Ethereal-users: [ethereal-users] One strange thing about the MS Netmon 2.x capture file
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Fabrizio Ammollo <f.ammollo@xxxxxxxxxx>
Date: Thu, 23 Mar 2000 09:13:44 +0100
Hello,
while examining the capture file yesterday, I noted that Ethereal and MS Netmon
don't agree about the decoding of one particular frame (maybe it's not the only
one, but I saw it because it contains data in which I am interested): for
the people who have the capture file itself, the frame is number 564.
Displayed by Ethereal, it is shown as follows:
--- CUT ---
Frame 564 (317 on wire, 317 captured)
Arrival Time: Mar 15, 2000 18:13:11.8650
Time delta from previous packet: 0.003000 seconds
Frame Number: 564
Packet Length: 317 bytes
Capture Length: 317 bytes
Ethernet II
Destination: 00:e0:29:3c:97:40 (00:e0:29:3c:97:40)
Source: 08:00:38:11:0c:f3 (Bull_11:0c:f3)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Currently Unused: 0
Total Length: 303
Identification: 0xfb27
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x6e83 (correct)
Source: 171.1.151.10 (171.1.151.10)
Destination: 171.1.100.16 (171.1.100.16)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 1054 (1054), Seq: 452351915, Ack: 35242
Source port: telnet (23)
Destination port: 1054 (1054)
Sequence number: 452351915
Acknowledgement number: 35242
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 4380
Checksum: 0x08b9
Telnet
Data: \026\030\026\030\026\026\033`\026
--- CUT ---
The strange thing is in the Telnet Data field, because, in reality, the field
is much longer, and MS Netmon (by clicking on the Telnet Data part) shows me
that it arrives at the last byte of the packet.
The dump of the packet done by MS Netmon is the following:
--- CUT ---
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
564 349.782000 Bull 110CF3 00E0293C9740 TELNET To Client With Port = 1054 ONP0 VRU2 IP
Frame: Base frame properties
Frame: Time of capture = 15/03/00 18:13:11.865
Frame: Time delta from previous physical frame: 3000 microseconds
Frame: Frame number: 564
Frame: Total frame length: 317 bytes
Frame: Capture frame length: 317 bytes
Frame: Frame data: Number of data bytes remaining = 317 (0x013D)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00E0293C9740
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 080038110CF3
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 317 (0x013D)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 303 (0x012F)
IP: ID = 0xFB27; Proto = TCP; Len: 303
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 303 (0x12F)
IP: Identification = 64295 (0xFB27)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 255 (0xFF)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x6E83
IP: Source Address = 171.1.151.10
IP: Destination Address = 171.1.100.16
IP: Data: Number of data bytes remaining = 283 (0x011B)
TCP: .AP..., len: 263, seq: 452351915-452352178, ack: 35242, win: 4380, src: 23 (TELNET) dst: 1054
TCP: Source Port = Telnet
TCP: Destination Port = 0x041E
TCP: Sequence Number = 452351915 (0x1AF657AB)
TCP: Acknowledgement Number = 35242 (0x89AA)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 4380 (0x111C)
TCP: Checksum = 0x08B9
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 263 (0x0107)
TELNET: To Client With Port = 1054
TELNET: Telnet Data
00000: 00 E0 29 3C 97 40 08 00 38 11 0C F3 08 00 45 00 ..)<.@..8.....E.
00010: 01 2F FB 27 00 00 FF 06 6E 83 AB 01 97 0A AB 01 ./.'....n.......
00020: 64 10 00 17 04 1E 1A F6 57 AB 00 00 89 AA 50 18 d.......W.....P.
00030: 11 1C 08 B9 00 00 16 18 16 18 16 16 1B 60 16 00 .............`..
00040: 16 0D 16 0A 33 37 20 30 31 20 39 31 37 31 34 35 ....37 01 917145
00050: 39 30 20 30 20 20 20 31 35 2D 30 33 2D 30 30 20 90 0 15-03-00
00060: 20 20 34 38 30 30 37 30 16 0D 16 0A 4C 55 43 41 480070....LUCA
00070: 20 43 49 52 4F 20 54 41 52 41 4E 54 49 4E 4F 20 CIRO TARANTINO
00080: 45 20 4D 41 44 52 45 20 49 56 41 4E 41 16 0D 16 E MADRE IVANA...
00090: 0A 46 52 41 4E 43 45 53 43 41 20 5A 49 54 4F 16 .FRANCESCA ZITO.
000A0: 0D 16 0A 16 0D 16 0A 43 4F 4E 54 4F 20 20 44 49 .......CONTO DI
000B0: 56 49 53 41 20 20 20 20 20 20 20 20 20 20 20 53 VISA S
000C0: 41 4C 44 4F 20 4C 49 52 45 20 20 20 20 20 20 20 ALDO LIRE
000D0: 53 41 4C 44 4F 20 45 55 52 4F 20 20 55 4C 54 2E SALDO EURO ULT.
000E0: 41 47 47 2E 20 4E 4F 54 45 16 0D 16 0A 16 0D 16 AGG. NOTE.......
000F0: 0A 33 37 2D 30 31 2D 30 20 49 54 4C 20 20 20 20 .37-01-0 ITL
00100: 20 20 20 20 20 20 20 20 20 20 20 20 35 36 2E 36 56.6
00110: 35 34 4E 20 20 20 20 20 20 20 20 20 20 20 32 39 54N 29
00120: 2C 32 36 4E 20 20 31 33 2D 30 33 2D 30 30 16 0D ,26N 13-03-00..
00130: 16 0A 2A 16 0D 16 0D 0A 0C 16 00 16 0A ..*..........
--- CUT ---
Ethereal stops before the '\0' on the line containing the " ` " character,
whereas, when I click on the Telnet Data field, Netmon shows in bold typeface
the whole part up to the last byte of the packet (and it's correct).
It is to be noted that by choosing "Follow TCP stream" the entire output of
the data flow is correct, so here I suspect some other problem (maybe related
to the GUI only?).
It's certainly not a critical problem, but it's strange...
--
Bye,
Fabrizio Ammollo.
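The discrepancy described in the post, as an added example that is not part of the original message nor code from Ethereal or Netmon: a Python re-parse of frame 564 from the Netmon hex dump above, comparing a NUL-terminated (C string) rendering of the Telnet data with a length-bounded one. It assumes only the bytes copied from the dump; since just the first 80 bytes of the frame are embedded, the payload present is shorter than the 263 bytes the IP and TCP headers declare, which the code reports rather than hides.

```python
import struct

# Added example (not code from Ethereal, Netmon or the original post).
# First 80 bytes of frame 564, copied from the Netmon hex dump in the message:
# Ethernet + IP + TCP headers and the start of the Telnet data. The remaining
# 237 bytes of the frame are deliberately not embedded here.
FRAME_564_PREFIX = bytes.fromhex(
    "00E0293C9740080038110CF308004500"   # Ethernet header, IP version/IHL, TOS
    "012FFB270000FF066E83AB01970AAB01"   # IP: total length 303, proto TCP, addresses
    "64100017041E1AF657AB000089AA5018"   # TCP: ports 23 -> 1054, seq, ack, offset, PSH/ACK
    "111C08B900001618161816161B601600"   # TCP: window, checksum, urgent ptr; data starts
    "160D160A333720303120393137313435"   # more Telnet data after the 0x00 byte
)

def telnet_payload(frame: bytes):
    """Walk Ethernet/IPv4/TCP headers; return (declared payload length, bytes present)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    ip_total_len = struct.unpack_from("!H", frame, ip_off + 2)[0]
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = ip_off + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload_off = tcp_off + data_off
    declared = ip_total_len - ihl - data_off          # 303 - 20 - 20 = 263 for frame 564
    return declared, frame[payload_off:payload_off + declared]

def render_bounded(data: bytes) -> str:
    """Show every byte up to the given length, non-printables as octal escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b
                   for b in data)

def render_c_string(data: bytes) -> str:
    """Show the data as a NUL-terminated C string print would: stop at the first 0x00."""
    end = data.find(b"\x00")
    return render_bounded(data if end < 0 else data[:end])

def analyse_frame(frame: bytes) -> dict:
    declared, data = telnet_payload(frame)
    return {
        "declared_len": declared,                 # what the IP/TCP headers say the payload is
        "present_len": len(data),                 # how much of it this (partial) frame holds
        "c_string_view": render_c_string(data),   # the truncated display seen in Ethereal
        "bounded_view": render_bounded(data),     # what a length-aware display shows
    }

if __name__ == "__main__":
    for key, value in analyse_frame(FRAME_564_PREFIX).items():
        print(f"{key:14} {value}")
```

The `c_string_view` reproduces exactly the `\026\030\026\030\026\026\033`\026` string Ethereal printed, while `bounded_view` continues past the `\000` with the data Netmon shows in bold.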