From: Martin Gregorie on 26 Nov 2009 21:27

I've just been tearing my hair out trying to decode a winmail.dat file with Wireshark. 'file' confirms that the file is in TNEF format. Wireshark does understand TNEF: it's in the supported protocols list and enabled.

My problem is in getting wireshark or tshark to read the file. The closest I've got was by running:

    mkfifo mypipe
    cat winmail.dat >mypipe&
    tshark -i mypipe

This causes tshark to suck the pipe dry and then report that it's a broken pipe without outputting anything or generating a capture file, though I must admit that I didn't specify a capture file.

When I tried the same trick with wireshark it showed an error message saying it was using the wrong libpopen.

I'm using Fedora 10 and have just installed the wireshark and wireshark-gnome packages from the Fedora 10 repository.

Evidently I've missed something, quite possibly something obvious. Has anybody managed to get wireshark to accept a file as input so it can be captured and analysed? If so, how?

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
From: Nix on 27 Nov 2009 01:52

On 27 Nov 2009, Martin Gregorie outgrape:
> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark. 'file' confirms that the file is in TNEF format.
> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.
>
> My problem is in getting wireshark or tshark to read the file. The
> closest I've got was by running:
>
>     mkfifo mypipe
>     cat winmail.dat >mypipe&
>     tshark -i mypipe
>
> This causes tshark to suck the pipe dry and then report that it's a broken
> pipe without outputting anything or generating a capture file, though I

Not surprising. tshark expects its interfaces to be, well, network interfaces: while it can work with named pipes, it still expects the data streaming over that pipe to be network packets. You don't often see a winmail.dat flowing over the network with no TCP or IP framing!

> Evidently I've missed something, quite possibly something obvious. Has
> anybody managed to get wireshark to accept a file as input so it can be
> captured and analysed? If so, how?

I always do it by kicking up a netcat server throwing its output at /dev/null and sending the data to it using netcat; spy on the result with wireshark. i.e., send it over the network.
From: Nigel Wade on 27 Nov 2009 04:27

On Fri, 27 Nov 2009 02:27:33 +0000, Martin Gregorie wrote:
> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark. 'file' confirms that the file is in TNEF format.
> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.
>

The supported protocols are protocols which Wireshark can understand and decode as traffic when it's sent over the wire. It doesn't mean that it can read the contents of a file containing data of that format. Wireshark either reads packets directly off the wire, or files containing captured packets in specific formats for packet data capture.

Perhaps this might help:

http://sourceforge.net/projects/tnef/

--
Nigel Wade
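Nigel's point that Wireshark only reads the wire or a capture file suggests a third route besides Nix's netcat trick: wrap the file's bytes in a minimal pcap capture and open that with `tshark -r`. The Python script below is an added example, not code from this thread; the pcap layout and LINKTYPE_USER0 = 147 are the real format constants, the TNEF sample bytes are constructed, and you still have to map the DLT_USER0 entry in Wireshark's preferences to the tnef dissector yourself.

```python
import struct

# libpcap file format: little-endian magic, version 2.4, 24-byte global header.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_USER0 = 147  # "User 0" link type; Wireshark lets you assign a dissector to it


def wrap_in_pcap(payload: bytes, linktype: int = LINKTYPE_USER0,
                 ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """Return a complete pcap file holding `payload` as a single frame."""
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                max(len(payload), 65535), linktype)
    # Per-record header: ts_sec, ts_usec, captured length, original length.
    record_header = struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
    return global_header + record_header + payload


def read_pcap(data: bytes):
    """Minimal reader for files produced above: (linktype, [frame bytes, ...])."""
    magic, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    frames, off = [], 24
    while off < len(data):
        _s, _u, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record")
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


# Constructed sample: a TNEF file starts with the signature 0x223E9F78 (little-endian)
# followed by a 2-byte attachment key; the rest here is filler, not a real message.
SAMPLE_TNEF = struct.pack("<I", 0x223E9F78) + b"\x00\x00" + b"constructed-tnef-body"

if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    payload = open(src, "rb").read() if src else SAMPLE_TNEF
    with open("winmail.pcap", "wb") as f:
        f.write(wrap_in_pcap(payload))
```

Run it as `python3 wrap.py winmail.dat`, then `tshark -r winmail.pcap -V` once the DLT_USER0 preference points at the tnef dissector.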
From: Chris Davies on 27 Nov 2009 08:46

Martin Gregorie <martin(a)address-in-sig.invalid> wrote:
> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark.

Are you really sure?

> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.

Ok, if you say so. But it still feels a little like having a knife-opener bolted onto the side of, say, a DVD player, so you can open the package in which you've received a DVD.

> My problem is in getting wireshark or tshark to read the file.

    tshark -r winmail.dat

Or is that too obvious?

Chris
From: Martin Gregorie on 27 Nov 2009 11:53

On Fri, 27 Nov 2009 09:27:08 +0000, Nigel Wade wrote:
> On Fri, 27 Nov 2009 02:27:33 +0000, Martin Gregorie wrote:
>
>> I've just been tearing my hair out trying to decode a winmail.dat file
>> with Wireshark. 'file' confirms that the file is in TNEF format.
>> Wireshark does understand TNEF: it's in the supported protocols list and
>> enabled.
>>
>
> The supported protocols are protocols which Wireshark can understand and
> decode as traffic when it's sent over the wire. It doesn't mean that it
> can read the contents of a file containing data of that format.
> Wireshark either reads packets directly off the wire, or files
> containing captured packets in specific formats for packet data capture.
>
> Perhaps this might help:
>
> http://sourceforge.net/projects/tnef/

Thanks to both of you for your help.

Nix: I should have thought of the netcat trick, which I'll certainly play with as part of learning about Wireshark.

Nigel: I've downloaded and installed tnef, which does exactly what I wanted.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |