Ethereal-dev: Re: [ethereal-dev] packet capture from switches and other RMON devices

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: guy@xxxxxxxxxx (Guy Harris)
Date: Wed, 12 May 1999 01:15:47 -0700 (PDT)
> during a conversation with someone the other day, the suggestion was made
> that some RMON capable devices allow you to do packet capture. 
> 
> Is this true? 

The Remote Network Monitoring MIB (RFC 1757) includes:

	2.3.8.  The Filter Group
   
	   The filter group allows packets to be matched by a filter equation. 
	   These matched packets form a data stream that may be captured or may
	   generate events.  This group consists of the filterTable and the
	   channelTable.
   
	2.3.9.  The Packet Capture Group
   
	   The Packet Capture group allows packets to be captured after they
	   flow through a channel.  This group consists of the
	   bufferControlTable and the captureBufferTable, and requires the
	   implementation of the filter group.

so, in theory, an RMON-capable device could allow you to do packet
capture using the RMON MIB.

I've yet to actually see such a device, however; a while ago, I
experimented with one of our SNMP-capable switches, but I was unable to
provoke it to let me do anything - that may just mean I was doing it
wrong.

> If so, it would make a useful feature for wiretap?

Yes.

The packet filtering mechanism isn't as sophisticated as that of
the Stanford/CMU packet filter (the one used by, for example, SunOS 4.x
and 5.x as its filtering language), much less the Berkeley packet filter
- the rules only allow expressions like

	if ((a & mask) == (b & mask))
		save the packet

- but it probably can catch the most interesting cases.
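As an added example (not code from this message or from Ethereal), the filterTable match described above in Python. The filterPktDataOffset/Data/Mask/NotMask semantics follow RFC 1757, which the message cites; the frames, filter rows and helper names are constructed. It also shows the limit Guy points at: AND is one masked window, OR needs several filterTable rows in one channel, and every offset is fixed, so nothing can depend on a variable header length the way a BPF program can.

```python
"""RMON-1 (RFC 1757) filterTable/channelTable matching; constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RmonFilter:
    """One filterTable row: filterPktDataOffset / Data / DataMask / DataNotMask."""
    offset: int
    data: bytes
    mask: bytes       # 1 bits are the relevant bits (the "& mask" in the message)
    not_mask: bytes   # 1 bits select relevant bits of which at least one must differ

    def matches(self, pkt: bytes) -> bool:
        end = self.offset + len(self.data)
        if len(pkt) < end:            # RFC 1757: a too-short packet never matches
            return False
        window = pkt[self.offset:end]
        diff = [(p ^ d) & m for p, d, m in zip(window, self.data, self.mask)]
        # relevant bits with not_mask == 0 must all be equal ...
        if any(x & ~n & 0xFF for x, n in zip(diff, self.not_mask)):
            return False
        # ... and if any relevant not_mask bits exist, at least one must differ
        if any(m & n for m, n in zip(self.mask, self.not_mask)):
            return any(x & n for x, n in zip(diff, self.not_mask))
        return True


def channel_accepts(filters, pkt: bytes) -> bool:
    """channelAcceptType acceptMatched: the channel takes a packet any filter matches."""
    return any(f.matches(pkt) for f in filters)


def frame(src_ip: bytes, dst_port: int, ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame: 20-byte IP header, no options."""
    eth = b"\x00" * 12 + ethertype.to_bytes(2, "big")
    ip = b"\x45\x00\x00\x28" + b"\x00" * 5 + b"\x06\x00\x00" + src_ip + bytes([10, 0, 0, 99])
    tcp = b"\xc3\x50" + dst_port.to_bytes(2, "big") + b"\x00" * 16
    return eth + ip + tcp


# AND of conditions is a single filter spanning the window, mask 0 on the bytes between:
# "EtherType 0x0800 at offset 12" and "source address (offset 26..29) is not 10.0.0.1".
IPV4_NOT_FROM_HOST = RmonFilter(
    offset=12,
    data=b"\x08\x00" + b"\x00" * 12 + bytes([10, 0, 0, 1]),
    mask=b"\xff\xff" + b"\x00" * 12 + b"\xff" * 4,
    not_mask=b"\x00" * 14 + b"\xff" * 4,
)
# OR needs separate filterTable rows in one channel: TCP destination port 80 or 443.
TCP_TO_80 = RmonFilter(36, (80).to_bytes(2, "big"), b"\xff\xff", b"\x00\x00")
TCP_TO_443 = RmonFilter(36, (443).to_bytes(2, "big"), b"\xff\xff", b"\x00\x00")
WEB_CHANNEL = [TCP_TO_80, TCP_TO_443]
```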