[Winpcap-users] can not get any captured package when

Bryan Kadzban bryan at kadzban.is-a-geek.net
Wed Aug 6 12:34:06 GMT 2008


Lin George wrote:
>> When you're pinging (or doing HTTP to) www.google.com, or when
>> you're pinging (or doing HTTP to) a.b.c.d directly?
> 
> I am pinging www.google.com, and get its IP address like a.b.c.d.

Yes, but the next time you ping it by name, you'll get a different
address -- at least if your name resolution works anything like mine:

$ ping www.google.com
PING www.l.google.com (64.233.167.99): 48 data bytes
...
$ ping www.google.com
PING www.l.google.com (64.233.167.104): 48 data bytes
...
$ ping www.google.com
PING www.l.google.com (64.233.167.147): 48 data bytes

Notice the last octet of the address.

>> Otherwise instead of trying to match up two random values (the
>> result of the windump name resolution and the result of the name
>> resolution done by the other program), you're trying to match one
>> fixed value (the "manual" name resolution) to one random value (the
>> result of the name resolution done by the other program).  *Both*
>> need to be fixed.
> 
> Could you explain why you think the IP address after name resolution
> is random?

Because I've seen it come back random: see above.  ;-)

> I have this confusion because, when I ping www.google.com on the
> command line window, it always returns the same IP address,

Then your caching name server or your client resolver isn't quite right.
The www.l.google.com name (which www.google.com is a CNAME for) comes
back with three different A records (and a TTL of five minutes), and my
client resolver library switches their order each time the name is
requested.  I believe that's because my caching nameserver switches
their order too, but I don't know that for sure (haven't looked at the
order of returned records in the raw packet).  Most programs just choose
the first address in the list.

However, none of this applies to web traffic, due to the proxy.  The
client doesn't even resolve the name on its own for proxy traffic.  It
just sends the entire request off to the proxy, name and everything.

>> windump (or any other libpcap/winpcap program) doesn't look inside
>> the proxy traffic when comparing packets against the "host"
>> directive; it just compares the IP src and dst addresses on the
>> packet.
> 
> You mean if I am using proxy in my intranet, the source address and
> destination address (which we could use host to filter in WinDump) is
> always my computer's IP and proxy's IP?

For traffic headed to the proxy server, yes.  And when you set up a
proxy in a web browser, *all* HTTP/HTTPS traffic from the browser will
go to the proxy.  (That's sort of the whole point of a proxy.  ;-) )

> And this is why when I set host to the IP of google, I can not get
> any result?

Most likely.  If you set host to the IP of the proxy (and use the right
proxy port), then you'll see the GET request that gets sent to the
proxy.  You'll be able to see how instead of a normal HTTP GET, which
includes only the part of the URL after the server portion (e.g.
/files/), the browser sends the entire URL (e.g. http://server/files/).

Note that this won't apply to ping, since ping isn't HTTP, and proxies
are only valid for HTTP.  Also note that if your network has a proxy, it
may not allow pings out either (or name resolution, for that matter) --
but it sounds like yours does, so that shouldn't be an issue.
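Added example (not from this thread or from WinPcap): a small Python script that shows what a "host" filter actually compares (only the IP header's source and destination) and how the origin server of proxied traffic has to be recovered from the request line instead. Client 10.0.0.5, proxy 10.0.0.1:3128 and the request bytes are all constructed values.

```python
import socket
import struct
from urllib.parse import urlsplit


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (checksums left zero; enough to parse)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def matches_host_filter(packet, addr):
    """Mimic BPF 'host <addr>': true only if the IP src or dst address equals addr."""
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return addr in (src, dst)


def tcp_payload(packet):
    """Skip the IPv4 and TCP headers (honouring their length fields) to reach HTTP."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


def origin_host(http_request):
    """Return the server the browser really wanted, whether or not a proxy was used."""
    head = http_request.decode("ascii", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    if "://" in target:            # absolute-form URL: the request was sent to a proxy
        return urlsplit(target).hostname
    for line in lines[1:]:         # origin-form (direct) request: use the Host header
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0]
    return None


# Constructed sample traffic: the same page fetched via a proxy and directly.
PROXY_REQUEST = (b"GET http://www.google.com/files/ HTTP/1.1\r\n"
                 b"Host: www.google.com\r\nProxy-Connection: keep-alive\r\n\r\n")
DIRECT_REQUEST = b"GET /files/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
PROXIED_PKT = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 50000, 3128, PROXY_REQUEST)
```

Run against PROXIED_PKT, a filter on Google's address never matches, a filter on the proxy does, and origin_host() still tells you the request was for www.google.com.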
