Ethereal-dev: RE: [ethereal-dev] Re: Summary page for ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Farley, Tim (ISSAtlanta)" <TFarley@xxxxxxx>
Date: Wed, 16 Jun 1999 18:23:59 -0400
>> The base protocol (ethertype 1984) is called TRAIL,

>Called that by whom?  NetMon?  

Yeah, it's just an M$-ism, I should have been clearer on that.

>From which menu do you get those?  (It's not in any obvious menu in the
>version of NetMon I have, but I'm not sure where that version came from

There are two places I got that.  One is if you are viewing a capture, and
select from the edit menu the "Read Only" option (so it becomes unchecked),
you can then pick the TOOLS menu and choose Insert Comment Frame.  In that
dialog you can create packets with comments in them to annotate a capture.
This lets you insert a COMMENT or BOOKMARK frame.   COMMENT is obvious.
BOOKMARK I'm not sure what that is for, since there is no obvious "go to
bookmark" item.

Once you have a packet like this in a cap, Netmon decodes the layer after
Ethernet as TRAIL.  That leads on to TRAIL.DLL and TRAIL.INI in the PARSERS\
subdirectory.  The TRAIL.INI file contains the following hints:

;//   USE THIS SECTION TO ADD ON YOUR OWN SPECIAL PARSERS WHICH WILL BE 
;//   CALLED AFTER TRAIL FIRST GIVE THE UNIQUE FRAMETYPE VALUE (OVER 1000) 
;//   THEN THE PARSER THAT WILL BE CALLED FOR THIS VALUE VALUE=PARSER
;// 
[TRAIL]
101=GENERIC
102=BOOKMARK
103=STATS
104=ODBC
105=MESSAGE
106=COMMENT

I think they meant this as a generic way for folks to annotate captures in
oddball ways without changing the file format.

>- I've heard NetMon is bundled with NT server, but the machine I have
>isn't running NT Server, and a version that may be fancier comes with
>System Management Server.)

Yes, NETMON is bundled with NT Server, you install it by opening the Control
Panel -> Network applet, going to Services and adding "Network Monitor Agent
and Tools".  The disadvantage of the bundled one is that it will not go
promiscuous, it only sniffs traffic to and from the server.  I think there are a
handful of other oddball features that are disabled.

The main version is bundled with SMS.  The NT/SMS bundling issue is also the
source of some confusion about version numbers.  NETMON 1.2, which is
bundled with SMS 1.2, also reports a version of 4.0 in its About box to
match the version of NT it is bundled with as well.  Likewise NETMON 2.0
comes with SMS 2.0, but reports 5.0 in its About Box to match NT 5.0 aka
Win2000.


Boy, that was more than anyone on this list ever wanted to know about
NETMON, eh?  <grin>

=====================================
Tim Farley
Software Engineer
tfarley@xxxxxxx

Internet Security Systems, Inc.
(678) 443-6000 / Direct Dial (678) 443-6189 / fax (678) 443-6479
http://www.iss.net

Adaptive Network Security for the Enterprise
=====================================
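Worked example added to this archive page (it is not Tim Farley's code and not anything shipped with NetMon): it loads the [TRAIL] table quoted in the message, enforces the INI's "over 1000" rule for site-specific parsers, and separates NetMon annotation frames (ethertype 1984) from frames that were actually seen on the wire, which matters when a capture is used as forensic evidence. It assumes only what the message states; the frame payloads are constructed and the TRAIL header layout is not modelled.

```python
import configparser
import struct

# Ethertype NetMon uses for its TRAIL annotation frames (1984 decimal = 0x07C0).
TRAIL_ETHERTYPE = 1984

# Copy of the [TRAIL] section quoted in the message (constructed test input).
TRAIL_INI = """\
;//   USE THIS SECTION TO ADD ON YOUR OWN SPECIAL PARSERS WHICH WILL BE
;//   CALLED AFTER TRAIL FIRST GIVE THE UNIQUE FRAMETYPE VALUE (OVER 1000)
;//   THEN THE PARSER THAT WILL BE CALLED FOR THIS VALUE VALUE=PARSER
[TRAIL]
101=GENERIC
102=BOOKMARK
103=STATS
104=ODBC
105=MESSAGE
106=COMMENT
"""

# Constructed sample frames: one TRAIL annotation, one IPv4 frame, one runt.
SAMPLE_FRAMES = [
    bytes(6) + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", TRAIL_ETHERTYPE) + b"analyst note",
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 0x0800) + b"\x45" + bytes(19),
    b"\x00" * 10,
]


def load_trail_table(ini_text):
    """Parse the [TRAIL] section into {frametype: parser name}; ';' lines are comments."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {int(key): name for key, name in cp["TRAIL"].items()}


def register_custom_parser(table, frametype, parser):
    """Add a site-specific parser, enforcing the INI's 'unique value over 1000' rule."""
    if frametype <= 1000 or frametype in table:
        raise ValueError(f"frametype {frametype} is reserved or already in use")
    table[frametype] = parser


def split_annotations(frames):
    """Return (wire_frames, trail_frames) for a list of raw Ethernet frames.

    TRAIL frames were typed in by an analyst via Insert Comment Frame, so they
    must not be counted as observed network activity when a capture is reviewed.
    """
    wire, trail = [], []
    for frame in frames:
        if len(frame) < 14:
            continue  # runt: no complete Ethernet header to classify
        ethertype = struct.unpack("!6s6sH", frame[:14])[2]
        (trail if ethertype == TRAIL_ETHERTYPE else wire).append(frame)
    return wire, trail
```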