Ethereal-users: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Mon, 04 Nov 2002 05:30:13 -0500
Guy,

thanks a lot for the feedback. 

For this test I am only using Ethereal to load capture files from a third party analyser. When I start Ethereal it allways comes up showing the columns No.; Time; Source Addr.; Dest Addr.; etc.. I have found the option to delete and add columns but that didn't change the way that Ethereal decoded my packets. Where would I configure Ethereal for example to look for a PPP-header etc. instead of the MAC SA/DA at the beginning of the packet as it does in default. 

Attached are one POS capture in ASCII (tcp_cap.txt) and libpcap (tcp_cap.eth) format. The IP source address is 1.1.1.1 and the IP destination address is 2.2.2.2.

I do not have a POS or ATM interface in my PC, so could that be the problem?

Thanks a lot

Regards

Martin


Guy Harris <gharris@xxxxxxxxx> wrote:

>On Wed, Oct 30, 2002 at 04:29:33AM -0500, mrmartin1903@xxxxxxxxxxxx wrote:
>> using Ethereal to load libcap captures I did not find a way to tell my
>> Ethereal Installation on W2k to properly show POS or ATM capture files,
>> since Ethereal always starts with MAC source/destination address.
>
>What do you mean "Ethereal always starts with MAC source/destination
>address"?
>
>Ethereal does *not* assume that packets always start with MAC source and
>destination addresses - it doesn't even assume that on LANs, given that
>on FDDI, Token Ring, and 802.11, there's some frame control stuff in the
>packet before the destination and source addresses.
>
>If your POS is just running PPP over SONET, then a libpcap POS capture
>would have either DLT_PPP or perhaps DLT_PPP_BSDOS as the link-layer
>type; Ethereal does *not* assume that PPP packets being with a MAC
>source or destination address.
>
>There are a variety of *different* libpcap ATM capture file formats,
>which Ethereal can read and can capture.  WinPcap can, in theory,
>capture ATM packets, and currently uses the DLT_ATM_RFC1483 format (in
>which the packet starts with an 802.2 LLC header) for them.  However,
>ATM captures have never been tested with WinPcap - the WinPcap FAQ at
>
>    http://winpcap.polito.it/misc/faq.htm
>
>says:
>
>    Q-17: Which network adapters are supported?
>
>    A: The NPF device driver was developed to work primarily with
>    Ethernet adapters.  Support for other MACs was added during the
>    development, but Ethernet remains the preferred one.  The main
>    reason is that all our development stations have Ethernet
>    adapters so all our tests were made on this type of network.
>    However, the current situation is: 
>
>       o Windows 95/98/ME: the packet driver works correctly on
>         Ethernet networks.  It works also on PPP WAN links, but
>         with some limitations (for example it is not able to
>         capture the LCP and NCP packets).  FDDI, ARCNET, ATM and
>         Token Ring should be supported, however we did not test
>         them because we do not have the hardware, so do not expect
>         them to work perfectly. 
>       o Windows NT4/2000: the packet driver works correctly
>         on Ethernet networks.  We were not able to make it working
>         on PPP WAN links, because of binding problems on the
>         NDISWAN adapter.  As in Win9x, FDDI, ARCNET, ATM and Token
>         Ring should be supported, but are not granted to work
>         perfectly.
>
>        ...
>
>I suspect FDDI and Token Ring will Just Work, as they're relatively
>straightforward and have a standard frame format.
>
>ATM, however, is another matter; the ATM code could just supply, for
>example, raw AAL5 PDUs, or could supply a "pseudo-header" giving
>information such as the VPI and VCI for the PDUs.  Network Monitor
>appears to have as the link-layer header for ATM captures, a 6-byte
>"Destination address", a 6-byte "Source address", a 2-byte VPI, and a
>2-byte VCI, and no information as to the type of traffic
>(LLC-multiplexed, VC-multiplexed traffic of a particular type, LANE,
>etc.).
>
>> On the web I have seen that at least Linux would in theorie support
>> Ethernet, ATM and PPP.  Has anybody tried this with POS or ATM captures
>> on W2K or any other OS?
>
>It works fine on Solaris with ATM.  I haven't tried ATM on other
>platforms.
>
>As for POS, if it just runs PPP over SONET, it should work on any OS
>where you can capture PPP traffic.
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users
>

__________________________________________________________________
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp 

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

Attachment: tcp_cap.zip
Description: tcp_cap.zip