Note: This web page was automatically created from a PalmOS "pedit32" memo.

ethereal notes


ip.addr == 128.200.... in the filter pane at the bottom left
Max Garrick and Eric Carter situation: Trouble free: 69.25.227.27 Troublesome: 69.25.225.202
You can right click on the packet number on the leftmost column, and select "follow stream", to see just one session.
If you go to edit/preferences, you can get tons of extra, optional stuff you can collect about a large number of protocols, including NFS
To filter on a mac address: tethereal ether host 10:10:10:10:10:10
To filter on NFS traffic... This example only looks at NFSv3, procedures 1 and 3. You can pinpoint these procedures with: $ grep NFSPROC3_LOOKUP /usr/include/nfs/nfs.h #define NFSPROC3_LOOKUP ((rpcproc_t)3) $ grep NFSPROC3_GETATTR /usr/include/nfs/nfs.h #define NFSPROC3_GETATTR ((rpcproc_t)1) tethereal -r /tmp/capture -R "nfs and rpc.programversion == 3 and (rpc.procedure == 1 or rpc.procedure == 3)"
ethereal supports capture filters and read filters. capture filters are more limited, but read filters are very powerful. Apparently, capture filters control which packets are saved, while read filters control which packets that were saved, are actually displayed.
I left this command running on meter for a long time, and it never reported a single line of output: tethereal -t r -f 'dst host meter.eng' -R 'nfs.full_name and rpc.procedure == 3' However, this command gave output almost immediately: tethereal -t r -f 'dst host meter.eng' -R 'nfs and rpc.procedure == 3'
Getting a handle on how many users are accessing meter.eng's mailspool via NFS: date; tethereal -f 'dst host meter.eng' -R 'nfs and rpc.procedure == 3' | grep 'DH:0x21ea0116' | awk ' { print $9 }' | head -10000 | /var/tmp/count | sort | uniq > /var/tmp/mailspool-nfs; date; Xdialog --msgbox 'meter NFS monitor done' 10 100 I do -not- expect that hex gibberish to remain consistent across much of anything :)


Back to Dan's palm memos