Hi.

You said: I probably need help with your script, which will probably help me a lot. Available interfaces are listed with their CLSID. How can I know which one is Ethernet and which one is wireless? Both are only labelled "Microsoft".

NA: when I run that bit of the script I see:

1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DCDD6FFD-A1A6-45BB-A1E7-28E91804DC2F} (VMware Virtual Ethernet Adapter)
3. \Device\NPF_{29F028D8-6F50-45FA-BE0E-308199558878} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{65D5E1C9-805D-427C-B4E2-3FE41F72635B} (Broadcom NetXtreme Gigabit Ethernet Driver)
5. \Device\NPF_{D981580C-AFBF-47C4-AB51-69A985DBAF4E} (Intel(R) 82567LM-3 Gigabit Network Connection)

If you look at interface 4 above you can see after its GUID "Broadcom NetXtreme Gigabit Ethernet Driver)". This relates to the card for the connection. If you go to network connections in the control panel and highlight the connection you want to sniff, take a look at the status bar and it'll tell you which card it's using. So for me, to sniff "local area connection" I can see it's device 4 in the list from the script.

You said: I've tried, as a test, to catch HTTP traffic. The produced file has strange symbols at the beginning of each request. What are they? And it seems that I have only the beginning of each request, that is, only headers or a truncated body, is it normal?

NA: below is a run of my script and the output which shows normal HTTP traffic. Note the settings from the script. Also I've only selected to show a summary of the HTTP requests; an option in the script will let you see the complete packet. I've also removed the options I've not set, makes it easier to see what I'm doing.

H:\>runTshark.bat
running tshark. - the network packet capture tool
This interactive script can be used to set up the command line for a tshark session.
this script prompts for all command line flags. if you don't want to set this flag just hit enter.

layer type
Specify that if the layer type in question (for example, tcp.port or udp.port for a TCP or UDP port number) has the specified selector value, packets should be dissected as the specified protocol. Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
Layer type... [-d] option.tcp.port==80,http

capture interface
Set the name of the network interface or pipe to use for live packet capture. the folowing numbers can be used.
NOTE: you should run 'diskperf -y' to enable the disk statistics
Could not open file: 'eap.xml', error: No such file or directory
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DCDD6FFD-A1A6-45BB-A1E7-28E91804DC2F} (VMware Virtual Ethernet Adapter)
3. \Device\NPF_{29F028D8-6F50-45FA-BE0E-308199558878} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{65D5E1C9-805D-427C-B4E2-3FE41F72635B} (Broadcom NetXtreme Gigabit Ethernet Driver)
5. \Device\NPF_{D981580C-AFBF-47C4-AB51-69A985DBAF4E} (Intel(R) 82567LM-3 Gigabit Network Connection)
Capture Interface... [-i] option.5

read (display) filter
Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written.
Read filter... [-R] option.http

command line configured. running:
tshark.exe "-d" "tcp.port==80,http" "-i" "5" "-l" "-R" "http" "-S"
Press any key to continue . . .
running...
NOTE: you should run 'diskperf -y' to enable the disk statistics
Could not open file: 'eap.xml', error: No such file or directory
Capturing on Intel(R) 82567LM-3 Gigabit Network Connection
  8.883223 10.43.65.27 -> 172.16.1.65  HTTP GET /pacs/proxy.pac HTTP/1.1
  8.965981 172.16.1.65 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (application/x-ns-proxy-autoconfig)
  8.990223 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.com/ HTTP/1.1
  9.053010 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 302 Found (text/html)
  9.055447 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/ HTTP/1.1
  9.233022 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (text/html)
  9.457590 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/images/mgyhp_sm.png HTTP/1.1
  9.479623 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/images/srpr/nav_logo14.png HTTP/1.1
  9.573690 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (PNG)
  9.576064 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/intl/en_com/images/srpr/logo1w.png HTTP/1.1
  9.629280 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (PNG)
  9.706108 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (PNG)
  9.751212 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/extern_js/f/CgJlbhICdWsrMEU4ACwrMFo4ACwrMA44ACwrMBc4ACwrMCc4ACwrMDw4ACwrMFE4ACwrMBY4ACwrMBk4ACwrMCU4z4gBLCswNTgALCswQDgALCswQTgALCswTjgGLCswVDgALCswGDgALCswJjgALIACF5ACHw/qae3N6A9FiM.js HTTP/1.1
  9.904762 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK (text/javascript)
  9.995244 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/csi?v=3&s=webhp&action=&e=17259,17311,26613,26629&ei=wCO0TImrEIn94gaKpdjRCg&expi=17259,17311,26613,26629&imc=1&imn=1&imp=1&rt=prt.140,xjsls.312,ol.437,iml.343,xjses.500,xjsee.531,xjs.562 HTTP/1.1
 10.088419 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 204 No Content
 10.250742 10.43.17.13 -> 10.43.65.27  HTTP [TCP Retransmission] HTTP/1.1 204 No Content
 13.219454 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1
 13.391117 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 407 Proxy Authentication Required (text/html)
 13.517116 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_NEGOTIATE
 13.519852 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 407 Proxy Authentication Required (text/html)
 13.520613 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_AUTH, User: U\G
 13.530892 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 304 Not Modified
 13.532409 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.boost.org/feed/downloads.rss HTTP/1.1
 13.534560 10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 304 Not Modified
 13.702056 10.43.65.27 -> 10.43.17.13  HTTP GET http://www.mod.uk/DefenceInternet/DefenceNews/rss.aspx?feed=recentdefencenews HTTP/1.1
 13.943667 10.43.17.13 -> 10.43.65.27  HTTP/XML HTTP/1.1 200 OK
 14.072418 10.43.65.27 -> 10.43.17.13  HTTP GET http://feeds.feedburner.com/cmsmadesimple/blog?format=xml HTTP/1.1
 14.241316 10.43.17.13 -> 10.43.65.27  HTTP/XML HTTP/1.1 200 OK
29 packets captured
Terminate batch job (Y/N)? y

H:\>

HTH.

Nick.

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx [mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of QuentinC
Sent: 11 October 2010 18:14
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Looking for network sniffing program

Hello,

I probably need help with your script, which will probably help me a lot.

Available interfaces are listed with their CLSID. How can I know which one is Ethernet and which one is wireless? Both are only labelled "Microsoft".

I've tried, as a test, to catch HTTP traffic. The produced file has strange symbols at the beginning of each request. What are they? And it seems that I have only the beginning of each request, that is, only headers or a truncated body, is it normal?

Thank you for your script.

Information for other people who would be interested: the Windows version of Wireshark is probably not totally inaccessible. It is possible to read the window with the JAWS cursor... but of course it is not very practical.

__________
View the list's information and change your settings at
//www.freelists.org/list/programmingblind
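As an added example (not the poster's batch script and not Wireshark code), this Python reads a `tshark -D` style interface list like the one pasted above, picks an adapter by the description in parentheses rather than by guessing a number, and assembles the same tshark command line the script ends up running. The listing is embedded as constructed sample text copied from the thread; the function and type names are mine.

```python
import re
import shlex
from typing import List, NamedTuple, Optional

# Constructed sample: the numbered interface list as the batch script prints it
# (the output of `tshark -D` on Windows, one line per NPF device).
INTERFACE_LIST = r"""
NOTE: you should run 'diskperf -y' to enable the disk statistics
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DCDD6FFD-A1A6-45BB-A1E7-28E91804DC2F} (VMware Virtual Ethernet Adapter)
3. \Device\NPF_{29F028D8-6F50-45FA-BE0E-308199558878} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{65D5E1C9-805D-427C-B4E2-3FE41F72635B} (Broadcom NetXtreme Gigabit Ethernet Driver)
5. \Device\NPF_{D981580C-AFBF-47C4-AB51-69A985DBAF4E} (Intel(R) 82567LM-3 Gigabit Network Connection)
"""

class Interface(NamedTuple):
    index: int          # the number tshark accepts after -i
    device: str         # \Device\NPF_... name
    description: str    # adapter text shown in parentheses

# "N. <device> (<description>)"; the description may itself contain
# parentheses (e.g. "Intel(R)"), so match greedily up to the final ")".
_LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+\((.*)\)\s*$")

def parse_interfaces(listing: str) -> List[Interface]:
    """Return the interfaces in a `tshark -D` style listing, skipping noise lines."""
    found = []
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found.append(Interface(int(m.group(1)), m.group(2), m.group(3)))
    return found

def find_interface(interfaces: List[Interface], hint: str) -> Optional[Interface]:
    """Pick the single interface whose description contains the hint (case-insensitive).
    Returns None when the hint matches nothing or is ambiguous (two VMware adapters),
    so the caller never captures on the wrong NIC by accident."""
    hits = [i for i in interfaces if hint.lower() in i.description.lower()]
    return hits[0] if len(hits) == 1 else None

def build_tshark_argv(iface: Interface, port: int = 80, read_filter: str = "http") -> List[str]:
    """Assemble the command line the posted script ran: decode the chosen TCP port
    as HTTP (-d), capture on the interface number (-i), line-buffer output (-l),
    keep only packets matching the filter (-R) and print summaries (-S)."""
    return ["tshark.exe", "-d", f"tcp.port=={port},http", "-i", str(iface.index),
            "-l", "-R", read_filter, "-S"]

if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACE_LIST)
    wired = find_interface(ifaces, "Broadcom")   # the "local area connection" card
    print(shlex.join(build_tshark_argv(wired)))
```

On tshark 1.10 and later, `-R` is a two-pass read filter that is rejected without `-2`; use `-Y` in its place for the single-pass display filter the script intends.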