Ethereal-users: Re: [Ethereal-users] Is there a capture filter patterns guide ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 27 May 2006 02:19:07 +0200
On Fri, May 26, 2006 at 06:54:06AM -0500, Thomas Stein wrote:
> There are various recurrent, often used capture tasks.
> I could imagine that there already exists a guide on which filter settings
> and interpretations are necessary for certain tasks.

Yes and no, I use ethereal every day and use different filters
every day. There are however some filters I use frequently.
It's possible to save these in the filters dialogue box...

> Task 1: Which remote IPs are visited by local IP a.b.c.d

ip.addr==a.b.c.d

> Task 2: Which port scanning tries occur on port xxx

tcp.port == xxx or udp.port == xxx
(it is not certain that a frame listed with this filter
is part of a port scan or just a specific try, but at
least you know which source tried to connect on that port)

> Task 3: Which other IPs communicate on CLASS B  192.168.*.*

ip.addr==192.168.0.0/16

> Ok I can start to write my own cooking recipe but why 
> re-inventing the wheel?

Re-inventing the wheel is necessary, because every network
is different and every analysis has a different goal...

> I assume that these solutions are described somewhere.
> However I didn't find it in the official manual.
> Does someone know a good web page?

Yes, there's a section on display-filters in the user's guide:
http://www.ethereal.com/docs/eug_html_chunked/ChWorkBuildDisplayFilterSection.html

... and also on the wiki: http://wiki.ethereal.com/DisplayFilters

If you have any nice filters, you can add them on the wiki so 
that someone else does not have to re-invent the wheel :)


Hope this helps,  Cheers,    Sake

PS  If you want to use the filters as capture-filters, you have to use:

1) host a.b.c.d
2) port xxx
3) net 192.168.0.0 mask 255.255.0.0

More info on capture filters:
http://www.ethereal.com/docs/eug_html_chunked/ChCapCaptureFilterSection.html
http://wiki.ethereal.com/CaptureFilters
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
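As an added example (not part of Sake's reply, and not Ethereal's own code), here are the three display filters from the thread evaluated in Python over a constructed list of packet summaries, one function per task. The packet records, addresses and ports are made up for the demonstration; `ip_addr_eq`, `port_eq`, `ip_addr_in_net` and the task functions are hypothetical helpers that mimic what the filters select, and `net_capture_filter` derives the `net ... mask ...` capture-filter form given in the PS from a CIDR prefix.

```python
"""Display-filter semantics from the thread, applied to constructed packets.

Added example: not from the original mailing-list post or from Ethereal.
"""
import ipaddress

# Constructed sample packets: (src_ip, dst_ip, proto, src_port, dst_port).
# 10.1.1.5 plays the "local IP a.b.c.d" from Task 1.
SAMPLE_PACKETS = [
    ("10.1.1.5", "203.0.113.34", "tcp", 51000, 80),     # local -> web server
    ("203.0.113.34", "10.1.1.5", "tcp", 80, 51000),     # reply
    ("10.1.1.5", "192.168.7.9", "udp", 51001, 53),      # local -> DNS
    ("192.168.7.9", "10.1.1.5", "udp", 53, 51001),      # reply
    ("172.16.0.2", "10.1.1.5", "tcp", 40000, 22),       # inbound SYN to 22
    ("172.16.0.3", "10.1.1.9", "tcp", 40001, 22),       # inbound to another host
    ("192.168.3.4", "192.168.250.1", "tcp", 3000, 443), # purely inside 192.168/16
    ("10.9.9.9", "10.1.1.5", "icmp", None, None),       # no ports at all
]


def ip_addr_eq(pkt, ip):
    """'ip.addr == ip': true when ip is the source OR the destination."""
    return pkt[0] == ip or pkt[1] == ip


def port_eq(pkt, port):
    """'tcp.port == port or udp.port == port': either end's port, TCP or UDP.

    Protocols without ports (ICMP here) never match, as in Ethereal.
    """
    return pkt[2] in ("tcp", "udp") and port in (pkt[3], pkt[4])


def ip_addr_in_net(pkt, cidr):
    """'ip.addr == 192.168.0.0/16': either address falls inside the prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(ipaddress.ip_address(a) in net for a in pkt[:2])


def remote_peers(packets, local_ip):
    """Task 1: remote IPs seen in frames that match ip.addr == local_ip.

    Because ip.addr matches both directions, replies are included too,
    so the peer is whichever address is not local_ip.
    """
    peers = set()
    for p in packets:
        if ip_addr_eq(p, local_ip):
            peers.add(p[1] if p[0] == local_ip else p[0])
    return peers


def sources_hitting_port(packets, port):
    """Task 2: sources that sent a frame whose destination port is `port`.

    The thread's filter lists every frame touching the port (including
    replies); narrowing to destination port keeps only the initiators.
    """
    return sorted({p[0] for p in packets if port_eq(p, port) and p[4] == port})


def net_talkers(packets, cidr):
    """Task 3: every address appearing in frames that touch the prefix."""
    hits = set()
    for p in packets:
        if ip_addr_in_net(p, cidr):
            hits.update(p[:2])
    return hits


def net_capture_filter(cidr):
    """Capture-filter form from the PS: 'net <network> mask <netmask>'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"net {net.network_address} mask {net.netmask}"


if __name__ == "__main__":
    print("Task 1:", sorted(remote_peers(SAMPLE_PACKETS, "10.1.1.5")))
    print("Task 2:", sources_hitting_port(SAMPLE_PACKETS, 22))
    print("Task 3:", sorted(net_talkers(SAMPLE_PACKETS, "192.168.0.0/16")))
    print("Capture filter for task 3:", net_capture_filter("192.168.0.0/16"))
```

The point the functions make explicit is that `ip.addr == x` matches either endpoint, so a filter that looks one-directional in prose actually returns both halves of a conversation; when the question is "who initiated", the destination port (Task 2) or the source address has to be pinned down separately.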