Ethereal-dev: Re: [Ethereal-dev] Remote filtering with ethereal ???

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Alexander W. Janssen" <alexander.janssen@xxxxxx>
Date: Tue, 29 Jun 2004 06:17:58 +0200
On Mon, Jun 28, 2004 at 09:45:35PM +0200, Pierre JUHEN wrote:
> I would like to use ethereal in the following configuration :
> 
> I have a remote site with a high volume. On this site, I would like to put
> a PC to capture and filter the traffic to get only very few packets, using
> tethereal probably.
> 
> I would like the filtered packet to be sent real time to a central console
> and diplayed using ehteral.
>
> How could I do that ?

With recent versions of tethereal[1] and the help of netcat
(http://netcat.sourceforge.net/) you can do it as follows. hosta 
does the capturing, hostb is the host with does displaying:

hostb# nc -l -p 4711 | tethereal -n -l -i -
hosta# tethereal -l -F libpcap -i ppp0 -w - $filterexpression | nc hostb 4711

With the GUI version of ethereal you have to use a little trick, since it does
not seem to read from stdin; but it can read from pipes (correct me if
i'm wrong):

hostb# mkfifo mypipe
hostb# nc -l -p 4711 >> mypipe
hostb# ethereal &
  --> Capture -> Start
  --> Interface: $PATH/mypipe

hosta# tethereal -l -F libpcap -i ppp0 -w - $filterexpression | nc hostb 4711

Maybe there are better methods than this one, but this works for me. Using UDP
with netcat might be even a better idea, but i never used it (yet). If you are
very paranoid you could use openssl to encrypt the raw-data on the fly...

> Regards,
> 
> Pierre

HTH, Alex.

[1] 0.9.4 which is included with Debian Woody does not work. It does not like
to write to pipes. 0.10.4 works perfectly.


-- 
This is my signature. There are many of them, but this one is mine.

Attachment: pgpwxfeN463vL.pgp
Description: PGP signature