Wireshark-users: Re: [Wireshark-users] Filtering Network address

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 19 Feb 2007 19:08:46 -0800

On Feb 19, 2007, at 6:46 PM, Muhammad Ghazali wrote:

> Can you tell me the trick for measuring the response time of the web
> application and the SMTP response by manually looking at the packets?

Web and SMTP?  You said

	I want to measure the response time of a web application and the smtp
server from a branch office ...

Are you measuring two different things (the response time of a Web application to HTTP requests, and the response of an SMTP server to SMTP requests), or is this a Web application that causes e-mail to be sent, so that the user fills out a form and clicks a button, and a mail message is generated and sent as a result of clicking the button?


> How can I follow a trace of a conversation? (From the SYN request
> until the end of the transaction). An example of the conversation is a
> login process to a web application.

If you select a packet in a TCP connection, and then select "Follow TCP Stream" from the "Analyze" menu, Wireshark will:

1) filter out all the packets that aren't in that TCP connection, so only the packets in the connection are displayed;

2) put the text of the data in the connection (assuming it *is* text - it might be binary, in which case this is less useful) into a new display window.


> I like the graphical statistics; how can I convert the Wireshark format
> into the Sniffer Pro 4.75 one? I once converted an Ethereal capture to Sniffer
> format and it worked. But I've just tried the conversion (by means of
> the save menu) from Wireshark with no success.

"Wireshark" and "Ethereal" are the same program - we just changed the name in the 0.99.2 release (see

	http://www.wireshark.org/faq.html#q1.2

for details). There's also no "Wireshark format" or "Ethereal format" - the native capture file format for Ethereal/Wireshark is libpcap format, which is the format supported by the libpcap library used by tcpdump and a number of other programs. (It's more-or-less the standard UN*X capture file format.)

You *should* be able to save a Wireshark capture in Sniffer format, although you should note that there are two "Sniffer" formats - the format used by the old Sniffers, which ran on top of MS-DOS, and the format used by the newer Sniffer software, which runs on top of Windows. The old Sniffer format is given as "NA Sniffer (DOS)", and the new Sniffer format is given as "NA Sniffer (Windows) 1.1" or "NA Sniffer (Windows) 2.00x" - unless you have an older version of the Windows Sniffer software, you probably want the 2.00x version.

If you try to save in that format, what happens? Does Wireshark not let you choose that format? If it doesn't, what type of capture do you have (Ethernet, 802.11, some type of WAN, etc.)? If it does let you choose that format, what happens if you save in that format? Can a Sniffer read the file?
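The two measurements the original poster asked about (handshake round trip and request-to-response time, read off the packets of one TCP conversation) can be scripted against the libpcap format Guy mentions. The following is an added example, not code from this thread or from the Wireshark project: it hand-builds a small libpcap file containing one constructed HTTP login exchange (addresses 10.0.0.5 and 192.0.2.10, port 40000 to 80, timestamps chosen by me), parses the Ethernet/IPv4/TCP headers itself, groups packets into streams the way "Follow TCP Stream" does, and reports per stream the SYN to SYN/ACK time, the first-request-byte to first-response-byte time, and the total duration from SYN to the last packet seen. Checksums are left at zero because nothing here sends the frames; a pcapng file would be rejected because only the classic libpcap header is parsed.

```python
import struct
from collections import defaultdict

# --- Constructed sample: a hand-built libpcap file holding one HTTP exchange ---
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

def _frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build Ethernet + IPv4 + TCP bytes (checksums left zero; fine for offline parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # zero MACs, ethertype IPv4
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def _record(ts, frame):
    """libpcap per-packet header (ts_sec, ts_usec, caplen, len) followed by the frame."""
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed addresses for the example
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join([
    _record(1.000000, _frame(CLIENT, SERVER, 40000, 80, SYN)),
    _record(1.020000, _frame(SERVER, CLIENT, 80, 40000, SYN | ACK)),
    _record(1.021000, _frame(CLIENT, SERVER, 40000, 80, ACK)),
    _record(1.022000, _frame(CLIENT, SERVER, 40000, 80, PSH | ACK,
                             b"POST /login HTTP/1.1\r\nHost: app\r\n\r\nuser=x&pw=y")),
    _record(1.150000, _frame(SERVER, CLIENT, 80, 40000, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n")),
    _record(1.151000, _frame(CLIENT, SERVER, 40000, 80, FIN | ACK)),
    _record(1.170000, _frame(SERVER, CLIENT, 80, 40000, FIN | ACK)),
])

# --- Minimal libpcap reader ---
def read_pcap(data):
    """Yield (timestamp, frame_bytes) from a libpcap byte string; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng and other formats are not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only parses Ethernet (DLT_EN10MB) captures")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                                       # IP protocol field
        return None
    ip = frame[14:14 + total_len]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[doff:]

def response_times(pcap_bytes):
    """Per TCP stream: SYN->SYN/ACK RTT, first request byte -> first response byte, SYN -> last packet."""
    streams = defaultdict(list)
    for ts, frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p:
            src, dst, sport, dport, flags, payload = p
            key = tuple(sorted([(src, sport), (dst, dport)]))   # same key for both directions
            streams[key].append((ts, src, flags, payload))
    results = {}
    for key, pkts in streams.items():
        t_syn = t_synack = t_req = t_resp = client = None
        for ts, src, flags, payload in pkts:
            if client is None and flags & SYN and not flags & ACK:
                t_syn, client = ts, src                      # the SYN identifies the client side
            elif t_synack is None and flags & SYN and flags & ACK:
                t_synack = ts
            elif payload and src == client and t_req is None:
                t_req = ts                                   # first application data from client
            elif payload and src != client and t_req is not None and t_resp is None:
                t_resp = ts                                  # first application data back
        if t_syn is None:
            continue   # captured mid-connection: no SYN to anchor the measurements on
        results[key] = {
            "handshake_rtt": round(t_synack - t_syn, 6) if t_synack else None,
            "app_response": round(t_resp - t_req, 6) if t_req and t_resp else None,
            "total": round(pkts[-1][0] - t_syn, 6),
        }
    return results

if __name__ == "__main__":
    for stream, times in response_times(SAMPLE_PCAP).items():
        print(stream, times)
```

The same three numbers are what you would read off by hand in Wireshark after "Follow TCP Stream": the handshake RTT is the network part of the delay, the application response time is what the web or SMTP server itself took, and the difference between them is what the branch office can actually attribute to the server rather than the link. Streams whose SYN was not captured are skipped rather than guessed at, which is the same situation you hit when a capture starts after the connection was already open.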