Great Circle Associates Firewalls
(February 1996)
 


Subject: Re: dos sniffers?
From: "Joseph L. Moll" <jmoll @ acquion . com>
Date: Mon, 26 Feb 1996 12:30:36 -0500
To: firewalls @ greatcircle . com

At 08:40 AM 2/26/96 -0600, Peter da Silva wrote:
>> Mine's v3.11A.  When I inquired about upgrades, Novell disavowed any
>> knowledge of it, although it prints Novell copyright statements.  It
>> understands IP only in a brain-dead sort of way:  it direct maps MAC
>> to IP on the current segment.  Unless all the traffic you're analyzing
>> originates on the same subnet, this creates the bizarre appearance that
>> much of it originated at the last router hop.  You can decode the
>> packets and read the IP addresses yourself, but IMNSHO that should be
>> serviced by the software directly.
>
>Ah! Light dawns! OK, that may be the case. I haven't been in a position
>where I wanted to use it to analyze WAN traffic. After all, it *is* a "LAN"
>analyzer. OK, OK, that's quibbling, but it hadn't occurred to me to try
>using it beyond the subnet. Good point.
>

But that is how the traffic is actually on the network.  The MAC address of
the IP packet will get the MAC address of the router from which it was
received if the source IP network is on the other side of the router.

I have an Excelan LANalyzer as well; I have not seen these limitations.  As I
recall the version that I am running shows the IP addresses directly on the
summary screen without having to decode the packet.  Decoding the packet
shows which IP protocol, i.e. UDP, TCP, ICMP... and of course the data in
the datagram...

Maybe I'm running an older version than yours.  Since Novell really does not
like IP (they would have everyone believe that IPX is the only network
protocol, even though it's really only XNS in disguise :), they may have
stripped it in some way.  I think that the software version that I am
running is about 2 to 3 years old.

I also have access to a Network General Sniffer (with the FDDI support).  I
find that the older LANalyzer is still a little more useful to me.

Regards,
---
Joseph (Joe) L. Moll  mailto:jmoll @ acquion . com
Network/Communications Engineering
http://www.acquion.com  phone:864-281-4108  fax:864-281-4576
Acquion, Inc.  Greenville, SC  USA -- Specialists in Electronic Commerce
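
The point made in this message, that a routed packet arrives carrying the router's MAC address while its IP header still names the true origin, shown as an added example that is not part of the original post. The frames, the locally administered MAC addresses and the documentation-range IP addresses are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter, defaultdict

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Constructed addresses: locally administered MACs, documentation IP ranges.
ROUTER, LOCAL, MONITOR = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto):
    """Constructed sample: Ethernet II + bare 20-byte IPv4 header (checksum left 0)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + struct.pack("!H", 0x0800)
    pack_ip = lambda a: bytes(map(int, a.split(".")))
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                             pack_ip(src_ip), pack_ip(dst_ip))

def parse_frame(frame):
    """Return (src_mac, src_ip, protocol) or None if not a complete IPv4 frame."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 header
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in src)
    src_ip = ".".join(str(b) for b in frame[26:30])   # IPv4 source address field
    return src_mac, src_ip, PROTO.get(frame[23], str(frame[23]))

def talkers(frames):
    """Count frames per source MAC and per source IP; map each MAC to its IPs."""
    by_mac, by_ip, ips_per_mac = Counter(), Counter(), defaultdict(set)
    for parsed in filter(None, map(parse_frame, frames)):
        src_mac, src_ip, _ = parsed
        by_mac[src_mac] += 1
        by_ip[src_ip] += 1
        ips_per_mac[src_mac].add(src_ip)
    return by_mac, by_ip, ips_per_mac

def likely_routers(ips_per_mac):
    """A MAC that sources several IPs is forwarding for them, not originating."""
    return sorted(m for m, ips in ips_per_mac.items() if len(ips) > 1)

# Constructed capture: one on-segment host, two off-subnet hosts seen via the router.
FRAMES = [
    build_frame(MONITOR, LOCAL, "192.0.2.10", "192.0.2.20", 6),
    build_frame(MONITOR, ROUTER, "198.51.100.7", "192.0.2.20", 6),
    build_frame(MONITOR, ROUTER, "198.51.100.7", "192.0.2.20", 17),
    build_frame(MONITOR, ROUTER, "203.0.113.9", "192.0.2.20", 1),
]

if __name__ == "__main__":
    by_mac, by_ip, ips_per_mac = talkers(FRAMES)
    print(dict(by_mac), dict(by_ip), likely_routers(ips_per_mac))
```

Attributing traffic by source MAC credits three of the four frames to the router, while attributing by the IP header separates the two remote hosts.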

