Wireshark-users: Re: [Wireshark-users] windows script to convert snoop to pcap
From: miguel olivares varela <klica_sk8@xxxxxxxxxxx>
Date: Thu, 20 Mar 2008 02:40:56 -0700
Hi, this is my script; maybe someone else can use it. It is an MS-DOS batch script:

@echo off
setlocal ENABLEDELAYEDEXPANSION
REM ~n keeps only the base name, so List becomes <name>.pcap; the quotes keep
REM names with spaces intact and stop the trailing space before & from
REM becoming part of the variable.
FOR %%f IN (*.snoop) DO SET "List=%%~nf.pcap" & tshark -r "%%f" -w "!List!"
pause

best regards

> From: wireshark-users-request@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 22, Issue 54
> To: wireshark-users@xxxxxxxxxxxxx
> Date: Tue, 18 Mar 2008 18:12:52 +0000
>
> Send Wireshark-users mailing list submissions to
> wireshark-users@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
> wireshark-users-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
> wireshark-users-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Setting up fields with little endianess for a custom
> dissector (Leandro Lucarella)
> 2. Re: GUI problem with Mac OS X (R S)
> 3. Re: Terminal Server traffic (Albert Jurado)
> 4. Re: windows script to convert snoop to pcap (Bill Meier)
> 5. Wireshark 1.0.0pre1 is now available (Gerald Combs)
> 6. Re: GUI problem with Mac OS X (Andreas Fink)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 18 Mar 2008 10:47:05 -0300
> From: Leandro Lucarella <llucax@xxxxxxxxx>
> Subject: Re: [Wireshark-users] Setting up fields with little endianess
> for a custom dissector
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID: <froh4r$dap$1@xxxxxxxxxxxxx>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Guy Harris wrote:
> > On Mar 17, 2008, at 11:25 AM, Leandro Lucarella wrote:
> >
> >> But I still can't find a way to tell (looked at FT_* and BASE_*
> >> constants) wireshark to interpret the field as little endian.
> >
> > The byte order is *NOT* a property of the field; there exist protocols
> > (X11 and DCE RPC, to name two) where a given field might appear as
> > little-endian in some packets and big-endian in other packets, even in
> > the same capture.
> >
> > At least as I read the Wireshark Lua reference manual section of the
> > Wireshark User's Manual, you want to do
> >
> > subtree:add_le(pf, buffer(0, 4))
> >
> > to add a little-endian 4-byte quantity, but I'm not an expert on the
> > Lua support. Luis?
>
> Yeap! That did the trick! Thank you!
>
> Another Lua-specific question: is there any way to activate Lua support
> on a per-user basis or via some configuration file in /etc? Because init.lua
> is in /usr/share/... and when using a distribution (I'm using Debian),
> if I edit the file to comment out "disable_lua = true; do return end;",
> every time a new version of the package is installed, I lose that
> "configuration".
>
> TIA.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 18 Mar 2008 02:15:17 +0000
> From: R S <lmodern@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] GUI problem with Mac OS X
> To: <andreas@xxxxxxxx>
> Cc: wireshark-users@xxxxxxxxxxxxx
> Message-ID: <BAY115-W51E5BC510BB99082953A64BC060@xxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Andreas,
>
> When I launch it in X11, things don't get better. I still have the wireshark tab appearing in the menu bar with nothing next to it.
> Any suggestions?
>
>
> Robert
>
> > From: Andreas Fink <afink@xxxxxxxxxxxxx>
> > Date: Sat, 15 Mar 2008 18:58:27 +0100
> >
> > You need to launch it in X11, not Terminal.
> > This is true for 10.4 but not for 10.5 where X11 is launched automatically.
>
> From: lmodern@xxxxxxxxxxx
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: GUI problem with Mac OS X
> Date: Sat, 15 Mar 2008 01:12:22 +0000
>
> Hi,
>
> I installed Wireshark on my Mac OS X 10.4.11 and it
> worked fine for a couple of times.
> Now, when I launch it in the
> terminal, the GUI simply doesn't appear.
> Is anyone familiar with this problem?
>
>
> Cheers,
>
> Robert
>
> ------------------------------
>
> Message: 3
> Date: Tue, 18 Mar 2008 10:35:10 -0400
> From: "Albert Jurado" <ajurado@xxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Terminal Server traffic
> To: "Community support list for Wireshark"
> <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> <E5F1CBF66E89284990145888F143272FBA05CE@xxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Hansang.
>
> That's what I thought at first but I couldn't find the spot to look for it in Wireshark (I'm a newbie). Why wouldn't Wireshark be able to dissect this? Or is Wireshark just capturing what it's told to capture?
>
> Thx.
>
> Albert
> Email: ajurado@xxxxxxxxxxxxxxxx
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Hansang Bae
> Sent: Sunday, March 16, 2008 1:37 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Terminal Server traffic
>
> Albert Jurado wrote:
> > I've attached a small capture file. Maybe someone can take a look at it and make something of it.
> >
> > If you look for the following ip address (10.10.10.23) you should see the out-of-order packets.
>
>
> Albert,
> They are the same packets. Notice the IP ID field; you have duplicates.
> Basically, you captured it twice.
> Chances are, you spanned the entire
> vlan and you captured it as it came out of one server and entered the
> other server.
>
>
> --
>
> Thanks,
> Hansang
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
> ------------------------------
>
> Message: 4
> Date: Tue, 18 Mar 2008 10:58:40 -0400
> From: Bill Meier <wmeier@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] windows script to convert snoop to pcap
> To: Community support list for Wireshark
> <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <47DFD8A0.8070202@xxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> miguel olivares varela wrote:
> >
> > @echo off
> > setlocal ENABLEDELAYEDEXPANSION
> > FOR %%f IN (*.snoop) DO SET Liste= "%%f" & tshark -r "%%f" -w "!Liste!"
> >
> > i need to use two variables "f" and "liste", assign "f" to "liste", but i
> > don't know how i can change the extension of the file in "liste".
> >
>
> Try something like: SET Liste=%%~nf.lis
>
> See the help documentation for the for statement.
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 18 Mar 2008 09:05:12 -0700
> From: Gerald Combs <gerald@xxxxxxxxxxxxx>
> Subject: [Wireshark-users] Wireshark 1.0.0pre1 is now available
> To: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>,
> Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>,
> Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Message-ID: <47DFE838.80309@xxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Wireshark 1.0.0pre1 is now available for testing.
> Installers for Windows, OS X,
> and source code can be downloaded immediately from
>
> http://www.wireshark.org/download/prerelease/wireshark-setup-1.0.0pre1.exe
> http://www.wireshark.org/download/prerelease/wireshark-1.0.0pre1.u3p
> http://www.wireshark.org/download/prerelease/WiresharkPortable-1.0.0pre1.paf.exe
> http://www.wireshark.org/download/prerelease/Wireshark%201.0.0pre1%20Intel.dmg
> http://www.wireshark.org/download/prerelease/wireshark-1.0.0pre1.tar.gz
>
> The Mac OS X installer is new for this release, and is experimental.
>
> An in-progress list of changes can be found in the release notes at
> http://www.wireshark.org/docs/relnotes/wireshark-1.0.0.html.
>
> Please report any problems you find to the wireshark-dev mailing list or
> open a ticket at http://bugs.wireshark.org/ .
>
> Barring any problems, version 1.0.0 will be released during Sharkfest on Monday,
> March 31st.
>
>
> File verification information:
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 18 Mar 2008 19:12:36 +0100
> From: Andreas Fink <afink@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] GUI problem with Mac OS X
> To: Community support list for Wireshark
> <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <43419409-E690-41BF-9105-A3D6857AFC85@xxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
>
> On 18.03.2008, at 19:08, Andreas Fink wrote:
>
> What version of wireshark do you have installed and where did you get it from?
> How do you launch it?
>
> The versions I've built install into /usr/local/bin/wireshark and
> require X11 and a bunch of libraries it depends on. If you installed
> similar libraries using the "Ports" or "Fink" package manager you might
> get into dynamic linking issues.
>
> Check this with otool.
>
> This is the output I got on my MacOS X 10.5 system:
>
> $ otool -L /usr/local/bin/wireshark
> /usr/local/bin/wireshark:
> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 34.0.0)
> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 476.0.0)
> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 32.0.0)
> /usr/local/lib/libwiretap.0.dylib (compatibility version 1.0.0, current version 1.1.0)
> /usr/local/lib/libwireshark.0.dylib (compatibility version 1.0.0, current version 1.1.0)
> /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
> /usr/local/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
> /usr/lib/libpcap.A.dylib (compatibility version 1.0.0, current version 1.0.0)
> /usr/local/lib/libgtk-x11-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
> /usr/local/lib/libgdk-x11-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
> /usr/local/lib/libatk-1.0.0.dylib (compatibility version 2010.0.0, current version 2010.1.0)
> /usr/local/lib/libgdk_pixbuf-2.0.0.dylib (compatibility version 1201.0.0, current version 1201.3.0)
> /usr/local/lib/libpangocairo-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
> /usr/local/lib/libpangoft2-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
> /usr/local/lib/libpango-1.0.0.dylib (compatibility version 1901.0.0, current version 1901.0.0)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)
> /usr/local/lib/libcairo.2.dylib (compatibility version 14.0.0, current version 14.6.0)
> /usr/X11/lib/libfontconfig.1.dylib (compatibility version 3.0.0, current version 3.0.0)
> /usr/X11/lib/libfreetype.6.dylib (compatibility version 10.0.0, current version 10.16.0)
> /usr/lib/libexpat.1.dylib (compatibility version 7.0.0, current version 7.0.0)
> /usr/X11/lib/libpng12.0.dylib (compatibility version 1.0.0, current version 1.0.0)
> /usr/X11/lib/libXrender.1.dylib (compatibility version 5.0.0, current version 5.0.0)
> /usr/X11/lib/libX11.6.dylib (compatibility version 9.0.0, current version 9.0.0)
> /usr/X11/lib/libXau.6.dylib (compatibility version 7.0.0, current version 7.0.0)
> /usr/X11/lib/libXdmcp.6.dylib (compatibility version 7.0.0, current version 7.0.0)
> /usr/local/lib/libgobject-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
> /usr/local/lib/libgmodule-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
> /usr/local/lib/libgthread-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
> /usr/local/lib/libglib-2.0.0.dylib (compatibility version 1501.0.0, current version 1501.0.0)
> /usr/local/lib/libintl.8.dylib (compatibility version 9.0.0, current version 9.2.0)
> /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 5.0.0)
> /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 19.0.0)
> /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
> /usr/local/lib/libportaudio.2.dylib (compatibility version 3.0.0, current version 3.0.0)
> /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
> /usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
>
> You might also trash the preferences in ~/.wireshark/ to see if some
> old settings move your window off screen or the like.
>
>
>
> On 18.03.2008, at 03:15, R S wrote:
> > Andreas,
> >
> > When I launch it in X11, things don't get better. I still have the
> > wireshark tab appearing in the menu bar with nothing next to it.
> > Any suggestions?
> >
> > Robert
> >
> > From: Andreas Fink <afink@xxxxxxxxxxxxx>
> > Date: Sat, 15 Mar 2008 18:58:27 +0100
> >
> > You need to launch it in X11, not Terminal.
> > This is true for 10.4 but not for 10.5 where X11 is launched
> > automatically.
>
> Andreas Fink
>
> Fink Consulting GmbH
> Global Networks Schweiz AG
> BebbiCell AG
>
> ------------------------------
>
> End of Wireshark-users Digest, Vol 22, Issue 54
> ***********************************************
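A more defensive version of the snoop-to-pcap loop from the top of this message, building on Bill Meier's %%~nf suggestion; this is an added example, not Miguel's or the Wireshark project's code. It assumes tshark.exe is on PATH (otherwise set TSHARK to its full path) and is run from the directory that holds the .snoop files.

```batch
@echo off
setlocal ENABLEDELAYEDEXPANSION
REM Batch-convert every *.snoop in the current directory to classic pcap.
REM Assumption: tshark.exe is on PATH; otherwise put its full path here.
set "TSHARK=tshark"
set /a ok=0, failed=0, skipped=0

for %%f in (*.snoop) do (
    REM The ~n modifier keeps only the base name; quote every path so
    REM file names containing spaces survive.
    set "out=%%~nf.pcap"
    if exist "!out!" (
        echo Skipping "%%f": "!out!" already exists
        set /a skipped+=1
    ) else (
        REM -F libpcap forces classic pcap output; newer tshark builds
        REM default to pcapng, which some older tools cannot read.
        "!TSHARK!" -r "%%f" -w "!out!" -F libpcap
        if errorlevel 1 (
            echo FAILED: "%%f" ^(tshark exit code !errorlevel!^)
            REM Do not leave a truncated output file behind.
            del "!out!" 2>nul
            set /a failed+=1
        ) else (
            echo Converted "%%f" -^> "!out!"
            set /a ok+=1
        )
    )
)
echo.
echo Converted: !ok!  Failed: !failed!  Skipped: !skipped!
pause
```

The per-file exit-code check matters because `&` in the one-liner runs tshark regardless of whether the earlier command succeeded and never reports a failed conversion.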