From: Martin Gregorie on
I've just been tearing my hair out trying to decode a winmail.dat file
with Wireshark. 'file' confirms that the file is in TNEF format.
Wireshark does understand TNEF: it's in the supported protocols list and
enabled.

My problem is in getting wireshark or tshark to read the file. The
closest I've got was by running:

mkfifo mypipe
cat winmail.dat >mypipe&
tshark -i mypipe

This causes tshark to suck the pipe dry and then report that it's a broken
pipe without outputting anything or generating a capture file, though I
must admit that I didn't specify a capture file. When I tried the same
trick with wireshark it showed an error message saying it was using the
wrong libpopen. I'm using Fedora 10 and have just installed the wireshark
and wireshark-gnome packages from the Fedora 10 repository.

Evidently I've missed something, quite possibly something obvious. Has
anybody managed to get wireshark to accept a file as input so it can be
captured and analysed? If so, how?


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |
From: Nix on
On 27 Nov 2009, Martin Gregorie outgrape:

> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark. 'file' confirms that the file is in TNEF format.
> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.
>
> My problem is in getting wireshark or tshark to read the file. The
> closest I've got was by running:
>
> mkfifo mypipe
> cat winmail.dat >mypipe&
> tshark -i mypipe
>
> This causes tshark to suck the pipe dry and then report that it's a broken
> pipe without outputting anything or generating a capture file, though I

Not surprising. tshark expects its interfaces to be, well, network
interfaces: while it can work with named pipes, it still expects the
data streaming over that pipe to be network packets. You don't often
see a winmail.dat flowing over the network with no TCP or IP framing!

> Evidently I've missed something, quite possibly something obvious. Has
> anybody managed to get wireshark to accept a file as input so it can be
> captured and analysed? If so, how?

I always do it by kicking up a netcat server throwing its output at
/dev/null and send the data to it using netcat; spy on the result with
wireshark.

i.e., send it over the network.
From: Nigel Wade on
On Fri, 27 Nov 2009 02:27:33 +0000, Martin Gregorie wrote:

> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark. 'file' confirms that the file is in TNEF format.
> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.
>

The supported protocols are protocols which Wireshark can understand and
decode as traffic when it's sent over the wire. It doesn't mean that it
can read the contents of a file containing data of that format.
Wireshark either reads packets directly off the wire, or files containing
captured packets in specific formats for packet data capture.

Perhaps this might help:

http://sourceforge.net/projects/tnef/

--
Nigel Wade
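Taking Nix's and Nigel's points together, the file has to be given the framing Wireshark expects before tshark will read it. The Python below is an added example, not code from anyone in this thread: it wraps an arbitrary file's bytes in a synthetic Ethernet/IPv4/TCP stream (segmented, with valid checksums) and writes a classic libpcap file that `tshark -r` can open as a TCP conversation. The IP addresses, ports and MAC addresses are constructed placeholders; applying a particular dissector to that port is a separate step the thread does not cover.

```python
import socket
import struct

SRC_IP, DST_IP, SPORT, DPORT = "10.0.0.1", "10.0.0.2", 40000, 12345  # constructed placeholders
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(payload: bytes, seq: int) -> bytes:
    """Wrap one payload chunk in Ethernet/IPv4/TCP headers (a PSH+ACK segment)."""
    src_b, dst_b = socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)
    tcp_len = 20 + len(payload)
    # TCP header with a zero checksum, then fill bytes 16-17 in over the pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", SPORT, DPORT, seq, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, TTL 64, protocol 6 (TCP); checksum lives at bytes 10-11.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = DST_MAC + SRC_MAC + b"\x08\x00"  # EtherType IPv4
    return eth + ip + tcp + payload

def file_to_pcap(data: bytes, mss: int = 1400) -> bytes:
    """Split data into MSS-sized TCP segments with increasing sequence numbers
    and serialize them as a classic libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)]
    seq = 1
    for i, off in enumerate(range(0, len(data), mss)):
        chunk = data[off:off + mss]
        frame = build_tcp_frame(chunk, seq & 0xFFFFFFFF)
        seq += len(chunk)
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def verify_checksums(frame: bytes) -> bool:
    """Recompute the IPv4 and TCP checksums of a frame; a valid frame yields 0 for both."""
    ip, tcp_and_data = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp_and_data))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp_and_data) == 0

if __name__ == "__main__":
    with open("winmail.dat", "rb") as src, open("winmail.pcap", "wb") as dst:
        dst.write(file_to_pcap(src.read()))
```

The resulting winmail.pcap opens with `tshark -r winmail.pcap` and Wireshark's TCP reassembly sees one contiguous stream carrying the file.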
From: Chris Davies on
Martin Gregorie <martin(a)address-in-sig.invalid> wrote:
> I've just been tearing my hair out trying to decode a winmail.dat file
> with Wireshark.

Are you really sure?


> Wireshark does understand TNEF: it's in the supported protocols list and
> enabled.

Ok, if you say so. But it still feels a little like having a knife-opener
bolted onto the side of, say, a DVD player, so you can open the package
in which you've received a DVD.


> My problem is in getting wireshark or tshark to read the file.

tshark -r winmail.dat

Or is that too obvious?
Chris
From: Martin Gregorie on
On Fri, 27 Nov 2009 09:27:08 +0000, Nigel Wade wrote:

> On Fri, 27 Nov 2009 02:27:33 +0000, Martin Gregorie wrote:
>
>> I've just been tearing my hair out trying to decode a winmail.dat file
>> with Wireshark. 'file' confirms that the file is in TNEF format.
>> Wireshark does understand TNEF: it's in the supported protocols list and
>> enabled.
>>
>>
> The supported protocols are protocols which Wireshark can understand and
> decode as traffic when it's sent over the wire. It doesn't mean that it
> can read the contents of a file containing data of that format.
> Wireshark either reads packets directly off the wire, or files
> containing captured packets in specific formats for packet data capture.
>
> Perhaps this might help:
>
> http://sourceforge.net/projects/tnef/

Thanks to both of you for your help.

Nix: I should have thought of the netcat trick, which I'll certainly
play with as part of learning about Wireshark.

Nigel: I've downloaded and installed tnef, which does exactly what I
wanted.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |