06-07 20:46:43 +0000 commented question TCP traffic is not captured over npcap loopback.

And if it still doesn't work, file a bug against npcap as an nmap issue on GitHub.

2019-06-06 21:05:15 +0000 commented answer Wireshark can sniff ethernet frame over serial port?

What is the format of the data going over the serial port? Is it in the form of raw Ethernet packet data, with one 8-bi

2019-06-06 21:00:55 +0000 edited question how to change packet length in the packet header for every incoming packet

how to change packet length in the packet header for every incoming packet I am getting "Frame 1 too long(18109400 bytes

2019-06-06 20:59:56 +0000 commented answer how to change packet length in the packet header for every incoming packet

pcap_hdr_tr.magic_number = 0xd4c3b2a1; As per the pcap-savefile man page, the magic number is 0xa1b2c3d4, no 0xd4c3b

2019-06-06 20:59:39 +0000 commented answer how to change packet length in the packet header for every incoming packet

pcap_hdr_tr.magic_number = 0xd4c3b2a1; As per the pcap-savefile man page, the magic number is 0xa1b2c3d4, no 0xd4c3b

2019-06-06 20:50:52 +0000 commented question how to change packet length in the packet header for every incoming packet

What program is writing the headers to the pipe? That program may be buggy. What happens if you run the program, send

2019-06-06 20:49:15 +0000 commented question npcap loopback driver Locks up Win 10

Again, I would STRONGLY suggest that you report this as an Npcap issue. Most Wireshark developers have no knowledge of

2019-06-06 20:43:53 +0000 commented question Dissector to parse smtp with specific content, but let normal smtp dissector handle it otherwise.

Is the "traffic" you're searching for keywords the SMTP protocol's commands and responses or the contents of the message

2019-06-06 07:37:13 +0000 commented answer npcap loopback driver Locks up Win 10

...because it's also a separate project from Wireshark. File a bug report at the nmap GitHub site, using the link Graham

2019-06-05 19:27:31 +0000 commented question how to change packet length in the packet header for every incoming packet

Either 1) you really do have packets that large or 2) somehow the file you're trying to read got damaged, and there may

2019-06-05 01:42:08 +0000 edited question TLS dissectors missing in "decode as" feature (ex: TPKT)

TLS dissectors missing in "decode as" feature (ex: TPKT) Hi. I've been working with Wireshark quite a bit, and when I co

2019-06-05 01:41:27 +0000 commented answer viewing a pcap that uses non UTC timestamps with a thiszone offset seems to ignore the offset

Libpcap discards the "thiszone" value, dating back to libpcap 0.4 (i.e., a LONG time ago), so tcpdump doesn't know it or

2019-06-04 19:33:02 +0000 answered a question Has anyone else noticed that the Wi-SUN FAN decoder incorrectly decodes the Explicit Channel Plan?

File a bug on the Wireshark Bugzilla, then.

2019-06-04 19:33:02 +0000 received badge  Rapid Responder (source)
2019-06-04 08:04:02 +0000 commented question Wireshark (Version 3.0.0 (v3.0.0-0-g937e33de) ) always shows DSCP value as CS0 for TCP and CS7 for UDP

I'm not able to upload screen shots as it needs 60 points. Jaap said "share a capture file", not "share a screensho

2019-05-31 01:01:10 +0000 commented question need help to understand trace Issue with SMB File Access Slowness from Windows 10 Client

So what is the issue and where is the trace? Without that, we can't give you any help.

2019-05-30 20:44:10 +0000 commented answer Can I capture from an IP phone?

See the CaptureSetup/Ethernet page on the Wireshark Wiki for more information on capturing on switched networks.

2019-05-30 20:37:22 +0000 commented answer Can I capture from an IP phone?

The "V" in "VLAN" stands for "virtual"; ultimately, on an Ethernet network, a machine is plugged into a physical LAN, so

2019-05-30 18:02:48 +0000 answered a question Is wireshark capable of decoding MBO IE - oui 50:6f:9A oui type=0x16

From a quick look at the source, the answer appears to be "no".

2019-05-30 18:02:48 +0000 received badge  Rapid Responder (source)
2019-05-30 17:57:06 +0000 received badge  Rapid Responder (source)
2019-05-30 17:57:06 +0000 answered a question How exactly does tshark -z hosts come up with the list?

Just DNS packets, from a quick look at the code; we don't use NBNS traffic to get NetBIOS names.

2019-05-30 17:46:16 +0000 answered a question How does mac os open multiple cap packets?

Wireshark does not support having multiple capture files open in the same process, so it can't fully function as a stand

2019-05-30 17:46:16 +0000 received badge  Rapid Responder (source)