Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 61, Issue 8
From: Barry Constantine <Barry.Constantine@xxxxxxxx>
Date: Fri, 10 Jun 2011 13:22:49 -0700
Hi Stephen,

Thanks for your quick reply on the Wireshark 1.6 and Field occurrence feature.

I kind of follow it, but not all the way. I used your example and added "ip.addr" as a column. I am not sure what you mean by "move the mouse over the field and you it will display the number of occurrences".

Can you provide a little more detail?

Thanks,
Barry

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Friday, June 10, 2011 3:00 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 61, Issue 8

Send Wireshark-users mailing list submissions to
    wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
    wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
    wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..."

Today's Topics:

   1. Help SMB Video DVCPRO Reading Troubleshooting ? (Tal Bar-Or)
   2. EtherCAT can't be captured though Ethernet works (N Nguyen)
   3. Time Display issues opening traces (Chris Alton)
   4. Re: Time Display issues opening traces (Tim.Poth@xxxxxxxxxxx)
   5. Re: Time Display issues opening traces (Jeff Morriss)
   6. Wireshark 1.6 and Fields (Barry Constantine)
   7. Re: EtherCAT can't be captured though Ethernet works (Guy Harris)
   8. Re: Wireshark 1.6 and Fields (Stephen Fisher)

----------------------------------------------------------------------

Message: 1
Date: Fri, 10 Jun 2011 12:40:06 +0300
From: Tal Bar-Or <tbaror@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Help SMB Video DVCPRO Reading Troubleshooting ?
Message-ID: <BANLkTi=95P7GAJU0ke1fViJjhFSRZfDQhw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I have the current situation: a client (win2k3) on a 1Gigabit net that is used to edit video with the following format: HD 100mbit (dvcpro) + 4 wave channel audio. The media is located on a storage NAS (exanet, redhat based).

The issue is that while the client is reading the video, and when he needs to slide/scroll back the video, the video is playing but the sound is getting behind the video lip-sync.

I did a trace of 60 sec; at around 22 sec to 27 the slide/scroll back occurred, and a few sec after it we saw the sound getting behind the video lip-sync. In our video definition, usually after 40ms DELAY we start to see lost frames or lip-sync issues.

I did some analysis on the trace; I can see that the storage is having some delay read request issues a few seconds after scrolling back the video, more than half a minute and even further.

What bothers me in the trace is that when analyzing *tcp.analysis.ack_rtt* as well, I can see that there are some periods of the trace with more than 50ms delays from both client and server. Can I conclude that the client suffers from some network congestion, or also the storage?

Any ideas and tips would be appreciated, since it's one of my first *smb* analyses.

Please advise
Thanks

[image: s4strace.png?psid=1]
--
[image: smbstat.png?psid=1]
Tal Bar-or
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20110610/e8232540/attachment.html>

------------------------------

Message: 2
Date: Fri, 10 Jun 2011 06:27:32 -0700 (PDT)
From: N Nguyen <catsmemory2009@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] EtherCAT can't be captured though Ethernet works
Message-ID: <326155.27943.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hello,

I am using EtherCAT, and I'd like to use wireshark to capture the frames.
If I stop the EtherCAT, the eth0 is listed in the capture list, and everything is OK.
But if I start EtherCAT, the ifconfig tells that there's only local loopback lo 127.0.0.1. And apparently wireshark cannot capture the EtherCAT, although I am transferring frames via my NIC card (RTL 8139).

Does anyone have any comment?

Thank you very much in advance!!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20110610/48d66b67/attachment.html>

------------------------------

Message: 3
Date: Fri, 10 Jun 2011 11:10:36 -0400
From: Chris Alton <enfiniti27@xxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Time Display issues opening traces
Message-ID: <BLU197-W3659BFB6638ABC2CBA91BD4640@xxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

I wanted to know if there was any way to prevent Wireshark from displaying the trace time in local time but the actual time the trace was taken. This makes analyzing traces from different time zones a complete pain. If I have logs from somebody that are in their time zone but the trace is in mine it makes it a LOT harder to find things since I have to mentally compensate for this time zone change.

Any help / info would be appreciated.

Thanks,
Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20110610/ebdc2109/attachment.html>

------------------------------

Message: 4
Date: Fri, 10 Jun 2011 11:35:05 -0400
From: <Tim.Poth@xxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Time Display issues opening traces
Message-ID: <8E3496A7FE7C04479D0365EC4C59BAB46F6A62FB1A@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

If you're on windows you can set a timezone variable in a command prompt that will affect anything that uses the C runtime.
If you launch wireshark from that command prompt the times will show up as you want.

EG
set TZ=GMT10
set TZ=GMT-5

hope that helps

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Chris Alton
Sent: Friday, June 10, 2011 11:11 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Time Display issues opening traces

Hi All,

I wanted to know if there was any way to prevent Wireshark from displaying the trace time in local time but the actual time the trace was taken. This makes analyzing traces from different time zones a complete pain. If I have logs from somebody that are in their time zone but the trace is in mine it makes it a LOT harder to find things since I have to mentally compensate for this time zone change.

Any help / info would be appreciated.

Thanks,
Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20110610/54d6dcba/attachment.html>

------------------------------

Message: 5
Date: Fri, 10 Jun 2011 11:37:46 -0400
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Time Display issues opening traces
Message-ID: <4DF23A4A.1090305@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Chris Alton wrote:
> Hi All,
>
> I wanted to know if there was any way to prevent Wireshark from
> displaying the trace time in local time but the actual time the trace
> was taken. This makes analyzing traces from different time zones a
> complete pain. If I have logs from somebody that are in their time zone
> but the trace is in mine it makes it a LOT harder to find things since I
> have to mentally compensate for this time zone change.

If you're on a UNIX-like system, it's quite easy to change the timezone Wireshark uses.
Just run Wireshark like, for example:

TZ=GMT wireshark

If you're on Windows then there is no solution currently. But there is an enhancement request for such functionality, see:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2629

------------------------------

Message: 6
Date: Fri, 10 Jun 2011 10:13:04 -0700
From: Barry Constantine <Barry.Constantine@xxxxxxxx>
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Wireshark 1.6 and Fields
Message-ID: <94DEE80C63F7D34F9DC9FE69E39436BE3A0C2EE53F@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hi Folks,

Hope this is not a dumb question, but I was wondering if anyone could provide more insight into these two (2) new features of 1.6:

* TShark can show a specific occurrence of a field when using '-T fields'.

* Custom columns can show a specific occurrence of a field.

Thanks,
Barry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20110610/ac708a35/attachment.html>

------------------------------

Message: 7
Date: Fri, 10 Jun 2011 10:32:07 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] EtherCAT can't be captured though Ethernet works
Message-ID: <E6D59BE9-EE4F-4662-B996-E6900DDE187E@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Jun 10, 2011, at 6:27 AM, N Nguyen wrote:

> I am using EtherCAT, and I'd like to use wireshark to capture the frames.
> If I stop the EtherCAT, the eth0 is listed in the capture list, and everything is OK.
> But if I start EtherCAT, the ifconfig tells that there's only local loopback lo 127.0.0.1. And apparently wireshark cannot capture the EtherCAT, although I am transferring frames via my NIC card (RTL 8139).

What do you mean by "stop the EtherCAT" and "start the EtherCAT"?
Is this something you do on the machine running Wireshark, or just on the network?

If it's something you do on the machine running Wireshark, perhaps the EtherCAT implementation somehow turns the Ethernet adapter into something that the rest of the networking stack doesn't recognize as a network interface, so that the rest of the networking stack - including the packet capture mechanism - can't use it.

(I'm guessing, from "local loopback lo 127.0.0.1", that you're running on Linux, where the loopback interface is generally called just "lo", rather than "lo0". What does "ifconfig -a" report when EtherCAT has been started and when EtherCAT has been stopped?)

------------------------------

Message: 8
Date: Fri, 10 Jun 2011 12:02:01 -0600
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark 1.6 and Fields
Message-ID: <20110610180201.GA75169@xxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Fri, Jun 10, 2011 at 10:13:04AM -0700, Barry Constantine wrote:

> Hope this is not a dumb question, but I was wondering if anyone could
> provide more insight into these two (2) new features of 1.6:
>
>
> * TShark can show a specific occurrence of a field when using '-T
> fields'.
>
> * Custom columns can show a specific occurrence of a field.

In Wireshark, you can add a new column of field type "custom" and then specify a filter name for the field name such as "ip.addr" and then the field occurrence field can take different values as shown by the text when you point the mouse cursor to the field: 0 = all (default), 1 = first, 2 = second ..., -1 = last. So if in this example ip.addr shows up multiple times in the same packet, "1" will show only the value from the first time it shows up in the dissection tree (middle pane). Otherwise all of them will show up with (if I remember correctly) commas in between.
Tshark has something similar but I don't know the syntax off the top of my head (check "tshark -h" probably).

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

End of Wireshark-users Digest, Vol 61, Issue 8
**********************************************
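
Added example (not part of the original thread, and not Wireshark code): the classic pcap format stores each packet's capture time as seconds and microseconds since the epoch in UTC, so the TZ variable discussed in messages 4 and 5 only changes how that instant is rendered. The sketch below parses a constructed one-packet capture and renders its timestamp under the TZ values quoted in the thread, assuming a POSIX system where time.tzset() is available; POSIX TZ strings count the offset in hours west of Greenwich, so GMT-5 renders five hours ahead of UTC.

```python
import calendar
import os
import struct
import time

# Constructed sample: a little-endian classic pcap holding one 4-byte packet
# stamped 2011-06-10 15:10:36.250000 UTC.
TS = calendar.timegm((2011, 6, 10, 15, 10, 36))
PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
        + struct.pack("<IIII", TS, 250000, 4, 4) + b"\x00" * 4)

def packet_times(data):
    """Yield (seconds, microseconds) since the epoch for each pcap record."""
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # written on a big-endian host
    else:
        raise ValueError("not a classic microsecond-resolution pcap")
    offset = 24                 # skip the global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        yield sec, usec
        offset += 16 + incl_len

def render(sec, usec, tz):
    """Format a capture time as a C-runtime program started with TZ=tz would."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(sec))
        return "%s.%06d" % (stamp, usec)
    finally:
        # Restore the caller's time zone so the change does not leak.
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()

if __name__ == "__main__":
    for sec, usec in packet_times(PCAP):
        for tz in ("GMT", "GMT-5", "GMT10"):
            print("TZ=%-6s %s" % (tz, render(sec, usec, tz)))
```

When matching a trace against logs written in another zone, rendering both in GMT avoids the sign question altogether.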