Mailing List Archive

(no subject)
#####################################################

Kresimir Puskaric

ICN S - RM&UNIX
Siemens d.d.
Heinzelova 70a
HR - 10000 Zagreb

Tel: ++385 1 / 61 05 649
Handy: ++385 98 / 359 140
Fax: ++385 1 / 61 05 640
E-mail (work): Kresimir.Puskaric@siemens.hr
(no subject) [ In reply to ]
ethereal-users,
I use the sniffer (version 4.70.04) to capture packets from two IP access gateways, and use Ethereal to view them.
But I only see the Q.931 protocol. Why don't I see RTP/RTCP, H.323, H.245 and so on? If I want to see these protocols, how can I do it?
thank you very much.


lionwang
wangzm@centnet.com.cn
1999-03-25
(no subject) [ In reply to ]
Hi,
I tried to download necessary stuff to my pc (win95) in order to run
ethereal.
But I couldn't make it work. I followed the instructions from your
website. Could
you enlighten me what else I need to do to make it work?
I downloaded the following packages:
Packet95.exe
ethereal-0.8.12-capture.zip
gtk-libs-20000805.zip
gimp-dev-20001023.zip
gimp-setup-20001023.zip

Looking forward to your reply. Thanks!


Tong, Min
Re: (no subject) [ In reply to ]
> I tried to download necessary stuff to my pc (win95) in order to run
> ethereal.
> But I couldn't make it work. I followed the instructions from your
> website. Could
> you enlighten me what else I need to do to make it work?

One thing you need to do is to tell us what it does instead of working.
:-)

I.e., there are probably many different ways in which it could fail to
work, and the cause of the problem and the fix for the problem will be
different for the different ways in which it's failing.

> I downloaded the following packages:
> Packet95.exe

The instructions for that are on the WinPcap Web site; you first have to
run the "Packet95.exe" file, as per

http://netgroup-serv.polito.it/winpcap/install/Default.htm

which says it's an auto-decompressing file. It will pop up a dialog box
to let you specify into which the files are to be unzipped; remember the
pathname of the directory it displays (or choose another directory and
remember that pathname). Then click "Unzip"; it should say it's
unzipped 3 files, then click "OK" on the "3 file(s) unzipped
successfully" dialog box, and click "Close" on the main dialog box.

The subsequent instructions can be found at

http://netgroup-serv.polito.it/winpcap/install/help/95.htm

Follow those instructions; in step 4, you will specify the name of the
directory into which the files were extracted, from above.

NOTE: apparently you must use "old-style" 8.3 file names, not long file
names, here; when I ran the "Packet95.exe" on Windows 2000, the pathname
was an 8.3 file name, not the real long name for the directory in
question - always use the 8.3 name.

Step 6, at the end, says "At this point select OK and reboot the
machine.", with "reboot the machine" in boldface; rebooting the machine
is an important step, as the packet capture driver will *NOT* be
available to applications such as Ethereal until the machine is
rebooted!

> ethereal-0.8.12-capture.zip
> gtk-libs-20000805.zip
> gimp-dev-20001023.zip
> gimp-setup-20001023.zip

There's not much in the way of instructions on the Ethereal Web site
page at

http://www.ethereal.com/distribution/win32/

The page at

http://www.gimp.org/~tml/gimp/win32//downloads-20001023.html

gives instructions on how to install the GIMP - and its libraries -
using the "gimp-setup-20001023.zip" file. It's a Zip archive, so you'll
need an unzip program; it contains only one file, which you run, and
which will install GIMP.

The "gimp-dev-20001023.zip" stuff is, as far as I know, necessary only
if you plan to develop GIMP plugins, or other software using GTK+ and
GLib, e.g. if you plan to add new code to Ethereal. If you only want to
*run* Ethereal or the GIMP, I don't think it's necessary.

However, I don't know whether Ethereal works with the newer versions
(2000-10-23) of the GTK+/GLib libraries; you might want to consider
installing the 2000-08-05 versions instead, as Ethereal is built with
those versions.

To do that, I would suggest making a directory "Ethereal" under
"C:\Program Files", and unzipping the "ethereal-0.8.12-capture.zip" and
"gtk-libs-20000805.zip" files into that directory. This will create an
"ethereal-0.8.12-capture" directory in the "Ethereal" directory; move
all the files from that directory to the "Ethereal" directory, and
remove the "ethereal-0.8.12-capture" directory.

You should now be able to run Ethereal from the "Program Files\Ethereal"
directory; creating a desktop shortcut that runs
"C:\Program Files\Ethereal\ethereal.exe" will let you launch Ethereal
from your desktop.
(no subject) [ In reply to ]
>> Hi,
>>
>> Nice free distro.
>>
>> Quick question, I am running The Ethereal Network Analyzer
>> Version 0.8.13 on
>> Windows NT. I can't save filters. The dialog box seems to be inoperable,
>> please let me know if this is the case.
>>
>
>I also find the interface a bit counter-intuitive.
>
>To get it to work I do the following:
>
>1. Edit the filter name as required.
>2. Edit the filter string as required.
>3. Click New.

4. And then click Save

Why am I so quick on the Send button ?

Graham
Re: (no subject) [ In reply to ]
> Question on ethereal:
>
> Every time I try to save a filter file, it tells me something like "cannot
> save file as ethereal.exe already exists" as if it were trying to overwrite
> ethereal.exe or something. Hence, I cannot save a filter file. Do you know
> why this is? A.

Probably because there's something wrong with the pathname construction
code, at least on Windows.

I didn't have that precise problem; I fired up Ethereal once, added a
new display filter, and it saved it OK, but I then fired it up again,
deleted the new display filter, and when I tried to save it the dialog
box was

Could not save to your display filter file "": File exists.

I also had problems saving capture files.
Re: (no subject) [ In reply to ]
> Probably because there's something wrong with the pathname construction
> code, at least on Windows.
>
> I didn't have that precise problem; I fired up Ethereal once, added a
> new display filter, and it saved it OK, but I then fired it up again,
> deleted the new display filter, and when I tried to save it the dialog
> box was
>
> Could not save to your display filter file "": File exists.

...which may be the result of a bug in the "save_filter_list()" routine,
wherein it stores through a pointer argument a pointer to the pathname
of the filter file it was trying to save, and then frees the pathname
string, so its caller, when it tries to use that pathname in an error
message, may get junk from it.

That wouldn't explain the error, but it would explain the bogus file
name in the dialog box.
Re: (no subject) [ In reply to ]
On Tue, Mar 13, 2001 at 01:17:45PM -0800, Guy Harris wrote:
> > Probably because there's something wrong with the pathname construction
> > code, at least on Windows.
> >
> > I didn't have that precise problem; I fired up Ethereal once, added a
> > new display filter, and it saved it OK, but I then fired it up again,
> > deleted the new display filter, and when I tried to save it the dialog
> > box was
> >
> > Could not save to your display filter file "": File exists.
>
> ...which may be the result of a bug in the "save_filter_list()" routine,
> wherein it stores through a pointer argument a pointer to the pathname
> of the filter file it was trying to save, and then frees the pathname
> string, so its caller, when it tries to use that pathname in an error
> message, may get junk from it.
>
> That wouldn't explain the error, but it would explain the bogus file
> name in the dialog box.

The "File exists" problem is a result of Win32 apparently not having a
UNIX-style atomic rename operation, and "rename()", instead, using
"MoveFile()", which fails, rather than removing the target, if the
target exists.

I've checked in a change that should fix this; it'll show up in the next
release.
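Both problems described in this thread (the freed pathname that shows up as junk in the error dialog, and the Win32 "File exists" failure because rename() will not replace an existing target) are easy to reproduce and to avoid. The following is an added example, not Ethereal's save_filter_list() or any code from the list: it writes the filter list to a temporary file, swaps it into place (POSIX rename(), or MoveFileEx() with MOVEFILE_REPLACE_EXISTING under _WIN32), and on failure hands the caller its own copy of the pathname for the error message. The function names, the /tmp path and the sample filter strings are assumptions made for the example.

```c
/* Added example: a save routine for a display-filter list that avoids the
 * two defects discussed in the thread. Not Ethereal's code; names assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Copy of a string that the caller owns; NULL if out of memory. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Replace 'dst' with 'src'. Returns 0 on success, -1 with errno set. */
static int replace_file(const char *src, const char *dst)
{
#ifdef _WIN32
    /* Plain rename() maps to MoveFile(), which refuses an existing target;
     * MoveFileEx with MOVEFILE_REPLACE_EXISTING is the Win32 replacement. */
    if (!MoveFileExA(src, dst, MOVEFILE_REPLACE_EXISTING)) {
        errno = EEXIST;
        return -1;
    }
    return 0;
#else
    return rename(src, dst);   /* POSIX rename() replaces dst atomically */
#endif
}

/* Write 'n' filter lines to 'path'. Returns 0 on success. On failure returns
 * -1 and, if pf_path is non-NULL, stores a malloc'd copy of the pathname
 * that the CALLER owns and frees, so the error dialog never prints memory
 * that this routine has already released. */
int save_filter_list(const char *path, const char *const *filters, size_t n,
                     char **pf_path)
{
    char tmp[4096];
    size_t i;
    FILE *fp;
    int saved;

    if (pf_path) *pf_path = NULL;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        goto fail;
    }
    /* Write the new contents to a temporary file first... */
    fp = fopen(tmp, "w");
    if (fp == NULL) goto fail;
    for (i = 0; i < n; i++) {
        if (fprintf(fp, "%s\n", filters[i]) < 0) { fclose(fp); goto fail_unlink; }
    }
    if (fclose(fp) != 0) goto fail_unlink;
    /* ...then swap it into place, so a crash never leaves a half-written file. */
    if (replace_file(tmp, path) != 0) goto fail_unlink;
    return 0;

fail_unlink:
    saved = errno;
    remove(tmp);        /* clean up, but keep the original errno for the caller */
    errno = saved;
fail:
    if (pf_path) *pf_path = dup_string(path);
    return -1;
}

/* Count newline-terminated lines in 'path'; -1 if it cannot be read. */
int count_lines(const char *path)
{
    FILE *fp = fopen(path, "r");
    int c, lines = 0;
    if (fp == NULL) return -1;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n') lines++;
    fclose(fp);
    return lines;
}

/* Demo: save twice into the same file (the second save must replace an
 * existing target), then provoke a failure. Returns 1 when every step behaves. */
int demo(void)
{
    const char *path = "/tmp/example_dfilters";   /* constructed path */
    const char *first[] = { "tcp.flags.syn == 1", "ip.addr == 10.0.0.1" };
    const char *second[] = { "arp" };
    char *bad = NULL;
    int ok = 1;

    ok = ok && save_filter_list(path, first, 2, NULL) == 0 && count_lines(path) == 2;
    ok = ok && save_filter_list(path, second, 1, NULL) == 0 && count_lines(path) == 1;
    ok = ok && save_filter_list("/nonexistent_dir/dfilters", second, 1, &bad) == -1
            && bad != NULL && strcmp(bad, "/nonexistent_dir/dfilters") == 0;
    free(bad);
    remove(path);
    return ok;
}

int main(void)
{
    printf("demo %s\n", demo() ? "passed" : "failed");
    return 0;
}
```

The ownership rule in the comment above save_filter_list() is the whole fix for the "junk in the dialog" symptom: whoever allocates the pathname decides when it dies, and the caller must not be handed a pointer into memory the callee frees on its way out.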
RE: (no subject) [ In reply to ]
> Jessé A Amâncio
>
> BRASIL: Uma distribuição de renda justa para um país melhor.
>
> BRAZIL: A fair wealth distribution to make a better country.

I'm having problems with this as well.

Ethereal will not parse the fragment above,
and I can't figure out how to capture filters
to avoid seeing more frames like this.

- jeff parker
- axiowave.com
RE: (no subject) [ In reply to ]
From: Ketan P Pancholi [mailto:pancholi@us.ibm.com]
Sent: Friday, July 20, 2001 4:13 PM

> I downloaded the binary files for ethereal,gtk+,glib
> and libpcap from the aix web site. I installed them
> using smit.The ethereal is now installed but
> I do not know how do I start using ethereal,
> what commands I should use? I have only three files for ethereal,
> ethereal-0.8.11.0.bff
> ethereal-0.8.11.0.bff.asc
> and
> ethereal-0.8.11.0.exe
>
>Can anyone please help ?

That version is very old. I suggest that you go to
www.ethereal.com/distribution/win32 to download the
win32-README.txt and ethereal-setup-0.8.19.exe.
This executable will do the install for you. Be sure
to read win32-README.txt because you will have to
install WinPcap to capture traffic on your network.

Jeff Foster
jfoste@woodward.com

Re: (no subject) [ In reply to ]
> That version is very old. I suggest that you go to
> www.ethereal.com/distribution/win32

Don't be fooled by the ".exe" - for some reason, either IBM or the folks
maintaining the archive of binary packages for AIX stick ".exe" at the
end of the file name of UNIX-by-God executables. (Well, AIX
executables, anyway.)

I.e., he's running AIX, not Windows, as per

> I downloaded the binary files for ethereal,gtk+,glib
> and libpcap from the aix web site.

and

> I installed them using smit.
^^^^
I vaguely remember seeing some indication on that site that the ".exe"
files are binaries you run to install the software (speaking of "shades
of Windows"...); I assume from

> The ethereal is now installed

that he's already run the file and gotten Ethereal installed. (If not,
he should read the directions on the site, which presumably tell you
what to do with the ".exe" file).

After that, well, he should go to

http://www.ns.aus.com/ethereal/user-guide/book1.html

and start reading (it's even for 0.8.11...).

I don't know if any more recent versions of Ethereal are available in
binary form for AIX; if not, if he wants to run a newer version, he'll
have to get the source and compile it.

(Richard, should we put a link to the User's Guide on the Ethereal site,
or would that end up /.-ing your site? Should we put the user's guide on
the Ethereal site itself at some point, now that its source appears to
be in the ethereal-doc CVS tree?)
Re: (no subject) [ In reply to ]
Download and install:

http://www.microsoft.com/windows/downloads/bin/W95ws2setup.exe

Regards,



Schmidt Wolfgang wrote:

> Hello,
>
> i want to install the newest Ethereal software under Windows95
>
> The system always tell me that ist cannot found the ws2_32.dll
>
> What can i do
>
> +-------------------------------------+
> Wolfgang Schmidt
> Siemens AG, I&S MPEC, Erlangen, Germany
> Voice: +49-9131/7-44020, Fax: /8835 44020
> eMail: Wolfgang.Schmidt@erl9.siemens.de
> LFE Mailadresse: Wolfgang.ws.Schmidt@siemens.com
> +-------------------------------------+
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-users
Re: (no subject) [ In reply to ]
> Hi, I can't seem to get a copy of the packet capture driver as the link
> this refers to cannot connect to netgroup-serv.polito.it. Is there a
> different place I can get a copy of the packet capture driver?

The WinPcap Web site is mirrored at

http://www.wiretapped.net/security/packet-capture/winpcap/default.htm
RE: (no subject) [ In reply to ]
> all pages and directories under bammalammadingalong are
> written in English but are jibberish.

Not at all what I would expect under bammalammadingalong.

Were it bammalammadingdong, it would be understandable
Re: (no subject) [ In reply to ]
> When using the Ethereal Capture screen the default entry is able to
> provide stats on the network, I want to specify an interface but cannot
> seem to submit a proper entry.
>
> What is the structure of a valid entry for this field?

It's a string.

What the valid strings are depends on the OS on which you're running.

On most UNIXes, "ifconfig -a" should show you the list of interfaces,
although not all of those interfaces will necessarily support packet
capture (e.g., you can't capture on loopback devices such as "lo0" on
SunOS 5.x).

The "Interface" field is a combo box; selecting the arrow-pointing-down
widget next to the text box should drop down a list of all the
interfaces that Ethereal knows about and that it can open for capturing.
RE: (no subject) [ In reply to ]
There are many good books on TCP/IP, and I'm sure people will suggest their
own favorites, but the RFCs have everything you really need to know and
they're free.
Do a web search for:
RFC791.txt for IP
RFC768.txt for UDP
RFC793.txt for TCP

I found them at http://ns.utcru.sk/pub/doc/rfc/
<http://ns.utcru.sk/pub/doc/rfc/>

For a useful-looking introduction try
ftp://rtfm.mit.edu/pub/net/internet.text
<ftp://rtfm.mit.edu/pub/net/internet.text>


-----Original Message-----
From: Douglas R. Pilot [mailto:dpilot@svsu.org]
Sent: Monday, March 11, 2002 8:24 PM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have another question. I have looked through the user guide. It tells
you all the stuff you can do but no basics on how to interpret the data that
is captured. Where can I find a step by step tutorial on how to interpret
everything I see in each pane? Some are easy like IP address etc but some
are more difficult. I read an article about IDS signatures and it talked
about the SYN and FIN flags. I have no idea where to look for these.

thanks


Douglas R. Pilot
Computer Instructor,
Shaftsbury Elementary School
dpilot@svsu.org <mailto:dpilot@svsu.org>






________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________




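Since the question above is where to find the SYN and FIN flags that an IDS article talks about, here is what the packet-details pane is showing you, worked through in code against RFC 791 (IPv4) and RFC 793 (TCP). This is an added example, not part of the original message or of Ethereal: it parses a constructed 40-byte IPv4/TCP SYN segment, renders the six flag bits the way a dissector lists them, and flags the two combinations (SYN together with FIN, and no flags at all) that never occur in a legitimate handshake and that signature-based IDS rules commonly match. The struct, function names and sample bytes are my own.

```c
/* Added example: decode an IPv4/TCP header by hand, per RFC 791 / RFC 793.
 * Not Ethereal's dissector; names and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FIN 0x01   /* RFC 793 control bits, low six bits of byte 13 */
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

struct tcp_summary {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  flags;
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse an IPv4 packet carrying TCP. Returns 0 on success, -1 if the bytes
 * are not IPv4/TCP or any length field points past the end of the buffer
 * (a dissector that skips these checks reads out of bounds on crafted input). */
int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct tcp_summary *out)
{
    size_t ihl, total, doff;
    const uint8_t *tcp;

    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl   = (size_t)(pkt[0] & 0x0f) * 4;       /* header length in bytes */
    total = rd16(pkt + 2);                      /* total length field     */
    if (ihl < 20 || total < ihl || total > len) return -1;
    if (pkt[9] != 6) return -1;                 /* protocol 6 = TCP       */
    tcp = pkt + ihl;
    if (total - ihl < 20) return -1;
    doff = (size_t)(tcp[12] >> 4) * 4;          /* TCP data offset        */
    if (doff < 20 || doff > total - ihl) return -1;

    out->src_ip      = rd32(pkt + 12);
    out->dst_ip      = rd32(pkt + 16);
    out->src_port    = rd16(tcp);
    out->dst_port    = rd16(tcp + 2);
    out->seq         = rd32(tcp + 4);
    out->ack         = rd32(tcp + 8);
    out->flags       = tcp[13] & 0x3f;
    out->payload_len = total - ihl - doff;
    return 0;
}

/* Render the set flag bits as "ACK,SYN" etc., the way a packet pane lists them. */
void tcp_flag_string(uint8_t flags, char *buf, size_t buflen)
{
    static const struct { uint8_t bit; const char *name; } names[] = {
        { TCP_URG, "URG" }, { TCP_ACK, "ACK" }, { TCP_PSH, "PSH" },
        { TCP_RST, "RST" }, { TCP_SYN, "SYN" }, { TCP_FIN, "FIN" } };
    size_t i, pos = 0;

    if (buflen == 0) return;
    buf[0] = '\0';
    for (i = 0; i < 6 && pos < buflen; i++)
        if (flags & names[i].bit)
            pos += (size_t)snprintf(buf + pos, buflen - pos, "%s%s",
                                    pos ? "," : "", names[i].name);
    if (pos == 0) snprintf(buf, buflen, "none");
}

/* SYN and FIN set together, or no flags at all, cannot come from a normal
 * TCP stack; these are the combinations IDS signatures look for. */
int tcp_flags_suspicious(uint8_t flags)
{
    return ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) || flags == 0;
}

/* Constructed sample: a bare SYN from 192.168.1.10:1024 to 10.0.0.1:80. */
const uint8_t sample_syn[40] = {
    /* IPv4: version 4, IHL 5, total length 40, TTL 64, protocol 6, checksum 0 */
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x01,
    /* TCP: ports 1024 -> 80, seq 1, ack 0, data offset 5, flags = SYN */
    0x04, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    struct tcp_summary s;
    char flags[32];
    if (parse_ipv4_tcp(sample_syn, sizeof sample_syn, &s) != 0) return 1;
    tcp_flag_string(s.flags, flags, sizeof flags);
    printf("%u -> %u flags=%s suspicious=%d\n", s.src_port, s.dst_port,
           flags, tcp_flags_suspicious(s.flags));
    return 0;
}
```

Byte 13 of the TCP header is the one the article was talking about: with the packet bytes pane open, the SYN of a three-way handshake shows as 0x02 there, and SYN,ACK as 0x12.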
Re: (no subject) [ In reply to ]
Rick, Guy,

Sorry. I have no router. My box is directly connected
to the cablemodem. Before, I was only trying to imply
that I was the only user connected to a hub, which was
connected to a router to which another hub was
connected to which other users were connected,
something like this:

MyBox->Cablemodem->tvCable->Hub->Router
...and from that same Router:
Router->Hub->tvCable->OtherCableModemsInMySubnet
...so, if it is true that I am the only one in my area
(on the local cablemodem "hub", wherever it is), and
that hub was connected to a Router, which was
connected to other hubs, each of which was connected
to zero or more Cablemodems, would that explain the
results I sent in my original email?

John



--- Rick Farina <farinard@muohio.edu> wrote:
> Okay, here is how it breaks down...all of those
> addresses on your subnet
> look different to me. What that tells me is that
> there is no router between
> you and the rest of the people on your subnet.
> However what you said in your first email implies
> that you have a router.
> I'm with Guy, do you have a router in your house?
> What is the EXACT
> internal network configuration?
>
> Cablemodem -> Cisco XXX router -> RH7.2 box?
>
> Second of all, type this right now.
>
> "rpm -ev `rpm -qa | grep ethereal`"
>
> Then go to www.ethereal.com
> and download the newest version (rpm if you
> like...I'd actually suggest it)
>
> Then try this all again....could be a bug in the
> ANCIENT ethereal you are
> running.
>
> -Rick Farina
>
>
>
> ----- Original Message -----
> From: "John E. Mayorga" <jmayorga5@yahoo.com>
> To: "Rick Farina" <farinard@muohio.edu>
> Cc: <ethereal-users@ethereal.com>
> Sent: Sunday, April 21, 2002 18:58
> Subject: Re: [Ethereal-users] (no subject)
>
>
> Rick,
>
> I installed arping and created a little script to
> run
> through the subnet. Here is the output:
>
> ARPING 24.127.52.1 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54]
> 8.803ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.2 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F]
> 9.601ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.3 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.3 [00:04:5A:41:2C:F3]
> 51.540ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.4 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.4 [00:02:E3:03:C4:E0]
> 9.096ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.5 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.5 [00:10:4C:12:30:1E]
> 9.515ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.6 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.6 [00:03:47:DB:D7:13]
> 31.087ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.7 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.7 [00:00:C5:3C:9A:32]
> 12.555ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.8 from 24.127.52.10 eth0
> Sent 1 probes (1 broadcast(s))
> Received 0 response(s)
>
> ...
>
> These MACs are different than the ones reported
> before
> by hunt and ethereal. Is it that all my traffic is
> coming through the router, even that of the other
> members of my subnet, so other programs are
> reporting
> the router's MAC?
>
> John
>
>
> --- Rick Farina <farinard@muohio.edu> wrote:
> > A good way to properly search for MAC's is
> "arping"
> > http://freshmeat.net/projects/arping/?topic_id=150
> > I suggest you use that to find MAC's.....however,
> an
> > important fact is that
> > anything outside of your router will have the MAC
> > address of your router
> > (ARP is not routed). Are all of those addresses
> on
> > your side of the router?
> > or are they on the other side. That is the most
> > obvious conclusion that I
> > have (besides foul play). Let me know if that's
> > it....otherwise, we can try
> > to diagnose possible foul play. ;-)
> >
> > -Rick Farina
> > ----- Original Message -----
> > From: "John E. Mayorga" <jmayorga5@yahoo.com>
> > To: <ethereal-users@ethereal.com>
> > Sent: Sunday, April 21, 2002 16:35
> > Subject: [Ethereal-users] (no subject)
> >
> >
> > I'm on at&t @home service, and I've noticed some
> > strangeness in my subnet that I can't explain. I'm
> > sure someone here will know an obvious reason, so
> > here
> > it goes.
> >
> > I'm running on Red Hat 7.2 with an updated kernel
> > from
> > Red Hat. Here is the output from "uname -a":
> >
> > Linux ldap.athlon.com 2.4.9-31 #1 Tue Feb 26
> > 06:23:51
> > EST 2002 i686 unknown
> >
> > The results were gathered from three tools:
> > hunt 1.5 - for gathering MAC addresses
> > nmap V. 2.54BETA22 - for getting a response from
> > members of my subnet
> > ethereal 0.8.18 - general sniffing
> >
> > OK, so here's the "thing" - everybody on my subnet
> > has
> > the same MAC address, including my router. Yow!
> > Something I'm doing wrong, right? Well, let's see:
> >
> > First, I fire up hunt and tell it to collect MAC
> > addresses. While hunt is doing its job, I run "
> > nmap -sP 24.127.52.*". Hunt reports the following
> > while running:
> >
> > ARP: MAC src != ARP src for host 24.127.52.3
> > ARP: MAC src != ARP src for host 24.127.52.4
> > ARP: MAC src != ARP src for host 24.127.52.5
> > ARP: MAC src != ARP src for host 24.127.52.6
> > ARP: MAC src != ARP src for host 24.127.52.7
> > ARP: MAC src != ARP src for host 24.127.52.8
> > ARP: MAC src != ARP src for host 24.127.52.9
> > ARP: MAC src != ARP src for host 24.127.52.11
> > ARP: MAC src != ARP src for host 24.127.52.12
> > ARP: MAC src != ARP src for host 24.127.52.16
> > ARP: MAC src != ARP src for host 24.127.52.17
> > ARP: MAC src != ARP src for host 24.127.52.20
> > ARP: MAC src != ARP src for host 24.127.52.21
> > ARP: MAC src != ARP src for host 24.127.52.22
> > ARP: MAC src != ARP src for host 24.127.52.23
> > ARP: MAC src != ARP src for host 24.127.52.24
> > ARP: MAC src != ARP src for host 24.127.52.26
> > ARP: MAC src != ARP src for host 24.127.52.29
> > ARP: MAC src != ARP src for host 24.127.52.47
> > ARP: MAC src != ARP src for host 24.127.52.48
> > ARP: MAC src != ARP src for host 24.127.52.49
> > ARP: MAC src != ARP src for host 24.127.52.51
> > ARP: MAC src != ARP src for host 24.127.52.52
> > ARP: MAC src != ARP src for host 24.127.52.53
> > ARP: MAC src != ARP src for host 24.127.52.55
> > ARP: MAC src != ARP src for host 24.127.52.57
> > ARP: MAC src != ARP src for host 24.127.52.58
> > ARP: MAC src != ARP src for host 24.127.52.60
> > ARP: MAC src != ARP src for host 24.127.52.61
> > ARP: MAC src != ARP src for host 24.127.52.62
> > ARP: MAC src != ARP src for host 24.127.52.64
> > ARP: MAC src != ARP src for host 24.127.52.65
> > ARP: MAC src != ARP src for host 24.127.52.31
> > ARP: MAC src != ARP src for host 24.127.52.33
> > ARP: MAC src != ARP src for host 24.127.52.37
> > ARP: MAC src != ARP src for host 24.127.52.38
> > ARP: MAC src != ARP src for host 24.127.52.39
> > ARP: MAC src != ARP src for host 24.127.52.67
> > ARP: MAC src != ARP src for host 24.127.52.68
> > ARP: MAC src != ARP src for host 24.127.52.69
> > ARP: MAC src != ARP src for host 24.127.52.70
> > ARP: MAC src != ARP src for host 24.127.52.72
> > ARP: MAC src != ARP src for host 24.127.52.74
> > ARP: MAC src != ARP src for host 24.127.52.75
> > ARP: MAC src != ARP src for host 24.127.52.78
> > ARP: MAC src != ARP src for host 24.127.52.41
> > ARP: MAC src != ARP src for host 24.127.52.42
> > ARP: MAC src != ARP src for host 24.127.52.44
> > ARP: MAC src != ARP src for host 24.127.52.80
> > ARP: MAC src != ARP src for host 24.127.52.82
> > ARP: MAC src != ARP src for host 24.127.52.85
> > ARP: MAC src != ARP src for host 24.127.52.86
> > ARP: MAC src != ARP src for host 24.127.52.87
> > ARP: MAC src != ARP src for host 24.127.52.88
> > ARP: MAC src != ARP src for host 24.127.52.89
> > ARP: MAC src != ARP src for host 24.127.52.90
> > ARP: MAC src != ARP src for host 24.127.52.91
> > ARP: MAC src != ARP src for host 24.127.52.92
> > ARP: MAC src != ARP src for host 24.127.52.93
> > ARP: MAC src != ARP src for host 24.127.52.95
> > ARP: MAC src != ARP src for host 24.127.52.97
> > ARP: MAC src != ARP src for host 24.127.52.98
> > ARP: MAC src != ARP src for host 24.127.52.99
> > ARP: MAC src != ARP src for host 24.127.52.100
> > ARP: MAC src != ARP src for host 24.127.52.101
> > ARP: MAC src != ARP src for host 24.127.52.103
> > ARP: MAC src != ARP src for host 24.127.52.105
> > ARP: MAC src != ARP src for host 24.127.52.107
> > ARP: MAC src != ARP src for host 24.127.52.108
> > ARP: MAC src != ARP src for host 24.127.52.109
> > ARP: MAC src != ARP src for host 24.127.52.110
> > ARP: MAC src != ARP src for host 24.127.52.111
> > ARP: MAC src != ARP src for host 24.127.52.114
> > ARP: MAC src != ARP src for host 24.127.52.115
> > ARP: MAC src != ARP src for host 24.127.52.116
> > ARP: MAC src != ARP src for host 24.127.52.117
> > ARP: MAC src != ARP src for host 24.127.52.118
> > ARP: MAC src != ARP src for host 24.127.52.119
> > ARP: MAC src != ARP src for host 24.127.52.120
> > ARP: MAC src != ARP src for host 24.127.52.121
> > ARP: MAC src != ARP src for host 24.127.52.122
> > ARP: MAC src != ARP src for host 24.127.52.123
> > ARP: MAC src != ARP src for host 24.127.52.124
> > ARP: MAC src != ARP src for host 24.127.52.125
> > ARP: MAC src != ARP src for host 24.127.52.126
> > ARP: MAC src != ARP src for host 24.127.52.130
> > ARP: MAC src != ARP src for host 24.127.52.131
> > ARP: MAC src != ARP src for host 24.127.52.133
> > ARP: MAC src != ARP src for host 24.127.52.134
> > ARP: MAC src != ARP src for host 24.127.52.136
> > ARP: MAC src != ARP src for host 24.127.52.142
> > ARP: MAC src != ARP src for host 24.127.52.146
> > ARP: MAC src != ARP src for host 24.127.52.149
> > ARP: MAC src != ARP src for host 24.127.52.151
> > ARP: MAC src != ARP src for host 24.127.52.155
> > ARP: MAC src != ARP src for host 24.127.52.156
> > ARP: MAC src != ARP src for host 24.127.52.157
> > ARP: MAC src != ARP src for host 24.127.52.158
> > ARP: MAC src != ARP src for host 24.127.52.159
> > ARP: MAC src != ARP src for host 24.127.52.160
> > ARP: MAC src != ARP src for host 24.127.52.161
> > ARP: MAC src != ARP src for host 24.127.52.163
> > ARP: MAC src != ARP src for host 24.127.52.165
> > ARP: MAC src != ARP src for host 24.127.52.166
> > ARP: MAC src != ARP src for host 24.127.52.167
> > ARP: MAC src != ARP src for host 24.127.52.168
> > ARP: MAC src != ARP src for host 24.127.52.172
> > ARP: MAC src != ARP src for host 24.127.52.173
> > ARP: MAC src != ARP src for host 24.127.52.176
> > ARP: MAC src != ARP src for host 24.127.52.177
> > ARP: MAC src != ARP src for host 24.127.52.178
> > ARP: MAC src != ARP src for host 24.127.52.179
> > ARP: MAC src != ARP src for host 24.127.52.180
> > ARP: MAC src != ARP src for host 24.127.52.181
> > ARP: MAC src != ARP src for host 24.127.52.182
> > ARP: MAC src != ARP src for host 24.127.52.183
> > ARP: MAC src != ARP src for host 24.127.52.184
> > ARP: MAC src != ARP src for host 24.127.52.185
> > ARP: MAC src != ARP src for host 24.127.52.186
> > ARP: MAC src != ARP src for host 24.127.52.187
> > ARP: MAC src != ARP src for host 24.127.52.189
> > ARP: MAC src != ARP src for host 24.127.52.190
> > ARP: MAC src != ARP src for host 24.127.52.191
> > ARP: MAC src != ARP src for host 24.127.52.192
> > ARP: MAC src != ARP src for host 24.127.52.193
> > ARP: MAC src != ARP src for host 24.127.52.196
> > ARP: MAC src != ARP src for host 24.127.52.197
> > ARP: MAC src != ARP src for host 24.127.52.199
> > ARP: MAC src != ARP src for host 24.127.52.200
> > ARP: MAC src != ARP src for host 24.127.52.203
> > ARP: MAC src != ARP src for host 24.127.52.204
> > ARP: MAC src != ARP src for host 24.127.52.205
> > ARP: MAC src != ARP src for host 24.127.52.206
> > ARP: MAC src != ARP src for host 24.127.52.208
> > ARP: MAC src != ARP src for host 24.127.52.209
> > ARP: MAC src != ARP src for host 24.127.52.211
> > ARP: MAC src != ARP src for host 24.127.52.212
> > ARP: MAC src != ARP src for host 24.127.52.215
> > ARP: MAC src != ARP src for host 24.127.52.216
> > ARP: MAC src != ARP src for host 24.127.52.217
> > ARP: MAC src != ARP src for host 24.127.52.218
> > ARP: MAC src != ARP src for host 24.127.52.219
> > ARP: MAC src != ARP src for host 24.127.52.221
> > ARP: MAC src != ARP src for host 24.127.52.224
> > ARP: MAC src != ARP src for host 24.127.52.228
> > ARP: MAC src != ARP src for host 24.127.52.232
> > ARP: MAC src != ARP src for host 24.127.52.235
> > ARP: MAC src != ARP src for host 24.127.52.236
> > ARP: MAC src != ARP src for host 24.127.52.237
> > ARP: MAC src != ARP src for host 24.127.52.239
> > ARP: MAC src != ARP src for host 24.127.52.240
> > ARP: MAC src != ARP src for host 24.127.52.241
> > ARP: MAC src != ARP src for host 24.127.52.242
> > ARP: MAC src != ARP src for host 24.127.52.249
> > ARP: MAC src != ARP src for host 24.127.52.250
> > ARP: MAC src != ARP src for host 24.127.52.252
> > ARP: MAC src != ARP src for host 24.127.52.254
> > ARP: MAC src != ARP src for host 24.127.52.255
> >
> > I then tell hunt to report the collected MAC
> > addresses:
> >
> > --- mac table ---
> > 10.127.52.1 00:B0:8E:F7:3C:54
> > 24.127.52.1 00:B0:8E:F7:3C:54
> > 24.127.52.10 00:01:02:84:77:E2
> >
> > If I then poke through ethereal, any responses
> > (mostly
> > http responses) give the "Ethernet II" source MAC
> of
> > the router (and it resolves to the router's IP on
> > the
> > same line), and gives the "Internet Protocol"
> > Source:
> > as the responding machine.
> >
> > Helpful hints: It was explained to me during the
> > installation that I was the only one on my
> segment,
> > which is believable, considering my location. My
> > network mask is: 255.255.254.0
> >
> > The answer is sure to be staring me in the face,
> so
> > any slaps upside the head will be welcome. Can
> > anyone
> > tell me how to properly collect MAC addresses?
> >
> > Thanx,
> >
> > John
> >
> >
> >
> >
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Games - play chess, backgammon, pool and
> more
> > http://games.yahoo.com/
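The observation that started this thread (many IP addresses all answering with one MAC) is cheap to check mechanically. As an added example, not part of the original exchange or of arping, the following reads arping reply lines of the form shown above, builds the IP-to-MAC table, and reports any MAC that answers for more than one host. Beyond a router that is the expected result, since ARP is not routed and every remote host resolves to the router's MAC; on the local segment the same pattern is what proxy ARP or ARP spoofing looks like, which is why it is worth flagging. The sample lines are constructed (RFC 5737 documentation addresses and locally administered MACs), and the function names are assumptions.

```c
/* Added example: correlate arping replies and flag a MAC that answers for
 * several IP addresses. Not part of arping or Ethereal; sample is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct arp_entry { char ip[16]; char mac[18]; };

/* Parse one arping reply line: "Unicast reply from <ip> [<mac>]  <rtt>ms".
 * Other arping output ("ARPING ...", "Sent ...", "Received ...") returns 0. */
int parse_arping_reply(const char *line, struct arp_entry *e)
{
    return sscanf(line, "Unicast reply from %15s [%17[0-9A-Fa-f:]]",
                  e->ip, e->mac) == 2;
}

/* Collect the replies in 'lines' and return the number of distinct MACs that
 * answered for more than one IP. If 'report' is non-NULL, one line per such
 * MAC is appended to it. MACs are compared as printed (arping uses one case). */
int shared_mac_count(const char *const *lines, size_t n, char *report, size_t rlen)
{
    struct arp_entry tab[64];
    size_t cnt = 0, i, j;
    int shared = 0;

    if (report && rlen) report[0] = '\0';
    for (i = 0; i < n && cnt < sizeof tab / sizeof *tab; i++)
        if (parse_arping_reply(lines[i], &tab[cnt]))
            cnt++;

    for (i = 0; i < cnt; i++) {
        int first = 1, hosts = 0;
        for (j = 0; j < cnt; j++) {
            if (strcmp(tab[i].mac, tab[j].mac) == 0) {
                hosts++;
                if (j < i) first = 0;   /* already reported at its first index */
            }
        }
        if (first && hosts > 1) {
            shared++;
            if (report) {
                size_t len = strlen(report);
                snprintf(report + len, rlen > len ? rlen - len : 0,
                         "%s answers for %d hosts\n", tab[i].mac, hosts);
            }
        }
    }
    return shared;
}

/* Constructed sample in arping's output format. Hosts .1, .3 and .5 all
 * answer with the same MAC, as they would if they sat behind one router. */
const char *const sample_arping[] = {
    "ARPING 192.0.2.1 from 192.0.2.10 eth0",
    "Unicast reply from 192.0.2.1 [02:00:5E:00:00:01]  8.803ms",
    "Sent 1 probes (1 broadcast(s))",
    "Received 1 response(s)",
    "ARPING 192.0.2.2 from 192.0.2.10 eth0",
    "Unicast reply from 192.0.2.2 [02:00:5E:00:00:02]  9.601ms",
    "Unicast reply from 192.0.2.3 [02:00:5E:00:00:01]  51.540ms",
    "Unicast reply from 192.0.2.4 [02:00:5E:00:00:04]  9.096ms",
    "Unicast reply from 192.0.2.5 [02:00:5E:00:00:01]  9.515ms",
    "ARPING 192.0.2.8 from 192.0.2.10 eth0",
    "Sent 1 probes (1 broadcast(s))",
    "Received 0 response(s)",
};
const size_t sample_arping_count = sizeof sample_arping / sizeof *sample_arping;

int main(void)
{
    char report[512];
    int n = shared_mac_count(sample_arping, sample_arping_count, report, sizeof report);
    printf("%d shared MAC(s)\n%s", n, report);
    return 0;
}
```

Run against a real arping sweep, a non-zero result on addresses that are supposed to be on your own segment is the point at which to compare the reported MAC with the router's, exactly as Rick suggests above.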
Re: (no subject) [ In reply to ]
tushar nerurkar wrote:

>> In short, is there any cli command equivalent to the File--> Print (
>> to a file and summary output--plain text format) of the GUI version.
>
> I am working in windows environment.

Look at tethereal's '-V' option.

Regards,

Marco.
Re: (no subject) [ In reply to ]
On Tue, May 28, 2002 at 01:00:53PM -0000, tushar nerurkar wrote:
> In short, is there any cli command equivalent to the File-->
> Print ( to a file and summary output--plain text format) of the
> GUI version.

The command is

tethereal -r {capture file name} >{text file name}

where "{capture file name}" is the name of the capture file you're
reading, and "{text file name}" is the name of the file to which you
want the text output to be written.

That will write the summary output (one line per packet). If you want
the detailed output, then, as noted by another poster, use the "-V"
flag:

tethereal -V -r {capture file name} >{text file name}
Re: (no subject) [ In reply to ]
On Fri, Jul 26, 2002 at 07:19:11PM -0600, Muguira, Maritza R wrote:
> I'm using version 0.9.5 and trying to decode with iscsi but I don't see it
> in the list of protocols to choose from. Shouldn't iscsi be there?

No, because its dissector is a "heuristic" dissector - i.e., Ethereal
doesn't recognize iSCSI traffic based on the port number, it recognizes
it based on whether the iSCSI dissector thinks a packet contains iSCSI
traffic or not.

> Is there some way to decode with iscsi?

Yes - get a capture that contains iSCSI traffic that the iSCSI dissector
recognizes as such.

If you have a capture with iSCSI traffic that's *not* being dissected as
iSCSI, you'd have to send us the capture (or send Mark Burton, the
author of the iSCSI dissector, the capture) so we (or he) can figure out
why the iSCSI dissector isn't recognizing the traffic as iSCSI.
RE: (no subject) [ In reply to ]
>On Fri, Jul 26, 2002 at 07:19:11PM -0600, Muguira, Maritza R wrote:
>> I'm using version 0.9.5 and trying to decode with iscsi but I don't see
it
>> in the list of protocols to choose from. Shouldn't iscsi be there?

>No, because its dissector is a "heuristic" dissector - i.e., Ethereal
>doesn't recognize iSCSI traffic based on the port number, it recognizes
>it based on whether the iSCSI dissector thinks a packet contains iSCSI
>traffic or not.

I understand that it doesn't recognize it as iSCSI when I first read in the
capture file because we are using a different port number. However, I
thought I could force it to "Decode As" whatever protocol I wanted. But,
iSCSI does not appear in my "Decode As" list.

Thank you for assistance,
Maritza Muguira
RE: (No Subject) [ In reply to ]
Ade,

> Is there a way to configure filters to support trigger
> operation i.e. capturing only interesting packets? I know
> etherreal does not have a native trigger function but perhaps
> there is a way to modify filters to act as triggers.

I'm not quite sure what you mean by "trigger".
* If your "interesting" trigger can be described using a capture filter
(using the tcpdump syntax), then yes. Read the tcpdump man page for more on
capture filters.

* If your "interesting" trigger can be described using a display filter,
then when you set up your trace, select the best capture filter you can. Also
select "update packet list in real time". When the trace begins, enter your
display filter and click apply. Ethereal will then only display your
interesting traffic. Read the ethereal documentation for more on display
filters.

* If your capture filter is too broad for Ethereal to keep up with holding
all this in memory, you can try using tethereal with the -R flag to do
pretty much the same thing, except you can only look at the trace
afterwards.
tethereal -f "ip host 1.2.3.4" -R "icmp" -w splat.trc
If you want to check the data without stopping the trace, then use the "Use
Ring Buffer" option with a suitable capture file rotation speed. Then run
the above command on the traces that

* If your "interesting" trigger can't be described using a display filter,
you're still not shot. With a bit of Perl you can scan the output of tethereal
-V or tethereal -x, and then decide which frames are "interesting". Then use
EditCap to select only those frames.

HTH

Alistair

PS A subject heading would have been nice.


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services PLC, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.
Re: (No Subject) [ In reply to ]
On Wed, Aug 14, 2002 at 10:35:28PM +0100, Alistair.McGlinchy@marks-and-spencer.com wrote:
> I'm not quite sure what you mean by "trigger".

I assume by "trigger" he means what it means (from what I remember) in
some other packet analyzers, namely a Boolean expression that tests the
contents of packets, and that causes packets to start to be saved when a
packet for which the expression is true is seen.

That would be used in a case where "interesting" traffic is defined as
"traffic following a packet of a particular type".
RE: (No Subject) [ In reply to ]
Guy, Ade et al,

> -----Original Message-----
> From: Guy Harris [mailto:guy@netapp.com]
> On Wed, Aug 14, 2002 at 10:35:28PM +0100,
> Alistair.McGlinchy@marks-and-spencer.com wrote:
> > I'm not quite sure what you mean by "trigger".
>
> I assume by "trigger" he means what it means (from what I
> remember) in some other packet analyzers, namely a Boolean
> expression that tests the contents of packets, and that
> causes packets to start to be saved when a packet for which
> the expression is true is seen.

Ah..., I see the problem. Although I've never wanted this in the past I can
see it has its uses. Being the tethereal/perl fan that I am, I've worked up
a skeleton script which can parse tethereal -x and provide a hook into
almost any boolean expression you'd like.

Suppose you wanted to find which user opened a certain file on an NT file
server. You set up a trace of all traffic to the server using a ring buffer.
When each ring buffer file is complete you parse the output of tethereal -x
on the file to see if the text "weird_application.exe" was in a SMB frame.
If found, then you editcap out the good stuff.

Not exactly elegant. But it solves the problem without resorting to
kilo-dollar software :-)


Alistair,
# Thoroughly under-tested and unsupported code follows

use strict;
use warnings;
# Usage: tethereal -x -r <infile> | perl find_trigger.pl
# Prints the correct editcap command to extract the required traffic
# Intended for illustrative purposes only

$/ = "\n\n"; # Use two hard returns as the record delimiter

my $trigger_found = 0;
my $last_frame    = 0;

while (<>) {
    # Summary line: the frame number is right-justified, so skip the
    # leading blanks before taking the number
    my ($frame_no) = /^\s*(\d+)/ or next;
    $last_frame = $frame_no;
    # The hex dump record that follows the summary line
    defined($_ = <>) or last;
    # Raw bytes: the hex pairs in the first 56 columns of each dump line
    my $all_bytes = pack 'C*',
        map { hex } map { substr($_, 0, 56) =~ /\b([0-9a-f]{2})\b/g } split /\n/;
    # The printable-ASCII column starts at column 56
    my $printable_ascii = join "",
        map { length($_) > 56 ? substr($_, 56) : "" } split /\n/;

    if (!$trigger_found and
        # I can find a sub string
        $printable_ascii =~ /what I am looking for/
        #or
        # the second 100 bytes are all 0xff
        # substr($all_bytes, 100, 100) eq "\xff" x 100
    ) {
        $trigger_found = $frame_no;
    } elsif ($trigger_found and $printable_ascii =~ /All is cool now/) {
        # editcap -r keeps only the listed frames
        print "Run: editcap -r <infile> <outfile> $trigger_found-$frame_no\n";
        exit 0;
    }
}
if ($trigger_found) {
    # End marker never seen: keep from the trigger to the end of the file
    print "Run: editcap -r <infile> <outfile> $trigger_found-$last_frame\n";
} else {
    die "Error: Start criteria not found\n";
}


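The trigger idea from this thread (save from the first frame matching a start expression until a stop expression, or to the end of the ring-buffer file), reimplemented in Python as an added example; this is not Alistair's script and not Ethereal project code. It assumes the same `tethereal -x` layout the script above relies on (summary line, blank line, hex dump, blank line), a constructed dump as input, and that `editcap -r` keeps the listed frames.

```python
import re

# One hex-dump line: 4-digit offset, single-space separated "xx" pairs, then the ASCII column
HEX_LINE = re.compile(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2} )*[0-9a-f]{2})", re.I)

# Constructed `tethereal -x -r file` output (not a real capture): for each
# frame a summary line, a blank line, the hex dump, a blank line.
SAMPLE_DUMP = """\
  1   0.000000 10.0.0.5 -> 10.0.0.9 TCP 1025 > 139 [SYN]

0000  00 00 00 04 ff 53 4d 42                           ....SMB

  2   0.010000 10.0.0.5 -> 10.0.0.9 SMB NT Create AndX Request

0000  ff 53 4d 42 a2 00 00 00 77 65 69 72 64 5f 61 70   .SMB....weird_ap
0010  70 6c 69 63 61 74 69 6f 6e 2e 65 78 65            plication.exe

  3   0.020000 10.0.0.5 -> 10.0.0.9 SMB Close Request

0000  41 6c 6c 20 69 73 20 63 6f 6f 6c 20 6e 6f 77      All is cool now
"""

def parse_tethereal_x(text):
    """Yield (frame_no, raw_bytes) per frame; the frame number is
    right-justified in the summary line, so leading blanks are skipped."""
    recs = [r for r in re.split(r"\n[ \t]*\n", text.strip()) if r.strip()]
    for summary, dump in zip(recs[0::2], recs[1::2]):
        frame_no = int(re.match(r"\s*(\d+)", summary).group(1))
        raw = b"".join(bytes.fromhex(m.group(1).replace(" ", ""))
                       for m in map(HEX_LINE.match, dump.splitlines()) if m)
        yield frame_no, raw

def trigger_range(frames, start_pat, stop_pat):
    """Keep from the first frame containing start_pat through the first later
    frame containing stop_pat, or through the last frame if the file ends first."""
    first = last = None
    for frame_no, raw in frames:
        last = frame_no
        if first is None:
            if start_pat in raw:
                first = frame_no
        elif stop_pat in raw:
            return first, frame_no
    return None if first is None else (first, last)

def editcap_command(rng, infile, outfile):
    """editcap -r keeps exactly the listed frames (without -r it drops them)."""
    return None if rng is None else "editcap -r %s %s %d-%d" % (infile, outfile, *rng)
```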
RE: (no subject) [ In reply to ]
A quick way is to use the Display Filter to only display the packets you
are interested in. Then choose Protocol Hierarchy Statistics from the
Tools menu. It will total up all the packets in the display under the
Frame category.



Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670 Mobile: +61-411-254-513
Fax: +61-2-9022-1800 E-mail: martin.visserAThp.com

-----Original Message-----
From: Eugene Korolev [mailto:korolev@lastbit.com]
Sent: Friday, 30 August 2002 3:01 PM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


Hi, All!

I write an application that uses low-level NetBIOS packets. When
I send NetBIOS Session Message Packet Request (NBS request), I receive
NetBIOS Session Message Packet Response (NBS response). The NBS response
consists of several parts (the first response packet + NBS Continual
Message Packets). It seems that Ethereal detects all NBS packets
correctly. What is a method to detect the total amount of NBS Continual
Message Packets or the total size (in bytes) of these packets?

NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
    Length: 2920
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 20
        Time from request: 0.452407000 seconds
        SMB Command: Transaction (0x25)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x98
        Flags2: 0x0003
        Reserved: 000000000000000000000000
        Tree ID: 36866
        Process ID: 1300
        User ID: 61441
        Multiplex ID: 0
    Transaction Response (0x25)
        Word Count (WCT): 10
        Total Parameter Count: 12
        Total Data Count: 6560
        Reserved: 0000
        Parameter Count: 12
        Parameter Offset: 56
        Parameter Displacement: 0
        Data Count: 2852
        Data Offset: 68
        Data Displacement: 0
        Setup Count: 0
        Reserved: 00
        Byte Count (BCC): 2865
        Padding: 00
    SMB Pipe Protocol
        Microsoft Windows Lanman Remote API Protocol
            Function Code: NetUserEnum2 (131)
            Status: Success (0)
            Convert: 58944
            Doubleword Param: 724647 (0x000B0EA7)
            Entry Count: 83
            Word Param: 83 (0x0053)
            Entries
                .....................
            [Unreassembled Packet: LANMAN]

Eugene Korolev.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
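For the question of how much of the response is still outstanding, an added example (not from this thread and not Ethereal code) that parses the NetBIOS session header and the SMB Transaction response counts from a constructed message carrying the values in the dissection above. The remaining byte count is Total Data Count minus Data Displacement minus Data Count (and the same for parameters); a positive value means further response messages follow.

```python
import struct

def parse_nbss(buf):
    """NetBIOS Session Service header (RFC 1002): type, flags, 16-bit
    length; flag bit 0 extends the length to 17 bits."""
    msg_type, flags, length = struct.unpack(">BBH", buf[:4])
    return msg_type, flags, length | ((flags & 0x01) << 16)

def transaction_progress(buf):
    """For an SMB Transaction (0x25) response in one session message, return
    (total_bytes, bytes_in_this_response, bytes_still_to_come). A positive
    last value means more responses with a higher Displacement will follow."""
    msg_type, _flags, _nb_len = parse_nbss(buf)
    smb = buf[4:]
    if msg_type != 0x00 or smb[:4] != b"\xffSMB" or smb[4] != 0x25 or smb[32] != 10:
        raise ValueError("not a Transaction response inside a session message")
    # Words after WCT: TotalParam, TotalData, Reserved, ParamCount, ParamOffset,
    # ParamDisp, DataCount, DataOffset, DataDisp (all little-endian)
    tpc, tdc, _, pc, _po, pd, dc, _do, dd = struct.unpack("<9H", smb[33:51])
    total = tpc + tdc
    here = pc + dc
    remaining = (tpc - pd - pc) + (tdc - dd - dc)
    return total, here, remaining

def build_sample():
    """Constructed message (headers only, the 2865-byte body is omitted) with
    the counts from the dissection: NBSS length 2920, Total Data 6560, Data 2852."""
    nbss = struct.pack(">BBH", 0x00, 0x00, 2920)
    header = (b"\xffSMB" + bytes([0x25, 0x00, 0x00]) + b"\x00\x00"   # cmd, DOS status
              + bytes([0x98]) + struct.pack("<H", 0x0003) + b"\x00" * 12
              + struct.pack("<4H", 36866, 1300, 61441, 0))           # TID PID UID MID
    words = struct.pack("<B9HBBH", 10, 12, 6560, 0, 12, 56, 0, 2852, 68, 0, 0, 0, 2865)
    return nbss + header + words

if __name__ == "__main__":
    print(transaction_progress(build_sample()))  # (6572, 2864, 3708)
```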
