[Winpcap-users] can not get any captured package when

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Aug 7 11:44:08 GMT 2008



Lin George wrote:
> My question is, if the ping fails, where does the resolved IP
> 72.17.235.101 come from?

Name resolution is a whole different process than pinging.  The local
name server, whatever it is, is returning a semi-valid result for
www.google.com, or at least that's what it looks like.  (The address is
different, but Google has servers everywhere, so it wouldn't surprise me
if they return different addresses depending on where your request comes
from.)  But your network won't allow you to send ICMP traffic to that IP
address.

> You mean each time the ping returns 3 addresses for google.com,

Ping does two things: first it asks the local resolver library to
resolve the name (which results in at least one DNS packet in each
direction, but these are not sent by ping directly).  Then it sends an
ICMP echo request packet to that IP address.

In the first step, the local resolver (or the name server that it's
configured to ask) will cache the result for about five minutes, but it
does seem to rotate through the returned list of three IP addresses, at
least on my machine.  But all of that is an implementation detail in the
resolver, so maybe yours isn't doing that.

In any case, ping requires a single IP address target.  So when it asks
the local resolver library, and the local library returns three
different addresses, it usually just picks the first one off the list.
The one that it chooses is up to the program, but most programs seem to
simply choose the first.

> I am confused why in your result there is a different result each
> time, because you mentioned the time out is 5 minutes and the same
> result should be returned within 5 minutes, correct?

Not necessarily in the same order, just the same three records.

But all of this is probably an implementation detail, so if you're using
another implementation (i.e. not this particular Linux glibc version or
not this particular version of BIND9), then you may very well get a
different result.

>> may not allow pings out either (or name resolution, for that
>> matter) -- but it sounds like yours does, so that shouldn't be an
>> issue.
> 
> Why does the proxy not allow ping?

There are two uses for a proxy.  The first is to simply cache content
coming from remote web servers -- in this case, if you allow the clients
to bypass the proxy, it's not a huge problem.  They'll be surfing
slightly slower, but that's their own fault.

The second use is as a security mechanism -- the proxy scans all the
content that flows through it, and prevents the clients from requesting
pages that the admin has decided shouldn't be allowed.  In this kind of
a setup, the admin *really* doesn't want people to be able to bypass the
proxy, because that means that the security protection that it provides
will no longer be there.

So if you have a proxy, then depending on how the network is set up, you
may or may not be able to browse without it.

But the proxy is *only* used for HTTP and HTTPS traffic.  (It can be
used for other TCP protocols, but that seems to be rare, at least in my
experience.)  But since ping isn't TCP, there's no way to get ping to go
through the proxy.

> Do you have any documents describing this?

Not really...

> From my reply in item 1, it seems ping is not allowed.

That's a side effect of disallowing any client communication to any
machine that's outside the local network.

In any case, if you just capture the traffic headed to your proxy, you
should be able to get what you need.
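The two steps Bryan describes (resolve the name, take the first address, then send an ICMP echo request, which no HTTP proxy will carry) shown as a small added example; this is not code from the thread. It assumes a constructed resolver answer of three RFC 5737 documentation addresses standing in for the three google.com records, and builds the echo request without sending it, so it runs offline.

```python
import struct

# Constructed stand-in for "the resolver returns three addresses";
# RFC 5737 documentation addresses, not real Google servers.
RESOLVER_ANSWER = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def pick_target(addresses):
    """Step 1: ping needs exactly one target, so it takes the first
    address off the list the resolver library returned."""
    if not addresses:
        raise ValueError("resolver returned no addresses")
    return addresses[0]


def rfc1071_checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier, sequence, payload=b"winpcap-users"):
    """Step 2: an ICMP echo request (type 8, code 0).  ICMP is not TCP,
    so this packet can never be relayed through an HTTP/HTTPS proxy."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, sequence) + payload


def parse_echo(packet):
    """Decode an ICMP packet as a capture tool would: (type, code,
    checksum_ok, identifier, sequence, payload)."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    checksum_ok = rfc1071_checksum(packet) == 0  # sums to zero when intact
    return icmp_type, code, checksum_ok, ident, seq, packet[8:]


def ping_plan(addresses, identifier=0x1234, sequence=1):
    """Return the address ping would choose and the packet it would send."""
    return pick_target(addresses), build_echo_request(identifier, sequence)


if __name__ == "__main__":
    target, pkt = ping_plan(RESOLVER_ANSWER)
    print("echo request to", target, "->", pkt.hex())
```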
