Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 10

From: Barry Constantine <Barry.Constantine@xxxxxxxx>
Date: Wed, 13 Apr 2011 10:17:26 -0700
Hello,

This is chained to the original VoIP analysis question that I asked last week.

I conducted a packet capture of a VoIP call when using the Microsoft Communicator audio (and USB headset).

I can open the attached capture file and decode as RTP, but doing a stream analysis does not allow me to view any graphs or listen to the call.  I am using Wireshark version 1.4.

If anyone can look at the attached capture (small sample), it would be appreciated.

Thanks,
Barry

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Tuesday, April 12, 2011 3:00 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 59, Issue 10

Send Wireshark-users mailing list submissions to
        wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
        wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
        wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Wireshark runtime error in readin TCPDump trace (Alireza Attar)
   2. Re: Wireshark-users Digest, Vol 59, Issue 9 (Barry Constantine)
   3. Re: Wireshark runtime error in readin TCPDump     trace
      (Stephen Fisher)
   4. Wireshark 1.5.1 is now available (Gerald Combs)
   5. Error: invalid command name "errOut" (Vinay Kumar)
   6. Re: VoIP RTP Analysis, Lost Packet Analysis (Martin Visser)
   7. Re: VoIP RTP Analysis, Lost Packet Analysis
      (RUOFF, LARS (LARS)** CTR **)
   8. Re: Error: invalid command name "errOut" (Jaap Keuter)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Apr 2011 12:21:49 -0700 (PDT)
From: "Alireza Attar" <attar@xxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Wireshark runtime error in readin TCPDump
        trace
Message-ID: <yx4dMRye.1302549709.6705110.attar@localhost>
Content-Type: text/plain; charset=ISO-8859-1


Hi all,

I am trying to read a TCPDump file available on the web (see the link below)
using Wireshark.

http://www.thefengs.com/wuchang/work/cstrike/tcpdump.11Apr0855.04

I have tried both a Windows-based machine and a Linux machine to read the
file. However, in both cases, after about 19%-20% of the data is read,
Wireshark crashes with a runtime error message. Is this related to the
size of the trace I am reading, a memory issue on my machine, or an error
in the trace? Any feedback is appreciated.

Regards,
Ali


------------------------------

Message: 2
Date: Mon, 11 Apr 2011 12:55:55 -0700
From: Barry Constantine <Barry.Constantine@xxxxxxxx>
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 9
Message-ID:
        <94DEE80C63F7D34F9DC9FE69E39436BE3A0451B524@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

OK, it must have been captured on a SPAN port and it has duplicate packets in it.

Thanks a lot Lars!

Barry

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Monday, April 11, 2011 3:00 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 59, Issue 9


Today's Topics:

   1. Re: Wireshark-users Digest, Vol 59, Issue 8 (Barry Constantine)
   2. Re: Wireshark-users Digest, Vol 59, Issue 8 (Boonie)
   3. Re: VoIP RTP Analysis, Lost Packet Analysis
      (RUOFF, LARS (LARS)** CTR **)
   4. Re: Wireshark-users Digest, Vol 59, Issue 8 (j.snelders)


----------------------------------------------------------------------

Message: 1
Date: Sun, 10 Apr 2011 12:05:35 -0700
From: Barry Constantine <Barry.Constantine@xxxxxxxx>
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 8
Message-ID: <54877A58-BA2A-47EA-B409-998E14218EEB@xxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Sure, but where do I post the capture file to?

Thanks, Barry


On Apr 10, 2011, at 3:02 PM, "wireshark-users-request@xxxxxxxxxxxxx" <wireshark-users-request@xxxxxxxxxxxxx> wrote:

>
> Today's Topics:
>
>   1. Re: VoIP RTP Analysis, Lost Packet Analysis (Jake Peavy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 9 Apr 2011 19:20:42 -0600
> From: Jake Peavy <djstunks@xxxxxxxxx>
> To: Community support list for Wireshark
>    <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis
> Message-ID: <BANLkTi=5Ngzq5OJ6jx51VZ0UegZRRzLLFg@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="windows-1252"
>
> On Sat, Apr 9, 2011 at 8:23 AM, Barry Constantine <
> Barry.Constantine@xxxxxxxx> wrote:
>
>> Hi,
>>
>>
>>
>> I am analyzing VoIP capture files in Wireshark 1.4 and am confused about
>> the RTP analysis results.
>>
>>
>>
>> The jitter results match what I expect, but the packet loss results do not.
>>
>>
>>
>> I know for a fact that the file contains no packet loss and yet the RTP
>> analysis screen reports all packets as lost "negatively" (and gives an odd
>> -100% value).
>>
>>
>>
>> Any ideas?
>>
>
>
> Can you post a sample capture?
>
> --
> -jp
>
> They were a proud people. In fact, some said they were too proud. If you
> asked them why they were so proud, they'd just laugh and say, "We're not
> even going to answer that." Later, they were tied to the bumper of a car and
> dragged around the block, as onlookers shrieked with delight. But one old
> man, who had a banjo, just shook his head and walked away. The crowd noticed
> this and set him on fire.
>
> deepthoughtsbyjackhandey.com
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 59, Issue 8
> **********************************************


------------------------------

Message: 2
Date: Mon, 11 Apr 2011 07:38:35 +0200
From: "Boonie" <newsboonie@xxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 8
Message-ID: <5D2A5A3B66F6488F95338284682777CC@AMD>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
        reply-type=original


----- Original Message -----
From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Sunday, April 10, 2011 9:05 PM
Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 8


> Sure, but where do I post the capture file to?
>
> Thanks, Barry


You may want to post it here: http://www.cloudshark.org/

But, be aware it is public and you cannot erase it.

Dave



------------------------------

Message: 3
Date: Mon, 11 Apr 2011 09:30:22 +0200
From: "RUOFF, LARS (LARS)** CTR **" <lars.ruoff@xxxxxxxxxxxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis
Message-ID:
        <23C6087F32FB3A43941E25922F87538E21E556F606@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="us-ascii"


What you describe can happen if you have all packets as duplicates or if they all have the same RTP sequence number.
Your sample capture file will tell us.
If you limit the file to a reasonable size (10 successive RTP packets from the stream will be sufficient to see where the problem is), there's no problem for posting it as an attachment on this list.

Lars



________________________________

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Barry Constantine
Sent: Saturday, 9 April 2011 16:24
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis



Hi,



I am analyzing VoIP capture files in Wireshark 1.4 and am confused about the RTP analysis results.



The jitter results match what I expect, but the packet loss results do not.



I know for a fact that the file contains no packet loss and yet the RTP analysis screen reports all packets as lost "negatively" (and gives an odd -100% value).



Any ideas?



Thanks,

Barry



------------------------------

Message: 4
Date: Mon, 11 Apr 2011 10:52:47 +0200
From: "j.snelders" <j.snelders@xxxxxxxxxx>
To: "Community support list for Wireshark"
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 8
Message-ID: <4CA9A73F000A1BF5@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

You can also use YouSendIt:
www.yousendit.com
It is free for files up to 100MB.

My best
Joke

On Mon, 11 Apr 2011 07:38:35 +0200 Boonie wrote:
>----- Original Message -----
>From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
>To: <wireshark-users@xxxxxxxxxxxxx>
>Sent: Sunday, April 10, 2011 9:05 PM
>Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 59, Issue 8
>
>
>> Sure, but where do I post the capture file to?
>>
>> Thanks, Barry
>
>
>You may want to post it here: http://www.cloudshark.org/
>
>But, be aware it is public and you cannot erase it.
>
>Dave







------------------------------



End of Wireshark-users Digest, Vol 59, Issue 9
**********************************************


------------------------------

Message: 3
Date: Mon, 11 Apr 2011 14:58:31 -0600
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark runtime error in readin
        TCPDump trace
Message-ID: <20110411205831.GA96348@xxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Mon, Apr 11, 2011 at 12:21:49PM -0700, Alireza Attar wrote:

> I have tried both a Windows-based machine and a Linux machine to read
> the file. However, in both cases, after about 19%-20% of the data is read,
> Wireshark crashes with a runtime error message. Is this related to
> the size of the trace I am reading, a memory issue on my machine, or an
> error in the trace? Any feedback is appreciated.

You're probably just running out of memory.  I've loaded 46% of that
file so far (752MB) and it's consuming 3.5GB of RAM.  See this web page
for more details: http://wiki.wireshark.org/KnownBugs/OutOfMemory



------------------------------

Message: 4
Date: Mon, 11 Apr 2011 14:00:48 -0700
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
To: wireshark-announce@xxxxxxxxxxxxx,   Community support list for
        Wireshark <wireshark-users@xxxxxxxxxxxxx>,      Developer support list for
        Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Wireshark 1.5.1 is now available
Message-ID: <4DA36C00.5020806@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8


I'm proud to announce the release of Wireshark 1.5.1. This is an
experimental release intended to test features that will go into
Wireshark 1.6.

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer.
   It is used for troubleshooting, analysis, development and
   education.

What's New

  Bug Fixes

   The following bugs have been fixed:

     o Wireshark is unresponsive when capturing from named pipes on
       Windows. (Bug 1759)

     o Ring buffers are no longer turned on by default when using
       multiple capture files.

  New and Updated Features

   The following features are new (or have been significantly
   updated) since version 1.4:

     o Wireshark can import text dumps, similar to text2pcap.

     o You can now view Wireshark's dissector tables (for example the
       TCP port to dissector mappings) from the main window.

     o TShark can show a specific occurrence of a field when using
       '-T fields'.

     o Custom columns can show a specific occurrence of a field.

     o You can hide columns in the packet list.

     o Wireshark can now export SMB objects.

     o dftest and randpkt now have manual pages.

     o TShark can now display iSCSI service response times.

     o Dumpcap can now save files with a user-specified group id.

     o Syntax checking is done for capture filters.

     o You can display the compiled BPF code for capture filters in
       the Capture Options dialog.

     o You can now navigate backwards and forwards through TCP and
       UDP sessions using Ctrl+, and Ctrl+. .

     o Packet length is (finally) a default column.

     o TCP window size is now available both scaled and unscaled. A
       TCP window scaling graph is available in the GUI.

     o 802.1q VLAN tags are now shown by the Ethernet II dissector.

     o Various dissectors now display some UTF-16 strings as proper
       Unicode including the DCE/RPC and SMB dissectors.

     o The RTP player now has an option to show the time of day in
       the graph in addition to the seconds since beginning of
       capture.

     o The RTP player now shows why media interruptions occur.

     o Graphs now save as PNG images by default.

     o TShark can read and write host name information from and to
       pcapng-formatted files. Wireshark can read it. TShark can dump
       host name information via

       [-z hosts]

     o The tshark -z option now uses the

       [-z <proto>,srt]

       syntax instead of

       [-z <proto>,rtt]

       for all protocols that support service response time
       statistics. This syntax now matches Wireshark's syntax for
       this option.

  New Protocol Support

   ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing
   Protocol, Constrained Application Protocol (COAP), Digium TDMoE,
   Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel
   over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband
   Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik
   MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio
   header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD,
   ReLOAD Framing, RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink,
   WAI authentication, Wi-Fi P2P (Wi-Fi Direct)

  Updated Protocol Support

  New and Updated Capture File Support

   Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP
   OpenVMS TCPTrace, IPFIX (the file format, not the protocol),
   Lucent/Ascend debug, Microsoft Network Monitor, Network
   Instruments, TamoSoft CommView


Digests



------------------------------

Message: 5
Date: Tue, 12 Apr 2011 10:55:51 +0530
From: Vinay Kumar <vinaykumar.l@xxxxxxxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Cc: Vinay Kumar <vinaykumar.l@xxxxxxxxxxxxxxxxxx>
Subject: [Wireshark-users] Error: invalid command name "errOut"
Message-ID: <4DA3E25F.2090807@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi All,

I am getting the following Wireshark error during TCLSim Setup for Analyzer:

invalid command name "errOut"
invalid command name "errOut"
    while executing
"errOut "Error in $ANALYZER_BIN_DIR/tshark.exe -D command. This may
occur because Wireshark has never executed and had the Preference
information saved..."
    invoked from within
"if [catch {exec $ANALYZER_BIN_DIR/tshark.exe -D} ALL_INTERFACE] {
                    errOut "Error in $ANALYZER_BIN_DIR/tshark.exe -D
command. This may occur ..."
    ("wireshark" arm line 16)
    invoked from within
"switch $module {
            ethereal {
                # Source global variables
            global ANALYZER_BIN_DIR
                if {$ANALYZER_BIN_DIR == ""} {
                        tk_messageBox -par..."
    (procedure "SelectAnalyzerInterface" line 3)
    invoked from within
"SelectAnalyzerInterface $ANALYZER_PARSER"
    invoked from within
".setup.notebook.fSEC.frame1.analyzerFrame.captButton invoke"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 [list $w invoke]"
    (procedure "tk::ButtonUp" line 24)
    invoked from within
"tk::ButtonUp .setup.notebook.fSEC.frame1.analyzerFrame.captButton"
    (command bound to event)


The version of Wireshark used is 0.99.7. Please let me know the reason
for getting this error and changes in Wireshark settings required.

Thanks & Best Regards,
Vinay

------------------------------

Message: 6
Date: Tue, 12 Apr 2011 19:16:04 +1000
From: Martin Visser <martinvisser99@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis
Message-ID: <BANLkTinJayiMvsb125=YYVC5cyQYc6fMjg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

I can't imagine any normal network where you would get duplicate RTP packets
(they are UDP datagrams, so who is going to resend them?)

Regards, Martin

MartinVisser99@xxxxxxxxx


On 11 April 2011 17:30, RUOFF, LARS (LARS)** CTR ** <
lars.ruoff@xxxxxxxxxxxxxxxxxx> wrote:

>
> What you describe can happen if you have all packets as duplicates or if
> they all have the same RTP sequence number.
> Your sample capture file will tell us.
> If you limit the file to a reasonable size (10 successive RTP packets from
> the stream will be sufficient to see where the problem is), there's no
> problem for posting it as an attachment on this list.
>
> Lars
>
>
>
> ________________________________
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:
> wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Barry Constantine
> Sent: Saturday, 9 April 2011 16:24
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis
>
>
>
> Hi,
>
>
>
> I am analyzing VoIP capture files in Wireshark 1.4 and am confused about
> the RTP analysis results.
>
>
>
> The jitter results match what I expect, but the packet loss results do not.
>
>
>
> I know for a fact that the file contains no packet loss and yet the RTP
> analysis screen reports all packets as lost "negatively" (and gives an odd
> -100% value).
>
>
>
> Any ideas?
>
>
>
> Thanks,
>
> Barry
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx
> ?subject=unsubscribe
>

------------------------------

Message: 7
Date: Tue, 12 Apr 2011 11:31:25 +0200
From: "RUOFF, LARS (LARS)** CTR **" <lars.ruoff@xxxxxxxxxxxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis
Message-ID:
        <23C6087F32FB3A43941E25922F87538E21E55BAE79@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="us-ascii"

It can be a capture method artefact, like badly configured mirroring.

But thinking about it, pairwise duplicate packets should give a total of -50% packet loss.
-100% seems to indicate that *all* packets are seen as duplicates of the first one; in other words, the sequence number is not increasing at all.

regards,
Lars



________________________________

From: Martin Visser [mailto:martinvisser99@xxxxxxxxx]
Sent: Tuesday, 12 April 2011 11:16
To: Community support list for Wireshark
Cc: RUOFF, LARS (LARS)** CTR **
Subject: Re: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis


I can't imagine any normal network where you would get duplicate RTP packets (they are UDP datagrams, so who is going to resend them?)

Regards, Martin

MartinVisser99@xxxxxxxxx



On 11 April 2011 17:30, RUOFF, LARS (LARS)** CTR ** <lars.ruoff@xxxxxxxxxxxxxxxxxx> wrote:



        What you describe can happen if you have all packets as duplicates or if they all have the same RTP sequence number.
        Your sample capture file will tell us.
        If you limit the file to a reasonable size (10 successive RTP packets from the stream will be sufficient to see where the problem is), there's no problem for posting it as an attachment on this list.

        Lars



        ________________________________

        From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Barry Constantine
        Sent: Saturday, 9 April 2011 16:24
        To: wireshark-users@xxxxxxxxxxxxx
        Subject: [Wireshark-users] VoIP RTP Analysis, Lost Packet Analysis




        Hi,



        I am analyzing VoIP capture files in Wireshark 1.4 and am confused about the RTP analysis results.



        The jitter results match what I expect, but the packet loss results do not.



        I know for a fact that the file contains no packet loss and yet the RTP analysis screen reports all packets as lost "negatively" (and gives an odd -100% value).



        Any ideas?



        Thanks,

        Barry


        ___________________________________________________________________________
        Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
        Archives:    http://www.wireshark.org/lists/wireshark-users
        Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                    mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
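
An added example, not part of any message in this digest and not Wireshark's code: the RFC 3550 loss arithmetic (packets expected minus packets received) applied to RTP headers, showing how mirrored duplicates or a non-incrementing sequence number drive the loss negative, and how counting repeated (sequence number, timestamp) pairs tells the two causes apart. The packets, SSRC and function names are constructed for illustration, and the percentage uses RFC 3550's denominator (packets expected), which a given analyzer may not share.

```python
import struct

HALF_RANGE = 1 << 15   # split of the 16-bit sequence space into "ahead" and "behind"
SSRC = 0x1234ABCD      # constructed stream identifier


def make_rtp(seq, timestamp, ssrc=SSRC, pt=0):
    """Build a constructed RTP v2 packet: 12-byte header plus 4 dummy payload bytes."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + b"\x00" * 4


def parse_rtp(data):
    """Return (seq, timestamp, ssrc) from the fixed RTP header (RFC 3550, 5.1)."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte RTP header")
    first, _marker_pt, seq, timestamp, ssrc = struct.unpack("!BBHII", data[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, timestamp, ssrc


def loss_report(packets):
    """Per-SSRC loss figures, with and without capture duplicates."""
    streams = {}
    for data in packets:
        seq, timestamp, ssrc = parse_rtp(data)
        st = streams.get(ssrc)
        if st is None:
            st = streams[ssrc] = {"base": seq, "max": seq, "cycles": 0,
                                  "received": 0, "unique": set()}
        else:
            delta = (seq - st["max"]) & 0xFFFF
            if 0 < delta < HALF_RANGE:       # ahead of the highest seen so far
                if seq < st["max"]:          # 65535 -> 0 wrap
                    st["cycles"] += 1 << 16
                st["max"] = seq
        st["received"] += 1
        # A mirrored copy repeats both fields; a new packet changes at least one.
        st["unique"].add((seq, timestamp))

    report = {}
    for ssrc, st in streams.items():
        expected = st["cycles"] + st["max"] - st["base"] + 1
        lost = expected - st["received"]     # negative when copies outnumber gaps
        unique = len(st["unique"])
        report[ssrc] = {
            "expected": expected,
            "received": st["received"],
            "lost": lost,
            "loss_pct": 100.0 * lost / expected,
            "duplicates": st["received"] - unique,
            "lost_after_dedup": expected - unique,
        }
    return report


# Constructed samples: 10 packets, 160 timestamp ticks apart.
CLEAN = [make_rtp(100 + i, 160 * i) for i in range(10)]
MIRRORED = [p for p in CLEAN for _ in range(2)]          # every packet captured twice
STUCK = [make_rtp(100, 160 * i) for i in range(10)]      # sequence number never increases

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("mirrored", MIRRORED), ("stuck", STUCK)):
        print(name, loss_report(sample)[SSRC])
```

A negative loss with a non-zero `duplicates` count points at the capture setup; a negative loss with zero duplicates points at the sender's sequence numbers.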





------------------------------

Message: 8
Date: Tue, 12 Apr 2011 12:05:59 +0200
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Error: invalid command name "errOut"
Message-ID: <04DD72EE-1D60-48F2-B42F-731596D43769@xxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hi,

First of all this isn't a 'Wireshark product' you're referring to, but a derivative. You may ask the TCLSim people.

From what I see the problem could be that you don't run the program with enough privileges to open the interfaces to capture on.

Try running as root. Even better, have the TCLSim people go with a newer Wireshark release and use privilege separation, which is a safer solution.

Thanks,
Jaap

Sent from my iPhone

On 12 apr. 2011, at 07:25, Vinay Kumar <vinaykumar.l@xxxxxxxxxxxxxxxxxx> wrote:

> Hi All,
>
> I am getting the following Wireshark error during TCLSim Setup for Analyzer:
>
> invalid command name "errOut"
> invalid command name "errOut"
>     while executing
> "errOut "Error in $ANALYZER_BIN_DIR/tshark.exe -D command. This may occur because Wireshark has never executed and had the Preference information saved..."
>     invoked from within
> "if [catch {exec $ANALYZER_BIN_DIR/tshark.exe -D} ALL_INTERFACE] {
>                     errOut "Error in $ANALYZER_BIN_DIR/tshark.exe -D command. This may occur ..."
>     ("wireshark" arm line 16)
>     invoked from within
> "switch $module {
>             ethereal {
>                 # Source global variables
>             global ANALYZER_BIN_DIR
>                 if {$ANALYZER_BIN_DIR == ""} {
>                         tk_messageBox -par..."
>     (procedure "SelectAnalyzerInterface" line 3)
>     invoked from within
> "SelectAnalyzerInterface $ANALYZER_PARSER"
>     invoked from within
> ".setup.notebook.fSEC.frame1.analyzerFrame.captButton invoke"
>     ("uplevel" body line 1)
>     invoked from within
> "uplevel #0 [list $w invoke]"
>     (procedure "tk::ButtonUp" line 24)
>     invoked from within
> "tk::ButtonUp .setup.notebook.fSEC.frame1.analyzerFrame.captButton"
>     (command bound to event)
>
>
> The version of Wireshark used is 0.99.7. Please let me know the reason for getting this error and changes in Wireshark settings required.
>
> Thanks & Best Regards,
> Vinay
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

------------------------------



End of Wireshark-users Digest, Vol 59, Issue 10
***********************************************

Attachment: VoIP_Communicator_Snippet.pcap
Description: VoIP_Communicator_Snippet.pcap