The same packet will most likely appear several times, especially if it
passed the FW. FW monitor (until FW-1 NG FP3), would place 'fw monitor' in 4
locations:
1. Before the FW's virtual machine, inbound direction ('i')
2. After the FW's virtual machine, inbound direction ('I')
3. Before the FW's virtual machine, outbound direction ('o')
4. After the FW's virtual machine, outbound direction ('O').
Therefore, a packet that was not manipulated (encrypted, NAT, etc.), and was
accepted, will be seen multiple times.
In FP3 and above, the ability to place the monitoring anywhere in the chain
was added.
HTH,
Y.
-----Original Message-----
From: ethereal-dev-admin@xxxxxxxxxxxx
[mailto:ethereal-dev-admin@xxxxxxxxxxxx]On Behalf Of Guy Harris
Sent: Tuesday, December 10, 2002 2:21 AM
To: Alfred Koebler
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] FW1 monitor dissector patch for additional
column
By the way, I infer from the comment at the beginning of "packet-fw1.c"
that the same packet can occur multiple times in the log file; is that
the case? If so, then note that many stateful dissectors in Ethereal
might be confused by this and, for example, report them as
retransmissions.
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev