Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 11, Issue 32

From: "S R" <slegendr@xxxxxxxxx>
Date: Thu, 19 Apr 2007 08:51:44 -0400
Would you like me to send the captures to you at sake@xxxxxxxxxx?  We are not having problems with all users, all domains. Inbound and outbound.

On 4/19/07, wireshark-users-request@xxxxxxxxxxxxx < wireshark-users-request@xxxxxxxxxxxxx> wrote:
Send Wireshark-users mailing list submissions to
       wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
       http://www.wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
       wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
       wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

  1. trouble w/ tshark static build on linux
     (wireshark-users@xxxxxxxxxxxxxxxxx)
  2. Re: capturing msn web cam traffic with wireshark.
     (Wonkyun*^^* Lee)
  3. Re: capturing msn web cam traffic with wireshark. (Guy Harris)
  4. Bizarre mail issue on network, Please someone, help. (S R)
  5. Re: Bizarre mail issue on network, Please someone, help.
     (Sake Blok)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 Apr 2007 17:54:09 -0700
From: wireshark-users@xxxxxxxxxxxxxxxxx
Subject: [Wireshark-users] trouble w/ tshark static build on linux
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <200704190053.l3J0rpvD031413@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi,
I've successfully statically built tethereal before on linux, but
when I tried with tshark/wireshark 0.99.5, I keep getting errors like this:
can't find -lgmodule

I've tried
--enable-static --disable-wireshark --enable-tshark --disable-gtk2
and lots of other options to configure, with no success.
(configure seems to work OK, but make fails.)

I just want to get a static build of tshark.

This is on Fedora Core 6; I also tried on RHEL4.

I do have glib and gtk and gmodule, etc.

Thanks!
Barry



------------------------------

Message: 2
Date: Thu, 19 Apr 2007 10:43:12 +0900
From: "Wonkyun*^^* Lee" <wonlee@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] capturing msn web cam traffic with
       wireshark.
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <BAY143-F241983290156E59CA24097D5570@xxxxxxx>
Content-Type: text/plain; format=flowed

> > I am trying to capture traffic using Msn messenger, espec. with web
> > cam.
>
>You're trying to capture traffic with a webcam?  You mean by, for
>example, pointing a webcam at the screen while Wireshark is doing a
>live traffic capture, to display what Wireshark is showing? :-)
>
>Or do you mean you're trying to capture network traffic being put onto
>the network by a webcam?
>
==>
What I meant was, I want to capture traffic during a 'WebCam/Video
conversation', i.e. when I have a video conversation with my friend or someone,
using the MSN Messenger webcam feature.

There is equipment that we are trying to release to the public which allows
video conversation; it's something like a video telephone.
When I use this equipment with Wireshark, I can capture traffic with
protocols H.263, G.722, etc.,
and it also tells me about their video type (QCIF, CIF, ...), codec,
bit rate, picture type, etc.

But I cannot capture any of these things with an MSN Messenger video
conversation. Is it because it's encrypted?
All I see is just a 'UDP' protocol saying nothing.

Is there any way that I can see and analyze these things?

I want to see their picture coding type (I-frame, P-frame) and the time for
receiving each frame so I can calculate their frame rates, and so on.

I also tried with Skype, but I know that it uses their own codec, so there
is no way to capture video frames and analyze them.
But as far as I know, MSN Messenger uses a standard codec, so it can co-work
with other messengers like Yahoo or AOL.

I don't know whether you understand what I am trying to say, but I hope so.

Cheers. Need help here.
Please tell me about other tools or some kind of dissectors that allow me to do
these things.

> > Is there any way that i can capture video codec, or video traffic?
> >
> > some kind of frame rate or something..
> >
> > I also tried with Skype, but i cannot find the way to do it..
>
>You can capture *any* sort of network traffic with Wireshark.
>
>Whether Wireshark can *dissect* that traffic, and show it as anything
>other than raw hex data, is another matter.
>
>And, even if it can dissect it, it won't display it as video.
>Wireshark's a network analyzer, not a video player, although some
>dissectors might support saving the contents of a video stream within
>a capture in some video format, just as it can save some VoIP traffic
>in an audio format.
>
>What *exactly* is it you're trying to do here?
>_______________________________________________
>Wireshark-users mailing list
>Wireshark-users@xxxxxxxxxxxxx
>http://www.wireshark.org/mailman/listinfo/wireshark-users




------------------------------

Message: 3
Date: Wed, 18 Apr 2007 19:03:52 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] capturing msn web cam traffic with
       wireshark.
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <1887BAF1-6C1E-4304-A7D3-973C1471161C@xxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On Apr 18, 2007, at 6:43 PM, Wonkyun*^^* Lee wrote:

> but i cannot capture any of these things with msn messenger video
> conversation, is it b/c it's encrypted?
> all i see was just 'udp' protocol saying nothing..

That doesn't necessarily mean you can't *capture* them.  It could just
mean that Wireshark can't *dissect* them; it might have no dissector
for whatever protocol MSN Messenger is using, or it might not
recognize the traffic as being MSN Messenger video traffic.

According to this page:

       http://www.hypothetic.org/docs/msn/client/invitation_types.php

the protocol it uses is RTP, for which Wireshark has a dissector.
However, RTP doesn't have a standard port number, so Wireshark can't
recognize RTP traffic based on the UDP port number; it would either
have to be told that a particular session is RTP traffic, or look at
the packet and try to guess whether it's RTP traffic or not.

To tell Wireshark that traffic to or from a particular port is RTP
traffic, select one of the UDP packets by clicking on it, and then
select "Decode As..." from the "Analyze" menu.  Tell it to dissect
traffic to or from one of the given transport-layer ports as RTP.

To get it to try to guess whether traffic is RTP traffic or not,
select "Preferences" from the "Edit" menu, open up the "Protocols"
list, select "RTP" from the list, turn on the "Try to decode RTP
outside of conversations" option, and click "OK".

That doesn't guarantee that it'll recognize the codec, however.

> I also tried with Skype, but I know that it uses their own codec, so
> there
> is no way to capture video frames and analyze them.

It's possible to capture those frames with Wireshark (or TShark, or
tcpdump/WinDump, or...).  It's not possible to *analyze* them in
Wireshark or TShark without a dissector being written for the protocol
it uses and for the codec it uses.
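As an added example (not from Guy Harris's message and not Wireshark code), the Python below shows what the two Wireshark options above amount to at the byte level: the "Decode As" route tells the dissector that a port carries RTP, while the "Try to decode RTP outside of conversations" route has to look at each UDP payload and guess. The guess implemented here checks the RFC 3550 fixed header (version 2, header length consistent with the CSRC count and extension) and rejects payloads whose second byte is an RTCP packet type, which is the kind of check such a heuristic needs; it is written for illustration, not copied from Wireshark. Once a stream is recognised, the RTP timestamp and marker bit give the per-frame timing the original poster asked about. The packets are constructed inline; the 90 kHz video clock, the 15 fps pacing, the SSRC and the use of payload type 34 (the static H.263 type from RFC 3551) are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

RTP_VERSION = 2
FIXED_HEADER_LEN = 12
# RTCP packet types 200..204 (SR, RR, SDES, BYE, APP) sit in the second byte;
# read as RTP they look like marker=1 with payload type 72..76, so reject those.
RTCP_LOOKALIKE_PT = range(72, 77)
VIDEO_CLOCK_HZ = 90000          # assumption: the usual RTP clock for video payloads
H263_STATIC_PT = 34             # RFC 3551 static payload type for H.263 (assumption for the sample)


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    header_len: int  # bytes covered by the fixed header, CSRC list and extension


def parse_rtp(payload: bytes) -> Optional[RtpHeader]:
    """Parse the RFC 3550 header from a UDP payload; None if it cannot be an RTP packet."""
    if len(payload) < FIXED_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:FIXED_HEADER_LEN])
    version, padding, extension, cc = b0 >> 6, bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, pt = bool(b1 & 0x80), b1 & 0x7F
    hdr_len = FIXED_HEADER_LEN + 4 * cc
    if len(payload) < hdr_len:
        return None
    if extension:  # 16-bit profile, 16-bit length in 32-bit words, then the extension data
        if len(payload) < hdr_len + 4:
            return None
        _profile, ext_words = struct.unpack("!HH", payload[hdr_len:hdr_len + 4])
        hdr_len += 4 + 4 * ext_words
        if len(payload) < hdr_len:
            return None
    return RtpHeader(version, padding, extension, cc, marker, pt, seq, ts, ssrc, hdr_len)


def looks_like_rtp(payload: bytes) -> bool:
    """Heuristic classification of an unknown UDP payload, in the spirit of Wireshark's
    'try to decode RTP outside of conversations' option (illustrative, not Wireshark's code)."""
    hdr = parse_rtp(payload)
    if hdr is None or hdr.version != RTP_VERSION:
        return False
    return hdr.payload_type not in RTCP_LOOKALIKE_PT


def build_rtp(seq: int, ts: int, *, marker: bool = False, pt: int = H263_STATIC_PT,
              ssrc: int = 0x12345678, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal RTP packet (no CSRCs, no extension) for the constructed sample stream."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def video_frame_rate(packets: List[bytes], clock_hz: int = VIDEO_CLOCK_HZ) -> Optional[float]:
    """Estimate the frame rate from RTP timestamps: all packets of one video frame share a
    timestamp, and the marker bit flags the last packet of each frame."""
    frame_ts = []
    for p in packets:
        hdr = parse_rtp(p)
        if hdr is not None and hdr.version == RTP_VERSION and hdr.marker:
            frame_ts.append(hdr.timestamp)
    if len(frame_ts) < 2:
        return None
    span_ticks = (frame_ts[-1] - frame_ts[0]) & 0xFFFFFFFF  # tolerate 32-bit wrap
    return None if span_ticks == 0 else (len(frame_ts) - 1) * clock_hz / span_ticks


def constructed_h263_stream() -> List[bytes]:
    """Constructed sample: three frames at 15 fps, two packets per frame, marker on the last."""
    packets, seq = [], 1000
    for frame in range(3):
        ts = 100000 + frame * (VIDEO_CLOCK_HZ // 15)
        packets.append(build_rtp(seq, ts)); seq += 1
        packets.append(build_rtp(seq, ts, marker=True)); seq += 1
    return packets


SAMPLE_STREAM = constructed_h263_stream()
# Constructed non-RTP payloads: an RTCP Sender Report (type 200, one report block)
# and something whose first byte has version bits 00.
RTCP_SR_SAMPLE = bytes([0x81, 0xC8, 0x00, 0x06]) + b"\x00" * 24
NON_RTP_SAMPLE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, pkt in (("rtp", SAMPLE_STREAM[0]), ("rtcp", RTCP_SR_SAMPLE), ("other", NON_RTP_SAMPLE)):
        print(f"{name:5s} looks_like_rtp={looks_like_rtp(pkt)}")
    print("estimated frame rate:", video_frame_rate(SAMPLE_STREAM))
```

The command-line equivalents of the two menu routes are, for a known port, `tshark -r capture.pcap -d udp.port==5004,rtp` (5004 being a placeholder) and, for the heuristic, `tshark -r capture.pcap -o rtp.heuristic_rtp:TRUE`. Note that even a correctly recognised stream only yields what is in the RTP header (timing, sequence, payload type); the picture coding type (I-frame versus P-frame) lives in the codec's own payload header, which is exactly the codec dissector Guy says must exist before Wireshark can show it.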


------------------------------

Message: 4
Date: Wed, 18 Apr 2007 23:18:15 -0400
From: "S R" <slegendr@xxxxxxxxx>
Subject: [Wireshark-users] Bizarre mail issue on network, Please
       someone, help.
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
       <1c46bda30704182018w59c5a5f9vc0460f1b5293bc7e@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello!

I was wondering if someone would be so kind as to help me in figuring out a
strange mail problem I'm having.  I'm having a ton of retransmissions with
mail, and it's sitting in the queue on my relay server.  I thought at first
it was some problem with my firewalls, but I'm starting to think that's not
the case.  I've run a capture on my relay server, and I'm starting to think
it may be something with my switch/router.... something in between - and
perhaps these messages aren't even making it to the firewall.

I'm having some problems interpreting this log, but it appears at times that
I'm not getting an ACK from my router, so I retransmit, which continues for
2 days until the timeout and the msg bounces with a rejection notice.

However, it's even more bizarre because I haven't located any packet loss.
I don't think it's an MTU problem, and the only time I can replicate the
email issue is by attempting to send .html attachments (not embedded).  They
aren't being received inbound and aren't reaching the recipient outbound.

This is a major issue, as it's backing up my queues, and we have some
applications that mail html attachments for reporting, etc.

Can anyone help me? I have dissected about everything I can think of.  There
are no rules on my Firewalls to prevent any attachments, no filtering is
turned on with my mail server or firewall.

TIA!!  I hope you all can find it in your heart to help me retain my sanity.

-S
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20070418/e23234dd/attachment.html

------------------------------

Message: 5
Date: Thu, 19 Apr 2007 07:26:42 +0200
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Bizarre mail issue on network, Please
       someone, help.
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Wed, Apr 18, 2007 at 11:18:15PM -0400, S R wrote:
>
> I'm having some problems interpreting this log, but it appears at times that
> I'm not getting an ACK from my router, so I retransmit, which continues for
> 2 days until the timeout and the msg bounces with a rejection notice.

I assume that with "log" you refer to the capture made on the relay server?
With the ACK you are referring to a TCP ACK coming from the SMTP server
you are trying to send mail to? With retransmit, do you mean a TCP
retransmit, or do you mean that the TCP session ends and the SMTP daemon
"retries" sending it after its configured interval? Since you say this
continues for two days, ending with a rejection notice, I assume you
were talking about the second option.

> However, it's even more bizarre because I haven't located any packet loss.
> I don't think it's an MTU problem, and the only time I can replicate the
> email issue is by attempting to send .html attachments (not embedded).  They
> aren't being received inbound and aren't reaching the recipient outbound.

Does this happen with only one recipient domain or with all domains
you are trying to send ".html" attachments to? I.e. can it be that the
problem is caused by the remote site instead of yours?

> Can anyone help me? I have dissected about everything I can think of.  There
> are no rules on my Firewalls to prevent any attachments, no filtering is
> turned on with my mail server or firewall.

Could you send me a (binary) capture file of one SMTP session in which
the message is not fully delivered?

Cheers,


Sake
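As an added example, not part of Sake's reply and not describing the original poster's actual network: the distinction Sake draws, a TCP-level retransmission versus an SMTP session that simply ends and is retried by the daemon later, can be checked from the reconstructed dialogue of one session (the text Wireshark's Follow TCP Stream shows) rather than from TCP flags. The Python below walks one SMTP exchange as a list of (direction, line) pairs and classifies how the delivery attempt ended: acknowledged with 250 after the body terminator, rejected with a 5xx, deferred with a 4xx, or ended with the body sent and no verdict at all. The transcripts are constructed; the hostnames, addresses, queue ID and reply texts are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# One session is a list of (direction, line): "C" is what the relay sent,
# "S" what the remote MTA replied. Lines are the SMTP text without CRLF.
Session = List[Tuple[str, str]]

# A reply line is a 3-digit code followed by a space (final) or "-" (continuation).
REPLY_RE = re.compile(r"^(\d{3})([ -]|$)")


def classify_smtp_session(session: Session) -> str:
    """Classify how a single SMTP delivery attempt ended, from the dialogue alone:
      'delivered'        remote acknowledged the message body with 250
      'rejected'         remote answered with a 5xx (permanent) reply
      'deferred'         remote answered with a 4xx (temporary) reply; the daemon retries
      'stalled-in-data'  "." terminator was sent but no verdict ever came back
      'stalled'          session ended before the body was sent, with no error reply
    """
    in_data = False            # between the DATA command and the "." terminator
    awaiting_body_ack = False  # "." sent, waiting for the remote's final reply
    for direction, line in session:
        if direction == "C":
            if in_data:
                if line == ".":
                    in_data, awaiting_body_ack = False, True
            elif line.upper().startswith("DATA"):
                in_data = True  # the 354 go-ahead arrives as a server line; body follows
            continue
        m = REPLY_RE.match(line)
        if not m or m.group(2) == "-":   # not a reply, or a multi-line continuation
            continue
        code = int(m.group(1))
        if 500 <= code < 600:
            return "rejected"
        if 400 <= code < 500:
            return "deferred"
        if awaiting_body_ack and code == 250:
            return "delivered"
    return "stalled-in-data" if awaiting_body_ack else "stalled"


def summarize(sessions: List[Session]) -> Dict[str, int]:
    """Count outcomes over many sessions, e.g. every attempt for one queued message."""
    counts: Dict[str, int] = {}
    for s in sessions:
        outcome = classify_smtp_session(s)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def _html_attachment_session(outcome: Session) -> Session:
    """Constructed dialogue: the relay sends a mail carrying an .html attachment;
    `outcome` is whatever follows the body terminator."""
    return [
        ("S", "220 mx.example.net ESMTP"),
        ("C", "EHLO relay.example.com"),
        ("S", "250-mx.example.net"),
        ("S", "250 SIZE 10240000"),
        ("C", "MAIL FROM:<reports@example.com>"),
        ("S", "250 2.1.0 Ok"),
        ("C", "RCPT TO:<user@example.net>"),
        ("S", "250 2.1.5 Ok"),
        ("C", "DATA"),
        ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", "Subject: daily report"),
        ("C", 'Content-Type: text/html; name="report.html"'),
        ("C", ""),
        ("C", "<html><body>report</body></html>"),
        ("C", "."),
    ] + outcome


DELIVERED = _html_attachment_session(
    [("S", "250 2.0.0 Ok: queued as 1A2B3C"), ("C", "QUIT"), ("S", "221 2.0.0 Bye")])
STALLED = _html_attachment_session([])  # remote never answers the body; daemon retries later
REJECTED = _html_attachment_session(
    [("S", "554 5.7.1 Message rejected"), ("C", "QUIT"), ("S", "221 2.0.0 Bye")])
DEFERRED = _html_attachment_session([("S", "451 4.3.0 Try again later")])

if __name__ == "__main__":
    for name, s in (("delivered", DELIVERED), ("stalled", STALLED),
                    ("rejected", REJECTED), ("deferred", DEFERRED)):
        print(f"{name:9s} -> {classify_smtp_session(s)}")
    print(summarize([DELIVERED, STALLED, STALLED]))
```

A session that ends as 'stalled-in-data' is Sake's second option: the SMTP transaction never got its final reply, so the daemon keeps the message queued and retries. Genuine TCP retransmissions are a separate question and show up in Wireshark under the display filter `tcp.analysis.retransmission`; seeing neither a reply to the body nor retransmissions in the same session is the combination worth sending as a binary capture, as Sake asks.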


------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 11, Issue 32
***********************************************