Wireshark-users: [Wireshark-users] Wireshark log analysis needed - will pay
From: "Timothy Lang Sr." <tim@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Apr 2008 08:53:44 -0400
Looking to pay someone to help me review wireshark logs to resolve http
issue:

The problem is that we have several medical practices that run a
web-based Electronic Medical Records system. The system behaves
erratically, randomly displaying 'page cannot be displayed messages.' 

We have upgraded the Network infrastructure to a new dell 3348 10/100 l2
switch, and also replace the neat gear Access points with Cisco 1131AGs,
as well as increased the memory on the workstation s to 4GB. All these
changes and $$ have produced no measurable changes in performance of the
application. 

Now the hospital wants to do a 'in-depth' analysis of the network
traffic, and it is beyond our ability to say with clarity and certainty
we know what we are doing looking at wireshark logs for a specific
problem. We generally us it for troubleshooting errant workstations. 




-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Sent: Wednesday, April 23, 2008 8:49 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 23, Issue 81

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Re: Merging HTTP packets (Yang Zhang)
   2. tshark http reassembly (Yang Zhang)
   3. Re: "Follow {TCP, UDP,	SSL} Stream" output of a database
      connection (Guy Harris)
   4. Question Regarding Capture Interpretation (Andre Champoux)
   5. exporting packet data from all packets displayed	in hex
      (Hao Wei Tee)
   6. Difficulties decrypting SSL (Feeny, Michael (GWM-CAI))


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Apr 2008 19:51:45 -0400
From: Yang Zhang <yanghatespam@xxxxxxxxx>
Subject: Re: [Wireshark-users] Merging HTTP packets
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <480E7A11.10204@xxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

Yang Zhang wrote:
> Guy Harris wrote:
>> Yang Zhang wrote:
>>
>>> Here's what I'm seeing:
>>
>> So it *did* reassemble frames 1 and 3 into an HTTP reply, but didn't 
>> appear to reassemble frame 10 with the frame that preceded it 
>> (presumably frame 9).
>>
>> We'd need to see the raw capture file in order to debug this.  File a

>> bug on bugzilla.wireshark.org, and attach the capture.
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
> Done!
> 
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2450

So it turns out that I just had to disable the TCP option to validate 
checksums, because my platform has some type of hardware acceleration.


------------------------------

Message: 2
Date: Tue, 22 Apr 2008 21:18:05 -0400
From: Yang Zhang <yanghatespam@xxxxxxxxx>
Subject: [Wireshark-users] tshark http reassembly
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <480E8E4D.7040004@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi, I'd like to write some scripts that leverage the wireshark 
dissectors to analyze http traffic.  I'm currently thinking of writing 
up some Python scripts to read tshark -T pdml, but the output seems to 
be dissecting each packet individually - it doesn't provide the 
reassembly feature found in the wireshark GUI, and I believe this is 
causing some of the resulting http entities to be nonsensical (e.g., I 
see http packets that contain only a "data" field).

Does anybody have any advice on what I can do?  I'm not married to 
tshark by any means, so if there's another approach (e.g. Lua, MATE, or 
even a non-wireshark HTTP logging proxy) that is better suited for what 
I'm trying to do, then I'd be happy to hear about it too.

Thanks in advance for any help!


------------------------------

Message: 3
Date: Tue, 22 Apr 2008 18:22:52 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] "Follow {TCP, UDP,	SSL} Stream"
output
	of a database connection
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <C7288393-7CAD-4BCB-92AE-70C1057F7B98@xxxxxxxxxxxx>
Content-Type: text/plain; charset=GB2312; format=flowed; delsp=yes

Don't send mail to the -request addresses, such as wireshark-users- 
request; just send it to the real mailing list, such as wireshark-users.

Also, if you're not replying to a message that you received, don't  
send out mail as a reply, send out the mail directly - and if you  
*are* replying to a message in a digest, don't just reply to the  
digest mail.

On Apr 22, 2008, at 4:07 PM, ??? wrote:

> who can tell me what does this mean?
> ............................................... 
> 5.0.1.37 
>
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
...............................(.....0 
> }..h...`.................b................................ 
> 5.0.1.37 
> .................X 
> .......................X 
> .............N.........F.............N.........F.............[..... 
> 3 
> ................. 
> 3 
> ..... 
> 3 
>
........................................................................
........................................................................
........................................................................
........................................................................
..............................................................USER1 
> ....user11 
> ..... 
> 1.37 
>
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
.....................CREATE 
> ....LE #SYSTMPDM:....................Login successfully.
> <...
> ...................SYSTEM............
> ...211.69.192.86....2007-05-28  
> 16 
> : 
> 18 
> : 
> 05 
>
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
......|.Y.qx...|............j...
...i..........|Y.q....`....s..|j...............i.....q........|........j
.......2.......i..`........q.q.Y.q....|Y.q.B.qx...|j.......j......2+.q`.
..`....C.q.s..|....q.......q..........|....6
> ......q 
> ..............|....q......F........q......|....q......o...|....q..F...
> r 
> ..l 
> .......F 
> ....q 
> ......| 
> ....q 
> ..F 
> ....q 
> ...q 
> ......H 
> .......|....q...q..|...l...|...|....q..............|...V5.0.1.37- 
> Build 
> (2006.12.06 
>
).......................................................................
..............| 
> ...|..................... 
> 7.................................F.............[..... 
> 3 
> ................. 
> 3 
> ..... 
> 3 
>
........................................................................
........................................................................
........................................................................
........................................................................
........................................................................
.........................................I 
> ................................select * from  
> system.sysdba.sysdatabases where upper(name) =  
> upper 
> ('CW 
>
')......................................................................
........................................................................
........................................................................
........................................................................
........................................................................
.................................................[......................
.....X 
>
......................................NAMEVARCHARSYSDATABASESSYSDBASYSTE
M 
> ..................................IDSMALLINTSYSDATABASESSYSDBASYSTEM 
>
..................................RESVD1INTEGERSYSDATABASESSYSDBASYSTEM 
>
..................................RESVD2INTEGERSYSDATABASESSYSDBASYSTEM 
>
..................................RESVD3INTEGERSYSDATABASESSYSDBASYSTEM 
>
..................................RESVD4VARCHARSYSDATABASESSYSDBASYSTEM 
>
..................................RESVD5VARCHARSYSDATABASESSYSDBASYSTEM 
> .....................select ok  "CW".sysdba.syscolumns cols on  
> indkey*.Z.m....

I think it means that you took the output from "Follow TCP Stream",  
"Follow UDP Stream", or "Follow SSL Stream" for a connection to a  
database server and pasted it into a mail message.

The output of "Follow {TCP,UDP,SSL} Stream" is a lot less useful for  
binary protocols, such as the Oracle TNS protocol, Sybase/Microsoft  
TDS protocol, etc. used to talk to database servers.  You should look  
at the main Wireshark window to look at database traffic; if Wireshark  
displays protocols running on top of the TCP/UDP/SSL layer, look at  
that, otherwise send to wireshark-devel the raw network trace (not the  
output of "Follow {TCP,UDP,SSL} Stream" or any other text output) so  
we can figure out why Wireshark isn't showing protocols above  
{TCP,UDP,SSL}, and also tell us what type of database server is  
involved.

------------------------------

Message: 4
Date: Tue, 22 Apr 2008 22:48:54 -0700
From: "Andre Champoux" <andrec@xxxxxxxxxxxxxxxxx>
Subject: [Wireshark-users] Question Regarding Capture Interpretation
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	
<65FC6FEF241D74489AC49F6A4D5207AE12EBE7@vitalsrv01.vitalit.local>
Content-Type: text/plain; charset="us-ascii"

Hi,

 

I have two workstations on a managed switch (we put the managed switch
in to help diagnose the problem) and have found that saving files in a
particular application results in really poor performance. I did a
network capture from both workstations as well as used a tool called
Filemon on the remote workstation. What I notice in both the network
capture is this 

 

5342       18.380647            10.2.0.152            10.2.0.151
SMB       Write AndX Request, FID: 0x4022, 1 byte at offset 239500

 

I will receive a very long list of these of a small number of bytes.   

 

Can anyone explain what this means?

 

Thanks

 

Andre

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20080422/1c6e
b7f3/attachment.htm 

------------------------------

Message: 5
Date: Wed, 23 Apr 2008 14:57:56 +0800
From: "Hao Wei Tee" <hwtee2005@xxxxxxxxx>
Subject: [Wireshark-users] exporting packet data from all packets
	displayed	in hex
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
	<bfdf2ad90804222357p706822d1he883a40d889119b6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

I need to export packet data from all packets to the clipboard/text file
in
hex.

Just the hex, no text or the number offset stuff.

(data as in [Data (xxxx bytes)])
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20080423/9cf3
26dc/attachment.htm 

------------------------------

Message: 6
Date: Wed, 23 Apr 2008 08:43:04 -0400
From: "Feeny, Michael \(GWM-CAI\)" <michael_feeny@xxxxxx>
Subject: [Wireshark-users] Difficulties decrypting SSL
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	
<936C21D4171BD04FBEC025F4B8B91169011AC578@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
	
Content-Type: text/plain; charset="us-ascii"

Hello. I have captured traffic, via the Opnet Capture Agent, on a
workstation. The packets consists mostly of SSL traffic that is
"tunnelled" through an HTTP Proxy server. That is, the workstation
issues HTTP "CONNECT" requests to create SSL tunnels thru the Proxy
Server.  There are multiple URLs, and thus multiple RSA Keys involved.

I would like to decrypt this traffic, so that I can analyze the various
HTTP calls made within the SSL tunnels.  I have the .PEM files necessary
to do this, but I'm not successful yet.  After entering the RSA Keys and
SSL log info into the Edit/Preferences box and hitting Apply, it seems
that some of the traffic is decrypted.  I now see "200 OK" messages that
are returned to the workstation, but not the HTTP requests that
generated those responses.  The HTTP requests are still encrypted. When
I look at the request packets, I see the HTTP Connect call, and then the
SSL handshake, but the rest of the conversation is still encrypted.
Below is what I entered into the "RSA Keys list:" box (with the IP's
sanitized).  Originally I had only the first set.  Then, when I saw
decrypted packets in only 1 direction, I added the other set (to no
avail).  
Below that, I've also included the first several lines of the SSL debug
file (not the whole file, which is huge - 4.5MB), in case that is
useful.
Any advice/suggestions would be greatly appreciated!
Michael Feeny
Merrill Lynch
RSA KEYS LIST
<Proxy IP>,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
<Proxy IP>,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
<Proxy IP>,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; <Proxy
IP>,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem;
<Proxy IP>,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem;
<Wkstn IP>,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
<Wkstn IP>,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
<Wkstn IP>,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; <Wkstn
IP>,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem;
<Wkstn IP>,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

SSL DEBUG FILE
ssl_association_remove removing TCP 8080 - http handle 026212C0
ssl_init keys string:
199.43.68.161,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem;
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem;
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem;
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem;
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem;
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem;
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
ssl_init found host entry 199.43.68.161,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init addr 199.43.68.161 port 8080 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem
ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem successfully
loaded
association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry
146.125.199.87,8080,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
successfully loaded
association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry 
ssl_init entry malformed can't find port in ''
ssl_init found host entry 169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem
ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem successfully
loaded
association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem
successfully loaded
association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry
169.242.132.26,4257,http,\\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
ssl_init private key file \\phccaims001\aim\AIM
Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem
successfully loaded
association_add TCP port 4257 protocol http handle 026212C0
association_find: TCP port 443 found 0293E2D8
ssl_association_remove removing TCP 443 - http handle 026212C0
association_add TCP port 443 protocol http handle 026212C0
association_find: TCP port 636 found 028EF3A0
ssl_association_remove removing TCP 636 - ldap handle 02653548
association_add TCP port 636 protocol ldap handle 02653548
association_find: TCP port 993 found 028EF728
ssl_association_remove removing TCP 993 - imap handle 0235B3D0
association_add TCP port 993 protocol imap handle 0235B3D0
association_find: TCP port 995 found 028EE008
ssl_association_remove removing TCP 995 - pop handle 026AF770
association_add TCP port 995 protocol pop handle 026AF770

dissect_ssl enter frame #602 (already visited)
dissect_ssl3_record: content_type 23
association_find: TCP port 8080 found 07F623A0
dissect_ssl3_record decrypted len 25
dissect_ssl3_record found association 07F623A0
decrypted app data fragment: HTTP/1.1 100 Continue  

Michael Feeny
Global Wealth Management Technology
Network and Security Integration
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0
--------------------------------------------------------

This message w/attachments (message) may be privileged, confidential or
proprietary, and if you are not an intended recipient, please notify the
sender, do not use or share it and delete it. Unless specifically
indicated, this message is not an offer to sell or a solicitation of any
investment products or other financial product or service, an official
confirmation of any transaction, or an official statement of Merrill
Lynch. Subject to applicable law, Merrill Lynch may monitor, review and
retain e-communications (EC) traveling through its networks/systems. The
laws of the country of each sender/recipient may impact the handling of
EC, and EC may be archived, supervised and produced in countries other
than the country in which you are located. This message cannot be
guaranteed to be secure or error-free. This message is subject to terms
available at the following link:
http://www.ml.com/e-communications_terms/. By messaging with Merrill
Lynch you consent to the foregoing.
--------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20080423/7195
a332/attachment.htm 

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 23, Issue 81
***********************************************