On Friday, July 11, 2003, at 5:10 AM, Mike Stickney wrote:
During a hardware test on 3 June 2003 they were using standard TCP
packets and I was able to capture and analyze them using ethereal. In a
subsequent test on 11 July 2003 ethereal was unable to capture any TCP
frames containing data. Ethereal was working for UDP, ARP, etc frames
which were also being transmitted. The TCP frames containing critical
data had disappeared. An oscilloscope connected to the network showed
that transmissions were still present that ethereal was not capturing.
What kind of Ethernet is this? Is it, for example, a switched
Ethernet? If so, is Ethereal running on the machine sending or
receiving the packets, or are you doing a third-party passive snoop of
the network? If it's a passive snoop, is the port into which the
machine running Ethereal is plugged set up as a "mirrored" port?
See
http://www.ethereal.com/faq.html#q5.2
and
http://www.ethereal.com/faq.html#q5.3
and
http://www.ethereal.com/faq.html#q5.1
And, as Richard Urwin asked, are you using a capture filter?
I'm now stuck with trying to analyze what they changed. The data link
layer is still Ethernet (IEEE 802.3). Can ethereal be used to capture
and display the Ethernet frames as is or will it require modification?
Yes, but if they are, in fact, using a proprietary protocol atop
Ethernet, rather than IP, Ethereal won't be able to dissect it - it'll
just show it as Ethernet data with a particular Ethernet type.
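As an added example (not part of either participant's message), a small Python dissector of the Ethernet header that shows the behaviour described in the reply: a frame whose EtherType is not a known one is decoded only as far as the Ethernet layer, while an IEEE 802.3 frame carries a payload length instead of a type. The sample frames are constructed, and 0x88B5 (the IEEE local-experimental EtherType) stands in for an unknown proprietary protocol.

```python
import struct

# EtherTypes a dissector knows how to hand off to a higher-layer decoder.
# Anything else is shown only as Ethernet data with that type value.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def dissect_ethernet(frame: bytes) -> dict:
    """Parse the 14-byte Ethernet header and report how far decoding can go.

    A type/length field >= 0x0600 means Ethernet II (the field is an EtherType);
    a smaller value means IEEE 802.3 framing and the field is a payload length.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    result = {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "payload_len": len(frame) - 14,
    }
    if type_or_len >= 0x0600:
        result["framing"] = "Ethernet II"
        result["ethertype"] = type_or_len
        result["dissected_as"] = KNOWN_ETHERTYPES.get(type_or_len, "Ethernet data only")
    else:
        result["framing"] = "IEEE 802.3"
        result["length_field"] = type_or_len
        result["dissected_as"] = "802.3 payload (LLC), no EtherType"
    return result


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample frames, not captured traffic.
_HDR = _mac("00:11:22:33:44:55") + _mac("66:77:88:99:aa:bb")
IPV4_FRAME = _HDR + b"\x08\x00" + b"\x45" + b"\x00" * 19          # EtherType 0x0800
PROPRIETARY_FRAME = _HDR + b"\x88\xb5" + b"\x01\x02\x03\x04"      # unknown EtherType
RAW_8023_FRAME = _HDR + b"\x00\x10" + b"\xaa" * 16                 # length field = 16

if __name__ == "__main__":
    for name, frame in [("ipv4", IPV4_FRAME), ("proprietary", PROPRIETARY_FRAME),
                        ("802.3", RAW_8023_FRAME)]:
        print(name, dissect_ethernet(frame))
```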