Ethereal-dev: [Ethereal-dev] Symantec Enterprise Firewall & Checkpoint fw monitor - dumps

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Pichlmaier Martin <martin.pichlmaier@xxxxxxxxxxx>
Date: Thu, 28 Oct 2004 10:14:55 +0200
Hello all,

I'm not a member of the ethereal-dev list, but I found some
missing interpretation in the Symantec Enterprise Firewall and
Checkpoint fw monitor data dissectors, and want to share the
information and ask whether you could add that to the source of ethereal.

Symantec: the first 4 bytes are the IP of the interface that saw the
packet. Helps to see a packet going through the firewall.
At least that works with my Symantec Firewalls (6.52 and 7.0 on NT),
never tried with Symantec 8 or with the appliances.
Here's the diff for the packet-symantec.c in epan/dissectors:
---------------------------------
40d39
< static int hf_symantec_if = -1;
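Review bot: the diff is reversed: the `<` lines are the modified file and the `>` lines the original (`40d39` reads as "delete the `hf_symantec_if` declaration"), so `patch` applied as-is removes the feature instead of adding it. Please regenerate with the original file first (`diff -u packet-symantec.c.orig packet-symantec.c`) so the new lines show up as additions.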
50d48
< 	guint32 interface_ip;
54,56c52,54
< 	 * The first 4 bytes are the IPv4 address of the interface that
< 	 * captured the data, followed by 2 bytes of 0, then an Ethernet
< 	 * type, followed by 36 bytes of 0
---
> 	 * There appears to be 6 bytes of mysterious junk, followed by an
> 	 * Ethernet type (or, at least, there's 08 00), followed by 36 bytes
> 	 * of 0.
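Review bot: the new comment states the whole layout (2 zero bytes, Ethernet type, 36 zero bytes) as fact, but the mail only checked it on Symantec 6.52 and 7.0 on NT; keep a hedge and record where it was observed, e.g. `* Observed on Symantec Enterprise Firewall 6.52/7.0 on NT; not verified on 8.x or the appliances.` The two bytes at offset 4 are still not dissected, so nothing would flag a record where they are not zero.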
68d65
< 	tvb_memcpy(tvb, (guint8 *)&interface_ip, 0, 4);
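Review bot: the fetch runs for every packet, outside the `if (tree)` block that (judging by the indentation) encloses the `proto_tree_add_ipv4()` call in the next hunk, so the copy is done even when no tree is built; move it next to the add. If it is kept, `interface_ip = tvb_get_ipv4(tvb, 0);` does the same fetch without the `(guint8 *)` cast and yields the network-byte-order value `proto_tree_add_ipv4()` expects.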
70,71d66
< 		proto_tree_add_ipv4(symantec_tree, hf_symantec_if, tvb,
< 		    0, 4, interface_ip);
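Review bot: with the field registered as `FT_IPv4`, `proto_tree_add_item(symantec_tree, hf_symantec_if, tvb, 0, 4, FALSE);` lets the tree code fetch the address itself, which makes the `interface_ip` variable and the `tvb_memcpy()` in the previous hunk unnecessary.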
84,86d78
< 		{ &hf_symantec_if,
< 		    { "Interface",      "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
< 		"Interface", HFILL }},
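Review bot: the blurb (last string of the `header_field_info`) just repeats the name `"Interface"`; it is what the field list and filter documentation show, so say what the value is, e.g. `"IPv4 address of the firewall interface that saw the packet"`. `FT_IPv4` with `BASE_NONE` is correct.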
-------------------------------------

I would greatly appreciate it if someone could verify that and add it,
or some better code that does the interpretation, to the source tree.


Checkpoint:
That new code for UUID/SUUID, which takes only 5 (or 6) chars of the interface name,
makes the interface name unreadable for longer strings if the UUID/SUUID flags
of fw monitor are not used. Especially with Nokia IP boxes the interface names
are like eth-s1p1c0 or eth-s2p1c0 and you get no difference in the first 5 chars.
I tried a modification in packet-fw1.c:
--------------------------------------
167c167
<     tvb_get_nstringz0(tvb, 2, sizeof interface_name, interface_name);
---
>     tvb_get_nstringz0(tvb, 2, 6, interface_name);
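Review bot: this diff is reversed as well (`<` is the new line), and the change trades one broken case for the other: reading `sizeof interface_name` bytes fixes the truncation for captures made without the UUID/SUUID flags, but the 6-byte limit was put there for the UUID/SUUID layout, which this re-breaks. `sizeof interface_name` also depends on a declaration that is not in the hunk. Rather than hard-coding either length, let the user say which format the capture has (a dissector preference such as "capture made with fw monitor UUID/SUUID flags") and choose 6 or the full buffer from it.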
---------------------------------------
and it worked fine for me. I don't know whether there are some drawbacks.

Thank you very much!

Regards,
Martin Pichlmaier
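The two header layouts the mail relies on, as an added stand-alone example in Python (not Ethereal code and not the author's patch): a parser for the 44-byte Symantec record as the mail describes it (4-byte interface IPv4 address, 2 zero bytes, Ethernet type, 36 zero bytes, then the packet) that also checks the bytes claimed to be always zero, and a model of `tvb_get_nstringz0()` reading the fw monitor interface name at offset 2, showing why a 6-byte buffer leaves `eth-s1p1c0` and `eth-s2p1c0` indistinguishable. The meaning of the first two bytes of a fw monitor record, the record builders and the sample frames are constructed for the example, not taken from the mail.

```python
"""Stand-alone parsers for the two capture pseudo-headers discussed in
the mail.  Added example; not Ethereal code.  Symantec offsets follow the
mail (4-byte interface IPv4, 2 zero bytes, Ethernet type, 36 zero bytes);
the fw monitor part only models how the interface name at offset 2 is
read.  All sample records below are constructed."""
import ipaddress
import struct

SYMANTEC_HDR_LEN = 4 + 2 + 2 + 36   # 44 bytes in front of the packet


def parse_symantec_header(frame: bytes) -> dict:
    """Split a Symantec Enterprise Firewall record into the capturing
    interface's IPv4 address, the Ethernet type and the payload.
    padding_ok tells whether the bytes the mail says are always zero really
    are, so a record from a firewall version with another layout is noticed
    instead of being silently misread."""
    if len(frame) < SYMANTEC_HDR_LEN:
        raise ValueError(f"record too short for Symantec header: {len(frame)} bytes")
    interface_ip = ipaddress.IPv4Address(frame[0:4])       # network byte order
    (ethertype,) = struct.unpack("!H", frame[6:8])
    padding_ok = frame[4:6] == b"\x00\x00" and frame[8:44] == bytes(36)
    return {
        "interface": str(interface_ip),
        "ethertype": ethertype,
        "padding_ok": padding_ok,
        "payload": frame[SYMANTEC_HDR_LEN:],
    }


def get_nstringz0(buf: bytes, offset: int, bufsize: int) -> str:
    """Model of Ethereal's tvb_get_nstringz0(): copy the NUL-terminated
    string at offset into a bufsize-byte buffer, so at most bufsize-1
    characters survive; longer names are silently truncated."""
    end = buf.find(b"\x00", offset)
    if end == -1:
        end = len(buf)
    return buf[offset:end][: bufsize - 1].decode("ascii", errors="replace")


def fw1_interface_name(record: bytes, bufsize: int) -> str:
    """Interface name of a fw monitor record; the name starts at offset 2."""
    return get_nstringz0(record, 2, bufsize)


def make_symantec_record(interface: str, ethertype: int, payload: bytes) -> bytes:
    """Build a record in the layout the mail describes (constructed data)."""
    return (ipaddress.IPv4Address(interface).packed
            + b"\x00\x00" + struct.pack("!H", ethertype) + bytes(36) + payload)


def make_fw1_record(interface_name: str, rest: bytes = b"") -> bytes:
    """Two bytes precede the NUL-terminated name; their meaning is not
    covered by the mail and is left uninterpreted (constructed data)."""
    return b"\x00\x00" + interface_name.encode("ascii") + b"\x00" + rest


# Constructed sample: a 20-byte IPv4 header, 10.0.0.1 -> 10.0.0.2, protocol TCP.
SAMPLE_IP_HDR = bytes.fromhex("4500001400010000400600000a0000010a000002")
SAMPLE_SYMANTEC = make_symantec_record("192.0.2.1", 0x0800, SAMPLE_IP_HDR)
NOKIA_NAMES = ("eth-s1p1c0", "eth-s2p1c0")


if __name__ == "__main__":
    rec = parse_symantec_header(SAMPLE_SYMANTEC)
    print(f"seen on {rec['interface']}, ethertype 0x{rec['ethertype']:04x}, "
          f"padding ok: {rec['padding_ok']}, {len(rec['payload'])} payload bytes")
    for bufsize in (6, 16):   # 6 = the patched limit, 16 = a full-size buffer
        names = [fw1_interface_name(make_fw1_record(n), bufsize) for n in NOKIA_NAMES]
        print(f"bufsize {bufsize}: {names}")
```

Running it shows the Symantec record resolving to the capturing interface with the padding intact, and the two Nokia interface names collapsing to `eth-s` with a 6-byte buffer while a larger buffer keeps them apart; the `padding_ok` flag is the check the dissector comment should have before the layout is stated as fact.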