Ethereal-users: Re: [Ethereal-users] how to get tethereal to stop naming protocols and leaving
Here's an example of tethereal -n vs windump -n on 5 entries from the same log
(that was collected with tcpdump).
Please note how tethereal does not put the source or destination port out
numerically, e.g.:
a.b.c.7 -> a.b.c.255
whereas windump does:
2:19:51.847809 a.b.c.7.138 > a.b.c.255.138:
                       ^^^             ^^^
                    src port        dest port
So what if a program was sending probes to 138 from the unusual port 53456? Would
it get labeled as NBDS or what, I wonder? In a lot of circumstances someone would
want to see the source port. Also, it would be really super if the protocol, e.g.
UDP or TCP or ICMP, were explicitly stated. Tethereal is not necessarily stating
the protocol. It can probably be inferred if one knows the translation table
it's using, but ... Windump labels the protocol maybe a little more clearly, but still
buries it in a lot of verbiage. They are both great programs, but it would be
ever so nice if they had options to put out the data in a more program-friendly
manner. The fact that tethereal can retrieve the date is a big plus over
tcpdump. Now if it was just a little more configurable...
tethereal -n -r mylog.log *****************************************
1 2001-11-14 12:19:51.8478 a.b.c.7 -> a.b.c.255 NBDS Direct_group
datagram[Short Frame]
3 2001-11-14 12:25:14.6755 a.b.c.6 -> a.b.c.255 NBNS Name query NB TRASH
<20>
7 2001-11-14 12:25:14.6762 a.b.c.6 -> a.b.c.165 TCP 1059 > 139 [SYN]
Seq=3604716611 Ack=0 Win=16384 Len=0
10 2001-11-14 12:25:14.6776 a.b.c.6 -> a.b.c.165 NBSS Session request[Short Frame]
12 2001-11-14 12:25:14.6780 a.b.c.6 -> a.b.c.165 SMB SMBnegprot Request
windump -n -r mylog.log ******************************************
12:19:51.847809 a.b.c.7.138 > a.b.c.255.138:
>>> NBT UDP PACKET(138) Res=0x1102 ID=0xC IP=a (0x0).b (0x8).c (0x3).7 (0x7)
Port=138 (0x8a) Length=200 (0xc8) Res2=0x0
SourceName=GARBAGE NameType=0x00 (Workstation)
DestName=SC NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)
12:25:14.675536 a.b.c.6.137 > a.b.c.255.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:25:14.676276 a.b.c.6.1059 > a.b.c.165.139: S 3604716611:3604716611(0) win
16384 <mss 1460,nop,nop,sackOK> (DF)
12:25:14.677620 a.b.c.6.1059 > a.b.c.165.139: P 1:73(72) ack 1 win 17520
>>> NBT Packet
NBT Session Request
Flags=0x81000044
Destination=TRASH NameType=0x20 (Server)
Source=W NameType=0x00 (Workstation)
(DF)
12:25:14.678031 a.b.c.6.1059 > a.b.c.165.139: P 73:210(137) ack 5 win 17516
>>> NBT Packet
NBT Session Packet
Flags=0x0
Length=133 (0x85)
SMB PACKET: SMBnegprot (REQUEST)
(DF)
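As an added illustration (not part of the original post or of either tool), the script below pulls the numeric source/destination ports out of the windump -n summary lines shown above and applies the check the post wonders about: a datagram aimed at the NetBIOS ports 137/138 whose source port does not match. The input is the post's four summary lines plus one constructed line (host a.b.c.9, source port 53456) standing in for the hypothetical probe.

```python
import re

# Constructed sample: the windump -n summary lines from the post, plus one
# constructed line (a.b.c.9, source port 53456) modelling the probe the post asks about.
WINDUMP_LINES = """\
12:19:51.847809 a.b.c.7.138 > a.b.c.255.138:
12:25:14.675536 a.b.c.6.137 > a.b.c.255.137:
12:25:14.676276 a.b.c.6.1059 > a.b.c.165.139: S 3604716611:3604716611(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:25:14.677620 a.b.c.6.1059 > a.b.c.165.139: P 1:73(72) ack 1 win 17520
12:30:00.000000 a.b.c.9.53456 > a.b.c.255.138:
"""

# windump -n joins host and port with a dot: "<host>.<port> > <host>.<port>:".
# The port is the last dotted component, so the regex backtracks to split there.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):(?P<rest>.*)$"
)


def parse_windump(line):
    """Return timestamp, endpoints, numeric ports and a protocol guess for one summary line, or None."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    # TCP summaries carry "win"/"ack" fields after the colon; the NBT datagram and
    # name-service lines (ports 137/138) carry nothing there. This is only a
    # heuristic on the summary line, not a read of the IP protocol field.
    proto = "TCP" if re.search(r"\b(win|ack)\b", m.group("rest")) else "non-TCP"
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "proto": proto}


def flag_odd_nbt_sources(lines):
    """Records sent to the NetBIOS name/datagram ports (137/138) from a non-matching source port."""
    flagged = []
    for rec in filter(None, map(parse_windump, lines)):
        if rec["dport"] in (137, 138) and rec["sport"] != rec["dport"]:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in flag_odd_nbt_sources(WINDUMP_LINES.splitlines()):
        print(f'{rec["ts"]} {rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]} ({rec["proto"]})')
```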