Mailing List Archive

Hi, Martin Visser!

Thank you very much for your reply. But I develop my own application
with NetBIOS low-level packets. I use Ethereal as a tool for analyze
captured packets. My question is not about using Ethereal as user. I want to
know technical details about how Ethereal detects NetBIOS Session Message
packets are unreassambled?

Eugene Korolev.

----- Original Message -----
From: "Visser, Martin (Sydney)" <Martin.Visser@hp.com>
To: "Eugene Korolev" <korolev@lastbit.com>; <ethereal-users@ethereal.com>
Sent: Friday, August 30, 2002 10:13 AM
Subject: RE: [Ethereal-users] (no subject)



A quick way is to use the Display Filter to only display the packets you
are interested in. Then choose Protocol Hierarchy Statistics from the
Tools menu. It will total up all the packets in the display under the
Frame category



Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone *: +61-2-9022-1670 Mobile *: +61-411-254-513
Fax 7: +61-2-9022-1800 E-mail * : martin.visserAThp.com




-----Original Message-----
From: Eugene Korolev [mailto:korolev@lastbit.com]
Sent: Friday, 30 August 2002 3:01 PM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


Hi, All!

I write an application that uses low-level NetBIOS packets. When
I send NetBIOS Session Message Packet Request (NBS request), I receive
NetBIOS Session Message Packet Response (NBS response). The NBS response
consists of several parts (the first response packet + NBS Continual
Message Packets). It seems that Ethereal detects all NBS packets
correctly. What is a method to detect the total amount of NBS Continual
Message Packets or the total size (in bytes) of these packets?

NetBIOS Session Service
Message Type: Session message
Flags: 0x00
Length: 2920
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 20
Time from request: 0.452407000 seconds
SMB Command: Transaction (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x98
Flags2: 0x0003
Reserved: 000000000000000000000000
Tree ID: 36866
Process ID: 1300
User ID: 61441
Multiplex ID: 0
Transaction Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 12
Total Data Count: 6560
Reserved: 0000
Parameter Count: 12
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 2852
Data Offset: 68
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 2865
Padding: 00
SMB Pipe Protocol
Microsoft Windows Lanman Remote API Protocol
Function Code: NetUserEnum2 (131)
Status: Success (0)
Convert: 58944
Doubleword Param: 724647 (0x000B0EA7)
Entry Count: 83
Word Param: 83 (0x0053)
Entries
.....................
[Unreassembled Packet: LANMAN]

Eugene Korolev.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
-

On Fri, Aug 30, 2002 at 11:47:14AM +0400, Eugene Korolev wrote:
> Thank you very much for your reply. But I develop my own application
> with NetBIOS low-level packets. I use Ethereal as a tool for analyze
> captured packets. My question is not about using Ethereal as user. I want to
> know technical details about how Ethereal detects NetBIOS Session Message
> packets are unreassambled?

It detects it by

1) having a mechanism that catches attempts by a dissector to
fetch data past the end of a packet;

2) in some cases, reporting that as an unreassembled packet;

3) naively assuming that NetBIOS session messages fit entirely
within one frame. :-)

(I.e., there's no code specific to the NetBIOS dissector to detect
that.)

Hello, Guy Harris!

Should I wait for other packets if NetBIOS Session Message was
reassembled with truncated end? Do you know another methods to detect the
total number of NetBIOS Session Message Response packets? What method is
used by Windows?


Eugene

----- Original Message -----
From: "Guy Harris" <gharris@sonic.net>
To: "Eugene Korolev" <korolev@lastbit.com>
Cc: "ethereal users" <ethereal-users@ethereal.com>; "Visser, Martin
(Sydney)" <Martin.Visser@hp.com>
Sent: Friday, August 30, 2002 1:25 PM
Subject: Re: [Ethereal-users] (no subject)


> On Fri, Aug 30, 2002 at 11:47:14AM +0400, Eugene Korolev wrote:
> > Thank you very much for your reply. But I develop my own
application
> > with NetBIOS low-level packets. I use Ethereal as a tool for analyze
> > captured packets. My question is not about using Ethereal as user. I
want to
> > know technical details about how Ethereal detects NetBIOS Session
Message
> > packets are unreassambled?
>
> It detects it by
>
> 1) having a mechanism that catches attempts by a dissector to
> fetch data past the end of a packet;
>
> 2) in some cases, reporting that as an unreassembled packet;
>
> 3) naively assuming that NetBIOS session messages fit entirely
> within one frame. :-)
>
> (I.e., there's no code specific to the NetBIOS dissector to detect
> that.)
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -
>
>

On Fri, Aug 30, 2002 at 02:25:46AM -0700, Guy Harris wrote:
> (I.e., there's no code specific to the NetBIOS dissector to detect
> that.)

...except that the "NetBIOS" dissector, in the sense of the NetBIOS
frame protocol dissector, isn't what's being used here; this
is NetBIOS-over-TCP.

The answer is similar in this case, except that 3) is

3) not having TCP desegmentation enabled.

If you enable TCP desegmentation by selecting the "Preferences" item
from the "Edit" menu, opening the "Protocols" item on the left-hand side
of the dialog box, selecting "TCP", turning "Allow subdissector to
desegment TCP streams", and clicking "OK", the session message packets
should be reassembled for you by Ethereal.

If you want to do that in *your* application, you need to write code to
read the NetBIOS-over-TCP session service header (and don't assume that
you will get all of the data in the header in one read call; TCP doesn't
guarantee that), extract the message length from the header, and then
read that many bytes (again, don't assume you'll get all that data in
one read call).

My application reads Netbios header and builds a full netbios packet from
fragmented parts. However NBSS Continual packet is not included into the
Netbios Session Messages packet. I attached a file dump for ethereal to the
email. Please see frames 22,23,24. Netbios packet at the 22nd frame consists
of the single part according to the lebgth indicated in its header, but it
seems that following packets 23,24 contain additional data for the 22nd
frame.

----- Original Message -----
From: "Guy Harris" <gharris@sonic.net>
To: "Eugene Korolev" <korolev@lastbit.com>
Cc: "ethereal users" <ethereal-users@ethereal.com>; "Visser, Martin
(Sydney)" <Martin.Visser@hp.com>
Sent: Friday, August 30, 2002 2:26 PM
Subject: Re: [Ethereal-users] (no subject)


> On Fri, Aug 30, 2002 at 02:25:46AM -0700, Guy Harris wrote:
> > (I.e., there's no code specific to the NetBIOS dissector to detect
> > that.)
>
> ...except that the "NetBIOS" dissector, in the sense of the NetBIOS
> frame protocol dissector, isn't what's being used here; this
> is NetBIOS-over-TCP.
>
> The answer is similar in this case, except that 3) is
>
> 3) not having TCP desegmentation enabled.
>
> If you enable TCP desegmentation by selecting the "Preferences" item
> from the "Edit" menu, opening the "Protocols" item on the left-hand side
> of the dialog box, selecting "TCP", turning "Allow subdissector to
> desegment TCP streams", and clicking "OK", the session message packets
> should be reassembled for you by Ethereal.
>
> If you want to do that in *your* application, you need to write code to
> read the NetBIOS-over-TCP session service header (and don't assume that
> you will get all of the data in the header in one read call; TCP doesn't
> guarantee that), extract the message length from the header, and then
> read that many bytes (again, don't assume you'll get all that data in
> one read call).

> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -

On Fri, Aug 30, 2002 at 03:25:14PM +0400, Eugene Korolev wrote:
> My application reads Netbios header and builds a full netbios packet from
> fragmented parts. However NBSS Continual packet is not included into the
> Netbios Session Messages packet. I attached a file dump for ethereal to the
> email. Please see frames 22,23,24. Netbios packet at the 22nd frame consists
> of the single part according to the lebgth indicated in its header,

Actually, when I run Ethereal on it, the header is displayed for frame
24, not frame 22.

That's because I have TCP desegmentation enabled.

The length in the header is 2920 bytes, which means that frame 22, which
has a total of 1514 bytes - which includes the Ethernet header (14
bytes), IP header (20 bytes), and the TCP header (20 bytes) - cannot
possibly be the entire NetBIOS Session Service session message packet.

And, in fact, it isn't; if you enable TCP desegmentation (as I did in my
Ethereal settings, and as I recommended you do in my previous message),
Ethereal shows frames 22 and 23 as "Desegmented TCP" and frame 24 as an
SMB Transaction Response (as it's the last frame of said response).

On Fri, Sep 13, 2002 at 07:50:55AM -0700, Greg Tomkins wrote:
> i hate to ask what has to be the worlds most moronic question, but i read
> the menu for an hour and i'm stumped. i just want to use Display Filters to
> limit the display to a specific IP. i added a filter
> 'ip.addr==10.10.98.152', saved, etc. when i try to use it, i get 'Unexpected
> end of filter string'.

If you try putting the expression

ip.addr == 10.10.98.152

into the filter box, that should work.

If you save the filer with a name like "myfilter", and try putting

myfilter

into the filter box, that will *NOT* work.

The way you use a filter is to put the filter expression into the filter
box. The *ONLY* reason to save a filter is if you want to use it again
in the future; the way you use a saved filter is to click the "Filter:"
button, select the filter in the dialog box that pops up, and click
"OK", *NOT* to type the name of the filter into the filter box
(supporting names of filters in that box runs the risk of filters that
could either be interpreted as filter expressions or filter names, with
no way for Ethereal to determine which is the right interpretation).

> i use the sniffer(ver is 4.70.04) to capture packages from two ip
access gateway. and use ethereal to watch it.
> but i only see the protocol fro Q931. why not see the rtp/rtcp, h323,
h245 and so. if i want to see these protocol. how can i do .
> thank you very much.

Why don't you write an email to me personally (address on site
for H.323 plugin)?

Anyway, did you follow the instructions in the readme.txt which
you also should be able to find in the zip file you downloaded?

--
Andreas Sikkema
andreas.sikkema@philips.com
"While you're waiting, read the free novel we sent you.
It's a Spanish story about a guy named `Manual'" - Dilbert

> In the beginning ethereal uses almost no CPU power (0%).
> Then, after a
> couple of hours, ethereal starts to consume more and more of the CPU
> power, 5%, 10% or even sometimes up to 100 %.

I can confirm that it happens with Ethereal 9.7 on WinXP SP1 with 1.5Ghz
Xeon. That's no help to you though.

Alistair


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services PLC, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.

Martin Bolino wrote:
<Can anyone tell me if I can use h.323 plugin for version 0.9.6 in the latest version 0.9.8 ?

The plugin for 0.9.6 doesn't work with Ethereal 0.9.7 or 0.9.8, I think. You'll get something like:
assertion failed: <hfinfo->type == FT_STRING>, and Ethereal terminating with a "Runtime Error!"

It seems that the plugin for 0.9.7 maybe also works with 0.9.8 (I have just tested a little with it so I'm not completely sure):
http://prdownloads.sourceforge.net/ethereal-h323-p/ethereal-h323-plugin-dll-097-004.zip?download

Regards,
Martin

> Martin Bolino wrote:
> > Can anyone tell me if I can use h.323 plugin for version 0.9.6
> > in the latest version 0.9.8 ?

> The plugin for 0.9.6 doesn't work with Ethereal 0.9.7 or 0.9.8,
> I think. You'll get something like: assertion failed: <hfinfo->type
> == FT_STRING>, and Ethereal terminating with a "Runtime Error!"

> It seems that the plugin for 0.9.7 maybe also works with 0.9.8
> (I have just tested a little with it so I'm not completely sure):
> http://prdownloads.sourceforge.net/ethereal-h323-p/ethereal-h323-plugin-dll-097-004.zip?download

Don't count on it working correctly. I had a version, i think it was from
0.9.4 to 0.9.5, work for me for a couple of days flawlessly until I
reached
a certain kind of message and it would crash. Rebuilding the plugin fixed
that.

Unfortunately I am having some problems building the plugin for 0.9.8,
it seems that the changes to the plugin interface created an include
problem for one of the plugin api interface header files. I'm really
stumped at the moment, other plugins seem to do the sdame include magic...

--
Andreas

On Thu, 23 Jan 2003, Leahy, Kevin wrote:

> I'm just looking at the Ethereal website and I have a question. I'm
> basically a junior java programmer and this low-level network technology is
> going to take me some time to wade through. I want to accomplish a
> particular task and if I can do it with EtherReal, I will put the time in.
> But I would prefer to know in advance if I'm barking up the right tree.
>
> I have a web application running within JBoss on a Linux box. The
> application uses Glue to publish a webservice. I want to snoop the
> webservice and be able to read the soap requests for a short period ( maybe
> 10 minutes ) to resolve a particular issue.

Ethereal doesn't (yet) handle SOAP data explicitly; the transactions would
show up as HTTP. You can still use the Follow TCP Stream feature to view
the SOAP requests as they appear on the wire.

BTW, Westbridge Technology has a modified version of Ethereal that does
handle SOAP explicitly:

http://www.westbridgetech.com/soapmonitordownload.html

I exchanged email with them a while back about merging their changes into
the main distribution.

From: Aharon Shpigel [mailto:aharons@mysticom.com]
> Is there a way to see a errors at Ethernet capture packets.

Only if the packets are not dropped by the network card or the operating
system driver. It is very unlikely that you will see runt packets or
packets with a bad Ethernet CRC. You probably will see packets with a
bad tcp checksum. There are (operating system dependent) ways to get
statistical data on some other types of error, but they do not involve
Ethereal.

> Is there a way to save the capture packets to file via command line?

Look at tethereal.html in your binaries directory (...\Program
Files\Ethereal on Windows.)

----------------
-w

Write packet data to savefile or to the standard output if savefile is
``-''.
----------------

--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."


________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________

You can¡¯t! This is a limitation of Windows and not of Ethereal or WinPcap.

http://winpcap.polito.it/misc/faq.htm#Q-13

-fs

-----Original Message-----
From: gyzhang [mailto:zhangguoying@mail.ritt.com.cn]
Sent: Thursday, April 03, 2003 08:05
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)

Dear Sir,
I am now runing Ethereal on windows 2000. There problem is that I can't capture frames on loopback interface. Can you tell me how I can do that?
Thank you.

Guoying Zhang
Research Institute of
Telecommunication Transmission
Tel:68094272
Email: gyzhang@sina.com;zhangguoying@mail.ritt.com.cn
Address:Beijing Yue Tan South Street No 11
Post Code:100045

On Tue, Apr 22, 2003 at 09:56:42AM -0400, wsladen@synergentcorp.com wrote:
> Below is a screenshot that I get when I display a capture. I am trying to
> locate an issue during the timeframe of this capture and the capture
> displays fine, however, I get this every time I open it. This may be the
> smoking gun I have been looking for but I don't know how to interpret it.
> Can someone please explain why this would be happening?

It could be happending because you are getting traffic to or from TCP
port 1812 that's not Diameter protocol traffic; Ethereal's Diameter
dissector registers for TCP port 1812, so TCP traffic to port 1812 is
dissected by that dissector. That dissector reports some errors in the
packets to the console window; if the traffic isn't Diameter traffic at
all, then the dissector will find lots of stuff it considers to be
errors.

Guy Harris wrote:

>On Tue, Apr 22, 2003 at 09:56:42AM -0400, wsladen@synergentcorp.com wrote:
>> Below is a screenshot that I get when I display a capture. I am trying to
>> locate an issue during the timeframe of this capture and the capture
>> displays fine, however, I get this every time I open it. This may be the
>> smoking gun I have been looking for but I don't know how to interpret it.
>> Can someone please explain why this would be happening?
>
>It could be happending because you are getting traffic to or from TCP
>port 1812 that's not Diameter protocol traffic; Ethereal's Diameter
>dissector registers for TCP port 1812, so TCP traffic to port 1812 is
>dissected by that dissector. That dissector reports some errors in the
>packets to the console window; if the traffic isn't Diameter traffic at
>all, then the dissector will find lots of stuff it considers to be
>errors.
>


You can change the TCP port number from Edit/Preferences.../Protocols/Diameter.

You could set the port number to 0 and then "Save" and "OK" if you are not interesting in Diameter protocol (www.diameter.org).

http://www.ethereal.com/lists/ethereal-users/200108/msg00146.html

On Sun, Nov 09, 2003 at 04:30:36PM +0200, Gil Yaacoby wrote:
> Cellcom ISRAEL ltd. employees are interested in using " Ethereal " and "
> Winpcap 3.x " software .
> Please confirm by E-mail that this software can be used by our
> organization's workers for free.

See the "COPYING" file in the Ethereal source:

http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/COPYING?rev=HEAD&content-type=text/vnd.viewcvs-markup

(i.e., it's GPLed, so the answer is "yes").

On Dec 8, 2003, at 9:27 AM, Leonard A Provid wrote:

> Does Ethereal support decoding USB packets???

There's currently no capture file format we can read that supports USB
packets.

Even for something such as USB-over-IP, nobody's contributed a
dissector.

So there's no USB support in Ethereal.

From: Cyberjeff2003@aol.com

|I just installed Ethereal on my Toshiba 1555 cds Laptop.
|The Laptop is running Windows 2000 and the Lan PDC is NT 4.0.
|When I attempt to run Ethereal I receive the following errors
|in a dos screen:
|<ethereal.exe:684>: Gdk-warning **: gdk_win32_pix
| Map_nnew:depth 16 doesn't match display depth 15.
|This message repeats itself 15 times in the dos screen before
|Ethereal loads. also is I close the dos screen Ethereal
|closes as well.

This warning is from the Win32 GTK+ GDK interface Ethereal uses. Those
warnings seem to pop up every now and then; although they are annoying, they
are harmless. You are probably running Windows in 15-bit colors, which seems
*not* to be supported (at least not without warnings showing up all the
time) by the GDK of the graphical GTK+ interface used by Ethereal.

Regards,

Olivier

Not sure exactly what you want - but if you really are starting from ground level on network protocols you really need to get into books such as listed here http://vig.prenhall.com/catalog/academic/course/0,4095,720,00.html .

Of course there are the RFCs which define internet protocols (www.ietf.org), and online and hardcopy publications from vendors such as Cisco, IBM, Microsoft and even HP!

Of course you could start by turning ethereal on, start capturing, ping your neighbour, fire up your web browser or mail applications and see what ethereal makes of it. Nothing learning by observation.

Hope that helps, Martin


Martin Visser ,CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia

Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com





________________________________

From: ethereal-users-bounces@ethereal.com [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of jlmachado@ses.se.gov.br
Sent: Tuesday, 6 April 2004 6:10 AM
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)



I´m new with ethereal and with protocols.

I would like to have some sites to understand more the protocols in the context of ethereal.

Some hints it will be wellcome.

Thanks in advance

Lyra Machado

On Apr 5, 2004, at 16:16, Visser, Martin wrote:

> Not sure exactly what you want - but if you really are starting from
> ground level on network protocols you really need to get into books
> such as listed here
> http://vig.prenhall.com/catalog/academic/course/0,4095,720,00.html .
>  
> Of course there are the RFCs which define internet protocols
> (www.ietf.org), and online and hardcopy publications from vendors such
> as Cisco, IBM, Microsoft and even HP!
>  
> Of course you could start by turning ethereal on, start
> capturing, ping your neighbour, fire up your web browser or mail
> applications and see what ethereal makes of it. Nothing learning by
> observation.
[snip]

> From: ethereal-users-bounces@ethereal.com
> [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of
> jlmachado@ses.se.gov.br
> Sent: Tuesday, 6 April 2004 6:10 AM
> To: ethereal-users@ethereal.com
> Subject: [Ethereal-users] (no subject)
>
>
> I´m new with ethereal and with protocols.
>
> I would like to have some sites to understand more the protocols in
> the context of ethereal.

A good place for an overview of how protocols fit together is
<http://www.protocols.com>. It's provided by a commercial operation,
and a number of links lead to their product site, but the information
seems good.

Regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large *
Institute for General Semantics | Men are from Earth.
| Women are from Earth.
| Deal with it.
*--------------------------------------*-------------------------------*

That is a WinPCAP bug. Try uninstalling the current WinPCAP (probably 3.0)
and then installing the WinPCAP 3.1 beta or beta-2 (prefer the latter).

WinPCAP can be downloaded from http://winpcap.polito.it/

Regards,

Olivier

-----Original Message-----
From: Jerome Corradin


When going into capture is get the following error

"Can't get list of interfaces: PacketGetAdaperNames: Not enough storage is
available to process this command"

What's the cause of this error and how do I fix it?

On Wed, Jul 21, 2004 at 12:11:13AM -0500, John Niecikowski wrote:
> I am using Ethereal on Windows XP Professional. When the application
> starts, the following message is displayed in the Cmd.exe window:
>
> (ethereal.exe:3496): Gtk-CRITICAL **: file gtkwindow.c: line 3107
> (gtk_window_resize): assertion `height > 0' failed

There's now a FAQ for this:

http://www.ethereal.com/faq#q5.17

As far as I understand winpcap is invoked when you run the 'capture' command from within ethereal. I don't know if there's another way to capture packets withou using ethereal.

Nick

-----Original Message-----
From: ethereal-users-bounces@ethereal.com [mailto:ethereal-users-bounces@ethereal.com] On Behalf Of layfieldr@bellsouth.net
Sent: 16 November 2004 17:14
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have recently downloaded and executed WinPcap_3_0.exe but I cannot find anything to launch. I am trying to run Ethereal network analyzer. Did you guys change the name to winpcap? Last time I did this (over a year ago) it was very simple and straight forward. I cannot find anything to launch on my start/programs or running ethereal from command line....

What am I doing wrong?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com http://www.ethereal.com/mailman/listinfo/ethereal-users

Looks like you are doing the same thing I did originally. I pulled down
WinPCap thinking it was Ethereal, but there is another installation after
the WinPCap.

Go to this link http://www.ethereal.com/distribution/win32/ and you will see
the Ethereal 0.10.7.exe file. Here is the direct link:
http://www.ethereal.com/distribution/win32/ethereal-setup-0.10.7.exe.

Unless I am misunderstanding your problem you did the same thing I did.

Hope this helps.

-----Original Message-----
From: Cresswell Nick-CRSN001 [mailto:CRSN001@motorola.com]
Sent: Tuesday, November 16, 2004 12:31 PM
To: 'Ethereal user support'
Subject: RE: [Ethereal-users] (no subject)

As far as I understand winpcap is invoked when you run the 'capture' command
from within ethereal. I don't know if there's another way to capture
packets withou using ethereal.

Nick

-----Original Message-----
From: ethereal-users-bounces@ethereal.com
[mailto:ethereal-users-bounces@ethereal.com] On Behalf Of
layfieldr@bellsouth.net
Sent: 16 November 2004 17:14
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] (no subject)


I have recently downloaded and executed WinPcap_3_0.exe but I cannot find
anything to launch. I am trying to run Ethereal network analyzer. Did you
guys change the name to winpcap? Last time I did this (over a year ago) it
was very simple and straight forward. I cannot find anything to launch on
my start/programs or running ethereal from command line....

What am I doing wrong?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users

_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users