Ethereal-dev: Re: [Ethereal-dev] RAdius ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Thu, 1 Jul 2004 14:15:49 -0700 (PDT)

achraf laamarti said:
> I would like to know how can I implement a function which is used for:
> 1/Calculate the response time of the accept packets
> 2/Save in a file the packets which have a high response time
> 3/Send a SNMP trap

You'd have to write a program to capture RADIUS packets (it sounds as if
you want a program that monitors RADIUS response time in real time, so
you'd want to capture live traffic), figure out which ones are RADIUS
packets, remember the arrival time and identifier of Access-Request
packets, and, for Access-Accept packets, look for the arrival time of the
Access-Request packet with the same identifier, compute the response time
as the difference between the Accept and Request arrival times and, if
that's higher than whatever threshold you use for "high response time":

    1) write the Accept packet to the file (and perhaps write the Request
packet to the file before it)

and

    2) send the SNMP trap (you might be able to use the Net-SNMP library
to do that).

You'd use libpcap/WinPcap to capture them.  You'd probably use a capture
filter that captures UDP traffic to or from the relevant ports (1645 and
1812, and possibly others, so that'd be "udp port 1645 or udp port 1812",
possibly with other "or udp port XXX" values), so that you don't see all
the other traffic on the network.  You'd then have to either skip the
link-layer header (if it's fixed length, as it is on Ethernet) or read
enough of it to skip it (if it's variable-length, as it is on Token Ring),
look at the IP header to determine whether it's IPv4 or IPv6 and to
determine how long it is, skip that, skip the UDP header, and then parse
enough of the RADIUS header to get the code and identifier fields.

(You may have noticed that I haven't used the word "Ethereal" in the
above.  Ethereal doesn't currently do request/response matching, and
response time computation, for RADIUS, as nobody's contributed code to do
that.  More importantly, it has no mechanism for sending SNMP traps; it
was not designed as a tool for doing that sort of real-time network
monitoring, it was designed as a tool for capturing traffic and analyzing
it in detail.)
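
The header-skipping and request/response matching described in the message above, as an added example that is not part of the original post or of Ethereal's code. It assumes Ethernet II framing and IPv4 only, takes frames as byte buffers instead of reading them from libpcap, matches on the identifier alone as the message describes, and the names `radius_fields`, `track` and `make_frame` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ACCESS_REQUEST = 1, ACCESS_ACCEPT = 2 };          /* RADIUS codes */
static struct { double ts; int seen; } req[256];         /* pending request per identifier */

/* Extract RADIUS code and identifier from an Ethernet II/IPv4/UDP frame; -1 if not RADIUS. */
int radius_fields(const uint8_t *f, size_t len, uint8_t *code, uint8_t *id) {
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1; /* IPv4 only */
    const uint8_t *ip = f + 14;                  /* Ethernet header is fixed length */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;     /* IPv4 header length varies */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return -1;    /* must be UDP */
    if (len < 14 + ihl + 8 + 20) return -1;      /* UDP header + 20-byte RADIUS header */
    const uint8_t *udp = ip + ihl;
    unsigned sport = udp[0] << 8 | udp[1], dport = udp[2] << 8 | udp[3];
    if (sport != 1645 && sport != 1812 && dport != 1645 && dport != 1812) return -1;
    *code = udp[8]; *id = udp[9];                /* RADIUS follows the 8-byte UDP header */
    return 0;
}

/* Feed one frame and its arrival time in seconds. Returns the response time for an
   Access-Accept that answers a remembered Access-Request, otherwise -1. */
double track(const uint8_t *f, size_t len, double ts) {
    uint8_t code, id;
    if (radius_fields(f, len, &code, &id) != 0) return -1.0;
    if (code == ACCESS_REQUEST) { req[id].ts = ts; req[id].seen = 1; return -1.0; }
    if (code != ACCESS_ACCEPT || !req[id].seen) return -1.0;
    req[id].seen = 0;
    return ts - req[id].ts;
}

/* Constructed sample frame: Ethernet II + IPv4 (ihl bytes) + UDP + bare RADIUS header. */
size_t make_frame(uint8_t *f, size_t ihl, unsigned sport, unsigned dport, uint8_t code, uint8_t id) {
    size_t n = 14 + ihl + 8 + 20;
    memset(f, 0, n);
    f[12] = 0x08; f[14] = (uint8_t)(0x40 | ihl / 4); f[14 + 9] = 17;
    uint8_t *udp = f + 14 + ihl;
    udp[0] = sport >> 8; udp[1] = sport & 0xff; udp[2] = dport >> 8; udp[3] = dport & 0xff;
    udp[8] = code; udp[9] = id; udp[11] = 20;    /* RADIUS length field = 20 */
    return n;
}

int main(void) {
    uint8_t buf[96];
    track(buf, make_frame(buf, 24, 40000, 1812, ACCESS_REQUEST, 7), 10.0);
    printf("response time: %.2f s\n", track(buf, make_frame(buf, 24, 1812, 40000, ACCESS_ACCEPT, 7), 10.25));
    return 0;
}
```

In a live monitor the frames and timestamps would come from the libpcap capture using the filter quoted in the message. RADIUS identifiers are only unique per client, so a monitor watching several clients would also need the client address and port in the lookup key.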