Ethereal-users: RE: [Ethereal-users] IP Multicast/UDP Data Packet Analysis Problem

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Crescioli, Phil" <Phil.Crescioli@xxxxxxxxxx>
Date: Fri, 17 Sep 2004 09:16:38 -0400
My reply to gharris's comments:

With your input I was able to solve my problem.
Please keep in mind I am not the expert of these systems
and how they are configured. I was asked to sniff the data
and analyze the data.  So I have some assumptions about how the
data is being sent.  However, this process and Ethereal are making
me become an expert :).

FYI - I opened one of the data sets in Ethereal I had previously 
saved on the Linux box, then I went and disabled the RX protocol 
as you suggested, and voila, the UDP Data Packet I expected in the
first place was there!  
I analyzed the hex UDP data enough to verify the UDP data packets 
are correct. And yes, the data was being sent and received via 
port 7000, so (I assume, from your comments) that's why Ethereal 
was showing it as an RX protocol at the highest level?

This brings me to a follow up comment from me to Ethereal 
Developers:  If I'm sending UDP packets to/from port 7000, 
can Ethereal be coded so as to know it's not an Rx packet and 
actually just a UDP packet?  Or, should the sender of the UDP 
data not be sending to Port 7000 if in fact it is not using the 
RX protocol?

Thanks for the advice!  Ethereal is an awesome tool.
Phil

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of
gharris@xxxxxxxxx
Sent: Thursday, September 16, 2004 7:35 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] IP Multicast/UDP Data Packet Analysis
Problem


Crescioli, Phil said:

> However I am having problems analyzing the data I captured on the 
> third network. When I started a capture Ethereal's popup screen said 
> it was capturing UDP Packets, as it did before.  But when I went to 
> look at the Protocol Field in the Ethereal GUI it said the protocol 
> was RX.

RX - the low-level RPC protocol (not to be confused with ONC RPC or DCE
RPC) atop which the Andrew File System protocol runs - runs atop UDP, so
RX packets *ARE* UDP packets.

The Protocol column in the GUI shows the highest-level protocol for the
packet.

Are you running the Andrew File System on the machines to and from which
the RX traffic is going?  If not, this is probably just UDP traffic of
some sort that happens to be going to or from a port in the range
7000-7009 (the standard port range for RX) or to or from port 7021 (some
AFS backup protocol port).

> So I investigated the VME system that is sending the UDP data and have
> learned that it is using the following protocols to send UDP data.
> Network Layer: IP/IGMP/ICMP and transport Layer: UDP.  It did not mention RX.

Then it's probably not RX traffic.

> I also think the data is being sent via IP Multicast.

If so, then it's almost certainly not RX traffic, as that's unicast.

> When I started the data capture I just let Ethereal capture 
> everything. But all I captured was UDP->RX ACK Packets.

All you captured was probably UDP packets to or from a port in the
7000-7009 range or to or from port 7021, which Ethereal interpreted as
RX packets.

> Where is the Data?

Nowhere - this is probably not RX traffic.

Try selecting "Enabled Protocols" from the "Analyze" menu, and turn off
the RX protocol.  Click "Save" and then "OK" - that'll disable RX *and*
store that setting in a file so that the next time you run Ethereal on
that machine RX will be disabled.

> To confuse things for me a little further, I went and took the captured
> data and opened it in a more recent Version of Ethereal on Win2000
> (Ethereal Version 0.10.6 with the correct Winpcap Version for it as
> specified on ethereal.com).
> Welp, the Protocol field in the Ethereal GUI now listed all the
> packets as either MTP3MG and in some data sets I captured Ethereal
> listed them as SCCP.

And are those packets also UDP packets?

> This definitely is not correct.  Maybe this is due to the fact that I
> captured the data on Linux with Libpcap and the Winpcap version is
> incompatible?

No.  Packets is packets - it doesn't matter what OS you captured them
on.
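The point gharris makes above, that the Protocol column reflects a port-based guess rather than any proof that the payload is RX, can be shown with a small model of that dispatch. The script below is an added example for this archive page, not code from Ethereal or from either poster: it parses a hand-built IPv4/UDP datagram, applies the same port rule the reply describes (7000-7009 and 7021 mean "RX" while the RX dissector is enabled), and adds the sanity check the reply suggests, namely that RX is unicast, so a multicast destination is a strong sign the "RX" label is wrong. The packet contents, addresses and ports are constructed for the demonstration.

```python
import struct
import ipaddress

# Ports that a port-based RX dissector claims (from gharris's reply):
# 7000-7009 is the standard RX range, 7021 an AFS backup protocol port.
RX_PORTS = set(range(7000, 7010)) | {7021}

IPPROTO_UDP = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal IPv4 header + UDP header + payload (checksums left 0).

    This is a test-vector builder for the example, not a captured packet.
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        total_len,
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        IPPROTO_UDP,
        0,               # header checksum (not computed here)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return ip + udp


def parse_ipv4_udp(pkt):
    """Pull addresses, ports and payload out of an IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport, length, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + length]
    return {"src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": payload}


def classify(pkt, rx_enabled=True):
    """Mimic a port-based Protocol column: 'RX' if either port matches and
    the RX dissector is enabled, otherwise plain 'UDP'.  Disabling RX is
    the equivalent of Analyze -> Enabled Protocols -> untick RX."""
    udp = parse_ipv4_udp(pkt)
    on_rx_port = udp["sport"] in RX_PORTS or udp["dport"] in RX_PORTS
    return "RX" if (rx_enabled and on_rx_port) else "UDP"


def rx_plausible(pkt):
    """Cheap check before trusting an 'RX' label: RX is unicast, so a
    multicast destination (224.0.0.0/4) means the label is a port collision."""
    udp = parse_ipv4_udp(pkt)
    return not ipaddress.IPv4Address(udp["dst"]).is_multicast


if __name__ == "__main__":
    # Constructed: a multicast datagram on port 7000, like the VME feed.
    mcast = build_ipv4_udp("192.168.1.10", "239.1.1.1", 7000, 7000, b"\x01\x02\x03\x04")
    print("RX dissector on :", classify(mcast))                 # RX
    print("RX dissector off:", classify(mcast, rx_enabled=False))  # UDP
    print("RX plausible?   :", rx_plausible(mcast))             # False
```

Running it reproduces the thread: with the RX dissector enabled the multicast datagram on port 7000 is labelled RX, with it disabled the same bytes show as UDP, and the unicast check flags the RX label as implausible before anyone has to look at the hex.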


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users