Mailing List Archive

> I want to compile ethereal-0.8.18

Actually, you want to compile ethereal 0.8.20, as that's the current
version...

> ../../libtool: test: argument expected

...and the release tarball for 0.8.20, unlike the tarball for 0.8.18,
was built with an older version of libtool, so it doesn't run into that
annoying libtool bug, introduced in libtool 1.4.

> Can you help me ?

Throw away 0.8.18, download 0.8.20, and try that.

Hi. I am wondering how I can use the filter option in Ethereal for
Win2k.



What do I type to filter out all but a singel protocol f.ex.?
Or want to select only one computer or select anyone except one
computer..?



Regards



Morten

Thank you very much
Rodrigo

Guy Harris <guy@netapp.com> wrote:

>> I want to compile ethereal-0.8.18
>
>Actually, you want to compile ethereal 0.8.20, as that's the current
>version...
>
>> ../../libtool: test: argument expected
>
>...and the release tarball for 0.8.20, unlike the tarball for 0.8.18,
>was built with an older version of libtool, so it doesn't run into that
>annoying libtool bug, introduced in libtool 1.4.
>
>> Can you help me ?
>
>Throw away 0.8.18, download 0.8.20, and try that.
>


__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

> Hi. I am wondering how I can use the filter option in Ethereal for
> Win2k.

Capture filters, or display filters?

In either case, you use them the same way you use them in Ethereal for
any other platform (modulo differences in the capture filters that the
version of libpcap being used on that platform accepts).

> What do I type to filter out all but a singel protocol f.ex.?

For capture filters, check out the tcpdump man page, or, on Windows, the
WinDump man page:

http://netgroup-serv.polito.it/windump/docs/manual.htm

for a description of the syntax. Only some protocols can be tested;
some of them let you filter by name (e.g., "ip", "tcp", "udp"), some
others would require you to check the numerical value of some field
(e.g., "ip proto 132" for SCTP), and some others can't be filter out at
all (e.g., HTTP, or NFS, or SMB, or ONC or DCE RPC - you can, at best,
filter based on port numbers, which would work for SMB, and for all but
a probably-negligible amount of NFS traffic, and for most HTTP traffic,
but not for other ONC RPC traffic other than the portmapper or DCE RPC
traffic other than whatever stuff it runs at a fixed port number).

For display filters - which don't control what traffic gets captured,
they control only what traffic is currently being displayed - see the
Ethereal man page for a complete list of protocols that can be filtered.

> Or want to select only one computer

For capture filters:

host {hostname or IP address}

should work to select only traffic to or from that host. (That'll
probably get only IP traffic - not, for example, ARP traffic - unless
the host name happens to map to a MAC address in the ethers file or NIS
database for that file.)

For display filters, you can check the source and destination IP
addresses of packets with

ip.addr == {hostname or IP address}

and there's a similar field for IPv6, as well as fields for link-layer
and other addresses.

> or select anyone except one computer..?

Precede the filter expression with "not" (it shouldn't require that you
surround the filter expression with parentheses, as the above are simple
expressions).

On Tue, Nov 05, 2002 at 11:17:03AM -0800, Michele Bustos wrote:
> regardless of the fact that my checksum is bad, shouldn't I see an address
> next to source and destination for the ipv6 header?

Yes, you should. When I read your capture file, I do - in the "Source"
and "Destination" columns in the packet list (topmost) pane, there are
IPv6 addresses, and they also appear in the detail (middle) pane in the
"Source address" and "Destination address" fields.

If, however, you are running on Windows, a bug - fixed in the current
CVS tree, so it'll be fixed in the next release - causes the "Source"
and "Destination" columns in the topmost pane to be blank for IPv6
addresses.

yep, win2k!
thanks!
/m

-----Original Message-----
From: Guy Harris [mailto:gharris@sonic.net]
Sent: Tuesday, November 05, 2002 11:54 AM
To: Michele Bustos
Cc: 'ethereal-users@ethereal.com'
Subject: Re: [Ethereal-users] question


On Tue, Nov 05, 2002 at 11:17:03AM -0800, Michele Bustos wrote:
> regardless of the fact that my checksum is bad, shouldn't I see an address
> next to source and destination for the ipv6 header?

Yes, you should. When I read your capture file, I do - in the "Source"
and "Destination" columns in the packet list (topmost) pane, there are
IPv6 addresses, and they also appear in the detail (middle) pane in the
"Source address" and "Destination address" fields.

If, however, you are running on Windows, a bug - fixed in the current
CVS tree, so it'll be fixed in the next release - causes the "Source"
and "Destination" columns in the topmost pane to be blank for IPv6
addresses.

Sorry,

Hi, I from caracas-venezuela.

I installed ethereal, and I test CAPTURE process, but I didn´t see any paquets.

My configuration PC is:

Intel pentium IV

128 MB ram

One network card (VIA 10/100 Fast Ethernet)

Windows ME

I need any thing else?








Francis E. Ferrer Z. Caracas - Venezuela

---

Charla con tus amigos en línea mediante MSN Messenger: http://g.msn.com/8HMKES/2728??PS="]Haz clic aquí

On Tue, May 20, 2003 at 06:08:36PM +0000, Fr@ncis FERRER wrote (in HTML;
not everybody's mail software handles HTML mail well, so please use
plain-text mail if you can):

>I installed ethereal, and I test CAPTURE process, but I didn´t see
>any paquets.
>My configuration PC is:
>Intel pentium IV
>128 MB ram
>One network card (VIA 10/100 Fast Ethernet)
>Windows ME

Are you trying to capture packets being sent by the machine running
Ethereal and packets being sent to that machine, or are you trying to
capture packets being sent between two *other* machines?

If you're trying to capture packets being sent between two other
machines, see:

http://www.ethereal.com/faq.html#q5.1

If you're trying to capture packets being sent by the machine running
Ethereal and packets being sent to the machine running Ethereal, you
should try capturing with WinDump:

http://windump.polito.it/

If you still don't see any packets, this is a problem with WinPcap; you
should report it to the developers of WinPcap - see the page at

http://winpcap.polito.it/contact.htm

for instructions on how to do so.

I don't know, myself, but I have a nice big archive of the mailing list
here. So here are a few previous messages that you might find helpful.

http://www.ethereal.com/lists/ethereal-users/200304/msg00183.html:
FWIW From my testing so far:
- Ethereal can capture on a loopback address at speeds up to 2.8GBit/s
on a
2x1.5GHzP4 IBM Intellistation running Linux.
- Ethereal can capture on 100Mbit/s Ethernet in both directions on
crappy
old Pentium II with 64MB RAM without dropping a frame when running
Linux.
- I have yet to be able to capture more than 50-60Mbit/s on a Win32
machine
without significant (>10%) packet loss. Ethereal on Win32 can't
capture from
the loopback.

See also
http://www.ethereal.com/lists/ethereal-users/200212/msg00068.html

http://www.ethereal.com/lists/ethereal-users/200203/msg00144.html

http://www.ethereal.com/lists/ethereal-users/200203/msg00149.html

--
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@schenck.co.uk


-----Original Message-----
From: Jannet Vanessa Carrera Herrera [mailto:jvch@itesm.mx]
Sent: 13 June 2003 17:30
To: ethereal-users@ethereal.com
Subject: [Ethereal-users] question
Importance: High


Hi !
I´m a ethereal user, I think it helps me a lot but, I have a doubt
I would like to know what is the ethereal sensing speed. I would like to
be pretty sure about, -i have getting all my video traffic, which I´m
anlyzing.

greetings!


Vanessa Carrera

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________

Frantisek Bretti,
> can you help me with my problem, please? I am not able to capture frame
> smaller then 60B. Is it in order? Thank you.
>

An Ethernet frame is at least 64 bytes (60 bytes+4 bytes CRC) when sent over the wire.

The Ethernet CRC is often not visible in Ethereal.

Please note that packets that are sent from the computer where you are doing the capture
may appear as being less than 60 bytes, but will be padded before sent out on the wire.

A *must have* if you are serious.
www.google.com is pretty good too :-)

TCP/IP Illustrated, Volume 1: The Protocols, 2/E


W. Richard Stevens

ISBN: 0-201-63346-9
Publisher: Addison Wesley Professional
Copyright: 1994
Format: Cloth; 600 pp
Published: 12/31/1993


----- Original Message -----
From: Jim Horwath <jim.horwath@rcn.com>
Date: Tuesday, November 30, 2004 2:18 pm
Subject: [Ethereal-users] Question

> Hi,
>
> I hope this question doesn't offend anyone, so here goes. I
> have been reading this list for several weeks. I really
> want to learn how to read packets with Ethereal. I am going
> to take a SANS class in a few weeks on packet analysis. Are
> there any good resources available to help me get a jump
> start and to help me learn more about what I am capturing.
> Being able to decipher traffic will help me in my job, plus
> I think it is pretty cool. Thanks in advance.
>
> Jim
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>

Another one that I use is:

Internetworking with TCP/IP
Principles, Protocols and Architectures
Fourth Edition
Douglas E. Comer
ISBN 0-13-018380-6

While I really like the Stevens book, in some areas it is quite out of date

At 11:41 AM 11/30/2004, jrhendri@maine.rr.com wrote:
>A *must have* if you are serious.
>www.google.com is pretty good too :-)
>
>TCP/IP Illustrated, Volume 1: The Protocols, 2/E
>
>
>W. Richard Stevens
>
>ISBN: 0-201-63346-9
>Publisher: Addison Wesley Professional
>Copyright: 1994
>Format: Cloth; 600 pp
>Published: 12/31/1993
>
>
>----- Original Message -----
>From: Jim Horwath <jim.horwath@rcn.com>
>Date: Tuesday, November 30, 2004 2:18 pm
>Subject: [Ethereal-users] Question
>
> > Hi,
> >
> > I hope this question doesn't offend anyone, so here goes. I
> > have been reading this list for several weeks. I really
> > want to learn how to read packets with Ethereal. I am going
> > to take a SANS class in a few weeks on packet analysis. Are
> > there any good resources available to help me get a jump
> > start and to help me learn more about what I am capturing.
> > Being able to decipher traffic will help me in my job, plus
> > I think it is pretty cool. Thanks in advance.

Mark Slinger wrote:

> Do you plan to implement protocol decode support for TCP Optimisation
> tools such as that of www.FlashNetworks.com
> <http://www.flashnetworks.com/> ?

http://www.ethereal.com/faq#q1.6

We, collectively, don't have any plans to add any protocol support of
any sort; protocol dissection support is up to individuals.

> It is my understanding that if someone collects IP trace data from a
> network node which is using a compression tool then currently Ethereal
> would not be capable of decoding the TCP and following service protocols
> as they would be in a proprietary compression format.

If it's proprietary *and* secret, it would require reverse-engineering
of the compression scheme. Otherwise, it'd require a spec of some sort.

In both cases, it'd require somebody with the time to implement it and
an interest in implementing it; as per the FAQ item cited above, that's
what's required for *any* protocol to be handled.

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

Pici, Louis wrote:
> -------------------
> The Ethereal project is being continued at a new site. Please go to
> http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
> Don't forget to unsubscribe from this list at
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -------------------
>
>
>
> ------------------------------------------------------------------------
>
> Not sure what I'm missing here, but every time I go to export to csv
> file and name the file it says "the path to the file "" doesn't exist"

As indicated by the text above, which was added to your message by the
software for the Ethereal mailing lists; no Ethereal development is
being done any more; development has moved to the Wireshark project, at

http://www.wireshark.org/

The bug you describe (bug 894 in the bug database) is fixed in the
current version of Wireshark; as I remember, that's a Windows-only bug,
so you're presumably running on Windows, in which case you should
download the Windows installer for Wireshark 0.99.3 from the page at

http://www.wireshark.org/download.html

and run the installer.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users