Ethereal-users: Re: [Ethereal-users] New to capturing, ?about capturing from specific IP
Try a capture filter of "ip host 164.106.71.2 and ip host 164.106.70.221"
Richard Hall wrote:
Hello,
I tried the procedure given in the reply to John Vo. It didn't work for me.
The IP I attempted capturing from is a printer with an HP JetDirect NIC.
I've also attempted to capture from a workstation with the same result.
I'm running Ethereal 0.10.5 (C) in a Windows 2000 environment. Workstations
are running either Win2K or WinXP. Servers are running Win2K and WinNT 4.0.
All machines are up-to-date on patches and service packs. I got the error
message shown in the attachments. The .DOC is in Word 2000 format.
Addresses I have attempted capturing from are: 164.106.71.2 (printer)
164.106.70.221 (workstation)
Can someone please help me? I really need to watch a few specific IPs
because of suspected hacking attempts.
Thanks for your help. I've learned a lot from these exchanges.
Regards,
Richard Hall
Computer Networking Technician Senior
Germanna Community College
2130 Germanna Highway
Locust Grove, VA 22508
540-727-3126
rhall@xxxxxxxxxxxx
"The purpose of computing is insight, not numbers."
Richard W. Hamming (1915-1998)
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jonathan Sanders
Sent: Friday, December 10, 2004 3:08 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] New to capturing, ? about http authorizations
Can't you throw in a -e for link level info? And you're right about the
-s 0, I just throw 1500 down there out of an old bad habit and haven't
changed to -s 0 yet. :) Thanks for the reminder. I really need to get
with the times here...
Guy Harris wrote:
Jonathan Sanders wrote:
I do a
tcpdump -nt -X -s1500 'filter expression here'
for whenever I need to get the actual packet data from tcpdump....
Presumably by "actual packet data" you mean "full packet dissection" -
if you mean "raw packet data", in a form Ethereal can use, you'd also
use "-w (unknown)" for a file that can be read by programs that can
read libpcap files (tcpdump/WinDump, Ethereal/Tethereal, and a number of
other programs that do various sorts of network analysis).
Note also that if you want to capture a full Ethernet packet, the
argument to "-s" needs to be 1514 or greater or, in newer versions of
tcpdump, 0 (which, in newer versions, means "65535", which is the
largest snapshot length that some systems support). The argument to
"-s" is the largest packet length *including the link-layer header*, not
the largest *payload* length - i.e., if you want all packets to be
captured in full, it should *not* be the MTU for the network.
(Note also that the "link-layer header" might include various bits of
"metadata", such as VPI/VCI and possibly packet type information for ATM
and radio information such as signal strength for some 802.11 link-layer
header types.)
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
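The capture filter suggested in the reply and the snaplen point made in Guy Harris's message, as an added example that is not part of this thread and is not Ethereal or tcpdump code: a small Python script that builds constructed Ethernet/IPv4 frames between the two addresses from the post, applies the same selection as `ip host 164.106.71.2 and ip host 164.106.70.221`, writes the survivors to an in-memory pcap truncated at a chosen snaplen (with `0` treated as 65535, as the message describes for newer tcpdump), and reads back captured length against original length. The MAC addresses, the payload bytes, the 1480-byte payload size and the third "unrelated" host are made up for the demonstration, and no IP checksums are computed.

```python
import struct
import ipaddress

ETH_HLEN = 14            # Ethernet II header: dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = b"\x08\x00"
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, payload_len):
    """Constructed Ethernet/IPv4 frame: dummy MACs, zero payload, no checksums
    (enough for header parsing, not for a real network stack)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip_total_len = 20 + payload_len
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total_len,   # version 4 / IHL 5, DSCP, total length
        0, 0,                    # identification, flags + fragment offset
        64, 17, 0,               # TTL, protocol (UDP), header checksum left unset
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip_hdr + bytes(payload_len)


def effective_snaplen(s):
    """As in the thread: with newer tcpdump, '-s 0' means 65535."""
    return 65535 if s == 0 else s


def write_pcap(frames, snaplen):
    """Serialise frames to pcap bytes, truncating each one at snaplen like -s does.
    Note the whole frame, link-layer header included, counts against snaplen."""
    snaplen = effective_snaplen(snaplen)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # per-record header: ts_sec, ts_usec, incl_len (caplen), orig_len
        out += struct.pack("<IIII", i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Return [(caplen, origlen, captured_bytes), ...] from pcap bytes."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        _sec, _usec, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return records


def ip_host_pair_filter(frame, host_a, host_b):
    """Same selection as the capture filter 'ip host A and ip host B': IPv4 packets
    whose source and destination are exactly that pair, in either direction."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return False
    src = str(ipaddress.IPv4Address(frame[ETH_HLEN + 12:ETH_HLEN + 16]))
    dst = str(ipaddress.IPv4Address(frame[ETH_HLEN + 16:ETH_HLEN + 20]))
    return (src, dst) in {(host_a, host_b), (host_b, host_a)}


def truncated(records):
    """Records whose caplen < origlen, i.e. bytes lost to a too-small snaplen."""
    return [(caplen, origlen) for caplen, origlen, _ in records if caplen < origlen]


def demo(snaplen):
    """Keep only traffic between the two hosts from the post, 'capture' it at the
    given snaplen, and report (caplen, origlen) for each packet kept."""
    frames = [
        build_frame("164.106.70.221", "164.106.71.2", 1480),  # 1500-byte IP packet = 1514-byte frame
        build_frame("164.106.71.2", "164.106.70.221", 100),   # small reply, 134-byte frame
        build_frame("164.106.70.5", "164.106.71.2", 100),     # unrelated host, must be dropped
    ]
    kept = [f for f in frames if ip_host_pair_filter(f, "164.106.71.2", "164.106.70.221")]
    records = read_pcap(write_pcap(kept, snaplen))
    return [(caplen, origlen) for caplen, origlen, _ in records]


if __name__ == "__main__":
    for s in (1500, 1514, 0):
        print(f"-s {s}:", demo(s))
```

With `-s 1500` the full-size frame comes back 14 bytes short (caplen 1500, original length 1514), which is exactly the Ethernet header that the MTU does not account for; `-s 1514` and `-s 0` return it whole. Comparing caplen with the original length in a pcap is also the quickest way to tell after the fact whether a capture you were handed was taken with too small a snaplen.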