[Wireshark-dev] command line tools

2015-10-30 Thread Bret Jordan
Dev list,

I wrote a command line tool that you might want to include in the Wireshark 
bundle of command line tools.

rewritecap is a tool for rebasing a PCAP file, editing layer2 and layer3 
addresses, and updating ARP packets. PCAP-ng files are not currently supported. 
This tool will accommodate 802.1Q tagged frames and Q-in-Q double tagged frames.

The timestamp changes allow you to rebase the PCAP file to a new date without 
changing the actual time of day or the inter-frame gaps. You can also timeshift 
all of the packets by a value in +/-00h00m00s format. Multiple timeshifts can 
be specified at the same time by separating them with a comma, thus 
--time-shift=2h,-3m

./rewritecap --help
./rewritecap -f test.pcap -n test2.pcap -y 2016 -m 3 -d 10
./rewritecap -f test.pcap -n test2.pcap --ip4 10.0.2.32 --ip4-new 2.2.2.2 --mac 
68:A8:6D:18:36:92 --mac-new 22:33:44:55:66:77
./rewritecap -f test.pcap -n test2.pcap --time-shift=2h1m3s
./rewritecap -f test.pcap -n test2.pcap --time-shift=2h,-1m

rewritecap is Apache 2.0 licensed and will compile to a static binary for Linux 
and Mac OS X.  It should also compile to a static binary for Windows, but I have 
not tested that.

It is written in Go 1.5.  Code, install, and compile instructions can be found 
here:

https://github.com/jordan2175/rewritecap 

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not 
be unscrambled is an egg."
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
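The rewriting Bret describes, as an added example that is not the rewritecap code (a minimal Python re-implementation for classic pcap files with the Ethernet link type only): it walks the pcap record stream, rebases the first packet onto a new UTC date while keeping its time of day and every inter-frame gap, applies a comma-separated +/-00h00m00s shift, swaps MAC and IPv4 addresses in the Ethernet header, in the ARP sender/target fields and in the IPv4 header (hopping over 802.1Q and Q-in-Q tags to find the payload), and recomputes the IPv4 header checksum. The sample capture, its addresses and the dates are constructed for the demonstration; the EtherTypes, TPIDs and pcap magic numbers are the standard ones.

```python
import re
import struct
from datetime import datetime, timezone

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}       # 802.1Q C-tag, 802.1ad S-tag, pre-standard Q-in-Q
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
SHIFT_RE = re.compile(r"^([+-]?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return bytes(int(x) for x in s.split("."))

def parse_time_shift(spec):                  # '2h,-1m3s' (+/-00h00m00s list form) -> signed seconds
    total = 0
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = SHIFT_RE.match(part)
        if not m or not any(m.group(i) for i in (2, 3, 4)):
            raise ValueError("bad time-shift element %r" % part)
        h, mi, s = (int(g or 0) for g in m.groups()[1:])
        total += (-1 if m.group(1) == "-" else 1) * (h * 3600 + mi * 60 + s)
    return total

def rebase_delta(first_ts, year=None, month=None, day=None):
    t = datetime.fromtimestamp(first_ts, tz=timezone.utc)   # change the date, keep the time of day
    new = t.replace(year=year or t.year, month=month or t.month, day=day or t.day)
    return int((new - t).total_seconds())

def csum(data):                              # Internet checksum of an even-length byte string
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def _swap(b, pos, n, table):                 # replace b[pos:pos+n] if it is a key of table
    cur = bytes(b[pos:pos + n])
    if cur in table:
        b[pos:pos + n] = table[cur]

def rewrite_frame(frame, mac_map, ip4_map):  # Ethernet/ARP MACs, IPv4 addresses, IPv4 checksum
    b = bytearray(frame)
    if len(b) < 14:
        return bytes(b)
    for pos in (0, 6):                                      # Ethernet dst, src
        _swap(b, pos, 6, mac_map)
    etype, off = struct.unpack_from("!H", b, 12)[0], 14
    while etype in VLAN_TPIDS and len(b) >= off + 4:        # hop over TCI + inner EtherType
        etype, off = struct.unpack_from("!H", b, off + 2)[0], off + 4
    if etype == ETH_P_ARP and len(b) >= off + 28 and b[off + 4:off + 6] == b"\x06\x04":
        for pos, n, table in ((8, 6, mac_map), (14, 4, ip4_map), (18, 6, mac_map), (24, 4, ip4_map)):
            _swap(b, off + pos, n, table)                   # sha, spa, tha, tpa
    elif etype == ETH_P_IP and len(b) >= off + 20:
        ihl, old = (b[off] & 0x0F) * 4, bytes(b[off + 12:off + 20])
        for pos in (12, 16):                                # IPv4 src, dst
            _swap(b, off + pos, 4, ip4_map)
        if bytes(b[off + 12:off + 20]) != old and 20 <= ihl <= len(b) - off:
            struct.pack_into("!H", b, off + 10, 0)          # recompute the header checksum
            struct.pack_into("!H", b, off + 10, csum(bytes(b[off:off + ihl])))
    return bytes(b)

def pcap_endian(data):                       # classic pcap only; pcapng is not handled here
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D): return "<"       # usec / nsec magic, little-endian
    if magic in (0xD4C3B2A1, 0x4D3CB2A1): return ">"
    raise ValueError("not a classic pcap file")

def iter_records(data):
    e, pos = pcap_endian(data), 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack_from(e + "IIII", data, pos)
        yield ts_sec, ts_frac, orig, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def rewrite_pcap(data, mac_map=None, ip4_map=None, time_shift="", year=None, month=None, day=None):
    e, out, delta = pcap_endian(data), bytearray(data[:24]), None
    shift = parse_time_shift(time_shift)
    for ts_sec, ts_frac, orig, frame in iter_records(data):
        if delta is None:                                   # date rebase is anchored on packet 1
            delta = rebase_delta(ts_sec, year, month, day) + shift
        new = rewrite_frame(frame, mac_map or {}, ip4_map or {})
        out += struct.pack(e + "IIII", ts_sec + delta, ts_frac, len(new), orig) + new
    return bytes(out)

def sample_pcap():                           # constructed: VLAN 100 ARP request, then IPv4/UDP
    t0 = int(datetime(2015, 10, 30, 13, 14, 0, tzinfo=timezone.utc).timestamp())
    src, sip, dip = "68:a8:6d:18:36:92", ip4("10.0.2.32"), ip4("10.0.2.1")
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + mac(src) + sip + b"\0" * 6 + dip
    udp = struct.pack("!HHHH", 5353, 53, 13, 0) + b"hello"                  # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    frames = [(t0, 0, mac("ff:ff:ff:ff:ff:ff") + mac(src) + struct.pack("!HHH", 0x8100, 100, ETH_P_ARP) + arp),
              (t0 + 1, 500000, mac("00:11:22:33:44:55") + mac(src) + struct.pack("!H", ETH_P_IP) + ip + udp)]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frac, f in frames:
        out += struct.pack("<IIII", ts, frac, len(f), len(f)) + f
    return bytes(out)
```

`rewrite_pcap(sample_pcap(), {mac("68:A8:6D:18:36:92"): mac("22:33:44:55:66:77")}, {ip4("10.0.2.32"): ip4("2.2.2.2")}, "2h,-1m", 2016, 3, 10)` mirrors the command lines above. Two things a real tool must cover that this example leaves out: TCP and UDP checksums cover the IP addresses through the pseudo-header, so they also need updating after an address rewrite (incrementally, per RFC 1624, when the capture is truncated), and addresses carried inside application payloads (DNS answers, FTP PORT commands) are not touched. The tag hop is what makes single- and double-tagged frames behave identically.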

[Wireshark-dev] GIOP dissector reply decode

2015-10-30 Thread Andy Ling
I'm currently using Wireshark 1.12.5 built on Windows 7 using Visual C++ 12

I am adding a GIOP plugin for our internal IDL using the following command to 
generate the plugin C code

C:\Python27\omniorb\omniORB-4.1.6\bin\x86_win32\omniidl.exe -p 
d:\wireshark-1.12.5\tools -b wireshark_be Q_Quentin.idl > packet-q_quentin.c

I am finding that the dissector is getting confused when trying to decode 
replies. It looks like it is only checking the GIOP request ID to determine 
which request a reply is for.

So when there are multiple machines making requests, the same request ID can 
get used for different requests. When this happens the replies can get decoded 
wrongly.

In fact multiple threads from a single source IP can use the same GIOP request 
ID on different ports. This can confuse the reply decode too.

I have had a quick look through the dissector code and can't work out what is 
doing this.

So can someone point me in the right direction and maybe give me some clues 
about where and whether this can be fixed.

Regards

Andy Ling

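The collision Andy describes, as an added example that is not Wireshark's GIOP dissector code: a constructed GIOP 1.2 exchange in which two clients, and a second thread on one of them using a different source port, all reuse request_id 7. A pending-request table keyed on request_id alone attributes the replies to the wrong requests (and drops some); keying on the TCP conversation plus request_id resolves every reply. The header layout used (12-byte GIOP header, request_id as the first ulong of a 1.2 Request or Reply body) follows the GIOP 1.2 specification; the addresses, ports and operation labels are constructed, and the operation label stands in for the name a dissector would have parsed from the Request body. How the Wireshark dissector stores its own table is not shown here.

```python
import struct
from collections import namedtuple

# Constructed record: the IP/TCP endpoints a dissector sees plus the GIOP payload.
# `op` labels the IDL operation a Request carries (None for replies).
Pkt = namedtuple("Pkt", "src sport dst dport payload op")
REQUEST, REPLY = 0, 1

def giop(msg_type, request_id, body=b""):
    """Build a GIOP 1.2 message with the little-endian flag set."""
    body = struct.pack("<I", request_id) + body
    return b"GIOP" + bytes([1, 2, 0x01, msg_type]) + struct.pack("<I", len(body)) + body

def parse_giop(payload):
    """Return (msg_type, request_id) for a GIOP 1.2 Request or Reply, else None."""
    if len(payload) < 16 or payload[:4] != b"GIOP" or payload[4:6] != b"\x01\x02":
        return None
    flags, msg_type = payload[6], payload[7]
    if msg_type not in (REQUEST, REPLY):
        return None
    request_id = struct.unpack_from(("<" if flags & 1 else ">") + "I", payload, 12)[0]
    return msg_type, request_id

def _match(packets, key_fn):
    pending, pairs = {}, []
    for p in packets:
        parsed = parse_giop(p.payload)
        if parsed is None:
            continue
        msg_type, rid = parsed
        key = key_fn(p, rid)
        if msg_type == REQUEST:
            pending[key] = p                 # a later request with the same key silently replaces it
        elif key in pending:
            req = pending.pop(key)
            pairs.append((req.op, (req.src, req.sport), (p.dst, p.dport)))
    return pairs

def match_by_request_id(packets):
    """The failure mode: the pending table is keyed on request_id alone."""
    return _match(packets, lambda p, rid: rid)

def match_by_conversation(packets):
    """Key on the TCP conversation (both endpoints, direction-independent) plus request_id."""
    return _match(packets, lambda p, rid: (frozenset([(p.src, p.sport), (p.dst, p.dport)]), rid))

def misdecoded(pairs):
    """Pairs whose reply was delivered to an endpoint other than the matched request's sender."""
    return [pr for pr in pairs if pr[1] != pr[2]]

SERVER = ("10.0.0.9", 2809)
SAMPLE = [  # constructed: requests from two hosts plus a second thread on 10.0.0.1, all with id 7
    Pkt("10.0.0.1", 40000, *SERVER, giop(REQUEST, 7), "getBalance"),
    Pkt("10.0.0.2", 40000, *SERVER, giop(REQUEST, 7), "transfer"),
    Pkt("10.0.0.1", 40001, *SERVER, giop(REQUEST, 7), "listAccounts"),
    Pkt(*SERVER, "10.0.0.1", 40000, giop(REPLY, 7, b"\0\0\0\0"), None),   # reply for getBalance
    Pkt(*SERVER, "10.0.0.2", 40000, giop(REPLY, 7, b"\0\0\0\0"), None),   # reply for transfer
    Pkt(*SERVER, "10.0.0.1", 40001, giop(REPLY, 7, b"\0\0\0\0"), None),   # reply for listAccounts
]

if __name__ == "__main__":
    print("by request_id only:", match_by_request_id(SAMPLE))
    print("by conversation:   ", match_by_conversation(SAMPLE))
```

With the id-only key, the third request overwrites the first two, so the reply to 10.0.0.1:40000 is decoded as a listAccounts reply and the other two replies find nothing to match. The conversation key pairs all three correctly. A dissector that keys its table this way also needs to clear the entry when the reply is consumed, as `_match` does, so a legitimately reused request_id on the same connection later in the capture starts fresh.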

Re: [Wireshark-dev] command line tools

2015-10-30 Thread Dario Lombardo
Sounds pretty similar to tcprewrite, doesn't it?

http://tcpreplay.synfin.net/wiki/tcprewrite

On Fri, Oct 30, 2015 at 1:14 AM, Bret Jordan  wrote:

> Dev list,
>
> I wrote a command line tool that you might want to include in the
> Wireshark bundle of command line tools.
>
> rewritecap is a tool for rebasing a PCAP file, editing layer2 and layer3
> addresses, and updating ARP packets. PCAP-ng files are not currently
> supported. This tool will accommodate 802.1Q tagged frames and
> Q-in-Q double tagged frames.
>
> The timestamp changes allow you to rebase the PCAP file to a new date
> without changing the actual time of day or the inter-frame gaps. You can
> also timeshift all of the packets by a value in +/-00h00m00s format.
> Multiple timeshifts can be specified at the same time by separating
> them with a comma, thus --time-shift=2h,-3m
>
> ./rewritecap --help
> ./rewritecap -f test.pcap -n test2.pcap -y 2016 -m 3 -d 10
> ./rewritecap -f test.pcap -n test2.pcap --ip4 10.0.2.32 --ip4-new 2.2.2.2
> --mac 68:A8:6D:18:36:92 --mac-new 22:33:44:55:66:77
> ./rewritecap -f test.pcap -n test2.pcap --time-shift=2h1m3s
> ./rewritecap -f test.pcap -n test2.pcap --time-shift=2h,-1m
>
> rewritecap is Apache 2.0 licensed and will compile to a static binary for
> Linux and Mac OS X.  It should also compile to a static binary for Windows,
> but I have not tested that.
>
> It is written in Go 1.5.  Code, install, and compile instructions can be
> found here:
>
> https://github.com/jordan2175/rewritecap
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."

Re: [Wireshark-dev] GIOP dissector reply decode

2015-10-30 Thread Michael Mann
Couple of thoughts from a quick skim of the code/git history:
 
1. I presume giop_complete_request_list is for matching request/reply.  
Grepping its use will probably give you some clues as to where to look.
2. I'd recommend using the latest dev branch (master or at least master-2.0).  
Any fixes you find would need to be applied there (master) first and then 
backported to 1.12 (and 2.0)
3. It's possible some work was already done related to this (see bug 11123 in 
Bugzilla).   There have also been other GIOP dissector improvements since 1.12.
 
-Original Message-
From: Andy Ling 
To: 'wireshark-dev@wireshark.org' 
Sent: Fri, Oct 30, 2015 10:27 am
Subject: [Wireshark-dev] GIOP dissector reply decode

I’m currently using Wireshark 1.12.5 built on Windows 7 using Visual C++ 12
 
I am adding a GIOP plugin for our internal IDL using the following command to 
generate the plugin C code
 
C:\Python27\omniorb\omniORB-4.1.6\bin\x86_win32\omniidl.exe -p 
d:\wireshark-1.12.5\tools -b wireshark_be Q_Quentin.idl > packet-q_quentin.c
 
I am finding that the dissector is getting confused when trying to decode 
replies. It looks like it is only checking the GIOP request ID to determine 
which request a reply is for.
 
So when there are multiple machines making requests, the same request ID can 
get used for different requests. When this happens the replies can get decoded 
wrongly.
 
In fact multiple threads from a single source IP can use the same GIOP request 
ID on different ports. This can confuse the reply decode too.
 
I have had a quick look through the dissector code and can’t work out what is 
doing this.
 
So can someone point me in the right direction and maybe give me some clues 
about where and whether this can be fixed.
 
Regards
 
Andy Ling

Re: [Wireshark-dev] command line tools

2015-10-30 Thread Guy Harris

On Oct 29, 2015, at 5:14 PM, Bret Jordan  wrote:

> I wrote a command line tool that you might want to include in the Wireshark 
> bundle of command line tools.
> 
> rewritecap is a tool for rebasing a PCAP file, editing layer2 and layer3 
> addresses, and updating ARP packets. PCAP-ng files are not currently 
> supported.

If it doesn't use libwiretap, and thus doesn't support the formats that 
Wireshark itself can read and write, it's not clear that it really belongs in 
the Wireshark bundle.

We can, however, point to its repository from the Tools page of the Wireshark 
Wiki:

https://wiki.wireshark.org/Tools

> It is written in Go 1.5.

...which means that it would, at best, end up being an *optional* part of the 
bundle, as we're not going to require a Go compiler in order to build Wireshark 
itself.

Re: [Wireshark-dev] -fPIC on Ubuntu Wily

2015-10-30 Thread Hauke Mehrtens
On 10/27/2015 11:45 PM, Evan Huus wrote:
> After recently upgrading to Ubuntu 15.10, my cmake configure failed with:
> -- Performing Test WORKS_WITH_FPIC - Failed
> CMake Error at CMakeLists.txt:938 (message):
>   Couldn't compile Qt without -fPIC nor with -fPIC
> 
> Digging into the logs, the test being run (and its output) is as follows:
> 
> /usr/bin/c++ -Wall -W -Wextra -Wendif-labels -Wpointer-arith
> -Warray-bounds -Wformat-security -fwrapv -fno-strict-overflow
> -fno-delete-null-pointer-checks -Wvla -Waddress -Wattributes
> -Wdiv-by-zero -Wignored-qualifiers -Wpragmas -Wno-overlength-strings
> -Wwrite-strings -Wno-long-long -fexcess-precision=fast
> -DWORKS_WITH_FPIC -fPIC -fPIE -I/usr/include/x86_64-linux-gnu/qt5
> -I/usr/include/x86_64-linux-gnu/qt5/QtCore
> -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++-64 -o
> CMakeFiles/cmTryCompileExec1538407922.dir/src.cxx.o -c
> /home/eapache/pkg/linux_amd64/wireshark.org/wireshark/CMakeFiles/CMakeTmp/src.cxx
> In file included from
> /usr/include/x86_64-linux-gnu/qt5/QtCore/qnamespace.h:37:0,
>  from 
> /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs.h:41,
>  from /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject.h:40,
>  from
> /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractanimation.h:37,
>  from /usr/include/x86_64-linux-gnu/qt5/QtCore/QtCore:4,
>  from
> /home/eapache/pkg/linux_amd64/wireshark.org/wireshark/CMakeFiles/CMakeTmp/src.cxx:1:
> /usr/include/x86_64-linux-gnu/qt5/QtCore/qglobal.h:1052:4: error:
> #error "You must build your code with position independent code if Qt
> was built with -reduce-relocations. " "Compile your code with -fPIC
> (-fPIE is not enough)."
>  #  error "You must build your code with position independent code if
> Qt was built with -reduce-relocations. "\
> ^
> 
> I suspect because we are passing both -fPIC *and* -fPIE (and that
> -fPIE is being passed second) something is not working correctly? I'm
> not familiar with how those flags work together.
> 
> Thoughts?
> Evan

Hi,

I have the same problem in Debian testing with Qt 5.4 and also with the
new Qt 5.5.1 which I got as a normal update today.

Here is the issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11643

Here someone else reported the same problem some time ago:
https://www.wireshark.org/lists/wireshark-bugs/201505/msg00563.html

Hauke

[Wireshark-dev] Wireshark 2.0.0rc2 is now available

2015-10-30 Thread Gerald Combs

I'm proud to announce the release of Wireshark 2.0.0rc2.


   This is the second release candidate for Wireshark 2.0.
 __

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer. It is
   used for troubleshooting, analysis, development and education.
 __

What's New

   Wireshark 2.0 features a new user interface which should provide a
   smoother, faster user experience.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 2.0.0rc1:
 * For new installations on UN*X, the directory for user preferences
   is $HOME/.config/wireshark rather than $HOME/.wireshark. If that
   directory is absent, preferences will still be found and stored
   under $HOME/.wireshark.
 * Qt port:
  + The SIP Statistics dialog has been added.
  + You can now create filter expressions from the display filter
toolbar.
  + Bugs in the UAT preferences dialog have been fixed.
 * Several dissector and Qt UI crash bugs have been fixed.
 * Problems with the Mac OS X application bundle have been fixed.

   The following features are new (or have been significantly updated)
   since version 1.99.9:
 * Qt port:
  + The LTE RLC Graph dialog has been added.
  + The LTE MAC Statistics dialog has been added.
  + The LTE RLC Statistics dialog has been added.
  + The IAX2 Analysis dialog has been added.
  + The Conversation Hash Tables dialog has been added.
  + The Dissector Tables dialog has been added.
  + The Supported Protocols dialog has been added.
  + You can now zoom the I/O and TCP Stream graph X and Y axes
independently.
  + The RTP Player dialog has been added.
  + Several memory leaks have been fixed.

   The following features are new (or have been significantly updated)
   since version 1.99.8:
 * Qt port:
  + The MTP3 statistics and summary dialogs have been added.
  + The WAP-WSP statistics dialog has been added.
  + The UDP multicast statistics dialog has been added.
  + The WLAN statistics dialog has been added.
  + The display filter macros dialog has been added.
  + The capture file properties dialog now includes packet
comments.
  + Many more statistics dialogs can be opened from the command
line via -z 
  + Most dialogs now have a cancellable progress bar.
  + Many packet list and packet detail context menus items have
been added.
  + Lua plugins can be reloaded from the Analyze menu.
  + Many bug fixes and improvements.

   The following features are new (or have been significantly updated)
   since version 1.99.7:
 * Qt port:
  + The Enabled Protocols dialog has been added.
  + Many statistics dialogs have been added, including Service
response time, DHCP/BOOTP, and ANSI.
  + The RTP Analysis dialog has been added.
  + Lua dialog support has been added.
  + You can now manually resolve addresses.
  + The Resolved Addresses dialog has been added.
  + The packet list scrollbar now has a minimap.
  + The capture interfaces dialog has been updated.
  + You can now colorize conversations.
  + Welcome screen behavior has been improved.
  + Plugin support has been improved.
  + Many dialogs should now more correctly minimize and maximize.
  + The reload button has been added back to the toolbar.
  + The "Decode As" dialog no longer saves decoding behavior.
  + You can now stop loading large capture files.
  + The Bluetooth HCI Summary has been added.

   The following features are new (or have been significantly updated)
   since version 1.99.6:
 * Qt port:
  + The Bluetooth Devices dialog has been added.
  + The wireless toolbar has been added.
  + Opening files via drag and drop is now supported.
  + The Capture Filter and Display Filter dialogs have been added.
  + The Display Filter Expression dialog has been added.
  + Conversation Filter menu items have been added.
  + You can change protocol preferences by right clicking on the
packet list and details.

   The following features are new (or have been significantly updated)
   since version 1.99.4 and 1.99.5:
 * Qt port:
  + Capture restarts are now supported.
  + Menu items for plugins are now supported.
  + Extcap interfaces are now supported.
  + The Expert Information dialog has been added.
  + Display and capture filter completion is now supported.
 

Re: [Wireshark-dev] [Wireshark-commits] buildbot failure in Wireshark (development) on Windows 8.1 x86

2015-10-30 Thread Gerald Combs
This appears to be a false positive. I've submitted the installer to
clamav.net for analysis.

On 10/30/15 5:04 PM, buildbot-no-re...@wireshark.org wrote:
> The Buildbot has detected a new failure on builder Windows 8.1 x86 while 
> building wireshark. Full details are available at:
> 
> http://buildbot.wireshark.org/wireshark-master/builders/Windows%208.1%20x86/builds/4611
> 
> Buildbot URL: http://buildbot.wireshark.org/wireshark-master/
> 
> Buildslave for this Build: windows-8.1-x86
> 
> Build Reason: The SingleBranchScheduler scheduler named 'Gerrit' triggered 
> this build
> Build Source Stamp: [branch master] 252ac26fc2813785991ce1b9947dc39f2f6d6f10
> Blamelist: Michael Mann 
> 
> BUILD FAILED: failed compile_4 clamav-scan.cmd
> 
> Sincerely,
>  -The Buildbot