Wireshark-users: Re: [Wireshark-users] Filtering Network address

From: "Muhammad Ghazali" <muhammad.ghazali@xxxxxxxxx>
Date: Tue, 20 Feb 2007 10:34:48 +0700
On 2/20/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Feb 19, 2007, at 6:46 PM, Muhammad Ghazali wrote:

> Can you tell me the trick how to measure the response time of the web
> application and the smtp response by manually looking at the packet?

Web and SMTP?  You said

        I want to measure the response time of a web application and the smtp
server from a branch office ...

Are you measuring two different things (the response time of a Web
application to HTTP requests, and the response of an SMTP server to
SMTP requests), or is this a Web application that causes e-mail to be
sent, so that the user fills out a form and clicks a button, and a
mail message is generated and sent as a result of clicking the button?

In fact, I'd like to measure the response time of 3 different things.
- The web application,
- web based email where a web application causes email to be sent,
- and smtp session where I will send (and receive) email from email
client (outlook express or other MUA).

> How can I follow a trace of a conversation? (From the Syn request
> until the end of the transaction). Example of the conversation is a
> login process to a web application.

If you select a packet in a TCP connection, and then select "Follow
TCP Stream" from the "Analyze" menu, Wireshark will:

        1) filter out all the packets that aren't in that TCP connection, so
only the packets in the connection are displayed;

        2) put the text of the data in the connection (assuming it *is* text
- it might be binary, in which case this is less useful) into a new
display window.

Ok. Will try this in a moment.

> I like the graphical statistic, how can I convert wireshark format
> into Sniffer Pro 475 one? I once converted an ethereal to sniffer
> format and it worked. But I've just tried the conversion (by means of
> the save menu) from wireshark with no success.

"Wireshark" and "Ethereal" are the same program - we just changed the
name in the 0.99.2 release (see

        http://www.wireshark.org/faq.html#q1.2

I know.

for details).  There's also no "Wireshark format" or "Ethereal format"
- the native capture file format for Ethereal/Wireshark is libpcap
format, which is the format supported by the libpcap library used by
tcpdump and a number of other programs.  (It's more-or-less the
standard UN*X capture file format.)

You *should* be able to save a Wireshark capture in Sniffer format,
although you should note that there are two "Sniffer" formats - the
format used by the old Sniffers, which ran on top of MS-DOS, and the
format used by the newer Sniffer software, which runs on top of
Windows.  The old Sniffer format is given as "NA Sniffer (DOS)", and
the new Sniffer format is given as "NA Sniffer (Windows) 1.1" or "NA
Sniffer (Windows) 2.00x" - unless you have an older version of the
Windows Sniffer software, you probably want the 2.00x version.

If you try to save in that format, what happens?  Does Wireshark not
let you choose that format?  If it doesn't, what type of capture do
you have (Ethernet, 802.11, some type of WAN, etc.)?  If it does let
you choose that format, what happens if you save in that format?  Can
a Sniffer read the file?

Wireshark let me choose Sniffer (Windows) 2.00x format. But the
Sniffer Pro can't open the converted file. I am capturing ethernet
frames.

Thanks for the assistance.
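As an added example (not code from this thread or from Wireshark), the two steps Guy describes for "Follow TCP Stream" and the SYN-to-end-of-transaction timing asked about above, applied to a constructed packet list; the Packet record, its field names and the sample addresses are assumptions, and in practice the packets would come from a capture file.

```python
from collections import namedtuple

# ts = capture timestamp (s); flags = TCP flag letters ("S", "SA", "PA", "FA")
Packet = namedtuple("Packet", "ts src sport dst dport flags payload", defaults=(b"",))

def stream_key(p):
    """Direction-independent connection id: the 4-tuple with endpoints sorted."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def follow_stream(packets, selected):
    """Keep only the packets of the connection `selected` belongs to, in time
    order: the filtering step of Wireshark's "Follow TCP Stream"."""
    key = stream_key(selected)
    return sorted((p for p in packets if stream_key(p) == key), key=lambda p: p.ts)

def client_of(stream):
    """The endpoint that sent the SYN is the client; also return the SYN itself."""
    syn = next(p for p in stream if p.flags == "S")
    return (syn.src, syn.sport), syn

def stream_text(stream):
    """Payload in order, tagged by direction, like the Follow window's text view."""
    client, _ = client_of(stream)
    return "\n".join(("C>S " if (p.src, p.sport) == client else "S>C ")
                     + p.payload.decode("latin-1").rstrip()
                     for p in stream if p.payload)

def response_time(stream):
    """Seconds from the client's SYN to the first server payload byte, and from
    the SYN to the last packet of the stream (end of the transaction)."""
    client, syn = client_of(stream)
    first = next(p for p in stream if (p.src, p.sport) != client and p.payload)
    return round(first.ts - syn.ts, 3), round(stream[-1].ts - syn.ts, 3)

# Constructed sample capture: an HTTP login plus an unrelated SMTP SYN.
C, S = "10.0.0.5", "192.0.2.10"
PACKETS = [
    Packet(0.000, C, 51000, S, 80, "S"),
    Packet(0.080, S, 80, C, 51000, "SA"),
    Packet(0.081, C, 51000, S, 80, "A"),
    Packet(0.082, C, 51000, S, 80, "PA", b"POST /login HTTP/1.1\r\n"),
    Packet(0.120, C, 51001, "192.0.2.25", 25, "S"),   # different connection
    Packet(0.300, S, 80, C, 51000, "A"),
    Packet(0.950, S, 80, C, 51000, "PA", b"HTTP/1.1 200 OK\r\n"),
    Packet(0.960, C, 51000, S, 80, "A"),
    Packet(1.200, C, 51000, S, 80, "FA"),
    Packet(1.280, S, 80, C, 51000, "FA"),
]
```

Selecting the POST packet (`follow_stream(PACKETS, PACKETS[3])`) drops the SMTP SYN and leaves the nine packets of the HTTP connection; `response_time` on that stream gives 0.95 s to the first byte of the reply and 1.28 s for the whole transaction.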