Ethereal-users: Re: Rer: [Ethereal-users] Capture filter syntax

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Pascal Chauffour" <CHAUFFOU@xxxxxxxxxx>
Date: Fri, 21 Mar 2003 18:40:10 +0100
Thanks for the information.

Based on the observations found in the previous mails you referenced,
yes, we use source routing and I have found packets with IP headers located
at different offsets; the Ethereal GUI seems to decode every packet
without problem, so this is most probably a still-existing WinPcap
limitation.

For information, I did install the latest binary packages of Ethereal 0.9.11
and WinPcap 3.0 BETA.
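The variable header offset Pascal describes above, worked through as an added example (this is not code from the thread, from Ethereal or from WinPcap). It assumes frames as a capture library hands them over, starting at the 802.5 access-control byte, and builds two constructed frames carrying the same UDP/53 DNS query: one without and one with a 6-byte Routing Information Field (RIF). A check that hard-codes the no-RIF layout (IP header at offset 22, the assumption a fixed-offset "port 53" filter would make) matches only the first; a check that reads the RIF length from the routing-control byte matches both. The two MAC addresses are taken from Pascal's trace; the RIF contents, IP addresses and query are made up.

```python
"""
Added example, not code from this thread, from Ethereal or from WinPcap.

On a source-routed Token Ring the 802.5 MAC header carries an optional
Routing Information Field (RIF) when the Routing Information Indicator
(high bit of the source address) is set.  The RIF is 2 to 30 bytes long,
so LLC/SNAP and the IP header do not sit at a fixed offset.  A port filter
that assumes the no-RIF layout (IP at offset 22) misses routed frames,
while a RIF-aware check finds the UDP/53 query in both.

All frames below are constructed by hand for the demonstration.
"""
import struct

AC_FC = b"\x10\x40"                                # access control (frame), frame control (LLC)
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # SNAP, OUI 0, EtherType IPv4
NO_RIF_IP_OFFSET = 14 + len(LLC_SNAP_IP)           # 22: what a fixed-offset filter assumes


def tr_mac_header_len(frame: bytes) -> int:
    """AC + FC + DA + SA (14 bytes), plus the RIF if the RII bit of SA is set.
    The RIF length is the low 5 bits of its first (routing control) byte."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an 802.5 MAC header")
    hdr = 14
    if frame[8] & 0x80:                    # SA begins at offset 8; RII bit
        if len(frame) < 16:
            raise ValueError("RII set but RIF missing")
        hdr += frame[14] & 0x1F
    return hdr


def ip_header_offset(frame: bytes):
    """Offset of the IPv4 header, or None if the frame is not LLC/SNAP IPv4."""
    hdr = tr_mac_header_len(frame)
    if frame[hdr:hdr + 8] != LLC_SNAP_IP:
        return None
    return hdr + 8


def udp_port_53_at(frame: bytes, ip_off: int) -> bool:
    """Equivalent of the capture filter 'udp port 53', evaluated with the
    IP header assumed to start at ip_off."""
    ip = frame[ip_off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:   # not an IPv4 header at that offset
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                        # protocol is not UDP
        return False
    udp = ip[ihl:ihl + 8]
    if len(udp) < 8:
        return False
    sport, dport = struct.unpack("!HH", udp[:4])
    return 53 in (sport, dport)


def fixed_offset_match(frame: bytes) -> bool:
    """Filter that hard-codes the no-RIF layout."""
    return udp_port_53_at(frame, NO_RIF_IP_OFFSET)


def rif_aware_match(frame: bytes) -> bool:
    """Filter that walks the MAC header and skips the RIF first."""
    off = ip_header_offset(frame)
    return off is not None and udp_port_53_at(frame, off)


# ---- constructed sample traffic --------------------------------------------

def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src, dst)
    return ip + udp


def build_tr_frame(dst_mac: bytes, src_mac: bytes, rif: bytes, upper: bytes) -> bytes:
    """rif is b'' for a non-routed frame; otherwise its first byte already
    carries the field length in its low 5 bits."""
    if rif:
        src_mac = bytes([src_mac[0] | 0x80]) + src_mac[1:]   # set the RII bit
    return AC_FC + dst_mac + src_mac + rif + LLC_SNAP_IP + upper


# Minimal DNS query for example.com/A (constructed): 12-byte header + question
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
IP_UDP = build_ipv4_udp(b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x35", 1025, 53, DNS_QUERY)

STATION = bytes.fromhex("0060946e8b5e")   # MAC addresses as seen in Pascal's trace
SERVER = bytes.fromhex("0004ac634899")
# Constructed RIF: routing control 0x06 0x30 (length 6) + two route descriptors
SAMPLE_RIF = bytes.fromhex("0630 0010 0020")

PLAIN_FRAME = build_tr_frame(SERVER, STATION, b"", IP_UDP)
ROUTED_FRAME = build_tr_frame(SERVER, STATION, SAMPLE_RIF, IP_UDP)

if __name__ == "__main__":
    for name, frame in (("no RIF", PLAIN_FRAME), ("with RIF", ROUTED_FRAME)):
        print(f"{name:9s} IP at {ip_header_offset(frame):2d}  "
              f"fixed-offset filter: {fixed_offset_match(frame)}  "
              f"RIF-aware filter: {rif_aware_match(frame)}")
```

Running it prints the IP header at offset 22 for the plain frame and 28 for the routed one; the fixed-offset check rejects the routed frame (it lands on LLC bytes, not an IPv4 header), while the RIF-aware check accepts both. That mismatch is consistent with what Pascal reports, whatever the exact cause inside the WinPcap build of the time.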



                                                                                                                                    
From: "Martin Regner" <martin.regner@chello.se>
To: Pascal Chauffour/France/IBM@IBMFR
cc:
Subject: Rer: [Ethereal-users] Capture filter syntax
Date: 21/03/2003 16:07




I think that there could be a problem with using capture filters in WinPcap
in certain scenarios when it's not Ethernet frames or similar.
Since you can capture the frames when not using a filter, I guess that there
could be some limitations with using filters for Token Ring.

What version of WinPcap are you using?

The following are very old messages indicating some problems with WinPcap
and Token Ring, but I couldn't find any more recent ones - and didn't find
any interesting information in the WinPcap FAQ or similar.

http://ethereal.archive.sunet.se/lists/ethereal-users/200007/msg00047.html

http://ethereal.archive.sunet.se/lists/ethereal-users/200005/msg00055.html

You could of course use display filters to filter out DNS packets, but I
understand that you want to limit the number of captured packets and I
don't know if this is possible or not.

Regards,
  Martin

-----Original Message-----
From: Pascal Chauffour <CHAUFFOU@xxxxxxxxxx>
To: ethereal-users@xxxxxxxxxxxx <ethereal-users@xxxxxxxxxxxx>
Date: Friday, March 21, 2003 3:50 PM
Subject: RE: [Ethereal-users] Capture filter syntax


>
>It is true that some DNS traffic can flow through TCP port 53, but this is
>dedicated to downloads between DNS servers; the DNS traffic I try to
>capture (queries) is going through UDP port 53.
>
>In fact the filter "port 53" should work for both cases, TCP or UDP...
>
>With kind regards
>Pascal Chauffour
>

>From: "Bates, Curtis" <Curtis.Bates@agedwards.com>
>To: Pascal Chauffour/France/IBM@IBMFR, ethereal-users@xxxxxxxxxxxx
>cc:
>Subject: RE: [Ethereal-users] Capture filter syntax
>Date: 21/03/2003 14:58
>
>DNS can use TCP to send queries.
>
>
>-----Original Message-----
>From: Pascal Chauffour [mailto:CHAUFFOU@xxxxxxxxxx]
>Sent: Friday, March 21, 2003 3:57 AM
>To: ethereal-users@xxxxxxxxxxxx
>Subject: Re: [Ethereal-users] Capture filter syntax
>
>My workstation is a Thinkpad connected to an unswitched 16 MB/s token-ring
>LAN, the DNS server is running on a distinct machine on the same subnet and
>I did run the nslookup on my Thinkpad.
>
>My Token-Ring adapter is an "IBM Turbo 16/4 Token-Ring PC Card 2" with an
>IBM driver dated 1/3/2000 version 12.23.3.50.
>I did check the parameters and found nothing apart from a special
>advanced parameter named "ShallowMode Receive" which was set to "yes". I
>did try setting it to "no" and it only degraded the situation, in the sense
>that the filter "proto \udp" was not capturing any frame, whereas it was
>capturing SNMP & NTP frames (NO DNS) in the other case...
>
>This is what is shown concerning my nslookup command when running
>Tethereal without filter:
>(I did replace the DNS address in the trace by "x.yyy.dn.s")
>      7.890322 00:60:94:6e:8b:5e -> ff:ff:ff:ff:ff:ff ARP Who has x.yyy.dn.s?  Tell x.yyy.56.178
>      ...
>      7.894668 00:04:ac:63:48:99 -> 00:60:94:6e:8b:5e ARP x.yyy.dn.s is at 00:04:ac:63:48:99
>      7.894732 x.yyy.56.178 -> x.yyy.dn.s   DNS Standard query PTR 5.40.100.9.in-addr.arpa
>      7.898062   x.yyy.dn.s -> x.yyy.56.178 DNS Standard query response PTR dnslge.lagaude.ibm.com
>      ...
>      7.905527 x.yyy.56.178 -> x.yyy.dn.s   DNS Standard query PTR 183.23.100.9.in-addr.arpa
>      ...
>      7.909004   x.yyy.dn.s -> x.yyy.56.178 DNS Standard query response PTR mymachine.lagaude.ibm.com
>
>In summary, the status of the different trials:
>
>|------------------------+------------------------+------------------------|
>|Commands                |Thinkpad Win2000 with   |Thinkpad Win2000 with   |
>|                        |IBM Turbo 16/4 TR PC    |IBM Turbo 16/4 TR PC    |
>|                        |Card 2 (ShallowMode     |Card 2 (ShallowMode     |
>|                        |Receive="yes")          |Receive="no")           |
>|------------------------+------------------------+------------------------|
>|tethereal               |OK                      |OK                      |
>|------------------------+------------------------+------------------------|
>|tethereal -f "proto     |only SMTP & NTP packets |No packets              |
>|\udp"                   |(no DNS)                |                        |
>|------------------------+------------------------+------------------------|
>|tethereal -f "proto     |OK                      |OK                      |
>|\icmp"                  |                        |                        |
>|------------------------+------------------------+------------------------|

>
>From: Guy Harris <guy@xxxxxxxxxx>
>To: Pascal Chauffour/France/IBM@IBMFR
>cc: ethereal-users@xxxxxxxxxxxx
>Subject: Re: [Ethereal-users] Capture filter syntax
>Date: 20/03/2003 20:50
>
>On Thu, Mar 20, 2003 at 12:11:47PM +0100, Pascal Chauffour wrote:
>> I did try Ethereal without capture filter and it worked well.
>
>Did it capture any unicast traffic (not broadcast and not multicast)
>that was neither sent to the machine running Ethereal nor from the
>machine running Ethereal?
>
>> Then to avoid
>> recording too many packets I did try using the capture filter "port 53" but
>> I could not capture anything.
>> I first did the trial with Ethereal using the GUI and then I tried using
>> Tethereal on a DOS box with the following command:
>> tethereal -f "port 53" and I got a message telling the capture was started
>> "Capturing on \Device\NPF_{4D99DD04-CFB5-4973-BB80-602D8927503D}" but I
>> could not see any packet despite running several nslookup commands.
>
>Did you run nslookup *on the machine running Ethereal/Tethereal*?  (I
>assume the DNS server wasn't running on that machine.)
>
>If not, then is the token-ring LAN switched?
>
>If so, then does that mean that unicast traffic from one station on the
>LAN to another station on the LAN can be seen by a third station on the
>LAN?  If not, that's the standard switching problem.
>
>If the LAN isn't switched, is your interface a Madge token-ring
>card?  If so, it might have promiscuous mode disabled:
>
>http://www.madge.com/_assets/downloads/lsshelp8.0/LSSHelp/AdvFeat/Promisc/Promisc2.htm
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users