Ethereal-users: RE: [Ethereal-users] Newbie question - Session Capture at multiple points for c

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Francisco Alcoba (TS/EEM)" <francisco.alcoba@xxxxxxxxxxxx>
Date: Fri, 4 Feb 2005 08:16:31 +0100
Hi,

> Basically, first I'd like to know if I can even do what I 
> need to do (I 
> still want to learn how to use ethereal, but right now I need to get 
> this data to the Web-application provider), which is:
> 
> Capture a session from one particular IP address on an 
> internal network 
> from three different places:
> 
> a) coming off of the NIC on the workstation
> 
> b) coming off of our Firewall WAN interface, and
> 
> c) coming off of the ISP Router WAN interface (T-1)
> 
> I'd *like* to be able to do this from my workstation (also on the 
> internal (private IP range 192.168.xxx.xxx) if possible.
> 

T1 is a point-to-point interface; that means you cannot sniff it unless you can break the line and put something in the middle that forwards the traffic to and fro and keeps a copy; your other option is that your router is prepared to mirror the data and copy it somewhere, and potentially Ethereal might read that copy. For that to work, you'd need it to be written into a format that Ethereal understands; the very best way would be the router to send a copy of the packets over an Ethernet link, but that seems doubtful.

As for the WAN interface of the Firewall, as long as it is ethernet, or something similar, and you can sniff there, you can read the capture later in Ethereal. For instance, if you have a unix-based firewall, a snoop on the WAN interface can create a capture file Ethereal can read afterwards. It might be possible also to do that in real time, sort of asking the firewall to send you in real time a copy of the traffic it is sending out, but that is the sort of thing firewall administrators are usually sort of reticent to do, and it is not trivial anyway.

On your workstation you should have no problems if you are an administrator or can convince yours to help -it's normally easier if it is a Windows workstation-.

So, in short:

> a) coming off of the NIC on the workstation

Yes, quite easily; you'll need the support of the administrator.

> b) coming off of our Firewall WAN interface, and

You definitely need the support of the Firewall administrator.
There should be no problem in offline reads if the firewall is unix-based. If it is hardware specific, it depends on the firewall.

> c) coming off of the ISP Router WAN interface (T-1)

Looks difficult. I'd look for other options.

In my experience, it is much more likely that you have problems inside your network -i.e. from your workstation to the router- than outside, and the type of problems outside are usually gross ones you can infer from traffic inside. That's because you usually ask for a more complex behaviour in a firewall than in an access router, and a behaviour that depends more on the type of traffic, but that might not be true if your router provides you a sophisticated service. I'd begin with traces in your workstation plus firewall if possible, and then look for other things. But, of course, I don't know which type of problems you have.

Regards,

  Francisco
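As an added example (not part of the original thread or of Ethereal itself), this shows the libpcap file layout Ethereal reads when a capture is taken on another box, such as the firewall's WAN interface, and brought back for offline analysis. It writes a few constructed Ethernet/IPv4 frames and then keeps only those involving the one workstation address, as the original question asks; the addresses, timestamps and payloads are made-up sample values.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, written little-endian here
LINKTYPE_ETHERNET = 1     # link type Ethereal expects for an Ethernet-style WAN interface

def ipv4_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed Ethernet+IPv4 frame (zero MACs, no checksum, sample data only)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def write_pcap(packets: List[Tuple[int, int, bytes]], snaplen: int = 65535) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) tuples into a libpcap file Ethereal can open."""
    # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        data = frame[:snaplen]                          # truncate to snaplen like a sniffer would
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)) + data
    return out

def read_pcap(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Parse a little-endian libpcap blob back into (ts_sec, ts_usec, frame) tuples."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    pos, packets = 24, []
    while pos < len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", blob, pos)
        pos += 16
        packets.append((ts_sec, ts_usec, blob[pos:pos + incl]))
        pos += incl
    return packets

def frames_for_host(blob: bytes, host: str) -> List[bytes]:
    """Keep only IPv4 frames where `host` is the source or destination address."""
    want = bytes(int(o) for o in host.split("."))
    keep = []
    for _, _, frame in read_pcap(blob):
        # IPv4 source sits at bytes 26..30 and destination at 30..34 after the 14-byte Ethernet header
        if frame[12:14] == b"\x08\x00" and want in (frame[26:30], frame[30:34]):
            keep.append(frame)
    return keep

# Constructed sample: a request/reply pair for the workstation plus one unrelated frame.
SAMPLE = write_pcap([
    (1107500000, 0, ipv4_frame("192.168.1.10", "10.0.0.1", b"GET /")),
    (1107500000, 500, ipv4_frame("10.0.0.1", "192.168.1.10", b"HTTP/1.0 200")),
    (1107500001, 0, ipv4_frame("192.168.1.20", "10.0.0.1", b"noise")),
])
```

Writing `SAMPLE` to a `.pcap` file gives something Ethereal opens directly; a real snoop or tcpdump run on the firewall produces the equivalent without any hand-built frames.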