On Mon, Nov 08, 1999 at 04:34:27PM -0600, Farley, Tim (ISSAtlanta) wrote:
>
> There is an API available inside NETMON that lets a "parser" (what
> Ethereal calls a "dissector") tell NETMON when it has found a name in a
> packet. When parsing a packet that has a system name in its payload, you
> yank the name out of the packet and pass it to the API. Then NETMON knows
> that name is associated with the addressing on that packet. Of course,
> you need a way in the API to tell which side of the connection the name
> is associated with. For other cases, instead of taking the addressing off
> the packet, you'd want to pass an address to the API so for instance if
> you were parsing a DNS zone transfer, you could build up an address list
> as you saw it go by.
>
> This scheme works amazingly well, because typically network applications
> will "look up" the name of a system right before they contact it. So in
> many cases the names you want are right there in the data you captured.

What worries me are the cases in which an address is used (perhaps by
another host) *before* a name lookup is made. Let's say some IPX client is
talking to our server, so we add this line to the packet summary GUI

    C0A82C00.0000f6000001 00000BAD.000000000001 NCP File read

And then we find the SAP naming our 0xC0A82C00 and 0xBAD network (or
server). How should ethereal go back and update the text it has already
printed in the packet summary? Should two passes be made? We could mark
those packets which had a name which could not be resolved, so after
parsing a file, if we made any updates to our name cache, we could go back
and re-parse those packets.

--gilbert
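
The mark-and-re-parse idea from the message above, sketched as an added example that is not part of the original message and is not Ethereal or NETMON code. The packet dictionaries, the function names, the SAP packet and the name FILESRV1 are assumptions made for illustration, and the name cache is keyed by IPX network number only to keep the sketch short.

```python
# Constructed capture: the IPX addresses are the ones quoted in the message;
# the SAP packet, the second NCP packet and the name FILESRV1 are invented.
CAPTURE = [
    {"src": "C0A82C00.0000f6000001", "dst": "00000BAD.000000000001",
     "info": "NCP File read"},
    {"src": "00000BAD.000000000001", "dst": "00000BAD.ffffffffffff",
     "info": "SAP General Response", "names": {"00000BAD": "FILESRV1"}},
    {"src": "C0A82C00.0000f6000001", "dst": "00000BAD.000000000001",
     "info": "NCP Close file"},
]


def render(addr, names):
    """Return (text, resolved) for one network.node address."""
    net, node = addr.split(".")
    name = names.get(net.upper())
    return (f"{name}.{node}", True) if name else (addr, False)


def summary_line(pkt, names):
    """Build one summary row; the flag is False if any address stayed numeric."""
    src, src_ok = render(pkt["src"], names)
    dst, dst_ok = render(pkt["dst"], names)
    return f"{src} {dst} {pkt['info']}", src_ok and dst_ok


def summarize(capture):
    """Return (rows, reparsed): summary rows and the indexes redone in pass 2."""
    names, rows, pending = {}, [], []
    cache_changed = False
    # Pass 1: dissect in capture order with whatever names are known so far,
    # and mark every row that had to be printed with a raw address.
    for i, pkt in enumerate(capture):
        for net, name in pkt.get("names", {}).items():
            cache_changed |= names.get(net) != name
            names[net] = name
        line, resolved = summary_line(pkt, names)
        rows.append(line)
        if not resolved:
            pending.append(i)
    # Pass 2: only if the cache changed, and only over the marked rows.
    reparsed = []
    if cache_changed:
        for i in pending:
            line, _ = summary_line(capture[i], names)
            if line != rows[i]:
                rows[i] = line
                reparsed.append(i)
    return rows, reparsed
```

Row 2 stays marked because nothing in the capture names network C0A82C00, so a later capture file or a live update would have to revisit it again.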