Ethereal-users: Re: [Ethereal-users] [Fwd: Ethereal statistics reporting]

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 00:35:19 +1000
all packets that contain an IP header (which ethereal detects) will
end up in the ip tab regardless of what options or upper layer
protocols are used.
if you use IP over IP tunnelling the packet will occur in the tab
twice, once for each ip header.
EVERYTHING containig an ip header will show up there regardless of
which protocol transports IP.
I.e. every single ip header in the trace will show up there.

This also means that ICMP packets will show up twice there since they
contain 2 IP headers :
Ethernet
IP 1
ICMP
IP 2
...

will make BOTH IP 1 and IP 2 show up.   This is a feature not a bug.


TCP:
Every TCP header that ethereal recognize will show up there 
regardless of how the header is shifted in the frame.   Ethereal does
not use offsets into frames for calculations as some other primitive
analyzers does.

TCP packets will show up in the tab regardless of what IP and what IP
options are used, even regardless of which transport is used,
i.e. every single tcp header will show up there regardless of what packet it is.
TCP over IP over Ethernet,   TCP over AH over IP over ATM, TCP over IP
over PPPoE , ...

every single TCP header that ethereal can recognize will show up.

==> if you can see the TCP layer inside the middle/decode pane, then
the TCP will show up in the tab.

IF there are more than one TCP header in the trace TCP will show up
multiple times in the TAB :
ATM
PPPoA
IP
TCP 1
<some tunneling protocol>
IP
TCP 2

will add BOTH  TCP1 and TCP2 to the tab.   This is a feature not a bug.


I assume from your question about the TCP header being shifted when
you use IP-options and whether ethereal will still find the TCP header
you use some primitive analyzer that does silly thingsa like looking
at a specific offset into the frame and fails whenever the offset
changes.
Ethereal does not have that design flaw or brokenness.



On 6/16/05, Alex <alexle4@xxxxxxxxxxx> wrote:
> Hi,
> I am looking for a response, please.
> 
> Have to know what packets go to what bucket. How a decision is made
> which packets go where?
> 
> When stats (conversations) are ran what packets end up on the IP tab?
> Are IP - ESP packets counted to this tab?  What if  there is TCP below
> ESP  - where these packets end up?
> 
> Appreciate your help very much !!
> 
> -Alex
> 
> 
> 
> ---------- Forwarded message ----------
> From: Alex <alexle4@xxxxxxxxxxx>
> To: ethereal-users@xxxxxxxxxxxx
> Date: Tue, 14 Jun 2005 11:23:51 -0700
> Subject: Ethereal statistics reporting
> Hi,
> Sorry if am asking a question, which is in the docs, but I did not find.
> 
> Suppose I am capturing a traffic mix - clear text and IPSec with ESP (no
> encryption), but TCP header is shifted back.
> 
> How TCP statistics are reported in this case?
> 
> Manual says: *"TCP* a TCP endpoint is a combination of the IP address
> and the TCP port used, so different TCP ports on the same IP address are
> different TCP endpoints."
> 
> My guess is that Ethereal does not see ports and cannot not recognize
> TCP as TCP.  It reads it as ESP....but actually it is a TCP packet.
> 
> Basically the bigger question is "what to trust" and "what not to trust"
> on stats?  What stats screen is actually shows? I am wondering if my ESP
> traffic even counted...
> 
> Thanks much,
> -Alex
> 
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> 
>