Ethereal-dev: Re: [Ethereal-dev] Another Windows-only sniffer: PacScope ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Wed, 3 Sep 2003 08:17:34 +1000
> I wonder if I have the time to put up a sniffer comparison page? I wonder
> if these commercial vendors would let me have eval versions to do so?

Such a comparison would be very useful.

Some items useful for comparison:

PDU reassembly:
Can it reassemble AIM PDUs spanning multiple TCP
Can it reassemble ATP PDUs spanning multiple TCP
Can it reassemble BGP PDUs spanning multiple TCP
Can it reassemble CLNP PDUs
Can it reassemble COPS PDUs spanning multiple TCP
Can it reassemble DCERPC PDUs spanning multiple TCP
Can it reassemble DCERPC Fragments into full DCERPC PDUs
Can it reassemble DCERPC PDUs spanning multiple SMB named pipe
Trans/Read/Write calls
Can it reassemble DIAMETER PDUs spanning multiple TCP
Can it reassemble DNS PDUs spanning multiple TCP
Can it reassemble DSI PDUs spanning multiple TCP
Can it reassemble multi-sequence FibreChannel PDUs
Can it reassemble FCIP PDUs spanning multiple TCP
Can it reassemble GRYPHON PDUs spanning multiple TCP
Can it reassemble 802.11 PDU fragments
Can it reassemble IPv4 PDU fragments
Can it reassemble IPv6 PDU fragments
Can it reassemble iSCSI PDUs spanning multiple TCP
Can it reassemble KERBEROS5 PDUs spanning multiple TCP
Can it reassemble LDAP PDUs spanning multiple TCP
Can it reassemble LDP PDUs spanning multiple TCP
Can it reassemble MySQL PDUs spanning multiple TCP
Can it reassemble NBSS (NetBIOS over TCP) PDUs spanning multiple TCP
Can it reassemble NCP PDUs spanning multiple TCP
Can it reassemble NDMP PDUs spanning multiple TCP
Can it reassemble NDMP fragments into NDMP PDUs
Can it reassemble NDPS PDUs spanning multiple TCP
Can it reassemble NDPS PDUs spanning multiple SPX
Can it reassemble NetBIOS PDUs
Can it reassemble Q.931 PDUs spanning multiple TCP
Can it reassemble ONC-RPC PDUs spanning multiple TCP
Can it reassemble ONC-RPC Fragments into a full ONC-RPC PDU
Can it reassemble RSYNC PDUs spanning multiple TCP
Can it reassemble SKINNY PDUs spanning multiple TCP
Can it reassemble SMB Transaction Payloads
Can it reassemble SMTP PDUs spanning multiple TCP
Can it reassemble fragmented SNA BIUs
Can it reassemble SSH PDUs spanning multiple TCP
Can it reassemble SSL PDUs spanning multiple TCP
Can it reassemble TDS PDUs spanning multiple TCP
Can it reassemble TNS PDUs spanning multiple TCP
Can it reassemble TPKT PDUs spanning multiple TCP
Can it reassemble X.25 PDUs
Can it reassemble X11 PDUs spanning multiple TCP
Can it reassemble X.25 Over TCP PDUs spanning multiple TCP


Then we can move on to more interesting protocols:
Can it dissect DCERPC/LSA
Can it dissect DCERPC/SAMR
Can it dissect DCERPC/NETLOGON
... fill in with all the other dce interfaces we support
Can it dissect NFSv4
... fill in with all the other oncrpc interfaces we support
Can it dissect AFS
Can it dissect NDMP
Can it dissect iSCSI
Can it dissect iSNS
Can it dissect h.323
Can it dissect h.225
Can it dissect h.245
Can it dissect FibreChannel
Can it dissect FibreChannel Name Server
... add all the other fc related protocols
Can it dissect SMB properly
Can it dissect SCSI-CDB
... add all the other interesting protocols no one else can handle


Then we can check:
Can it create ONC-RPC Service Response Time tables
Can it filter for ONC-RPC Service Response times?
Can it flag/colorize ONC-RPC Service Response in different colors depending
on the response time?
Can it create DCE-RPC Service Response Time tables
Can it filter for DCE-RPC Service Response times?
Can it flag/colorize DCE-RPC Service Response in different colors depending
on the response time?
Can it create SMB Service Response Time tables
Can it filter for SMB Service Response times?
Can it flag/colorize SMB Service Response in different colors depending on
the response time?
...  add all the other response times we can calculate


Then we can check filtering:
Does packet filtering work?   I.e. if you filter for NFS, will this pick up
all packets that contain an NFS PDU or will it only find an undocumented
subset of these packets?
...

Then we can check all the things in TCP Sequence Number Analysis:
Can it find and flag a TCP keep-alive
Can it find and flag when someone writes to a zero-window?
...

Then we can check authentication protocols:
Can it dissect NTLMSSP authentication blobs
Can it dissect the authentication blobs for Windows authentication
...
Can it decode and display the encrypted payload of SAMR packets?
...


We need a comparison table showing what Ethereal can do. Things that are
useful.
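As an added example, not part of this message and not Ethereal's own code, here is what the "PDUs spanning multiple TCP" and "does packet filtering work" items in the list above actually test. It is a hypothetical reassembler for TPKT framing (RFC 1006: a 4-byte header of version 3, a reserved byte, and a 16-bit big-endian length that includes the header) fed with the payloads of one direction of a TCP stream. It assumes the segments arrive in order with no loss or overlap (the TCP-level reassembly a real analyzer has to do first), and the sample stream is constructed in `demo_segments()`. The point of the constructed input is that the segment boundaries ignore the PDU boundaries: a dissector that only looks at the start of each packet finds one of the three PDUs and would make a "tpkt" filter match one of four segments that carry TPKT data.

```python
# Added example (hypothetical code, not Ethereal's): a minimal TPKT (RFC 1006)
# reassembler for one direction of a TCP stream.  Assumes in-order, loss-free
# segment delivery, i.e. TCP-level reassembly has already been done.
import struct

TPKT_VERSION = 3      # RFC 1006: version byte is always 3
TPKT_HEADER_LEN = 4   # version, reserved, 16-bit length (header included)


class TpktReassembler:
    """Accumulates TCP payload bytes and emits complete TPKT PDUs.

    Handles the two cases a per-packet dissector gets wrong: one PDU spread
    over several segments, and several PDUs packed into one segment.  For each
    PDU it also records every segment index that carried a byte of it, which
    is what a display filter such as "tpkt" should match against."""

    def __init__(self):
        self._buf = bytearray()   # bytes not yet assigned to a complete PDU
        self._runs = []           # [segment_index, byte_count] runs covering _buf
        self.pdus = []            # (payload, [segment indices]) per complete PDU
        self.errors = []          # (segment_index, first 4 bytes) on framing errors

    def feed(self, seg_idx, data):
        """Add one segment's payload; return the PDUs completed by it."""
        if not data:
            return []
        self._buf += data
        self._runs.append([seg_idx, len(data)])
        completed = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, _reserved, length = struct.unpack("!BBH", self._buf[:TPKT_HEADER_LEN])
            if version != TPKT_VERSION or length < TPKT_HEADER_LEN:
                # Desynchronised stream: record it and drop what we hold rather
                # than emitting garbage as a PDU.
                self.errors.append((seg_idx, bytes(self._buf[:TPKT_HEADER_LEN])))
                self._buf.clear()
                self._runs.clear()
                break
            if len(self._buf) < length:
                break  # PDU continues in a segment we have not seen yet
            payload = bytes(self._buf[TPKT_HEADER_LEN:length])
            segments = self._consume(length)
            del self._buf[:length]
            self.pdus.append((payload, segments))
            completed.append((payload, segments))
        return completed

    def _consume(self, n):
        """Retire n bytes from the run list; return the segments they came from."""
        segments = []
        while n > 0:
            run = self._runs[0]
            if run[0] not in segments:
                segments.append(run[0])
            take = min(n, run[1])
            run[1] -= take
            n -= take
            if run[1] == 0:
                self._runs.pop(0)
        return segments


def tpkt(payload):
    """Frame a payload as one TPKT PDU."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


def reassemble(segments):
    """Run every segment through one reassembler; return the complete PDUs."""
    r = TpktReassembler()
    for idx, data in enumerate(segments):
        r.feed(idx, data)
    return r.pdus


def naive_segment_hits(segments):
    """What a per-packet dissector sees: segments that *start* with a TPKT header."""
    return [idx for idx, data in enumerate(segments)
            if len(data) >= TPKT_HEADER_LEN and data[0] == TPKT_VERSION]


def segments_carrying_tpkt(pdus):
    """Segments a correct 'tpkt' packet filter should select."""
    return sorted({s for _, segs in pdus for s in segs})


def demo_segments():
    # Constructed input: three PDUs (14, 44 and 9 bytes on the wire) cut into
    # four TCP segments whose boundaries ignore the PDU boundaries.
    stream = tpkt(b"A" * 10) + tpkt(b"B" * 40) + tpkt(b"C" * 5)
    return [stream[:8], stream[8:30], stream[30:50], stream[50:]]


if __name__ == "__main__":
    segs = demo_segments()
    pdus = reassemble(segs)
    for payload, carried_by in pdus:
        print(len(payload), "byte PDU carried by segments", carried_by)
    print("naive per-segment dissector finds:", naive_segment_hits(segs))
    print("segments a correct filter selects:", segments_carrying_tpkt(pdus))
```

The same run-tracking idea is what lets an analyzer answer the filtering question honestly: a filter for a protocol should select every segment that carries any byte of one of its PDUs, not just the segments where a PDU happens to begin. The framing-error path matters for the security use case as well, since a stream that desynchronises (or is crafted to) must not be dissected as if its bytes were a valid PDU.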