Ethereal-users: RE: [Ethereal-users] yet another filter question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Broggy, David" <David.Broggy@xxxxxx>
Date: Thu, 24 Jan 2002 15:31:21 -0600
Title: RE: [Ethereal-users] yet another filter question

You're amazing, Guy. So let me share with you all what I was working on.
We had a misconfigured pc with the wrong ipx network number (should be network 101, not b0b0b0b0).
I turned on an ipx-capable network printer and observed how it learns its ipx number.
It sends out an "IPX SAP Nearest Query" (offset 44, hex 0x0003) and expects back an
"IPX SAP Nearest Response" (offset 44, hex 0x0004). Thus by sniffing for b0b0b0b0 and 0004 I can
trap misconfigured PCs. Of course, since the traffic is directed and not a broadcast, I would have
to monitor by vlan on our closet switches.


For quick sniffs like this, I'll take Ethereal over Network General any day.
Tx. again and keep the good tips coming.

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Thursday, January 24, 2002 1:49 PM
To: Guy Harris
Cc: Broggy, David; 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] yet another filter question


> > For example, take the following code:
> >
> > 0000  ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff   .......@h.=&.`..
> > 0010  00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52   .`.............R
> > 0020  b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63   .....@h.=&.R...c
> > 0030  45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00   ESI1785126......
> > 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> > 0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> > 0060  00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01         .....@h.=&@...

By the way, that looks like an 802.3 packet with:

        destination address ff:ff:ff:ff:ff:ff (broadcast)
        source address 00:40:68:1b:3d:26
        packet length hex 0060 (96)

with a payload beginning with 0xffff, i.e. a NetWare Ethernet_802.3 IPX
packet.  In fact, after text2pcapifying it, it's a Service Advertisement
Protocol packet, and the b0b0b0b0 at an offset of 20 is the destination
network field in the IPX header.

However, libpcap doesn't know enough IPX to let you check for that
conveniently.

You might, however, want to try the filter

        ipx and link[26:4] = 0xb0b0b0b0

just to make sure it doesn't check non-IPX packets, if what you *really*
want is to capture IPX packets sent to b0b0b0b0 as the destination
network.
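As an added example, not code from this thread or from Ethereal/libpcap, the script below re-keys the frame quoted above (labelled as constructed input), decodes the 802.3 header, the 30-byte IPX header and the SAP operation word, and then builds a `link[]` capture filter from the byte offsets it computes. It assumes the Ethernet_802.3 raw encapsulation shown in the dump (a length field followed directly by the 0xffff IPX checksum) and that libpcap's `link[n]` counts from the first byte of the Ethernet header; Ethernet II, 802.2 or SNAP encapsulated IPX would shift every offset, so the parser rejects those frames rather than silently reading the wrong bytes. The function and field names are the example's own.

```python
"""Decode an Ethernet_802.3 raw IPX/SAP frame and derive a libpcap link[] filter."""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed input: the frame from the hex dump in the thread, re-keyed as bytes.
FRAME_HEX = (
    "ffffffffffff0040681b3d260060ffff"
    "00600004b0b0b0b0ffffffffffff0452"
    "b0b0b0b00040681b3d26045200020363"
    "45534931373835313236000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "000000000040681b3d26400b0001"
)
FRAME = bytes.fromhex(FRAME_HEX)

ETH_HDR_LEN = 14          # dst MAC + src MAC + 802.3 length field
IPX_HDR_LEN = 30          # fixed IPX header size
SAP_SOCKET = 0x0452       # NetWare Service Advertising Protocol socket
SAP_OPS = {1: "General Query", 2: "General Response",
           3: "Nearest Query", 4: "Nearest Response"}

# Byte offsets from the start of the Ethernet header (what link[n] indexes).
OFF_DST_NET = ETH_HDR_LEN + 6              # after checksum, length, tc, type -> 20
OFF_SAP_OP = ETH_HDR_LEN + IPX_HDR_LEN     # first word of the SAP payload -> 44


@dataclass
class IpxFrame:
    dst_mac: str
    src_mac: str
    length: int
    ipx_type: int
    dst_net: int
    dst_node: str
    dst_socket: int
    src_net: int
    src_node: str
    src_socket: int
    sap_op: Optional[int]   # None when the packet is not addressed to the SAP socket


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ipx_frame(frame: bytes) -> IpxFrame:
    """Parse an 802.3 raw IPX frame; raise ValueError for other encapsulations."""
    if len(frame) < ETH_HDR_LEN + IPX_HDR_LEN:
        raise ValueError("frame too short for 802.3 + IPX headers")
    dst, src, length = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if length > 1500:
        # An EtherType, i.e. Ethernet II framing: the IPX header would start here,
        # but the checks below (and the offsets) only hold for raw 802.3.
        raise ValueError(f"0x{length:04x} is an EtherType, not an 802.3 length")
    if frame[ETH_HDR_LEN:ETH_HDR_LEN + 2] != b"\xff\xff":
        # 802.2 LLC (e0 e0 03) or SNAP would sit here instead of the IPX checksum.
        raise ValueError("payload does not start with 0xffff: not Ethernet_802.3 raw IPX")
    (_cksum, _ipx_len, _tc, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = struct.unpack("!HHBBI6sHI6sH",
                                         frame[ETH_HDR_LEN:ETH_HDR_LEN + IPX_HDR_LEN])
    sap_op = None
    if dsock == SAP_SOCKET and len(frame) >= OFF_SAP_OP + 2:
        sap_op = struct.unpack("!H", frame[OFF_SAP_OP:OFF_SAP_OP + 2])[0]
    return IpxFrame(_mac(dst), _mac(src), length, ptype, dnet, _mac(dnode), dsock,
                    snet, _mac(snode), ssock, sap_op)


def matches(frame: bytes, dst_net: int, sap_op: int) -> bool:
    """Python equivalent of the capture filter: IPX to dst_net carrying SAP op sap_op."""
    try:
        p = parse_ipx_frame(frame)
    except ValueError:
        return False
    return p.dst_net == dst_net and p.sap_op == sap_op


def bpf_filter(dst_net: int, sap_op: int) -> str:
    """Build the libpcap expression from the offsets computed above (assumed link[] semantics)."""
    return (f"ipx and link[{OFF_DST_NET}:4] = 0x{dst_net:08x} "
            f"and link[{OFF_SAP_OP}:2] = 0x{sap_op:04x}")


if __name__ == "__main__":
    p = parse_ipx_frame(FRAME)
    print(f"{p.src_mac} -> {p.dst_mac}, 802.3 length {p.length}, IPX type {p.ipx_type}")
    print(f"dst net 0x{p.dst_net:08x} node {p.dst_node} socket 0x{p.dst_socket:04x}")
    print(f"src net 0x{p.src_net:08x} node {p.src_node} socket 0x{p.src_socket:04x}")
    if p.sap_op is not None:
        print(f"SAP operation 0x{p.sap_op:04x} ({SAP_OPS.get(p.sap_op, 'unknown')})")
    print("filter for Nearest Responses to b0b0b0b0:", bpf_filter(0xB0B0B0B0, 4))
```

Run against the quoted dump, the decoder reports destination network b0b0b0b0 on the SAP socket and a SAP operation of 0x0002 (General Response, from the printer itself), so a filter keyed on operation 0x0004 does not match this particular frame; the derived expression is what to hand to tcpdump or Ethereal's capture filter when the capture interface sees raw-802.3 IPX.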
