Ethereal-users: Re: [Ethereal-users] IP Multicast/UDP Data Packet Analysis Problem
Crescioli, Phil said:
> However I am having problems analyzing the data I captured on the third
> network.
> When I started a capture Ethereal's popup screen said it was capturing UDP
> Packets, as it did before. But when I went to look at the Protocol
> Field in the Ethereal GUI it said the protocol was RX.
RX - the low-level RPC protocol (not to be confused with ONC RPC or DCE
RPC) atop which the Andrew File System protocol runs - runs atop UDP, so
RX packets *ARE* UDP packets.
The Protocol column in the GUI shows the highest-level protocol for the
packet.
Are you running the Andrew File System on the machines to and from which
the RX traffic is going? If not, this is probably just UDP traffic of
some sort that happens to be going to or from a port in the range
7000-7009 (the standard port range for RX) or to or from port 7021 (some
AFS backup protocol port).
> So I investigated the VME system that is sending the UDP data and have
> learned that it is using the following protocols to send UDP data.
> Network Layer: IP/IGMP/ICMP and transport Layer: UDP. It did not
> mention RX.
Then it's probably not RX traffic.
> I also think the data is being sent via IP Multicast.
If so, then it's almost certainly not RX traffic, as that's unicast.
> When I started the data capture I just let Ethereal capture everything.
> But all I captured was UDP->RX ACK Packets.
All you captured was probably UDP packets to or from a port in the
7000-7009 range or to or from port 7021, which Ethereal interpreted as RX
packets.
> Where is the Data?
Nowhere - this is probably not RX traffic.
Try selecting "Enabled Protocols" from the "Analyze" menu, and turn off
the RX protocol. Click "Save" and then "OK" - that'll disable RX *and*
store that setting in a file so that the next time you run Ethereal on
that machine RX will be disabled.
> To confuse things for me a little further, I went and took the captured
> data and opened it in a more recent Version of Ethereal on Win2000
> (Ethereal Version 0.10.6 with the correct Winpcap Version for it as
> specified on ethereal.com).
> Welp, the Protocol field in the Ethereal GUI now listed all the packets
> as either MTP3MG and in some data sets I captured Ethereal listed them
> as SCCP.
And are those packets also UDP packets?
> This definitely is not correct. Maybe this is due to the fact that I
> captured the data on Linux with Libpcap and the Winpcap version is
> incompatible?
No. Packets is packets - it doesn't matter what OS you captured them on.
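
Added example, not part of the original message and not Ethereal's own dissector code: a sketch of the port-based labelling the reply describes, which tags UDP traffic on ports 7000-7009 or 7021 as RX and then applies the reply's sanity check that RX is unicast. The function names, return strings and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Ports named in the reply: 7000-7009 (standard RX range) and 7021 (AFS backup).
RX_PORTS = set(range(7000, 7010)) | {7021}


def parse_ipv4_udp(packet: bytes):
    """Return (src, dst, sport, dport) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None                            # bad header, not UDP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                            # later fragment: no UDP header here
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport


def classify(packet: bytes) -> str:
    """Hypothetical helper: label a packet by port, then sanity-check the label."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return "not-ipv4-udp"
    _src, dst, sport, dport = parsed
    if sport not in RX_PORTS and dport not in RX_PORTS:
        return "udp"
    if dst.is_multicast:                       # RX is unicast, per the reply
        return "udp (RX label implausible: multicast destination)"
    return "rx-by-port (confirm AFS is in use on these hosts)"


def build_packet(src, dst, sport, dport, payload=b""):
    """Constructed sample input: minimal IPv4+UDP headers, checksums left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    # Constructed samples: multicast data on an RX port, and unicast on 7021.
    print(classify(build_packet("10.0.0.5", "239.1.2.3", 40000, 7001, b"x" * 16)))
    print(classify(build_packet("10.0.0.5", "10.0.0.9", 7021, 40000)))
```

A port match alone says nothing about the payload, which is why the unicast case still asks for confirmation that AFS is actually running on the hosts involved.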