Wireshark-users: Re: [Wireshark-users] tshark RTP decodes
From: Barry Constantine <Barry.Constantine@xxxxxxxx>
Date: Sun, 9 Sep 2012 12:37:12 +0000
Thanks for the suggestions Guy and Joerg.

I could not get the rtp heuristic to work in either the Wireshark user interface or tshark command line so used the -d option like this:

tshark -r voip.pcap -d udp.port==64625,rtp -T fields -e frame.number -e frame.time_delta -e rtp.timestamp -e rtp.seq > rtp_seq.txt

For what I am doing, manually entering the port is OK.

Thank you,
Barry Constantine

JDSU Communications Test
Principal Member Technical Staff
301-325-7069


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Tuesday, September 04, 2012 3:00 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 76, Issue 2

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Re: Wireshark 1.8.1 Duplicate protocol name (Paul Ring)
   2. Re: tshark RTP decodes (Joerg Mayer)
   3. Re: tshark RTP decodes (Guy Harris)
   4. Re: Wireshark 1.8.1 Duplicate protocol name (Joerg Mayer)
   5. Re: tcpdump forum ? (Aktuna, Ilker, Vodafone Turkey)
   6. Re: tcpdump forum ? (Sake Blok)
   7. Re: tcpdump forum ? (Aktuna, Ilker, Vodafone Turkey)
   8. Wireshark 1.8.2 and WOL (Marco Zuppone)
   9. Re: Wireshark 1.8.2 and WOL (Jaap Keuter)
  10. Re: Wireshark 1.8.2 and WOL (Marco Zuppone)


----------------------------------------------------------------------

Message: 1
Date: Mon, 3 Sep 2012 21:03:32 +0000 (UTC)
From: Paul Ring <plring@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Wireshark 1.8.1 Duplicate protocol name
Message-ID: <loom.20120903T225710-491@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


Andreas <AndreasSander1@...> writes:

> 
> Am 25.07.2012 21:39, schrieb YJZ:
>  > After installing Wireshark 1.8.1 for "OS X 10.6 and later Intel 
> 64-bit" last night, tshark coredumps with:
>  >
>  > Duplicate protocol name "Coseventcomm Dissector Using GIOP API"! 
> This might be caused by an inappropriate plugin or a development error.
>  >
>  > The only plugin I have installed is cloudshark 1.0.1-162, in 
> ~/.wireshark/plugins/. Removing that doesn't make any difference.
> 
> Have you checked _all_ plug-in directories?
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@...>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@...?subject=unsubscribe
> 
> 


So, what I found was that I had to remove a number of plug-ins to get it to run. I basically did a grep in the plugin directory looking for GIOP. BTW, the directory is:

/Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins

I created a directory called:

/Applications/Wireshark.app/Contents/Resources/lib/wireshark/oldplugins

and moved the plugins one by one till I now got a new error, that said the offending Duplicate Protocol name was "SERCOS III V1.1". So, grep'ed for SERCOS and moved that plugin out and now it runs.

Not sure what functionality I'll lose moving these plugins, but at least it's running. Sure I'll find out what I'm missing later :)




------------------------------

Message: 2
Date: Tue, 4 Sep 2012 02:48:33 +0200
From: Joerg Mayer <jmayer@xxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark RTP decodes
Message-ID: <20120904004833.GC15681@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On Sat, Sep 01, 2012 at 04:03:54PM +0000, Barry Constantine wrote:
> I know how to redecode to RTP in UI, but would like to do the same at command line and extract fields.
...
> tshark -r rtp_call.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq
...
> It accepts the -o option, but the rtp.seq field is displayed with no content.

Works for me here:
tshark -r rtp-only-test.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq

tshark -v
WARNING: no socket to connect to
TShark 1.9.0 (SVN Rev 44762 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.30.1, with libpcap, with libz 1.2.5, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.7.5, with Lua 5.1, without Python, with GnuTLS 3.0.3, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.

Running on Linux 3.1.10-1.16-desktop, with locale de_DE.UTF-8, with libpcap version 1.1.1, with libz 1.2.5.

Built using gcc 4.7.1 20120723 [gcc-4_7-branch revision 189773].

Ciao
     Jörg

-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.


------------------------------

Message: 3
Date: Mon, 3 Sep 2012 18:11:29 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark RTP decodes
Message-ID: <9B03C19B-052D-4495-B6A1-D1576161098B@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Sep 3, 2012, at 5:48 PM, Joerg Mayer wrote:

> On Sat, Sep 01, 2012 at 04:03:54PM +0000, Barry Constantine wrote:
>> I know how to redecode to RTP in UI, but would like to do the same at command line and extract fields.
> ...
>> tshark -r rtp_call.pcap -o rtp.heuristic_rtp:TRUE -T fields -e 
>> rtp.seq
> ...
>> It accepts the -o option, but the rtp.seq field is displayed with no content.
> 
> Works for me here:
> tshark -r rtp-only-test.pcap -o rtp.heuristic_rtp:TRUE -T fields -e 
> rtp.seq

"rtp.heuristic_rtp:TRUE" turns on a heuristic; it's a bit of a weak heuristic, but it might still fail to recognize RTP packets.  Perhaps it's recognizing them in your capture but not in Barry's capture.

"redecode to RTP in UI", I suspect, means "use "Decode As..."", which is a manual operation, so to do it purely from the command line you'd first have to run TShark on the capture to try to figure out what ports are being used for RTP traffic and then re-run TShark with the appropriate "-d" flag values.  If you want it done without that much user interaction, the heuristic is about the best that can be done.

Barry, if that's what "redecode to RTP in UI" means, what happens if you *don't* use that and, instead, just enable the heuristic in the RTP preferences?  Does it recognize all the relevant packets as RTP?  If so, and it's not working in TShark, that's a weird bug; we'd need to see a capture on which it happens to try to figure it out.  If not, then the heuristic would need to be changed; when the packets *are* dissected as RTP, what are:

	the version number (0, 2, or other);

	the destination ports to which the packets are sent?

------------------------------

Message: 4
Date: Tue, 4 Sep 2012 03:20:22 +0200
From: Joerg Mayer <jmayer@xxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark 1.8.1 Duplicate protocol name
Message-ID: <20120904012022.GE15681@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On Mon, Sep 03, 2012 at 09:03:32PM +0000, Paul Ring wrote:
> So, what I found was that I had to remove a number of plug-ins to get 
> it to run. I basically did a grep in the plugin directory looking 
> for GIOP. BTW, the directory is:
..
> Not sure what functionality I'll lose moving these plugins, but at 
> least it's running. Sure I'll find out what I'm missing later :)

Most likely you lose nothing, because IIRC these dissectors were changed from plugins to builtin dissectors.

------------------------------------------------------------------------
r42974 | etxrab | 2012-06-01 17:57:05 +0200 (Fr, 01 Jun 2012) | 1 line

Make packet-coseventcomm.c a builtin dissector
------------------------------------------------------------------------


Ciao
      Jörg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.


------------------------------

Message: 5
Date: Tue, 4 Sep 2012 05:19:43 +0000
From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna@xxxxxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump forum ?
Message-ID:
	<570E79B43C20D449A7498C27DE26501405C66F06@vftrexchmbx02.vodafone.local>
	
Content-Type: text/plain; charset="utf-8"

Hi,

How can I add a network address condition to the following filter ?

"ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)"

I want to add a source/dest network condition like "net 10.10.0.0/16", or "net 192.168.202.96/27"

Thanks,
ilker

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Aktuna, Ilker, Vodafone Turkey
Sent: Thursday, August 30, 2012 11:11 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tcpdump forum ?

Yes, the filter worked fine. Thanks.

Well, it was working somehow. Maybe some version of libpcap was supporting it, is it impossible ?
I didn't use tshark. I know that its display filters support this but they are not effective when capturing to file :(

Cheers,
ilker


From: wireshark-users-bounces@xxxxxxxxxxxxx<mailto:wireshark-users-bounces@xxxxxxxxxxxxx> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx]<mailto:[mailto:wireshark-users-bounces@xxxxxxxxxxxxx]> On Behalf Of Sake Blok
Sent: Thursday, August 30, 2012 8:26 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tcpdump forum ?

On 28 aug. 2012, at 15:07, "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna@xxxxxxxxxxxx<mailto:ilker.aktuna@xxxxxxxxxxxx>> wrote:

Sorry if I was misleading. I didn't state that I could write the patch for "ipip". I meant that I could compile if the required code is supplied. I thought it was easy for you to supply the required code. From your recent post I understand that I was wrong. So I'll try to use what you suggested as a capture filter. (Thanks for the filter by the way)

Did the filter work?

 But I wonder how "tcpdump" started not supporting this, as it was working fine on the previous server.

Any ideas ?

It sounds unlikely that it had ever worked. Are you sure you had ipip traffic back then? Or did you use tshark? Tshark is ipip aware in its display filters (not in its capture filters).

Cheers,
Sake

Legal Notice:
This e-mail is subject to the Terms and Conditions document that you can reach using this link http://www.vodafone.com.tr/VodafoneHakkinda/eposta-hukuki-sartlar.php



------------------------------

Message: 6
Date: Tue, 4 Sep 2012 07:42:40 +0200
From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump forum ?
Message-ID: <285E68D6-1702-4CE8-89FF-A78722D79848@xxxxxxxxxx>
Content-Type: text/plain; charset=windows-1252

On 4 sep 2012, at 07:19, Aktuna, Ilker, Vodafone Turkey wrote:

> How can I add a network address condition to the following filter ?
>  
> "ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)"
>  
> I want to add a source/dest network condition like "net 10.10.0.0/16", or "net 192.168.202.96/27"

OK, you want to look at the IP src and IP dst address in the inner IP header, they are at offset 12 and 16, so you will have to use "ip[20+12:4]" and "ip[20+16:4]". You want to calculate the (sub)network address, so you need to "and" with the subnetmask and then compare to your subnet:

net 10.10.0.0/16:  ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000
net 192.168.202.96/27:  ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60

(255.255.0.0 = ff.ff.0.0 => 0xffff0000, 10.10.0.0 = 0a.0a.0.0 => 0x0a0a0000, 255.255.255.224 = ff.ff.ff.e0 => 0xffffffe0, 192.168.202.96 = c0.a8.ca.60 => 0xc0a8ca60)

In total:


ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000)

and

ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60)

Cheers,
Sake
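The mask arithmetic Sake does by hand above, as an added Python example (not from the thread): it generates the masked src-or-dst terms for any CIDR, assembles the full capture filter, and checks the byte offsets against a constructed IPIP/UDP packet. Function names and the addresses used are mine; like the original filter, it assumes option-less 20-byte outer and inner IPv4 headers (an inner header with options would shift every `20+` offset).

```python
import ipaddress
import struct

# The thread's filter indexes from the start of the outer IPv4 header and
# assumes both outer and inner headers are the option-less 20 bytes.
OUTER_IP_LEN = 20
INNER_IP_LEN = 20


def cidr_to_bpf_terms(cidr: str, outer_len: int = OUTER_IP_LEN) -> str:
    """Masked comparison of inner src (inner offset 12) or inner dst (16).

    Mirrors the hand conversion in the post: 255.255.0.0 -> 0xffff0000,
    10.10.0.0 -> 0x0a0a0000, and likewise for the /27.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    mask, addr = int(net.netmask), int(net.network_address)
    return ("(ip[{o}+12:4] & 0x{m:08x} = 0x{a:08x} or "
            "ip[{o}+16:4] & 0x{m:08x} = 0x{a:08x})").format(o=outer_len, m=mask, a=addr)


def sip_in_ipip_filter(cidr: str) -> str:
    """Full filter from the thread: IPIP (proto 4), inner UDP (ip[20+9]=17),
    SIP port 5060 as inner UDP src or dst port, inner address in `cidr`."""
    return ("ip proto 4 and ip[20+9]=17 and "
            "(ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and "
            + cidr_to_bpf_terms(cidr))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipip_sip_packet(outer_src, outer_dst, inner_src, inner_dst, sport, dport) -> bytes:
    """Constructed packet: outer IPv4 (proto 4) / inner IPv4 (proto 17) / UDP."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_header(inner_src, inner_dst, 17, len(udp)) + udp
    return ipv4_header(outer_src, outer_dst, 4, len(inner)) + inner


def matches(pkt: bytes, cidr: str) -> bool:
    """Evaluate the same byte-offset logic the filter expresses, on the raw
    IPv4 bytes that `ip[...]` indexes, to confirm the offsets are correct."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    mask, addr = int(net.netmask), int(net.network_address)
    if len(pkt) < OUTER_IP_LEN + INNER_IP_LEN + 4:
        return False
    if pkt[9] != 4 or pkt[OUTER_IP_LEN + 9] != 17:      # ip proto 4, inner UDP
        return False
    sport, dport = struct.unpack_from("!HH", pkt, OUTER_IP_LEN + INNER_IP_LEN)
    if 5060 not in (sport, dport):                       # ip[20+20+0:2] / [20+20+2:2]
        return False
    isrc, idst = struct.unpack_from("!II", pkt, OUTER_IP_LEN + 12)  # offsets 12 and 16
    return (isrc & mask) == addr or (idst & mask) == addr
```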

------------------------------

Message: 7
Date: Tue, 4 Sep 2012 09:07:49 +0000
From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna@xxxxxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump forum ?
Message-ID:
	<570E79B43C20D449A7498C27DE26501405C678B0@vftrexchmbx02.vodafone.local>
	
Content-Type: text/plain; charset="utf-8"

Hi,

That was quick :)
Thank you very much. It works just as expected.

Cheers,
ilker

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, September 04, 2012 8:43 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tcpdump forum ?

On 4 sep 2012, at 07:19, Aktuna, Ilker, Vodafone Turkey wrote:

> How can I add a network address condition to the following filter ?
>
> "ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)"
>
> I want to add a source/dest network condition like "net 10.10.0.0/16", or "net 192.168.202.96/27"

OK, you want to look at the IP src and IP dst address in the inner IP header, they are at offset 12 and 16, so you will have to use "ip[20+12:4]" and "ip[20+16:4]". You want to calculate the (sub)network address, so you need to "and" with the subnetmask and then compare to your subnet:

net 10.10.0.0/16:  ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000
net 192.168.202.96/27:  ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60

(255.255.0.0 = ff.ff.0.0 => 0xffff0000, 10.10.0.0 = 0a.0a.0.0 => 0x0a0a0000, 255.255.255.224 = ff.ff.ff.e0 => 0xffffffe0, 192.168.202.96 = c0.a8.ca.60 => 0xc0a8ca60)

In total:


ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000)

and

ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60)

Cheers,
Sake



------------------------------

Message: 8
Date: Tue, 4 Sep 2012 10:47:48 +0100
From: Marco Zuppone <msz@xxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Wireshark 1.8.2 and WOL
Message-ID: <914C4ADD-7671-4563-ACDC-395439761570@xxxxxx>
Content-Type: text/plain; charset=us-ascii

Hello,


I'm trying to sniff the WOL (Wake on line) traffic using Wireshark 1.8.2 32bit Windows version.
I remember that in the previous version the traffic was decoded as WOL and the filter was WOL.
The filter still exists but the magic packets are interpreted as ECHO. (They are UDP dst port 17) I tried to look in the Protocols menu but WOL does not exist...
 If I filter the traffic using the WOL filter nothing is returned.
If I use a WOL Sniffer tool the packet is correctly interpreted as magic packet.
 Any clues?

Kind regards,
Marco - StockTrader

------------------------------

Message: 9
Date: Tue, 04 Sep 2012 15:18:39 +0200
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark 1.8.2 and WOL
Message-ID: <ce93214f65d8f015a9110044e109fda2@xxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi,

What happens when you configure UDP to try heuristic dissectors first?

Thanks,
Jaap

On 2012-09-04 11:47, Marco Zuppone wrote:
> Hello,
>
>
> I'm trying to sniff the WOL (Wake on line) traffic using Wireshark
> 1.8.2 32bit Windows version.
> I remember that in the previous version the traffic was decoded as WOL 
> and the filter was WOL.
> The filter still exists but the magic packets are interpreted as ECHO. 
> (They are UDP dst port 17) I tried to look in the Protocols menu but 
> WOL does not exist...
>  If I filter the traffic using the WOL filter nothing is returned.
> If I use a WOL Sniffer tool the packet is correctly interpreted as 
> magic packet.
>  Any clues?
>
> Kind regards,
> Marco - StockTrader



------------------------------

Message: 10
Date: Tue, 4 Sep 2012 14:33:26 +0100
From: Marco Zuppone <msz@xxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark 1.8.2 and WOL
Message-ID: <69E69A18-3FD5-416E-A6CC-69D9C10F6D1B@xxxxxx>
Content-Type: text/plain; charset=us-ascii

Thanks Jaap!!!!
 You're the man!! :-)
 Regards,
Marco - StockTrader
On 4 Sep 2012, at 14:18, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

> Hi,
> 
> What happens when you configure UDP to try heuristic dissectors first?
> 
> Thanks,
> Jaap
> 
> On 2012-09-04 11:47, Marco Zuppone wrote:
>> Hello,
>> 
>> 
>> I'm trying to sniff the WOL (Wake on line) traffic using Wireshark
>> 1.8.2 32bit Windows version.
>> I remember that in the previous version the traffic was decoded as 
>> WOL and the filter was WOL.
>> The filter still exists but the magic packets are interpreted as 
>> ECHO. (They are UDP dst port 17) I tried to look in the Protocols 
>> menu but WOL does not exist...
>> If I filter the traffic using the WOL filter nothing is returned.
>> If I use a WOL Sniffer tool the packet is correctly interpreted as 
>> magic packet.
>> Any clues?
>> 
>> Kind regards,
>> Marco - StockTrader
> 



------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 76, Issue 2
**********************************************