Wireshark-users: Re: [Wireshark-users] Packet Analysis of Wireshark

From: Revathi Rangachari <masrrev@xxxxxxxxx>
Date: Fri, 17 Apr 2009 13:16:53 +0530
Hi

Please find attached the screen shot where I included the data that I
intent to capture.  This is Oracle 11i instance application running on
an IP and port no.8045.

The wire shark displays data when the application is running and
retrieves data.  But when I enter data in a Form and say Submit
Wireshark does not display anything on  the screen but the Status Bar
displays the number of Packets captured and the number keeps
incrementing.

When I save this, I do see the contents of the data captured.  But
they are in bytes or hex format ( the format) of which I am not very
sure.  The trace starts at Ethernet layer.

My question is how to get this data to a readable format?

Thanks in advance
Revathi


On Wed, Apr 15, 2009 at 10:54 PM,
<wireshark-users-request@xxxxxxxxxxxxx> wrote:
> Send Wireshark-users mailing list submissions to
>        wireshark-users@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
>        wireshark-users-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
>        wireshark-users-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>   1. Getting the error rate statistics (Vladimir Malygin)
>   2. Packet Analysis captured by Wireshark (Revathi Rangachari)
>   3. Re: tshark io,stat usage (Florent Deybach)
>   4. Can Wireshark tell me the IP and mac of a device, before it's
>      on the network? (John Arwine)
>   5. Packet Analysis of Wireshark (Revathi Rangachari)
>   6. Re: Packet Analysis of Wireshark (Anders Broman)
>   7. Re: Packet Analysis captured by Wireshark (Guy Harris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 15 Apr 2009 11:50:39 +0400
> From: Vladimir Malygin <thamiorsinister@xxxxxxxxx>
> Subject: [Wireshark-users] Getting the error rate statistics
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
>        <9f0e3b7c0904150050x2ff6780fo959b18d63b84466f@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Please help. I need to get TCP error rate statistics of a connection. How
> should I do it?
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.wireshark.org/lists/wireshark-users/attachments/20090415/63f0c625/attachment.htm
>
> ------------------------------
>
> Message: 2
> Date: Wed, 15 Apr 2009 16:17:29 +0530
> From: Revathi Rangachari <masrrev@xxxxxxxxx>
> Subject: [Wireshark-users] Packet Analysis captured by Wireshark
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
>        <5cfd52c10904150347n5aa954b6g4a86b2de2a040082@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> How to analyze the packets captured by wireshark.  Capture outputs
> certain set of data in bytes, but how to decipher the captured data?
> A sample data is given below:
>
> 0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f   ....1c......`-..
> 0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66 6e   ..)F.#..C..w..fn
> 0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42   ...J... .^o..(.B
> 0030  c3 ae d0 bb cf 09
>
> The guide says that this data is in bytes.  How to make this data meaningful?
>
> Any help in this regard will be  highly appreciated.  I need this
> urgently for one of my projects.  I am a IT professional.
>
> Thanks in advance.
> masrrev
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 14 Apr 2009 17:21:41 +0200
> From: Florent Deybach <fdeybach@xxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark io,stat usage
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
>        <28889dad0904140821q3f23015m9bcb8dc5b35e1aa0@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You're right, I've found the bug:
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2880
>
> Thanks for the advice !!
>
> regards
>
> 2009/4/14  <j.snelders@xxxxxxxxxx>:
>> Hi Florent,
>>
>> You have to use the . as decimal symbol.
>>
>> Please check:
>> Settings -> Control Pannel -> Regional And Language Options
>>
>> Regards
>> Joan
>>
>> On Tue, 14 Apr 2009 15:33:14 +0200 Florent Deybach wrote:
>>>Hello,
>>>
>>>I am trying to use tshark to generate statistics using the AVG, SUM,
>>>etc... functions.
>>>I am not able to use the filter parameter, i.e.:
>>>
>>>The following commands :
>>>
>>>$tshark -r D:\capture-00033.pcap -qz io,stat,30,AVG(frame.pkt_len)frame.pkt_len
>>>and
>>>$tshark -r D:\capture-00033.pcap -qz io,stat,30
>>>
>>>give me the same output:
>>>
>>>===================================================================
>>>IO Statistics
>>>Interval: 30.000 secs
>>>Column #0:
>>> ? ? ? ? ? ? ? ?| ? Column #0
>>>Time ? ? ? ? ? ?|frames| ?bytes
>>>000.000-030.000 ?222841 ?61137025
>>>030.000-060.000 ? ?9155 ? 2257762
>>>===================================================================
>>>
>>>In fact, I can put whatever I want in the filter parameter, I always
>>>get the same output as if the parameter isn't set....
>>>
>>>For example with the parameter
>>>-z io,stat,1,ip.addr==1.2.3.4
>>>I get the same output as without it (and the IP is a fake, it should
>>>give me no stats...): -z io,stat,1
>>>
>>>What did I wrong ??
>>>
>>>Thanks,
>>>
>>>Florent
>>>___________________________________________________________________________
>>>Sent via: ? ?Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>Archives: ? ?http://www.wireshark.org/lists/wireshark-users
>>>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> ? ? ? ? ? ? mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>>
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via: ? ?Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: ? ?http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> ? ? ? ? ? ? mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 14 Apr 2009 09:46:58 -0700
> From: "John Arwine" <JohnA@xxxxxxxxxx>
> Subject: [Wireshark-users] Can Wireshark tell me the IP and mac of a
>        device, before it's on the network?
> To: <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
>        <1CAEF4BAEAD6574689909C7338E88FEFB9D72A@xxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Occasionally I run into an industrial device that I need to integrate
> with.  My first step is getting it an IP address assigned by the Network
> control people.  They need this request early, usually before the device
> is properly set up / programmed.  I need to give them the devices MAC
> before they will give me an IP.
>
>
>
> I am looking for a method to plug into the device and get it to tell me
> it's MAC address, and hostname if it has one.
>
>
>
> I know that many devices have MAC printed on the NIC, but not all
> manufacturers are that polite, that's the reason for my request.
>
> Yes, I know that if I can find the default IP, I use command prompt
> command "arp -a" after I ping the device and get the MAC.
>
> My problem is that I can't always find the Default IP.
>
>
>
> Is there some method by which I can use a laptop and Wireshark to
> somehow force the unit to respond, so that I can capture it's IP?
>
>
>
> Thank you!
>
> John Arwine
>
> ATS Automation
>
> Group Operations Manager
>
> 425-251-9680 Front Desk
>
> 425-264-9339 Desk
>
> 206-276-0602 Cell
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.wireshark.org/lists/wireshark-users/attachments/20090414/12dbfe43/attachment.htm
>
> ------------------------------
>
> Message: 5
> Date: Wed, 15 Apr 2009 16:07:12 +0530
> From: Revathi Rangachari <masrrev@xxxxxxxxx>
> Subject: [Wireshark-users] Packet Analysis of Wireshark
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
>        <5cfd52c10904150337p53d0f011g8779e9598237eae3@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> How to analyze the packets captured by wireshark.  Capture outputs
> certain set of data in bytes, but how to decipher the captured data?
> A sample data is given below:
>
> 0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f   ....1c......`-..
> 0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66 6e   ..)F.#..C..w..fn
> 0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42   ...J... .^o..(.B
> 0030  c3 ae d0 bb cf 09
>
> The guide says that this data is in bytes.  How to make this data meaningful?
>
> Any help in this regard will be  highly appreciated.  I need this
> urgently for one of my projects.  I am a IT professional.
>
> Thanks in advance.
> Revathi
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 15 Apr 2009 16:38:01 +0200
> From: "Anders Broman" <anders.broman@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Packet Analysis of Wireshark
> To: "Community support list for Wireshark"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
>        <E48F3A0F80C4B642BF6A5FF3257DFBB90674BF54@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi,
> I'm not sure I understand the question...
> There is no way to deciper that data without knowing something about the
> capture...
> What layer does the trace start at? Ethernet? What does Wirehark show?
> Regards
> Anders
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Revathi
> Rangachari
> Sent: den 15 april 2009 12:37
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Packet Analysis of Wireshark
>
> Hi
>
> How to analyze the packets captured by wireshark.  Capture outputs
> certain set of data in bytes, but how to decipher the captured data?
> A sample data is given below:
>
> 0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f   ....1c......`-..
> 0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66 6e   ..)F.#..C..w..fn
> 0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42   ...J... .^o..(.B
> 0030  c3 ae d0 bb cf 09
>
> The guide says that this data is in bytes.  How to make this data
> meaningful?
>
> Any help in this regard will be  highly appreciated.  I need this
> urgently for one of my projects.  I am a IT professional.
>
> Thanks in advance.
> Revathi
> ________________________________________________________________________
> ___
> Sent via:    Wireshark-users mailing list
> <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 15 Apr 2009 10:24:45 -0700
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Packet Analysis captured by Wireshark
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <12C5454E-5D1D-40B7-B7A5-FE4A79D51833@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On Apr 15, 2009, at 3:47 AM, Revathi Rangachari wrote:
>
>> How to analyze the packets captured by wireshark.  Capture outputs
>> certain set of data in bytes, but how to decipher the captured data?
>
> I believe there's a program called "Wireshark" that can read a capture
> file from Wireshark and dissect the captured data. :-)
>
>> A sample data is given below:
>>
>> 0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f   ....
>> 1c......`-..
>> 0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66
>> 6e   ..)F.#..C..w..fn
>> 0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42   ...J... .^o..
>> (.B
>> 0030  c3 ae d0 bb cf 09
>>
>> The guide says that this data is in bytes.  How to make this data
>> meaningful?
>
> Look at the middle pane in the Wireshark window, rather than the
> bottommost pane.  If Wireshark doesn't display a detailed dissection
> in the middle pane, either it doesn't understand one or more of the
> protocols in the packet (in which case, to make it meaningful,
> somebody would have to contribute dissectors for those protocols), or
> it doesn't recognize that those are the protocols (in which case, to
> make it meaningful, Wireshark might have to be explicitly told, e.g.
> through the "Decode As" menu option, that those are the protocols, or
> the dissectors might have to be changed to try to "heuristically"
> recognize packets), or the data is encrypted and Wireshark isn't
> decrypting it (in which case, either Wireshark will have to have code
> added to it to decrypt the packets, or you'll have to supply the
> information needed to decrypt it).
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 35, Issue 34
> ***********************************************
>

Attachment: DataCapture.JPG
Description: JPEG image