Wireshark-users: Re: [Wireshark-users] Filtering on (negated) frame.time_relative filters out wro
On 170317-21:30+0100, Miroslav Rovis wrote:
> On 170317-11:29+0000, Graham Bloice wrote:
> > On 17 March 2017 at 11:23, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> > > Can you try to prepare a smaller capture that can reproduce the
> > > issue which does not contain sensitive passwords?
>
> Posted:
>
> The Test Sample for the (Imaginary or Not) Bug
> http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-2.php
I made the follow-up:
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-3.php
but reading it from the top is a huge excess and impertinent to point the
developers to, so I'm writing this notice about it. :-)
Pls. just find (somewhere in the middle of the page):
$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
dump_170317_0928_g0n.pcap -Y \
'(!(frame.time_relative == 33.105837782))' \
-w dump_170317_0928_g0n_noPWft.pcap
and
(
but only if you want to see the rest of my testing, then also find
PASTING
NOTE: you are probably better off downloading (see below) and running first
$ ./dump_170317_0928_g0n_noPWft_TEST1.sh
PASTED
( and also the other scripts, 4 total )
You can see that, because the entire tests are in the two, and later two
more, scripts.
The first testing set is on negated filtering on frame.time_relative,
and the second one is on negated filtering on frame.number:
$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
dump_170317_0928_g0n.pcap -Y \
'(!(frame.number == 1070))' \
-w dump_170317_0928_g0n_noPWfn.pcap
And those two command lines do what I wrote there, pasting from that
page, respectively for the frame.time_relative negated filtering:
PASTING
...Well, I can definitely see the issues I reported to Wireshark ML. The
frame.time_relative == 33.105837782 which belongs to the frame that I
want to remove is gone, but that frame is given a different --not
its own, so wrong-- frame.time_relative, and that frame --that packet--
still remains, while some other frame is removed, and not the one that
the command asked to be removed.
PASTED
and for the frame.number negated filtering:
PASTING
I will still find the password in all the places as previously.
PASTED
I simply get the wrong packet out with that filtering.
This is important:
=================
I can post the files that I get, in case you don't get the wrong packet
filtered out with your instance of Wireshark...
=======================================================================
And finally a word for non-developers who are eager to learn a little: I
wrote all that much because I believe it can be useful to newbies. I
like to spread the use of good programs, and I like to read the network,
and show others a tip or two about it if I can. The page is mostly for
you, not the developers.
Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
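As an added example (not from this thread, and not Wireshark or tshark code), a small Python script that drops one frame by its Wireshark frame.number from a classic little-endian pcap and then runs the two checks the post is about: whether the remaining frames keep their frame.time_relative values, and whether the sensitive bytes are actually gone from the output file. The sample capture and the password string are constructed; the secret is deliberately placed in two frames so the check shows that dropping a single frame is not enough in that case.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps (written little-endian)

def build_pcap(records):
    """Write a pcap file (bytes). records: list of (ts_sec, ts_usec, packet_bytes)."""
    # version 2.4, no time-zone offset, snaplen 65535, linktype 1 (Ethernet)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, data in records:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def iter_records(pcap):
    """Yield (ts_sec, ts_usec, packet_bytes) for every record, in file order."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield sec, usec, pcap[off:off + incl_len]
        off += incl_len

def drop_frame(pcap, frame_number):
    """Return a new pcap without the given frame (1-based, like Wireshark's frame.number)."""
    kept = [r for i, r in enumerate(iter_records(pcap), start=1) if i != frame_number]
    return build_pcap(kept)

def relative_times(pcap):
    """frame.time_relative as Wireshark shows it: seconds since the first frame in the file.
    Dropping any frame but the first leaves these unchanged; dropping frame 1 shifts them all."""
    recs = list(iter_records(pcap))
    t0 = recs[0][0] * 10**6 + recs[0][1]                 # integer microseconds, no float drift
    return [(s * 10**6 + u - t0) / 1e6 for s, u, _ in recs]

def frames_containing(pcap, needle):
    """1-based frame numbers whose bytes still contain `needle`: the check to run before sharing."""
    return [i for i, (_, _, d) in enumerate(iter_records(pcap), start=1) if needle in d]

# Constructed sample: three frames; the secret sits in frame 2 and, on purpose, again in frame 3.
SECRET = b"password=hunter2"   # constructed, not a real credential
SAMPLE = build_pcap([
    (1489400000, 0, b"frame one, harmless"),
    (1489400033, 105837, b"POST /login " + SECRET),
    (1489400040, 500000, b"HTTP/1.1 200 OK echo: " + SECRET),
])

if __name__ == "__main__":
    cleaned = drop_frame(SAMPLE, 2)
    print("relative times before:", relative_times(SAMPLE))
    print("relative times after: ", relative_times(cleaned))
    print("frames still holding the secret:", frames_containing(cleaned, SECRET))
```

After the drop, frame 3 is renumbered to frame 2, so any later filter must use the new numbering; the byte search is what tells you whether the capture is actually clean.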