[Winpcap-users] can not get any captured package when
george4academic at yahoo.com
Sat Aug 9 12:02:54 GMT 2008
Really great reply and knowledge about network communication protocols!
> Ping does two things: first it asks the local resolver library to
> resolve the name (which results in at least one DNS packet in each
> direction, but these are not sent by ping directly). Then it sends an
> ICMP echo request packet to that IP address.
You mean ping does not have the responsibility or function to resolve the related IP address for a name, and its function is just to send ICMP to test connectivity? And since we send a name rather than an IP to ping, ping will first delegate the work of name resolution to the name resolution library, since ping only recognizes IP addresses, not names. Is my understanding correct?
You mentioned two terms in your reply, "the local name server" and "local resolver library". My question is: is the local name server you mean the one which is displayed as DNS when we type the ipconfig command? And what is the "local resolver library"? Does the "local resolver library" always use "the local name server" to resolve addresses?
> The local
> name server, whatever it is, is returning a semi-valid result for
> www.google.com, or at least that's what it looks like.
In my network environment, the result of ping www.google.com is the same address as the proxy server. Do you think it is what you called a "semi-valid" result? If not, what do you mean by a "semi-valid" result (sorry, my English is not very good)?
> In any case, ping requires a single IP address target. So when it asks
> the local resolver library, and the local library returns three
> different addresses, it usually just picks the first one off the list.
It picks up: you mean the local resolver library picks it up, or the ping utility picks it up? And no matter how many real IP addresses a web server has (e.g. www.google.com has a lot of IP addresses), the local resolver library only keeps 3 at most?
----- Original Message ----
From: Bryan Kadzban <bryan at kadzban.is-a-geek.net>
To: Lin George <george4academic at yahoo.com>
Cc: winpcap-users at winpcap.org
Sent: Thursday, August 7, 2008 7:44:08 PM
Subject: Re: [Winpcap-users] can not get any captured package when
-----BEGIN PGP SIGNED MESSAGE-----
Lin George wrote:
> My question is, if the ping fails, where is the resolved IP
> 18.104.22.168 comes from?
Name resolution is a whole different process than pinging. The local
name server, whatever it is, is returning a semi-valid result for
www.google.com, or at least that's what it looks like. (The address is
different, but Google has servers everywhere, so it wouldn't surprise me
if they return different addresses depending on where your request comes
from.) But your network won't allow you to send ICMP traffic to that IP
> You mean each time the ping returns 3 address for google.com,
Ping does two things: first it asks the local resolver library to
resolve the name (which results in at least one DNS packet in each
direction, but these are not sent by ping directly). Then it sends an
ICMP echo request packet to that IP address.
In the first step, the local resolver (or the name server that it's
configured to ask) will cache the result for about five minutes, but it
does seem to rotate through the returned list of three IP addresses, at
least on my machine. But all that is implementation details in the
resolver, so maybe yours isn't doing that.
In any case, ping requires a single IP address target. So when it asks
the local resolver library, and the local library returns three
different addresses, it usually just picks the first one off the list.
The one that it chooses is up to the program, but most programs seem to
simply choose the first.
> I am confused why in your result each time there is different result,
> because you mentioned time out is 5 minutes and the same result
> should be returned within 5 minutes, correct?
Not necessarily in the same order, just the same three records.
But all of this is probably an implementation detail, so if you're using
another implementation (i.e. not this particular Linux glibc version or
not this particular version of BIND9), then you may very well get a
>> may not allow pings out either (or name resolution, for that
>> matter) -- but it sounds like yours does, so that shouldn't be an
> Why proxy does not allow ping?
There are two uses for a proxy. The first is to simply cache content
coming from remote web servers -- in this case, if you allow the clients
to bypass the proxy, it's not a huge problem. They'll be surfing
slightly slower, but that's their own fault.
The second use is as a security mechanism -- the proxy scans all the
content that flows through it, and prevents the clients from requesting
pages that the admin has decided shouldn't be allowed. In this kind of
a setup, the admin *really* doesn't want people to be able to bypass the
proxy, because that means that the security protection that it provides
will no longer be there.
So if you have a proxy, then depending on how the network is set up, you
may or may not be able to browse without it.
But the proxy is *only* used for HTTP and HTTPS traffic. (It can be
used for other TCP protocols, but that seems to be rare, at least in my
experience.) But since ping isn't TCP, there's no way to get ping to go
through the proxy.
> Do you have any documents describing this?
> From my reply in item 1, it seems ping is not allowed.
That's a side effect of disallowing any client communication to any
machine that's outside the local network.
In any case, if you just capture the traffic headed to your proxy, you
should be able to get what you need.
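The two-step behaviour Bryan describes (the resolver library answers first, then ping sends one ICMP echo request to the first address it was handed), George's question about who picks the address, the "semi-valid" answer that points at the proxy, and the closing advice to capture only the traffic headed to the proxy, as one added Python example. This is not code from the thread or from WinPcap: the RotatingResolver and its three TEST-NET addresses are a constructed stand-in for the OS resolver library, the proxy address 10.0.0.5 and the ports 8080/3128 are assumptions, and the raw-socket send needs administrator rights and is only reached from the __main__ block.

```python
import socket
import struct
from collections import deque
from typing import List, Sequence, Tuple


class RotatingResolver:
    """Constructed stand-in for the local resolver library (glibc, the
    Windows DNS client, ...). Hands back the same three records on every
    call but rotates their order, the behaviour Bryan reports seeing on
    his machine. The addresses are TEST-NET values (RFC 5737), not
    Google's."""

    def __init__(self, records: Sequence[str]) -> None:
        self._records = deque(records)

    def resolve(self, name: str) -> List[str]:
        answer = list(self._records)
        self._records.rotate(-1)  # next call starts with the second record
        return answer


def system_resolve(name: str) -> List[str]:
    """The real step 1: ask the OS resolver library, which sends the DNS
    packets itself (ping never does). Not used by the offline demo."""
    seen: List[str] = []
    for info in socket.getaddrinfo(name, None, socket.AF_INET):
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen


def pick_target(addresses: Sequence[str]) -> str:
    """What ping does with a multi-address answer: it takes the first entry.
    The order comes from the resolver or the name server, not from ping."""
    if not addresses:
        raise OSError("could not resolve name")
    return addresses[0]


def answer_is_proxy(addresses: Sequence[str], proxy_ip: str) -> bool:
    """True when every record is the proxy's own address: resolution
    'worked', but the answer only ever leads to the proxy."""
    return bool(addresses) and all(a == proxy_ip for a in addresses)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"winpcap-users") -> bytes:
    """Step 2 of ping: an ICMP type 8 / code 0 packet. There is no TCP port
    anywhere in it, which is why an HTTP proxy cannot carry it."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def send_echo_request(target_ip: str, packet: bytes) -> int:
    """Raw-socket send (needs administrator rights). IP protocol 1, so the
    proxy is never involved; a network that blocks outbound ICMP drops it."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        return s.sendto(packet, (target_ip, 0))


def proxy_capture_filter(proxy_ip: str, ports: Sequence[int]) -> str:
    """BPF filter for WinPcap/tcpdump that keeps only client<->proxy TCP
    traffic, the traffic Bryan suggests capturing instead of pings."""
    port_expr = " or ".join(f"port {p}" for p in ports)
    return f"host {proxy_ip} and tcp and ({port_expr})"


def ping_once(resolver, name: str, ident: int, seq: int) -> Tuple[List[str], str, bytes]:
    """Both steps together; returns the answer, the chosen target and the
    packet so each piece can be inspected."""
    answer = resolver.resolve(name)
    target = pick_target(answer)
    return answer, target, build_echo_request(ident, seq)


if __name__ == "__main__":
    PROXY = "10.0.0.5"  # assumed proxy address for the demo
    resolver = RotatingResolver(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    for seq in range(1, 4):
        answer, target, pkt = ping_once(resolver, "www.google.com", 0x1234, seq)
        print(f"answer {answer} -> ping targets {target}, {len(pkt)}-byte ICMP echo")
    broken = RotatingResolver([PROXY, PROXY, PROXY])
    print("proxy-only answer:", answer_is_proxy(broken.resolve("www.google.com"), PROXY))
    print("capture filter:", proxy_capture_filter(PROXY, [8080, 3128]))
```

Running it shows the target moving from 192.0.2.10 to 192.0.2.11 to 192.0.2.12 across three calls even though the three records never change, which is the "same three records, not necessarily in the same order" point; a resolver that only ever returns the proxy address is flagged by answer_is_proxy, and the filter string is what you would paste into WinDump or Wireshark to capture just the proxy traffic.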