Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 19, Issue 13
Date: Thu, 6 Dec 2007 09:57:06 -0700
I upgraded my wireshark 0.99.4 on fc5 to 0.99.6 and I noticed that it is the same, i.e. the fields option is not available in it but it is available in the windows version. Do you know if there is any fc5 version that has the -T fields option in its tshark? Thanks,

Quoting wireshark-users-request@xxxxxxxxxxxxx:
Today's Topics:

1. run wireshark as regular user (Ivan Matousek)
2. Re: Trace wifi (hce)
3. Re: run wireshark as regular user (Jeff Morriss)
4. Problems with wireless decryption (Magee, Owen)
5. help - write Data to flat file (Yoav Newman)

----------------------------------------------------------------------

Message: 1
Date: Wed, 5 Dec 2007 13:43:55 -0800 (PST)
From: Ivan Matousek <matousek@xxxxxxxxx>
Subject: [Wireshark-users] run wireshark as regular user
To: Wireshark-users@xxxxxxxxxxxxx
Message-ID: <200712052143.lB5LhspR023814@xxxxxxxxx>
Content-Type: TEXT/plain; charset=us-ascii

Hi,

I am just testing wireshark on ubuntu 7.10 as root but I cannot run it from the regular user. What do I need to set or configure?

Thanks
Ivan Matousek
Vancouver

------------------------------

Message: 2
Date: Thu, 6 Dec 2007 09:17:49 +1100
From: hce <webmail.hce@xxxxxxxxx>
Subject: Re: [Wireshark-users] Trace wifi
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <95455e980712051417r5a325da3x4841cd8284e5c0fd@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

On Dec 5, 2007 6:59 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> hce wrote:
> > On Dec 5, 2007 2:41 PM, hce <webmail.hce@xxxxxxxxx> wrote:
> > My apology, the wireshark-0.99.6 is running on linux FC6. And it is
> > just capturing wifi data on its wifi port (will be required to capture
> > all other traffic as well).
>
> I.e., it's only capturing data frames, not management frames?

I would like to capture every frame including management frames if it works. Initially, I need to capture data similar to the following example:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Network_Join_Nokia_Mobile.pcap

> To capture management frames, you'll have to put the adapter into monitor mode. See
> http://wiki.wireshark.org/CaptureSetup/WLAN#head-bb8373ef4903fe9da2b8375331726541fb1ad32d
> for information on putting the adapter into monitor mode.
>
> > The libpcap version I used is libpcap-0.9.4-11.fc6.i386.rpm. How can I
> > check whether this version supports 802.11 or not?
>
> 0.9.4 supports 802.11.

That is good news.

> > I configured with Link-layer header type: Ethernet (it can only select
> > either Ethernet or Data Over Cable Service Interface) and with
> > Capture packets in promiscuous mode (I tried to turn promiscuous mode
> > off, that did not work either). The frames only include IEEE 802.3 Ethernet.
>
> Linux drivers that support monitor mode generally only provide 802.11 headers in monitor mode.

I'll be happy if I can get 802.11 as shown in the above example in monitor mode.

> > I checked the document, it says "This would probably require that
> > you capture in promiscuous mode or in the mode called "monitor mode"
> > or "RFMON mode". Where can I find monitor mode or RFMON mode in
> > Capture Options?
>
> It's not in the (current) Capture Options dialog. It might get added at some point, for at least some adapters on Linux ({Free,Net,Open,DragonFly}BSD handle monitor mode a bit more cleanly). Therefore, you'll have to turn monitor mode on from the command line; see the link above for information on how to do that, at least for some adapters; what type of 802.11 adapter do you have on your machine?

Dlink DWL-G520 B version, an Atheros based card, running on madwifi. I checked the above link, it does not mention the Dlink card. Please also see the following commands to load the wifi module and to configure the wifi driver. One thing that might be missing is to call dpchd after wpa_supplicant, but I don't know how to do it. In wlanconfig it did call the monitor for the ath0 port, is that what you meant by monitor mode? I have to say it is my first time using madwifi and wireshark to capture 802.11, please correct any mistake here.

# modprobe ath_pci
# wlanconfig ath0 create wlandev wifi0 wlanmode monitor
# ifconfig ath0 up
# wpa_supplicant -Dwext -iath0 -c /etc/wpa_supplicant.conf &
# wireshark

Thank you.

Kind regards,

Jim

------------------------------

Message: 3
Date: Wed, 05 Dec 2007 18:00:11 -0500
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Subject: Re: [Wireshark-users] run wireshark as regular user
To: Ivan Matousek <matousek@xxxxxxxxx>, Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <47572D7B.90009@xxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

Ivan Matousek wrote:
> Hi,
>
> I am just testing wireshark on ubuntu 7.10 as root but I cannot run it from the regular user. What do I need to set or configure?

You should be able to run Wireshark as a regular user but you will not be able to capture--for that you generally need root access. (Though on at least some BSD operating systems you can simply chmod the appropriate device to allow non-root users to capture.)

The upcoming release (0.99.7) will allow you to install the 'dumpcap' utility as setuid-root and this will allow all users to capture with Wireshark. See:

http://wiki.wireshark.org/Development/PrivilegeSeparation

------------------------------

Message: 4
Date: Wed, 5 Dec 2007 17:01:19 -0800
From: "Magee, Owen" <Owen.Magee@xxxxxxxx>
Subject: [Wireshark-users] Problems with wireless decryption
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <62BABE024B7C074E9194E9727A418979F661EF@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

I'm trying to use the 802.11 wireless decryption features in Wireshark without much luck. We're using Wireshark 0.99.6a on Windows XP with the AirPcap Wi-Fi capture card. It can capture non-encrypted data fine. However, I'm trying to decrypt a CCMP/AES/WPA2 encrypted network. I'm seeing a couple of odd behaviors:

1. When I go to the Decryption Keys window and try to add a WPA-PSK entry (giving the key explicitly), it doesn't seem to take it. Once I click OK and then go back to the Decryption Keys window, the entry has disappeared.

2. I switched to using the passphrase and SSID (WPA-PWD), but it does not appear to be working. I'm sure that I have the SSID and the passphrase correct, and I'm also sure that I'm capturing the 802.11i key exchange as part of the capture. I'm pinging a device on the Wi-Fi network while capturing, but the frames are coming across as some sort of LLC frame--it looks like garbage. In any case, there's definitely no ping packet in there.

Any hints as to what might be going wrong? Does Wireshark not support CCMP?

Thanks...
Owen

------------------------------

Message: 5
Date: Thu, 6 Dec 2007 13:10:39 +0200
From: "Yoav Newman" <yoav.newman@xxxxxxxxx>
Subject: [Wireshark-users] help - write Data to flat file
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <f4b70aee0712060310uaeab524nd107b9d45806a1d6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

How should I copy *MANY* *captured packets' data* (e.g. 5 captured packets' data) into a file?

Thanks for the help
Yoav

------------------------------

End of Wireshark-users Digest, Vol 19, Issue 13
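A check for the dumpcap layout that Message 3 describes, added here as an example (it is not code from the thread or from the Wireshark project). A setuid-root dumpcap is a root-privileged capture binary; the privilege-separation page Jeff links installs it so that only members of a dedicated group can execute it. The function below classifies a binary as setuid-and-world-executable, setuid-but-group-restricted, or not setuid at all. It parses the ls(1) mode string because stat(1) flags differ between GNU and BSD; the /usr/bin/dumpcap path and the "wireshark" group name in the report are assumptions to adjust to your install.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Wireshark project.
# Exit status of setuid_exposure:
#   0 = setuid and executable by everyone (any local user can capture as root)
#   1 = setuid but not world-executable (group-restricted, the intended layout)
#   2 = no setuid bit (non-root users cannot capture through this binary)
setuid_exposure() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]*) ;;          # character 4 is s/S: setuid bit set
        *) return 2 ;;
    esac
    case "$mode" in
        *x) return 0 ;;       # character 10 is x: "other" may execute
        *) return 1 ;;
    esac
}

# Human-readable report for one path; the classification is passed through as exit status.
# The group name "wireshark" is an assumption; use whatever group your install created.
report_dumpcap() {
    rc=0
    setuid_exposure "$1" || rc=$?
    case "$rc" in
        0) echo "$1: setuid AND world-executable; restrict it: chgrp wireshark $1 && chmod 4750 $1" ;;
        1) echo "$1: setuid, group-restricted (expected layout)" ;;
        2) echo "$1: not setuid; non-root users cannot capture through it" ;;
    esac
    return "$rc"
}

# Usage (path is an assumption): report_dumpcap /usr/bin/dumpcap
```

On current Linux systems the same goal is usually reached without setuid at all, by granting the binary file capabilities (setcap cap_net_raw,cap_net_admin=eip on dumpcap) and still restricting execution to a group; the check above applies unchanged to the group restriction, and the capability path avoids running the whole capture helper as uid 0.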