I captured some packets from server(like: ip.addr == 111.11.11.111 && data), and want to send them again. How to do it? Googling didn't yield any easy way not involving some complex stuff resulting in a script being able to send only this specific request, without any flexibility.
I'am using only Windows 10
A very simple program that can do this is PlayCap from Signal 11 Software, but there are several others too. You might want to have a look at the various Traffic Generators listed on the Wireshark Tools wiki page for other potential solutions.
Related
I'm reading packets with wireshark and most of these packets are repeating multiple times per second (identical). I don't want to see those. They're too many to manually filter (thousands).
So what I'd like is some filter like:
This packet was already captured/displayed, I won't display it again.
Is this possible using wireshark or is any other software (linux) available for this? I definitely need this feature in live capture so doing some magic with a dump file is not an option.
I have a problem where I need to check the TCP packets on a machine.
We use a closed source VOIP system here and I want to open a program when an incoming calls happens.
The VOIP system's software shows the call, however has no functionality to call external software.
I used Wireshark to capture my PCs packets and I'm able to filter the packets easily by
ip.src==AAA.BBB.CCC.DDD && giop.request_op == "pushEvents" && giop.len > 300 && tcp contains "CallInfo"
Now I can work with this package if my custom software could read the package from pipe
Is there a library for purebasic that can do this capturing and filtering??
Alternatively Is there a way to trigger wireshark (console start) so it outputs the filtered data to pipe? (I noticed tshark could do this but does not support this display filter)
Thanks for any constructive answer not hitting me for rtfm ;-)
tshark is just a terminal/console interface to the same engine as GUI Wireshark. It should support all the same protocol dissectors and display filters as GUI app.
I'm pretty sure you're doing something wrong while launching it. Please provide more info why you didn't manage to get tshark working.
To solve your problem: I would launch a tshark with the filter you've come up with so only those packets are displayed on the output. Then I would pipe the output to the simple python/bash/whatever script that launches the app you want on every line of input.
You will also need to take care of specific situations like:
ensure the input line is what it was supposed to be (you can get error lines etc from tshark)
perhaps avoid launching the app if it's already running
I'm building an application that uses TCP sockets to communicate. I want to test how it behaves under slow-speed conditions.
There are similar question on the site, but as I understand it, they deal with HTTP traffic, or are about Linux. My traffic is not HTTP, just ordinary TCP sockets, and the OS is Windows.
I tried using fiddler's setting for Modem Speed but it didn't work, it seems to work only for HTTP connections.
While it is true that you probably want to invest in an extensive set of unit tests, You can simulate various network conditions using VMWare Workstation:
You will have to install a virtual machine for testing, setup bridged networking (for the vm to access your real network) and upload your code to the vm.
After that you can start changing the settings and see how your application performs.
NetLimiter can also be used, but it has fewer options (in your case, packet loss is very interesting to test and is not available in netlimiter).
There is an excellent utility for Windows that can do throttling and much more:
https://jagt.github.io/clumsy/
I think you're taking the wrong approach here.
You can achieve everything that you need with some well designed unit tests. All of the things that a slow network link causes can be simulated in a unit test environment in controlled conditions.
Things that your code MUST handle to deal with "slow" links are just things that you should be dealing with anyway, including:
The correct handling of fragmented messages. All of your network reading code needs to correctly assume that each read will return between 1 byte and the size of your read buffer. You should never assume that you'll get complete 'messages' as TCP knows nothing of your concept of messages.
TCP flow control causing either your synchronous sends to fail with some form of 'try later' error or your async sends to succeed and potentially use an uncontrolled amount of resources (see here for more details). Note that this can happen even on 'fast' links if you are sending faster than the receiver is consuming.
Timeouts - again this isn't limited to "slow" links. All of your timeout handling code should be robust and tested. You may want to make sure that any read timeout is based on any read completing rather than reading a complete message in x time. You may be getting your data at a slow rate but whilst you're still getting data the link is alive.
Connection failure - again not something specific to "slow" links. You need to know how you deal with connections being reset at any time.
In summary nothing you can achieve by running your client and server on a simulated slow network cannot be achieved with a decent set of unit tests and everything that you would want to test on such a link is something that could affect any of your connections on any speed of link.
I am trying to find a solution to monitor the traffic (in and out) through a specific port. It is not required to capture the packets, or do anyting else. What it does is to be a traffic listener to make sure there are messages sent to or received from this port every 10 minutes. It has to be running at the background all the time (like a daemon), and without significant performance impact. Based on my research, one choice is to use an existing tool to do that. There are a bunch of tools out there to monitor or sniff the traffic, such as wireshark. Well, seems most of them monitor the traffic passing through a interface, instead of a port, or they can't run as a daemon. Another choice to write a program to do this. SharpPcap seems to be a good choice, but I still need to capture and analyze the packets to know whether such traffic exist. Could somebody suggest what I should do?
SharpPcap handles packet capturing in the same manner as Wireshark, so you can set filters to limit the packet being captured to a specific port the same way in SharpPcap as you can in wireshark. Except, SharpPcap will be a much lighter weight option vs wireshark.
Download the SharpPcap source tree and look at the Example05.SetFilter.
To narrow down the results so you capture only the packets you want to see you'll need to employ a few filters.
Pcap uses a common language across all applications that use it do specify the filters to set. Capture programs that use winpcap (windows) or libpcap (*nix) include, sharppcap, wireshark, pcap.net, winpcap, libpcap, tcpdump, etc... For a great resource on how to use pcap filters see this link.
Here are the filters you need:
ether host ehost
port port
Where the ehost is the MAC address of the computer sending/receiving the packets and the port is the port you want to monitor. So the full filter string would be.
SetFilter("ether host ff:ff:ff:ff:ff:ff and port 60");
The MAC and port here are for illustration purposes only, you'd obviously change them with the values that pertain to your specific setup.
This, used in the SetFilter example will simply print out a line of info with the time of when the packet was captured to the command line every time a packet is captured and meets the criteria if your filter.
If you want more detailed info about the packet, such as info from the headers or the packet's payload, you'll need to parse the incoming raw packet. Be sure to ask for help on the sourceforge project's forum if you need some tips on how to do this. The project developers are very active and always willing to help.
The best way that will limit the impact your tool will have on performance is via an ETW (Event Tracing for Windows) Real-time Consumer (i.e. a tool that activates an ETW trace and reads it immediately instead of saving it to a file). This MSDN sample is a great way to see how to do this via C# and it gives you some code to get started.
My son has a MacOS 9 box to which he is sending remote AppleEvents from his Leopard-based MacBook. Is there any way, programmatically, that I can send remote AppleEvents via TCP/IP from my Windows 7 Toshiba?
If it helps, apple events are sent on port 3031 via TCP/UDP.
From the high level, there are four pieces to apple events:
The data aggregation API (data requests are put into an opaque in memory structure). This API as it stands was wordy and painful to use. Thank goodness you have access to languages that have better data aggregation tools
Conversion/serialization - the opaque data structure is turned into something that can be serialized and transported to another process and for same machine events, this may be a null serialization
Transport the data is transported from one process to another. Single machine is probably just enqueuing a copy of the data. Remote machine is transport over a network protocol, which could be TCP/IP (but it works with AppleTalk as well) and may require authentication.
Deserialization/Conversion
You will most likely need to do steps 2, 3, and 4. If you don't care about getting any information back, you can skip 4, since one of the flags in a sent event is "no reply".
There are a relatively small number of types in the AE data model. I would write code on your OS X machine to send each and every type and reverse engineer the packets when they're sent. To speed up the process you might want to use appscript, on the OS X machine which will let you send events from Ruby, Objective C, or Python.
Sniff the packets between the MacBook and the MacOS 9 box using something like tcpdump or Wireshark. This will tell you what an AppleEvent looks like on the wire.
Then replicate those packets using your programming environment of choice on Windows.
I suggest wrapping up the code that you write into a library that you can reuse in other applications.
Good luck - this might be quite tricky!!
if you're talking about growl notification, there are libraries to use that. for example, here is the growl library for ruby