Welcome to EtherPeek 3.5.2, our Ethernet network and protocol analysis software for the Macintosh platform.
Please read on for a change history, and list of new features and enhancements included in this release, Plug-in descriptions, compatibility issues, hardware interface support, and information on EtherPeek's expanded capability to resolve names of IP and AppleTalk devices with their respective Ethernet addresses.
3.5.2 - Changes since 3.5
• Pressing command-D at the "Save all packets?" dialog box is the same as clicking "Don't Save".
• Fixed a bug which prevented the reading of locked packet files.
• Fixed bug which prevented all packets from being analyzed in the statistics.
• Exporting of statistics to HTML files now uses " " instead of " ".
• Fixed a bug which caused the network statistics to display incorrectly when the network speed was set to 100MBit/sec.
• Replaced FTP Downloads Plug-in with FTP Analysis Plug-in.
• Modified Land Attack Plug-in to support logging, paging, and AppleScripts.
• Modified ICMP Plug-in to only display text by default (used to log events by default).
• Modified Checksum Plug-in to be disabled by default (used to log and display text by default).
• Added SMTP Analysis Plug-in (see description of plug-ins below).
• Summary statistics are no longer dumped to the log window in release versions of EtherPeek.
• A warning is no longer displayed when closing the statistics windows on quit if HTML output is enabled.
• Global Village k56Flex card support added to Hardware Interface files.
• Processing of packets is much faster.
• Log File window is now reopened if it was open at the time of the last quit.
• Resolving of Ethernet addresses follows rules defined by the user in Name Lookup Options.
• A few of the static text items in the Main and network statistics windows were changed to custom user items so they could be updated more quickly.
• Changed "Scroll During Capture" so auto scrolling will work immediately when starting capture.
• Changed "Scroll During Capture" so it will scroll to the end of the buffer only while capturing.
• Enabled "Protocol Descriptions" menu item when a protocol from the protocol statistics list is selected.
• Added a lock icon to Summary Statistics.
• Fixed a bug in the LAND Attack Plug-in which incremented the count every time "Get Packet String" was called for a LAND attack packet.
• Fixed an ICMP bug related to the mishandling of sliced packets.
• Added Source and Destination port columns in the Main window.
• Added new decoders which use the ‘NBNM’ command to decode NetBios names.
• Fixed code so Plug-ins without any actions could still maintain Summary Statistics values.
• "Save All Packets to Text" now adds a ‘\r’ after the column headers.
• Fixed logical address filters for ARP and AARP.
• Fixed the bug which caused timestamps to fail after 1h 11m 34s when capturing using OpenTransport.
• Start Triggers based on time now work when capturing on PCI PowerMacintoshes.
EtherPeek 3.5 New Features and Enhancements
• New Summary Statistics window for baselining and periodically monitoring key traffic elements. See the Release Notes for more information on how to use Summary Statistics.
• Support for native OpenTransport packet capture with DLPI drivers.
• Support for the built-in interface on desktop G3 PowerMacintosh systems.
• Support for the new PowerBook G3 Series.
• Name Resolver that resolves names for Hardware addresses.
• Live scrolling for Main window, decode windows, and log window.
• A prompt to save before discarding packets has been added as an option in the Capture Buffer Dialog.
• Launch time has been cut significantly.
• Expanded ProtoSpecs and Decoders.
• Keyboard navigation added to log and decoded packet windows added.
• Percent Utilization option added to the graph in the Network Statistics window.
• A simulated geiger counter sound option for each incoming packet.
• If live scrolling is deactivated in the Main window by packet line selection, scrolling resumes after 6 seconds.
• Entry in Destination and Dual Statistics windows for All Multicasts.
• Flickering in the main packet window drastically reduced.
• "Clear All Packets" command implemented for use while capturing.
• "Hide Unselected" command added to the Edit menu.
• Packet List header and memory usage graph present at all times.
• Main window now uses a standard window type.
• Saves window size and position on quit, restoring them on launch.
IMPORTANT! EtherPeek and MacOS 8.0
Versions of EtherPeek prior to 3.5 did not provide the ability to capture packets through built-in ports on PCI machines using MacOS 8.0. With EtherPeek 3.5, we have included an application that surmounts the issue of no name being returned by the built-in port on PCI machines, preventing the selection of a hardware interface for packet capture. This application patches the System file under MacOS 8.0, causing the operating system to use the Ethernet Shim on PCI PowerMacs. With this modification, EtherPeek can collect packets through the built-in port when you select the "Slot 0:..." option from EtherPeek's Select Ethernet dialog. If you need to run this patch, please use the EtherPeek Installer to do a custom install and select the "EtherPeek MacOS 8.0 Patch".
Note: The operating system patch is not needed on machines running MacOS 8.1.
If you need to restore the system back to the way it was before the patch was applied, the patch can be run a second time.
OT Module
EtherPeek 3.5.2 ships with a file named "EtherPeek OT Module". This module works with PCI based PowerMacintosh computers to significantly enhance capture performance. If you run the installer, a copy of this Module will be placed in your extensions folder and, when EtherPeek is run on a machine that supports it, EtherPeek will attempt to use this module. If the module is not present, EtherPeek will still be able to capture, but there will be no performance boost. This module can be used with the following:
- supported PCI cards (see list below)
- the built-in interface on Desktop G3 PowerMacintoshes
- the built-in interface on the PowerBook G3 Series
- the built-in interface on the iMac
- the internal interface on the PowerBook G3 (Domestic only)
- the internal interface on the PowerBook 3400 (Domestic only)
- PC cards on the PowerBook G3 Series, G3, 3400, and 2400 (see list below)
Compatibility Issues
AsantéFAST 10/100 card
In order to capture packets properly with the AsantéFAST 10/100 PCI card, network services must be using the card. For instance, configuring AppleTalk services to use the card will allow for accurate packet capture. Asanté has a beta driver which addresses this issue. For more information on how to receive the beta driver, please contact techsupport@aggroup.com.
DEC Fast EtherWORKS PCI10/100 DE500
Using this card for network services such as AppleTalk and TCP/IP while capturing may cause your machine to lock up. Configuring AppleTalk and TCP/IP to use other cards will avoid the problem. We are working with DEC to resolve this driver issue.
G3 Desktop PowerMacintosh Built-in Interface
EtherPeek supports capture on the built-in interface on desktop G3 PowerMacintosh systems. To use the built-in interface on these systems, select the "MotherBoard:..." interface.
Note: This interface may not work without network services using the built-in interface. If you experience difficulties, try configuring AppleTalk services to use this interface while capturing. This is a problem with the ethernet driver currently supplied by Apple. We are working with Apple to resolve this issue.
PowerBook G3
There are actually two separate products known as the PowerBook G3, there is a new PowerBook G3 Series and the old PowerBook G3 which is based on the PowerBook 3400. If you are not sure which PowerBook G3 you have, check on the cover of the PowerBook. If there is a big, white Apple logo, you have the new PowerBook G3 Series. If you have a small, color Apple logo, you have the older PowerBook G3. For instructions on the older PowerBook G3, please see the notes on the PowerBook 3400. On the new PowerBook G3 Series, when selecting an interface, select the "MotherBoard:..." option, not the "Slot 0:..." option.
iMac
EtherPeek 3.5.2 contains preliminary support for the iMac, although we have not had an opportunity to do any thorough testing. To capture on an iMac, select the "MotherBoard:..." option, not the "Slot 0:..." option.
PowerBook 3400 Internal Card - Special Drivers Required
In order to use the factory-supplied internal card shipped with all domestic versions of the PowerBook 3400 for EtherPeek's packet capture, you must first obtain an updated version of the DLPI drivers for the card. These drivers, are included in MacOS 8.1, or can be obtained separately from: <ftp://ftp.apple.com/Apple_Support_Area/Apple_Software_Updates/US/Macintosh/Unsupported/>.
Once you have the driver installed, run EtherPeek and select the "PCI:..." interface option from the Select Ethernet dialog.
PowerBook 3400 International Internal Card
In order to use the factory-supplied internal card shipped with the international version of the PowerBook 3400 for EtherPeek's packet capture, you must first obtain an updated driver that Apple will release with MacOS 8.5. The driver is still in the alpha-testing phase as of the writing of this document. Until MacOS 8.5 ships, please contact techsupport@aggroup.com for information on how to obtain a pre-release version of this driver.
Note: This information is subject to change. Please contact techsupport@aggroup.com for the latest info.
PCI Interfaces
EtherPeek provides support for an expanded list of PCI cards, including:
AsanteFast 10/100 PCI
Digital Fast EtherWORKS PCI 10/100 DE500
Kingston KNE100 PCI Fast Ethernet
Kingston KNE40 PCI Ethernet
Please check the Technical Support section at www.aggroup.com for interface support updates.
PCMCIA Interfaces for the PowerBook 2400, 3400, G3, & G3 Series
Global Village PowerPort Platinum Pro PC card
Global Village 56K Flex/Ethernet combo PC card
Kingston KNE-PC2 EtheRx IC PC Card
For a list of PC cards that will work on older PowerBooks, see http://www.aggroup.com/support/epmacreqs.htmy#pcmcia.
Note: You may need to contact your card vendor, or visit their web site, to download their most current drivers in order for EtherPeek to recognize and work with your NIC.
Please check the technical support section of www.aggroup.com for PC Card interface support updates.
Built-in Interfaces and Error Packet Capture
The built-in interface on NuBus and PCI Macintoshes do not process error packets and pass them on to EtherPeek currently. If you need to see an accurate representation of error packets on your network, please install a second supported interface in your machine and use that interface for EtherPeek's capture.
DLPI Drivers, FCS and Padding Bytes
DLPI drivers do not return the FCS (Frame Check Sequence) for any packets nor do they return the padding bytes for 802.3 packets that are less than 64 bytes. When EtherPeek decodes these packets, the FCS and padding bytes will show up as zeroes. Please note that this is NOT a bug in EtherPeek, and that the major portion of each packet is being provided by the program - only the padding bytes and FCS are missing. This does not affect byte counts or utilization statistics. The data is available from the Ethernet wire, but the DLPI driver doesn't pass that data to EtherPeek.
Network Speed Options
Portions of EtherPeek have been rewritten to better handle Ethernet cards with network rates of more or less than 10 megabits per second. A Network Speed dialog allows you to enter a value that reflects the card’s capabilities, such as 100 megabits per second.
Please check our web site for the most current list of supported 10/100 Fast Ethernet hardware interfaces.
Automatic Name Resolution
The 3.0 release of EtherPeek introduced the name resolution utility that looks up addresses for IP devices from a Domain Name Server and AppleTalk devices with names, and inserts them into the Name Table. With version 3.5 or later, when the program has resolved names, two entries are added into the Name Table, one for the logical address and one for the physical address.
The Resolve Names feature reports only on devices that respond within an allotted time frame. If some nodes don’t respond, you may need to query the network again, or change the time-out values using the Name Lookup Options dialog from the Special menu.
The Resolve Names utility will not be able to resolve all names on the network, particularly special names such as AppleTalk or IP broadcast and Ethernet loopback addresses. For these names, add entries to the Name Table manually.
Plug-Ins
The following is a list of all 3.5.2 EtherPeek Plug-ins with descriptions.
AppleTalk Details
Keeps track of and displays information about:
AARP requests
AARP responses
AARP probes
unanswered AARP requests
Keeps track of the number of AppleTalk multicasts
Checksums
Many network error detection and correction techniques are based on"checksums". When a sender transmits information (as bytes of data), a running total adding up all of the bytes sent is kept and then transmitted at the end of the data transmission. The receiver computes the total of the data received and compares it to the total transmitted. If a difference exists between the total bytes received and the total bytes computed, the data or the total is corrupted. The sender is then asked to retransmit the data.
The Checksums Plug-In verifies checksums and keeps track of the total number of invalid checksums for:
IP Headers
IP Data, including:
ICMP
IGMP
TCP
UDP
AppleTalk DDP (Data Delivery Protocol)
Invalid checksums are then displayed in EtherPeek's main packet list and log.
Duplicate Address
Displays and logs instances when two or more network devices are using the same IP address.
FTP Analysis
Displays a message when an FTP transfer occurs, showing the name of the file being downloaded. Keeps counts of transfers started, failed, and completed.
ICMP
ICMP (Internet Control Message Protocol) is defined as a maintenance protocol that handles error messages to be sent when packets are discarded or when systems experience congestion.
For instance, the classic TCP/IP test command is PING. It sends an ICMP Echo Request to a remote system's IP protocol. If the system responds, the link is operational. If it fails to respond to repeated pings, something is wrong.
Another key function of ICMP is to provide a dynamic means to ensure that your system has an up-to-date routing table. ICMP is part of any TCP/IP implementation and is enabled automatically. ICMP messages provide many functions, including route redirection.
If your workstation forwards a packet to a router, for example, and that router is aware of a shorter path to your destination, the router sends your workstation a "redirection" message informing it of a shorter route.
The ICMP Plug -In keeps track of and displays information about:
ICMP destination unreachable
ICMP redirects
ICMP address mask replies
ICMP source quench
More!
The Plug-In also displays ICMP type and code in EtherPeek's main packet list.
IP Details
Keeps track of and displays information about:
ARP requests
ARP responses
RARP Requests
RARP Responses
DNS requests, responses
Sequence and Ack numbers
Land Attack
Warns of Land Attacks. A Land Attack occurs when someone sends an IP packet with the same source and destination addresses. This confuses the device that receives the packet, causing the device to respond to itself. In the case of a client-server request, a client sends an IP packet with the same source and destination address, causing an endless response loop, preventing the server from responding to other requests.
Newsgroup Watcher
Displays and logs accesses to newsgroups
Oversize IP
Displays and logs IP Packets, such as Ping of Death packets, that are outside the legal size limit of an IP packet
SMTP Analysis
Displays the contents of SMTP sessions in the packet list.
Telnet
Displays the contents of telnet sessions
Web URL
Displays and logs accesses to URLs
EtherHelp
EtherHelp is a blind packet capture application specifically designed to help people who design, build, manage and support networks get a better idea of what is happening on a LAN or WAN without having to visit that location. Licensed owners of EtherPeek may freely distribute EtherHelp to users at remote locations and instruct them to capture and save packet traces to be returned for analysis. EtherHelp may be downloaded from <ftp://ftp.aggroup.com/public/support/EtherPeek/>.
