Wireshark · Ethereal-dev: RE: [ethereal-dev] Ethereal - Displaying IPX Net names and hostna mes in capture mode?

Ethereal-dev: RE: [ethereal-dev] Ethereal - Displaying IPX Net names and hostna mes in capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Farley, Tim (ISSAtlanta)" <TFarley@xxxxxxx>

Date: Mon, 8 Nov 1999 17:29:10 -0500

>I can fix it for MAC addresses, but there's no way to specify the names
>for IPX networks.  We could add support for an /etc/ipxnet file or
>something. There's no standard way of resolving names for IPX, so
>we'll have to make our own.

Microsoft Network Monitor has an interesting way of handling this for folks
who write protocol decoder plug-ins to drop into it.

There is an API available inside NETMON that lets a "parser" (what Ethereal
calls a "dissector") tell NETMON when it has found a name in a packet.  When
parsing a packet that has a system name in its payload, you yank the name
out of the packet and pass it to the API.  Then NETMON knows that name is
associated with the addressing on that packet.  Of course, you need a way in
the API to tell which side of the connection the name is associated with.
For other cases, instead of taking the addressing off the packet, you'd want
to pass an address to the API so for instance if you were parsing a DNS zone
transfer, you could build up an address list as you saw it go by.

This scheme works amazingly well, because typically network applications
will "look up" the name of a system right before the contact it.  So in many
cases the names you want are right there in the data you captured.

In the IPX world, servers typically "advertise" their names using SAP on a
60-second interval, so all you have to do is collect packets for a couple of
minutes and you usually see everything you need to get server names for
display.  Client names are a bit different, but there are still packets
where these could be picked up.

Of course, to make it truly usable, you need a way to cache the names you
have collected.  This helps cover cases where the naming wasn't available
and gives you the best of both possible worlds.  That's a no-brainer, you
just take the names you got from the dissectors through this API, and write
them into a configuration file when Ethereal exits, so they'll be available
next time.

=====================================
Tim Farley
Software Engineer
tfarley@xxxxxxx

Internet Security Systems, Inc.
(678) 443-6000 / Direct Dial (678) 443-6189 / fax (678) 443-6479
http://www.iss.net

Adaptive Network Security for the Enterprise
=====================================

Prev by Date: Re: [ethereal-dev] plugins support
Next by Date: Re: [ethereal-dev] Ethereal - Displaying IPX Net names and hostna mes in capture mode?
Previous by thread: Re: [ethereal-dev] Re: [ethereal-users] Ethereal - Displaying IPX Net names and hostnames in capture mode?
Next by thread: Re: [ethereal-dev] Ethereal - Displaying IPX Net names and hostna mes in capture mode?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$