> Sun's snoop, I suspect, recognizes all packets with particular values at
> particular offsets as ONC RPC packets, and dissects them as particular
> RPC protocols based on the program number in the request or, for
> replies, the program number in the request that matches the reply.

> Ethereal does that as well; it should run on Alpha Linux (and Digital
> UNIX):

>       http://www.ethereal.com/

> (it's free software; it's "ethereal.com" only because "ethereal.org" was
> already taken).

I was using Ethereal for a bit, but it got quite tedious with the problem I'm
working on.  I'm comparing two streams of NFS traffic for differences which
could explain why a program works in one case and fails in another (when their
environment and all files involved are identical).  (It looks like some quirk
of the Linux NFS client implementation and/or a bug in the custom NFS server.)
It's been much less labor intensive to diff Perl-filtered tcpdump output.

> Tcpdump should perhaps use a similar strategy; I assume, from "Our
> tcpdump keys off the RPC program number", that the tcpdump Ric's using
> does the latter of the two things I mention - I don't know whether it
> looks for specific port numbers (111 and 2049) for RPC, with the
> existing "-T" option, or if it uses a heuristic as I suspect snoop does
> and know Ethereal does.

Ric sent me a code snippet which I didn't include in my mail to the list, as 
I'm not certain about what IP issues there might be.  AFAICT, it's doing 
heuristic matching as you describe Ethereal and snoop doing.  It decodes the 
RPC direction (rpc_msg.rm_direction), program (rpc_msg.rm_call.cb_prog), and 
version (rpc_msg.rm_call.cb_vers) and through a couple of switch statements 
picks a decode routine to call.

--Ken
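As an added illustration of the heuristic described above (this is example code, not Ric's snippet and not tcpdump's own decoder): it recognises an ONC RPC CALL from the header fields a dissector can check without knowing the port (msg_type, RPC version 2, a registered program number), and it attributes a REPLY to its program by matching the xid against outstanding calls, since the reply header itself carries no program number. It assumes the input is the UDP payload (over TCP the 4-byte record mark would have to be stripped first); the program-number table and sample packets are constructed here.

```python
import struct
from typing import Optional

# Well-known ONC RPC program numbers (RFC 1057 / RFC 1831 assignments).
RPC_PROGRAMS = {100000: "portmap", 100003: "nfs", 100005: "mountd", 100021: "nlockmgr"}
CALL, REPLY = 0, 1          # rpc_msg.rm_direction values


def parse_rpc_call(payload: bytes) -> Optional[dict]:
    """Heuristic CALL match: xid, msg_type=CALL, rpcvers=2, known prog; else None."""
    if len(payload) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != CALL or rpcvers != 2 or prog not in RPC_PROGRAMS:
        return None
    return {"xid": xid, "prog": prog, "name": RPC_PROGRAMS[prog], "vers": vers, "proc": proc}


class RpcDissector:
    """Keeps calls by xid so a reply can be decoded with the matching program/version."""

    def __init__(self) -> None:
        self.pending: dict = {}

    def dissect(self, payload: bytes) -> Optional[dict]:
        call = parse_rpc_call(payload)
        if call is not None:
            self.pending[call["xid"]] = call
            return {"direction": "CALL", **call}
        if len(payload) < 12:
            return None
        xid, msg_type, reply_stat = struct.unpack("!3I", payload[:12])
        # reply_stat: 0 = MSG_ACCEPTED, 1 = MSG_DENIED; anything else is not RPC.
        if msg_type != REPLY or reply_stat not in (0, 1):
            return None
        call = self.pending.pop(xid, None)
        if call is None:          # reply with no matching call: cannot pick a decoder
            return None
        return {"direction": "REPLY", "accepted": reply_stat == 0, **call}


# Constructed sample packets: AUTH_NULL cred/verf on the call, empty verf on the reply.
def build_call(xid: int, prog: int, vers: int, proc: int) -> bytes:
    return struct.pack("!6I", xid, CALL, 2, prog, vers, proc) + struct.pack("!4I", 0, 0, 0, 0)


def build_reply(xid: int, accepted: bool = True) -> bytes:
    return struct.pack("!3I", xid, REPLY, 0 if accepted else 1) + struct.pack("!3I", 0, 0, 0)
```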


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe