> What happens with the IPX traffic when you read that capture file with
> Ethereal (or Ethereal) - or with the Sniffer software for Windows -
> later?

It seems that no matter the packet size specified when using -s, the full packet output is captured and decoded. I have tried multiple packet sizes since I suspected I wasn't capturing enough of the packet, as you have calculated. There is nothing wrong with the tethereal utility - I am just trying to cheat and only capture enough of the decoded output to track the details of the file access and not the entire contents of the file itself.

> ...if you want to know what file they were viewing, it needs to dissect
> *NCP* traffic - i.e., it has to dissect not just the IPX header, but
> enough of the NCP header to show information about the file.

Exactly. Sorry, I should have been more specific about NCP.

> Unfortunately, to do *that*, it appears you need more than the 64 bytes
> you've requested with "-s 64" - at least in one capture, an NCP
> "Open/Create File or Subdirectory" has 62 bytes of *NCP* message in it,
> so that'd be 14+30+62 = 106 bytes, and a longer file name might require
> more data.

I will retry with multiple capture size variations, but if I remember correctly it's as if tethereal wants to capture the entire packet to decode it. Perhaps there is a way to then pass it through some form of read filter before it is written to disk?

Thanks,
Justin.
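The 14+30+62 = 106 arithmetic above can be checked against a capture rather than guessed: the IPX header's length field (header plus payload) sits at bytes 16-17 of the frame, inside the 44 bytes that a `-s 64` capture always keeps, so even a truncated capture tells you how large a snaplen the full NCP message would have needed. The example below is added here and is not code from the thread or from Ethereal; the Ethernet and IPX header layouts are real, but the 62-byte NCP payload and the file name inside it are constructed stand-ins, not a real NCP request.

```python
import struct

ETH_HDR_LEN = 14        # Ethernet header (the "14" in 14+30+62)
IPX_HDR_LEN = 30        # IPX header (the "30")
ETHERTYPE_IPX = 0x8137  # IPX over Ethernet II
NCP_SOCKET = 0x0451     # well-known NCP socket
FILENAME = b"REPORT.TXT"  # constructed file name placed inside the payload

def build_frame(ncp_message: bytes) -> bytes:
    """Constructed Ethernet II + IPX frame carrying an NCP-sized payload."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")
    eth += struct.pack("!H", ETHERTYPE_IPX)
    ipx_len = IPX_HDR_LEN + len(ncp_message)
    # checksum (0xFFFF = none), length, transport control, packet type 17 (NCP)
    ipx = struct.pack("!HHBB", 0xFFFF, ipx_len, 0, 17)
    ipx += bytes.fromhex("00000001") + bytes.fromhex("000000000002") + struct.pack("!H", NCP_SOCKET)
    ipx += bytes.fromhex("00000001") + bytes.fromhex("000000000001") + struct.pack("!H", 0x4000)
    assert len(ipx) == IPX_HDR_LEN
    return eth + ipx + ncp_message

def ipx_length(frame: bytes) -> int:
    """IPX length field (header + payload), big-endian at frame offset 16."""
    if len(frame) < ETH_HDR_LEN + 4:
        raise ValueError("frame too short to contain the IPX length field")
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]

def required_snaplen(frame: bytes) -> int:
    """Snaplen needed to keep the whole NCP message, computed from the header alone."""
    return ETH_HDR_LEN + ipx_length(frame)

def ncp_bytes_retained(frame: bytes, snaplen: int) -> int:
    """How many bytes of the NCP message survive a capture at this snaplen."""
    captured = min(len(frame), snaplen)
    return max(0, captured - ETH_HDR_LEN - IPX_HDR_LEN)

def filename_intact(frame: bytes, snaplen: int) -> bool:
    """Whether the constructed file name is still present after truncation."""
    return FILENAME in frame[:snaplen]

# Constructed 62-byte stand-in for an "Open/Create File or Subdirectory" request:
# 0x2222 request type, filler, the file name at payload offset 30, more filler.
NCP_MESSAGE = b"\x22\x22" + bytes(28) + FILENAME + bytes(62 - 2 - 28 - len(FILENAME))
FRAME = build_frame(NCP_MESSAGE)

if __name__ == "__main__":
    for snaplen in (64, 84, 106):
        print(snaplen, ncp_bytes_retained(FRAME, snaplen), filename_intact(FRAME, snaplen))
    print("needed:", required_snaplen(FRAME[:64]))  # readable from a -s 64 capture
```

The same length check works on real IPX frames as long as the first 18 bytes were captured, which any snaplen of 64 or more guarantees.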
