Ethereal-users: RE: [Ethereal-users] [Q-OT] Size of a trace and hub functions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 9 Feb 2001 15:43:02 -0600
You are totally right, in regards to known errors ... but here is my 
problem (as I stated it in my initial posting): I do NOT know what 
the FTP error is. I have to capture EVERYTHING, and do a "post-mortem" 
analysis of the traffic, as - in what FTP is concerned - 
whether the file was fully/completely downloaded/uploaded or not, it 
still reports "226 - "I am done"" - thus not knowing what filter to put 
in for a snort usage.

Actually my theory is that I have a "big pipe/small pipe" (Ethernet 
100 Mbps --> 56 frame relay --> Ethernet 100 Mbps) type of 
environment/problem, and I think I am losing (discarded) frames, 
but the provider doesn't send me any info on their managed 
devices, and I have no rights to the SNMP info on the routers for 
FR info ... thus the "twisted" way of having to capture everything at 
both ends, and - I hope - proving that neither end is at fault, but 
that actually something leaves on one end and never reaches the 
other ==> timeouts and the likes ==> with FTP thinking "it's done".
Does all this make any sense?!?

Thx again for help,
Stef

On 9 Feb 2001, at 14:26, Eichert, Diana wrote:

> Ahhh, but that is what snort does best, looking for an event and only
> logging that event.  You see you used "rules", but I'm suggesting
> running snort with only one rule, the ftp error.
> 
> We've tracked distributed applications this way on a very busy network
> because it's amazing how little a developer really knows what's going on
> with their application, they were just writing using the available
> libraries, but hey YMMV.
> 
> diana
> 
> -----Original Message-----
> From: stefmit@xxxxxxxxxxxxx [mailto:stefmit@xxxxxxxxxxxxx]
> Sent: February 09, 2001 2:13 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions
> 
> 
> You see ... I am still thinking that each tool is to be used for
> what's supposed to do best - I am using snort on the DMZ and in other
> critical points, but I have a hard time believing that it would
> outperform a packet capturing program, if the latter doesn't need to
> run through rules. I may be wrong ... but I would still like to use
> ethereal for what I was initially asking ...
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
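One way to do the two-ended comparison Stef describes (capture at both sites, then show which frames left one end and never arrived at the other), as an added example that is not code from this thread or from Ethereal. It works on frame records already pulled out of the two captures; the Frame type, the addresses, IP IDs and segment sizes are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str      # source IP
    dst: str      # destination IP
    ip_id: int    # IP identification field
    seq: int      # TCP sequence number
    payload: int  # TCP payload bytes


def frame_key(f: Frame) -> tuple:
    # IP ID plus TCP seq tells an original segment from its retransmission
    # (same seq, new IP ID), so each copy is matched exactly once.
    return (f.src, f.dst, f.ip_id, f.seq)


def missing_frames(sent: list, received: list) -> list:
    """Frames in the sender-side capture that have no counterpart in the
    receiver-side capture, i.e. frames lost somewhere on the link."""
    seen = Counter(frame_key(f) for f in received)
    lost = []
    for f in sent:
        k = frame_key(f)
        if seen[k] > 0:
            seen[k] -= 1      # matched one copy at the far end
        else:
            lost.append(f)    # left this end, never arrived
    return lost


def report(sent: list, received: list) -> dict:
    lost = missing_frames(sent, received)
    return {
        "sent_bytes": sum(f.payload for f in sent),
        "received_bytes": sum(f.payload for f in received),
        "lost_ip_ids": [f.ip_id for f in lost],
    }


# Constructed sample: five data segments of an FTP data connection as seen at
# the uploading site; the capture at the far end lacks IP ID 1003.
SITE_A = [Frame("10.0.1.5", "10.0.2.7", 1001 + i, 1 + i * 1460, 1460)
          for i in range(5)]
SITE_B = [f for f in SITE_A if f.ip_id != 1003]

if __name__ == "__main__":
    print(report(SITE_A, SITE_B))
```

Run it once per direction (site A as sender against site B, then the reverse) so that a byte count that matches in one direction and not the other points at the link rather than at either host.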