Ethereal-users: Re: [Ethereal-users] ethereal 0.9.4

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 5 Jun 2002 11:49:17 -0700
On Tue, Jun 04, 2002 at 10:22:43PM -0800, Wilson_Ariyawansa@xxxxxxxxxx wrote:
> I have downloaded the above version to my w2k notebook and the TCP stream
> analysis does not work.

What does it do instead of working?

> Also, how can I get samples on setting filters?

Some samples can be found in the tcpdump/WinPcap man pages; as you're
running on Windows, you'd want the WinDump man page:

	http://windump.polito.it/docs/manual.htm

Look for the part that begins with

	EXAMPLES

	    To print all packets arriving at or departing from sundown: 

> Can you set ethereal to analyse traffic between two machines on the same
> network where the machine running ethereal is connected?

Yes, *IF*

	1) the network is a "broadcast" LAN (such as Ethernet, FDDI,
	   Token Ring, or IEEE 802.11);

	2) the network is not switched, or it is switched but you can do
	   "port mirroring" to the port into which the machine running
	   Ethereal is running so that it can see traffic not intended
	   for it;

	3) if the network uses a dual-speed hub, the two other machines
	   *and* the machine running Ethereal are all running at the
	   same speed;

	4) the network interface on the machine running Ethereal, and
	   the driver for it, supports "promiscuous mode" when using
	   whatever underlying packet capture mechanism libpcap/WinPcap
	   uses.

Note that a network using a "hub" could be switched - some switches are
called "switched hubs", but a switched hub is not a "dumb" hub, it's a
switch.

See

	http://www.ethereal.com/faq.html#q4.1

> Suppose machines A,B
> and C are on the same LAN and if A runs ethereal can it analyse traffic
> between B and C.

If all of the above are true, yes.  (I infer from "on the same LAN" that
it's probably a broadcast LAN, so 1) is probably true.)

> I used the following filter on A.  host B and host C
> but nothing produced.

I don't see any filter in your mail message.

> The IP addresses of B and C were used. I found
> that always host A and host B worked. Also host A host C worked.

It sounds as if one of 2), 3), and 4) is *not* true, in which case it's
not a question of the filter expression, it's a question of whether the
packets between hosts B and C are even delivered *at all* to the network
interface on machine A, or whether the driver puts the network interface
into a mode in which it accepts packets not intended for it.