daje's profile - activity

2023-12-17 02:34:56 +0000 received badge  Notable Question (source)
2023-12-17 02:34:56 +0000 received badge  Popular Question (source)
2021-11-12 09:50:51 +0000 received badge  Popular Question (source)
2021-07-02 05:36:51 +0000 commented answer Dumpcap/tshark hint on how to use -b filter

ok, I think this is the only way. It would be nice to have such "splitting" feature as sniffing filter for tshark. Do yo

2021-07-01 11:28:53 +0000 marked best answer Dumpcap/tshark hint on how to use -b filter

Hi,

reading dumpcap documentation https://www.wireshark.org/docs/man-pa... I got interested in the buffer ring filter packet => "packets:value switch to the next file after it contains value packets.". Do you have any examples or hints on how to use it? Can I write pcap according to packets flags or header information?

Thank you in advance

2021-07-01 11:17:39 +0000 received badge  Commentator
2021-07-01 11:17:39 +0000 commented answer Dumpcap/tshark hint on how to use -b filter

Thank you for the answer! Do you have any hint on how to manage a pcap according to packet content. My problem is mainly

2021-07-01 11:08:58 +0000 asked a question Dumpcap/tshark hint on how to use -b filter

Dumpcap/tshark hint on how to use -b filter Hi, reading dumpcap documentation https://www.wireshark.org/docs/man-pages

2021-06-07 07:27:15 +0000 received badge  Popular Question (source)
2021-03-24 21:08:34 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 21:07:51 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 21:06:48 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 21:06:37 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 21:04:29 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 21:04:22 +0000 edited question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark commands into a python script to automatize net snif

2021-03-24 15:01:18 +0000 asked a question Track back exported objects to pcap file

Track back exported objects to pcap file I'm currently using Tshark command "tshark -f mypcap --export-objects dicom, m

2021-03-24 14:38:51 +0000 received badge  Popular Question (source)
2020-08-17 07:23:36 +0000 marked best answer dicom object extraction: discrepancy between tshark and wireshark

I noticed that if I extract dicom objects from a pcap file the result is different if Wireshark or Tshark is used. For Wireshark three dicom are extracted for each reassembled ID while for Tshark just one. For example, if I have a CT Image Storage Fragment (reassembled in #3721) with Wireshark I will have three files with #3721 while in Tshark just one. Can someone explain to me why this happens?

2020-08-12 09:14:46 +0000 commented question dicom object extraction: discrepancy between tshark and wireshark

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16771

2020-08-11 10:22:32 +0000 commented question dicom object extraction: discrepancy between tshark and wireshark

I can confirm that wireshark and tshark version 2.6 both give the same result without file repetition.

2020-08-11 07:56:14 +0000 commented question dicom object extraction: discrepancy between tshark and wireshark

Oops... you are right, I'm using two different versions of tshark (2.6) and wireshark (3.2). I can repeat the test with Wi

2020-08-10 17:10:38 +0000 asked a question dicom object extraction: discrepancy between tshark and wireshark

dicom object extraction: discrepancy between tshark and wireshark I noticed that if I extract dicom objects from a pcap

2020-07-27 09:44:00 +0000 marked best answer tshark with --export-dicom gives “Segmentation fault (core dumped)”

My problem is described in this stack overflow question https://stackoverflow.com/questions/6....

Is this a known bug?

I would like to provide you the stack trace with gdb but I'm having trouble getting the binary, maybe you can guide me through this process.

Add output of tshark -v

ON THE HOST:

TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Copyright 1998-2019 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua
5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.30.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.15.0-106-generic, with         Intel(R) Core(TM) i7-3770 CPU
@ 3.40GHz (with SSE4.2), with 15994 MB of physical memory, with locale
de_DE.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1,
with zlib 1.2.11, binary plugins supported (13 loaded).

Built using gcc 7.4.0

ON CONTAINER:

TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 4.15.0-106-generic, with         Intel(R) Core(TM) i7-3770 CPU
@ 3.40GHz (with SSE4.2), with 15994 MB of physical memory, with locale C, with
libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt 1.8.5,
with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 9.3.0.

2020-07-27 09:43:37 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

Sure, my intention is also to report this as Bug (just need to find some time). I wanted to thank you just for the fast

2020-07-27 09:42:15 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

Sure, my intention is also to report this as Bug (just need to find some time). I wanted to thank you just for the fast

2020-07-22 11:38:49 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

I confirm that the problem is only with version 3.2, when I switch to version 2.6 and ubuntu 18.4 I don't have this bug

2020-07-22 11:38:04 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

I confirm that the problem is only with version 3.2, when I switch to version 2.6 I don't have this bug anymore. Thanks

2020-07-20 16:48:55 +0000 edited question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-20 16:48:42 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

Running with -V I could see that tshark crashes exactly on dicom packet (segment). The output with -v you can find in t

2020-07-20 16:46:58 +0000 edited question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-20 16:46:38 +0000 edited question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-20 16:46:08 +0000 commented question tshark with --export-dicom gives “Segmentation fault (core dumped)”

Running with -V I could see that tshark crashes exactly on dicom packet (segment). The output with -v you can find in t

2020-07-20 16:46:01 +0000 edited question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-19 10:45:41 +0000 edited question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-19 10:33:33 +0000 asked a question tshark with --export-dicom gives “Segmentation fault (core dumped)”

tshark run in a docker container gives “Segmentation fault (core dumped)” My problem is described in this stack overflow

2020-07-15 12:00:01 +0000 commented question Can't export dicom objects although present in pcap

I discovered that Dicom packets were corrupted, therefore it was not possible to extract DICOM object. I think it is po

2020-07-10 13:01:27 +0000 asked a question Can't export dicom objects although present in pcap

Can't export dicom objects although present in pcap I want to export a dicom object from pcap file, I can see with packe

2020-04-18 13:27:08 +0000 marked best answer Tshark export object with IPs

While exporting objects with Tshark, is there a possibility to ask for the IPs involved?

I need to recover the information about IP sender and IP receiver of the file

2020-04-16 11:45:38 +0000 commented question Tshark export object with IPs

I'm exporting dicom objects. Tshark version is 3.2.2

2020-04-16 11:39:42 +0000 asked a question Tshark export object with IPs

Tshark export object with IPs While exporting objects with Tshark, is there a possibility to ask for the IPs involved?

2020-03-27 09:54:31 +0000 commented answer How can I extract the DICOM headers of files from a capture of traffic?

Hi! Thanks, the export is working, but the file is kind of corrupt, I can't open it. Is it normal that on export I only

2020-03-27 09:54:07 +0000 commented answer How can I extract the DICOM headers of files from a capture of traffic?

Hi! Thanks, the export is working, but the file is kind of corrupt, I can't open it. Is it normal that on export I only

2020-03-27 09:05:07 +0000 marked best answer How can I extract the DICOM headers of files from a capture of traffic?

I have pcap files with DICOM protocols, is it possible to read the content of the packet and extract the DICOM header of the file sent in the network? What I don't understand is if I can recover the file content from the packed information. Is this information stored in the packet bytes pane?

2020-03-27 09:05:07 +0000 received badge  Scholar (source)
2020-03-26 18:27:59 +0000 asked a question How can I extract the DICOM headers of files from a capture of traffic?

DICOM headers I have pcap files with DICOM protocols, is it possible to read the content of the packet and extract the D