Ethereal-users: Re: [Ethereal-users] Feature for NAT Capture Filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 30 Apr 2005 15:42:22 -0700
Al Stu wrote:
"What do you mean by "request from the NAT"?  If you're sniffing on the
WAN side of the NAT, do you mean "packet from a host behind the NAT"?"

Yes, but obviously the packets would appear to be coming from the NAT, as they would have the NAT's WAN address as the source.

Which means that "request from the NAT" really means "any packet the NAT is sending out".

So the filter is presumably something such as "record the protocol type (TCP/UDP) and ports of outgoing packets, and save incoming packets that aren't directed to those ports".

That sounds a bit like the sort of thing an intrusion detection system might check for. Perhaps running an IDS such as Snort or Prelude would handle this; I think Snort can log to a libpcap-format file, and Prelude might be able to do so as well.

Yes, realize it would have to be an unconventional capture filter. Would it be possible for it to be implemented in WinPcap?

WinPcap is

1) a low-level driver that provides a packet capture mechanism, as Windows, unlike many UN*Xes, doesn't provide one;

	2) a port of libpcap to use that mechanism.

The packet capture mechanism uses the same BPF filter engine that is used on the capture mechanism in various BSDs, which is stateless. To implement such a capture mechanism in WinPcap would require adding more capabilities to that mechanism.