Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ut-sally!husc6!cmcl2!beta!hc!hi!cyrus
From: cyrus@hi.UUCP (Tait Cyrus)
Newsgroups: comp.dcom.lans
Subject: Re: Ethernet Analyzer Info Needed
Message-ID: <10669@hi.UUCP>
Date: Thu, 9-Jul-87 12:28:14 EDT
Article-I.D.: hi.10669
Posted: Thu Jul  9 12:28:14 1987
Date-Received: Sun, 12-Jul-87 06:10:01 EDT
References: <402@rover.UUCP> <1139@csib.UUCP>
Reply-To: cyrus@hc.dspo.gov (Tait Cyrus)
Distribution: world
Organization: U. of New Mexico, Albuquerque
Lines: 63

In article <1139@csib.UUCP> jwhitnel@csib.UUCP (Jerry Whitnell) writes:
>In article <402@rover.UUCP> fred@rover.UUCP (Fred Christiansen) writes:
>>we're thinking of getting an Ethernet monitor/analyzer for some
>>TOP work.  we need to examine packets/frames, to select frames
>>meeting certain criteria, etc.  i've seen some monitors that
>>know about XNS or TCP/IP packet types and display per those formats.
>
>You might also want to look at Network General's Sniffer.  They support
>a large number of protocols, as well as displaying of the packet in hex/ascii/
>ebcdic dumps.  I know they have XNS and I think TCP/IP.  They also support
>writing your own protocol disassemblers (in C).  Finally, they also support
>filtering of the packets on various criteria.  Their number is (408) 734-0464.

Here at the University of New Mexico we built up a network monitor/analyzer
package around a SUN 3.  We were building some ethernet hardware and
needed some way to see if we were transmitting things correctly, you know -
network byte order.  Using the NIT (Network Interface Tap) protocol on the
SUN, we were able to put the SUN's ethernet board in promiscuous mode
and capture all packets.  Now anyone that is familiar with SUN knows about
'etherfind' which basically does the same thing, or 'tcpdump' which gives
a little more info than 'etherfind'.

What we needed was some way to dump all incoming packets, from our
hardware, to a file to be analyzed later.  Well, this package now has
the ability to display, split screen style, both directions of a
connection, capture packets (to be looked at in depth later) plus
anything else we might want it to do.

We have even built up some utilities which verify checksums (in ip &
tcp packets), in a machine INDEPENDENT way.  This means that you
can look at these packets, which were dumped to file, on any machine
you like.  You don't have to worry about any evil "Network-byte-order"
problems.

It would be easy to add to this package to do just about anything you
wanted it to, whether it was capture XNS packets, IP packets or your
own XYZ type packets.  We are still cleaning some things up in this
package to add some more options.   When we feel it is clean enough,
we will post it.

Unlike 'tcpdump' which was derived from SUN sources and whose sources
can't be posted, our package was not derived from sources.  We feel
that just about anything that needs to be looked at can be derived
from our program.  One thing, though, that can't, as far as I know,
be obtained from the NIT protocol, is the number of collisions.

I have never really gotten 'down-and-dirty' with network monitors,
so my perception of what an ethernet monitor/analyzer should do
might be full of it.

I would appreciate any suggestions or ideas of things to include in
this program, or any comments in general.

-- 
    @__________@    W. Tait Cyrus   (505) 277-0806
   /|         /|    University of New Mexico
  / |        / |    Dept of EECE - Hypercube Project
 @__|_______@  |    Albuquerque, New Mexico 87131
 |  |       |  |
 |  |  hc   |  |    e-mail:
 |  @.......|..@       cyrus@hc.dspo.gov or
 | /        | /        seismo!unmvax!hi!cyrus
 @/_________@/
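
Added example, not part of the original post and not code from the package it describes: one way to verify IP and TCP checksums on a captured packet in a machine-independent way, by assembling every 16-bit word from single bytes. The function names and the sample packet are constructed for illustration; the buffer is assumed to start at the IPv4 header (Ethernet header already stripped) and to hold an unfragmented datagram.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: IPv4 header + TCP SYN, 192.0.2.1:1024 -> 192.0.2.2:80. */
static const uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0xf6,0xcb,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x07,0x8e,0x00,0x00 };

/* Add n bytes to a one's-complement sum as big-endian 16-bit words. Words are
   assembled from single bytes, so host byte order never matters. */
static uint32_t oc_add(const uint8_t *p, size_t n, uint32_t sum) {
    for (; n > 1; p += 2, n -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (n) sum += (uint32_t)p[0] << 8;      /* odd last byte, zero padded */
    return sum;
}

static uint16_t oc_fold(uint32_t sum) {     /* wrap carries back into 16 bits */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* 1 = checksum good, 0 = bad, -1 = not a well-formed IPv4 header. */
int ip_header_ok(const uint8_t *pkt, size_t len) {
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    return oc_fold(oc_add(pkt, ihl, 0)) == 0xffff;
}

/* 1 = TCP checksum good, 0 = bad, -1 = not TCP or lengths inconsistent. */
int tcp_segment_ok(const uint8_t *pkt, size_t len) {
    size_t ihl, total;
    uint32_t sum;
    if (ip_header_ok(pkt, len) < 0 || pkt[9] != 6) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    total = ((size_t)pkt[2] << 8) | pkt[3];  /* IP total length */
    if (total > len || total < ihl + 20) return -1;
    sum = oc_add(pkt + 12, 8, 0);            /* pseudo-header: src, dst */
    sum += 6 + (uint32_t)(total - ihl);      /* protocol, TCP length */
    return oc_fold(oc_add(pkt + ihl, total - ihl, sum)) == 0xffff;
}

int main(void) {
    printf("ip=%d tcp=%d\n", ip_header_ok(sample_pkt, 40), tcp_segment_ok(sample_pkt, 40));
    return 0;
}
```

Summing a header or segment together with its stored checksum field gives 0xffff when the data is intact, which is why neither function needs to zero the field first.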