Another easy job for MATE....
Based on the example tcp configuration in
http://wiki.ethereal.com/Mate_2fExamples
you can just add a GopIdleTimeout=30; to the GopDef.
At that point filtering with "tcp && !mate" would give you only those
tcp packets that do not belong to a group, i.e. those for which a SYN
has not been seen and those coming after expiration.
A similar config can be done for UDP.
Luis
On 5/1/05, Al Stu <AHStubbl@xxxxxxxxxxx> wrote:
> "What do you mean by "request from the NAT"? If you're sniffing on the
> WAN side of the NAT, do you mean "packet from a host behind the NAT"?"
>
> Yes, but obviously the packets would appear to be coming from the NAT, as
> they would have the NAT's WAN address as the source.
>
> Yes, realize it would have to be an unconventional capture filter. Would it
> be possible for it to be implemented in WinPcap? Or would it have to be in
> Ethereal by necessity?
>
> ----- Original Message -----
> From: "Guy Harris" <gharris@xxxxxxxxx>
> To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
> Sent: Saturday, April 30, 2005 3:14 PM
> Subject: Re: [Ethereal-users] Feature for NAT Capture Filter
>
> > Al Stu wrote:
> >
> >> I would like to use Ethereal to capture packets of traffic not matching a
> >> request from the NAT.
> >> So if Ethereal was to see a packet from 1.2.3.4 port 3597 but Ethereal
> >> had not seen a request from the NAT matching this (within last n
> >> seconds), then it would capture that packet.
> >
> > The capture filter mechanism in many OSes (as used by libpcap) and in
> > libpcap is stateless and has no notion of timeouts, so a filter of the
> > type you describe can't be implemented as a regular capture filter.
> >
> > It might be possible to implement it in Ethereal, so that it'd capture all
> > packets and discard the uninteresting ones in user space.
> >
> > What do you mean by "request from the NAT"? If you're sniffing on the WAN
> > side of the NAT, do you mean "packet from a host behind the NAT"?
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
>
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
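
The filter asked for in this thread needs per-flow state and a timeout, so it has to run in user space over packets that were all captured. The following is an added example, not part of the original messages and not MATE or Ethereal code: it flags packets arriving at the NAT's WAN address that match no flow the NAT opened within the idle timeout. It assumes idle-timeout semantics like GopIdleTimeout=30 (any packet in a live flow refreshes it); the Packet record, function name, NAT address and sample packets are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet record: capture time in seconds, protocol, endpoints.
Packet = namedtuple("Packet", "ts proto src sport dst dport")

def unsolicited(packets, nat_ip, idle_timeout=30.0):
    """Return packets sent to nat_ip that belong to no flow the NAT
    originated, or whose flow has been idle longer than idle_timeout."""
    last_seen = {}  # (proto, nat_port, remote_ip, remote_port) -> last activity
    flagged = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.src == nat_ip:
            # Outbound packet: the NAT opens or refreshes the flow.
            last_seen[(p.proto, p.sport, p.dst, p.dport)] = p.ts
        elif p.dst == nat_ip:
            key = (p.proto, p.dport, p.src, p.sport)
            seen = last_seen.get(key)
            if seen is not None and p.ts - seen <= idle_timeout:
                last_seen[key] = p.ts      # reply inside the window
            else:
                last_seen.pop(key, None)   # never opened, or expired
                flagged.append(p)
    return flagged

# Constructed sample capture taken on the WAN side of the NAT.
NAT_WAN = "203.0.113.5"
SAMPLE = [
    Packet(0.0, "udp", NAT_WAN, 40000, "198.51.100.7", 53),    # request
    Packet(0.2, "udp", "198.51.100.7", 53, NAT_WAN, 40000),    # reply
    Packet(5.0, "tcp", "1.2.3.4", 3597, NAT_WAN, 8080),        # no request seen
    Packet(45.0, "udp", "198.51.100.7", 53, NAT_WAN, 40000),   # after expiration
    Packet(50.0, "tcp", NAT_WAN, 40001, "198.51.100.9", 443),  # request
    Packet(50.1, "tcp", "198.51.100.9", 443, NAT_WAN, 40001),  # reply
]

if __name__ == "__main__":
    for pkt in unsolicited(SAMPLE, NAT_WAN):
        print(pkt)
```
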