On Wed, Mar 10, 2004 at 04:43:39PM +0100, Zanetta Michael wrote:
> Here is what you asked me, two dump, one from the user-side
> with ethereal, and the other one is from the Firewall side,
> on the internal interface.
> I hope it will help you...
Well, it appears that the header on the Symantec Firewall capture has 6
bytes of mysterious data, 2 bytes of what appears to be an Ethernet
type, and 36 bytes of what appears to be zeroes.
I've checked in a change to Ethereal to analyze those captures based on
those assumptions; it should appear whenever the next Ethereal release
comes out (whenever that will be - I don't know).
I've also checked in changes to libpcap and tcpdump for those captures.
> By the way, what I meant for Binary is in fact the tcpdump.exe.
> But it wouldn't work on your machine, as it needs the driver
> installed by the firewall itself.
It won't work on my machines because:
% uname -sr
FreeBSD 3.4-RELEASE
on one machine, and
% uname -sr
FreeBSD 4.6-RELEASE
on another machine and
% uname -sr
Darwin 7.2.0
on yet another machine.
The first of those machines can also run NT 4.0, but I don't know
whether it could run the Symantec firewall software.
> Sorry but there is no documentation, it is supposed to work like
> the linux tcpdump, you can use almost the same options.
What matters is the link-layer header, not the options.
> If you really want to test this tcpdump, you must install the
> firewall on a machine. It can be downloaded from Symantec Site.
If I were to run that tcpdump, it'd help only if it printed the
mysterious data - what happens if you run that tcpdump, with the "-e"
flag, and tell it to read the firewall capture file you sent (i.e., "-r
tcpdump.dmp")?