Wireshark-users: [Wireshark-users] More issues with network monitor 3.3 traces
From: "noah davids" <ndav1@xxxxxxx>
Date: Wed, 21 Jul 2010 21:49:10 -0700
Well, I downloaded Version 1.5.0-SVN-33606 (SVN Rev 33606 from /trunk) and was able to read and decode the first Network Monitor 3.3 trace, but not another. The second gives me the error "The capture file has a packet with a network type Wireshark doesn't support. (netmon: network type 0 unknown or unsupported)."
Also, I discovered the following when displaying the first trace. I have a display filter of "ssl", and the TCP preference "Validate the TCP checksum if possible" is checked:
No.  Time       Source       Destination  TTL  Protocol  Window size  Info
910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        [TCP Previous segment lost] Ignored Unknown Record
918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
923  18.297802  10.1.1.191   10.111.1.21  128  SSL       65492        [Unreassembled Packet [incorrect TCP checksum]]
930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
932  18.343700  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
936  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
938  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
944  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
948  18.432567  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
But when I uncheck the TCP preference "Validate the TCP checksum if possible", the trace changes to:
No.  Time       Source       Destination  TTL  Protocol  Window size  Info
910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        Server Hello, Certificate, Server Hello Done
918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
923  18.297802  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
932  18.343700  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
936  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
938  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
944  18.431591  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
948  18.432567  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
Why should validating the checksum change the interpretation of the data?

Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you deleted it and notified me that you received it incorrectly. On the other hand, E-mail is an insecure mechanism; nothing in this E-mail can be considered confidential. I have no doubts that copies of this E-mail have been archived by my ISP, your ISP and probably the FBI, CIA and NSA. I suspect that Interpol, MI-6, SVR (think KGB) and MSS (Chinese) will have copies shortly; the NSIS (Kenya) will have it by the end of the week.
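The two listings above differ only in whether the TCP dissector trusts the segment in frame 915 (and 923, 932, ...). The model below, an added example that is not part of the thread or of Wireshark's code, reproduces the effect with a constructed pair of segments: it computes the RFC 793 TCP checksum over the IPv4 pseudo-header, leaves the field at zero in one segment (what a frame captured on the sending host looks like when the NIC does checksum offload; a common cause of "incorrect TCP checksum" in captures, though the thread does not confirm that this is the cause here), and then reassembles the stream two ways. The assumption modelled is that a validating dissector skips a bad-checksum segment rather than handing it to reassembly, as the "[Unreassembled Packet [incorrect TCP checksum]]" line suggests; once the leading bytes of a TLS record are missing, every later record boundary is lost and the parser can only report "Ignored Unknown Record". Addresses are the ones from the listing; ports, sequence numbers and record bodies are constructed.

```python
import socket
import struct

# TLS record content types (RFC 5246 section 6.2.1).
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload,
    with the checksum field (bytes 16-17) taken as zero (RFC 793)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the checksum stored in the header matches the recomputed one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, fill_checksum=True):
    """Constructed 20-byte TCP header (ACK flag, no options) plus payload.
    fill_checksum=False leaves the field at zero, which is what a frame looks
    like when captured on the sending host before the NIC computed the checksum
    (checksum offload)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def reassemble(segments, src_ip, dst_ip, validate_checksum):
    """Concatenate payloads in sequence-number order.  With validation on, a
    segment whose checksum fails is skipped instead of being fed to the
    upper-layer parser (the assumed model for the '[Unreassembled Packet
    [incorrect TCP checksum]]' line in the listing)."""
    stream = b""
    for seg in sorted(segments, key=lambda s: struct.unpack("!I", s[4:8])[0]):
        if validate_checksum and not checksum_ok(src_ip, dst_ip, seg):
            continue
        stream += seg[20:]          # data offset is fixed at 5 words in build_segment
    return stream


def parse_tls_records(stream: bytes):
    """Walk TLS records (type, version, length, body) from the start of the stream.
    Bytes that do not begin with a plausible record header are reported as an
    unknown record, which is all a dissector can say once an earlier segment is gone."""
    out, i = [], 0
    while i < len(stream):
        if i + 5 > len(stream):
            out.append("incomplete record header")
            break
        ctype, version, length = struct.unpack("!BHH", stream[i:i + 5])
        if ctype not in TLS_TYPES or version >> 8 != 3:
            out.append("Ignored Unknown Record")
            break
        if i + 5 + length > len(stream):
            out.append("incomplete record, needs more segments")
            break
        out.append(TLS_TYPES[ctype])
        i += 5 + length
    return out


def demo(validate_checksum: bool):
    """Two server->client segments (addresses from the thread; ports, sequence
    numbers and payload constructed).  A 45-byte handshake record is split across
    them and the first segment's checksum was never filled in."""
    src, dst = "10.111.1.21", "10.1.1.191"
    handshake = b"\x16\x03\x01" + struct.pack("!H", 40) + b"A" * 40   # type 22, TLS 1.0
    appdata = b"\x17\x03\x01" + struct.pack("!H", 5) + b"hello"        # type 23
    seg1 = build_segment(src, dst, 443, 51000, 1000, handshake[:25], fill_checksum=False)
    seg2 = build_segment(src, dst, 443, 51000, 1025, handshake[25:] + appdata)
    return parse_tls_records(reassemble([seg2, seg1], src, dst, validate_checksum))


if __name__ == "__main__":
    print("validation on: ", demo(True))    # ['Ignored Unknown Record']
    print("validation off:", demo(False))   # ['Handshake', 'ApplicationData']
```

Running `demo(True)` drops the first segment and the parser sees record body bytes where a header should be, mirroring the "[TCP Previous segment lost] Ignored Unknown Record" rows; `demo(False)` keeps both segments and recovers the Handshake and Application Data records, mirroring the second listing. The practical check when a capture shows this pattern is whether the bad checksums are all on frames sent by the capturing host, which points at offload rather than corruption on the wire.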