Frequently Asked Questions




The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. 

My capture filter or display filter that uses multiple ands or ors doesn’t work the way I intended it to work.


2. 

I’m using contains to look for a certain string that I know should be there, but Ethereal can’t find it.


3. 

I want to find all packets that do not have an IP address of 1.2.3.4. Why does ip.addr != 1.2.3.4 show all packets instead of limiting the packets to what I want?


4. 

The filters that I enter in the Capture Filter or Display Filter windows aren’t there when I quit Ethereal and start Ethereal again.


5. 

My filter can be expressed very easily in both the capture filter and display filter languages. Which should I choose?


6. 

Ethereal comes with a manual for its display filter language. Where’s the manual for the capture filter language?


Answers

1. 

The precedence of the operations may not be what you’re expecting it to be. This means that the parts of your filter are being run in an order that you didn’t expect. Use parentheses to group the parts properly.

2. 

Look closely at the hex-dump when you have the field that you’re interested in selected; the encoding of the string may be Unicode or EBCDIC, which won’t work with the contains operator. Only ASCII strings are currently compatible with contains.

3. 

The ip.addr field occurs more than once in a packet. Your display filter is running correctly; it shows you all packets that have at least one ip.addr that is not equal to 1.2.3.4. You want not ip.addr == 1.2.3.4.

4. 

Don’t forget to click the Save button in those windows. The OK button merely saves the changes to the filters in memory; the Save button saves them to disk.

5. 

If your network has very little traffic on it, then it’s easier not to supply a capture filter and use only display filters. But if you have a lot of traffic on the network, especially extraneous traffic, and you’re sure that your filter will provide all the packets that you need to look at to solve your problem, then use a capture filter. If you’re not sure where to find the clues that will help you solve your problem, capture everything and use a display filter to look for packets that might help you.

6. 

It’s provided by the tcpdump manual page. It’s also on-line at www.tcpdump.org/tcpdump_man.html.
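The following Python model, added here as an illustration and not taken from the book or from Ethereal's own source, shows the behaviour behind answers 1, 2 and 3: how a comparison on a field that occurs twice in a packet (ip.addr holds both source and destination) is evaluated, why "ip.addr != 1.2.3.4" therefore matches almost everything while "not ip.addr == 1.2.3.4" does not, how "and"/"or" precedence changes what a filter selects, and why "contains" with an ASCII string misses the same text stored as UTF-16. The packets and payloads are constructed sample data; the evaluation rules are the "true if any occurrence matches" semantics described in answer 3.

```python
# Added example (not from the book): a small model of Ethereal display-filter
# semantics for multi-occurrence fields, and/or precedence, and `contains`.
from typing import Callable, Dict, List

Packet = Dict[str, List[str]]

# Constructed packets: each field maps to every value it takes in that packet.
# ip.addr appears twice (source, destination); frame 4 has both equal on purpose.
PACKETS: List[Packet] = [
    {"frame": ["1"], "ip.addr": ["1.2.3.4", "5.6.7.8"], "tcp.port": ["80", "51000"]},
    {"frame": ["2"], "ip.addr": ["9.9.9.9", "8.8.8.8"], "udp.port": ["53", "40000"]},
    {"frame": ["3"], "ip.addr": ["5.6.7.8", "1.2.3.4"], "tcp.port": ["443", "52000"]},
    {"frame": ["4"], "ip.addr": ["1.2.3.4", "1.2.3.4"], "tcp.port": ["80", "53000"]},
]


def field_eq(pkt: Packet, name: str, value: str) -> bool:
    """`name == value`: true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt.get(name, []))


def field_ne(pkt: Packet, name: str, value: str) -> bool:
    """`name != value`: true if ANY occurrence of the field differs from value.
    This is the rule that makes `ip.addr != 1.2.3.4` match nearly every packet."""
    return any(v != value for v in pkt.get(name, []))


def frames_matching(pred: Callable[[Packet], bool]) -> List[str]:
    """Apply a filter predicate to every packet; return the matching frame numbers."""
    return [p["frame"][0] for p in PACKETS if pred(p)]


def filter_addr_ne() -> List[str]:
    """ip.addr != 1.2.3.4 -- only a packet whose addresses are ALL 1.2.3.4 is dropped."""
    return frames_matching(lambda p: field_ne(p, "ip.addr", "1.2.3.4"))


def filter_not_addr_eq() -> List[str]:
    """not ip.addr == 1.2.3.4 -- drops every packet that has 1.2.3.4 anywhere."""
    return frames_matching(lambda p: not field_eq(p, "ip.addr", "1.2.3.4"))


# Precedence: `and` binds tighter than `or`, so without parentheses
#   ip.addr == 1.2.3.4 and tcp.port == 80 or udp.port == 53
# is read as (A and B) or C.  Python's own and/or follow the same rule.
def _a(p: Packet) -> bool:
    return field_eq(p, "ip.addr", "1.2.3.4")


def _b(p: Packet) -> bool:
    return field_eq(p, "tcp.port", "80")


def _c(p: Packet) -> bool:
    return field_eq(p, "udp.port", "53")


def filter_ungrouped() -> List[str]:
    """A and B or C, evaluated as (A and B) or C: the DNS packet sneaks in via C."""
    return frames_matching(lambda p: _a(p) and _b(p) or _c(p))


def filter_grouped() -> List[str]:
    """A and (B or C): parentheses force the intended grouping."""
    return frames_matching(lambda p: _a(p) and (_b(p) or _c(p)))


# `contains`: a plain byte-substring search for the ASCII encoding of the string.
def contains_ascii(payload: bytes, text: str) -> bool:
    return text.encode("ascii") in payload


def hexdump(data: bytes) -> str:
    """Space-separated hex, the view that reveals interleaved 00 bytes in UTF-16 text."""
    return " ".join(f"{b:02x}" for b in data)


# Constructed payloads carrying the same text in two encodings.
ASCII_PAYLOAD = b"GET /login?user=admin HTTP/1.0\r\n"
UTF16_PAYLOAD = "GET /login?user=admin HTTP/1.0\r\n".encode("utf-16-le")


if __name__ == "__main__":
    print("ip.addr != 1.2.3.4      ->", filter_addr_ne())
    print("not ip.addr == 1.2.3.4  ->", filter_not_addr_eq())
    print("A and B or C            ->", filter_ungrouped())
    print("A and (B or C)          ->", filter_grouped())
    print("contains 'admin' ASCII  ->", contains_ascii(ASCII_PAYLOAD, "admin"))
    print("contains 'admin' UTF-16 ->", contains_ascii(UTF16_PAYLOAD, "admin"))
    print("UTF-16 hex-dump prefix  ->", hexdump(UTF16_PAYLOAD[:8]))
```

Running the block prints the frame lists for each filter; the UTF-16 hex-dump prefix shows every ASCII byte followed by 00, which is the pattern to look for in the packet bytes pane when a string you expect is not found.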






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Authors: Syngress
