Wireshark-users: [Wireshark-users] More issues with network monitor 3.3 traces
From: "noah davids" <ndav1@xxxxxxx>
Date: Wed, 21 Jul 2010 21:49:10 -0700
Well I downloaded Version 1.5.0-SVN-33606 (SVN Rev 33606 from /trunk) and was able to read and decode the first network monitor 3.3 trace but not another. The second gives me the error "The capture file has a packet with a network a network type Wireshark doesn't support. (netmon: network type 0 unknown or unsupported)."

Also, I discovered the following when displaying the first trace. I have a display filter of "ssl" and the TCP preference "Validate the TCP checksum if possible" is checked:

No.  Time       Source       Destination  TTL  Protocol  Window size  Info
910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        [TCP Previous segment lost] Ignored Unknown Record
918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
923  18.297802  10.1.1.191   10.111.1.21  128  SSL       65492        [Unreassembled Packet [incorrect TCP checksum]]
930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
932  18.343700  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
936  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
938  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
944  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
948  18.432567  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record


But when I uncheck the TCP preference "Validate the TCP checksum if possible", the trace changes to:

No.  Time       Source       Destination  TTL  Protocol  Window size  Info
910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        Server Hello, Certificate, Server Hello Done
918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
923  18.297802  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
932  18.343700  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
936  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
938  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
944  18.431591  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
948  18.432567  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]

Why should validating the checksum change the interpretation of the data?




Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you deleted it and notified me that you received it incorrectly. On the other hand, E-mail is an insecure mechanism; nothing in this E-mail can be considered confidential. I have no doubts that copies of this E-mail have been archived by my ISP, your ISP and probably the FBI, CIA and NSA. I suspect that Interpol, MI-6, SVR (think KGB) and MSS (Chinese) will have copies shortly, the NSIS (Kenya) will have it by the end of the week.
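Added example (not part of the post above, nor Wireshark's own code): a miniature TLS-over-TCP stream in Python that reproduces the two Info columns shown. Wireshark does not desegment a TCP segment that fails checksum validation, so the next in-order segment begins in the middle of a TLS record; the endpoint addresses are taken from the trace, while ports, sequence numbers and payloads are constructed.

```python
import socket
import struct

SRC, DST = "10.1.1.191", "10.111.1.21"  # endpoints from the trace; all other values are constructed

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit words with end-around carry; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])) & 0xFFFF

def build_segment(seq: int, payload: bytes, good_checksum: bool) -> bytes:
    """PSH/ACK segment, window 65492 as in the trace. A wrong checksum is what a sender-side
    capture records when the NIC fills the field in after the capture point (checksum offload)."""
    seg = struct.pack("!HHIIBBHHH", 49152, 443, seq, 0, 5 << 4, 0x18, 65492, 0, 0) + payload
    csum = tcp_checksum(SRC, DST, seg) ^ (0 if good_checksum else 0xFFFF)  # XOR 0xFFFF: always wrong
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def tls_record(body: bytes) -> bytes:
    return struct.pack("!BHH", 23, 0x0301, len(body)) + body  # TLS 1.0 Application Data record

def dissect(segments, validate_checksum: bool):
    """Label segments as the Info column does. With validation on, a bad-checksum segment is not
    desegmented, leaving a hole; TLS cannot resynchronise without the record length it lost."""
    labels, buf, expected = [], b"", None
    for seg in segments:
        seq, stored = struct.unpack("!I", seg[4:8])[0], struct.unpack("!H", seg[16:18])[0]
        if validate_checksum and tcp_checksum(SRC, DST, seg) != stored:
            labels.append("[Unreassembled Packet [incorrect TCP checksum]]")
            continue
        if expected is not None and seq != expected:
            labels.append("[TCP Previous segment lost] Ignored Unknown Record")
            continue
        buf, expected = buf + seg[20:], seq + len(seg) - 20
        records = []
        while len(buf) >= 5 and len(buf) >= 5 + struct.unpack("!H", buf[3:5])[0]:
            records.append("Application Data")
            buf = buf[5 + struct.unpack("!H", buf[3:5])[0]:]
        labels.append(", ".join(records) if records else "[TCP segment of a reassembled PDU]")
    return labels

STREAM = [  # frames 922, 923, 930, ... in miniature: only the second segment has a bad checksum
    build_segment(1, tls_record(b"A" * 100), True),
    build_segment(106, tls_record(b"B" * 300)[:200], False),
    build_segment(306, tls_record(b"B" * 300)[200:], True),
    build_segment(411, tls_record(b"C" * 50), True),
]
```

Running dissect(STREAM, False) and dissect(STREAM, True) gives the two label sequences seen in the trace: the same bytes are "Application Data" once the flawed segment is desegmented, and "Previous segment lost" for every later segment once it is excluded.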