Wireshark · Ethereal-dev: Re: [Ethereal-dev] Another Windows-only sniffer: PacScope ...

["Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>]

> When looking at an SMB capture it was also quite limited. It did more than
> what sniffem seemed to do, however, it would not decode all of a number of
> SMB packets, like the session-setup-andX packets, and could not handle the
> security blobs at all, even though they are simply ASN.1 encoded blobs
> with NTLMSSP stuff in them.

Not even we did decode the NTLMSSP blob until very recently.
It is unfair to compare this feature of ethereal to a non-ethereal sniffer
until
we give them at least one year to catch up. They will need some time to read
ethereal sources first before
they can implement this feature.

>
> I imagine they would not handle DCERPC or any of the Windows RPCs.

Probably not.  Does anyone else decode DCERPC?   The only other one i have
seen that even tries
to decode DCERPC properly would be NetMon (a good tool in many ways) but
even NetMon have
very limited support for the DCERPC interface.
(this could probably more be a political reason rather than a technical one)

>
> I wonder if I have the time to put up a sniffer comparison page? I wonder
> if these commercial vendors would let me have eval versions to do so?

Almost certainly they would not allow that.
You can ask.