> I wrote a small program to write out all captured
> packets to disk. I can clearly make out HTTP and HTML
> in the dump file. However, how can I tell where each
> packet was heading for / came from by looking at the raw
> TCP/IP? Is it possible?

Yes, that's what Ethereal and tcpdump/WinDump do.

> Is it easy?

Not too easy. You'd first have to look at the link-layer header - what the link-layer header is depends on the link-layer type of the capture (in libpcap/WinPcap, "pcap_datalink()" returns the link-layer type; you'll have to check the documentation for the ActiveX control to see how to get it from the control) - and determine, from it, the protocol running atop the link layer. The way to do that depends on the link-layer type.

Then, if the packet is an IP packet, you'd have to look at the IP header, which contains the source and destination addresses of the packet.
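
The steps described in the reply above, as an added example that is not part of the original message or of libpcap/WinPcap. It assumes the capture's link-layer type is Ethernet (libpcap's DLT_EN10MB, value 1) with at most one 802.1Q tag, and handles IPv4 only; the function name, constant names and sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_ETHERNET 1      /* assumed name; same value as libpcap's DLT_EN10MB */
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100

/* Read a 16-bit big-endian (network order) field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Fill src/dst with the IPv4 addresses of one captured frame.
 * caplen is the number of bytes actually captured for this frame.
 * Returns 0 on success, -1 if the frame is not IPv4 over Ethernet,
 * is truncated, or has a malformed IP header. */
int ipv4_endpoints(int linktype, const uint8_t *pkt, size_t caplen,
                   uint8_t src[4], uint8_t dst[4])
{
    size_t off = 14;                      /* dst MAC + src MAC + EtherType */
    if (linktype != LINKTYPE_ETHERNET || caplen < off) return -1;
    uint16_t type = be16(pkt + 12);
    if (type == ETHERTYPE_VLAN) {         /* one 802.1Q tag adds 4 bytes */
        if (caplen < off + 4) return -1;
        type = be16(pkt + 16);
        off += 4;
    }
    if (type != ETHERTYPE_IPV4 || caplen < off + 20) return -1;
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IP header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || caplen < off + ihl) return -1;
    for (int i = 0; i < 4; i++) { src[i] = ip[12 + i]; dst[i] = ip[16 + i]; }
    return 0;
}

/* Constructed sample: Ethernet header followed by a 20-byte IPv4 header
 * (protocol 6 = TCP), 192.0.2.10 -> 198.51.100.7. Checksum left as zero. */
static const uint8_t sample_frame[34] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,
    192,0,2,10, 198,51,100,7
};

int main(void)
{
    uint8_t s[4], d[4];
    if (ipv4_endpoints(LINKTYPE_ETHERNET, sample_frame, sizeof sample_frame, s, d) == 0)
        printf("%u.%u.%u.%u -> %u.%u.%u.%u\n", s[0],s[1],s[2],s[3], d[0],d[1],d[2],d[3]);
    return 0;
}
```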