Ethereal-users: RE: [Ethereal-users] yet another filter question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Broggy, David" <David.Broggy@xxxxxx>
Date: Thu, 24 Jan 2002 15:31:21 -0600
Title: RE: [Ethereal-users] yet another filter question

You're amazing, Guy. So let me share with you all what I was working on.
We had a misconfigured pc with the wrong ipx network number(should be network 101, not b0b0b0b0).
I turned on an ipx-capable network printer and observed how it learns it's ipx number.
It sends out an "IPX SAP Nearest Query" (offset 44, hex 0x0003) and expects back an
"IPX SAP Nearest Response" (offset 44, hex 0x0004). Thus by sniffing for b0b0b0b0 and 0004 I can
trap misconfigured pc's. Of course, since the traffic is directed and not a broadcast, I would have
to monitor by vlan on our closet switches.


For quick sniffs like this, I'll take Ethereal over Network General any day.
Tx. again and keep the good tips coming.

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Thursday, January 24, 2002 1:49 PM
To: Guy Harris
Cc: Broggy, David; 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] yet another filter question


> > For example, take the following code:
> >
> > 0000  ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff   .......@h.=&.`..
> > 0010  00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52   .`.............R
> > 0020  b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63   .....@h.=&.R...c
> > 0030  45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00   ESI1785126......
> > 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> > 0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> > 0060  00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01         .....@h.=&@...

By the way, that looks like an 802.3 packet with:

        destination address ff:ff:ff:ff:ff:ff (broadcast)
        source address 00:40:68:1b:3d:26
        packet length hex 0060 (96)

with a payload beginning with 0xffff, i.e. a NetWare Ethernet_802.3 IPX
packet.  In fact, after text2pcapifying it, it's a Service Advertisement
Protocol packet, and the b0b0b0b0 at an offset of 20 is the destination
network field in the IPX header.

However, libpcap doesn't know enough IPX to let you check for that
conveniently.

You might, however, want to try the filter

        ipx and link[26:4] = 0xb0b0b0b0

just to make sure it doesn't check non-IPX packets, if what you *really*
want is to capture IPX packets sent to b0b0b0b0 as the destination
network.


This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. 


Sanitizer (start="1011908123"):
  Part (pos="1553"):
    SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
      Match (rule="2"):
        Enforced policy: accept

  Part (pos="3892"):
    SanitizeFile (filename="unnamed.html", mimetype="text/html"):
      Match (rule="default"):
        Enforced policy: accept

    Rewrote HTML tag: >>_META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"_<<
                  as: >>_MANGLED_ON_PURPOSE_META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"_<<
    Rewrote HTML tag: >>_META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12"_<<
                  as: >>_MANGLED_ON_PURPOSE_META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12"_<<
    Total modifications so far: 2

Anomy 0.0.0 : Sanitizer.pm $Id: Sanitizer.pm,v 1.32 2001/10/11 19:27:15 bre Exp $