Wireshark mailing list archives

More issues with network monitor 3.3 traces


From: "noah davids" <ndav1 () cox net>
Date: Wed, 21 Jul 2010 21:49:10 -0700

Well I downloaded Version 1.5.0-SVN-33606 (SVN Rev 33606 from /trunk) and 
was able to read and decode the first network monitor 3.3 trace but not 
another. The second gives me the error "The capture file has a packet with a 
network type Wireshark doesn't support. (netmon: network type 0 unknown or 
unsupported)."

Also I discovered the following when displaying the first trace. I have a 
display filter of "ssl" and the TCP preference "Validate the TCP checksum if 
possible" is checked

   No.  Time       Source       Destination  TTL  Protocol  Window size  Info
   910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
   914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
   915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        [TCP Previous segment lost] Ignored Unknown Record
   918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
   922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   923  18.297802  10.1.1.191   10.111.1.21  128  SSL       65492        [Unreassembled Packet [incorrect TCP checksum]]
   930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   932  18.343700  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   936  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   938  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   944  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record
   948  18.432567  10.1.1.191   10.111.1.21  128  TLSv1     65492        [TCP Previous segment lost] Ignored Unknown Record


But when I uncheck the TCP preference "Validate the TCP checksum if 
possible" the trace changes to

   No.  Time       Source       Destination  TTL  Protocol  Window size  Info
   910  18.186473  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Hello
   914  18.231395  10.111.1.21  10.1.1.191   115  TCP       65465        [TCP segment of a reassembled PDU]
   915  18.232372  10.111.1.21  10.1.1.191   115  TLSv1     65465        Server Hello, Certificate, Server Hello Done
   918  18.233348  10.1.1.191   10.111.1.21  128  TLSv1     65535        Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   921  18.279247  10.111.1.21  10.1.1.191   115  TLSv1     65283        Change Cipher Spec, Encrypted Handshake Message
   922  18.297802  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   923  18.297802  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
   930  18.341747  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   932  18.343700  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
   934  18.387645  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   936  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
   938  18.387645  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
   942  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   944  18.431591  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]
   946  18.431591  10.1.1.191   10.111.1.21  128  TLSv1     65492        Application Data
   948  18.432567  10.1.1.191   10.111.1.21  128  TCP       65492        [TCP segment of a reassembled PDU]

Why should validating the checksum change the interpretation of the data?




Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you 
deleted it and notified me that you received it incorrectly. On the other 
hand, E-mail is an insecure mechanism; nothing in this E-mail can be 
considered confidential. I have no doubts that copies of this E-mail have 
been archived by my ISP, your ISP and probably the FBI, CIA and NSA. I 
suspect that Interpol, MI-6, SVR (think KGB) and MSS (Chinese) will have 
copies shortly; the NSIS (Kenya) will have it by the end of the week. 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
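Editor's note on the question in the message above. Wireshark's "Validate the TCP checksum if possible" preference (tcp.check_checksum) does more than colour a packet: a segment whose checksum fails validation is not handed to TCP stream reassembly, so from the reassembler's point of view there is a hole in the stream, the next in-order segment is flagged "[TCP Previous segment lost]", and a TLS record that straddled the hole cannot be parsed ("Ignored Unknown Record"). Captures taken on the sending host with TCP checksum offload enabled commonly show such "bad" checksums for outbound packets, because the NIC fills the field in after the capture point. The following Python is an added example, not code from the post or from Wireshark: it computes the RFC 793 TCP checksum over the IPv4 pseudo-header, builds a constructed three-segment client stream (one complete TLS record, then a record split across two segments, with the middle segment's checksum deliberately wrong), and runs a toy model of Wireshark's reassembly handoff with validation on and off. The port numbers, sequence numbers and record contents are made up for the example; the IP addresses are the ones in the trace.

```python
import struct

# Constructed sample addresses: the client and server from the trace above.
SRC_IP = bytes([10, 1, 1, 191])
DST_IP = bytes([10, 111, 1, 21])

TLS_TYPES = {0x14: "Change Cipher Spec", 0x15: "Alert",
             0x16: "Handshake", 0x17: "Application Data"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, proto 6, TCP length) + segment,
    with the 16-bit checksum field (bytes 16..17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header + segment (checksum included) is all ones."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_segment(sport, dport, seq, payload, src_ip, dst_ip, corrupt=False):
    """Minimal 20-byte TCP header (PSH|ACK, window 65535) + payload.
    corrupt=True stores a deliberately wrong checksum, standing in for a field the
    NIC would have filled in after the capture point (checksum offload)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x5555  # guaranteed to differ from the correct value
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def parse_tls_records(buf: bytes):
    """Pull complete TLS records off a byte buffer.
    Returns (record names, unconsumed bytes, looks_like_tls)."""
    names = []
    while buf:
        if buf[0] not in TLS_TYPES or (len(buf) >= 2 and buf[1] != 3):
            return names, buf, False  # bytes do not start with a record header
        if len(buf) < 5:
            break  # header itself is incomplete
        length = struct.unpack("!H", buf[3:5])[0]
        if len(buf) < 5 + length:
            break  # record body still incomplete
        names.append(TLS_TYPES[buf[0]])
        buf = buf[5 + length:]
    return names, buf, True


def dissect_stream(segments, validate_checksum: bool):
    """Toy model of the Wireshark behaviour: a segment failing checksum validation is
    never added to the reassembled stream, so the expected sequence number does not
    advance and the next segment is seen as following a lost one."""
    infos, expected_seq, buf = [], None, b""
    for src_ip, dst_ip, seg in segments:
        seq = struct.unpack("!I", seg[4:8])[0]
        stored = struct.unpack("!H", seg[16:18])[0]
        payload = seg[20:]
        if validate_checksum and stored != tcp_checksum(src_ip, dst_ip, seg):
            infos.append("[Unreassembled Packet [incorrect TCP checksum]]")
            continue
        prefix = ""
        if expected_seq is not None and seq != expected_seq:
            prefix = "[TCP Previous segment lost] "
            buf = b""  # the record in progress can never be completed now
        expected_seq = seq + len(payload)
        names, buf, looks_like_tls = parse_tls_records(buf + payload)
        if not looks_like_tls:
            infos.append(prefix + "Ignored Unknown Record")
            buf = b""
        elif names:
            infos.append(prefix + ", ".join(names))
        else:
            infos.append(prefix + "[TCP segment of a reassembled PDU]")
    return infos


def sample_segments():
    """Constructed client stream: one whole Application Data record, then a second
    record split across two segments, the first of which carries a bad checksum."""
    rec1 = b"\x17\x03\x01\x00\x04" + b"ABCD"
    rec2 = b"\x17\x03\x01\x00\x08" + b"ABCDEFGH"
    seg1 = build_segment(49152, 443, 1, rec1, SRC_IP, DST_IP)
    seg2 = build_segment(49152, 443, 1 + len(rec1), rec2[:6], SRC_IP, DST_IP, corrupt=True)
    seg3 = build_segment(49152, 443, 1 + len(rec1) + 6, rec2[6:], SRC_IP, DST_IP)
    return [(SRC_IP, DST_IP, s) for s in (seg1, seg2, seg3)]


if __name__ == "__main__":
    for validate in (True, False):
        print("validate checksum =", validate)
        for info in dissect_stream(sample_segments(), validate):
            print("   ", info)
```

With validation on the model reproduces the pattern in the first listing (a checksum failure followed by "[TCP Previous segment lost] Ignored Unknown Record"); with it off, the second segment becomes "[TCP segment of a reassembled PDU]" and the third completes the record as "Application Data", as in the second listing. For tshark the same preference is set on the command line with `-o tcp.check_checksum:FALSE`.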

