> I don't understand why Ethereal works with CLNP (ISO-8473) but I can't
> find anything about filtering this with Windump/Winpcap.
The reason why you can't find anything in the documentation is because
the man page on the WinDump site hasn't yet been updated to the tcpdump
3.6.2 man page, even though the current version of WinDump is 3.6.2,
based on tcpdump 3.6.2.
Note, however, that the current version of WinPcap is still 2.2, based
on libpcap 0.5. The documentation for the filter expressions handled by
libpcap/WinPcap is in the tcpdump/WinDump man page, not the
libpcap/WinPcap man page. This means that if they were to update the
man page, it would not match what the current version of WinPcap can do,
so perhaps it's OK that they haven't updated it.
Note that WinPcap and Ethereal are separate projects, as are WinDump and
Ethereal, so Ethereal may be able to work with protocols that WinPcap
can't, and *vice versa*. ("Work with" in the sense of "analyze".)
Given that WinPcap is a library that WinDump and Ethereal (and Analyzer,
and so on) use to capture packets, and is a separate project from
WinDump and from Ethereal and from Analyzer and so on, it's also
possible that WinPcap or Ethereal or Analyzer or... may be able to
analyze protocols that WinPcap can't filter.
> I thought that Ethereal uses that in a lower level.
Yes, Ethereal uses libpcap on UNIX, and WinPcap (which is a driver and
low-level library for Windows, and a port of libpcap atop that driver
and library) on Windows, to do packet capture.
However, it does *not* use them to do dissection, so it's perfectly
possible for a version of libpcap or WinPcap that knows nothing about
filtering CLNP packets to be used by Ethereal without that preventing
Ethereal from being able to dissect those packets.
In addition, libpcap/WinPcap doesn't have to know about a protocol in
order to capture packets of that protocol type; it just has to know
about it in order to implement *packet filters* that check for that
protocol type.
(The next release of WinPcap will probably be able to handle CLNP, at
least to the point that you can say
iso protocol clnp
or just
clnp
in a WinPcap filter expression, and that WinDump will be able to dissect
CLNP packets to some degree; WinPcap 2.3 beta is based on libpcap 0.6.2,
which supports that.)
The current release of WinDump is 3.6.2, which should already be able to
dissect CLNP packets to some degree.
Note that this means that WinDump 3.6.2 works with CLNP but, if you have
WinPcap 2.2, rather than the beta version of WinPcap 2.3, installed, it
> I wrote that because I need to capture packets with C++ and I already
> have the Windump source available on the internet.
See "print-isoclns.c" for the code that prints CLNP packets in WinDump.
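Added example, not part of this thread: a check for the point made above that whether "clnp" or "iso protocol clnp" is accepted depends on the libpcap/WinPcap version linked in. It loads the system libpcap through Python ctypes, opens a dead Ethernet handle (so no interface or privileges are needed) and asks pcap_compile() which candidate expressions parse. The offset-based fallback expression and its LLC SAP 0xFE / NLPID 0x81 byte values are my assumption about CLNP framing, not something the reply states.

```python
import ctypes.util  # also binds the ctypes package

DLT_EN10MB = 1  # Ethernet link-layer type (pcap/bpf.h)

# Candidate expressions: the two keywords the reply mentions, plus an
# offset-based fallback matching 802.2 LLC DSAP/SSAP 0xFE (ISO network
# layer) and CLNP NLPID 0x81, which needs no protocol support in libpcap.
CANDIDATES = {
    "clnp keyword": "clnp",
    "iso keyword": "iso protocol clnp",
    "raw offsets": "ether[14] = 0xfe and ether[15] = 0xfe and ether[17] = 0x81",
}

class BpfProgram(ctypes.Structure):  # mirror of struct bpf_program
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]

def load_libpcap():
    """Return a ctypes handle to libpcap/wpcap, or None if not installed."""
    name = ctypes.util.find_library("pcap") or ctypes.util.find_library("wpcap")
    if name is None:
        return None
    lib = ctypes.CDLL(name)
    lib.pcap_open_dead.restype = ctypes.c_void_p
    lib.pcap_open_dead.argtypes = [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
    lib.pcap_geterr.restype = ctypes.c_char_p
    lib.pcap_geterr.argtypes = [ctypes.c_void_p]
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib

def check_filters(expressions=CANDIDATES):
    """Return {label: True | error text} per expression, or None if no libpcap."""
    lib = load_libpcap()
    if lib is None:
        return None
    handle = lib.pcap_open_dead(DLT_EN10MB, 65535)  # no capture, just a compiler
    results = {}
    try:
        for label, expr in expressions.items():
            prog = BpfProgram()
            # optimize=1; netmask=0 since a dead handle has no network
            if lib.pcap_compile(handle, ctypes.byref(prog), expr.encode(), 1, 0) == 0:
                results[label] = True
                lib.pcap_freecode(ctypes.byref(prog))
            else:
                results[label] = lib.pcap_geterr(handle).decode(errors="replace")
    finally:
        lib.pcap_close(handle)
    return results
```

On a libpcap older than 0.6 the two keyword entries come back with a parse error while the raw-offset entry still compiles; on current builds all three are accepted.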