Showing posts with label wireshark. Show all posts

Install f5 wireshark plugin f5ethtrailer.so on MacOS

The documentation I could find on F5 DevCentral about installing the F5 Wireshark plugin describes compiling Wireshark from source, patching the code to include the F5 plugin, and so on. After downloading version 2.2.0 I could see that the plugin is already shipped in binary form, namely f5ethtrailer.so (this goes for all platforms, except Windows where it is a DLL file).

To install the plugin in Wireshark, you just need to find the plugin directory (Wireshark -> About Wireshark, Folders tab, on macOS). Then copy f5ethtrailer.so into the Global Plugins folder (/Applications/Wireshark.app/Contents/PlugIns/wireshark/ on macOS Sierra).

Then restart Wireshark and double-check that the plugin is present in the menu Wireshark -> About Wireshark (Plugins tab).

How to remove Juniper ethernet encapsulation from pcap packet capture

When capturing packets on a Junos device, the output packet capture will include a Juniper Ethernet header.
An example of such a capture:

tcpdump -c1 -nvvr capture.pcap

reading from file JTAC.pcap, link-type JUNIPER_ETHER (Juniper Ethernet)
14:58:06.569634
 Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
   Device Media Type Extension TLV #3, length 1, value Ethernet (1)
   Logical Interface Encapsulation Extension TLV #6, length 1, value Ethernet (14)
   Device Interface Index Extension TLV #1, length 2, value 149
   Logical Interface Index Extension TLV #4, length 4, value 872
 -----original packet-----
     ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.128.123.19 tell 10.128.123.254, length 28

To remove this header we need to chop the start of each packet [-C] (in my case the first 22 bytes: the 4-byte base header, the 2-byte extension length field and the 16 bytes of extension TLVs shown above), adjust the frame length [-L] and specify the new frame type [-T] (ether in my case). I am using editcap version 1.12.1, where the default output type for the new pcap is pcapng. I can see there's a problem when converting with this output type, so I am using libpcap as the output type.


editcap -C22 -L -F libpcap -T ether capture.pcap cap_libpcap.pcap


As you can see, the Juniper Ethernet header is gone.

tcpdump -c1 -nvvr cap_libpcap.pcap

reading from file cap_libpcap.pcap, link-type EN10MB (Ethernet)
14:58:06.569634 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.128.123.19 tell 10.128.123.254, length 28
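The 22 in -C22 only holds while every frame carries the same extension TLVs. The following added example (my own code, not from the post or from Juniper/Wireshark) decodes the JUNIPER_ETHER header as tcpdump prints it above, so the chop length can be computed and checked across all frames instead of assumed; the TLV names are descriptive labels I chose, and the sample frame is constructed to match the TLVs in the output above.

```python
import struct

JUNIPER_MAGIC = 0x4D4743    # "MGC": first three bytes of every JUNIPER_ETHER frame
JUNIPER_BPF_PKT_IN = 0x01   # flag bit: frame was received (clear means transmitted)
JUNIPER_BPF_EXT = 0x80      # flag bit: extension TLVs follow the 4-byte base header

# TLV types seen in the tcpdump output above (names are mine, not tcpdump's)
TLV_NAMES = {1: "ifd_index", 3: "ifd_media_type", 4: "ifl_index", 6: "ifl_encaps"}


def parse_juniper_header(frame: bytes) -> dict:
    """Decode the Juniper header; header_len is the byte count editcap -C must chop."""
    if len(frame) < 4 or int.from_bytes(frame[:3], "big") != JUNIPER_MAGIC:
        raise ValueError("not a Juniper encapsulated frame")
    flags = frame[3]
    header_len, tlvs = 4, {}
    if flags & JUNIPER_BPF_EXT:
        ext_len = struct.unpack_from(">H", frame, 4)[0]   # total length of all TLVs
        header_len += 2 + ext_len
        if header_len > len(frame):
            raise ValueError("extension block runs past end of frame")
        off, end = 6, 6 + ext_len
        while off + 2 <= end:
            tlv_type, tlv_len = frame[off], frame[off + 1]
            if off + 2 + tlv_len > end:
                raise ValueError("TLV overruns extension block")
            # Low-numbered TLVs carry little-endian integer values
            value = int.from_bytes(frame[off + 2:off + 2 + tlv_len], "little")
            tlvs[TLV_NAMES.get(tlv_type, "tlv_%d" % tlv_type)] = value
            off += 2 + tlv_len
    direction = "in" if flags & JUNIPER_BPF_PKT_IN else "out"
    return {"header_len": header_len, "direction": direction, "tlvs": tlvs}


def chop_length(frames) -> int:
    """Header length shared by all frames; one editcap -C value is only safe when they agree."""
    lengths = {parse_juniper_header(f)["header_len"] for f in frames}
    if len(lengths) != 1:
        raise ValueError("header lengths differ: %s; chop per frame instead" % sorted(lengths))
    return lengths.pop()


# Constructed frame: the four TLVs from the tcpdump output (16 bytes) followed by the
# start of a broadcast ARP Ethernet frame (source MAC made up).
SAMPLE = bytes.fromhex(
    "4d4743" "80" "0010"                         # magic, flags (EXT set), ext total length 16
    "030101" "06010e" "01029500" "040468030000"  # TLV 3=1, TLV 6=14, TLV 1=149, TLV 4=872
    "ffffffffffff" "001122334455" "0806"         # dst MAC, src MAC, EtherType ARP
)

if __name__ == "__main__":
    hdr = parse_juniper_header(SAMPLE)
    print("use: editcap -C%d ..." % chop_length([SAMPLE]), hdr)
```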

How to identify top traffic speakers with wireshark conversations

Among the other very useful and interesting things that Wireshark can show about a packet capture, it can also display the top traffic conversations based on various criteria such as IP addresses, L2 Ethernet addresses, IPv6 addresses or L4 information.

The conversation list is available from the Statistics -> Conversations menu.


Below is an example showing the top bps rate (B->A direction) for the TCP protocol, where A and B are the endpoints identified by IP address and TCP port number.