Wireshark mailing list archives

Re: help me please


From: Forthofer Russ <Russ.Forthofer () ssfhs org>
Date: Mon, 19 Apr 2010 10:32:32 -0400

If you use the capture filter "host x.x.x.x" and only see that IP in one direction, it is possible that you are receiving the traffic on one NIC and sending on the other. Check your route table. You could also run the trace with the same capture filter on your second NIC. In that case do you only see traffic in the other direction?

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Wes
Sent: Monday, April 19, 2010 10:22 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] help me please

Using the Capture filter "host x.x.x.x" should capture anything From or To the x.x.x.x address.

Wes

--- On Mon, 4/19/10, Miszcsi Miszcsi <miszcsike () yahoo com> wrote:

From: Miszcsi Miszcsi <miszcsike () yahoo com>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Date: Monday, April 19, 2010, 5:53 AM

Hello Everybody. Thanks Wes for the help, it was very useful, I got the right direction. The problem is that the host qualifier refers to the IP address only as source and not as destination too. How can I make a capture filter for analysing both incoming and outgoing packets for a certain IP address? Can I build the filter using "and" and "src host"/"dst host" combinations?

Have a nice day

Miszcsi


--- On Sat, 4/17/10, Wes <wes_r () yahoo com> wrote:

From: Wes <wes_r () yahoo com>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Date: Saturday, April 17, 2010, 1:37 PM

One way to attack this is to verify the sniffer is actually capturing the packets in question by doing a capture 
without a capture filter. Then you should be able to build a display filter to see only the packets you want. From 
that, you should be able to create a capture filter to capture just those packets.

Wes

--- On Sat, 4/17/10, Pedro Tumusok <pedro.tumusok () gmail com> wrote:

From: Pedro Tumusok <pedro.tumusok () gmail com>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Date: Saturday, April 17, 2010, 9:09 AM

Why do you need to use the HOST address as a qualifier?
Would not tcp port 5050 be enough?
The reason is simple: because the internal host IP does not exist on the WAN (Internet), this address is never in any packet that Wireshark captures on the WAN interface. Have you tried to run the sniffer on the LAN interface?

Pedro

On Sat, Apr 17, 2010 at 12:29 PM, Miszcsi Miszcsi <miszcsike () yahoo com> wrote:
Hi

How to figure out the combination? For this I should visualize the NAT table somehow, but I don't know how to do this.

Thanks

Miszcsi

PS I still need help with this problem :( Everybody on weekend holiday or sleeping? :D Still stuck with the project...

--- On Sat, 4/17/10, Jaap Keuter <jaap.keuter () xs4all nl> wrote:

From: Jaap Keuter <jaap.keuter () xs4all nl>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Date: Saturday, April 17, 2010, 8:28 AM

Hi,

It seems like the NAT function is interfering with your capture filter. Maybe you can figure out what the exact 
address/port translation function is by looking at all WAN interface data.

Thanks,
Jaap

Sent from my iPhone

On 17 apr 2010, at 10:09, Miszcsi Miszcsi <miszcsike () yahoo com> wrote:


Hello!

Please somebody help me with my problem! I'm new to this and I'm stuck with my project because of this problem and I cannot go further.

Any concrete and real help would be appreciated.


I'm trying to monitor network traffic on a Windows gateway with Wireshark, especially IM traffic, Yahoo Messenger. I have 2 Fast Ethernet cards in the PC, one for WAN and one for LAN.
If I'm running the sniffer on an internal PC, I have both incoming and outgoing packets from and to the Yahoo server or, in case of peer-to-peer messaging, to and from the remote discussion partner.
If I'm running the sniffer on the gateway using the WAN interface for capture, I have only incoming packets, and no outgoing. For filtering at capture I'm using the option
"tcp port 5050 and host X.X.X.X" where X.X.X.X is the IP address of the internal PC.
(Wireshark - Capture Options - I enter this in the Capture Filter field, then Start)
I have one statically assigned real IP on the WAN, and DHCP-assigned private IPs for the internal PCs (192.168.0.X); they are assigned based on each PC's MAC address, so they are constant and not interchanging. I'm using source NAT on the WAN interface.

What am I doing wrong, or why don't outgoing packets appear in Wireshark?

There is an example in the Wireshark User's Guide which inspired me:

Example 4.1.  A capture filter for telnet that captures traffic to and from a particular host

tcp port 23 and host 10.0.0.5

Please somebody explain what the solution is, or what the problem is that makes me see only incoming packets and nothing outgoing.

Best Regards
Miszcsi


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe







--
Best regards / Mvh
Jan Pedro Tumusok

I know you love me
And you want to be Friends
And if you dont
at least you need to pretend












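The thread's diagnosis (Pedro, Jaap) is that a source-NAT gateway rewrites the private address out of every packet before it reaches the WAN interface, so a capture filter naming that address cannot match there, while "tcp port 5050" still can. The Python script below is an added illustration and is not part of the list thread or of Wireshark. It models one two-packet IM exchange with constructed values (192.168.0.10 for the LAN PC, 203.0.113.5 for the gateway's public address, 198.51.100.7 for the IM server, 40001 for the port the NAT picks), derives what the same packets look like on the WAN side, and evaluates the subset of libpcap capture-filter syntax used in the thread (host, src/dst host, tcp port, not/and/or) against both views.

```python
"""Added illustration (not from the Wireshark list thread): which libpcap
capture filters can match a NATed IM session on the LAN vs. the WAN side.
Constructed values: 192.168.0.10 (LAN PC), 203.0.113.5 (gateway WAN
address), 198.51.100.7 (IM server), 40001 (port chosen by the NAT)."""
from collections import namedtuple

INTERNAL_IP, PUBLIC_IP = "192.168.0.10", "203.0.113.5"   # constructed
SERVER_IP, NAT_PORT = "198.51.100.7", 40001               # constructed

Packet = namedtuple("Packet", "src dst sport dport proto", defaults=("tcp",))


def as_seen_on_wan(lan_pkt):
    """The same packet as it appears on the WAN side of a source-NAT gateway."""
    if lan_pkt.src == INTERNAL_IP:    # outbound: private source gets rewritten
        return lan_pkt._replace(src=PUBLIC_IP, sport=NAT_PORT)
    if lan_pkt.dst == INTERNAL_IP:    # inbound reply was addressed to the public IP
        return lan_pkt._replace(dst=PUBLIC_IP, dport=NAT_PORT)
    return lan_pkt


def compile_filter(text):
    """Compile a subset of libpcap filter syntax into a predicate on Packet.

    Supported: [src|dst] host A.B.C.D, [tcp|udp] [src|dst] port N, and
    not / and / or with BPF precedence (and binds tighter than or).
    """
    tokens, pos = text.split(), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def primitive():
        tok, direction, proto = take(), None, None
        while tok in ("src", "dst", "tcp", "udp"):      # qualifiers, any order
            if tok in ("src", "dst"):
                direction = tok
            else:
                proto = tok
            tok = take()
        if tok not in ("host", "port"):
            raise ValueError(f"unsupported primitive: {tok!r}")
        value = take() if tok == "host" else int(take())

        def match(p):
            if proto and p.proto != proto:
                return False
            ends = {"src": p.src, "dst": p.dst} if tok == "host" else {"src": p.sport, "dst": p.dport}
            return value == ends[direction] if direction else value in ends.values()
        return match

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        return primitive()

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return pred


# Constructed two-packet exchange as the LAN interface sees it.
LAN_PACKETS = [Packet(INTERNAL_IP, SERVER_IP, 51234, 5050),   # PC -> IM server
               Packet(SERVER_IP, INTERNAL_IP, 5050, 51234)]   # IM server -> PC
WAN_PACKETS = [as_seen_on_wan(p) for p in LAN_PACKETS]


def compare(filter_text):
    """Number of packets the filter matches on each capture interface."""
    pred = compile_filter(filter_text)
    return {name: sum(1 for p in pkts if pred(p))
            for name, pkts in (("lan", LAN_PACKETS), ("wan", WAN_PACKETS))}
```

Calling compare("tcp port 5050 and host 192.168.0.10"), the thread's filter, gives {'lan': 2, 'wan': 0}: both directions match on the LAN interface and nothing matches on the WAN. compare("tcp port 5050") gives 2 on both interfaces, and compare("tcp port 5050 and host 203.0.113.5"), naming the translated public address, gives 0 on the LAN and 2 on the WAN. The design point for anyone monitoring from a gateway is that the capture filter has to name the address as it exists on the interface being captured, or the capture has to be taken on the LAN side where the private address is still present.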