> What happens with the IPX traffic when you read that capture file with
> Ethereal (or Ethereal) - or with the Sniffer software for Windows -
> later?
It seems that no matter the packet size specified when using -s, the
full packet output is captured and decoded. I have tried multiple packet
sizes since I suspected I wasn't capturing enough of the packet as you
have calculated. There is nothing wrong with the tethereal utility - I
am just trying to cheat and only capture enough of the decoded output to
track the details of the file access and not the entire contents of the
file itself.
> ...if you want to know what file they were viewing, it needs to dissect
> *NCP* traffic - i.e., it has to dissect not just the IPX header, but
> enough of the NCP header to show information about the file.
Exactly. Sorry I should have been more specific about NCP.
> Unfortunately, to do *that*, it appears you need more than the 64 bytes
> you've requested with "-s 64" - at least in one capture, an NCP
> "Open/Create File or Subdirectory" has 62 bytes of *NCP* message in it,
> so that'd be 14+30+62 = 106 bytes, and a longer file name might require
> more data.
I will retry with multiple capture size variations, but if I remember
correctly it's as if tethereal wants to capture the entire packet to
decode it. Perhaps there is a way to then pass it through some form of
read filter before it is written to disk?
Thanks,
Justin.
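The snaplen arithmetic in the thread (14-byte Ethernet header + 30-byte IPX header + the NCP message) is easy to check without a live capture. The following is an added example, not code from the thread or from Ethereal/tethereal: it builds a constructed Ethernet II / IPX / NCP request frame, cuts it at a snaplen the way `-s` would, and reports what is still decodable. The Ethernet and 30-byte IPX header layouts and the 7-byte NCP request header are standard; the way the file name is placed in the NCP body after the function code is a deliberate simplification (assumption) so that the truncation effect is visible, not the real "Open/Create File or Subdirectory" field layout. The IPX header's own length field is what lets a decoder tell a truncated frame from a short one.

```python
"""Added example: why a 64-byte snaplen loses the NCP file name.

Constructed frame: Ethernet II (14) + IPX (30) + NCP request.
The NCP body layout after the function code is SIMPLIFIED (assumption):
  subfunction (1 byte) | name length (1 byte) | name bytes
"""
import struct

ETH_HDR = 14
IPX_HDR = 30
ETHERTYPE_IPX = 0x8137
IPX_TYPE_NCP = 0x11
NCP_SOCKET = 0x0451
NCP_REQUEST = 0x2222
NCP_FUNC_FILE_DIR = 87          # function 87, subfunction 1 = Open/Create


def build_frame(filename: str) -> bytes:
    """Constructed sample frame carrying an NCP function-87 request."""
    # NCP request header: type, sequence, conn low, task, conn high, function
    ncp_hdr = struct.pack(">HBBBBB", NCP_REQUEST, 1, 5, 1, 0, NCP_FUNC_FILE_DIR)
    name = filename.encode("ascii")
    ncp = ncp_hdr + bytes([1, len(name)]) + name      # simplified body
    ipx_len = IPX_HDR + len(ncp)                      # IPX length covers header + payload
    ipx = struct.pack(">HHBB", 0xFFFF, ipx_len, 0, IPX_TYPE_NCP)
    ipx += bytes(4) + bytes([0x00, 0x00, 0x1B, 0x2C, 0x3D, 0x4E]) + struct.pack(">H", NCP_SOCKET)
    ipx += bytes(4) + bytes([0x00, 0x00, 0x5F, 0x60, 0x71, 0x82]) + struct.pack(">H", 0x4003)
    eth = bytes([0x00, 0x00, 0x1B, 0x2C, 0x3D, 0x4E]) + bytes([0x00, 0x00, 0x5F, 0x60, 0x71, 0x82])
    eth += struct.pack(">H", ETHERTYPE_IPX)
    return eth + ipx + ncp


def truncate(frame: bytes, snaplen: int) -> bytes:
    """What a capture tool writes to disk with `-s snaplen`."""
    return frame[:snaplen]


def needed_snaplen(frame: bytes) -> int:
    """14 + IPX length field: the smallest -s that keeps the whole NCP message."""
    ipx_len = struct.unpack(">H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    return ETH_HDR + ipx_len


def decode(captured: bytes) -> dict:
    """Decode as far as the captured bytes allow; report truncation."""
    info = {"ipx_length": None, "captured_ipx": None, "truncated": True,
            "function": None, "filename": None}
    if len(captured) < ETH_HDR + IPX_HDR:
        return info                                   # not even a full IPX header
    if struct.unpack(">H", captured[12:14])[0] != ETHERTYPE_IPX:
        return info
    ipx = captured[ETH_HDR:]
    _chk, ipx_len, _tc, ptype = struct.unpack(">HHBB", ipx[:6])
    dst_socket = struct.unpack(">H", ipx[16:18])[0]
    info["ipx_length"] = ipx_len
    info["captured_ipx"] = len(ipx)
    info["truncated"] = len(ipx) < ipx_len            # wire length vs. bytes on disk
    payload = ipx[IPX_HDR:ipx_len]
    if ptype != IPX_TYPE_NCP or dst_socket != NCP_SOCKET or len(payload) < 7:
        return info
    rtype, _seq, _clo, _task, _chi, func = struct.unpack(">HBBBBB", payload[:7])
    if rtype != NCP_REQUEST:
        return info
    info["function"] = func
    body = payload[7:]
    if func == NCP_FUNC_FILE_DIR and len(body) >= 2:  # simplified layout (assumption)
        name_len = body[1]
        name = body[2:2 + name_len]
        if len(name) == name_len:                     # only report a complete name
            info["filename"] = name.decode("ascii")
    return info


if __name__ == "__main__":
    frame = build_frame("SYS:PUBLIC/README.TXT")
    for snaplen in (64, needed_snaplen(frame)):
        print(snaplen, decode(truncate(frame, snaplen)))
```

With the constructed name the frame is 74 bytes on the wire; at `-s 64` the decoder sees the IPX header and NCP function code but only part of the name, and flags the frame as truncated because the IPX length field (60) exceeds the 50 IPX bytes actually stored. Any snaplen at or above 14 + IPX length recovers the name, and a longer path needs correspondingly more, which is the same calculation as the 14+30+62 = 106 figure quoted above.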