Ethereal-users: Re: [Ethereal-users] Strange things happen with tethereal -w option (V 0.94) on

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Tino" <tinngo@xxxxxxxxxxx>
Date: Thu, 4 Jul 2002 09:43:36 +1000
1) Thanks for mentioning it but I am aware that "test.txt" is not a text file.
2) "not" meant as follows: the file size is zero during capture and after CTRL-C even when an RST was generated.
3) One thing though, when it was working capturing to the file without the "tcp.flags.reset eq 1", I could see the file test.txt grow in size during capturing (not having to press CTRL-C to write to the file). Not sure why though.
4) A quick test on 0.95 seemed to have fixed the problem. I need to wait however till the problem occurs, press CTRL-C and hope to see it in the capture file.
5) I meant to sit down and learn UNIX to convert the filter to TCPDUMP format capture filter. Thanks for your help with the conversion.

Cheers - Tino

----- Original Message -----
From: "Guy Harris" <guy@xxxxxxxxxx>
To: "Tino" <tinngo@xxxxxxxxxxx>
Cc: "Ethereal" <ethereal-users@xxxxxxxxxxxx>
Sent: Thursday, July 04, 2002 9:15 AM
Subject: Re: [Ethereal-users] Strange things happen with tethereal -w option (V 0.94) on Win2k


> On Thu, Jul 04, 2002 at 08:52:54AM +1000, Tino wrote:
> > The following ***works*** for sending output to the console (without the -w
> > option) or to the file test.txt with the -w option.
> > tethereal -n -t ad -i \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> > 203.13.133.164 or ip.src eq 203.13.133.165)" -w d:\test.txt
>
> You're aware that "test.txt" will *NOT* be a text file, right?  Instead,
> it'll be a libpcap file that could be read by tcpdump or Ethereal or
> Tethereal or....
>
> > however, the following only works for sending the output to the console, but
> > not to the file test.txt with the -w option.
> > tethereal -n -t ad -i \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> > 203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
> > tcp.flags.reset eq 1" -w d:\test.txt
>
> What does "not" mean there?  Does it not write any packets, even if an
> RST is generated?
>
> Note that 0.9.4 (and earlier versions) had a bug, when capturing to a
> file (with "-w") and using a read filter (with "-R"), where the packet
> counter would be incremented for any packet that arrived, regardless of
> whether the packet actually passed the read filter and got written to
> the capture file or not.
>
> So if you saw a non-zero packet count when doing a "-w" capture with a
> read filter, that didn't guarantee that if you interrupted Tethereal
> there would actually be packets in the capture file.
>
> Furthermore, there was another bug in 0.9.4 (and some earlier versions)
> where Tethereal, on Windows, would crash if you tried to interrupt it
> with ^C.
>
> Both of those bugs should be fixed in 0.9.5; if the problem is that you
> run
>
> tethereal -n -t ad -i
> \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> 203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
> tcp.flags.reset eq 1" -w d:\test.txt
>
> and it showed a non-zero packet count, but you interrupted it and there
> weren't any packets in the capture, try installing 0.9.5 and running
> that.
>
> Note also that, although the syntax isn't as convenient, capture filters
> are more efficient than read filters - especially on platforms,
> including Windows, where the filtering is done in the OS kernel.  The
> equivalent capture filter would be
>
> (host 203.13.133.164 or host 203.13.133.165) and tcp src port 80
>     and tcp[13] & 0x02 != 0
>
> That should work even with 0.9.4.
>
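An added example, not part of this thread: a Python model of the capture-filter expression Guy gives (host A or host B, tcp src port 80, tcp[13] & mask != 0), run over constructed IPv4/TCP packets. It shows that tcp[13] is the TCP flags byte counted from the start of the TCP header, so the IP header length (IHL) has to be honoured when IP options are present. The flag bit values (FIN=0x01, SYN=0x02, RST=0x04) are those of RFC 793, so the mask that corresponds to the display filter "tcp.flags.reset eq 1" is 0x04; the HOSTS set, the build_packet helper and all sample packets are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits in the flags byte (tcp[13]) per RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The two source hosts from the filter in the thread (constructed set for this example).
HOSTS = {"203.13.133.164", "203.13.133.165"}

def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, src_port, flags) for a raw IPv4/TCP packet without link layer, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IP header length in bytes; options make it > 20
    if frame[9] != 6 or len(frame) < ihl + 14:   # protocol 6 = TCP; need the flags byte
        return None
    src_ip = str(IPv4Address(frame[12:16]))
    tcp = frame[ihl:]                    # TCP header starts right after the IP header
    src_port = struct.unpack("!H", tcp[0:2])[0]
    flags = tcp[13]                      # this is the byte "tcp[13]" in the capture filter
    return src_ip, src_port, flags

def matches(frame: bytes, mask: int) -> bool:
    """Model of: (host A or host B) and tcp src port 80 and tcp[13] & mask != 0."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return False
    src_ip, src_port, flags = parsed
    return src_ip in HOSTS and src_port == 80 and (flags & mask) != 0

def build_packet(src_ip: str, src_port: int, flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (plus optional options, a multiple of 4 bytes)
    followed by a 20-byte TCP header. Checksums are left at zero; this is a filter model only."""
    ihl_words = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x40 | ihl_words, 0, 40 + len(ip_options), 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address("10.0.0.1").packed) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, 40000, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip_hdr + tcp_hdr
```

Running matches() with mask RST (0x04) against a constructed RST/ACK from port 80 on one of the two hosts returns True, while mask SYN (0x02) returns False for the same packet; a packet carrying IP options still matches because the flags byte is located via the IHL field.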