Ethereal-users: [Ethereal-users] Libcrypto.so.0

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Berry, Richard" <BerryR@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 7 Nov 2001 09:02:25 -0600
I was just trying to load Ethereal 0.8.20 (and 0.8.19 when that didn't work)
on RH Linux 7.2. When trying to install either of the RPMs, it says that it
needs libcrypto.so.0. I have the newest version of openssl installed on the
box, but it doesn't seem to do any good. This also happened in 7.1.

I know there's something obvious I'm overlooking, but my Linux background
isn't as deep as I'd like (or as it's going to be). Any ideas?

(I tried compiling the source, but ran into similar problems; if it would
help, I can put the specific messages here).

Richard Berry
LAN Engineer - Principal
"Si hoc legere scis numium eruditionis habes." 



-----Original Message-----
From: ethereal-users-request@xxxxxxxxxxxx
[mailto:ethereal-users-request@xxxxxxxxxxxx]
Sent: Wednesday, November 07, 2001 6:31 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: Ethereal-users digest, Vol 1 #453 - 14 msgs


Today's Topics:

   1. New User - Capture filter question (jeanne_gaskill@xxxxxxxxxxxxxx)
   2. Information on Internet packet monitoring/analysis (jeanne_gaskill@xxxxxxxxxxxxxx)
   3. Re: New User - Capture filter question (Guy Harris)
   4. RE: tethereal - turning dissectors off (David Erickson)
   5. Re: question about CLNP (Guy Harris)
   6. Re: tethereal - turning dissectors off (Guy Harris)
   7. Re: Sniffing on HP Token Ring cards (Guy Harris)
   8. problem with reading AIX iptrace file (apparently giop creates a problem) (Porky Pig)
   9. Re: problem with reading AIX iptrace file (apparently giop creates a problem) (Guy Harris)
  10. Ethereal question (David Labanda)
  11. beaconing packet (Peter Rennert)
  12. Ethereal Does not load (Rodney Womack)

--__--__--

Message: 1
To: ethereal-users@xxxxxxxxxxxx
From: jeanne_gaskill@xxxxxxxxxxxxxx
Date: Tue, 6 Nov 2001 11:09:10 -0800
Subject: [Ethereal-users] New User - Capture filter question

I have not been able to make sense of the TCPDump man page and have never 
worked with TCPDump before.  Please help with a couple of questions to get 
me started.  I think I'll be able to make sense of the man page after 
that.

Q1:  If I wanted to apply a capture filter so that I could capture say 
three different types of packets, what would the exact syntax be.  For 
arguments sake, let's say I want to capture TCP, AARP and DNS packets.

Q2:  If I wanted to view only traffic to or from a particular IP address 
and only see packets of the same three types I mentioned above, what would 
the exact syntax be.

Thanks in advance for this info.

Jeanne



--__--__--

Message: 2
To: ethereal-users@xxxxxxxxxxxx
From: jeanne_gaskill@xxxxxxxxxxxxxx
Date: Tue, 6 Nov 2001 11:20:28 -0800
Subject: [Ethereal-users] Information on Internet packet monitoring/analysis

Hi,

I work with Sniffer Pro and Microsoft Network Monitor sniffs.  I am also 
beginning to use Ethereal as well.  I think I like it a lot better than 
Microsoft Network Monitor, but I am still experimenting.

Does anyone know of any books or internet sites that have good information 
on monitoring/analyzing internet traffic.  I can find lots of things on 
network (Lan/Wan) monitoring and analysis, but very little on 
monitoring/analyzing internet traffic.  I am definitely applying a number 
of things I am finding at this level to my work.  But the network 
monitoring/analysis resources that I can find do not seem to directly 
address a number of the types of issues that I am working with.  I am 
especially looking for things on what various anomalous patterns mean 
(i.e. many multiple acks to the same packet, abnormally large #s of 
resets, other unusual patterns, ...), information on using sniffer traces 
for latency analysis, and just general troubleshooting hints for analyzing 
breakdowns or slowdowns in communication between internet sites.  This 
would be very useful information which I could compare against and/or 
incorporate into the procedures we are already using/developing on our 
own.

Thanks in advance for any leads anyone can provide.

Jeanne



--__--__--

Message: 3
From: Guy Harris <guy@xxxxxxxxxx>
Subject: Re: [Ethereal-users] New User - Capture filter question
To: jeanne_gaskill@xxxxxxxxxxxxxx
Date: Tue, 6 Nov 2001 11:52:04 -0800 (PST)
Cc: ethereal-users@xxxxxxxxxxxx

> Q1:  If I wanted to apply a capture filter so that I could capture say 
> three different types of packets, what would the exact syntax be.  For 
> arguments sake, let's say I want to capture TCP, AARP and DNS packets.

It would be

	tcp or aarp or port domain

(the third of those selects DNS packets on port 53, assuming that the OS
you're using will translate "domain" to 53 in its "getservbyname()"
call; that should be true of most if not all modern UNIXes, and appears
to be true on my Windows 2000 machine, at least).

> Q2:  If I wanted to view only traffic to or from a particular IP address 
> and only see packets of the same three types I mentioned above, what would
> the exact syntax be.

	host 208.66.74.60 and (tcp or aarp or port domain)


--__--__--

Message: 4
Subject: RE: [Ethereal-users] tethereal - turning dissectors off
Date: Tue, 6 Nov 2001 12:16:46 -0800
From: "David Erickson" <derickson@xxxxxxx>
To: "Guy Harris" <guy@xxxxxxxxxx>
Cc: <ethereal-users@xxxxxxxxxxxx>

Is there a way to achieve the desired result by modifying the make file
or removing files from the source repository and building tethereal
without the unwanted sub-dissectors?

i.e. is tethereal built in such a way that subdissectors can be cleanly
and simply removed?

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Friday, November 02, 2001 2:51 PM
To: David Erickson
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] tethereal - turning dissectors off


> Is there a way to run tethereal with specified protocol dissectors
> turned off?

No.  Nobody's written code to do that yet.


--__--__--

Message: 5
From: Guy Harris <guy@xxxxxxxxxx>
Subject: Re: [Ethereal-users] question about CLNP
To: "García, Federico" <fedgarcia@xxxxxxxxxxxx>
Date: Tue, 6 Nov 2001 12:20:27 -0800 (PST)
Cc: ethereal-users@xxxxxxxxxxxx

> I don't understand why Ethereal works with CLNP (ISO-8473) but I can't
> find anything about filtering this with Windump/Winpcap.

The reason why you can't find anything in the documentation is because
the man page on the WinDump site hasn't yet been updated to the tcpdump
3.6.2 man page, even though the current version of WinDump is 3.6.2,
based on tcpdump 3.6.2.

Note, however, that the current version of WinPcap is still 2.2, based
on libpcap 0.5.  The documentation for the filter expressions handled by
libpcap/WinPcap is in the tcpdump/WinDump man page, not the
libpcap/WinPcap man page.  This means that if they were to update the
man page, it would not match what the current version of WinPcap can do,
so perhaps it's OK that they haven't updated it.

Note that WinPcap and Ethereal are separate projects, as are WinDump and
Ethereal, so Ethereal may be able to work with protocols that WinPcap
can't, and *vice versa*.  ("Work with" in the sense of "analyze".)

Given that WinPcap is a library that WinDump and Ethereal (and Analyzer,
and so on) use to capture packets, and is a separate project from
WinDump and from Ethereal and from Analyzer and so on, it's also
possible that WinPcap or Ethereal or Analyzer or... may be able to
analyze protocols that WinPcap can't filter.

> I thought that Ethereal uses that in a lower level.

Yes, Ethereal uses libpcap on UNIX, and WinPcap (which is a driver and
low-level library for Windows, and a port of libpcap atop that driver
and library) on Windows, to do packet capture.

However, it does *not* use them to do dissection, so it's perfectly
possible for a version of libpcap or WinPcap that knows nothing about
filtering CLNP packets to be used by Ethereal without that preventing
Ethereal from being able to dissect those packets.

In addition, libpcap/WinPcap doesn't have to know about a protocol in
order to capture packets of that protocol type; it just has to know
about it in order to implement *packet filters* that check for that
protocol type.

(The next release of WinPcap will probably be able to handle CLNP, at
least to the point that you can say

	iso protocol clnp

or just

	clnp

in a WinPcap filter expression, and that WinDump will be able to dissect
CLNP packets to some degree; WinPcap 2.3 beta is based on libpcap 0.6.2,
which supports that.

The current release of WinDump is 3.6.2, which should already be able to
dissect CLNP packets to some degree.

Note that this means that WinDump 3.6.2 works with CLNP but, if you have
WinPcap 2.2, rather than the beta version of WinPcap 2.3, installed, it

> I wrote that because I need to capture packets with C++ and I already
> have the Windump source available in internet.

See "print-isoclns.c" for the code that prints CLNP packets in WinDump.


--__--__--

Message: 6
From: Guy Harris <guy@xxxxxxxxxx>
Subject: Re: [Ethereal-users] tethereal - turning dissectors off
To: David Erickson <derickson@xxxxxxx>
Date: Tue, 6 Nov 2001 12:21:50 -0800 (PST)
Cc: Guy Harris <guy@xxxxxxxxxx>, ethereal-users@xxxxxxxxxxxx

> Is there a way to achieve the desired result by modifying the make file
> or removing files from the source repository and building tethereal
> without the unwanted sub-dissectors?

You may have to remove the "register.c" file first, but it *might* work
if you do that.


--__--__--

Message: 7
From: Guy Harris <guy@xxxxxxxxxx>
Subject: Re: [Ethereal-users] Sniffing on HP Token Ring cards
To: jason.scott@xxxxxxxxxxx
Date: Tue, 6 Nov 2001 16:16:49 -0800 (PST)
Cc: ethereal-users@xxxxxxxxxxxx

> Is it possible to sniff either of the following token-ring cards on a
> d-class hp-ux version 11 server.

I asked somebody I know at HP about this; his reply:

	> None of the "product information" pages say anything about
	> promiscuous mode or DLPI support on the J2166A card.
	> 

	> I couldn't find any obvious product information page about the
	> MDG0002 EISA card ...

	the EISA card is probably off the HP CLP.

	> Is it possible to sniff either of the following token-ring cards on a
	> d-class hp-ux version 11 server.
	> 
	> 1) .Class     I  H/W Path  Driver      S/W State H/W Type  Description
	> ===================================================================
	> lan       0  10/4/8    token2      CLAIMED   INTERFACE HP J2166A - 802.5 Token Ring

	um, as near as I can tell a J2166A is an HP-PB card.  There are
	no HP-PB slots in a D Class, only EISA and HSC, so the ioscan
	info above is not from a D Class.

	I'd be surprised if the HP-PB TR card supported promiscuous
	mode.  I found what purports to be a Product Support Plan and it
	makes no mention of support for promiscuous mode in the EISA or
	HP-PB cards.

	Certainly that would imply that DL_PROMISC_PHYS is out.  Whether
	or not the driver provides DL_PROMISC_SAP I do not know.

(I assume "off the HP CLP" is equivalent to "so old that we don't even
bother keeping information about it on the Web site".)

Without DL_PROMISC_PHYS, you will not be able to sniff in promiscuous
mode; you will only be able to see traffic that the machine running
Ethereal (or tcpdump, or any other sniffer) receives and possibly
traffic it sends as well (depending on whether the driver wraps sent
traffic back when not in promiscuous mode; if it doesn't, you won't be
able to see traffic the machine sends).

This means that if you use tcpdump or Tethereal, you will have to run
them with the "-p" flag, to turn promiscuous mode off, and if you use
Ethereal, you will have to disable promiscuous mode in the "Capture
Preferences" dialog box, if you want to sniff at all.

Without DL_PROMISC_SAP - which is a function of the driver, *not* of the
hardware - you will not even be able to sniff traffic to and from the
machine.  If the driver doesn't support DL_PROMISC_SAP, tcpdump and
Tethereal won't even work with the "-p" flag, and Ethereal won't even
work if you disable promiscuous mode in the "Capture Preferences" dialog
box.

NOTE: if capturing doesn't work even with promiscuous mode turned off,
that does not *ipso facto* mean that this is because DL_PROMISC_SAP
isn't supported; the error message might indicate whether that was the
problem or not, so we'd have to see the error message in order to
determine that (and even that might not indicate whether that's the
problem).


--__--__--

Message: 8
Date: Tue, 6 Nov 2001 18:41:33 -0800
From: "Porky Pig" <porky_pig_jr@xxxxxxxxxxx>
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] problem with reading AIX iptrace file (apparently giop creates a problem)

Hello,

this is my first attempt to use ethereal. The major reason is that I have to
convert the capture traces taken on AIX to something Sniffer can understand.
TCPDUMP on AIX is broken, so we use IPTRACE.

Ethereal is installed on solaris 8, I've put the latest version (20), but
the same results are with prior version, (19).

The first IPTRACE file - no problems. I read it into Ethereal, and saved as
SNOOP, NGSNIFFER, whatever. No problems.

The second IPTRACE file - various problems. It has GIOP packets which
apparently Ethereal has some problems with. As I read the file in, I get
several messages:

WARNING  giop: We don't yet dissect LOCATION_FORWARD

It does read the file, but I can't convert it into anything. Except save
under the different name, but only as another IPTRACE file (with this file,
a pull-down menu shows only one option, IPTRACE 2.0. Now another problem.
I've thought of filtering out the offending packets (with GIOP), saving the
file as IPTRACE, reload it, and hopefully it would work. Alas, somehow
display filters with this file fail as well. I setup the filters, apply
them, file is reloaded, and it doesn't show the offending packets anymore,
but when I save it, somehow it saves everything. So I can't get rid of
offending packets. (I know I apply filters correctly, on a first file I've
tried the same filter type, and it worked just fine. I filter by IP
addresses rather than by protocol GIOP). 

So I'm stuck. And there is no other utilities I can use to convert IPTRACE
to non-AIX format. So Ethereal is my only hope. Any idea on what's wrong?

TIA.







--__--__--

Message: 9
From: Guy Harris <guy@xxxxxxxxxx>
Subject: Re: [Ethereal-users] problem with reading AIX iptrace file (apparently giop creates a problem)
To: Porky Pig <porky_pig_jr@xxxxxxxxxxx>
Date: Tue, 6 Nov 2001 18:53:00 -0800 (PST)
Cc: ethereal-users@xxxxxxxxxxxx

> The second IPTRACE file - various problems.  It has GIOP packets which
> apparently Ethereal has some problems with.  As I read the file in, I
> get several messages:
> 
> WARNING  giop: We don't yet dissect LOCATION_FORWARD
> 
> It does read the file, but I can't convert it into anything.  Except
> save under the different name, but only as another IPTRACE file (with
> this file, a pull-down menu shows only one option, IPTRACE 2.0.  Now
> another problem.  I've thought of filtering out the offending packets
> (with GIOP),

Those packets *aren't* what's causing your problem.

Ethereal's dissection function, and its capture file reading/writing
functions, are separate; when it writes out a capture file, it writes
out the raw packet data - whether there's something in the packet that
its dissection function can't handle is irrelevant.

(In fact, Ethereal comes with a program - editcap - which can also read
capture files in one format and write them in another; editcap does not
make *any* attempt whatsoever to dissect the contents of the packets.)

The most likely reasons why it only allows you to save the file as an
iptrace file are:

	1) the file has packets of more than one link-layer type -
	   iptrace's capture file format supports that, but other
	   capture file formats don't;

	2) the file has packets of only one link-layer type, but that's
	   a link-layer type not supported by the capture file format
	   you're trying to save as;

	3) the file has packets of only one link-layer type, and the
	   capture file format you're trying to save as supports it, but
	   Ethereal doesn't know how to write out a capture file in that
	   format with that link-layer type.

What link-layer types are in the second iptrace file?  Check all of the
packets - if, for example, some are Ethernet and some are token-ring,
you will probably not be able to save the file as anything other than an
iptrace file.  (Snoop and Sniffer, for example, can only handle one
link-layer type per file.)


--__--__--

Message: 10
From: "David Labanda" <dlabanda@xxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Date: Wed, 7 Nov 2001 11:37:47 +0100
Subject: [Ethereal-users] Ethereal question

Dear Sirs:

   At present our company is evaluating  the Ethereal.

  Would you be kind enough as to tell us how to install libcap?


   Looking forward to your response, yours faithfully,

   David Labanda.


--------------------------------------------------------------------------------

  David Labanda
  Network Engineer
  TCP SISTEMAS E INGENIERIA, S.L.

--------------------------------------------------------------------------------







--__--__--

Message: 11
From: "Peter Rennert" <prennert@xxxxxxxxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Date: Wed, 7 Nov 2001 13:04:30 +0100
Subject: [Ethereal-users] beaconing packet

hello,

we search for a beaconing error occurred in a token-ring network.
can ethereal grep the beaconing packet??
if yes.... who did it displayed??
thanx peter

Kind regards

Peter Rennert

Rennert GmbH
Administration & Netzwerk-Support
Neckaraue 19
71686 Remseck

Tel. 07146 / 880399
Fax  07146 / 880398
http://www.rennertgmbh.de



--__--__--

Message: 12
Date: Wed, 07 Nov 2001 07:28:35 -0500
To: ethereal-users@xxxxxxxxxxxx
From: Rodney Womack <rcwomack@xxxxxxxxxxxx>
Subject: [Ethereal-users] Ethereal Does not load

I have installed Ethereal and started it on my Windows 2000 machine but 
nothing happens. It shows no activity whatsoever. Is there something else 
that is needed to get it started. I have read the FAQ and the Ethereal 
website trying to figure out what I might be doing wrong. Any assistance 
would be greatly appreciated.

Thanks in advance,

Rodney 




--__--__--
