Ethereal-users: Re: [Ethereal-users] Trigger setup and action

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 8 Jul 2002 15:48:03 -0700
On Mon, Jul 08, 2002 at 03:13:09PM +0200, Karlheinz Mueller wrote:
> Maybe someone has a good idea how to solve the following request:
> I am searching for a way to trace network traffic (e.g. with
> ethereal) and if a certain packet arrives, an action should be performed
> automatically. 

There's no mechanism built into Ethereal to do that.

However:

	1) another program might be able to handle that (e.g., snort:

		http://www.snort.org/

	   which, it appears from the documentation:

		http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5

	   can be made to perform various actions when packets that
	   match particular rules are seen;

	2) you could run Tethereal with a capture or read filter that
	   matches only the packets in which you're interested, and with
	   the "-l" flag but not the "-w" or "-V" flag, and pipe its output
	   to a program that will take some action whenever it gets a line
	   of input.

> for example:
> If any IPX frame is seen, a script/command should be executed
> automatically, e.g. to send an SMB message popup or an SNMP trap.

Snort 1.6 can send SMB popups (see the Alert_smb plugin section of the
documentation URL), and there may be ways to use the output module
mechanism to send SNMP traps as well (if by "plugins" they mean you can
plug in your own mechanisms, you could perhaps write an Alert_snmp
mechanism; otherwise, you could, for example, try using Alert_unixsock
and have another program on the other end of the UNIX-domain socket that
sends the traps).

(NOTE: I'm not a Snort user, so don't ask me how to do any of the above,
ask on the "Snort Users" mailing list:

	http://www.snort.org/lists.html

.)

Unfortunately, it looks as if Snort might not yet recognize IPX:

	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.2

"The next field in a rule is the protocol.  There are four Protocols
that Snort currently analyzes for suspicious behavior - tcp, udp, icmp,
and ip.  In the future there may be more, such as ARP, IGRP, GRE, OSPF,
RIP, IPX, etc."
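
The Tethereal pipeline from option 2 above, written out as an added example (this is not code from the original message or from the Ethereal project). It assumes Tethereal is installed, that you can capture on an interface such as eth0, and that `ipx` is used as the libpcap capture filter (`-f`) or Ethereal read filter (`-R`) to select the frames of interest. The `default_action` and `run_trigger` function names, the `ACTION` environment variable and the sample summary lines are all constructed for the example; the sample lines only approximate Tethereal's one-line summary layout and do not come from a real capture.

```shell
#!/bin/sh
# Added example (not from the original post or the Ethereal project): the
# "tethereal -l ... | program" pipeline, with the per-line action factored out.
#
# Intended use (assumes Tethereal is installed and you may capture on eth0):
#   tethereal -l -i eth0 -f ipx | sh trigger.sh
# or, against a saved capture, with a read filter instead of a capture filter:
#   tethereal -l -r traffic.cap -R ipx | sh trigger.sh
# -l flushes stdout after every packet so the action fires immediately rather
# than once the pipe buffer fills; without -w or -V each packet is one line.

# Action run once per matching packet; the summary line arrives in $1.
# Replace the body with whatever should happen (e.g. a call to snmptrap
# from Net-SNMP); this default just logs an alert with a timestamp.
default_action() {
    printf '%s ALERT: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1"
}

# Name of the function (or external command) to run per line; overridable
# from the environment, e.g. ACTION=my_trap_sender sh trigger.sh
ACTION=${ACTION:-default_action}

# Read Tethereal summary lines from stdin and fire $ACTION once per line.
# Action output goes to stderr; the number of actions fired is printed to
# stdout so a caller (or a test) can check it.
run_trigger() {
    count=0
    while IFS= read -r line; do
        # Skip blank lines; anything else on stdout is a packet summary.
        [ -n "$line" ] || continue
        "$ACTION" "$line" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample input approximating Tethereal one-line summaries
# (frame number, time, source -> destination, protocol, info). Not a real
# capture; the blank line checks that empty input lines fire nothing.
SAMPLE_LINES='  1 0.000000 00:00:0c:12:34:56 -> ff:ff:ff:ff:ff:ff IPX SAP General Query
  2 0.001942 00:00:0c:65:43:21 -> ff:ff:ff:ff:ff:ff IPX RIP Response

  3 0.150377 00:00:0c:12:34:56 -> 00:00:0c:65:43:21 IPX NCP Request'

# Run the trigger over the constructed sample; prints the fired count (3).
demo() {
    printf '%s\n' "$SAMPLE_LINES" | run_trigger
}

# Only run the demo when asked, so the functions can also be piped into.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `sh trigger.sh --demo` to see the three alerts on stderr and the count on stdout; in real use, leave off `--demo` and pipe Tethereal's output in as shown in the header comment. Because Tethereal prints "Capturing on ..." and similar status text to stderr, only packet summaries reach the loop, which is why the per-line trigger needs no parsing beyond skipping blank lines.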