Ethereal-users: Re: [Ethereal-users] network matching in display filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Daniel Cohn" <daniel.cohn@xxxxxxxxxxxx>
Date: Tue, 7 Feb 2006 06:21:25 -0500

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of
ethereal-users-request@xxxxxxxxxxxx
Sent: Sunday, February 05, 2006 1:00 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: Ethereal-users Digest, Vol 34, Issue 7


Today's Topics:

   1. Ethereal does not capture all packets? (spammy)
   2. Re: Ethereal does not capture all packets? (Guy Harris)
   3. Ethereal (neonlineinc@xxxxxxx)
   4. Bug with display filter ip.addr?? (Ran.Shenhar@xxxxxxxxxxx)
   5. Re: Bug with display filter ip.addr?? (Ulf Lamping)
   6. network matching in display filter (Andreas Fink)
   7. help (yuthika punchihewa)


----------------------------------------------------------------------

Message: 1
Date: Sat, 4 Feb 2006 17:09:53 CET
From: "spammy" <spammail2@xxxxxxxxxx>
Subject: [Ethereal-users] Ethereal does not capture all packets?
To: <ethereal-users@xxxxxxxxxxxx>
Message-ID: <20060204160954.20070.qmail@xxxxxxxxxxxxxxxxx>
Content-Type: text/plain;	charset="iso-8859-2"




Hello!
 
Is it possible that Ethereal does not capture all packets? I am sure that
one of my clients generates TCP traffic as well, but Ethereal captures only
Browser Election Requests or ARP, NBNS or DHCP messages. And no TCP/IP
traffic. Why? Should I change some settings? The funny thing is that from other
clients it captures TCP/IP as well. Thank you!

Thomas



------------------------------

Message: 2
Date: Sat, 04 Feb 2006 12:57:06 -0800
From: Guy Harris <gharris@xxxxxxxxx>
Subject: Re: [Ethereal-users] Ethereal does not capture all packets?
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <43E51522.5030609@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

spammy wrote:

> Is it possible that Ethereal does not capture all packets? I am sure
> that one of my clients generates TCP traffic as well, but Ethereal captures
> only Browser Election Requests or ARP, NBNS or DHCP messages. And no
> TCP/IP traffic. Why? Should I change some settings? The funny thing is that
> from other clients it captures TCP/IP as well. Thank you!

How is the network configured?  Are the machines to and from which 
you're trying to capture traffic plugged into a switch?  Are you 
capturing on some machine other than the clients, or are you running it 
on one of the clients?



------------------------------

Message: 3
Date: Sat, 4 Feb 2006 15:22:57 -0500
From: <neonlineinc@xxxxxxx>
Subject: [Ethereal-users] Ethereal
To: <ethereal-users@xxxxxxxxxxxx>
Message-ID:
	<20060204202254.XJWN8318.centrmmtao04.cox.net@[172.18.53.8]>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

The newest version of Anti-Vir detects a trojan in the uninstall portion of
Ethereal. Is this a false positive or what is the skiz?

the trojan is TR/Drop.ZAEL

Thank you for your time, I am not sure how to retrieve any response given ..
or if it is simply automatically emailed back to me.



------------------------------

Message: 4
Date: Sun, 5 Feb 2006 11:00:53 +0200
From: Ran.Shenhar@xxxxxxxxxxx
Subject: [Ethereal-users] Bug with display filter ip.addr??
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID:
	<OF3F262F83.38FD19C9-ONC225710C.00312667-C225710C.003177ED@xxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII

Hi,
I've seen it on two WinXP machines running 0.10.14 - can someone please
verify if it's reproducible on other machines as well?

The problem - try to write a display filter "ip.addr ==" - after the second
equal sign, Ethereal hangs and needs to be killed...
I can work around that by building the filter like ip.addr x.x.x.x and then
moving back and inserting the = signs, but then when I want to change the
filter and delete the IP, I hit it again...

Anyone else seen it? How do I open a bug for it (that is - what info to
provide, etc)
TnX



------------------------------

Message: 5
Date: Sun, 05 Feb 2006 10:40:34 +0100
From: Ulf Lamping <ulf.lamping@xxxxxx>
Subject: Re: [Ethereal-users] Bug with display filter ip.addr??
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <43E5C812.30305@xxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ran.Shenhar@xxxxxxxxxxx wrote:
> Hi,
> I've seen it on two WinXP machines running 0.10.14 - can someone please
> verify if it's reproducible on other machines as well?
>
> The problem - try to write a display filter "ip.addr ==" - after the second
> equal sign, Ethereal hangs and needs to be killed...
>   
You could simply wait until name resolution is done, but that's just 
annoying.
> I can work around that by building the filter like ip.addr x.x.x.x and then
> moving back and inserting the = signs, but then when I want to change the
> filter and delete the IP, I hit it again...
>
> Anyone else seen it? How do I open a bug for it (that is - what info to
> provide, etc)
> TnX
>
>   
Known bug, see: http://bugs.ethereal.com/bugzilla/show_bug.cgi?id=658

Regards, ULFL

Andreas,

Try ip.addr>192.168.0.0 and ip.addr<192.168.0.255.

Regards,

Daniel

------------------------------

Message: 6
Date: Sun, 5 Feb 2006 10:52:02 +0100
From: Andreas Fink <andreas@xxxxxxxx>
Subject: [Ethereal-users] network matching in display filter
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
Message-ID: <022752BD-3475-41D6-A92B-35E6750E3E65@xxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; format=flowed

I'm looking for something like this as a display filter

ip.host=="192.168.0.0/24"

It's being accepted syntax-wise, but the filtering is not done that way.
Is there any other way of saying this?


Andreas Fink
Fink Consulting GmbH

---------------------------------------------------------------
Tel: +41-61-6666332 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  afink@xxxxxxxxxxxxxxxxxx
Homepage: http://www.finkconsulting.com
---------------------------------------------------------------

ICQ: 101946485 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
PGP9: 0714 DF2B A189 A760 6201  5CBD D040 3E71 4DAF 68BB




------------------------------

Message: 7
Date: Sun, 5 Feb 2006 05:18:12 -0800 (PST)
From: yuthika punchihewa <yuthikasgp@xxxxxxxxx>
Subject: [Ethereal-users] help
To: ethereal-users@xxxxxxxxxxxx
Message-ID: <20060205131812.82068.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Skipped content of type multipart/alternative

------------------------------

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users


End of Ethereal-users Digest, Vol 34, Issue 7
*********************************************

 
 
This mail passed through mail.alvarion.com
 
****************************************************************************
********
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer
viruses.
****************************************************************************
********
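
An added example, not part of the original thread: it models the range filter suggested in the reply next to a true 192.168.0.0/24 membership test (what a filter such as ip.addr == 192.168.0.0/24 expresses) and runs both over constructed packets. It assumes ip.addr is a multi-valued field (source and destination) and that each comparison is true when any value satisfies it; the function names and sample addresses are made up for illustration.

```python
import ipaddress
import operator

# Constructed (src, dst) pairs for illustration; not taken from any capture.
PACKETS = [
    ("192.168.0.10", "10.0.0.1"),      # host inside the /24
    ("10.0.0.1", "200.1.1.1"),         # neither address inside the /24
    ("192.168.1.7", "192.168.0.255"),  # destination is the /24 broadcast address
    ("8.8.8.8", "10.0.0.1"),           # unrelated traffic
]


def ip_addr_values(pkt):
    """ip.addr covers both the source and the destination address."""
    return [ipaddress.IPv4Address(a) for a in pkt]


def any_cmp(values, op, literal):
    """One comparison on a multi-valued field: true if ANY value satisfies it."""
    lit = ipaddress.IPv4Address(literal)
    return any(op(v, lit) for v in values)


def range_filter(pkt):
    """Model of: ip.addr>192.168.0.0 and ip.addr<192.168.0.255"""
    vals = ip_addr_values(pkt)
    # Each side is evaluated independently, so different addresses may satisfy each.
    return (any_cmp(vals, operator.gt, "192.168.0.0")
            and any_cmp(vals, operator.lt, "192.168.0.255"))


def cidr_filter(pkt, network="192.168.0.0/24"):
    """Subnet membership: true if source or destination lies inside the network."""
    net = ipaddress.ip_network(network)
    return any(v in net for v in ip_addr_values(pkt))


def compare(packets=PACKETS):
    """Return (packet, range_result, cidr_result) for each sample packet."""
    return [(p, range_filter(p), cidr_filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, by_range, by_cidr in compare():
        note = "" if by_range == by_cidr else "  <-- filters disagree"
        print(f"{pkt[0]:>15} -> {pkt[1]:<15} range={by_range!s:<5} cidr={by_cidr!s:<5}{note}")
```

The second packet passes the range filter although neither address is in the subnet, and the third is dropped because the strict inequalities exclude .0 and .255.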