Hi all,

This one is probably for Ronnie :-)
I believe that tethereal -z "io,users,ip,..." has the stats in the wrong
direction for the frame and byte count. Comparing the dumps (for the
same capture file but with "ip" and "udpip" users being counted),
clearly the counts of frames should be going in the direction towards
the 255.255.255.255 broadcast address. "udpip" makes sense, "ip"
doesn't.
$ tethereal -r smb-read.pcap.gz -R "null" -z "io,users,ip,ip.addr==16.172.41.74"
================================================================================
IO-USERS Statistics
Type:ip
Filter:ip.addr==16.172.41.74
                                   |       <-      | |       ->      | |     Total     |
                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
255.255.255.255 <-> 16.172.41.74         0       0         1      60         1      60
================================================================================
$ tethereal -r smb-read.pcap.gz -R "null" -z "io,users,udpip,ip.addr==16.172.41.74"
================================================================================
IO-USERS Statistics
Type:udp
Filter:ip.addr==16.172.41.74
                                             |       <-      | |       ->      | |     Total     |
                                             | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
255.255.255.255:2301 <-> 16.172.41.74:2301         1      60         0       0         1      60
================================================================================
I had a quick look at the code in "tap-iousers.c", but I can't confirm
where it is going wrong. I noticed some swapping/ordering going on that
looks a bit suss???
    /* Order the endpoint pair so that the numerically larger address is
     * always addr1; both directions of a conversation then share one row. */
    if(iph->ip_src>iph->ip_dst){
        addr1=iph->ip_src;
        addr2=iph->ip_dst;
    } else {
        addr2=iph->ip_src;
        addr1=iph->ip_dst;
    }
Martin

Martin Visser, CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670   Mobile: +61-411-254-513
Fax: +61-2-9022-1800   E-mail: martin.visserAThp.com
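To make the direction bookkeeping concrete, here is a small added C model of one io,users row (written for this discussion, not code from tethereal or tap-iousers.c). It uses the same "larger address becomes addr1" ordering quoted above and then attributes each frame to the "<-" or "->" column by comparing the frame's real destination with the row's canonical addr1. The helper names (ip4, canonical_pair, row_init, row_count, demo_row) and the sample frame (16.172.41.74 to 255.255.255.255, 60 bytes, mirroring the post's capture) are assumptions constructed for the example; the point it shows is that the direction test must use the frame's own src/dst, not the swapped locals, or the two columns come out inverted exactly as in the "ip" output above.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* One row of an io,users style table. addr1/addr2 are the canonical
 * (ordered) endpoints; the "<-" column counts frames sent from addr2
 * towards addr1, the "->" column frames sent from addr1 towards addr2. */
typedef struct {
    uint32_t addr1, addr2;
    unsigned frames_to_a1, bytes_to_a1;   /* "<-" column */
    unsigned frames_to_a2, bytes_to_a2;   /* "->" column */
} iousers_row;

/* Helper (not from tap-iousers.c): dotted-quad text to host-order value. */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Canonical ordering of the endpoint pair, mirroring the swap quoted in the
 * post: the numerically larger address always becomes addr1. */
static void canonical_pair(uint32_t src, uint32_t dst, uint32_t *a1, uint32_t *a2)
{
    if (src > dst) { *a1 = src; *a2 = dst; }
    else           { *a1 = dst; *a2 = src; }
}

static void row_init(iousers_row *row, uint32_t src, uint32_t dst)
{
    canonical_pair(src, dst, &row->addr1, &row->addr2);
    row->frames_to_a1 = row->bytes_to_a1 = 0;
    row->frames_to_a2 = row->bytes_to_a2 = 0;
}

/* Attribute one frame to the row. The direction test compares the frame's
 * real destination with the row's canonical addr1; testing the swapped
 * locals a1/a2 instead of the frame's own src/dst would flip the
 * "<-" and "->" columns. Returns 0 if the frame is not this conversation. */
static int row_count(iousers_row *row, uint32_t src, uint32_t dst, unsigned len)
{
    uint32_t a1, a2;
    canonical_pair(src, dst, &a1, &a2);
    if (a1 != row->addr1 || a2 != row->addr2)
        return 0;
    if (dst == row->addr1) { row->frames_to_a1++; row->bytes_to_a1 += len; }
    else                   { row->frames_to_a2++; row->bytes_to_a2 += len; }
    return 1;
}

/* Constructed sample matching the post: one 60-byte frame from
 * 16.172.41.74 towards the 255.255.255.255 broadcast address. */
static iousers_row demo_row(void)
{
    iousers_row row;
    uint32_t host = ip4("16.172.41.74"), bcast = ip4("255.255.255.255");
    row_init(&row, host, bcast);
    row_count(&row, host, bcast, 60);
    return row;
}

/* Same row after a constructed 100-byte reply from the broadcast side,
 * so both columns carry a count. */
static iousers_row demo_row_both_ways(void)
{
    iousers_row row = demo_row();
    row_count(&row, ip4("255.255.255.255"), ip4("16.172.41.74"), 100);
    return row;
}

static void fmt_ip4(uint32_t a, char buf[16])
{
    snprintf(buf, 16, "%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

static void print_row(const iousers_row *row)
{
    char a1[16], a2[16];
    fmt_ip4(row->addr1, a1);
    fmt_ip4(row->addr2, a2);
    printf("%15s <-> %-15s %6u %9u %6u %9u %6u %9u\n", a1, a2,
           row->frames_to_a1, row->bytes_to_a1,
           row->frames_to_a2, row->bytes_to_a2,
           row->frames_to_a1 + row->frames_to_a2,
           row->bytes_to_a1 + row->bytes_to_a2);
}

int main(void)
{
    iousers_row row = demo_row();
    print_row(&row);   /* 255.255.255.255 <-> 16.172.41.74   1  60  0  0  1  60 */
    return 0;
}
```

Running it prints the row the way the udpip output does: the single frame lands in the "<-" column because its destination is the canonical addr1 (the broadcast address), which is the result the post argues the "ip" type should also give.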