Wireshark · Ethereal-dev: RE : [Ethereal-dev] about ethereal

Ethereal-dev: RE : [Ethereal-dev] about ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "RABRET Laurent FTRD/DAC/ISS" <laurent.rabret@xxxxxxxxxxxxxxxxxxxx>

Date: Tue, 24 Jun 2003 17:05:02 +0200

I suppose the filtering is performed in kernel mode... Not absolutely
sure because I didn't find any information about this point. I can try
to benchmark those two drivers with many filters to compare
performances.

OK, one can propose to add the pcap driver while installing Ethereal but
it still won't be possible to monitor dialup connections... I use a
modified release of Ethereal for about 2 years (just 2 more lines in the
capture_wpcap.c file) so that I call the network monitor driver if my
dll is found. It works fine and there's no dialup limitation. If we
could propose this feature in standard, Windows Ethereal users would be
certainly more satisfied... What about a check box in the capture option
to enable/disable NM if it is present on the user's computer?
Regards
Laurent

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx] 
Sent: Friday, June 20, 2003 9:22 PM
To: RABRET Laurent FTRD/DAC/ISS
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] about ethereal

On Friday, June 20, 2003, at 2:02AM, RABRET Laurent FTRD/DAC/ISS wrote:

> I do agree, it's not purely Ethereal specific but it would be so cool 
> to
> have a "plug and play" Ethereal distribution for Windows able to 
> capture
> traffic stemming from LAN AND dialup networks (the NM driver is
> automatically distributed with Windows on 2000 & XP).

Does the libpcap-for-NM-driver implementation do packet filtering in 
user mode or in a kernel driver?  If it's in user mode, the LAN capture 
might be best done with WinPcap, as its driver does packet filtering 
(so packets that would have been discarded in user mode don't even get 
copied up to userland).

>  If the NM<->pcap
> adaptor is part of libpcap we can forget the "plug & play" feature...

Not if we arrange to install that version of libpcap as well.

If the NM<->pcap adaptor *isn't* part of libpcap, you would have to 
build *other* tools that use libpcap (e.g., Snort) specially (which 
would require a "developer's pack" for the NM<->pcap adaptor, rather 
than having the header files be part of Ethereal).

Follow-Ups:
- Re: RE : [Ethereal-dev] about ethereal
  - From: Guy Harris

Prev by Date: [Ethereal-dev] Support for pure protocol packets without underlying protocol data
Next by Date: Re: [Ethereal-dev] Support for pure protocol packets without underlying protocol data
Previous by thread: Re: [Ethereal-dev] about ethereal
Next by thread: Re: RE : [Ethereal-dev] about ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$