Ethereal-users: Re: [Ethereal-users] EtherPeek equivalents in Ethereal (name table and offset fi

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 22 Oct 2004 11:13:30 -0700
Phillip Jordan wrote:

Name Resolution - In EtherPeek, you can define a name table (file with .nam extension). This allows for source/destination addresses in captures to be viewed as recognizable names (as opposed to numerical values). In Ethereal I would think the equivalent is Name Resolution, but I don't understand how this feature works. When selecting menu option View - Name Resolution - Resolve Name, where does Ethereal get the names?

For MAC addresses, they come from "/etc/ethers" on UN*X and the "ethers" file in the directory in which Ethereal was installed on Windows, or from $HOME/.ethereal/ethers on UN*X or the "ethers" file in the Ethereal subdirectory of your "application data" directory on Windows.

Can I add names to wherever it is looking?

Yes, but you currently have to do it by editing the file. See the "/etc/ethers" file or the one in the installation directory for an example of the format of the lines.

Offset Filtering - In EtherPeek, you can define a filter based on an offset anywhere within the packet. Looking at Ethereal, it seems as though filtering is accomplished based on the protocols available in the Filter Expression window (Analyze - Display Filters - Expression... button). I see LLC listed, but I would like to filter based on bytes further within the payload (I guess at the application layer), for example only filter packets where offset 51 is equal to 24H. How can I do this?

If by "offset 51" you mean the offset from the beginning of the packet, you can do it with

	frame[51:1] == 24

With the "Add Expression" dialog, you can click on "Frame" in the "Field name" list, click on "==" in the Relation list, put "51:1" in the "Range" box (i.e., an offset of 51 and a length of 1), and put 24 in the "Value" list. If the length is greater than 1, the value is a list of hexadecimal byte values, e.g.

	frame[51:2] == 24:17

would compare the 2 bytes starting at byte 51 with hex 24 and hex 17, respectively.

You can use protocol names other than "frame", in which case the offset is relative to the beginning of the protocol in question's header, and you can also use some field names, in which case the offset is relative to the beginning of the field.
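The two mechanisms discussed in this reply, an "ethers"-style name table and a byte-offset filter of the form `frame[offset:length] == hex-bytes`, are easy to model outside Ethereal to see exactly what they compare. The following is an added example, not code from the thread or from the Ethereal project: it parses a constructed name table in the `<mac> <name>` line format, evaluates a constructed `frame[51:2] == 24:17`-style expression against constructed Ethernet frames, and reports the resolved source name of each matching frame. The sample table, the sample frames and the decision that a slice running past the end of a frame simply does not match are all assumptions of this example; only the `frame[...] == ...` form is supported, not the wider display-filter language.

```python
import re

# Constructed sample name table in the "/etc/ethers" line format
# (one "<mac> <name>" pair per line; '#' begins a comment). Not a real file.
ETHERS_TEXT = """\
# constructed example name table
00:11:22:33:44:55 fileserver
66:77:88:99:aa:bb  workstation-7
"""


def parse_ethers(text):
    """Return {mac: name} from ethers-style text; MACs are normalised to lowercase."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of aborting the whole table
        mac, name = parts
        table[mac.lower()] = name
    return table


def resolve_mac(table, mac_bytes):
    """Resolve six raw address bytes to a name, or return the MAC itself if unknown."""
    mac = ":".join(f"{b:02x}" for b in mac_bytes)
    return table.get(mac, mac)


# Only the byte-slice form discussed in the reply: frame[OFFSET:LENGTH] == HH[:HH...]
FILTER_RE = re.compile(
    r"^frame\[(\d+):(\d+)\]\s*==\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$"
)


def parse_offset_filter(expr):
    """Return (offset, expected_bytes); the hex value must be exactly LENGTH bytes."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    offset, length = int(m.group(1)), int(m.group(2))
    expected = bytes.fromhex(m.group(3).replace(":", ""))
    if len(expected) != length:
        raise ValueError("value byte count does not match the slice length")
    return offset, expected


def frame_matches(frame, offset, expected):
    """Raw byte comparison at the given offset from the start of the frame.
    A slice that runs past the end of the frame is treated as a non-match
    (an assumption of this example)."""
    if offset + len(expected) > len(frame):
        return False
    return frame[offset:offset + len(expected)] == expected


def apply_filter(frames, expr, table):
    """Return the resolved source name of every frame the expression matches."""
    offset, expected = parse_offset_filter(expr)
    return [
        resolve_mac(table, frame[6:12])  # Ethernet source MAC occupies bytes 6..11
        for frame in frames
        if frame_matches(frame, offset, expected)
    ]


def build_frame(src_mac, byte_51, byte_52):
    """Construct a minimal 60-byte broadcast Ethernet frame with two chosen payload bytes."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(src_mac.replace(":", ""))
    ethertype = b"\x08\x00"
    body = bytearray(46)          # zero-filled payload; 14-byte header + 46 = 60 bytes
    body[51 - 14] = byte_51       # frame offset 51 lands at payload offset 37
    body[52 - 14] = byte_52
    return dst + src + ethertype + bytes(body)


# Constructed frames: only the first carries 0x24 0x17 at offsets 51 and 52.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", 0x24, 0x17),
    build_frame("66:77:88:99:aa:bb", 0x24, 0x00),
    build_frame("de:ad:be:ef:00:01", 0x00, 0x17),
]

if __name__ == "__main__":
    names = parse_ethers(ETHERS_TEXT)
    for expr in ("frame[51:1] == 24", "frame[51:2] == 24:17"):
        print(expr, "->", apply_filter(SAMPLE_FRAMES, expr, names))
```

The right-hand side is a hex byte list, as the reply states, so `24` here means 0x24 and the comparison is on raw bytes rather than on any decoded field; a frame shorter than the slice is skipped rather than raising, which is the safer behaviour when evaluating a filter over a large mixed capture.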