Ethereal-users: RE: [Ethereal-users] New to capturing, ? about capturing from specific IP
Hello,
I tried the procedure given in the reply to John Vo. It didn't work for me.
The IP I attempted capturing from is a printer with an HP JetDirect NIC.
I've also attempted to capture from a workstation with the same result.
I'm running Ethereal 0.10.5 (C) in a Windows 2000 environment. Workstations
are running either Win2K or WinXP. Servers are running Win2K and WinNT 4.0.
All machines are up-to-date on patches and service packs. I got the error
message shown in the attachments. The .DOC is in Word 2000 format.
Addresses I have attempted capturing from are: 164.106.71.2 (printer),
164.106.70.221 (workstation)
Can someone please help me? I really need to watch a few specific IPs
because of suspected hacking attempts.
Thanks for your help. I've learned a lot from these exchanges.
Regards,
Richard Hall
Computer Networking Technician Senior
Germanna Community College
2130 Germanna Highway
Locust Grove, VA 22508
540-727-3126
rhall@xxxxxxxxxxxx
"The purpose of computing is insight, not numbers."
Richard W. Hamming (1915-1998)
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx]On Behalf Of Jonathan
Sanders
Sent: Friday, December 10, 2004 3:08 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] New to capturing, ? about http
authorizations
Can't you throw in a -e for link level info? And you're right about the
-s 0, I just throw 1500 down there out of an old bad habit and haven't
changed to -s 0 yet. :) Thanks for the reminder. I really need to get
with the times here...
Guy Harris wrote:
> Jonathan Sanders wrote:
>
>> I do a
>>
>> tcpdump -nt -X -s1500 'filter expression here'
>>
>> for whenever I need to get the actual packet data from tcpdump....
>
>
> Presumably by "actual packet data" you mean "full packet dissection" -
> if you mean "raw packet data", in a form Ethereal can use, you'd also
> use "-w (unknown)" for a file that can be read by programs that can
> read libpcap files (tcpdump/WinDump, Ethereal/Tethereal, and a number of
> other programs that do various sorts of network analysis).
>
> Note also that if you want to capture a full Ethernet packet, the
> argument to "-s" needs to be 1514 or greater or, in newer versions of
> tcpdump, 0 (which, in newer versions, means "65535", which is the
> largest snapshot length that some systems support). The argument to
> "-s" is the largest packet length *including the link-layer header*, not
> the largest *payload* length - i.e., if you want all packets to be
> captured in full, it should *not* be the MTU for the network.
>
> (Note also that the "link-layer header" might include various bits of
> "metadata", such as VPI/VCI and possibly packet type information for ATM
> and radio information such as signal strength for some 802.11 link-layer
> header types.)
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
Attachment:
Ethereal Capture Error.doc
Description: MS-Word document
Attachment:
Ethereal Capture Error.rtf
Description: MS-Word document
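The snaplen point Guy Harris makes above (the `-s` argument covers the link-layer header, so 1500 silently truncates full-size Ethernet frames, while 1514 or `-s 0` does not) is easy to verify after the fact from the capture file itself. The following is an added example, not code from the thread or from the Ethereal/tcpdump projects: it constructs a small libpcap file in memory with two Ethernet frames (one full-MTU, one minimum size), records them the way libpcap would for a given snaplen, then reads the file back and counts records whose captured length is shorter than their on-the-wire length. It also assembles the tcpdump command line for the original question, capturing everything to or from one host with full packets written to a pcap that Ethereal can open. The printer address 164.106.71.2 comes from the post; the interface name `eth0`, the output filename and the frame contents are assumptions.

```python
"""Detect a too-small -s snaplen from a libpcap file's own headers.

Added example, not from the mailing-list thread. The pcap bytes are
constructed inline so the script runs offline; the interface name and
output filename in tcpdump_cmdline() are assumptions.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # native-order magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14              # dst(6) + src(6) + ethertype(2), no VLAN tag assumed


def pcap_global_header(snaplen, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, snaplen, ts_sec=0, ts_usec=0):
    """Emulate what libpcap writes: caplen is clamped to snaplen, orig_len is the wire length."""
    captured = frame[:snaplen]
    hdr = struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
    return hdr + captured


def build_frame(payload_len):
    """Constructed Ethernet frame: dummy MACs, IPv4 ethertype, zero-filled payload."""
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x00" * payload_len


def analyse_pcap(data):
    """Return (snaplen, total_packets, truncated_packets) for a native-order pcap blob."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, _lt = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order libpcap file")
    off = 24
    total = truncated = 0
    while off + 16 <= len(data):
        _s, _us, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16 + caplen
        total += 1
        if caplen < origlen:          # the record was cut short by the snaplen
            truncated += 1
    return snaplen, total, truncated


def tcpdump_cmdline(host, outfile, iface="eth0"):
    """Capture all traffic to or from one IP with full packets, saved as pcap.

    -s 0 means the largest snaplen the system supports in newer tcpdump;
    -w writes libpcap format that Ethereal/Tethereal and WinDump can read.
    The interface name is an assumption, not something from the thread.
    """
    return ["tcpdump", "-i", iface, "-n", "-s", "0", "-w", outfile, "host", host]


def demo(snaplen):
    """Capture a 1514-byte full-MTU frame and a 60-byte minimum frame at the given snaplen."""
    frames = [build_frame(1500), build_frame(46)]
    data = pcap_global_header(snaplen) + b"".join(pcap_record(f, snaplen) for f in frames)
    return analyse_pcap(data)


if __name__ == "__main__":
    for s in (1500, 1514, 65535):
        snap, total, trunc = demo(s)
        print(f"-s {s}: snaplen={snap} packets={total} truncated={trunc}")
    print(" ".join(tcpdump_cmdline("164.106.71.2", "printer.pcap")))
```

With `-s 1500` the full-MTU frame is recorded with caplen 1500 against an original length of 1514, so the 14-byte Ethernet header pushes it over the limit and the tail of the IP payload is lost; with `-s 1514` or `-s 0` nothing is truncated. On a real file the same `analyse_pcap` logic, pointed at the bytes of a `-w` capture, tells you whether the capture you are about to analyse is complete before you spend time on it.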