The same packet will most likely appear several times, especially if it
passed the FW. FW monitor (until FW-1 NG FP3), would place 'fw monitor' in 4
locations:
1. Before the FW's virtual machine, inbound direction ('i')
2. After the FW's virtual machine, inbound direction ('I')
3. Before the FW's virtual machine, outbound direction ('o')
4. After the FW's virtual machine, outbound direction ('O').Therefore, a packet that was not manipulated (encrypted, NAT, etc.), and was accepted, will be seen multiple times. In FP3 and above, the ability to place the monitoring anywhere in the chain was added. HTH, Y. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Guy Harris Sent: Tuesday, December 10, 2002 2:21 AM To: Alfred Koebler Cc: [EMAIL PROTECTED] Subject: Re: [Ethereal-dev] FW1 monitor dissector patch for additional column By the way, I infer from the comment at the beginning of "packet-fw1.c" that the same packet can occur multiple times in the log file; is that the case? If so, then note that many stateful dissectors in Ethereal might be confused by this and, for example, report them as retransmissions. _______________________________________________ Ethereal-dev mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-dev
