Wireshark mailing list archives
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
From: Miroslav Rovis <miro.rovis () croatiafidelis hr>
Date: Sat, 18 Mar 2017 15:01:06 +0100
On 170317-21:30+0100, Miroslav Rovis wrote:
On 170317-11:29+0000, Graham Bloice wrote:
On 17 March 2017 at 11:23, Peter Wu <peter () lekensteyn nl> wrote:
Can you try to prepare a smaller capture that can reproduce the issue which does not contain sensitive passwords?

Posted: The Test Sample for the (Imaginary or Not) Bug
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-2.php

I made the follow-up:
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-3.php
but reading it from top is huge excess and impertinent to point the developers to, so I'm writing this notice about it. :-)

Pls. just find (somewhere in the middle of the page):

$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
    dump_170317_0928_g0n.pcap -Y \
    '(!(frame.time_relative == 33.105837782))' \
    -w dump_170317_0928_g0n_noPWft.pcap

and ( but only if you want to see the rest of my testing, then also find

PASTING
NOTE: you are probably better off downloading (see below) and running first
$ ./dump_170317_0928_g0n_noPWft_TEST1.sh
PASTED

( and also the other scripts, 4 total )

You can see that, because it's the entire tests are in the two, and later two more, scripts.

The first testing set is on negated filtering on frame.time_relative, and the second one is on negated filtering on frame.number:

$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
    dump_170317_0928_g0n.pcap -Y \
    '(!(frame.number == 1070))' \
    -w dump_170317_0928_g0n_noPWfn.pcap

And those two command lines do what I wrote there, pasting from that page, respectively for the frame.time_relative negated filtering:

PASTING
...Well, I can definitely see the issues I reported to Wireshark ML. The frame.time_relative == 33.105837782 which belongs to the frame that I want to remove is gone, but that frame is given a different --not its own, so wrong-- frame.time_relative, and that frame --that packet-- still remains, while some other frame is removed, and not the one that the command asked to be removed.
PASTED

and for the frame.number negated filtering:

PASTING
I will still find the password in all the places as previously.
PASTED

I simply get wrong packet out with those filtering.

This is important:
=================
I can post the files that I get, in case you don't get the wrong packet filtered out with your instance of Wireshark...
=======================================================================
And finally a word for non-developers who are eager to learn a little:

I wrote all that much because I believe it can be useful to newbies. I like to spread the use of good programs, and I like to read the network, and show others a tip or two about it if I can. The page is mostly for you, not the developers.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr