Mailing List Archive

(no subject)
#####################################################

Kresimir Puskaric

ICN S - RM&UNIX
Siemens d.d.
Heinzelova 70a
HR - 10000 Zagreb

Tel: ++385 1 / 61 05 649
Handy: ++385 98 / 359 140
Fax: ++385 1 / 61 05 640
E-mail (work): Kresimir.Puskaric@siemens.hr
(no subject) [ In reply to ]
ethereal-users,
I use the sniffer (version 4.70.04) to capture packets from two IP access gateways, and use Ethereal to look at them.
But I only see the Q.931 protocol. Why don't I see RTP/RTCP, H.323, H.245 and so on? If I want to see these protocols, how can I do it?
Thank you very much.


lionwang
wangzm@centnet.com.cn
1999-03-25
(no subject) [ In reply to ]
Hi,
I tried to download the necessary stuff to my PC (Win95) in order to run
ethereal, but I couldn't make it work. I followed the instructions from your
website. Could you enlighten me what else I need to do to make it work?
I downloaded the following packages:
Packet95.exe
ethereal-0.8.12-capture.zip
gtk-libs-20000805.zip
gimp-dev-20001023.zip
gimp-setup-20001023.zip

Looking forward to your reply. Thanks!


Tong, Min
Re: (no subject) [ In reply to ]
> I tried to download the necessary stuff to my PC (Win95) in order to run
> ethereal, but I couldn't make it work. I followed the instructions from your
> website. Could you enlighten me what else I need to do to make it work?

One thing you need to do is to tell us what it does instead of working.
:-)

I.e., there are probably many different ways in which it could fail to
work, and the cause of the problem and the fix for the problem will be
different for the different ways in which it's failing.

> I downloaded the following packages:
> Packet95.exe

The instructions for that are on the WinPcap Web site; you first have to
run the "Packet95.exe" file, as per

http://netgroup-serv.polito.it/winpcap/install/Default.htm

which says it's an auto-decompressing file. It will pop up a dialog box
to let you specify the directory into which the files are to be unzipped;
remember the pathname of the directory it displays (or choose another
directory and remember that pathname). Then click "Unzip"; it should say
it's unzipped 3 files, then click "OK" on the "3 file(s) unzipped
successfully" dialog box, and click "Close" on the main dialog box.

The subsequent instructions can be found at

http://netgroup-serv.polito.it/winpcap/install/help/95.htm

Follow those instructions; in step 4, you will specify the name of the
directory into which the files were extracted, from above.

NOTE: apparently you must use "old-style" 8.3 file names, not long file
names, here; when I ran the "Packet95.exe" on Windows 2000, the pathname
was an 8.3 file name, not the real long name for the directory in
question - always use the 8.3 name.

Step 6, at the end, says "At this point select OK and reboot the
machine.", with "reboot the machine" in boldface; rebooting the machine
is an important step, as the packet capture driver will *NOT* be
available to applications such as Ethereal until the machine is
rebooted!

> ethereal-0.8.12-capture.zip
> gtk-libs-20000805.zip
> gimp-dev-20001023.zip
> gimp-setup-20001023.zip

There's not much in the way of instructions on the Ethereal Web site
page at

http://www.ethereal.com/distribution/win32/

The page at

http://www.gimp.org/~tml/gimp/win32//downloads-20001023.html

gives instructions on how to install the GIMP - and its libraries -
using the "gimp-setup-20001023.zip" file. It's a Zip archive, so you'll
need an unzip program; it contains only one file, which you run, and
which will install GIMP.

The "gimp-dev-20001023.zip" stuff is, as far as I know, necessary only
if you plan to develop GIMP plugins, or other software using GTK+ and
GLib, e.g. if you plan to add new code to Ethereal. If you only want to
*run* Ethereal or the GIMP, I don't think it's necessary.

However, I don't know whether Ethereal works with the newer versions
(2000-10-23) of the GTK+/GLib libraries; you might want to consider
installing the 2000-08-05 versions instead, as Ethereal is built with
those versions.

To do that, I would suggest making a directory "Ethereal" under
"C:\Program Files", and unzipping the "ethereal-0.8.12-capture.zip" and
"gtk-libs-20000805.zip" files into that directory. This will create an
"ethereal-0.8.12-capture" directory in the "Ethereal" directory; move
all the files from that directory to the "Ethereal" directory, and
remove the "ethereal-0.8.12-capture" directory.

You should now be able to run Ethereal from the "Program Files\Ethereal"
directory; creating a desktop shortcut that runs
"C:\Program Files\Ethereal\ethereal.exe" will let you launch Ethereal
from your desktop.
(no subject) [ In reply to ]
>> Hi,
>>
>> Nice free distro.
>>
>> Quick question, I am running The Ethereal Network Analyzer Version 0.8.13 on
>> Windows NT. I can't save filters. The dialog box seems to be inoperable,
>> please let me know if this is the case.
>>
>
>I also find the interface a bit counter-intuitive.
>
>To get it to work I do the following:
>
>1. Edit the filter name as required.
>2. Edit the filter string as required.
>3. Click New.

4. And then click Save

Why am I so quick on the Send button ?

Graham
Re: (no subject) [ In reply to ]
> Question on ethereal:
>
> Every time I try to save a filter file, it tells me something like "cannot
> save file as ethereal.exe already exists" as if it were trying to overwrite
> ethereal.exe or something. Hence, I cannot save a filter file. Do you know
> why this is? A.

Probably because there's something wrong with the pathname construction
code, at least on Windows.

I didn't have that precise problem; I fired up Ethereal once, added a
new display filter, and it saved it OK, but I then fired it up again,
deleted the new display filter, and when I tried to save it the dialog
box was

Could not save to your display filter file "": File exists.

I also had problems saving capture files.
Re: (no subject) [ In reply to ]
> Probably because there's something wrong with the pathname construction
> code, at least on Windows.
>
> I didn't have that precise problem; I fired up Ethereal once, added a
> new display filter, and it saved it OK, but I then fired it up again,
> deleted the new display filter, and when I tried to save it the dialog
> box was
>
> Could not save to your display filter file "": File exists.

...which may be the result of a bug in the "save_filter_list()" routine,
wherein it stores through a pointer argument a pointer to the pathname
of the filter file it was trying to save, and then frees the pathname
string, so its caller, when it tries to use that pathname in an error
message, may get junk from it.

That wouldn't explain the error, but it would explain the bogus file
name in the dialog box.
Re: (no subject) [ In reply to ]
On Tue, Mar 13, 2001 at 01:17:45PM -0800, Guy Harris wrote:
> > Probably because there's something wrong with the pathname construction
> > code, at least on Windows.
> >
> > I didn't have that precise problem; I fired up Ethereal once, added a
> > new display filter, and it saved it OK, but I then fired it up again,
> > deleted the new display filter, and when I tried to save it the dialog
> > box was
> >
> > Could not save to your display filter file "": File exists.
>
> ...which may be the result of a bug in the "save_filter_list()" routine,
> wherein it stores through a pointer argument a pointer to the pathname
> of the filter file it was trying to save, and then frees the pathname
> string, so its caller, when it tries to use that pathname in an error
> message, may get junk from it.
>
> That wouldn't explain the error, but it would explain the bogus file
> name in the dialog box.

The "File exists" problem is a result of Win32 apparently not having a
UNIX-style atomic rename operation, and "rename()", instead, using
"MoveFile()", which fails, rather than removing the target, if the
target exists.

I've checked in a change that should fix this; it'll show up in the next
release.
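Both problems Guy describes, the callee freeing the pathname it hands back for the error message and rename() failing on Win32 when the target already exists, are avoided in the routine below. This is an added example, not Ethereal's save_filter_list(); the function names, the ".new" temporary suffix and the sample filters are my own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Move tmp over dst. UNIX rename() replaces an existing target atomically;
 * Win32 rename() is built on MoveFile(), which refuses to overwrite, so use
 * MoveFileEx() with MOVEFILE_REPLACE_EXISTING there. (On the Win32 path the
 * failure reason is in GetLastError(), not errno.) */
static int replace_file(const char *tmp, const char *dst)
{
#ifdef _WIN32
    return MoveFileExA(tmp, dst, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
#else
    return rename(tmp, dst);
#endif
}

/* Write `lines` to a temporary file next to `path`, then rename it into
 * place so a crash mid-write never leaves a half-written filter file.
 * Returns 0 on success. On failure returns -1 with errno set and stores in
 * *err_path a heap string naming the file that failed; the CALLER owns that
 * string and frees it after building its error message. (The bug described
 * above was the callee freeing it first, so the dialog printed freed memory.) */
int save_filter_list_safe(const char *path, const char *const *lines,
                          size_t nlines, char **err_path)
{
    size_t plen = strlen(path);
    char *tmp = malloc(plen + 5);          /* path + ".new" + NUL */
    FILE *fp;
    size_t i;
    int saved;
    *err_path = NULL;
    if (tmp == NULL)
        return -1;
    memcpy(tmp, path, plen);
    memcpy(tmp + plen, ".new", 5);
    fp = fopen(tmp, "w");
    if (fp == NULL)
        goto fail_tmp;
    for (i = 0; i < nlines; i++) {
        if (fprintf(fp, "%s\n", lines[i]) < 0) {
            saved = errno;
            fclose(fp);
            errno = saved;
            goto fail_tmp;
        }
    }
    if (fclose(fp) != 0)
        goto fail_tmp;
    if (replace_file(tmp, path) != 0) {
        saved = errno;
        remove(tmp);
        memcpy(tmp, path, plen + 1);       /* report the target, not the temp */
        *err_path = tmp;
        errno = saved;
        return -1;
    }
    free(tmp);
    return 0;
fail_tmp:
    saved = errno;
    remove(tmp);                           /* may not exist yet; harmless */
    *err_path = tmp;                       /* ownership passes to the caller */
    errno = saved;
    return -1;
}

/* Read `path` back and count its lines; -1 if it cannot be opened. */
long count_lines(const char *path)
{
    FILE *fp = fopen(path, "r");
    long n = 0; int c;
    if (fp == NULL)
        return -1;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n')
            n++;
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed sample display filters, in Ethereal's dfilters layout */
    const char *filters[] = { "\"Not ARP\" !arp", "\"Web\" tcp.port == 80" };
    char *err = NULL;
    if (save_filter_list_safe("dfilters.example", filters, 2, &err) != 0) {
        fprintf(stderr, "Could not save to your display filter file \"%s\": %s\n",
                err ? err : "", strerror(errno));
        free(err);                         /* caller frees, after the message */
        return 1;
    }
    printf("saved %ld filter(s)\n", count_lines("dfilters.example"));
    return 0;
}
```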
RE: (no subject) [ In reply to ]
> Jessé A Amâncio
>
> BRASIL: Uma distribuição de renda justa para um país melhor.
>
> BRAZIL: A fair wealth distribution to make a better country.

I'm having problems with this as well.

Ethereal will not parse the fragment above,
and I can't figure out how to capture filters
to avoid seeing more frames like this.

- jeff parker
- axiowave.com
RE: (no subject) [ In reply to ]
From: Ketan P Pancholi [mailto:pancholi@us.ibm.com]
Sent: Friday, July 20, 2001 4:13 PM

> I downloaded the binary files for ethereal, gtk+, glib and libpcap from
> the aix web site. I installed them using smit. The ethereal is now
> installed but I do not know how do I start using ethereal, what commands
> I should use? I have only three files for ethereal,
> ethereal-0.8.11.0.bff
> ethereal-0.8.11.0.bff.asc
> and
> ethereal-0.8.11.0.exe
>
> Can anyone please help?

That version is very old. I suggest that you go to
www.ethereal.com/distribution/win32 to download the
win32-README.txt and ethereal-setup-0.8.19.exe.
This executable will do the install for you. Be sure
to read win32-README.txt because you will have to
install WinPcap to capture traffic on your network.

Jeff Foster
jfoste@woodward.com

Re: (no subject) [ In reply to ]
> That version is very old. I suggest that you go to
> www.ethereal.com/distribution/win32

Don't be fooled by the ".exe" - for some reason, either IBM or the folks
maintaining the archive of binary packages for AIX stick ".exe" at the
end of the file name of UNIX-by-God executables. (Well, AIX
executables, anyway.)

I.e., he's running AIX, not Windows, as per

> I downloaded the binary files for ethereal,gtk+,glib
> and libpcap from the aix web site.

and

> I installed them using smit.
                         ^^^^
I vaguely remember seeing some indication on that site that the ".exe"
files are binaries you run to install the software (speaking of "shades
of Windows"...); I assume from

> The ethereal is now installed

that he's already run the file and gotten Ethereal installed. (If not,
he should read the directions on the site, which presumably tell you
what to do with the ".exe" file).

After that, well, he should go to

http://www.ns.aus.com/ethereal/user-guide/book1.html

and start reading (it's even for 0.8.11...).

I don't know if any more recent versions of Ethereal are available in
binary form for AIX; if not, if he wants to run a newer version, he'll
have to get the source and compile it.

(Richard, should we put a link to the User's Guide on the Ethereal site,
or would that end up /.-ing your site? Should we put the user's guide on
the Ethereal site itself at some point, now that its source appears to
be in the ethereal-doc CVS tree?)
Re: (no subject) [ In reply to ]
Download and install:

http://www.microsoft.com/windows/downloads/bin/W95ws2setup.exe

Regards,



Schmidt Wolfgang wrote:

> Hello,
>
> I want to install the newest Ethereal software under Windows95.
>
> The system always tells me that it cannot find ws2_32.dll.
>
> What can I do?
>
> +-------------------------------------+
> Wolfgang Schmidt
> Siemens AG, I&S MPEC, Erlangen, Germany
> Voice: +49-9131/7-44020, Fax: /8835 44020
> eMail: Wolfgang.Schmidt@erl9.siemens.de
> LFE Mailadresse: Wolfgang.ws.Schmidt@siemens.com
> +-------------------------------------+
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-users
Re: (no subject) [ In reply to ]
> Hi, I can't seem to get a copy of the packet capture driver as the link
> this refers to cannot connect to netgroup-serv.polito.it. Is there a
> different place I can get a copy of the packet capture driver?

The WinPcap Web site is mirrored at

http://www.wiretapped.net/security/packet-capture/winpcap/default.htm
RE: (no subject) [ In reply to ]
> all pages and directories under bammalammadingalong are
> written in English but are gibberish.

Not at all what I would expect under bammalammadingalong.

Were it bammalammadingdong, it would be understandable
Re: (no subject) [ In reply to ]
> When using the Ethereal Capture screen the default entry is able to
> provide stats on the network, I want to specify an interface but cannot
> seem to submit a proper entry.
>
> What is the structure of a valid entry for this field?

It's a string.

What the valid strings are depends on the OS on which you're running.

On most UNIXes, "ifconfig -a" should show you the list of interfaces,
although not all of those interfaces will necessarily support packet
capture (e.g., you can't capture on loopback devices such as "lo0" on
SunOS 5.x).

The "Interface" field is a combo box; selecting the arrow-pointing-down
widget next to the text box should drop down a list of all the
interfaces that Ethereal knows about and that it can open for capturing.
RE: (no subject) [ In reply to ]
There are many good books on TCP/IP, and I'm sure people will suggest their
own favorites, but the RFCs have everything you really need to know and
they're free.
Do a web search for:
RFC791.txt for IP
RFC768.txt for UDP
RFC793.txt for TCP

I found them at http://ns.utcru.sk/pub/doc/rfc/

For a useful-looking introduction try
ftp://rtfm.mit.edu/pub/net/internet.text


-----Original Message-----
From: Douglas R. Pilot [mailto:dpilot@svsu.org]
Sent: Monday, March 11, 2002 8:24 PM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have another question. I have looked through the user guide. It tells
you all the stuff you can do but no basics on how to interpret the data that
is captured. Where can I find a step by step tutorial on how to interpret
everything I see in each pane? Some are easy like IP address etc but some
are more difficult. I read an article about IDS signatures and it talked
about the SYN and FIN flags. I have no idea where to look for these.

thanks


Douglas R. Pilot
Computer Instructor,
Shaftsbury Elementary School
dpilot@svsu.org






Re: (no subject) [ In reply to ]
Rick, Guy,

Sorry. I have no router. My box is directly connected
to the cablemodem. Before, I was only trying to imply
that I was the only user connected to a hub, which was
connected to a router to which another hub was
connected to which other users were connected,
something like this:

MyBox->Cablemodem->tvCable->Hub->Router
...and from that same Router:
Router->Hub->tvCable->OtherCableModemsInMySubnet
...so, if it is true that I am the only one in my area
(on the local cablemodem "hub", wherever it is), and
that hub was connected to a Router, which was
connected to other hubs, each of which was connected
to zero or more Cablemodems, would that explain the
results I sent in my original email?

John



--- Rick Farina <farinard@muohio.edu> wrote:
> Okay, here is how it breaks down... all of those addresses on your subnet
> look different to me. What that tells me is that there is no router between
> you and the rest of the people on your subnet. However, what you said in
> your first email implies that you have a router. I'm with Guy, do you have a
> router in your house? What is the EXACT internal network configuration?
>
> Cablemodem -> Cisco XXX router -> RH7.2 box?
>
> Second of all, type this right now.
>
> "rpm -ev `rpm -qa | grep ethereal`"
>
> Then go to www.ethereal.com and download the newest version (rpm if you
> like... I'd actually suggest it)
>
> Then try this all again.... could be a bug in the ANCIENT ethereal you are
> running.
>
> -Rick Farina
>
>
>
> ----- Original Message -----
> From: "John E. Mayorga" <jmayorga5@yahoo.com>
> To: "Rick Farina" <farinard@muohio.edu>
> Cc: <ethereal-users@ethereal.com>
> Sent: Sunday, April 21, 2002 18:58
> Subject: Re: [Ethereal-users] (no subject)
>
>
> Rick,
>
> I installed arping and created a little script to run through the subnet.
> Here is the output:
>
> ARPING 24.127.52.1 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54] 8.803ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.2 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F] 9.601ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.3 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.3 [00:04:5A:41:2C:F3] 51.540ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.4 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.4 [00:02:E3:03:C4:E0] 9.096ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.5 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.5 [00:10:4C:12:30:1E] 9.515ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.6 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.6 [00:03:47:DB:D7:13] 31.087ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.7 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.7 [00:00:C5:3C:9A:32] 12.555ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.8 from 24.127.52.10 eth0
> Sent 1 probes (1 broadcast(s))
> Received 0 response(s)
>
> ...
>
> These MACs are different than the ones reported before by hunt and ethereal.
> Is it that all my traffic is coming through the router, even that of the
> other members of my subnet, so other programs are reporting the router's
> MAC?
>
> John
>
>
> --- Rick Farina <farinard@muohio.edu> wrote:
> > A good way to properly search for MAC's is "arping"
> > http://freshmeat.net/projects/arping/?topic_id=150
> > I suggest you use that to find MAC's..... however, an important fact is
> > that anything outside of your router will have the MAC address of your
> > router (ARP is not routed). Are all of those addresses on your side of the
> > router? or are they on the other side. That is the most obvious conclusion
> > that I have (besides foul play). Let me know if that's it.... otherwise, we
> > can try to diagnose possible foul play. ;-)
> >
> > -Rick Farina
> > ----- Original Message -----
> > From: "John E. Mayorga" <jmayorga5@yahoo.com>
> > To: <ethereal-users@ethereal.com>
> > Sent: Sunday, April 21, 2002 16:35
> > Subject: [Ethereal-users] (no subject)
> >
> >
> > I'm on at&t @home service, and I've noticed some strangeness in my subnet
> > that I can't explain. I'm sure someone here will know an obvious reason,
> > so here it goes.
> >
> > I'm running on Red Hat 7.2 with an updated kernel from Red Hat. Here is
> > the output from "uname -a":
> >
> > Linux ldap.athlon.com 2.4.9-31 #1 Tue Feb 26 06:23:51 EST 2002 i686 unknown
> >
> > The results were gathered from three tools:
> > hunt 1.5 - for gathering MAC addresses
> > nmap V. 2.54BETA22 - for getting a response from members of my subnet
> > ethereal 0.8.18 - general sniffing
> >
> > OK, so here's the "thing" - everybody on my subnet has the same MAC
> > address, including my router. Yow! Something I'm doing wrong, right? Well,
> > let's see:
> >
> > First, I fire up hunt and tell it to collect MAC addresses. While hunt is
> > doing its job, I run "nmap -sP 24.127.52.*". Hunt reports the following
> > while running:
> >
> > ARP: MAC src != ARP src for host 24.127.52.3
> > ARP: MAC src != ARP src for host 24.127.52.4
> > ARP: MAC src != ARP src for host 24.127.52.5
> > ARP: MAC src != ARP src for host 24.127.52.6
> > ARP: MAC src != ARP src for host 24.127.52.7
> > ARP: MAC src != ARP src for host 24.127.52.8
> > ARP: MAC src != ARP src for host 24.127.52.9
> > ARP: MAC src != ARP src for host 24.127.52.11
> > ARP: MAC src != ARP src for host 24.127.52.12
> > ARP: MAC src != ARP src for host 24.127.52.16
> > ARP: MAC src != ARP src for host 24.127.52.17
> > ARP: MAC src != ARP src for host 24.127.52.20
> > ARP: MAC src != ARP src for host 24.127.52.21
> > ARP: MAC src != ARP src for host 24.127.52.22
> > ARP: MAC src != ARP src for host 24.127.52.23
> > ARP: MAC src != ARP src for host 24.127.52.24
> > ARP: MAC src != ARP src for host 24.127.52.26
> > ARP: MAC src != ARP src for host 24.127.52.29
> > ARP: MAC src != ARP src for host 24.127.52.47
> > ARP: MAC src != ARP src for host 24.127.52.48
> > ARP: MAC src != ARP src for host 24.127.52.49
> > ARP: MAC src != ARP src for host 24.127.52.51
> > ARP: MAC src != ARP src for host 24.127.52.52
> > ARP: MAC src != ARP src for host 24.127.52.53
> > ARP: MAC src != ARP src for host 24.127.52.55
> > ARP: MAC src != ARP src for host 24.127.52.57
> > ARP: MAC src != ARP src for host 24.127.52.58
> > ARP: MAC src != ARP src for host 24.127.52.60
> > ARP: MAC src != ARP src for host 24.127.52.61
> > ARP: MAC src != ARP src for host 24.127.52.62
> > ARP: MAC src != ARP src for host 24.127.52.64
> > ARP: MAC src != ARP src for host 24.127.52.65
> > ARP: MAC src != ARP src for host 24.127.52.31
> > ARP: MAC src != ARP src for host 24.127.52.33
> > ARP: MAC src != ARP src for host 24.127.52.37
> > ARP: MAC src != ARP src for host 24.127.52.38
> > ARP: MAC src != ARP src for host 24.127.52.39
> > ARP: MAC src != ARP src for host 24.127.52.67
> > ARP: MAC src != ARP src for host 24.127.52.68
> > ARP: MAC src != ARP src for host 24.127.52.69
> > ARP: MAC src != ARP src for host 24.127.52.70
> > ARP: MAC src != ARP src for host 24.127.52.72
> > ARP: MAC src != ARP src for host 24.127.52.74
> > ARP: MAC src != ARP src for host 24.127.52.75
> > ARP: MAC src != ARP src for host 24.127.52.78
> > ARP: MAC src != ARP src for host 24.127.52.41
> > ARP: MAC src != ARP src for host 24.127.52.42
> > ARP: MAC src != ARP src for host 24.127.52.44
> > ARP: MAC src != ARP src for host 24.127.52.80
> > ARP: MAC src != ARP src for host 24.127.52.82
> > ARP: MAC src != ARP src for host 24.127.52.85
> > ARP: MAC src != ARP src for host 24.127.52.86
> > ARP: MAC src != ARP src for host 24.127.52.87
> > ARP: MAC src != ARP src for host 24.127.52.88
> > ARP: MAC src != ARP src for host 24.127.52.89
> > ARP: MAC src != ARP src for host 24.127.52.90
> > ARP: MAC src != ARP src for host 24.127.52.91
> > ARP: MAC src != ARP src for host 24.127.52.92
> > ARP: MAC src != ARP src for host 24.127.52.93
> > ARP: MAC src != ARP src for host 24.127.52.95
> > ARP: MAC src != ARP src for host 24.127.52.97
> > ARP: MAC src != ARP src for host 24.127.52.98
> > ARP: MAC src != ARP src for host 24.127.52.99
> > ARP: MAC src != ARP src for host 24.127.52.100
> > ARP: MAC src != ARP src for host 24.127.52.101
> > ARP: MAC src != ARP src for host 24.127.52.103
> > ARP: MAC src != ARP src for host 24.127.52.105
> > ARP: MAC src != ARP src for host 24.127.52.107
> > ARP: MAC src != ARP src for host 24.127.52.108
> > ARP: MAC src != ARP src for host 24.127.52.109
> > ARP: MAC src != ARP src for host 24.127.52.110
> > ARP: MAC src != ARP src for host 24.127.52.111
> > ARP: MAC src != ARP src for host 24.127.52.114
> > ARP: MAC src != ARP src for host 24.127.52.115
> > ARP: MAC src != ARP src for host 24.127.52.116
> > ARP: MAC src != ARP src for host 24.127.52.117
> > ARP: MAC src != ARP src for host 24.127.52.118
> > ARP: MAC src != ARP src for host 24.127.52.119
> > ARP: MAC src != ARP src for host 24.127.52.120
> > ARP: MAC src != ARP src for host 24.127.52.121
> > ARP: MAC src != ARP src for host 24.127.52.122
> > ARP: MAC src != ARP src for host 24.127.52.123
> > ARP: MAC src != ARP src for host 24.127.52.124
> > ARP: MAC src != ARP src for host 24.127.52.125
> > ARP: MAC src != ARP src for host 24.127.52.126
> > ARP: MAC src != ARP src for host 24.127.52.130
> > ARP: MAC src != ARP src for host 24.127.52.131
> > ARP: MAC src != ARP src for host 24.127.52.133
> > ARP: MAC src != ARP src for host 24.127.52.134
> > ARP: MAC src != ARP src for host 24.127.52.136
> > ARP: MAC src != ARP src for host 24.127.52.142
> > ARP: MAC src != ARP src for host 24.127.52.146
> > ARP: MAC src != ARP src for host 24.127.52.149
> > ARP: MAC src != ARP src for host 24.127.52.151
> > ARP: MAC src != ARP src for host 24.127.52.155
> > ARP: MAC src != ARP src for host 24.127.52.156
> > ARP: MAC src != ARP src for host 24.127.52.157
> > ARP: MAC src != ARP src for host 24.127.52.158
> > ARP: MAC src != ARP src for host 24.127.52.159
> > ARP: MAC src != ARP src for host 24.127.52.160
> > ARP: MAC src != ARP src for host 24.127.52.161
> > ARP: MAC src != ARP src for host 24.127.52.163
> > ARP: MAC src != ARP src for host 24.127.52.165
> > ARP: MAC src != ARP src for host 24.127.52.166
> > ARP: MAC src != ARP src for host 24.127.52.167
> > ARP: MAC src != ARP src for host 24.127.52.168
> > ARP: MAC src != ARP src for host 24.127.52.172
> > ARP: MAC src != ARP src for host 24.127.52.173
> > ARP: MAC src != ARP src for host 24.127.52.176
> > ARP: MAC src != ARP src for host 24.127.52.177
> > ARP: MAC src != ARP src for host 24.127.52.178
> > ARP: MAC src != ARP src for host 24.127.52.179
> > ARP: MAC src != ARP src for host 24.127.52.180
> > ARP: MAC src != ARP src for host 24.127.52.181
> > ARP: MAC src != ARP src for host 24.127.52.182
> > ARP: MAC src != ARP src for host 24.127.52.183
> > ARP: MAC src != ARP src for host 24.127.52.184
> > ARP: MAC src != ARP src for host 24.127.52.185
> > ARP: MAC src != ARP src for host 24.127.52.186
> > ARP: MAC src != ARP src for host 24.127.52.187
> > ARP: MAC src != ARP src for host 24.127.52.189
> > ARP: MAC src != ARP src for host 24.127.52.190
> > ARP: MAC src != ARP src for host 24.127.52.191
> > ARP: MAC src != ARP src for host 24.127.52.192
> > ARP: MAC src != ARP src for host 24.127.52.193
> > ARP: MAC src != ARP src for host 24.127.52.196
> > ARP: MAC src != ARP src for host 24.127.52.197
> > ARP: MAC src != ARP src for host 24.127.52.199
> > ARP: MAC src != ARP src for host 24.127.52.200
> > ARP: MAC src != ARP src for host 24.127.52.203
> > ARP: MAC src != ARP src for host 24.127.52.204
> > ARP: MAC src != ARP src for host 24.127.52.205
> > ARP: MAC src != ARP src for host 24.127.52.206
> > ARP: MAC src != ARP src for host 24.127.52.208
> > ARP: MAC src != ARP src for host 24.127.52.209
> > ARP: MAC src != ARP src for host 24.127.52.211
> > ARP: MAC src != ARP src for host 24.127.52.212
> > ARP: MAC src != ARP src for host 24.127.52.215
> > ARP: MAC src != ARP src for host 24.127.52.216
> > ARP: MAC src != ARP src for host 24.127.52.217
> > ARP: MAC src != ARP src for host 24.127.52.218
> > ARP: MAC src != ARP src for host 24.127.52.219
> > ARP: MAC src != ARP src for host 24.127.52.221
> > ARP: MAC src != ARP src for host 24.127.52.224
> > ARP: MAC src != ARP src for host 24.127.52.228
> > ARP: MAC src != ARP src for host 24.127.52.232
> > ARP: MAC src != ARP src for host 24.127.52.235
> > ARP: MAC src != ARP src for host 24.127.52.236
> > ARP: MAC src != ARP src for host 24.127.52.237
> > ARP: MAC src != ARP src for host 24.127.52.239
> > ARP: MAC src != ARP src for host 24.127.52.240
> > ARP: MAC src != ARP src for host 24.127.52.241
> > ARP: MAC src != ARP src for host 24.127.52.242
> > ARP: MAC src != ARP src for host 24.127.52.249
> > ARP: MAC src != ARP src for host 24.127.52.250
> > ARP: MAC src != ARP src for host 24.127.52.252
> > ARP: MAC src != ARP src for host 24.127.52.254
> > ARP: MAC src != ARP src for host 24.127.52.255
> >
> > I then tell hunt to report the collected MAC
> > addresses:
> >
> > --- mac table ---
> > 10.127.52.1 00:B0:8E:F7:3C:54
> > 24.127.52.1 00:B0:8E:F7:3C:54
> > 24.127.52.10 00:01:02:84:77:E2
> >
> > If I then poke through ethereal, any responses (mostly http responses)
> > give the "Ethernet II" source MAC of the router (and it resolves to the
> > router's IP on the same line), and gives the "Internet Protocol" Source:
> > as the responding machine.
> >
> > Helpful hints: It was explained to me during the installation that I was
> > the only one on my segment, which is believable, considering my location.
> > My network mask is: 255.255.254.0
> >
> > The answer is sure to be staring me in the face, so any slaps upside the
> > head will be welcome. Can anyone tell me how to properly collect MAC
> > addresses?
> >
> > Thanx,
> >
> > John
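Both observations in this thread, hunt's "MAC src != ARP src" warning and a whole subnet answering with the router's MAC, come down to comparing two fields of each ARP reply. The following is an added example, not code from the thread, hunt or Ethereal: it parses constructed ARP reply frames built from the router and host addresses quoted above, applies hunt's Ethernet-source versus ARP-sender check, and counts how many IPs claim one MAC; the function names are assumptions of mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14
#define ARP_LEN       28
#define ETHERTYPE_ARP 0x0806
#define ARP_REPLY     2
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

struct arp_info {
    uint8_t  eth_src[6];  /* Ethernet II source (the field Ethereal showed) */
    uint8_t  sha[6];      /* ARP sender hardware address (what hunt/arping record) */
    uint32_t spa;         /* ARP sender IPv4 address, host byte order */
    uint16_t oper;        /* 1 = request, 2 = reply */
};

/* Parse an Ethernet II frame carrying IPv4 ARP. Returns 0 on success, -1 if
 * the frame is too short or is not Ethernet/IPv4 ARP. */
int parse_arp(const uint8_t *frame, size_t len, struct arp_info *out)
{
    const uint8_t *arp;
    if (len < ETH_HLEN + ARP_LEN || ((frame[12] << 8) | frame[13]) != ETHERTYPE_ARP)
        return -1;
    arp = frame + ETH_HLEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4)
        return -1;
    memcpy(out->eth_src, frame + 6, 6);
    out->oper = (uint16_t)((arp[6] << 8) | arp[7]);
    memcpy(out->sha, arp + 8, 6);
    out->spa = IPV4(arp[14], arp[15], arp[16], arp[17]);
    return 0;
}

/* hunt's check: 1 when the Ethernet source differs from the ARP sender
 * hardware address, 0 when they agree. */
int arp_src_mismatch(const struct arp_info *a)
{
    return memcmp(a->eth_src, a->sha, 6) != 0;
}

/* Distinct sender IPs whose ARP replies carry `mac`. A whole subnet, gateway
 * included, answering with one MAC is the proxy-ARP picture from this thread;
 * one or two extra IPs claiming a neighbour's MAC is what deserves a closer look. */
size_t ips_claiming_mac(const struct arp_info *replies, size_t n,
                        const uint8_t mac[6])
{
    size_t i, j, count = 0;
    for (i = 0; i < n; i++) {
        int seen = 0;
        if (replies[i].oper != ARP_REPLY || memcmp(replies[i].sha, mac, 6) != 0)
            continue;
        for (j = 0; j < i; j++)
            if (replies[j].spa == replies[i].spa &&
                memcmp(replies[j].sha, mac, 6) == 0) {
                seen = 1;
                break;
            }
        if (!seen)
            count++;
    }
    return count;
}

/* Build a constructed ARP reply (test input, not captured traffic) addressed
 * to John's box, 24.127.52.10 / 00:01:02:84:77:E2 in hunt's mac table above. */
size_t build_arp_reply(uint8_t *buf, const uint8_t eth_src[6],
                       const uint8_t sha[6], uint32_t spa)
{
    static const uint8_t me[6]  = {0x00, 0x01, 0x02, 0x84, 0x77, 0xE2};
    static const uint8_t hdr[8] = {0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, ARP_REPLY};
    memset(buf, 0, ETH_HLEN + ARP_LEN);
    memcpy(buf, me, 6);                    /* destination MAC */
    memcpy(buf + 6, eth_src, 6);           /* Ethernet source MAC */
    buf[12] = 0x08; buf[13] = 0x06;        /* EtherType ARP */
    memcpy(buf + 14, hdr, 8);              /* htype, ptype, hlen, plen, oper */
    memcpy(buf + 22, sha, 6);              /* sender hardware address */
    buf[28] = (uint8_t)(spa >> 24); buf[29] = (uint8_t)(spa >> 16);
    buf[30] = (uint8_t)(spa >> 8);  buf[31] = (uint8_t)spa;
    memcpy(buf + 34, me, 6);               /* target hardware address */
    buf[38] = 24; buf[39] = 127; buf[40] = 52; buf[41] = 10;   /* target IP */
    return ETH_HLEN + ARP_LEN;
}

int main(void)
{
    const uint8_t router[6] = {0x00, 0xB0, 0x8E, 0xF7, 0x3C, 0x54}; /* 24.127.52.1 */
    const uint8_t host3[6]  = {0x00, 0x04, 0x5A, 0x41, 0x2C, 0xF3}; /* arping's .3 */
    uint8_t f[ETH_HLEN + ARP_LEN];
    struct arp_info a[2];
    parse_arp(f, build_arp_reply(f, router, router, IPV4(24, 127, 52, 1)), &a[0]);
    parse_arp(f, build_arp_reply(f, router, host3, IPV4(24, 127, 52, 3)), &a[1]);
    printf("mismatch .1=%d .3=%d, IPs claiming router MAC=%zu\n",
           arp_src_mismatch(&a[0]), arp_src_mismatch(&a[1]),
           ips_claiming_mac(a, 2, router));
    return 0;
}
```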
Re: (no subject) [ In reply to ]
tushar nerurkar wrote:

>> In short, is there any cli command equivalent to the File--> Print (
>> to a file and summary output--plain text format) of the GUI version.
>
> I am working in windows environment.

Look at tethereal's '-V' option.

Regards,

Marco.
Re: (no subject) [ In reply to ]
On Tue, May 28, 2002 at 01:00:53PM -0000, tushar nerurkar wrote:
> In short, is there any cli command equivalent to the File-->
> Print ( to a file and summary output--plain text format) of the
> GUI version.

The command is

tethereal -r {capture file name} >{text file name}

where "{capture file name}" is the name of the capture file you're
reading, and "{text file name}" is the name of the file to which you
want the text output to be written.

That will write the summary output (one line per packet). If you want
the detailed output, then, as noted by another poster, use the "-V"
flag:

tethereal -V -r {capture file name} >{text file name}
Re: (no subject) [ In reply to ]
On Fri, Jul 26, 2002 at 07:19:11PM -0600, Muguira, Maritza R wrote:
> I'm using version 0.9.5 and trying to decode with iscsi but I don't see it
> in the list of protocols to choose from. Shouldn't iscsi be there?

No, because its dissector is a "heuristic" dissector - i.e., Ethereal
doesn't recognize iSCSI traffic based on the port number, it recognizes
it based on whether the iSCSI dissector thinks a packet contains iSCSI
traffic or not.

> Is there some way to decode with iscsi?

Yes - get a capture that contains iSCSI traffic that the iSCSI dissector
recognizes as such.

If you have a capture with iSCSI traffic that's *not* being dissected as
iSCSI, you'd have to send us the capture (or send Mark Burton, the
author of the iSCSI dissector, the capture) so we (or he) can figure out
why the iSCSI dissector isn't recognizing the traffic as iSCSI.
RE: (no subject) [ In reply to ]
> On Fri, Jul 26, 2002 at 07:19:11PM -0600, Muguira, Maritza R wrote:
> > I'm using version 0.9.5 and trying to decode with iscsi but I don't see it
> > in the list of protocols to choose from. Shouldn't iscsi be there?

> No, because its dissector is a "heuristic" dissector - i.e., Ethereal
> doesn't recognize iSCSI traffic based on the port number, it recognizes
> it based on whether the iSCSI dissector thinks a packet contains iSCSI
> traffic or not.

I understand that it doesn't recognize it as iSCSI when I first read in the
capture file because we are using a different port number. However, I
thought I could force it to "Decode As" whatever protocol I wanted. But,
iSCSI does not appear in my "Decode As" list.

Thank you for assistance,
Maritza Muguira
RE: (No Subject) [ In reply to ]
Ade,

> Is there a way to configure filters to support trigger
> operation i.e. capturing only interesting packets? I know
> etherreal does not have a native trigger function but perhaps
> there is a way to modify filters to act as triggers.

I'm not quite sure what you mean by "trigger".
* If your "interesting" trigger can be described using a capture filter
(using the tcpdump syntax), then yes. Read the tcpdump man page for more on
capture filters.


* If your "interesting" trigger can be described using a display filter,
then when you set up your trace select the best capture filter you can. Also
select "update packet list in real time". When the trace begins enter your
display filter and click apply. Ethereal will then only display your
interesting traffic. Read the ethereal documentation for more on display
filters.

* If your capture filter is too broad for Ethereal to keep up with holding
all this in memory, you can try using tethereal with the -R flag to do
pretty much the same thing, except you can only look at the trace
afterwards.
tethereal -f "ip host 1.2.3.4" -R "icmp" -w splat.trc
If you want to check the data without stopping the trace, then use the "Use
Ring Buffer" option with a suitable capture file rotation speed. Then run
the above command on the traces that

* If your "interesting" trigger can't be described using a display filter,
you're still not shot. With a bit of Perl you can scan the output of tethereal
-V or tethereal -x, and then decide which frames are "interesting". Then use
editcap to select only those frames.

HTH

Alistair

PS A subject heading would have been nice.


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services PLC, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.
Re: (No Subject) [ In reply to ]
On Wed, Aug 14, 2002 at 10:35:28PM +0100, Alistair.McGlinchy@marks-and-spencer.com wrote:
> I'm not quite sure what you mean by "trigger".

I assume by "trigger" he means what it means (from what I remember) in
some other packet analyzers, namely a Boolean expression that tests the
contents of packets, and that causes packets to start to be saved when a
packet for which the expression is true is seen.

That would be used in a case where "interesting" traffic is defined as
"traffic following a packet of a particular type".
RE: (No Subject) [ In reply to ]
Guy, Ade et al,

> -----Original Message-----
> From: Guy Harris [mailto:guy@netapp.com]
> On Wed, Aug 14, 2002 at 10:35:28PM +0100,
> Alistair.McGlinchy@marks-and-spencer.com wrote:
> > I'm not quite sure what you mean by "trigger".
>
> I assume by "trigger" he means what it means (from what I
> remember) in some other packet analyzers, namely a Boolean
> expression that tests the contents of packets, and that
> causes packets to start to be saved when a packet for which
> the expression is true is seen.

Ah..., I see the problem. Although I've never wanted this in the past I can
see it has its uses. Being the tethereal/perl fan that I am, I've worked up
a skeleton script which can parse tethereal -x and provide a hook into
almost any boolean expression you'd like.

Suppose you wanted to find which user opened a certain file on an NT file
server. You set up a trace of all traffic to the server using a ring buffer.
When each ring buffer file is complete you parse the output of tethereal -x
on the file to see if the text "weird_application.exe" was in a SMB frame.
If found, then you editcap out the good stuff.

Not exactly elegant. But it solves the problem without resorting to
kilo-dollar software :-)


Alistair,
# Thoroughly under-tested and unsupported code follows

use strict;
use warnings;
# Usage: tethereal -x -r <infile> | perl find_trigger.pl
# Prints the correct editcap command to extract the required traffic
# Intended for illustrative purposes only

$/ = "\n\n"; # Use two hard returns as record delimiter

my $trigger_found = 0;

while (<>) {
    # First record is the one-line packet summary; its first field is the frame number
    my ($frame_no) = split ' ';
    # Second record is the hex dump of that frame (tethereal -x output)
    $_ = <>;
    last unless defined $_;
    # Raw bytes of the frame, rebuilt from the two-digit hex columns
    my $all_bytes = pack 'C*', map { hex } /\b([0-9a-f]{2})\b/gm;
    # The printable-ASCII column starts at character 56 of each hex dump line
    my $printable_ascii = join "", map { substr($_, 56) } split /\n/;

    if (!$trigger_found and
        # I can find a sub string
        $printable_ascii =~ /what I am looking for/
        # or
        # the second 100 bytes are all 1's
        # substr($all_bytes, 100, 100) eq "\xff" x 100
    ) {
        $trigger_found = $frame_no;
    } elsif ($trigger_found and $printable_ascii =~ /All is cool now/) {
        # -r keeps only the listed frames: trigger frame through this one
        print "Run: editcap -r <infile> <outfile> $trigger_found-$frame_no\n";
        exit 0;
    }
}
if ($trigger_found) {
    # No stop criteria seen: drop everything before the trigger frame
    print "Run: editcap <infile> <outfile> 1-$trigger_found\n";
} else {
    die "Error: Start criteria not found\n";
}


RE: (no subject) [ In reply to ]
A quick way is to use the Display Filter to only display the packets you
are interested in. Then choose Protocol Hierarchy Statistics from the
Tools menu. It will total up all the packets in the display under the
Frame category



Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670 Mobile: +61-411-254-513
Fax: +61-2-9022-1800 E-mail: martin.visserAThp.com




-----Original Message-----
From: Eugene Korolev [mailto:korolev@lastbit.com]
Sent: Friday, 30 August 2002 3:01 PM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


Hi, All!

I write an application that uses low-level NetBIOS packets. When
I send NetBIOS Session Message Packet Request (NBS request), I receive
NetBIOS Session Message Packet Response (NBS response). The NBS response
consists of several parts (the first response packet + NBS Continual
Message Packets). It seems that Ethereal detects all NBS packets
correctly. What is a method to detect the total amount of NBS Continual
Message Packets or the total size (in bytes) of these packets?

NetBIOS Session Service
Message Type: Session message
Flags: 0x00
Length: 2920
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 20
Time from request: 0.452407000 seconds
SMB Command: Transaction (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x98
Flags2: 0x0003
Reserved: 000000000000000000000000
Tree ID: 36866
Process ID: 1300
User ID: 61441
Multiplex ID: 0
Transaction Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 12
Total Data Count: 6560
Reserved: 0000
Parameter Count: 12
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 2852
Data Offset: 68
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 2865
Padding: 00
SMB Pipe Protocol
Microsoft Windows Lanman Remote API Protocol
Function Code: NetUserEnum2 (131)
Status: Success (0)
Convert: 58944
Doubleword Param: 724647 (0x000B0EA7)
Entry Count: 83
Word Param: 83 (0x0053)
Entries
.....................
[Unreassembled Packet: LANMAN]

Eugene Korolev.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
Re: (no subject) [ In reply to ]
Hi, Martin Visser!

Thank you very much for your reply. But I develop my own application
with NetBIOS low-level packets. I use Ethereal as a tool for analyzing
captured packets. My question is not about using Ethereal as a user. I want to
know the technical details of how Ethereal detects that NetBIOS Session Message
packets are unreassembled.

Eugene Korolev.

Re: (no subject) [ In reply to ]
On Fri, Aug 30, 2002 at 11:47:14AM +0400, Eugene Korolev wrote:
> Thank you very much for your reply. But I develop my own application
> with NetBIOS low-level packets. I use Ethereal as a tool for analyzing
> captured packets. My question is not about using Ethereal as a user. I want to
> know the technical details of how Ethereal detects that NetBIOS Session Message
> packets are unreassembled.

It detects it by

1) having a mechanism that catches attempts by a dissector to
fetch data past the end of a packet;

2) in some cases, reporting that as an unreassembled packet;

3) naively assuming that NetBIOS session messages fit entirely
within one frame. :-)

(I.e., there's no code specific to the NetBIOS dissector to detect
that.)
Re: (no subject) [ In reply to ]
Hello, Guy Harris!

Should I wait for other packets if a NetBIOS Session Message was
reassembled with a truncated end? Do you know other methods to detect the
total number of NetBIOS Session Message Response packets? What method is
used by Windows?


Eugene

Re: (no subject) [ In reply to ]
On Fri, Aug 30, 2002 at 02:25:46AM -0700, Guy Harris wrote:
> (I.e., there's no code specific to the NetBIOS dissector to detect
> that.)

...except that the "NetBIOS" dissector, in the sense of the NetBIOS
frame protocol dissector, isn't what's being used here; this
is NetBIOS-over-TCP.

The answer is similar in this case, except that 3) is

3) not having TCP desegmentation enabled.

If you enable TCP desegmentation by selecting the "Preferences" item
from the "Edit" menu, opening the "Protocols" item on the left-hand side
of the dialog box, selecting "TCP", turning "Allow subdissector to
desegment TCP streams", and clicking "OK", the session message packets
should be reassembled for you by Ethereal.

If you want to do that in *your* application, you need to write code to
read the NetBIOS-over-TCP session service header (and don't assume that
you will get all of the data in the header in one read call; TCP doesn't
guarantee that), extract the message length from the header, and then
read that many bytes (again, don't assume you'll get all that data in
one read call).
Re: (no subject) [ In reply to ]
My application reads the NetBIOS header and builds a full NetBIOS packet from
fragmented parts. However the NBSS Continuation packet is not included in the
NetBIOS Session Message packet. I attached a file dump for Ethereal to the
email. Please see frames 22,23,24. The NetBIOS packet at the 22nd frame consists
of a single part according to the length indicated in its header, but it
seems that the following packets 23,24 contain additional data for the 22nd
frame.

Re: (no subject) [ In reply to ]
On Fri, Aug 30, 2002 at 03:25:14PM +0400, Eugene Korolev wrote:
> My application reads Netbios header and builds a full netbios packet from
> fragmented parts. However NBSS Continual packet is not included into the
> Netbios Session Messages packet. I attached a file dump for ethereal to the
> email. Please see frames 22,23,24. Netbios packet at the 22nd frame consists
> of the single part according to the length indicated in its header,

Actually, when I run Ethereal on it, the header is displayed for frame
24, not frame 22.

That's because I have TCP desegmentation enabled.

The length in the header is 2920 bytes, which means that frame 22, which
has a total of 1514 bytes - which includes the Ethernet header (14
bytes), IP header (20 bytes), and the TCP header (20 bytes) - cannot
possibly be the entire NetBIOS Session Service session message packet.

And, in fact, it isn't; if you enable TCP desegmentation (as I did in my
Ethereal settings, and as I recommended you do in my previous message),
Ethereal shows frames 22 and 23 as "Desegmented TCP" and frame 24 as an
SMB Transaction Response (as it's the last frame of said response).
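Guy's two points above, the reader that takes the message length from the session service header and keeps reading until that many body bytes have arrived (never assuming one read returns a whole header or body), and the frame-size arithmetic showing why 2920 bytes cannot fit in one 1514-byte frame, as an added Python example; this is not code from the thread or from Ethereal. It assumes the RFC 1002 header layout (1-byte type, 1-byte flags whose low bit extends the length, 2-byte length) and the 14/20/20-byte Ethernet/IP/TCP headers Guy describes; all sample bytes are constructed, and the reassembler also covers the cases Guy only hints at, a header split across reads and several messages in one read.

```python
"""Reassemble NetBIOS-over-TCP session service (NBSS, RFC 1002) messages from
a TCP byte stream without assuming one read() delivers one message.

Added example for this thread; not code from Ethereal or from the posters.
Header layout per RFC 1002; every sample byte string below is constructed."""
import struct

# RFC 1002 session service message types
NBSS_SESSION_MESSAGE = 0x00
NBSS_SESSION_REQUEST = 0x81
NBSS_POSITIVE_RESPONSE = 0x82
NBSS_NEGATIVE_RESPONSE = 0x83
NBSS_RETARGET_RESPONSE = 0x84
NBSS_SESSION_KEEP_ALIVE = 0x85
KNOWN_TYPES = {
    NBSS_SESSION_MESSAGE, NBSS_SESSION_REQUEST, NBSS_POSITIVE_RESPONSE,
    NBSS_NEGATIVE_RESPONSE, NBSS_RETARGET_RESPONSE, NBSS_SESSION_KEEP_ALIVE,
}
HEADER_LEN = 4
MAX_LENGTH = 0x1FFFF                     # 17-bit length: flags bit 0 + 16-bit field
ETH_HDR, IP_HDR, TCP_HDR = 14, 20, 20    # header sizes used in the thread's arithmetic


def tcp_payload_capacity(frame_len=1514):
    """TCP payload bytes that fit in one Ethernet frame of frame_len bytes."""
    return frame_len - ETH_HDR - IP_HDR - TCP_HDR        # 1460 for a 1514-byte frame


def segments_needed(nbss_length, frame_len=1514):
    """Minimum number of TCP segments carrying header + nbss_length body bytes."""
    total = HEADER_LEN + nbss_length
    return -(-total // tcp_payload_capacity(frame_len))  # ceiling division


def parse_header(hdr):
    """Return (message type, message length) from a 4-byte NBSS header."""
    msg_type, flags, length16 = struct.unpack("!BBH", hdr)
    return msg_type, ((flags & 0x01) << 16) | length16


def build_session_message(payload):
    """Prefix payload with an NBSS session message header (type 0x00)."""
    if len(payload) > MAX_LENGTH:
        raise ValueError("payload exceeds 17-bit NBSS length")
    flags = (len(payload) >> 16) & 0x01
    return struct.pack("!BBH", NBSS_SESSION_MESSAGE, flags, len(payload) & 0xFFFF) + payload


class NbssReassembler:
    """Accumulates bytes from successive reads and returns complete messages.

    Neither the 4-byte header nor the body is assumed to arrive whole: a read
    may end mid-header, mid-body, or carry several messages back to back."""

    def __init__(self, max_buffered=HEADER_LEN + MAX_LENGTH):
        self._buf = bytearray()
        self._max = max_buffered   # bound on what an unfinished message may hold

    @property
    def pending(self):
        """Bytes received so far that do not yet form a complete message."""
        return len(self._buf)

    def feed(self, chunk):
        """Add the bytes of one read; return the list of (type, body) completed."""
        self._buf += chunk
        if len(self._buf) > self._max:
            raise ValueError("more than one maximal message buffered without framing")
        done = []
        while len(self._buf) >= HEADER_LEN:
            msg_type, length = parse_header(bytes(self._buf[:HEADER_LEN]))
            if msg_type not in KNOWN_TYPES:
                # Never trust a length that follows an unknown type: the stream
                # is out of sync or is not NBSS at all.
                raise ValueError(f"unknown NBSS message type 0x{msg_type:02x}")
            end = HEADER_LEN + length
            if len(self._buf) < end:
                break              # body still incomplete: wait for the next read
            done.append((msg_type, bytes(self._buf[HEADER_LEN:end])))
            del self._buf[:end]
        return done


def demo_frames_22_to_24():
    """Replay the thread's case: a 2920-byte session message split across
    1460-byte TCP segments, as frames 22, 23 and 24 were. Returns the list of
    messages completed after each segment."""
    payload = bytes(range(256)) * 11 + b"\x00" * (2920 - 2816)   # constructed, 2920 bytes
    wire = build_session_message(payload)                        # 2924 bytes on the wire
    cap = tcp_payload_capacity()
    segments = [wire[i:i + cap] for i in range(0, len(wire), cap)]  # 1460, 1460, 4
    reassembler = NbssReassembler()
    return [reassembler.feed(seg) for seg in segments]


if __name__ == "__main__":
    print("segments needed for a 2920-byte message:", segments_needed(2920))
    for frame, completed in enumerate(demo_frames_22_to_24(), start=22):
        print(f"frame {frame}: {len(completed)} message(s) completed")
```

Only the third segment completes a message, which is why Ethereal, with desegmentation on, labels frames 22 and 23 "Desegmented TCP" and shows the SMB response at frame 24.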
Re: (no subject) [ In reply to ]
On Fri, Sep 13, 2002 at 07:50:55AM -0700, Greg Tomkins wrote:
> i hate to ask what has to be the worlds most moronic question, but i read
> the menu for an hour and i'm stumped. i just want to use Display Filters to
> limit the display to a specific IP. i added a filter
> 'ip.addr==10.10.98.152', saved, etc. when i try to use it, i get 'Unexpected
> end of filter string'.

If you try putting the expression

ip.addr == 10.10.98.152

into the filter box, that should work.

If you save the filter with a name like "myfilter", and try putting

myfilter

into the filter box, that will *NOT* work.

The way you use a filter is to put the filter expression into the filter
box. The *ONLY* reason to save a filter is if you want to use it again
in the future; the way you use a saved filter is to click the "Filter:"
button, select the filter in the dialog box that pops up, and click
"OK", *NOT* to type the name of the filter into the filter box
(supporting names of filters in that box runs the risk of filters that
could either be interpreted as filter expressions or filter names, with
no way for Ethereal to determine which is the right interpretation).
Re: (no subject) [ In reply to ]
> i use the sniffer(ver is 4.70.04) to capture packages from two ip
> access gateway. and use ethereal to watch it.
> but i only see the protocol for Q931. why not see the rtp/rtcp, h323,
> h245 and so. if i want to see these protocol. how can i do .
> thank you very much.

Why don't you write an email to me personally (address on site
for H.323 plugin)?

Anyway, did you follow the instructions in the readme.txt which
you also should be able to find in the zip file you downloaded?

--
Andreas Sikkema
andreas.sikkema@philips.com
"While you're waiting, read the free novel we sent you.
It's a Spanish story about a guy named `Manual'" - Dilbert
RE: (no subject) [ In reply to ]
> In the beginning ethereal uses almost no CPU power (0%).
> Then, after a
> couple of hours, ethereal starts to consume more and more of the CPU
> power, 5%, 10% or even sometimes up to 100 %.

I can confirm that it happens with Ethereal 9.7 on WinXP SP1 with a 1.5GHz
Xeon. That's no help to you though.

Alistair


Re: (no subject) [ In reply to ]
Martin Bolino wrote:
> Can anyone tell me if I can use h.323 plugin for version 0.9.6 in the latest version 0.9.8 ?

The plugin for 0.9.6 doesn't work with Ethereal 0.9.7 or 0.9.8, I think. You'll get something like:
assertion failed: <hfinfo->type == FT_STRING>, and Ethereal terminating with a "Runtime Error!"

It seems that the plugin for 0.9.7 maybe also works with 0.9.8 (I have just tested a little with it so I'm not completely sure):
http://prdownloads.sourceforge.net/ethereal-h323-p/ethereal-h323-plugin-dll-097-004.zip?download

Regards,
Martin
Re: (no subject) [ In reply to ]
> Martin Bolino wrote:
> > Can anyone tell me if I can use h.323 plugin for version 0.9.6
> > in the latest version 0.9.8 ?

> The plugin for 0.9.6 doesn't work with Ethereal 0.9.7 or 0.9.8,
> I think. You'll get something like: assertion failed: <hfinfo->type
> == FT_STRING>, and Ethereal terminating with a "Runtime Error!"

> It seems that the plugin for 0.9.7 maybe also works with 0.9.8
> (I have just tested a little with it so I'm not completely sure):
> http://prdownloads.sourceforge.net/ethereal-h323-p/ethereal-h323-plugin-dll-097-004.zip?download

Don't count on it working correctly. I had a version, I think it was from
0.9.4 to 0.9.5, work for me for a couple of days flawlessly until I reached
a certain kind of message and it would crash. Rebuilding the plugin fixed
that.

Unfortunately I am having some problems building the plugin for 0.9.8,
it seems that the changes to the plugin interface created an include
problem for one of the plugin api interface header files. I'm really
stumped at the moment, other plugins seem to do the same include magic...

--
Andreas
Re: (no subject) [ In reply to ]
On Thu, 23 Jan 2003, Leahy, Kevin wrote:

> I'm just looking at the Ethereal website and I have a question. I'm
> basically a junior java programmer and this low-level network technology is
> going to take me some time to wade through. I want to accomplish a
> particular task and if I can do it with EtherReal, I will put the time in.
> But I would prefer to know in advance if I'm barking up the right tree.
>
> I have a web application running within JBoss on a Linux box. The
> application uses Glue to publish a webservice. I want to snoop the
> webservice and be able to read the soap requests for a short period ( maybe
> 10 minutes ) to resolve a particular issue.

Ethereal doesn't (yet) handle SOAP data explicitly; the transactions would
show up as HTTP. You can still use the Follow TCP Stream feature to view
the SOAP requests as they appear on the wire.

BTW, Westbridge Technology has a modified version of Ethereal that does
handle SOAP explicitly:

http://www.westbridgetech.com/soapmonitordownload.html

I exchanged email with them a while back about merging their changes into
the main distribution.
RE: (no subject) [ In reply to ]
From: Aharon Shpigel [mailto:aharons@mysticom.com]
> Is there a way to see errors in Ethernet capture packets?

Only if the packets are not dropped by the network card or the operating
system driver. It is very unlikely that you will see runt packets or
packets with a bad Ethernet CRC. You probably will see packets with a
bad tcp checksum. There are (operating system dependent) ways to get
statistical data on some other types of error, but they do not involve
Ethereal.

> Is there a way to save the capture packets to file via command line?

Look at tethereal.html in your binaries directory (...\Program
Files\Ethereal on Windows.)

----------------
-w

Write packet data to savefile or to the standard output if savefile is
``-''.
----------------

--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."


RE: (no subject) [ In reply to ]
You can't! This is a limitation of Windows and not of Ethereal or WinPcap.

http://winpcap.polito.it/misc/faq.htm#Q-13

-fs

-----Original Message-----
From: gyzhang [mailto:zhangguoying@mail.ritt.com.cn]
Sent: Thursday, April 03, 2003 08:05
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)

Dear Sir,
I am now running Ethereal on windows 2000. The problem is that I can't capture frames on the loopback interface. Can you tell me how I can do that?
Thank you.

Guoying Zhang
Research Institute of
Telecommunication Transmission
Tel:68094272
Email: gyzhang@sina.com;zhangguoying@mail.ritt.com.cn
Address:Beijing Yue Tan South Street No 11
Post Code:100045
Re: (no subject) [ In reply to ]
On Tue, Apr 22, 2003 at 09:56:42AM -0400, wsladen@synergentcorp.com wrote:
> Below is a screenshot that I get when I display a capture. I am trying to
> locate an issue during the timeframe of this capture and the capture
> displays fine, however, I get this every time I open it. This may be the
> smoking gun I have been looking for but I don't know how to interpret it.
> Can someone please explain why this would be happening?

It could be happening because you are getting traffic to or from TCP
port 1812 that's not Diameter protocol traffic; Ethereal's Diameter
dissector registers for TCP port 1812, so TCP traffic to port 1812 is
dissected by that dissector. That dissector reports some errors in the
packets to the console window; if the traffic isn't Diameter traffic at
all, then the dissector will find lots of stuff it considers to be
errors.
Re: (no subject) [ In reply to ]
Guy Harris wrote:

>On Tue, Apr 22, 2003 at 09:56:42AM -0400, wsladen@synergentcorp.com wrote:
>> Below is a screenshot that I get when I display a capture. I am trying to
>> locate an issue during the timeframe of this capture and the capture
>> displays fine, however, I get this every time I open it. This may be the
>> smoking gun I have been looking for but I don't know how to interpret it.
>> Can someone please explain why this would be happening?
>
>It could be happening because you are getting traffic to or from TCP
>port 1812 that's not Diameter protocol traffic; Ethereal's Diameter
>dissector registers for TCP port 1812, so TCP traffic to port 1812 is
>dissected by that dissector. That dissector reports some errors in the
>packets to the console window; if the traffic isn't Diameter traffic at
>all, then the dissector will find lots of stuff it considers to be
>errors.
>


You can change the TCP port number from Edit/Preferences.../Protocols/Diameter.

You could set the port number to 0 and then "Save" and "OK" if you are not interested in the Diameter protocol (www.diameter.org).

http://www.ethereal.com/lists/ethereal-users/200108/msg00146.html
Re: (no subject) [ In reply to ]
On Sun, Nov 09, 2003 at 04:30:36PM +0200, Gil Yaacoby wrote:
> Cellcom ISRAEL ltd. employees are interested in using " Ethereal " and "
> Winpcap 3.x " software .
> Please confirm by E-mail that this software can be used by our
> organization's workers for free.

See the "COPYING" file in the Ethereal source:

http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/COPYING?rev=HEAD&content-type=text/vnd.viewcvs-markup

(i.e., it's GPLed, so the answer is "yes").
Re: (no subject) [ In reply to ]
On Dec 8, 2003, at 9:27 AM, Leonard A Provid wrote:

> Does Ethereal support decoding USB packets???

There's currently no capture file format we can read that supports USB
packets.

Even for something such as USB-over-IP, nobody's contributed a
dissector.

So there's no USB support in Ethereal.
RE: (no subject) [ In reply to ]
From: Cyberjeff2003@aol.com

|I just installed Ethereal on my Toshiba 1555 cds Laptop.
|The Laptop is running Windows 2000 and the Lan PDC is NT 4.0.
|When I attempt to run Ethereal I receive the following errors
|in a dos screen:
|<ethereal.exe:684>: Gdk-warning **: gdk_win32_pix
| Map_nnew:depth 16 doesn't match display depth 15.
|This message repeats itself 15 times in the dos screen before
|Ethereal loads. also is I close the dos screen Ethereal
|closes as well.

This warning is from the Win32 GTK+ GDK interface Ethereal uses. Those
warnings seem to pop up every now and then; although they are annoying, they
are harmless. You are probably running Windows in 15-bit colors, which seems
*not* to be supported (at least not without warnings showing up all the
time) by the GDK of the graphical GTK+ interface used by Ethereal.

Regards,

Olivier
RE: (no subject) [ In reply to ]
Not sure exactly what you want - but if you really are starting from ground level on network protocols you really need to get into books such as listed here http://vig.prenhall.com/catalog/academic/course/0,4095,720,00.html .

Of course there are the RFCs which define internet protocols (www.ietf.org), and online and hardcopy publications from vendors such as Cisco, IBM, Microsoft and even HP!

Of course you could start by turning ethereal on, start capturing, ping your neighbour, fire up your web browser or mail applications and see what ethereal makes of it. Nothing like learning by observation.

Hope that helps, Martin


Martin Visser ,CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia

Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com





________________________________

From: ethereal-users-bounces@ethereal.com [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of jlmachado@ses.se.gov.br
Sent: Tuesday, 6 April 2004 6:10 AM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)



I'm new to ethereal and to protocols.

I would like some sites to understand the protocols better in the context of ethereal.

Any hints will be welcome.

Thanks in advance

Lyra Machado
Re: (no subject) [ In reply to ]
On Apr 5, 2004, at 16:16, Visser, Martin wrote:

> Not sure exactly what you want - but if you really are starting from
> ground level on network protocols you really need to get into books
> such as listed here
> http://vig.prenhall.com/catalog/academic/course/0,4095,720,00.html .
>  
> Of course there are the RFCs which define internet protocols
> (www.ietf.org), and online and hardcopy publications from vendors such
> as Cisco, IBM, Microsoft and even HP!
>  
> Of course you could start by turning ethereal on, start
> capturing, ping your neighbour, fire up your web browser or mail
> applications and see what ethereal makes of it. Nothing like learning
> by observation.
[snip]

> From: ethereal-users-bounces@ethereal.com
> [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of
> jlmachado@ses.se.gov.br
> Sent: Tuesday, 6 April 2004 6:10 AM
> To: ethereal-users@ethereal.com
> Subject: [Ethereal-users] (no subject)
>
>
> I'm new to ethereal and to protocols.
>
> I would like some sites to understand the protocols better in
> the context of ethereal.

A good place for an overview of how protocols fit together is
<http://www.protocols.com>. It's provided by a commercial operation,
and a number of links lead to their product site, but the information
seems good.

Regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large *
Institute for General Semantics | Men are from Earth.
| Women are from Earth.
| Deal with it.
*--------------------------------------*-------------------------------*
RE: (no subject) [ In reply to ]
That is a WinPCAP bug. Try uninstalling the current WinPCAP (probably 3.0)
and then installing the WinPCAP 3.1 beta or beta-2 (prefer the latter).

WinPCAP can be downloaded from http://winpcap.polito.it/

Regards,

Olivier

-----Original Message-----
From: Jerome Corradin


When going into capture is get the following error

"Can't get list of interfaces: PacketGetAdaperNames: Not enough storage is
available to process this command"

What's the cause of this error and how do I fix it?
Re: (no subject) [ In reply to ]
On Wed, Jul 21, 2004 at 12:11:13AM -0500, John Niecikowski wrote:
> I am using Ethereal on Windows XP Professional. When the application
> starts, the following message is displayed in the Cmd.exe window:
>
> (ethereal.exe:3496): Gtk-CRITICAL **: file gtkwindow.c: line 3107
> (gtk_window_resize): assertion `height > 0' failed

There's now a FAQ for this:

http://www.ethereal.com/faq#q5.17
RE: (no subject) [ In reply to ]
As far as I understand winpcap is invoked when you run the 'capture' command from within ethereal. I don't know if there's another way to capture packets without using ethereal.

Nick

-----Original Message-----
From: ethereal-users-bounces@ethereal.com [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of layfieldr@bellsouth.net
Sent: 16 November 2004 17:14
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have recently downloaded and executed WinPcap_3_0.exe but I cannot find anything to launch. I am trying to run Ethereal network analyzer. Did you guys change the name to winpcap? Last time I did this (over a year ago) it was very simple and straight forward. I cannot find anything to launch on my start/programs or running ethereal from command line....

What am I doing wrong?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com http://www.ethereal.com/mailman/listinfo/ethereal-users
RE: (no subject) [ In reply to ]
Looks like you are doing the same thing I did originally. I pulled down
WinPCap thinking it was Ethereal, but there is another installation after
the WinPCap.

Go to this link http://www.ethereal.com/distribution/win32/ and you will see
the Ethereal 0.10.7.exe file. Here is the direct link:
http://www.ethereal.com/distribution/win32/ethereal-setup-0.10.7.exe.

Unless I am misunderstanding your problem you did the same thing I did.

Hope this helps.

-----Original Message-----
From: Cresswell Nick-CRSN001 [mailto:CRSN001@motorola.com]
Sent: Tuesday, November 16, 2004 12:31 PM
To: 'Ethereal user support'
Subject: RE: [Ethereal-users] (no subject)

As far as I understand winpcap is invoked when you run the 'capture' command
from within ethereal. I don't know if there's another way to capture
packets without using ethereal.

Nick

-----Original Message-----
From: ethereal-users-bounces@ethereal.com
[mailto:ethereal-users-bounces@ethereal.com] On Behalf Of
layfieldr@bellsouth.net
Sent: 16 November 2004 17:14
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have recently downloaded and executed WinPcap_3_0.exe but I cannot find
anything to launch. I am trying to run Ethereal network analyzer. Did you
guys change the name to winpcap? Last time I did this (over a year ago) it
was very simple and straight forward. I cannot find anything to launch on
my start/programs or running ethereal from command line....

What am I doing wrong?

Re: (no subject) [ In reply to ]
On Tue, 2004-11-16 at 12:14 -0500, layfieldr@bellsouth.net wrote:
> I have recently downloaded and executed WinPcap_3_0.exe but I cannot
> find anything to launch. I am trying to run Ethereal network
> analyzer. Did you guys change the name to winpcap? Last time I did
> this (over a year ago) it was very simple and straight forward. I
> cannot find anything to launch on my start/programs or running
> ethereal from command line....
>
> What am I doing wrong?

You haven't installed ethereal. You did the right thing -- Winpcap is
needed to run ethereal. Now you just need to download and install
ethereal itself.

http://ethereal.com/download.html

Breen

--
Breen Mullins 408-435-8401x123
SQA Engineer 0xde05499b
Asante Technologies, Inc.
Re: (no subject) [ In reply to ]
Cresswell Nick-CRSN001 wrote:
> As far as I understand winpcap is invoked when you run the 'capture' command
> from within ethereal.

WinPcap is a library, so it's not invoked in the sense of being run as a
program. It's used by Ethereal...

> I don't know if there's another way to capture packets withou using ethereal.

...and by other programs, such as WinDump:

http://windump.polito.it/

and Analyzer:

http://analyzer.polito.it/

and a variety of other programs, some ported from UN*X (WinPcap is a
port of libpcap - the library used by many UN*X programs that capture
packets, including Ethereal - including a driver that's needed to
capture packets) and some written for Windows.
Re: (no subject) [ In reply to ]
Muhammad Samy wrote:

> Does anyone know why the interface doesn't appear in the ethereal interfaces
> for a GPRS connection using TEMS Investigation S/W?

If TEMS Investigation works by connecting a handset to a serial or USB
or other port on a PC, and having the handset supply information such as
captured GPRS traffic to an application such as TEMS Investigation on
the host, it's because neither libpcap nor WinPcap know anything about
that. Ericsson would have to contribute libpcap and/or WinPcap code,
and possibly driver code, to support that.
Re: (no subject) [ In reply to ]
Daniel,

Your question is a bit too generic. Do you know which virus it is and
want to analyse it? Or do you just want to protect your network
against a large number of viruses?

It sounds to me that you are after the latter option. In which case you
actually want something slightly (very?) different from Ethereal. You
want an Intrusion Detection System.
You can find a popular one at http://www.snort.org/. There are others as well.

If you meant something different, perhaps you can explain it in
greater detail. You could give a situation that you are trying to
solve, how you expected Ethereal to help you with it and which exact
step/procedure you are having problems with.

Hope it helps,
Alex.

On Apr 12, 2005 7:12 AM, Daniel Smith <Daniel.Smith@yestelco.com> wrote:
>
> Dear Sir/Madam
>
> I am using the latest version of ethereal. I am trying to use it to find
> out where a virus is coming from. Can you tell me of any types of packets
> that viruses come in?
>
Re: (no subject) [ In reply to ]
Are the preferences set the same way on both machines? Specifically
the ones related to packet reassembly and maybe heuristics?

Just a thought,
Alex.

On 4/26/05, w.sell@comcast.net <w.sell@comcast.net> wrote:
> I captured packets on one machine to analyze on another. The first machine indicates the protocols correctly. The second machine indicates that the protocol is unknown (in this case I am looking for TCP and MODBUS). Any idea what is missing from the 2nd box to not recognize the protocols? I downloaded WinPcap and 0.10.10 loads...
>
Re: (no subject) [ In reply to ]
Thanks Alex,
I checked the 'enabled protocols' with just the ones I needed. This does not work. I selected all protocols and now the packet data is present. Go figure...

/Bill


> Are the preferences set the same way on both machines? Specifically
> the ones related to packet reassembly and maybe heuristics?
>
> Just a thought,
> Alex.
>
> On 4/26/05, w.sell@comcast.net <w.sell@comcast.net> wrote:
> > I captured packets on one machine to analyze on another. The first machine
> indicates the protocols correctly. The second machine indicates that the
> protocol is unknown (in this case I am looking for TCP and MODBUS). Any idea
> what is missing from the 2nd box to not recognize the protocols? I downloaded
> WinPcap and 0.10.10 loads...
> >
Re: (no subject) [ In reply to ]
Filter on IP dest&&src combo?


Hansang Bae wrote:

>On 10:22 PM 5/7/2005, Dennis Singh wrote:
>
>
>>Hi,
>>
>>I am doing multiple captures of http traffic and I
>>have numerous workstations sending and receiving.
>>
>>Is there an easy way to separately list all
>>conversations and the duration of each?
>>
>>So basically I am looking for a tool to decode packets
>>from the start of the conversation to the end of it.
>>
>>Any help is appreciated.
>>
>>
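The "filter on src/dst combo" suggestion above works one conversation at a time; to get the whole list at once you want per-conversation statistics. As an added example (not code from the original thread and not Ethereal's own implementation), the Python below groups packets into bidirectional TCP conversations and reports each one's first and last timestamp, packet count and duration. It assumes tab-separated input lines of the form time, ip.src, tcp.srcport, ip.dst, tcp.dstport, which is the shape a field-export such as `tshark -T fields -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport` produces (an assumption about the tool version; the sample lines are constructed here, and one non-TCP line with empty port fields is included to show it being skipped).

```python
"""Group packets into bidirectional conversations and report first/last time,
packet count and duration. Added example; assumes tab-separated input of
time, ip.src, tcp.srcport, ip.dst, tcp.dstport per line."""

# Constructed sample input (not from a real capture). Line 4 is a non-TCP
# packet with empty port fields and must be skipped.
SAMPLE_FIELDS = """\
1115510400.000100\t192.0.2.10\t3456\t198.51.100.5\t80
1115510400.000900\t198.51.100.5\t80\t192.0.2.10\t3456
1115510400.100000\t192.0.2.11\t4000\t198.51.100.5\t80
1115510400.200000\t192.0.2.12\t\t198.51.100.5\t
1115510400.500000\t192.0.2.10\t3457\t198.51.100.5\t80
1115510401.250000\t192.0.2.10\t3456\t198.51.100.5\t80
1115510402.000000\t198.51.100.5\t80\t192.0.2.11\t4000
"""


def conversation_key(src, sport, dst, dport):
    """Order the two endpoints so that both directions map onto one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def parse_line(line):
    """Return (ts, src, sport, dst, dport), or None for lines without both
    TCP ports (field export leaves them empty for ARP, ICMP, UDP, ...)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5 or not all(parts):
        return None
    ts, src, sport, dst, dport = parts
    return float(ts), src, int(sport), dst, int(dport)


def conversations(lines):
    """Return one row per conversation, ordered by the time it started."""
    convs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport = rec
        c = convs.setdefault(conversation_key(src, sport, dst, dport),
                             {"first": ts, "last": ts, "packets": 0})
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
        c["packets"] += 1
    rows = []
    for (a, b), c in convs.items():
        rows.append({"a": "%s:%d" % a, "b": "%s:%d" % b,
                     "first": c["first"], "last": c["last"],
                     "duration": round(c["last"] - c["first"], 6),
                     "packets": c["packets"]})
    rows.sort(key=lambda r: r["first"])
    return rows


def report(rows):
    """Plain-text table, one conversation per line."""
    out = ["%-22s %-22s %8s %10s" % ("Endpoint A", "Endpoint B", "Packets", "Duration")]
    for r in rows:
        out.append("%-22s %-22s %8d %10.4f" % (r["a"], r["b"], r["packets"], r["duration"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(conversations(SAMPLE_FIELDS.splitlines(True))))
```

The key normalisation is the part that matters: without sorting the two endpoints, the request and the reply would land in two different "conversations" and the reported duration would only cover one direction.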
Re: (no subject) [ In reply to ]
tom gallacher wrote:

> Is there any way to send packets from ethereal using a windows based
> machine?
>
No.

Ethereal won't send any packets regardless of the operating system.

I don't know such a tool myself, you might find one at:
http://wiki.ethereal.com/Tools

Regards, ULFL
Re: (no subject) [ In reply to ]
tom gallacher wrote:
> Is there any way to send packets from ethereal using a windows based machine?

No. Ethereal doesn't have a "transmit packet" function.
Re: (no subject) [ In reply to ]
ToSsA H. wrote:
> hi.. where can i find the source code for ethereal for windows(XP)?

From the "Source code" links on

http://www.ethereal.com/download.html

Note that this is a gzipped tar file, *NOT* a zip file, so you'd need
the appropriate program to unpack it. If you're going to build Ethereal
on Windows, you'll probably want to install Cygwin anyway, and Cygwin
should come with gzcat and tar.

Re: (no subject) [ In reply to ]
Ethereal user support <ethereal-users@ethereal.com> wrote on 28.10.05 15:10:21:
> I have a weird situation. I'm writing an NDIS-WDM driver and when I try to use ethereal with it, the packets all show up in the capture, but the application I'm using to originate and send my packets can't receive packets destined to it. It can send fine, but the receive packets only show up in ethereal, and not in my app. I've tried winpcap 3.0, and 3.1b4, and ethereal 0.10.12. Any ideas? When I close the capturing mode of ethereal, things work fine again with my app. Thanks for your help, Jess Howe
>

I don't know and I don't think it's an Ethereal related problem.

You may ask the WinPcap developers about this, they might be able to help ...

Regards, ULFL
Re: (no subject) [ In reply to ]
Tom Aubrey wrote:
> Do you have a protocol dissector for ATM AAL5?

Yes, but Ethereal has to know that a packet is an AAL5 packet in order
to call it.

> I used Pcap on a Nortel router to do the capture,

I.e., the Nortel router *itself* has a processor that can run
libpcap-based applications? If so, what was the DLT_ value for the packets?

If it was your own program that did the capture, it should've used
DLT_SUNATM, with each packet's raw data ("raw data" in the sense of the
data beginning with 0xaa 0xaa 0x03) preceded by a "struct sunatm_hdr"
structure (see wiretap/libpcap.c), containing:

flags = 0x02 (LLC multiplexed traffic)
vpi = the VPI for the connection;
vci = the VCI for the connection.

That would then be readable by Ethereal.

If it was captured by tcpdump supplied by Nortel as part of the router
software, try compiling the attached program and running on the capture,
and then having Ethereal read it; that should convert it to something
Ethereal can read.

> and then converted it to a .atc file.
> The packet contents start with the LLC snap header “aaaa03…”
> but I can’t get Ethereal to decode the packets.

How did you convert it?

If it's a .atc file - i.e., a DOS Sniffer file:

the network type should be 10 (for ATM);

each packet should begin with a FRAME4 record (record type 8);

the record header should include a "struct frame4_rec" record header
(see wiretap/ngsniffer.c), and the ATMSaveInfo structure in that header
should have an AppTrafType value of 0x13 (for ATT_HL_LLCMX|ATT_AAL5,
indicating that the packets are AAL5 packets containing LLC-multiplexed
packets).

But if you can convert it with the attached program, so much the better.
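The "attached program" referred to above is not part of this archive. As an added example (not that attachment, and not Ethereal's or libpcap's own code), the Python below writes raw LLC-multiplexed AAL5 frames into a libpcap file laid out the way the reply describes: link type DLT_SUNATM, and each packet's "aa aa 03 ..." data preceded by a struct sunatm_hdr of flags = 0x02, VPI and VCI. Assumptions stated in the code: DLT_SUNATM is libpcap link type 123, and sunatm_hdr is one byte of flags, one byte of VPI and a two-byte VCI in network byte order (check pcap's dlt.h and sunatmpos.h against your libpcap version). The sample frames are constructed here (LLC/SNAP header for routed IPv4 followed by an ICMP echo with valid checksums) so the resulting file can be opened and dissected; a reader function parses the file back so the layout can be checked.

```python
import socket
import struct

# Assumptions, not values from the thread: libpcap's DLT_SUNATM number and the
# sunatm_hdr layout {u_char flags; u_char vpi; u_short vci;} (vci big-endian).
DLT_SUNATM = 123
SUNATM_FLAG_LLC = 0x02            # "LLC multiplexed traffic", as in the reply
PCAP_MAGIC = 0xA1B2C3D4
LLC_SNAP_IPV4 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # RFC 2684 routed IPv4


def checksum(data):
    """RFC 1071 one's-complement checksum, used to make the sample packets valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_icmp_echo(src, dst, ident=1, seq=1, data=b"ping"):
    """Constructed IPv4 + ICMP echo request with correct header checksums."""
    icmp = struct.pack(">BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack(">H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                      64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def sunatm_header(vpi, vci, flags=SUNATM_FLAG_LLC):
    """The 4-byte pseudo-header that precedes each AAL5 frame in DLT_SUNATM."""
    if not (0 <= vpi <= 0xFF and 0 <= vci <= 0xFFFF):
        raise ValueError("VPI/VCI out of range")
    return struct.pack(">BBH", flags, vpi, vci)


def build_sunatm_pcap(frames, snaplen=65535):
    """frames: iterable of (ts_sec, ts_usec, vpi, vci, aal5_payload); each payload
    must start with the LLC/SNAP bytes aa aa 03. Returns the pcap file bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_SUNATM))
    for ts_sec, ts_usec, vpi, vci, payload in frames:
        if not payload.startswith(b"\xaa\xaa\x03"):
            raise ValueError("not an LLC-multiplexed AAL5 payload")
        rec = sunatm_header(vpi, vci) + payload
        out += struct.pack("<IIII", ts_sec, ts_usec, len(rec), len(rec)) + rec
    return bytes(out)


def read_sunatm_pcap(blob):
    """Parse the file back: returns (linktype, [(flags, vpi, vci, payload), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("bad pcap magic")
    off, pkts = 24, []
    while off < len(blob):
        _, _, incl, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        rec = blob[off:off + incl]
        off += incl
        flags, vpi, vci = struct.unpack(">BBH", rec[:4])
        pkts.append((flags, vpi, vci, rec[4:]))
    return linktype, pkts


# Constructed sample: an echo request and its reply on VPI 0 / VCI 33.
SAMPLE_FRAMES = [
    (1130000000, 0, 0, 33, LLC_SNAP_IPV4 + ipv4_icmp_echo("192.0.2.1", "192.0.2.2")),
    (1130000000, 1500, 0, 33, LLC_SNAP_IPV4 + ipv4_icmp_echo("192.0.2.2", "192.0.2.1")),
]

if __name__ == "__main__":
    with open("aal5.pcap", "wb") as f:
        f.write(build_sunatm_pcap(SAMPLE_FRAMES))
```

Feed your own frames in as (seconds, microseconds, vpi, vci, bytes) tuples; the writer refuses anything that does not begin with the LLC/SNAP header, since with flags = 0x02 the dissector will treat whatever follows the pseudo-header as LLC.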
RE: (no subject) [ In reply to ]
Hi,
You can find some traces on the wiki:
http://wiki.ethereal.com/SampleCaptures#head-6c6fb4051dfbe9b992057ea1533eb8dc85c9a13a

Brg
Anders

-----Original Message-----
From: ethereal-users-bounces@ethereal.com
[mailto:ethereal-users-bounces@ethereal.com] On Behalf Of Nt10
Sent: 8 May 2006 15:14
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)

Please!!! Please!!!
Can you send traces BICC, SIP-T, sigtran for Ethereal?
Re: (no subject) [ In reply to ]
-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

EDWARD HILL wrote:

> I am using compuware application vantage to read my captures. Vantage
> needs to see the files as a .enc or cap file. When I set up ethereal to
> write to file, I need to save it as an enc or cap. It does not give me
> the option to save type.

Is this a capture that you did with Ethereal?

What type of network device did you capture on? (Ethernet, 802.11, etc.)