Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 35, Issue 1
From: "Michael Grice" <mgrice@xxxxxxxxxxxxxxx>
Date: Wed, 1 Apr 2009 15:09:49 -0400
Title: Re: Wireshark-users Digest, Vol 35, Issue 1

RRRRRrr
Michael Grice
The AfroTech
(O) 480.522.1096
(F) 888.631.3384

----- Original Message -----
From: wireshark-users-bounces@xxxxxxxxxxxxx <wireshark-users-bounces@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx <wireshark-users@xxxxxxxxxxxxx>
Sent: Wed Apr 01 15:00:03 2009
Subject: Wireshark-users Digest, Vol 35, Issue 1

Send Wireshark-users mailing list submissions to
        wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
        wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
        wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Re: Is this normal? (Stephen Fisher)
   2. Re: searching for keywords in DATA fields (Abhik Sarkar)
   3. filtering on Ethernet MAC OUI (noah davids)
   4. Decoding problem in ANSI MAP messages (Sanjay Nayak)
   5. Re: Decoding problem in ANSI MAP messages (Anders Broman)


----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Mar 2009 13:16:34 -0600
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Is this normal?
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20090331191634.GC26516@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 31, 2009 at 12:59:26PM -0400, Peter Hartmann wrote:

> I also see quite a bit of this kind of thing.  From what I understand,
> this address 239.255.1.1 falls in a range dedicated to multicast. 
> I'm also wondering if the spanning tree packets mean that there is a
> cable plugged in to a switch twice.  Could that be?
>
> 54 7.619442 10.3.85.127 239.255.1.1 UDP Source port: dnox Destination
> port: dnox

Yes, this is a multicast in the range that is "locally administered."
Maybe this is an audio and/or video broadcast that just happens to use
port 4022 (dnox)?

> 57 8.000269 Netgear_de:9b:97 Spanning-tree-(for-bridges)_00 STP Conf.
> Root = 32768/00:0f:b5:de:9b:97 Cost = 0 Port = 0x8001

This is not indicative of anything out of the ordinary.


Steve



------------------------------

Message: 2
Date: Wed, 1 Apr 2009 11:45:15 +0400
From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
Subject: Re: [Wireshark-users] searching for keywords in DATA fields
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
        <c460e4040904010045o22ab1c1fn20fd47e24dbaee0a@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Just wanted to throw in another method to achieve the same result... I have
used display filters similar to this:

- search for text
frame contains "text"

- or search for a byte pattern
frame contains 6d:e1:90:e8

- or using regular expressions
frame matches "user-agent: Mozilla.*Nokia.*"

HTH
Abhik.

On Wed, Mar 25, 2009 at 8:15 PM, Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> wrote:

> On Wed, Mar 25, 2009 at 11:28:40AM -0400, Parkis, Scott wrote:
>
> > How would I search for a file name or keyword in the data fields in
> > filtering a capture?
>
> Edit menu - Find Packet then choose by String and put your search
> criteria in the box.
>
>
> Steve
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>

------------------------------

Message: 3
Date: Wed, 1 Apr 2009 04:27:03 -0700
From: "noah davids" <ndav1@xxxxxxx>
Subject: [Wireshark-users] filtering on Ethernet MAC OUI
To: <Wireshark-users@xxxxxxxxxxxxx>
Message-ID: <156FCE29866A495F8717E8F9637CB0C5@noahdesk>
Content-Type: text/plain; charset="iso-8859-1"

Is there any way to filter on just the Ethernet MAC OUI? I've tried data [0:2] but that only does the data and there does not appear to be a frame [0:2].


Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth
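The display-filter idioms from message 2 (frame contains "text", frame contains 6d:e1:90:e8, frame matches "regex") and the OUI question in message 3 can be tried out without a capture file. Below is an added example, not code from Wireshark or from any poster on this list: a small Python evaluator that applies those filter shapes to a few hand-constructed Ethernet/IPv4/UDP frames. Two Wireshark facts it reproduces: "contains" is a case-sensitive byte search while "matches" is case-insensitive by default (which is why a lowercase "user-agent:" in the regex still hits a "User-Agent:" header), and the filter Wireshark actually offers for an OUI is a slice of the address field, eth.src[0:3] == 00:0f:b5 (Wireshark slices are offset:length). The frames, MAC addresses, and the four-expression grammar are assumptions of this demo, not a description of Wireshark's parser.

```python
"""Hand-rolled evaluator for the Wireshark display-filter idioms in this
thread.  Added example, not code from Wireshark or from the posters.  Only
the four expression shapes seen on the list are understood (an assumption
of this demo, not Wireshark's grammar).  All frames are constructed."""
import re
import struct


def _hexbytes(colon_hex):
    """'00:0f:b5' -> b'\\x00\\x0f\\xb5'."""
    return bytes.fromhex(colon_hex.replace(":", ""))


def build_frame(src_mac, dst_mac, payload):
    """Constructed Ethernet II / IPv4 / UDP frame, 10.3.85.127 -> 239.255.1.1,
    port 4022 (dnox) both ways, as in message 1.  Checksums are left zero."""
    eth = _hexbytes(dst_mac) + _hexbytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                     64, 17, 0, bytes([10, 3, 85, 127]), bytes([239, 255, 1, 1]))
    udp = struct.pack("!HHHH", 4022, 4022, 8 + len(payload), 0)
    return eth + ip + udp + payload


# Constructed sample "capture": an HTTP-looking request from the Netgear OUI
# seen in message 1 (00:0f:b5), a binary blob, and a non-Nokia user agent.
FRAMES = [
    build_frame("00:0f:b5:de:9b:97", "01:00:5e:7f:01:01",
                b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (SymbianOS/9.2) Nokia N95\r\n\r\n"),
    build_frame("00:1b:21:aa:bb:cc", "01:00:5e:7f:01:01",
                b"\x01\x02" + bytes.fromhex("6de190e8") + b"\x00" * 8),
    build_frame("00:0f:b5:11:22:33", "01:00:5e:7f:01:01",
                b"user-agent: curl/7.19.7\r\n"),
]

_CONTAINS_STR = re.compile(r'^frame contains "(.*)"$')
_CONTAINS_HEX = re.compile(r'^frame contains ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$')
_MATCHES = re.compile(r'^frame matches "(.*)"$')
_ETH_SLICE = re.compile(
    r'^eth\.(src|dst)\[(\d+):(\d+)\] == ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$')


def evaluate(expr, frame):
    """Return True if the frame passes the (supported) filter expression."""
    expr = expr.strip()
    if (m := _CONTAINS_STR.match(expr)):
        # `contains "text"`: exact, case-sensitive byte substring.
        return m.group(1).encode("ascii") in frame
    if (m := _CONTAINS_HEX.match(expr)):
        # `contains aa:bb:cc`: same search, pattern given as bytes.
        return _hexbytes(m.group(1)) in frame
    if (m := _MATCHES.match(expr)):
        # `matches "re"`: regex over the raw bytes.  Wireshark's matches is
        # case-insensitive by default, so the lowercase "user-agent:" in the
        # list posting still hits a "User-Agent:" header.
        return re.search(m.group(1).encode("ascii"), frame, re.IGNORECASE) is not None
    if (m := _ETH_SLICE.match(expr)):
        # eth.src[i:j]: Wireshark slices are offset:length.  In an Ethernet II
        # frame the destination MAC is at offset 0, the source MAC at offset 6.
        field, start, length, want = m.groups()
        base = 6 if field == "src" else 0
        lo = base + int(start)
        return frame[lo:lo + int(length)] == _hexbytes(want)
    raise ValueError(f"unsupported filter (demo handles four shapes): {expr!r}")


def select(expr, frames=FRAMES):
    """Indices of frames passing the filter, like the packet list after Apply."""
    return [i for i, f in enumerate(frames) if evaluate(expr, f)]


if __name__ == "__main__":
    for expr in ('frame contains "User-Agent"', 'frame contains "user-agent"',
                 "frame contains 6d:e1:90:e8",
                 'frame matches "user-agent: Mozilla.*Nokia.*"',
                 "eth.src[0:3] == 00:0f:b5"):
        print(f"{expr:48} -> {select(expr)}")
```

Running it shows the case-sensitivity split directly: frame contains "User-Agent" selects only the Nokia request, frame contains "user-agent" only the curl one, while the matches regex finds the Nokia request despite its lowercase "user-agent:". The eth.src[0:3] expression selects both Netgear-OUI frames; data[0:2] cannot do this because the data field starts after the UDP header, not at the Ethernet header.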

------------------------------

Message: 4
Date: Wed, 1 Apr 2009 18:18:43 +0530
From: Sanjay Nayak <sanjay.nayak.bdk@xxxxxxxxx>
Subject: [Wireshark-users] Decoding problem in ANSI MAP messages
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
        <54246fd00904010548k38bad78emf7b1ebed86745a00@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Hello

I want to decode the ANSI MAP Authentication Failure Report message in
the latest Wireshark.

According to section 2.4 of the spec,

http://www.3gpp2.org/Public_html/specs/X.S0004-540-E_v2.0_070723.pdf

there are seven mandatory parameters for the message
Authentication Failure Report:

1. Electronic serial number
2. MSID (i.e. MIN/IMSI)
3. Report Type
4. System Access Type
5. System Capabilities (Serving)

These I have already given in my message.

But for the parameter MSID, if I give IMSI instead of MIN, then it shows
BER Error: Unknown field in SET class:CONTEXT(2) tag:242.

It also shows two tag errors at the end:

1. BER Error: Missing field in SET class:CONTEXT(2) tag:8 expected
2. BER Error: Missing field in SET class:CONTEXT(2) tag:44 expected

That means it considers two extra parameters as mandatory. Please
suggest what the problem is.

For the parameters, the spec is

http://www.3gpp2.org/Public_html/specs/X.S0004-550-E_v2.0_070723.pdf


Regards
Sanjay


------------------------------

Message: 5
Date: Wed, 1 Apr 2009 18:25:37 +0200
From: "Anders Broman" <a.broman@xxxxxxxxx>
Subject: Re: [Wireshark-users] Decoding problem in ANSI MAP messages
To: "'Community support list for Wireshark'"
        <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <EFB88931EE084DE7961CC0D182E99A98@dittcb7aa3551c>
Content-Type: text/plain;       charset="iso-8859-1"

Hi,
I committed a fix in revision 27923. The problem is that the dissector is
assembled from a number of standard documents and there may be cut-and-paste
errors, missed updates, etc. And a poor standard at that, in my opinion...
Regards
Anders

-----Original message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of Sanjay Nayak
Sent: 1 April 2009 14:49
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Decoding problem in ANSI MAP messages



------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 35, Issue 1
**********************************************