Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 12, Issue 46
From: "William Grayson" <wgrayson@xxxxxxxxxx>
Date: Wed, 23 May 2007 14:36:10 -0400
Wireshark-

These will be point-to-point VoIP, just carrying carrier class 4 traffic. We will be testing SIP.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Wednesday, May 23, 2007 2:32 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 12, Issue 46

Send Wireshark-users mailing list submissions to
    wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    http://www.wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
    wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
    wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."

Today's Topics:

   1. Monitoring VoIP Traffic (William Grayson)
   2. Re: Monitoring VoIP Traffic (Irakli Natshvlishvili)
   3. Re: Help about 'decode as' (Stephen Fisher)
   4. Re: Help.. (Stephen Fisher)
   5. Re: Conflict with Cisco VPN? (Mark McWhinney)

----------------------------------------------------------------------

Message: 1
Date: Wed, 23 May 2007 13:52:50 -0400
From: "William Grayson" <wgrayson@xxxxxxxxxx>
Subject: [Wireshark-users] Monitoring VoIP Traffic
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <5B65B838AF47B046A5CFB4963BECC3DA84630A@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Dear Wireshark-

I am in the process of deploying a VoIP carrier network where I am installing Juniper M7i routers in 10 cities. What tools can I use out there to monitor VoIP traffic and do some vulnerability testing?

I would like to pretend I am a DoS person out there attacking the network.

wg

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Wednesday, May 23, 2007 1:17 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 12, Issue 45

Today's Topics:

   1. Sniffing AIM traffic (Mike W)
   2. Help needed on interpretation of dump (Wolfgang Heidrich)

----------------------------------------------------------------------

Message: 1
Date: Wed, 23 May 2007 11:22:52 -0400
From: "Mike W" <mike.wilhide@xxxxxxxxx>
Subject: [Wireshark-users] Sniffing AIM traffic
To: wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <b3c95b150705230822i4d932122i864eaf17776044f6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

I've been playing around with Wireshark recently, attempting to get familiar with the app and with traffic analyzing. I wanted to see what would happen if I tried sniffing AIM traffic from one of the PCs on my LAN.

When AIM is connecting to the OSCAR server directly, I'll see no AIM traffic at all. I sign on/off (I see the HTTP traffic generated by this process, but nothing else), send messages, get buddy info, etc., but Wireshark isn't picking up any AIM packets. I have the filter set to only view traffic from the host running AIM. When I route AIM through my Squid proxy, I can see everything as HTTP requests. I've gone through all my settings, which I haven't changed since installation, and can't see anything wrong with them.

Is there something that I'm missing here? Am I looking at the wrong traffic? I've tried with no filters, as well as filtering by port and host.

At first I thought that my NIC wasn't dropping into promiscuous mode properly or something, but I can still see a lot of traffic from other hosts on my network. I also tried sniffing from my Windows machine using Wireshark, but with the same results.

Any help would be very appreciated.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20070523/aebbc887/attachment.htm

------------------------------

Message: 2
Date: Wed, 23 May 2007 16:54:31 +0200
From: "Wolfgang Heidrich" <Wolfgang.Heidrich@xxxxxxxxxxx>
Subject: [Wireshark-users] Help needed on interpretation of dump
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <BNEAICJDIBNIHPODBJMGEECDCNAA.Wolfgang.Heidrich@xxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

although I have disabled everything that looks like "Windows is phoning home", I found an irritating entry in last night's dump, starting from line 426 onwards. As there is something mentioned like "redirect", do I have malware on my PC? Who can help me? The dump file is attached.

If someone finds other irregularities, please inform me, as I am a starter with Wireshark.

rgds
akelus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump9.cap
Type: application/octet-stream
Size: 558539 bytes
Desc: not available
Url : http://www.wireshark.org/lists/wireshark-users/attachments/20070523/f4122417/attachment.obj

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

End of Wireshark-users Digest, Vol 12, Issue 45
***********************************************

------------------------------

Message: 2
Date: Wed, 23 May 2007 10:03:49 -0800
From: "Irakli Natshvlishvili" <iraklin@xxxxxxxxx>
Subject: Re: [Wireshark-users] Monitoring VoIP Traffic
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <7716730f0705231103q7cc6a40ew321466a60b6f6c7d@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Well, you have not mentioned what type of VoIP network you are deploying: SIP/MGCP/H.323/Skinny? Secondly, 'vulnerability testing' requires definition, depending on the network and infrastructure. What exactly are you going to test? How your firewalls pass/block VoIP traffic? How your application servers and endpoints react to malformed messages? Is it possible to do a man-in-the-middle attack or password sniffing/decrypting?

--i.n.

On 5/23/07, William Grayson <wgrayson@xxxxxxxxxx> wrote:
>
> Dear Wireshark-
>
> I am in the process of deploying a VoIP carrier network where I am
> installing Juniper M7i routers in 10 cities. What tools can I use out
> there to monitor voip traffic and do some vulnerability testing?
>
> I would like to pretend I am a DoS person out there attacking the
> network.
>
> wg
>
> [...]

--
I.N.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20070523/86d85d1d/attachment.htm

------------------------------

Message: 3
Date: Wed, 23 May 2007 11:20:59 -0700
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Subject: Re: [Wireshark-users] Help about 'decode as'
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20070523182059.GA82079@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Wed, May 23, 2007 at 04:41:05PM +0800, majun wrote:

> I found that we can input protocol types like 'rtp' on a RedHat
> (Wireshark 0.99.5 GTK2+) PC when we use 'decode as', but I can't do
> this on a Windows XP SP2 laptop. That's quite annoying, and XP could
> not remember the 'decode as' window's size after resizing. Any ideas?
> BTW: I have tested both 0.99.5 and
> wireshark-setup-0.99.6-SVN-21890.exe on my laptop. Neither works.

Wireshark code is usually identical between the Unix and Windows versions. I'm not quite sure what problem you are reporting: you can't do Decode As->RTP on Windows, but you can on RedHat? Or something else?


Steve

------------------------------

Message: 4
Date: Wed, 23 May 2007 11:23:17 -0700
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Subject: Re: [Wireshark-users] Help..
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20070523182317.GB82079@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Wed, May 23, 2007 at 04:33:43PM +0530, Babu A wrote:

> I have recently started using Wireshark and I need to understand and
> analyze the error messages better... Can anyone point me to a
> location where I can get information? The current types of errors that
> I would like to interpret are:
>
> 1. Out-of-Order
> 2. Previous Segment Lost
> 3. Dup ACK
> 4. TCP Window Update
> 5. TCP Retransmission

Check out http://wiki.wireshark.org/TCP and http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers and let us know what other questions you have. Any good book that covers TCP should also cover these topics in detail.


Steve

------------------------------

Message: 5
Date: Wed, 23 May 2007 11:31:49 -0700
From: "Mark McWhinney" <msm@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Conflict with Cisco VPN?
To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20070523183150.239E475808C@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Oddly, while the VPN was broken, Ethereal/WinPcap worked fine.

I finally fixed the problem today by reinstalling the network card's drivers. For future reference, it was a Realtek RTL8139/810x NIC.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ulf Lamping
Sent: Wednesday, May 23, 2007 12:53 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Conflict with Cisco VPN?

Mark McWhinney wrote:
> Hello,
>
> Recently I installed Ethereal 0.99 / WinPcap 3 then upgraded to the current
> Wireshark 0.99.5 / WinPcap 4 on my Windows XP Pro laptop.
>
> I have been using Cisco VPN for a while without any trouble. Now, the VPN
> does not work on my network card but does work with my wireless connection.
>
> Is it possible that Ethereal/Wireshark/WinPcap damaged a driver or something
> else that would muck up my TCP packets?

From several years of experience: in the world of computers, everything is possible ;-)

> I uninstalled Ethereal/Wireshark/WinPcap and re-installed the Cisco VPN
> client but am still getting the same results.
>
> Any tips or pointers?

See: http://wiki.wireshark.org/CaptureSetup/InterferingSoftware

You may be better off asking the WinPcap team about this. Wireshark is very certainly *not* the cause of your problems, but WinPcap probably is.

Regards, ULFL

------------------------------

End of Wireshark-users Digest, Vol 12, Issue 46
***********************************************
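The VoIP thread above (William Grayson's plan to test SIP while playing a DoS attacker, and Irakli's question about how application servers and endpoints react to malformed messages) describes the test but never shows a message. What follows is an added example, not code from the thread, from Wireshark or from any product named in it: a Python SIP OPTIONS builder, a strict parser that reports every RFC 3261 rule a message breaks, and a handful of malformed variants of the kind a DoS tester sends to a lab endpoint. The addresses 192.0.2.10 and 203.0.113.5 (documentation ranges), the probe identity, Call-ID and branch values, and the 1024-byte header limit are all constructed assumptions; nothing is sent on the wire, and the mutations are meant for equipment you own, captured with Wireshark's `sip` display filter while you watch how the SIP stack answers.

```python
"""SIP OPTIONS builder, strict parser and malformed-message generator.

Added example, not code from the thread or from Wireshark. All addresses
(192.0.2.10 and 203.0.113.5, from the documentation ranges), identities,
Call-ID and branch values are constructed; nothing is sent on the wire.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

CRLF = "\r\n"
# RFC 3261 section 8.1.1: headers every request must carry.
MANDATORY = ("Via", "To", "From", "Call-ID", "CSeq", "Max-Forwards")
# SIP header names are case-insensitive and several have one-letter compact forms.
CANONICAL = {h.lower(): h for h in MANDATORY + ("Content-Length",)}
COMPACT = {"v": "Via", "t": "To", "f": "From", "i": "Call-ID", "l": "Content-Length"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
MAX_HEADER_BYTES = 1024  # assumed local limit used to flag oversized headers


def build_options(target: str = "192.0.2.10:5060", host: str = "203.0.113.5") -> str:
    """Build a minimal, well-formed OPTIONS request (constructed values)."""
    return CRLF.join([
        f"OPTIONS sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK-probe-1",
        f"From: <sip:probe@{host}>;tag=1928301774",
        f"To: <sip:{target}>",
        f"Call-ID: probe-1@{host}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ])


def parse_sip(raw: str) -> Tuple[Optional[str], Dict[str, List[str]], str, List[str]]:
    """Parse one SIP request and return (method, headers, body, problems).

    headers maps canonical header name -> list of values (Via may repeat).
    problems lists every deviation from RFC 3261 noticed, so that for a fuzzed
    message you can see exactly which rule it violates.
    """
    problems: List[str] = []
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        problems.append("no empty line terminating the header block")
    lines = head.split(CRLF)
    m = REQUEST_LINE.match(lines[0])
    method = m.group(1) if m else None
    if m is None:
        problems.append(f"bad request line: {lines[0]!r}")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if not colon or not key:
            problems.append(f"malformed header line: {line!r}")
            continue
        canonical = COMPACT.get(key) or CANONICAL.get(key) or name.strip()
        headers.setdefault(canonical, []).append(value.strip())
    for name in MANDATORY:
        if name not in headers:
            problems.append(f"missing mandatory header {name}")
    cseq = headers.get("CSeq", [""])[0].split()
    if len(cseq) != 2 or not cseq[0].isdigit():
        problems.append(f"bad CSeq: {headers.get('CSeq')!r}")
    elif int(cseq[0]) >= 2 ** 31:
        problems.append("CSeq number exceeds 2^31-1 (RFC 3261 section 8.1.1.5)")
    elif method and cseq[1] != method:
        problems.append(f"CSeq method {cseq[1]} != request method {method}")
    for via in headers.get("Via", []):
        if "branch=z9hG4bK" not in via:
            problems.append("Via without the RFC 3261 magic-cookie branch")
        if len(via) > MAX_HEADER_BYTES:
            problems.append(f"oversized Via header ({len(via)} bytes)")
    clen = headers.get("Content-Length", [None])[0]
    if clen is not None:
        if not clen.isdigit():
            problems.append(f"non-numeric Content-Length {clen!r}")
        elif int(clen) != len(body.encode()):
            problems.append(f"Content-Length {clen} != actual body length {len(body.encode())}")
    return method, headers, body, problems


def mutations(base: str) -> Iterator[Tuple[str, str]]:
    """Yield (label, message) variants of the kind a DoS tester sends to a SIP stack."""
    yield "missing-cseq", re.sub(r"CSeq: [^\r]*\r\n", "", base)
    yield "oversized-via", base.replace("z9hG4bK-probe-1", "z9hG4bK-" + "A" * 4000)
    yield "cseq-overflow", base.replace("CSeq: 1 OPTIONS", "CSeq: 4294967296 OPTIONS")
    yield "content-length-lie", base.replace("Content-Length: 0", "Content-Length: 65535")
    yield "no-header-terminator", base.rstrip(CRLF) + CRLF
    yield "garbage-request-line", "OPTIONS\x00 sip:x SIP/9.9" + CRLF + base.split(CRLF, 1)[1]


def run_mutations() -> Dict[str, List[str]]:
    """Parse every mutation of the baseline and return {label: problems}."""
    return {label: parse_sip(msg)[3] for label, msg in mutations(build_options())}


if __name__ == "__main__":
    print("baseline problems:", parse_sip(build_options())[3])
    for label, problems in run_mutations().items():
        print(f"{label}: {problems}")
```

Running the module prints which mutation trips which rule. The same parser applied to what the endpoint sends back tells you whether it answered a malformed request with a 4xx, as it should, or produced something itself malformed, which is the kind of behaviour a DoS tester is looking for.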
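The five TCP analysis flags Babu A lists in Message 4 (Out-of-Order, Previous Segment Lost, Dup ACK, Window Update, Retransmission) all come from sequence-number bookkeeping done separately for each direction of a connection, which is what the wiki pages Steve points to describe. The block below is an added example, not Wireshark's code and not from the thread: a simplified Python re-implementation of that bookkeeping run over two constructed segment lists. It uses gap bookkeeping rather than Wireshark's round-trip-time heuristic to tell an out-of-order segment from a retransmission, so read it as an illustration of what each flag means, not as a substitute for the dissector.

```python
"""Simplified TCP sequence-number analysis in the style of Wireshark's
"TCP analysis" flags. Added example; the segment lists at the bottom are
constructed, and the gap-based out-of-order rule is a simplification of
Wireshark's timing-based heuristic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Seg:
    """One TCP segment seen in one direction of a connection."""
    no: int        # frame number, used as the key in the report
    seq: int       # sequence number of the first payload byte
    length: int    # payload bytes in this segment
    ack: int       # acknowledgement number carried by the segment
    win: int       # advertised receive window
    syn: bool = False
    fin: bool = False


@dataclass
class DirState:
    next_seq: Optional[int] = None                              # next byte expected from this sender
    holes: List[Tuple[int, int]] = field(default_factory=list)  # gaps already reported as lost
    last_ack: Optional[int] = None
    last_win: Optional[int] = None
    dup_acks: int = 0


def analyse(segments: List[Seg]) -> Dict[int, List[str]]:
    """Return {frame_no: [flags]} for one direction's segments in capture order."""
    st = DirState()
    report: Dict[int, List[str]] = {}
    for s in segments:
        flags: List[str] = []
        end = s.seq + s.length + int(s.syn) + int(s.fin)  # SYN and FIN each consume one sequence number
        pure_ack = s.length == 0 and not s.syn and not s.fin
        if st.next_seq is None:
            st.next_seq = end                       # first segment: establish the baseline
        elif pure_ack:
            # Same ack and seq as before and no data: identical window means a
            # duplicate ACK, a changed window means a window update.
            if s.ack == st.last_ack and s.seq == st.next_seq:
                if s.win == st.last_win:
                    st.dup_acks += 1
                    flags.append(f"Dup ACK #{st.dup_acks}")
                else:
                    flags.append("Window update")
            else:
                st.dup_acks = 0                     # the ack number advanced
        elif s.seq == st.next_seq:
            st.next_seq = end                       # in-order data
        elif s.seq > st.next_seq:
            # Data starts beyond what we expected: whatever lies in between was not captured.
            flags.append("Previous segment lost")
            st.holes.append((st.next_seq, s.seq))
            st.next_seq = end
        else:
            # Data starts before next_seq. If it fills a hole we reported, it is the
            # late arrival of the missing segment; otherwise these bytes were seen already.
            hole = next((h for h in st.holes if h[0] <= s.seq and end <= h[1]), None)
            if hole is not None:
                flags.append("Out-Of-Order")
                st.holes.remove(hole)
                if hole[0] < s.seq:
                    st.holes.append((hole[0], s.seq))
                if end < hole[1]:
                    st.holes.append((end, hole[1]))
            else:
                flags.append("Retransmission")
        st.last_ack, st.last_win = s.ack, s.win
        report[s.no] = flags
    return report


# Constructed sample: the client sends 100-byte segments. The segment carrying
# bytes 201-300 (frame 4) is captured after the one carrying 301-400 (frame 3),
# and frame 5 repeats the bytes of frame 3.
SENDER = [
    Seg(no=1, seq=1, length=100, ack=1, win=65535),
    Seg(no=2, seq=101, length=100, ack=1, win=65535),
    Seg(no=3, seq=301, length=100, ack=1, win=65535),
    Seg(no=4, seq=201, length=100, ack=1, win=65535),
    Seg(no=5, seq=301, length=100, ack=1, win=65535),
    Seg(no=6, seq=401, length=100, ack=1, win=65535),
]
# Constructed sample: the server's pure ACKs for the same exchange.
RECEIVER = [
    Seg(no=10, seq=1, length=0, ack=101, win=65535),
    Seg(no=11, seq=1, length=0, ack=201, win=65535),
    Seg(no=12, seq=1, length=0, ack=201, win=65535),
    Seg(no=13, seq=1, length=0, ack=201, win=65535),
    Seg(no=14, seq=1, length=0, ack=201, win=131070),
    Seg(no=15, seq=1, length=0, ack=501, win=131070),
]


def report_both() -> Tuple[Dict[int, List[str]], Dict[int, List[str]]]:
    """Analyse each direction on its own, as Wireshark does."""
    return analyse(SENDER), analyse(RECEIVER)


if __name__ == "__main__":
    for direction, flags in zip(("client -> server", "server -> client"), report_both()):
        print(direction)
        for no, fl in flags.items():
            print(f"  frame {no}: {', '.join(fl) or '-'}")
```

The point worth taking from the sample is the one the list of flags hides: the three data-path flags are judged against the sender's own sequence numbers, while Dup ACK and Window update are judged against the previous acknowledgement from the other side, so a capture that only contains one direction of a connection can never show the latter two.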