home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Tech Arsenal 1
/
Tech Arsenal (Arsenal Computer).ISO
/
tek-05
/
gobblr.zip
/
GOBBLER.ASC
< prev
next >
Wrap
Text File
|
1991-10-25
|
29KB
|
835 lines
The Gobbler
A packet capturer for the BEHOLDER
v 2.0
User's Guide
-------------------------------------------------------------------------------
TABLE OF CONTENTS
1. INTRODUCTION
1.1 What is the Gobbler?
1.2 Outline of this manual
2. USING THE ONLINE GOBBLER PROGRAM
2.1 Starting and ending the online Gobbler
2.2 The Packet Capturer
2.2.1 The Show-action
2.2.2 The Start-action
2.2.2.1 Setting the maximum packet dumpfile size
2.2.2.2 Setting the maximum number of packets
2.2.2.3 Setting the maximum runtime
2.2.2.4 Setting the packet dumpfile name
2.2.2.5 Setting the filters
2.2.3 The Stop-action
2.2.4 The Hide-action
2.2.5 The Reset-action
2.2.6 The Update-action
2.3 The filters
2.3.1 The filter criteria
2.3.2 Manipulating the filters
2.3.2.1 Read filter file
2.3.2.2 Write filter file
2.3.2.3 Positive/negative packet/start/stop filter
2.3.2.3.1 Adding a filter
2.3.2.3.2 Editing a filter
2.3.2.3.3 Deleting a filter
2.4 The Dumpfile Viewer
2.4.1 The Start-action
2.4.1.1 Viewing the packet dumpfile
2.4.1.2 Selecting the packet dumpfile
2.4.2 The Stop-action
2.5 The format of the packet dumpfile
2.6 The format of the filter file
3. THE DP.INI FILE
3.1 Introduction
3.2 The HDRTYPE definitions
3.3 The HDRADDR definitions
4. THE RDUNIX-UTILITY
4.1 Introduction
4.2 The rdunix output format
5. HISTORY
-------------------------------------------------------------------------------
1. INTRODUCTION
1.1 What is the Gobbler?
The Gobbler is a standalone BEHOLDER application for capturing Ethernet
packets and writing them to a packet dumpfile with filtering possibilities.
1.2 Outline of this manual
This manual has the following outline:
Chapter one is this introduction. Chapter two describes the use of the online
Gobbler program: the Packet Capturer, the filters, the Dumpfile Viewer, the
dumpfile format and the filter file format. Chapter three descibes the layout
of the DP.INI file as far as the Gobbler is involved. Chapter four describes a
simple utility for viewing the packet dumpfile under UNIX. Chapter five gives
the history of the Gobbler.
-------------------------------------------------------------------------------
2. USING THE ONLINE GOBBLER PROGRAM
2.1 Starting and ending the online Gobbler
The online Gobbler program can be started by typing "gobbler" at the MS-DOS
prompt.
C:\>gobbler
To get the Apps menu you have to push <ESC>. This menu contains three entries:
PktCapt
FileView
Quit
To start the Packet Capturer you select "PktCapt", for the Dumpfile Viewer you
choose "FileView" and to end the Gobbler program you select "Quit". Please
note that the Gobbler requires the lines:
[PKTCAPT]
StartMask = 0
to be present in your BEHOLDER.INI file.
2.2 The Packet Capturer
To start the Packet Capturer you choose "PktCapt" in the Apps menu. After this
you get the Action menu containing six entries:
Show
Start
Stop
Hide
Reset
Update
The result of choosing these entries will be discussed in the next paragraphs.
Pressing <ESC> returns you to the Apps menu. The Packet Capturer has a status
window (named Capture Status) in the upper right corner of your screen. It
shows the packet dumpfile name, the current and maximum packet dumpfile size,
the current and maximum runtime, the current and maximum number of captured
packets, the number of the different types of filters and the total number of
received and missed packets (from the Ethernet card) during this capturing.
2.2.1 The Show-action
Selecting "Show" in the Action menu pops a window in the upper left half of
your screen where the source address, the destination address and the protocol
type of the captured packets are displayed. The addresses are displayed in the
form "xx:xx:xx:xx:xx:xx", the protocol is displayed formatted "xxxx", where x
is a hexadecimal digit. However, this window is updated in freetime, so if the
Packet Capturer is very busy you may not see all the captured packets. See
also "Hide-action" and "Update-action".
2.2.2 The Start-action
Selecting "Start" in the Action menu pops the Capture menu, which allows you
to set several Packet Capture parameters and also to set the filters. The
Capture menu has five entries:
Max. dumpfile size
Max. number of packets
Max. runtime
Dumpfile name
Filters
Each of these entries is described in turn in the next paragraphs. If you
push <ESC> the Capture menu disappears and the capturing starts. See also
"Stop-action" and "Reset-action".
2.2.2.1 Setting the maximum packet dumpfile size
Selecting "Max. dumpfile size" in the Capture menu allows you to set the
maximum size (in bytes) of the packet dumpfile. The default is 10Kb. The
capturing stops automatically if adding the next packet would make the packet
dumpfile larger than this limit.
2.2.2.2 Setting the maximum number of packets
Selecting "Max. number of packets" in the Capture menu allows you to set the
maximum number of packets this capturing may catch. The default is 100 packets.
The capturing stops automatically if the number of captured packets exceeds
this limit.
2.2.2.3 Setting the maximum runtime
Selecting "Max. runtime" in the Capture menu allows you to set the maximum
runtime (in seconds) for this capturing. The default is 100 seconds. The
capturing stops automatically if the runtime exceeds this limit.
2.2.2.4 Setting the packet dumpfile name
Selecting "Dumfile name" in the Capture menu allows you to set the name of the
packet dumpfile. The default is "PKTCAPT.DMP".
2.2.2.5 Setting the filters
See "Manipulating the filters".
2.2.3 The Stop-action
Selecting "Stop" in the Action menu stops the capturing and closes the packet
dumpfile. The capturing stops automatically if one of the limits (maximum
dumpfile size, maximum number of captured packets or maximum runtime) is
exceeded, but the Stop-action allows you to stop the capturing by hand. It is
not necessary to perform the Stop-action when the capturing has stopped by
itself. Please note that the Stop-action does not change the values for the
maximum dumpfile size, the maximum number of packets, the maximum runtime and
the dumpfile name! See also "Start-action" and "Reset-action".
2.2.4 The Hide-action
Selecting "Hide" in the Action menu hides the window in the upper left half of
your screen where the source address, the destination address and the protocol
type of the captured packets are displayed. See also "Show-action" and "Update-
action".
2.2.5 The Reset-action
Selecting "Reset" in the Action menu resets the maximum dumpfile size, the
maximum number of packets, the maximum runtime and the dumpfile name to their
default values (resp. 10Kb, 100, 100 and PKTCAPT.DMP) and resets the Capture
Status window. Please note that the Reset-action does not dispose the filters
(yet)!!! See also "Start-action" and "Stop-action".
2.2.6 The Update-action
Selecting "Update" in the Action menu gives the Packet Capturer forced
freetime, so it may update the window where the source address, the
destination address and the protocol type of the captured packets are
displayed (if it isn't hidden). See also "Show-action" and "Hide-action".
2.3 The filters
There are six type of filters to be used with the Packet Capturer:
Positive packet filters,
Negative packet filters,
Positive start filters,
Negative start filters,
Positive stop filters,
Negative stop filters.
Positive filters contain criteria a packet has to conform to to pass the
filter, negative filters contain criteria a packet has to conform to to be
rejected by the filter. A packet is accepted if het passes ONE of the positive
filters and ALL the negative filters (i.e. is not rejected by one of the
negative filters). So if a positive filter fi consists of criteria fi1...fik
and a negative filter gi contists of criteria gi1...gik and the packets are
tested on equalness to the criteria then:
A(packet) = (f1 || f2 || ... || fn) && (!g1 && !g2 && ... && !gm)
= P(f1, f2, ..., fn) && !N(g1, g2, ..., gm)
where P(f1, f2, ..., fn) = f1 || f2 || ... || fn
and N(g1, g2, ..., gm) = g1 || g2 || ... || gm
where fi = (fi1 && fi2 && ... && fik)
and gi = (gi1 && gi2 && ... && gik)
The packet filters control which packets are let through to the Packet
Capturer, while the start and stop filters trigger the starting and stopping
of letting the packets through respectively. Please note that the start and
stop filters do not start or stop the capturing itself. As long as no packet
has passed the start filters, no packet is let through to the Packet Capturer.
After a packet has passed the start filters, packets that pass the packet
filters are let through to the Packet Capturer until a packet passes the stop
filters. After this no packets are let through to the Packet Capturer anymore
until another packet passes the start filters.
2.3.1 The filter criteria
There are six criteria a packet can be checked for:
1. Destination address
2. Source address
3. Protocol type
4. Contents, consisting of
a. the contents itself and
b. an offset for the contents from the beginning of the packet
5. Device number
6. Packet size (interval), given by
a. a lower limit for the packet length and
b. an upper limit for the packet length
The filters have a status window (named Filter Status) in the lower half of
your screen. Of the first nine filters the type (Ty*), the number of the
filter in the type list (#) and the setting for the destination address
(DestAddress), the source address (SrcAddress), the protocol type (Protoco),
the contents offset (Offs), the first ten bytes of the contents (Contents),
the device number (D), the lower (Len>) and upper (Len<) limit for the packet
size are displayed. Fields for criteria which are not set are left blank.
* +P stands for positive packet filter
-P stands for negative packet filter
+B stands for positive start ("begin") filter
-B stands for negative start ("begin") filter
+E stands for positive stop ("end") filter
-E stands for negative stop ("end") filter
2.3.2 Manipulating the filters
Selecting "Filters" in the Capture menu pops the Filters menu, which allows
you to perform various actions on the filters. The Filters menu has eight
entries:
Read filter file
Write filter file
Positive packet filters
Negative packet filters
Positive start filters
Negative start filters
Positive stop filters
Negative stop filters
2.3.2.1 Read filter file
To read a filter configuration from file choose "Read filter file" in the
Filters menu. You are first presented with a Filter file window allowing you
to select the filter file. The default filemask is "<current directory>\*.FIL",
but you can either give another filemask or give the filename directly. If you
supply a filemask, a Select File menu is opened and you can select a file by
using the Up and Down arrow keys (or the PgUp and PgDn keys) and giving
<ENTER>. If the opening of the file succeeds the filter configuration is read
in. See "The format of the filter file".
2.3.2.2 Write filter file
To write the current filter configuration to file choose "Write filter file"
in the Filters menu. You are first presented with a Filter file window
allowing you to give the name of the filter file. If the opening of the file
succeeds the current filter configuration is written to this file. See "The
format of the filter file".
2.3.2.3 Positive/negative packet/start/stop filter
Each of these entries in the Filters menu pops a menu containing three
entries:
Add filter
Edit filter
Delete filter
Each of these actions is described in the next paragraphs.
2.3.2.3.1 Adding a filter
If you select "Add filter" a filter of the previously selected type is added
to the type list and you automatically get the Edit filter window for editing
this newly added filter. Since there is no limit on the number of filters per
type (other than memory space), it is possible to create filters with filter
numbers higher than 9. You can edit these filters directly after they have
been created, but please note that you can't edit them anymore through "Edit
filter" and you can't delete them through "Delete filter" unless you have
deleted filters with a lower filter number first. See "Editing a filter" and
"Deleting a filter".
2.3.2.3.2 Editing a filter
If you select "Edit filter" you are asked for a filter number in the range 1
to 9. Because the program reacts on the first key you press, the largest
filter number per type is limited to 9. After entering the filter number
you are presented with the Edit filter window which allows you to set or alter
the filter's destination address, source address, protocol type, contents and
contents offset, device number, and packet size lower and upper limit.
Criteria which are not set are left blank. If you set or alter the source or
destination address you are provided with a Host names menu containing the
hostnames from the DP.INI file (see "The DP.INI file"). If you select one of
these hostnames the source or destination address is set to the corresponding
Ethernet address. On top of the menu is an entry called "Self define". If you
select this one, you can enter the Ethernet address yourself, formatted
"xx:xx:xx:xx:xx:xx", where x is an hexadecimal digit. If for some reason the
Host names menu cannot be created (memory shortage), you can always enter the
source or destination adress in this way. If you set or alter the protocol
type you are provided with a Protocols menu containing the protocol names from
the DP.INI file (see "The DP.INI file"). If you select one of these protocol
names the protocol type is set to the corresponding protocol number. On top of
the menu is an entry called "Self define". If you select this one, you can
enter the protocol number yourself, formatted "xxxx", where x is an
hexadecimal digit. If for some reason the Protocols menu cannot be created
(memory shortage), you can always enter the protocol in this way.
2.3.2.3.3 Deleting a filter
If you select "Delete filter" you are asked for a filter number in the range 1
to 9. Because the program reacts on the first key you press, the largest
filter number per type is limited to 9. If you delete a filter, the filter
number of the next filters in the type list is decreased by one.
2.4 The Dumpfile Viewer
To start the Dumpfile Viewer you choose "FileView" in the Apps menu. After
this you get the Action menu containing six entries:
Show
Start
Stop
Hide
Reset
Update
Only the Start- and Stop-action are implemented within the Dumpfile Viewer,
other actions have no effect. The result of choosing these two entries will
be discussed in the next paragraphs. Pressing <ESC> returns you to the Apps
menu.
2.4.1 The Start-action
Selecting "Start" in the Action menu pops the Fileview menu, which contains
two entries:
View
Dumpfile
These entries is described in turn in the next paragraphs. From here on the
Dumpfile Viewer works exactly like the former standalone program NETVIEW,
only the packet number is now also displayed at the beginning of each line of
the Frame window. See also "Stop-action".
2.4.1.1 Viewing the packet dumpfile
Selecting "View" in the Fileview menu starts the viewing of the packet
dumpfile. If you haven't explicitly selected a packet dumpfile (see "Selecting
the packet dumpfile"), the default Packet Capture dumpfile PKTCAPT.DMP is
taken. "View" opens a screen sized Frame window with a list of the packets in
the dumpfile, one per line. At the bottom of the Frame window the packet
dumpfile name and its creation date and time are shown. Pressing <ESC> returns
you to the Fileview menu. Of each packet the packet number, the timestamp
since the start of the capturing (uS), the source address (Source), the
destination address (Dest), the protocol type (Type), the packet length in
bytes (Len) and some info (Info) are displayed. You can browse through the
list using the Up and Down arrow keys and the PgUp and PgDn keys. If you
select one of the packets by pressing <ENTER>, the packet's data (in
hexadecimal and ASCII dump) and, if it's a TCP/IP packet, also its IP datagram
header are shown. You can browse through the data using the Up and Down arrow
keys and the PgUp and PgDn keys. Pressing <ESC> returns you to the Frame
window.
2.4.1.2 Selecting the packet dumpfile
Choosing "Dumpfile" in the Fileview menu allows you to select the packet
dumpfile. The default filemask is "<current directory>\*.DMP", but you can
either give another filemask or give the filename directly. If you supply a
filemask, a Select File menu is opened and you can select a file by using the
Up and Down arrow keys (or the PgUp and PgDn keys) and giving <ENTER>.
2.4.2 The Stop-action
Selecting "Stop" in the Action menu stops the Dumpfile Viewer. You have to
perform the Stop-action before you can perform the Start-action again. See
also "Start-action".
2.5 The format of the packet dumpfile
The format of the packet dumpfile is as follows:
First 4 "records" containing some info about the dumpfile itself:
1) a dumpfile header record ("FRAME dumpfile") of 18 bytes;
2) a version number record ("v1.00") of 9 bytes;
3) a hdrinfo record of 15 bytes, containing the integer values (2 bytes) of
DPHDRINFO *hdrinfo (DestOff= 00 00 =0, SrcOff= 06 00 =6, TypOff= 0c 00 =12,
DatOff= 0e 00 =14, AddrLen= 06 00 =6, TypLen= 02 00=2);
4) a timestamp record of 21 bytes, formatted "mm/dd/yy hh:mm:ss",
and then the packet frame records.
All records start with a 1-byte tag:
0xfe = REC_HEADER for record "dumpfile header"
0xfd = REC_VERSION for record "version"
0xfc = REC_HDRINFO for record "hdrinfo"
0xfb = REC_TIMESTAMP for record "timestamp"
0xf8 = REC_FRAME for record "packet-frame",
followed by two bytes indicating the total record length (in bytes):
12 00 = 18 for record "dumpfile header"
09 00 = 9 for record "version"
0f 00 = 15 for record "hdrinfo"
15 00 = 21 for record "timestamp",
i.e. including the tag and the two length-bytes.
The packet frame records first start (after the tag-byte and 2 length-bytes)
with 18 bytes for the DPBUF-structure: 2 bytes for int Dev, 4 bytes for
unsigned long ClockMs, 2 bytes for unsigned Status, 2 bytes for unsigned Size,
4 bytes for BYTE *pBuf en 4 bytes for struct _DPBUF *pNext. Next is the
Ethernet packet itself. The Ethernet packet starts with a 6-bytes destination
address, followed by a 6-bytes source address, a 2-bytes protocol type and
then the data.
Next is an example of a packet dumpfile with 1 packet frame record.
0000: fe 12 00 46 52 41 4d 45 20 64 75 6d 70 66 69 6c "...FRAME dumpfil"
^ dumpfile header record
0010: 65 00 fd 09 00 76 31 2e 30 30 00 fc 0f 00 00 00 "e....v1.00......"
^ ^ version record ^ ^ hdrinfo
0020: 06 00 0c 00 0e 00 06 00 02 00 fb 15 00 30 31 2f ".............01/"
record ^ ^ timestamp
0030: 30 35 2f 39 31 20 31 35 3a 33 31 3a 33 38 00 f8 "05/91 15:31:38.."
record ^ ^
0040: 68 00 00 00 27 34 1f 00 00 00 53 00 98 1b b2 40 "h...'4....S....@"
| Dev | ClockMs |Stat.|Size | pBuf |
0050: 00 00 00 00 00 00 c0 62 73 12 00 00 c0 44 34 1c ".......bs....D4."
| pNext | dest. address | src. address |
0060: 08 00 45 00 00 45 6d b8 00 00 1e 11 08 4d 82 a1 "..E..Em......M.."
|p.typ| data
0070: 90 ab 82 a1 90 b5 04 0c 00 a1 00 31 98 9f 30 27 "...........1..0'"
data
0080: 02 01 00 04 09 6b 65 72 73 74 73 68 6f 77 a0 17 ".....kerstshow.."
data
0090: 02 02 07 fb 02 01 00 02 01 00 30 0b 30 09 06 05 "..........0.0..."
data
00a0: 2a 03 04 05 03 05 00 "*.....
data ^|
2.6 The format of the filter file
The filter should have the following layout:
First two characters indicating the filter type:
"+P" for a positive packet filter
"-P" for a negative packet filter
"+B" for a positive start ("begin") filter
"-B" for a negative start ("begin") filter
"+E" for a positive stop ("end") filter
"-E" for a negative stop ("end") filter
and then the filter's criteria. The following filter criteria are optional and
can be given in any order, but all filter criteria of the same filter should
be on the same line, following the filter type.
Destination address:
A tag "D", followed by the Ethernet address formatted "xx:xx:xx:xx:xx:xx",
where x is a hexadecimal digit.
Source address:
A tag "S", followed by the Ethernet address formatted "xx:xx:xx:xx:xx:xx",
where x is a hexadecimal digit.
Protocol type:
A tag "P", followed by the protocol number formatted "xxxx", where x is a
hexadecimal digit.
Contents:
A tag "C", followed by the contents formatted "xxxx...xx", where x is a
hexadecimal digit.
contents Offset:
A tag "O", followed by the contents offset (integer) from the beginning
of the packet.
device Number:
A tag "N", followed by the device number (integer).
packet length Lower limit:
A tag "L", followed by the packet size lower limit (integer).
packet length Upper limit:
A tag "U", followed by the packet size upper limit (integer).
Next is an example of a filter file with 1 positive packet filter with the
destination address set to Ethernet address 08:00:20:09:b3:92, the source
address to Ethernet address 00:00:c0:44:34:1c, the protocol type to 0800 (IP),
the contents to 2bdced at offset 17, the device number to 0, and the packet
size between 60 and 1500; and 1 negative start filter with the protocol type
set to 8035 (RARP).
+P D08:00:20:09:b3:92 S00:00:c0:44:34:1c P0800 C2bdced O17 N0 L60 U1500
-B P8035
-------------------------------------------------------------------------------
3. THE DP.INI FILE
3.1 Introduction
The DP.INI file is a file containing several definitions for BEHOLDER
applications, also for the Packet Capturer and the Dumpfile Viewer. For the
Packet Capturer only the HDRTYPE and the HDRADDR definitions are of interest
and will be discussed in the next paragraphs.
3.2 The HDRTYPE definitions
The HDRTYPE definitions contain the (key, description)-pairs for the
protocol names and their corresponding protocol numbers. The HDRTYPE
definition should start with the line:
DEFINE HDRTYPE 2 7 HEX
The "2" says the key (the protocol number) is 2 bytes long, the "7" that the
description (the protocol name) may be up to 7 characters long, and the "HEX"
that the key should be taken hexadecimal. After this the (key, description)-
pairs for the protocols follow in the form:
HDRTYPE 0xhh 0xhh ccccccc # Comment
where h is an hexadecimal digit, and c a character.
Following is an example for the definition of the ARP-protocol with protocol
number 806.
DEFINE HDRTYPE 2 7 HEX
HDRTYPE 0x80 0x06 ARP # Adress resolution
3.3 The HDRADDR definitions
The HDRTYPE definitions contain the (key, description)-pairs for the
hostnames and their corresponding Ethernet addresses. The HDRADDR definition
should start with the line:
DEFINE HDRADRR 6 13 HEX
The "6" says the key (the Ethernet address) is 6 bytes long, the "13" that the
description (the host name) may be up to 13 characters long, and the "HEX"
that the key should be taken hexadecimal. After this the (key, description)-
pairs for the hostnames follow in the form:
HDRADRR 0xhh 0xhh 0xhh 0xhh 0xhh 0xhh ccccccccccccc # Comment
where h is an hexadecimal digit, and c a character.
Following is an example for the definition of the host dutepp0 with Ethernet
address 08:00:20:09:b3:92.
DEFINE HDRADRR 6 13 HEX
HDRADRR 0x80 0x00 0x20 0x09 0xb3 0x92 dutepp0 # My host name
-------------------------------------------------------------------------------
4. THE RDUNIX-UTILITY
4.1 Introduction
With Gobbler distribution comes the source for the rdunix program, which
should be compiled with gcc. The rdunix program is a simple packet dumpfile
viewer to work under UNIX. The program is called with
%rdunix [dumpfile name]
If you leave out the dumpfile name, the file "netcapt.dmp" is read. BEWARE:
This program only works if the dumpfile is EXACTLY the same as under DOS, so
transfer the packet dumpfile from DOS to UNIX in BINARY mode!!!!!!! Check the
file length under both DOS and UNIX to be sure. The program reads the packet
frame length info from the dumpfile itself (see "The format of the packet
dumpfile"), and if the packet frame becomes smaller because the LF-bytes are
left out....
4.2 The rdunix output format
Following is an example of the rdunix output format.
FRAME #1
Frame length = 185
Logic device # = 0
Timestamp (in us): 566:672:591
Status 0
Packet length (in bytes) = 164
Destination address: 08:00:20:09:6b:39
Source address: aa:00:04:00:6b:74
Protocol type: 0800
Data:
45 00 00 96 28 67 00 00 1e 11 4d 56 82 a1 90 99 E...(g....MV....
82 a1 90 be 00 35 09 fa 00 82 66 6f 00 01 85 80 .....5....fo....
00 01 00 00 00 00 00 01 03 73 75 6e 03 73 6f 65 .........sun.soe
08 63 6c 61 72 63 73 6f 6e 03 65 64 75 02 65 74 .clarcson.edu.et
07 74 75 64 65 6c 66 74 02 6e 6c 00 00 01 00 01 .tudelft.nl.....
02 65 74 07 74 75 64 65 6c 66 74 02 6e 6c 00 00 .et.tudelft.nl..
06 00 01 00 01 42 b4 00 2d 05 64 6f 6e 61 75 c0 .....B..-.donau.
34 0e 6e 73 2d 6d 61 69 6e 74 61 69 6e 65 72 73 4.ns-maintainers
c0 4d 00 00 00 37 00 00 2a 30 00 00 0e 10 00 09 .M...7..*0......
3a 80 00 01 51 80 :...Q.
FRAME #2
Frame length = 172
Logic device # = 0
Timestamp (in us): 566:679:191
Status 0
Packet length (in bytes) = 151
Destination address: 08:00:20:09:6b:39
Source address: aa:00:04:00:6b:74
Protocol type: 0800
Data:
45 00 00 89 28 68 00 00 1e 11 4d 62 82 a1 90 99 E...(h....Mb....
82 a1 90 be 00 35 09 fb 00 75 1b 09 00 02 85 80 .....5...u......
00 01 00 00 00 00 00 01 03 73 75 6e 03 73 6f 65 .........sun.soe
08 63 6c 61 72 63 73 6f 6e 03 65 64 75 07 74 75 .clarcson.edu.tu
64 65 6c 66 74 02 6e 6c 00 00 01 00 01 07 74 75 delft.nl......tu
64 65 6c 66 74 02 6e 6c 00 00 06 00 01 00 01 2d delft.nl.......-
91 00 26 06 64 75 74 72 75 6e c0 31 06 64 6e 73 ..&.dutrun.1.dns
6d 67 72 c0 47 00 04 94 14 00 00 70 80 00 00 38 mgr.G......p...8
40 00 09 3a 80 00 01 51 80 @..:...Q.
-------------------------------------------------------------------------------
5. HISTORY
Gobbler history:
Version 1.0 (10/04/91) by Tirza van Rijn:
Made available for anonymous ftp on Friday, October 4th, 1991.
Version 1.1 (10/08/91) by Tirza van Rijn:
Fixed "printf statements in DPUINI.C" bug, which caused problems on
certain screen types. Made available for anonymous ftp on Wednesday,
October 9th, 1991.
Version 2.0 (10/22/91) by Tirza van Rijn:
Added display for total received packets and missed packets in Capture
Status window of the Packet Capturer. Added packet number to Frame window
of the Dumpfile Viewer. Fixed "on Reset dumpfile name not cleared" bug in
the Capture Status window of the Packet Capturer. Added file interface
(reading filter configuration from file and writing current filter
configuration to file) to the filters. Made available for anonymous ftp on
Friday, October 25th, 1991.