
Ross Jacobs's profile - activity

2019-08-19 04:29:56 +0000 commented question I want to capture concurrently and save it as multiple files where each file has its own distinct capture filter?

@Anders - I agree that this is the general solution, it sounds like he wants to a pcap created dynamically for each IP a

2019-08-18 17:19:58 +0000 commented question I want to capture concurrently and save it as multiple files where each file has its own distinct capture filter?

What are you actually trying to do here? If you want a record of all traffic to look at later and have sufficient storag

2019-08-18 16:43:10 +0000 commented question irql not less or equal

Wireshark does not require .net. Are you sure you are on the right forum?

2019-08-13 07:07:59 +0000 commented question how to move wireshark to system tray when it is minimized

Hi Prudvi, We need more info. Provide a screenshot (images can be added with or a link to a hosted file). Ideally, y

2019-08-13 07:05:05 +0000 commented answer tshark ring-buffer duration vs interval

Hi Sake, If this is your baby, can you add text to the manpage and --help? The example that Graham provided with number

2019-08-13 03:04:19 +0000 commented answer Is it possible to use an arp cache in your profile?

You had me at no :)

2019-08-13 03:03:34 +0000 marked best answer Is it possible to use an arp cache in your profile?

According to the docs, it looks like the system provides arp translations. Is it possible to access this via a profile file (to save/load for a specific capture)?

2019-08-13 02:52:42 +0000 commented answer Is it possible to use an arp cache in your profile?

Hi JFD, I think you may be misunderstanding the question. ARP and ethers entries are different. Per the documentation,

2019-08-13 02:15:27 +0000 commented answer Log analysis - suspicious inbound

This is a good answer. To add to this, most firewalls are "stateful" - they will maintain a list of active TCP/UDP conne

2019-08-12 19:34:41 +0000 received badge  Rapid Responder (source)
2019-08-12 19:34:41 +0000 answered a question How to fix the packet exchange between two devices?

Hi James, This is a Wireshark forum. This question does not appear to be about using Wireshark as a tool; rather that W

2019-08-12 19:24:26 +0000 commented answer Using a vlans file in profile

Thanks Graham! I can rebuild to v3.1.0

2019-08-12 13:22:11 +0000 marked best answer Using a vlans file in profile

Problem

I am trying to get VLAN resolution to work in both wireshark and tshark using a SampleCaptures vlan pcap. This pcap contains all sorts of vlans, including a vlan 7.

Description

Tested on macOS (v3.0.3), Linux (v2.6.8).

I have a vlan_profile folder in ~/.config/wireshark/profiles that contains this vlans file:

7 native

Using tshark, the name resolution is to "<7>".

bash$ tshark -r vlan.cap -Nv -C vlan_profile -T fields -e vlan.id_name -Y "vlan.id==7" -2 -o "nameres.vlan_name:true"
<7>
<7>
<7>
<7>
<7>

Using Wireshark configured with the vlan_profile profile, I get no packet results when filtering by not vlan.id_name matches "<[0-9]+>" and vlan.id_name. When using Wireshark, I have the "Resolve VLAN IDs" checkmark checked in Preferences.

Question

How is the vlans file used for vlan resolution?

2019-08-12 13:22:09 +0000 commented answer Using a vlans file in profile

I see this problem on both 2.6.8 AND 3.0.2, but moving the vlans file to ~/.config/wireshark fixed. Can you provide the

2019-08-12 00:31:01 +0000 edited question Using a vlans file in profile

Using a vlans file in profile Problem I am trying to get VLAN resolution to work in both wireshark and tshark using a S

2019-08-12 00:10:37 +0000 asked a question Using a vlans file in profile

Using a vlans file in profile Problem I am trying to get VLAN resolution to work in both wireshark and tshark using a S

2019-08-11 21:52:19 +0000 received badge  Rapid Responder (source)
2019-08-11 21:52:19 +0000 answered a question Use display filter functions in column definitions

Wireshark Bugzilla is the appropriate place for feature requests. In the interim, this script may help you. This will c

2019-08-11 20:05:10 +0000 received badge  Teacher (source)
2019-08-10 02:54:08 +0000 received badge  Popular Question (source)
2019-08-10 01:26:24 +0000 answered a question Streaming Stutters every 10 minutes on the PS4

Hi Atti, This is a Wireshark forum. If you ask a question about how to use Wireshark vis-a-vis this issue, it will be e

2019-08-10 01:26:24 +0000 received badge  Rapid Responder (source)
2019-08-10 01:19:45 +0000 answered a question Tool to sanitize packets

Hi Genesius, Sanitize: You want to use TraceWrangler, made by Wireshark Contributor Jasper Bongertz. Remove TCP payloa

2019-08-10 01:19:45 +0000 received badge  Rapid Responder (source)
2019-08-09 17:55:14 +0000 marked best answer How does tshark read files with dns entries saved with -H?

Description

Documentation says that -H (which implies -Wn) writes data to pcapng files. With a local hosts file, when I try

bash$ ping 8.8.8.8 &
bash$ tshark -c 10 -f icmp -w temp.pcapng 
bash$ tshark -r temp.pcapng -H hosts -w temp2.pcapng

I see normal traffic with no modifications to display of IP address. Local hosts file looks something like this:

127.0.0.1      localhost
192.168.0.1    this_computer
8.8.8.8        google_dns

I can see that a pcapng Name Resolution Block exists with xxd:

bash$ xxd temp2.pcapng | grep this -B 5 -A 5
00000620: d0fb 763a 3757 76df 4c5d 0000 0000 f362  ..v:7Wv.L].....b
00000630: 0c00 0000 0000 1011 1213 1415 1617 1819  ................
00000640: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829  ...... !"#$%&'()
00000650: 2a2b 2c2d 2e2f 3031 3233 3435 3637 0000  *+,-./01234567..
00000660: 8400 0000 0400 0000 3c00 0000 0100 1200  ........<.......
00000670: c0a8 01f6 7468 6973 5f63 6f6d 7075 7465  ....this_compute
00000680: 7200 0000 0100 0f00 0808 0808 676f 6f67  r...........goog
00000690: 6c65 5f64 6e73 0000 0000 0000 3c00 0000  le_dns......<...

Question

When I use tshark -r temp2.pcapng -NNn I see IP to name mappings (names I see are mbp.attlocal.net and dns.google). Using both Wireshark and tshark -r temp2.pcapng -Nd, I do not see "this_computer" or "google_dns" in place of IP addresses. How can I see the data stored in the Name Resolution Block with tshark?
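The Name Resolution Block visible in the xxd output above can be decoded without tshark at all. The following Python is an added example, not code from the post or from Wireshark: it parses one little-endian NRB according to the pcapng block layout (block type and length, a sequence of nrb_record_ipv4/ipv6 records padded to 32 bits, an nrb_record_end record, then the trailing length). The 60-byte sample block is transcribed from the dump at offset 0x664 and is embedded as constructed input. Because a capture file is untrusted input to whatever reads it, the parser checks every length before slicing and rejects blocks whose records run past the block or whose trailing length disagrees with the header.

```python
"""Decode a pcapng Name Resolution Block (NRB) into an IP -> [names] map."""
import ipaddress
import struct

BLOCK_TYPE_NRB = 0x00000004
NRB_RECORD_END = 0x0000
NRB_RECORD_IPV4 = 0x0001
NRB_RECORD_IPV6 = 0x0002

# Constructed sample: the NRB exactly as it appears in the xxd dump of
# temp2.pcapng (offset 0x664..0x69f), little-endian, 60 bytes.
SAMPLE_NRB = bytes.fromhex(
    "04000000"                          # block type 0x00000004 = NRB
    "3c000000"                          # block total length = 60
    "01001200" "c0a801f6"               # nrb_record_ipv4, len 18, 192.168.1.246
    "746869735f636f6d707574657200"      # "this_computer\0"
    "0000"                              # pad to 32-bit boundary
    "01000f00" "08080808"               # nrb_record_ipv4, len 15, 8.8.8.8
    "676f6f676c655f646e7300"            # "google_dns\0"
    "00"                                # pad
    "00000000"                          # nrb_record_end
    "3c000000"                          # trailing block total length
)

# Constructed malformed variant: first record claims 255 bytes of value.
CORRUPT_NRB = SAMPLE_NRB[:10] + b"\xff" + SAMPLE_NRB[11:]


def parse_nrb(block: bytes, byte_order: str = "<") -> dict:
    """Return {ip_string: [name, ...]} for one NRB; raise ValueError if malformed.

    byte_order is the section's endianness ("<" little, ">" big); in a real
    file it comes from the Section Header Block's byte-order magic.
    """
    if len(block) < 12:
        raise ValueError("block too short for header and trailer")
    block_type, total_len = struct.unpack(byte_order + "II", block[:8])
    if block_type != BLOCK_TYPE_NRB:
        raise ValueError(f"not an NRB: block type 0x{block_type:08x}")
    if total_len > len(block) or total_len < 12 or total_len % 4:
        raise ValueError(f"bad block total length {total_len}")
    (trailer,) = struct.unpack(byte_order + "I", block[total_len - 4:total_len])
    if trailer != total_len:
        raise ValueError("trailing block length does not match header")

    names: dict = {}
    off, end = 8, total_len - 4
    while True:
        if off + 4 > end:
            raise ValueError("records run past block end without nrb_record_end")
        rec_type, rec_len = struct.unpack(byte_order + "HH", block[off:off + 4])
        off += 4
        if rec_type == NRB_RECORD_END:
            break  # options may follow the end record; they are not needed here
        if off + rec_len > end:
            raise ValueError(f"record length {rec_len} exceeds block")
        value = block[off:off + rec_len]
        off += (rec_len + 3) & ~3  # record values are padded to 32 bits
        if rec_type in (NRB_RECORD_IPV4, NRB_RECORD_IPV6):
            addr_len = 4 if rec_type == NRB_RECORD_IPV4 else 16
            if len(value) <= addr_len:
                raise ValueError("address record carries no name")
            ip = str(ipaddress.ip_address(value[:addr_len]))
            # One record may carry several NUL-terminated names.
            for raw in value[addr_len:].split(b"\x00"):
                if raw:
                    names.setdefault(ip, []).append(raw.decode("utf-8", "replace"))
        # Unknown record types are skipped by length, as the spec requires.
    return names


def is_well_formed(block: bytes) -> bool:
    """True if parse_nrb accepts the block, False if it raises ValueError."""
    try:
        parse_nrb(block)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ip, hostnames in parse_nrb(SAMPLE_NRB).items():
        print(ip, " ".join(hostnames))
    print("corrupt block accepted:", is_well_formed(CORRUPT_NRB))
```

Running it prints the two mappings stored in the block; note that the IPv4 address in the first record is whatever tshark captured for the local host, which need not match the hosts file line shown in the question.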

2019-08-09 17:55:13 +0000 commented answer How does tshark read files with dns entries saved with -H?

What a genius! Thanks for your help Graham.

2019-08-09 09:55:36 +0000 commented answer How does tshark read files with dns entries saved with -H?

Cheers Graham. I wasn't aware of the "Reload as File Format/Capture" option. While this is useful information, my questi

2019-08-09 03:40:46 +0000 asked a question Is it possible to use an arp cache in your profile?

Is it possible to use an arp cache in your profile? According to the docs, it looks like the system provides arp transla

2019-08-09 03:33:06 +0000 asked a question How does tshark read files with dns entries saved with -H?

How does tshark read files with dns entries saved with -H? Description Documentation says that -H, (which implies -Wn)

2019-08-08 20:35:44 +0000 edited answer To my knowledge I gained from 2 days working with wireshark, it is used to analyze network traffic and we could use filters to filter them. Is that right? Can we do something more than that using this tool?

What are you trying to do? Check Out Resources These are the some of the features that Wireshark has that you may want

2019-08-08 20:04:39 +0000 edited answer To my knowledge I gained from 2 days working with wireshark, it is used to analyze network traffic and we could use filters to filter them. Is that right? Can we do something more than that using this tool?

What are you trying to do? Depending on your answer, Wireshark may or may not be the right tool. These are the some of

2019-08-08 19:57:09 +0000 answered a question To my knowledge I gained from 2 days working with wireshark, it is used to analyze network traffic and we could use filters to filter them. Is that right? Can we do something more than that using this tool?

What are you trying to do? Depending on that, Wireshark may or may not be the right tool. These are the some of the fea

2019-08-08 19:57:09 +0000 received badge  Rapid Responder (source)
2019-08-08 19:35:42 +0000 commented question Is it possible to disable Wireshark's Splash screen?

Nuphar - it would be helpful to get some context on how you want this to work? Which page are you opening next and what

2019-08-08 15:20:36 +0000 commented answer tshark ring-buffer duration vs interval

Makes sense to me. Thanks for the quick response.

2019-08-08 15:19:05 +0000 marked best answer tshark ring-buffer duration vs interval

I am looking at the documentation for tshark -b, and it's unclear to me what the difference is between "interval" and "duration". Both are in seconds and at the end of NUM seconds, the file rotates.

For example, what is the difference between these two commands?

tshark -b files:5 -b duration:10 -w file
tshark -b files:5 -b interval:10 -w file

In both cases, I see the filename endings change, increasing by 10 about every 10 s, and they look something like this:

bash:/tmp/duration-test$ ls -1
file_00003_20190808003713
file_00004_20190808003723
file_00005_20190808003733
file_00006_20190808003743
file_00007_20190808003753
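The two rotation rules can be told apart by modelling them. The Python below is an added illustration, not code from the post or from tshark/dumpcap: it applies the documented semantics (duration counts NUM seconds from the moment the current file was opened; interval switches whenever the clock crosses a multiple of NUM seconds, so boundaries are aligned to wall-clock time) to a constructed stream of one packet per second, and keeps only the newest files as -b files:N does. The start time 2019-08-08 00:36:53 UTC is an assumption chosen so that the duration run reproduces the names in the listing above; rotation is evaluated only on packet arrival, and timestamps are rendered in UTC where tshark uses local time.

```python
"""Model how tshark -b duration:NUM and -b interval:NUM decide when to rotate."""
from datetime import datetime, timezone


def rotation_times(packet_times, num, mode):
    """Return the epoch seconds at which a new ring-buffer file is opened.

    "duration": open a new file once num seconds have passed since the
                current file was opened (boundaries relative to the start).
    "interval": open a new file when the clock crosses a multiple of num
                seconds (boundaries aligned to wall-clock time).
    Checked per packet only; this is a model, not dumpcap's timer logic.
    """
    if num <= 0:
        raise ValueError("num must be positive")
    if mode not in ("duration", "interval"):
        raise ValueError(f"unknown mode {mode!r}")
    opened = []
    current = None
    for t in packet_times:
        if current is None:
            switch = True
        elif mode == "duration":
            switch = t - current >= num
        else:
            switch = t // num != current // num
        if switch:
            current = t
            opened.append(t)
    return opened


def ring_filenames(prefix, opened, max_files):
    """Name files the way tshark does (prefix_NNNNN_YYYYmmddHHMMSS) and keep
    only the newest max_files, as -b files:N deletes the oldest ones.
    Assumption: timestamps formatted in UTC (tshark uses local time)."""
    names = []
    for n, t in enumerate(opened, start=1):
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y%m%d%H%M%S")
        names.append(f"{prefix}_{n:05d}_{stamp}")
    return names[-max_files:]


# Constructed input: one packet per second for 65 s. The start time is an
# assumption picked so the duration run matches the listing in the question.
START = int(datetime(2019, 8, 8, 0, 36, 53, tzinfo=timezone.utc).timestamp())
PACKETS = [START + i for i in range(65)]


def demo():
    """Files left on disk after 'tshark -b files:5 -b <mode>:10 -w file'."""
    return {
        mode: ring_filenames("file", rotation_times(PACKETS, 10, mode), 5)
        for mode in ("duration", "interval")
    }


if __name__ == "__main__":
    for mode, files in demo().items():
        print(f"-b files:5 -b {mode}:10")
        print("\n".join(files))
```

With duration:10 the files open at :53, :03, :13 and so on after the start, which is what the listing shows; with interval:10 the same packets produce files opening at :00, :10, :20, because the boundaries follow the clock rather than the start of the capture. The first two files are gone in both runs because files:5 discards the oldest.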