Ethereal

RE: [ethereal-dev] Ethereal - Displaying IPX Net names and hostna mes in capture mode?
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-dev: November 1999

 

>I can fix it for MAC addresses, but there's no way to specify the names
>for IPX networks.  We could add support for an /etc/ipxnet file or
>something. There's no standard way of resolving names for IPX, so
>we'll have to make our own.

Microsoft Network Monitor has an interesting way of handling this for folks
who write protocol decoder plug-ins to drop into it.

There is an API available inside NETMON that lets a "parser" (what Ethereal
calls a "dissector") tell NETMON when it has found a name in a packet.  When
parsing a packet that has a system name in its payload, you yank the name
out of the packet and pass it to the API.  Then NETMON knows that name is
associated with the addressing on that packet.  Of course, you need a way in
the API to tell which side of the connection the name is associated with.
For other cases, instead of taking the addressing off the packet, you'd want
to pass an address to the API so for instance if you were parsing a DNS zone
transfer, you could build up an address list as you saw it go by.

This scheme works amazingly well, because typically network applications
will "look up" the name of a system right before the contact it.  So in many
cases the names you want are right there in the data you captured.

In the IPX world, servers typically "advertise" their names using SAP on a
60-second interval, so all you have to do is collect packets for a couple of
minutes and you usually see everything you need to get server names for
display.  Client names are a bit different, but there are still packets
where these could be picked up.

Of course, to make it truly usable, you need a way to cache the names you
have collected.  This helps cover cases where the naming wasn't available
and gives you the best of both possible worlds.  That's a no-brainer, you
just take the names you got from the dissectors through this API, and write
them into a configuration file when Ethereal exits, so they'll be available
next time.

=====================================
Tim Farley
Software Engineer
tfarley@xxxxxxx

Internet Security Systems, Inc.
(678) 443-6000 / Direct Dial (678) 443-6189 / fax (678) 443-6479
http://www.iss.net

Adaptive Network Security for the Enterprise
=====================================

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.