Ethereal-dev: Re: [Ethereal-dev] about aodv and udp?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Wed, 16 Apr 2003 23:14:05 +1000
Ah, but this is a feature and not a bug. It really is, and it shows why
the filtering capabilities in Ethereal are superior to anything else.


You want only packets where the IP layer has the protocol field specified
as 0x11 (UDP).
Ethereal will filter the packet list and display every single packet that
contains an IP header where the
protocol field is 0x11.

If you look into the ICMP packet that Ethereal "failed" to filter, you will
see that it contains
an IP header with protocol field == UDP.

I.e. your packet looks like :
Ethernet
IP   (protocol field == ICMP)
ICMP
IP   (protocol field == UDP/0x11)
UDP header
   and depending on the implementation of the host that generated the packet
you may get even other headers here.


Same thing with filters like "nfs".
It will find all occurrences of the NFS protocol in the capture file,
regardless of whether
NFS is transported over UDP/TCP or encapsulated inside an ICMP packet.


Other sniffers may not detect that your ICMP packet contains IP.PROTO==0x11
(since they
often, to be fast enough to almost be able to do filtering in realtime)
They will be very nice and silently translate the IP.PROTOCOL==UDP filter
into something like
"IF the two bytes at position xx in the frame have the value 0x0011 THEN
Match"

This makes filtering fast.
It also makes filtering unable to pick up the packets above in your
capture.
Big Deal?
Well it also makes that kind of filtering fail to detect NFS packets if for
some reason one of the
hosts suddenly starts adding optional headers in say the ip or tcp header,
like if it would add timestamp headers or sack something.
That shortcut makes them "miss" packets that really are NFS but just happen
to have a slightly different
offset to where the NFS header starts due to lower layer headers changing
size.
Those sniffers often can never find NFS packets transported inside tunneled
IP protocols either, for
the very same reason.
BIG DEAL!


I myself never use the filtering functions on non-Ethereal sniffers any more
for this reason.
If you can not trust filtering to only filter those packets you asked it to,
then it is pointless to filter at all.


The AODV6 question I cannot help you with, since I am not familiar with that
protocol.


best regards
    ronnie sahlberg

----- Original Message -----
From: "Johnny Choque"
Sent: Wednesday, April 16, 2003 10:46 PM
Subject: [Ethereal-dev] about aodv and udp?


> Hello, I am using ethereal 0.9.9 with libpcap 0.7.1, when I try to
> filter UDP packet using the following filter:
>
> ip.proto==0x11 or another same
>
> I get as result both UDP and ICMP packets. Why are ICMP packets not
> filtered?
>
> On the other hand, when I capture AODV traffic based on IPv4 and I
> disable the AODV6 dissector, Ethereal shows AODV packets as UDP packets
> and, of course, the UDP data is not dissected. What happens with the AODV
> dissector (not AODV6)?
>
> Johnny
>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
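The behaviour Ronnie describes, as an added example that is not code from the thread or from Ethereal: an ICMP port-unreachable error quotes the original IP header, so a filter that tests every IP header in the frame matches it, while a sniffer that compares one byte at a fixed frame offset does not. The frame builders and the two filter functions are hypothetical helpers written for this illustration; the frames are constructed by hand with zero checksums.

```python
# Added example (not code from the Ethereal thread): "ip.proto == 0x11" tested
# against every IP header in a frame, as Ethereal does, versus a fixed-offset
# byte compare. Frames are constructed by hand; checksums are left as zero.
import struct

ETH_LEN = 14
IPPROTO_ICMP, IPPROTO_UDP = 1, 17

def ip_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (IHL 5, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src, dst)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def ip_protocols(frame):
    """Yield the protocol field of every IP header in the frame, descending
    into the IP header that an ICMP error (type 3 or 11) quotes in its payload."""
    pkt = frame[ETH_LEN:]
    while len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        yield proto
        if proto != IPPROTO_ICMP or len(pkt) < ihl + 8:
            return
        if pkt[ihl] not in (3, 11):  # ICMP type: dest unreachable / time exceeded
            return
        pkt = pkt[ihl + 8:]  # skip the 8-byte ICMP header; the inner IP follows

def deep_match(frame, proto):
    """Ethereal-style: match if any IP header in the frame carries this proto."""
    return proto in ip_protocols(frame)

def fixed_offset_match(frame, proto):
    """Shortcut-sniffer style: compare the single byte at a fixed position."""
    return frame[ETH_LEN + 9] == proto

# Constructed sample frames: a plain UDP datagram to the NFS port, and the
# ICMP port-unreachable a host might send back, quoting that datagram's IP
# header plus the first 8 bytes of UDP.
ETH = b"\x00" * 12 + b"\x08\x00"
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
UDP_DGRAM = udp_header(12345, 2049, 4) + b"nfs!"
UDP_FRAME = ETH + ip_header(IPPROTO_UDP, A, B, len(UDP_DGRAM)) + UDP_DGRAM
INNER = ip_header(IPPROTO_UDP, A, B, len(UDP_DGRAM)) + UDP_DGRAM[:8]
ICMP_PKT = struct.pack("!BBHI", 3, 3, 0, 0) + INNER
ICMP_FRAME = ETH + ip_header(IPPROTO_ICMP, B, A, len(ICMP_PKT)) + ICMP_PKT
```

Running `deep_match(ICMP_FRAME, IPPROTO_UDP)` returns True because the quoted inner header has protocol 0x11, while `fixed_offset_match(ICMP_FRAME, IPPROTO_UDP)` returns False because the outer header's protocol byte is ICMP.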