Wireshark · Ethereal-dev: Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]

Ethereal-dev: Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Wed, 7 Jan 2004 15:29:13 -0800


On Jan 7, 2004, at 3:10 PM, Gerald Combs wrote:

I received this email earlier today. After downloading a demo ofClearSight Anayzer, it's clear that they've DLL-ified Ethereal andcall it directly from their application. A copy of the default decodeengine (DecodeEngine.dll) resides in "DecodeEngines\Ethereal\". Astring analysis of the DLL indicates that it contains Ethereal'sdissector code plus epan, and possibly more of Ethereal's components.
I sent an email to ClearSight, and am waiting for a response.

As long as they're stealing from us, it might be interesting to stealfrom them - the column headings above the lines in the hex dump panemight be useful, for example; see figure 7-4 in their Getting StartedGuide:

http://www.clearsightnetworks.com/files/docs/Clearsight%20GSG(10-03).pdf

(The information in the summary line in that figure looks certainlylooks familiar, as does the detail pane in figure 7-5....)

"Working with Trace Files" in chapter 7 says they can read "Genericcapture files (*.cap)". I'm not sure what that means, as I don't knowof any file format for "generic capture files", although i do know ofseveral different formats that use ".cap" (Windows Sniffer, NetworkMonitor, and I think Shomiti Surveyor) - are they also using Wiretap?If so, I guess they have to give us code to read AppDancer files(assuming they're not just using some existing capture file format thatwe already read).

But as they say you can only save trace files in AppDancer or DOSSniffer format, perhaps they're *not* using Wiretap - if they were,they could save in other formats as well.

(Then again, their display filter capability isn't as powerful as ours;I guess they didn't want to force their users to confront displayfilters in their full glory, although Microsoft provides a scheme ofequivalent power in Network Monitor - in fact, the "Add Expression"dialog box in Ethereal is modeled after the NetMon box, although wedon't have a GUI for constructing a full expression tree as NetMondoes.)

Follow-Ups:
- Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]
  - From: Richard Sharpe

References:
- [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]
  - From: Gerald Combs

Prev by Date: Re: [Ethereal-dev] Change how SCCP determines ANSI/ITU variant
Next by Date: Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decodeengine]
Previous by thread: Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]
Next by thread: Re: [Ethereal-dev] [Fwd: ClearSight Analyzer's use of Ethereal decode engine]
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$