Ethereal-users: Re: [Ethereal-users] Capture filter syntax

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Pascal Chauffour" <CHAUFFOU@xxxxxxxxxx>
Date: Fri, 21 Mar 2003 10:57:09 +0100
My workstation is a Thinkpad connected to an unswitched 16 Mb/s token-ring
LAN, the DNS server is running on a distinct machine on the same subnet, and
I did run the nslookup on my Thinkpad.

My Token-Ring adapter is an "IBM Turbo 16/4 Token-Ring PC Card 2" with an
IBM driver dated 1/3/2000 version 12.23.3.50.
I did check the parameters and found nothing apart from a special
advanced parameter named "ShallowMode Receive" which was set to "yes". I
did try setting it to "no" and it only degraded the situation, in the sense
that the filter "proto \udp" was then not capturing any frame, whereas it was
capturing SNMP & NTP frames (NO DNS) in the other case...

This is what shows up concerning my nslookup command when running
Tethereal without filter
(I replaced the DNS address in the trace by "x.yyy.dn.s"):
      7.890322 00:60:94:6e:8b:5e -> ff:ff:ff:ff:ff:ff ARP Who has x.yyy.dn.s?  Tell x.yyy.56.178
      ...
      7.894668 00:04:ac:63:48:99 -> 00:60:94:6e:8b:5e ARP x.yyy.dn.s is at 00:04:ac:63:48:99
      7.894732 x.yyy.56.178 -> x.yyy.dn.s   DNS Standard query PTR 5.40.100.9.in-addr.arpa
      7.898062 x.yyy.dn.s -> x.yyy.56.178   DNS Standard query response PTR dnslge.lagaude.ibm.com
      ...
      7.905527 x.yyy.56.178 -> x.yyy.dn.s   DNS Standard query PTR 183.23.100.9.in-addr.arpa
      ...
      7.909004 x.yyy.dn.s -> x.yyy.56.178   DNS Standard query response PTR mymachine.lagaude.ibm.com

In summary, the status of the different trials:
|------------------------+------------------------+------------------------|
|Commands                |Thinkpad Win2000 with   |Thinkpad Win2000 with   |
|                        |IBM Turbo 16/4 TR PC    |IBM Turbo 16/4 TR PC    |
|                        |Card 2 (ShallowMode     |Card 2 (ShallowMode     |
|                        |Receive="yes")          |Receive="no")           |
|------------------------+------------------------+------------------------|
|tethereal               |OK                      |OK                      |
|------------------------+------------------------+------------------------|
|tethereal -f "proto     |only SNMP & NTP packets |No packets              |
|\udp"                   |(no DNS)                |                        |
|------------------------+------------------------+------------------------|
|tethereal -f "proto     |OK                      |OK                      |
|\icmp"                  |                        |                        |
|------------------------+------------------------+------------------------|

Guy Harris <guy@xxxxxxxxxx>
To: Pascal Chauffour/France/IBM@IBMFR
cc: ethereal-users@xxxxxxxxxxxx
20/03/2003 20:50
Subject: Re: [Ethereal-users] Capture filter syntax

On Thu, Mar 20, 2003 at 12:11:47PM +0100, Pascal Chauffour wrote:
> I did try Ethereal without capture filter and it worked well.

Did it capture any unicast traffic (not broadcast and not multicast)
that was neither sent to the machine running Ethereal nor sent from the
machine running Ethereal?

> Then to avoid
> recording too many packets I did try using the capture filter "port 53"
> but I could not capture anything.
> I first did the trial with Ethereal using the GUI and then I tried using
> Tethereal on a DOS box with the following command:
> tethereal -f "port 53" and I got a message telling the capture was
> started "Capturing on \Device\NPF_{4D99DD04-CFB5-4973-BB80-602D8927503D}" but I
> could not see any packet despite running several nslookup commands.

Did you run nslookup *on the machine running Ethereal/Tethereal*?  (I
assume the DNS server wasn't running on that machine.)

If not, then is the token-ring LAN switched?

If so, then does that mean that unicast traffic from one station on the
LAN to another station on the LAN can be seen by a third station on the
LAN?  If not, that's the standard switching problem.

If the LAN isn't switched, is your interface a Madge token-ring
card?  If so, it might have promiscuous mode disabled:

http://www.madge.com/_assets/downloads/lsshelp8.0/LSSHelp/AdvFeat/Promisc/Promisc2.htm
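Added example, not Ethereal/Tethereal or libpcap code and not written by either participant: a pure-Python model of what the three capture filters in the table above actually test, run over constructed Ethernet II frames. Tethereal hands `-f` filters to libpcap; in tcpdump's grammar `port 53` matches TCP or UDP packets (newer versions add SCTP) whose source or destination port is 53 and whose IP fragment offset is 0, while the thread's `proto \udp` (the backslash is needed because `udp` is itself a keyword) selects UDP-over-IP packets like the plain `udp` primitive, fragments included. The 14-byte link-layer header, the MAC and IP addresses and every frame below are assumptions constructed for the example; a real BPF program is compiled for the interface's link type, and on token ring the IP header does not sit at the Ethernet offset.

```python
"""Model of the capture-filter primitives from the thread ("port 53",
"proto \\udp", "proto \\icmp") over hand-built frames.  Added example; not
Ethereal/Tethereal or libpcap code."""
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

# Assumption: Ethernet II framing, fixed 14-byte link-layer header.  libpcap
# compiles a filter per link type; on token ring the IP header starts at a
# different (with source routing, variable) offset, and that offset has to be
# right before any port test can possibly match.
LINK_HDR_LEN = 14

# Constructed MAC addresses, copied from the ARP lines in the trace above.
SRC_MAC = bytes.fromhex("0060946e8b5e")
DST_MAC = bytes.fromhex("0004ac634899")


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_frame(proto, payload, src="10.0.0.1", dst="10.0.0.2", frag_offset=0):
    """Ethernet II + minimal 20-byte IPv4 header (checksum left 0) + payload."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                     frag_offset & 0x1FFF, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport):
    # 20-byte TCP header, SYN set, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_arp_frame():
    # Not IP at all; the ARP body is irrelevant to these filters
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def parse(frame, link_hdr_len=LINK_HDR_LEN):
    """Return (ip_proto, frag_offset, sport, dport) for an IPv4 frame, else None.
    Ports are only read for TCP/UDP with fragment offset 0, which is the only
    case where the transport header is present; BPF's "port" test does the same."""
    if len(frame) < link_hdr_len + 20:
        return None
    if struct.unpack_from("!H", frame, link_hdr_len - 2)[0] != ETHERTYPE_IP:
        return None
    ip = link_hdr_len
    if frame[ip] >> 4 != 4:
        return None
    ihl = (frame[ip] & 0x0F) * 4
    proto = frame[ip + 9]
    frag_offset = struct.unpack_from("!H", frame, ip + 6)[0] & 0x1FFF
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and frag_offset == 0 and len(frame) >= ip + ihl + 4:
        sport, dport = struct.unpack_from("!HH", frame, ip + ihl)
    return proto, frag_offset, sport, dport


def match_port(frame, port):
    """'port N': IPv4, TCP or UDP, first fragment, src or dst port == N."""
    parsed = parse(frame)
    if parsed is None:
        return False
    proto, frag_offset, sport, dport = parsed
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or frag_offset != 0:
        return False
    return port in (sport, dport)


def match_ip_proto(frame, proto):
    """'ip proto N' (what 'udp', 'icmp' and the thread's 'proto \\udp' select):
    any IPv4 packet with that protocol number, later fragments included."""
    parsed = parse(frame)
    return parsed is not None and parsed[0] == proto


# Constructed traffic mirroring the trace: a PTR query and its reply, the other
# protocols the thread mentions, and a non-first UDP fragment as an edge case.
DNS_HDR = bytes.fromhex("123401000001000000000000")
SAMPLE_FRAMES = {
    "dns_query": build_ipv4_frame(IPPROTO_UDP, build_udp(1034, 53, DNS_HDR)),
    "dns_response": build_ipv4_frame(IPPROTO_UDP, build_udp(53, 1034, DNS_HDR),
                                     src="10.0.0.2", dst="10.0.0.1"),
    "ntp": build_ipv4_frame(IPPROTO_UDP, build_udp(123, 123, bytes(48))),
    "snmp": build_ipv4_frame(IPPROTO_UDP, build_udp(1035, 161, b"\x30\x00")),
    "icmp_echo": build_ipv4_frame(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"),
    "arp": build_arp_frame(),
    "smtp": build_ipv4_frame(IPPROTO_TCP, build_tcp(1036, 25)),
    "udp_frag2": build_ipv4_frame(IPPROTO_UDP, bytes(16), frag_offset=185),
}


def run_filters(frames=SAMPLE_FRAMES):
    """Apply the three filters from the table above; which frames each matched."""
    return {
        "port 53": [n for n, f in frames.items() if match_port(f, 53)],
        "proto \\udp": [n for n, f in frames.items() if match_ip_proto(f, IPPROTO_UDP)],
        "proto \\icmp": [n for n, f in frames.items() if match_ip_proto(f, IPPROTO_ICMP)],
    }


if __name__ == "__main__":
    for name, matched in run_filters().items():
        print(f"{name:12s} -> {matched}")
```

With a working filter, `proto \udp` has to match the DNS frames as well as NTP and SNMP, since DNS is just UDP with port 53; a UDP filter that sees NTP and SNMP but never DNS is therefore not a syntax problem with the filter expression. The fragment case shows the one legitimate way a `port 53` filter drops part of a DNS exchange: only the first fragment of a large response carries the UDP header, so later fragments match `udp` but not `port 53`.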