postIt » wireshark

Wireshark filter out watchdog (DWR/SWA) …

Arif — Thu, 21 Oct 2010 08:04:54 +0000

Wireshark filter out watchdog (DWR/DWA) and CER/CEA
diameter and diameter.cmd.code != 280 and diameter.cmd.code != 257
Filter out accounting request/answer (ACR/ACA) and destination IP
diameter.cmd.code == 271 && ip.dst == 10.201.63.37

In Wireshark If coloring of TCP analysi …

Arif — Tue, 03 Aug 2010 10:52:38 +0000

In Wireshark
If coloring of TCP analysis is disturbing i.e. black higlights, uncheck the “Validate the TCP checksum if possible” in Edit > Preferences > Protocols > TCP

For SCAPv1 diameter TCP port in Wireshar …

Arif — Tue, 03 Aug 2010 03:28:53 +0000

For SCAPv1 diameter TCP port in Wireshark Edit > Preferences > Protocols must be altered from standard 3868 to 1812

Dictionaries for diameter /usr/share/wi …

Arif — Tue, 03 Aug 2010 03:06:33 +0000

Dictionaries for diameter
/usr/share/wireshark/diameter
After backup original dictionaries, to use SCAPv1 of Ericsson’ proprietary diameter protocol, replace them with:

dcca.xml        ericsson.xml    nasreq.xml   tgpp.xml
dictionary.dtd  imscxdx.xml     pps.xml      vfe.xml
dictionary.xml  mobileipv4.xml  sunping.xml

Original files were

chargecontrol.xml  Ericsson.xml  imscxdx.xml     sip.xml      TGPPRx.xml
dictionary.dtd     etsie2e4.xml  mobileipv4.xml  sunping.xml  TGPPSh.xml
dictionary.xml     gqpolicy.xml  nasreq.xml      TGPPGmb.xml

tcp.flags == 0x18 and ip.src == 10.201.6 …

Arif — Tue, 30 Mar 2010 12:14:53 +0000

tcp.flags == 0x18 and ip.src == 10.201.62.249 and ip.dst == 10.201.62.78

Filter out PSH ACK (flags 0x18: “Push” and “Acknowledgement”). In UCIP XML-RPC, it carries response from AIR server e.g. the following stream

HTTP/1.1 401 Access to /Air denied for this user ... Content-Length: 366 Content-Type: text/html Date: Fri, 26 Mar 2010 07:52:55 GMT Server

Filter out initial SYN (flags 0x02) of T …

Arif — Sun, 21 Mar 2010 00:03:24 +0000

Filter out initial SYN (flags 0x02) of TCP connection from specific source and destination:
tcp.flags == 0x02 and ip.src == 10.201.62.78 and ip.dst == 10.201.62.249

A series of sync packets will appear as:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.201.62.78          10.201.62.249         TCP      53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
      4 0.001124    10.201.62.78          10.201.62.249         TCP      53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
      7 0.001556    10.201.62.78          10.201.62.249         TCP      53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
     16 0.006334    10.201.62.78          10.201.62.249         TCP      53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
     20 0.009590    10.201.62.78          10.201.62.249         TCP      53165 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
     24 0.011687    10.201.62.78          10.201.62.249         TCP      53166 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0

In the above specific case, multiple ports i.e. 53163, 53162, etc. is starting conversation with port 10010 by sending out sync packets.