Ethereal-dev: Re: [Ethereal-dev] ERTSP: Ethereal's RemoTe Sniffing Protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 16 Feb 2005 20:14:12 +1100
To be successful   a remote capture protocol have to be
1, well defined/documented
2, secure
3, supported by BOTH winpcap and libpcap community

while i am certain that rpcap from winpcap provides 1 and actually
works as far as i can tell reasonably well in a trusted private
network,
i seem to recall pushback from libpcap folks about the protocol/implementation
since it at that time lacked any sort of security/authentication whatsoever.


i think the best solution would be if winpcap people could talk to
libpcap people and implement the requirements for a solution that is
acceptable to both camps,   in order
to provide a solution that works for both winpcap and libpcap.


some sort of authentication MUST be implemented, it is not feasible to
use a protocol that allows any random person to start and produce
remote captures without any control watsoever.

maybe some sort of simple CHAP protocol would be sufficient?
Please talk to the libpcap people and discuss what changes are
required to winpcap so that it becomes a useable solution to both
camps.


accesscontrol based on the ip address of the client trying to connect
to what is essential a remote root-style daemon  does not work and
will NEVER be installed on any box i manage or maintain. proper
authentication is a MUST.



On Mon, 14 Feb 2005 17:46:16 +0100, Gianluca Varenni <varenni@xxxxxxxxx> wrote:
> Hi.
> 
> What about the remote capture features of WinPcap? WinPcap is able to
> capture from remote machines, and the code for the remote capture runs on
> windows and Linux (I'm not sure about BSD).
> 
> More details can be found here
> 
> http://winpcap.polito.it/docs/man/html/group__remote__help.html
> 
> Have a nice day
> GV
> 
> 
> ----- Original Message -----
> From: "John McDermott" <jjm@xxxxxxxxxx>
> To: "LEGO" <luis.ontanon@xxxxxxxxx>
> Cc: <jjm@xxxxxxxxxx>; "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
> Sent: Monday, February 14, 2005 5:25 PM
> Subject: Re: [Ethereal-dev] ERTSP: Ethereal's RemoTe Sniffing Protocol
> 
> >
> >>> > The Idea is a protocol to have sniffing clients and a sniffing servers
> >>> > communicate. Part like RTSP, and part like RTP+RTCP with
> >>> > retransmissions.
> >>> This sounds really cool and well thought out.  Maybe I'm missing
> >>> something, though.  What about RMON? Yes, it has another filtering
> >>> language and yes, it is not "real time" in the sense that Ethereal is,
> >>> but
> >>> mightn't it be an appropriate solution?  Then, Ethereal could
> >>> inter-operate with existing probes and so forth.
> >>
> >> The point is to be able to use display filters on the remote probe
> >> before packets are transmitted.
> >
> > Well, RMON does that, but it uses its own filtering language, and if we
> > want true Ethereal display filters, then, of course RMON is out (unless we
> > were to create a private filter MIB, I suppose...).  I just thought
> > interoperability might be useful.  I'm not convinced RMON is better than
> > your proposal, BTW, I just wanted to offer the thought.
> >
> > We discussed this in 1999/2000 so you might want to check the archives for
> > that discussion, too.
> >
> > --john
> >
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> >
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>