Ethereal-users: [Ethereal-users] Re:Ethereal-users Digest, Vol 31, Issue 20

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Richard St John" <Richard.StJohn@xxxxxxx>
Date: Sat, 19 Nov 2005 12:00:51 -0600
My mail box has received a message from you.

I will be out of the office on vacation from November 19, 2005 through November 27, 2005. I will check E-mail occasionally but will not be in a position to check it routinely.

If this is an emergency, please feel free to contact me via my cell phone.

Thanks for your understanding

Richard S. St. John
Graybar Electric Company
Sr. Network Security Specialist
Phone: 314.573.5907
Cell Phone: 636.448.5366
E-Mail: richard.stjohn@xxxxxxx
PGP Key ID: 0xC52419E2

>>> ethereal-users 11/19/05 12:00 >>>

Send Ethereal-users mailing list submissions to
	ethereal-users@xxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.ethereal.com/mailman/listinfo/ethereal-users
or, via email, send a message with subject or body 'help' to
	ethereal-users-request@xxxxxxxxxxxx

You can reach the person managing the list at
	ethereal-users-owner@xxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Ethereal-users digest..."


Today's Topics:

   1. Capture filter - show only specific http get requests?
      (Jeff Davis)
   2. Decode G.729a (Eric Jaakkola)
   3. Using ethereal on windows to monitor network traffic
      (Lamont McGee)
   4. Re: Control many ethereal PC's? (Ulf Lamping)
   5. Re: don't know the result of Protocol Hierarchy Statistics
      (Ulf Lamping)
   6. Re: Capture filter - show only specific http get requests?
      (Ulf Lamping)
   7. Re: ASCII Dump? (Guy Harris)
   8. Re: Capture filter - show only specific http get requests?
      (Guy Harris)
   9. RE: Help automating Historical network capture-rollover
      (Cory Perry (SNL:434-951-7463))
  10. RE: Control many ethereal PC's? (Eric Jaakkola)
  11. RE: Help automating Historical networkcapture-rollover
      (Eric Jaakkola)
  12. RE: Help automating Historical network capture-rollover
      (Hansang Bae)
  13. RE: ss7 monitoring query (Jacques, Olivier (OCBU-Test Infra))


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Nov 2005 10:37:50 -0800
From: Jeff Davis <jdavis@xxxxxxxxxxxxxxxxxx>
Subject: [Ethereal-users] Capture filter - show only specific http get
	requests?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E1F7E.5070308@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Still trying to chase down virus-infected host(s)...

Need to filter out specific http get requests for specific file names.  
Or should this be done in a display filter...

Thanks

-- 
Jefferson K. Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661-392-2110 ext 120




------------------------------

Message: 2
Date: Fri, 18 Nov 2005 10:33:30 -0600
From: "Eric Jaakkola" <eriq@xxxxxxxxxxxxxxx>
Subject: [Ethereal-users] Decode G.729a
To: "'Ethereal user support'" <ethereal-users@xxxxxxxxxxxx>
Message-ID: <002401c5ec5d$cfa94da0$64dca8c0@mila>
Content-Type: text/plain;	charset="us-ascii"

I know this has been asked before but does anyone have any experimental
plug-in for Ethereal that would allow it to save rtp captures in G729a
format?

I have the g729 codec that comes with unity unified messaging for the
client computers, but ethereal won't even save the wav file in g729
format.

Or does anyone have any tools they've developed to do something similar?
Thanks,
Eric




------------------------------

Message: 3
Date: Fri, 18 Nov 2005 13:11:08 -0500
From: "Lamont McGee" <Lamont.McGee@xxxxxxxxxxx>
Subject: [Ethereal-users] Using ethereal on windows to monitor network
	traffic
To: <ethereal-users@xxxxxxxxxxxx>
Message-ID:
	<DA4851544293A042BF0FF28BB14D6D092F98E5@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Skipped content of type multipart/alternative

------------------------------

Message: 4
Date: Fri, 18 Nov 2005 20:24:09 +0100
From: Ulf Lamping <ulf.lamping@xxxxxx>
Subject: Re: [Ethereal-users] Control many ethereal PC's?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E2A59.8050608@xxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Karalis, Ilias wrote:

> I have many different PC's that capture different subnets. When I want 
> to make a trace for a VoIP call I use at the time being 2-3 different 
> ethereal PC's.
>
> This is very difficult if it has to be done very often.
> Do you know if there is a solution to that problem?
> I could imagine a kind of control-master PC where the client ethereal 
> stations are controlled and tracers are then delivered to this master PC.
>
That's a feature commonly known as remote capturing.

Currently, Ethereal is not well prepared to do such a job.

Although this is widely accepted to be a useful feature, please don't 
expect any improvements on this topic soon...

Regards, ULFL



------------------------------

Message: 5
Date: Fri, 18 Nov 2005 20:28:06 +0100
From: Ulf Lamping <ulf.lamping@xxxxxx>
Subject: Re: [Ethereal-users] don't know the result of Protocol
	Hierarchy	Statistics
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E2B46.7@xxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ngo Giang wrote:

> Hello every one,
>  
> I'm a newbie to ethereal. My PC is on the LAN; I used ethereal to 
> capture traffic on the NIC of my PC. In Protocol Hierarchy Statistics, 
> I saw
>  
>         TCP traffic is approximately 85%, in which
>             ftp data is 49%,
>             FTP is 1.74%,
>             HTTP is 3.4% and
>             the sum of other traffic belonging to TCP is less than 1%.
>  
> I saw that the sum of ftp data, ftp, http and other traffic is only 
> approximately 55%, smaller than 85%.
> Could anyone tell me what the remaining 30% of traffic is?
>  

The rest is plain TCP traffic (like TCP acknowledgements), which is not part 
of one of the subgroups.

Example: a TCP ACK in a TCP stream containing an HTTP session is not 
counted as HTTP traffic, as the HTTP dissector is not affected in that case.

Regards, ULFL



------------------------------

Message: 6
Date: Fri, 18 Nov 2005 20:42:15 +0100
From: Ulf Lamping <ulf.lamping@xxxxxx>
Subject: Re: [Ethereal-users] Capture filter - show only specific http
	get	requests?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E2E97.5050102@xxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Jeff Davis wrote:

> Still trying to chase down virus-infected host(s)...
>
> Need to filter out specific http get requests for specific file 
> names.  Or should this be done in a display filter...

See http://wiki.ethereal.com/Hyper_Text_Transfer_Protocol

You may better use display filters for this.

This way, you can be sure not to miss some packets that might be 
important for your research.

Regards, ULFL



------------------------------

Message: 7
Date: Fri, 18 Nov 2005 11:51:41 -0800
From: Guy Harris <gharris@xxxxxxxxx>
Subject: Re: [Ethereal-users] ASCII Dump?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E30CD.6040604@xxxxxxxxx>
Content-Type: text/plain; charset=windows-1252; format=flowed

Luke wrote:

> What I'm looking for:
> Just the TCP payload of a Kerberos packet, after ASN.1 decoding.
> 
> All Kerberos packets are ASN.1 encoded, to my knowledge.  I'd rather  
> not require users that will be using my tool to process these packets  
> to have to download another tool that I've written to do the ASN.1  
> decoding of the packet, especially since Ethereal takes the ASN.1,  
> interprets it correctly, and displays the Kerberos data, byte by  byte, 
> correctly, without any of the ASN.1 headers or ASN.1  information.  
> Ethereal will be required anyway, and since it contains  the 
> functionality I need, I'm hoping to use it to do this particular  type 
> of packet capture.  What I want to do is just have the Kerberos  packet, 
> without TCP/IP (and lower level) headers, after the ASN.1 has  been 
> decoded, dumped to a file.
> 
> Perhaps I'm misunderstanding how the ASN.1 encoding/decoding works.   I 
> was under the impression that ASN.1 added information to a data  stream 
> to support a correct transfer, and then that extra data was  removed on 
> the receiving side, leaving you with the data stream that  was 
> originally sent from the sender.

The "A" in "ASN.1" stands for "Abstract" - "ASN.1" is "Abstract Syntax 
Notation One".  ITU-T Recommendation X.680, "Information technology - 
Abstract Syntax Notation One (ASN.1): Specification of basic
notation", says:

	This Recommendation | International Standard presents a standard
notation for the definition of data types and values. A data type (or 
type for short) is a category of information (for example,
numeric, textual, still image or video information). A data value (or 
value for short) is an instance of such a type. This Recommendation | 
International Standard defines several basic types and their 
corresponding values, and rules for combining them into more complex
types and values.

	In some protocol architectures, each message is specified as the binary 
value of a sequence of octets.  However,  standards-writers need to 
define quite complex data types to carry their messages, without concern 
for their binary  representation. In order to specify these data types, 
they require a notation that does not necessarily determine the
representation of each value. ASN.1 is such a notation.  This notation 
is supplemented by the specification of one or more algorithms called 
encoding rules that determine the value of the octets that carry the 
application semantics (called the transfer syntax).  ITU-T Rec. X.690 | 
ISO/IEC 8825-1, ITU-T Rec. X.691 | ISO/IEC 8825-2 and ITU-T Rec. X.693 |
ISO/IEC 8825-4 specify three families of standardized encoding rules, 
called Basic Encoding Rules (BER), Packed Encoding Rules (PER), and XML 
Encoding Rules (XER).

The "Abstract" part refers to the fact that ASN.1 does *NOT* specify how 
data is represented "on the wire", it just specifies what types of 
objects are sent "on the wire".  The encoding rules specify how 
particular types of objects are sent over the wire.

Kerberos uses the Basic Encoding Rules (or maybe one of the subsets 
thereof).  Those encoding rules add tags to items specifying their types 
(so that the data is, if you will, "self-describing"), and also add 
length information (as, for example, numbers have a variable-length 
encoding).  A data structure (which would be a SEQUENCE type) would also 
have a tag specifying the length of the structure, followed by encoded 
values of its members.

BER-encoding doesn't just take the data structures handed to the encoder 
and add in tag/length information; it might also *transform* the data, 
e.g. a 4-byte signed integral value might be encoded as a tag, a length, 
and 1 to 4 bytes of data (and a 4-byte *unsigned* integral value might 
require *5* bytes of data, so that the leading bits are zero).  It's not 
as if stripping out the BER-encoding tags and lengths will give you back 
the exact data handed to the encoder.

It's also not a "data stream", it's structured data, and the tag 
information might be necessary to know what the structure was - for 
example, a data structure could have optional members, and the tags 
would be necessary to determine whether the members are present or not.

> So how I'm hoping tethereal  will fit 
> into this idea is that I'm hoping tethereal can take the TCP  or UDP 
> packet, depending on what Kerberos decides to use, take only  the 
> payload, do the ASN.1 decoding, and dump the result to a file.   The 
> reason I was even mentioning ACSII before is that usually when I  see 
> dumps of this type,  I see them in pcap format,

Well, if it's in pcap format, it's just a raw packet, with no decoding 
of any sort done.

> whereas what I'm  
> actually looking for is just a straight dump of bytes to a file.   When 
> that happens, some of those bytes should display as ASCII  characters 
> (for instance, kerberos packets will contain "krb").   Other characters 
> will not display as nicely.
> 
> Note that I do not want anything other than the ASN.1 decoded (if I'm  
> understanding this correctly) Kerberos packet - no dissection  
> information, no Ethernet headers, no ARP address, no dissection  
> information (i.e., this field is a flag, this field is a principal,  etc.).

It would, in principle, be possible to just strip out the BER tagging 
information; the resulting data would be binary data, with only text 
string data being meaningful when interpreted as ASCII (and even that 
only if it's ASCII text, not text in some other character encoding, such 
as UTF-8, where only the ASCII characters in the string would be 
meaningful as ASCII).

That's not something Tethereal does, and not something I'd expect it 
ever to do; the dissector model isn't oriented towards stripping out 
arbitrary bits of data (and, at the level of Tethereal, it *is* 
arbitrary - the BER dissector routines, and their callers, know about 
the BER tags, but there's no higher-level notion, and dissectors are 
only intended to build protocol trees that turn into the detailed packet 
view (and that are used to evaluate display filters), and, at the level 
of the top-level Tethereal code, one protocol tree field is just like 
another).

What is it you're *really* trying to do here?  I.e., what sort of 
processing is your tool doing to Kerberos packets?  There might be a 
better form of input than a Kerberos packet with the BER tags and length 
bytes stripped out (especially given that the tags are *required* in 
order to correctly interpret the content bytes!).  For example, getting 
the packets in PDML format, and parsing that (and ignoring in *that* 
parser the fields you're not interested in) might work better.
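
As an added illustration of the tag, length and optional-member points made above (example code written for this page, not the Ethereal/Tethereal BER dissector; the Example SEQUENCE and its [0]..[2] context tags are constructed and are not Kerberos's real ASN.1), a minimal BER encoder/decoder showing that an unsigned 32-bit value grows to 5 content octets and that two different messages collapse to the same bytes once tags and lengths are stripped:

```python
# Added example for this page, not code from the Ethereal/Tethereal BER dissector.
# The "Example" SEQUENCE and its context tags are constructed for illustration and
# are not Kerberos's real ASN.1 (see RFC 4120 for that).

def ber_length(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, content):
    """Wrap content octets in a single-byte tag plus a BER length."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value):
    """INTEGER (tag 0x02), minimal two's-complement contents, non-negative values only.
    The leading bit must be 0, so an unsigned 32-bit value such as 0x80000000 needs
    5 content octets, not 4: the encoder transforms the value, it does not just wrap it."""
    assert value >= 0
    nbytes = max(1, (value.bit_length() + 8) // 8)  # one extra bit for the sign
    return ber_tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def decode_tlv(data, pos=0):
    """Parse one TLV starting at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length

# Example ::= SEQUENCE { version [0] INTEGER, flags [1] INTEGER OPTIONAL, count [2] INTEGER }
MEMBER_NAMES = {0xA0: "version", 0xA1: "flags", 0xA2: "count"}  # [n] EXPLICIT -> constructed

def encode_example(version, count, flags=None):
    members = ber_tlv(0xA0, ber_integer(version))
    if flags is not None:                             # OPTIONAL member: only when given
        members += ber_tlv(0xA1, ber_integer(flags))
    members += ber_tlv(0xA2, ber_integer(count))
    return ber_tlv(0x30, members)                     # SEQUENCE, constructed

def decode_example(data):
    """Walk the SEQUENCE; each member's context tag says which field it is, so the
    decoder can tell whether the OPTIONAL member was present."""
    tag, content, _ = decode_tlv(data)
    assert tag == 0x30, "expected SEQUENCE"
    fields, pos = {}, 0
    while pos < len(content):
        ctag, inner, pos = decode_tlv(content, pos)
        itag, ival, _ = decode_tlv(inner)
        assert itag == 0x02, "expected INTEGER"
        fields[MEMBER_NAMES[ctag]] = int.from_bytes(ival, "big", signed=True)
    return fields

def strip_tags(data):
    """What 'the payload with the ASN.1 removed' would be: only primitive content
    octets survive; structure and field widths go with the tags and lengths."""
    out, pos = b"", 0
    while pos < len(data):
        tag, content, pos = decode_tlv(data, pos)
        out += strip_tags(content) if tag & 0x20 else content  # bit 6 set = constructed
    return out

def ambiguity_demo():
    """Two different messages whose tag-stripped bytes are identical."""
    with_flags = encode_example(version=5, count=7, flags=1)  # three members
    no_flags = encode_example(version=5, count=0x107)         # two members, 2-byte count
    return strip_tags(with_flags), strip_tags(no_flags)
```

The two messages in `ambiguity_demo` decode to different field sets, yet both strip to the same three bytes, which is exactly why the tags are required to interpret the content.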



------------------------------

Message: 8
Date: Fri, 18 Nov 2005 11:57:06 -0800
From: Guy Harris <gharris@xxxxxxxxx>
Subject: Re: [Ethereal-users] Capture filter - show only specific http
	get	requests?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <437E3212.9000006@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Jeff Davis wrote:
> Still trying to chase down virus-infected host(s)...
> 
> Need to filter out specific http get requests for specific file names.  
> Or should this be done in a display filter...

Capture filters have very limited capabilities (deliberately limited, so 
they can be implemented by small "programs" loaded into the kernel, with 
a simple checker in the kernel that can make sure the programs are safe; 
that way, packets can be discarded fairly close to the point of 
reception, so they're not processed further in the kernel, and not 
copied up to userland, saving a fair bit of CPU time).  Looking for HTTP 
GET requests for specific file names would be difficult.

I'd suggest doing that in a display filter - or, perhaps, with an 
intrusion detection system such as Snort:

	http://www.snort.org/

which has a language for writing rules for matching packets; that 
language is presumably designed to allow faster matching than the 
Ethereal display filter matching (it's not as powerful as Ethereal's 
display-filter matching, as far as I know, but is probably faster), but 
to allow more capabilities than libpcap capture filters.

Ethereal's not designed to be, and not intended to be used as, an IDS. 
Snort is.



------------------------------

Message: 9
Date: Fri, 18 Nov 2005 15:49:55 -0500
From: "Cory Perry (SNL:434-951-7463)" <CPerry@xxxxxxx>
Subject: RE: [Ethereal-users] Help automating Historical network
	capture-rollover
To: <ethereal-users@xxxxxxxxxxxx>
Message-ID:
	<B8DB6CCC77D8884F8777F7700363000C01C5AB0C@xxxxxxxxxxxxxxxx>
Content-Type: text/plain;	charset="us-ascii"

Not sure what I might be troubleshooting at any point in time so
difficult to create filter. Same for packet size, if troubleshooting URL
strings and session information, that could be deep within packet.

I have thought of setting unlimited rollover but have been hitting my
noggin against a wall trying to figure out the best way to handle files and
space management. How to automatically delete older files without
running out of space for new files.

Like several people, I would like to take a vacation once in a blue
moon. ;)

Thanks for the response.


   



>Message: 1
>Date: Thu, 17 Nov 2005 11:00:30 -0500
>From: "David DuPre" <david@xxxxxxxxxxxxxxxx>
>Subject: RE: [Ethereal-users] Help automating Historical network
>capture-rollover
>
>To: "'Ethereal user support'" <ethereal-users@xxxxxxxxxxxx>
>Message-ID: <00e901c5eb90$09543a20$6a00a8c0@DellTechsup>
>
>You might consider capturing only partial packets. Try some tests with
>capturing only the first 90 bytes of each packet.
>Then analyze it...if that isn't enough expand it to 180 bytes, and
>check.
>You might find that you only need the first XXX bytes of the 1500 byte
>packet to understand the problem you are researching. This could reduce
>the amount of data.
>
>Another possible option is to only capture packets with a payload...so
>nothing smaller than XX bytes would be captured.
>This could hide a network error though...
>
>Hope that helps,
>
>David
>
>P.S. I run Ethereal on Linux 24x7 capturing filtered traffic. I set it
>up for unlimited rollover at a specific file size. Then if I need to
>analyze a certain part of a day I use the mergecap to put the files
>together and look at them as one large file.

 

 




------------------------------

Message: 10
Date: Fri, 18 Nov 2005 14:21:07 -0600
From: "Eric Jaakkola" <eriq@xxxxxxxxxxxxxxx>
Subject: RE: [Ethereal-users] Control many ethereal PC's?
To: "'Ethereal user support'" <ethereal-users@xxxxxxxxxxxx>
Message-ID: <001201c5ec7d$9f3eb040$64dca8c0@mila>
Content-Type: text/plain;	charset="us-ascii"

Save the cap files to a central file server.  Just be sure to exclude
the IP address of the server you're saving the cap files to.  You can use
mergecap to splice the files together.

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Ulf Lamping
Sent: Friday, November 18, 2005 1:24 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] Control many ethereal PC's?

Karalis, Ilias wrote:

> I have many different PC's that capture different subnets. When I want

> to make a trace for a VoIP call I use at the time being 2-3 different 
> ethereal PC's.
>
> This is very difficult if it has to be done very often.
> Do you know if there is a solution to that problem?
> I could imagine a kind of control-master PC where the client ethereal 
> stations are controlled and tracers are then delivered to this master
PC.
>
That's a feature commonly known as remote capturing.

Currently, Ethereal is not well prepared to do such a job.

Although this is widely accepted to be a useful feature, please don't 
expect any improvements on this topic soon...

Regards, ULFL

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users




------------------------------

Message: 11
Date: Fri, 18 Nov 2005 14:58:41 -0600
From: "Eric Jaakkola" <eriq@xxxxxxxxxxxxxxx>
Subject: RE: [Ethereal-users] Help automating Historical
	networkcapture-rollover
To: "'Ethereal user support'" <ethereal-users@xxxxxxxxxxxx>
Message-ID: <004e01c5ec82$db4bd1d0$0200000a@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;	charset="us-ascii"

I didn't read your original post, but why not save the packets to a
dedicated drive so that the free space is constant?  Then just set the
rollover number and file size appropriately.  

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Cory Perry
(SNL:434-951-7463)
Sent: Friday, November 18, 2005 2:50 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Help automating Historical
networkcapture-rollover

Not sure what I might be troubleshooting at any point in time so
difficult to create filter. Same for packet size, if troubleshooting URL
strings and session information, that could be deep within packet.

I have thought of setting unlimited rollover but have been hitting my
noggin against a wall trying to figure out the best way to handle files and
space management. How to automatically delete older files without
running out of space for new files.

Like several people, I would like to take a vacation once in a blue
moon. ;)

Thanks for the response.


   



>Message: 1
>Date: Thu, 17 Nov 2005 11:00:30 -0500
>From: "David DuPre" <david@xxxxxxxxxxxxxxxx>
>Subject: RE: [Ethereal-users] Help automating Historical network
>capture-rollover
>
>To: "'Ethereal user support'" <ethereal-users@xxxxxxxxxxxx>
>Message-ID: <00e901c5eb90$09543a20$6a00a8c0@DellTechsup>
>
>You might consider capturing only partial packets. Try some tests with
>capturing only the first 90 bytes of each packet.
>Then analyze it...if that isn't enough expand it to 180 bytes, and
>check.
>You might find that you only need the first XXX bytes of the 1500 byte
>packet to understand the problem you are researching. This could reduce
>the amount of data.
>
>Another possible option is to only capture packets with a payload...so
>nothing smaller than XX bytes would be captured.
>This could hide a network error though...
>
>Hope that helps,
>
>David
>
>P.S. I run Ethereal on Linux 24x7 capturing filtered traffic. I set it
>up for unlimited rollover at a specific file size. Then if I need to
>analyze a certain part of a day I use the mergecap to put the files
>together and look at them as one large file.

 

 


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
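
Ethereal's own ring buffer (file size times rollover count) already bounds disk use the way Eric suggests. For the case Cory raises, unlimited rollover with older files pruned automatically, here is an added example script (written for this page, not part of the Ethereal project): it deletes the oldest capture files until the directory fits a byte budget, and never touches the newest file, which the running capture may still be writing. The file name pattern and the constructed sample directory are assumptions.

```python
# Added example for this page, not part of Ethereal. Prunes rolled-over capture
# files oldest-first so the directory stays under a byte budget, never touching the
# newest file, which the running capture may still be writing to.
import os
import glob
import tempfile

def capture_files(directory, pattern="*.cap"):
    """Capture files in the directory, oldest first (by mtime, then name).
    The "*.cap" pattern is an assumption; match it to your rollover file names."""
    paths = glob.glob(os.path.join(directory, pattern))
    return sorted(paths, key=lambda p: (os.path.getmtime(p), p))

def prune_captures(directory, budget_bytes, pattern="*.cap"):
    """Delete the oldest files until the total size fits the budget.
    Returns the base names of the deleted files, oldest first."""
    files = capture_files(directory, pattern)
    total = sum(os.path.getsize(p) for p in files)
    deleted = []
    for path in files[:-1]:                 # the newest file is never a candidate
        if total <= budget_bytes:
            break
        size = os.path.getsize(path)
        os.remove(path)
        total -= size
        deleted.append(os.path.basename(path))
    return deleted

def make_sample_dir():
    """Constructed sample: four 1000-byte 'capture files' with increasing mtimes,
    standing in for Ethereal's rollover output."""
    directory = tempfile.mkdtemp(prefix="cap_")
    for i in range(1, 5):
        path = os.path.join(directory, "trace_%05d.cap" % i)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 1000)
        os.utime(path, (1000 * i, 1000 * i))  # explicit mtimes: trace_00001 is oldest
    return directory

def demo(budget_bytes=2500):
    """Prune the constructed sample; return (deleted names, surviving names)."""
    directory = make_sample_dir()
    deleted = prune_captures(directory, budget_bytes)
    remaining = [os.path.basename(p) for p in capture_files(directory)]
    return deleted, remaining
```

Run `prune_captures` from cron between rollovers against the real capture directory; with the budget set below the drive's free space, new files always have room.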




------------------------------

Message: 12
Date: Fri, 18 Nov 2005 22:01:58 -0500
From: Hansang Bae <hbae@xxxxxxxxxx>
Subject: RE: [Ethereal-users] Help automating Historical network
	capture-rollover
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <6.2.3.4.2.20051118220005.02620098@xxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

At 03:49 PM 11/18/2005, Cory Perry (SNL:434-951-7463) wrote:
>Not sure what I might be troubleshooting at any point in time so
>difficult to create filter. Same for packet size, if troubleshooting URL
>strings and session information, that could be deep within packet.
>
>I have thought of setting unlimited rollover but have been hitting my
>noggin against a wall trying to figure out the best way to handle files and
>space management. How to automatically delete older files without
>running out of space for new files.

Then perhaps you are using the wrong tool.  I don't consider Ethereal/winpcap to be an ideal solution to long term capturing.  For that, I would consider Niksun's NetVCR.

As far as slice size goes, you rarely need to see more than 128 bytes.  Or even 256 bytes if the URL is important.   For that *ONE* case where you may need to see more, you are wasting volumes of disk space.

hsb



------------------------------

Message: 13
Date: Sat, 19 Nov 2005 09:23:11 +0100
From: "Jacques, Olivier (OCBU-Test Infra)" <olivier.jacques@xxxxxx>
Subject: RE: [Ethereal-users] ss7 monitoring query
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Message-ID:
	<1AB048BB58C35849AD36CDE65F16C110021E17FC@xxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Skipped content of type multipart/alternative

------------------------------

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users


End of Ethereal-users Digest, Vol 31, Issue 20
**********************************************