Hello Guy,
> > + etype = tvb_get_ntohs(tvb, 12);
> > +
> > + if (tree) {
> > + sprintf(header, "FW1 Monitor");
> > +
> > + /* fetch info to local variable */
> > + direction[0] = tvb_get_guint8(tvb, 0);
> > + direction[1] = 0;
> > + tvb_get_nstringz0(tvb, 2, 10, interface);
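Review bot: the declaration of `interface` is not in this hunk, yet `tvb_get_nstringz0(tvb, 2, 10, interface)` asks for up to 10 bytes, so please confirm the buffer is at least that large (plus the terminating NUL the function writes); likewise `sprintf(header, "FW1 Monitor")` has no bound on `header`, and a bounded form such as `g_snprintf(header, sizeof header, "FW1 Monitor")` would remove any doubt. Both the `header` and the name fetch sit under `if (tree)`, so nothing outside that branch should rely on them being filled.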
>
> It looks as if the Firewall-1 header is like an Ethernet header except
> that it has 1 byte of direction, 1 byte of something, and 10 bytes of
> interface name, rather than 2 6-byte MAC addresses.
Exactly.
> Should FW1 monitor files be handled by the Ethernet dissector checking
> the "interpret_as_fw1_monitor" flag and, if it's set, displaying the
> direction and interface name rather than the MAC addresses?
Yes, that's the way.
The other important addition is to see the way through the firewall
at several places.
Meanwhile I have tried to write some words about the dissector.
This is my first version and I think my English is not so good.
A colleague of mine is reading and correcting it.
I will put the corrected version in an additional patch.
*
* To use this dissector use the command line option
* -o eth.eth_interpret_as_fw1_monitor:TRUE
*
* At the moment the way with the option is the best one.
* An automatic way is not possible. The file format isn't different
* from the snoop file.
*
* With "fw monitor" it is possible to collect packets at several places.
* The additional information:
* - is it an incoming or outgoing packet
* - is it before or after the firewall
* i incoming before the firewall
* I incoming after the firewall
* o outgoing before the firewall
* O outgoing after the firewall
* - the name of the interface
*
* What's the problem?
* Think about one packet traveling across the firewall.
* With ethereal you will see 4 lines in the Top Pane.
* To analyze a problem it is helpful to see the additional information
* in the protocol tree of the Middle Pane.
*
* The presentation of the summary line is designed in the following way:
* Every time the next selected packet in the Top Pane includes a
* "new" interface name the name is added to the list in the summary line.
* The interface names are listed one after the other.
* The position of the interface names doesn't change.
*
* And how are the 4 places represented?
* The interface name represents the firewall module of the interface.
* On the left side of the interface name is the interface module.
* On the right side of the interface name is the "IP" module.
*
* Example for a ping from the firewall to another host:
* For the four lines in the Top Pane you will see the according lines
* in the Middle Pane:
* El90x1 o
* O El90x1
* i El90x1
* El90x1 I
*
Greetings
Alfred Koebler
---
I.CONSULT Beratungsgesellschaft mbH web: www.icon-sult.de
Dipl. Ing. Alfred Koebler email: ak@xxxxxxxxxxxx
CCSA/CCSE-2000, CCSA/CCSE-NG, CCSI, ACA
Breitwiesenstr. 6 Fon: +49 711 787808-13
70565 Stuttgart Fax: +49 711 787808-11
PGP Fingerprint = 0C15 BB1B 7E87 19F6 EDCC 539D AB04 BEB7 3409 9A09
Publickey: http://www.pca.dfn.de/dfnpca/pgpkserv/ - KeyID: ak@xxxxxxxxxxxx
X509/Certificate Fingerprint = 5E:2C:CF:46:91:96:0D:BD:B0:52:8C:E2:BE:3B:D7:60
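As an added example, not code from the patch or from Ethereal itself: a stand-alone C parser for the header layout described in this thread (1 byte direction, 1 byte unknown, 10 bytes interface name, ethertype at offset 12), which also renders the summary column as in the four-line ping example. The left/right placement of the direction letter follows my reading of the "interface module on the left, IP module on the right" description, and the frame bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FW1 monitor pseudo-Ethernet header as described in the thread:
 * offset 0     direction flag: i, I, o or O
 * offset 1     one byte of unknown meaning
 * offset 2..11 interface name, up to 10 bytes, NUL-padded when shorter
 * offset 12    Ethernet type, big-endian (same place as in a real frame) */
#define FW1_HDR_LEN    14
#define FW1_IFNAME_LEN 10

struct fw1_hdr {
    char     direction;
    char     ifname[FW1_IFNAME_LEN + 1]; /* always NUL-terminated here */
    uint16_t etype;
};

/* Returns 0 on success, -1 when the buffer is shorter than the header. */
int fw1_parse(const uint8_t *buf, size_t len, struct fw1_hdr *out)
{
    if (len < FW1_HDR_LEN) return -1;
    out->direction = (char)buf[0];
    memcpy(out->ifname, buf + 2, FW1_IFNAME_LEN);
    out->ifname[FW1_IFNAME_LEN] = '\0';   /* name may fill all 10 bytes without a NUL */
    out->etype = (uint16_t)((buf[12] << 8) | buf[13]);
    return 0;
}

/* Summary column: the direction letter sits on the interface-module side (left)
 * for O and i, and on the IP-module side (right) for o and I, matching the
 * "El90x1 o" / "O El90x1" / "i El90x1" / "El90x1 I" ping example. */
int fw1_summary(const struct fw1_hdr *h, char *out, size_t outlen)
{
    switch (h->direction) {
    case 'o': case 'I': return snprintf(out, outlen, "%s %c", h->ifname, h->direction);
    case 'O': case 'i': return snprintf(out, outlen, "%c %s", h->direction, h->ifname);
    default:            return -1;        /* not an FW1 direction flag */
    }
}

/* Builds a constructed header for `dir` and `name` with an IPv4 ethertype,
 * parses it back and returns 1 when the rendered summary equals `expected`. */
int fw1_demo_matches(char dir, const char *name, const char *expected)
{
    uint8_t frame[FW1_HDR_LEN] = {0};
    struct fw1_hdr h;
    char line[32];
    frame[0] = (uint8_t)dir;
    memcpy(frame + 2, name, strlen(name) < FW1_IFNAME_LEN ? strlen(name) : FW1_IFNAME_LEN);
    frame[12] = 0x08; frame[13] = 0x00;   /* constructed: IPv4 */
    if (fw1_parse(frame, sizeof frame, &h) != 0 || h.etype != 0x0800) return 0;
    if (fw1_summary(&h, line, sizeof line) < 0) return 0;
    return strcmp(line, expected) == 0;
}
```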