Ethereal-users: Re: [Ethereal-users] Snooping ethernet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 11 Jul 2003 13:14:19 -0700

On Friday, July 11, 2003, at 5:10 AM, Mike Stickney wrote:

> During a hardware test on 3 June 2003 they were using standard TCP
> packets and I was able to capture and analyze them using ethereal. In a
> subsequent test on 11 July 2003 ethereal was unable to capture any TCP
> frames containing data.  Ethereal was working for UDP, ARP, etc. frames
> which were also being transmitted.  The TCP frames containing critical
> data had disappeared.  An oscilloscope connected to the network showed
> that transmissions were still present that ethereal was not capturing.

What kind of Ethernet is this? Is it, for example, a switched Ethernet? If so, is Ethereal running on the machine sending or receiving the packets, or are you doing a third-party passive snoop of the network? If it's a passive snoop, is the port into which the machine running Ethereal is plugged set up as a "mirrored" port?

See

	http://www.ethereal.com/faq.html#q5.2

and

	http://www.ethereal.com/faq.html#q5.3

and

	http://www.ethereal.com/faq.html#q5.1

And, as Richard Urwin asked, are you using a capture filter?

> I'm now stuck with trying to analyze what they changed.  The data link
> layer is still Ethernet (IEEE 802.3).  Can ethereal be used to capture
> and display the Ethernet frames as is or will it require modification?

Yes, but if they are, in fact, using a proprietary protocol atop Ethernet, rather than IP, Ethereal won't be able to dissect it - it'll just show it as Ethernet data with a particular Ethernet type.
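An added illustration of that last point, not part of the thread and not Ethereal's own code: a small Python parser that splits off the 14-byte Ethernet header, tells raw IEEE 802.3 framing (type/length field of 1500 or less) from Ethernet II, and, like a dissector with no handler registered for the type, reports an unrecognised EtherType as plain Ethernet data with that type. The MAC addresses, the 0x88B5 local-experimental EtherType standing in for a vendor protocol, and the payload bytes are constructed sample values.

```python
import struct

# Well-known EtherType values (IEEE registry). Anything not listed here is
# what the analyzer shows as "Ethernet data with a particular Ethernet type".
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw frame into header fields and payload.

    A type/length field <= 0x05DC (1500) means raw IEEE 802.3 framing and the
    field is a payload length; a larger value is an Ethernet II EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    info = {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "payload": payload,
    }
    if type_or_len <= 0x05DC:
        info["framing"] = "802.3"
        info["length"] = type_or_len
        info["proto"] = "LLC"
        info["payload"] = payload[:type_or_len]   # trailing bytes are padding
    else:
        info["framing"] = "Ethernet II"
        info["ethertype"] = type_or_len
        info["proto"] = ETHERTYPES.get(type_or_len, f"unknown (0x{type_or_len:04x})")
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Helper to construct sample frames for the demonstration below."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample frames (not captures from the thread).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
ARP_FRAME = build_frame(DST, SRC, 0x0806, bytes(28))
# 0x88B5 is reserved by IEEE for local experimental use; it stands in here for
# a proprietary protocol carried directly over Ethernet instead of IP.
PROPRIETARY_FRAME = build_frame(DST, SRC, 0x88B5, b"\x01\x02\x03\x04")
RAW_8023_FRAME = build_frame(DST, SRC, 3, b"\xaa\xaa\x03" + bytes(43))

if __name__ == "__main__":
    for f in (ARP_FRAME, PROPRIETARY_FRAME, RAW_8023_FRAME):
        p = parse_ethernet(f)
        print(p["src"], "->", p["dst"], p["framing"], p["proto"], len(p["payload"]), "bytes")
```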