Wireshark · Ethereal-users: Re: [Ethereal-users] Feature for NAT Capture Filter

["Al Stu" <AHStubbl@xxxxxxxxxxx>]

"What do you mean by "request from the NAT"?  If you're sniffing on the
WAN side of the NAT, do you mean "packet from a host behind the NAT"?"

Yes, but obviously the packets would appear to be coming from the NAT, as 
they would have the NAT's WAN address as the source.

Yes, realize it would have to be an unconventional capture filter.  Would it 
be possible for it to be implemented in WinPcap?  Or would it have to be in 
Ethereal by necessity?

----- Original Message ----- 
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Saturday, April 30, 2005 3:14 PM
Subject: Re: [Ethereal-users] Feature for NAT Capture Filter


> Al Stu wrote:
>
> > I would like to use Ethereal to capture packets of traffic not matching a 
> > request from the NAT.
> > So if Ethereal was to see a packet from 1.2.3.4 port 3597 but Ethereal 
> > had not seen a request from the NAT matching this (within last n 
> > seconds), then it would capture that packet.
>
> The capture filter mechanism in many OSes (as used by libpcap) and in 
> libpcap is stateless and has no notion of timeouts, so a filter of the 
> type you describe can't be implemented as a regular capture filter.
>
> It might be possible to implement it in Ethereal, so that it'd capture all 
> packets and discard the uninteresting ones in user space.
>
> What do you mean by "request from the NAT"?  If you're sniffing on the WAN 
> side of the NAT, do you mean "packet from a host behind the NAT"?
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users