ipspy and tcpdump


Pierre Jelenc

Sep 3, 2008, 6:19:16 PM

How exactly do ipspy and tcpdump work? The readme for tcpdump says to
install according to the readme for ipspy, but that contains no
instructions, only what appears to be a list of available functions in the
dll.

If I put them all together in one directory and start tcpdump all I see is
an error message:

tcpdump.exe
IpSpy Version: 01.40.00 on device lan0
tcpdump.exe: IpSpy_QueryReceiveMode error: Cannot open IPSPY.OS2

These seem to be the relevant files (from Hobbes)
29,696 404 ipspy.dll
2,048 0 ipspy.lib
2,905 208 ipspy.os2
33,792 61 iptest.exe
38,400 61 iptracx.exe
182,536 359 tcpdump.exe

Also, how does this compare with iptrace? I've been asked to do a tcpdump
for diagnosis purposes but I wonder if iptrace would yield the same info.

Thanks,

Pierre
--
Pierre Jelenc
The Gigometer www.web-ho.com/gigs.html
The NYC Beer Guide www.nycbeer.org

Paul Ratcliffe

Sep 4, 2008, 8:51:02 AM
On Wed, 3 Sep 2008 22:19:16 +0000 (UTC), Pierre Jelenc <rc...@panix.com> wrote:

> tcpdump.exe
> IpSpy Version: 01.40.00 on device lan0
> tcpdump.exe: IpSpy_QueryReceiveMode error: Cannot open IPSPY.OS2

You need to add "DEVICE=d:\path\IPSPY.OS2" to CONFIG.SYS and reboot.

> Also, how does this compare with iptrace? I've been asked to do a tcpdump
> for diagnosis purposes but I wonder if iptrace would yield the same info.

Probably. I don't know what the raw data formats are or whether they are
compatible. You get a text listing of IPTRACE's dump file using IPFORMAT.

Pierre Jelenc

Sep 4, 2008, 3:40:02 PM
Paul Ratcliffe <abus...@orac.clara.co.uk> writes:
>
> You need to add "DEVICE=d:\path\IPSPY.OS2" to CONFIG.SYS and reboot.

Ah, indeed; it's buried in the middle of the file, I totally missed it.

> Probably. I don't know what the raw data formats are or whether they are
> compatible. You get a text listing of IPTRACE's dump file using IPFORMAT.

Apparently that format is too intricate. I was told that the traces are
hard to deal with, and to see if I could provide them in "pcap format"
that would make diagnosis much simpler. That would be the tcpdump format,
I gather.

Thanks, I'll reboot and try again.

Pierre Jelenc

Sep 4, 2008, 6:07:43 PM
Pierre Jelenc <rc...@panix.com> writes:
> Paul Ratcliffe <abus...@orac.clara.co.uk> writes:
> >
> > You need to add "DEVICE=d:\path\IPSPY.OS2" to CONFIG.SYS and reboot.
>
> Ah, indeed; it's buried in the middle of the file, I totally missed it.
>
> > Probably. I don't know what the raw data formats are or whether they are
> > compatible. You get a text listing of IPTRACE's dump file using IPFORMAT.
>
> Apparently that format is too intricate. I was told that the traces are
> hard to deal with, and to see if I could provide them in "pcap format"
> that would make diagnosis much simpler. That would be the tcpdump format,
> I gather.
>
> Thanks, I'll reboot and try again.

Well, another problem. I get a trap during config.sys:

Exception in module IPSPY
trap 000d
[...]
internal revision 14.100c_W4

Can someone verify that the file is dated 1998/05/31 and is 2905 bytes?

Thanks,

Paul Ratcliffe

Sep 6, 2008, 12:15:09 PM
On Thu, 4 Sep 2008 22:07:43 +0000 (UTC), Pierre Jelenc <rc...@panix.com> wrote:

> Well, another problem. I get a trap during config.sys:
>
> Exception in module IPSPY
> trap 000d
> [...]
> internal revision 14.100c_W4

I think I got that as well.

> Can someone verify that the file is dated 1998/05/31 and is 2905 bytes?

Mine is.

Bob Eager

Sep 6, 2008, 1:44:15 PM
On Wed, 3 Sep 2008 22:19:16 UTC, rc...@panix.com (Pierre Jelenc) wrote:

> Also, how does this compare with iptrace? I've been asked to do a tcpdump
> for diagnosis purposes but I wonder if iptrace would yield the same info.

IPTRACE will only monitor data to/from the machine's own interfaces (e.g.
lo0 and lan0). IPSPY will (if the card/driver support it) allow
promiscuous mode, and monitoring of everything on the LAN (assuming it
isn't connected via a switch, which it probably is).


Bob Eager

Sep 6, 2008, 1:44:16 PM
On Thu, 4 Sep 2008 22:07:43 UTC, rc...@panix.com (Pierre Jelenc) wrote:

> Well, another problem. I get a trap during config.sys:
>
> Exception in module IPSPY
> trap 000d
> [...]
> internal revision 14.100c_W4

Did you actually configure it using MPTS?


Pierre Jelenc

Sep 6, 2008, 5:41:46 PM

Er, no. Am I supposed to? There's no mention of that in the docs, only to
add the DEVICE line in config.sys, and add 3 lines to \IBMCOM\PROTOCOL.INI

[IPSPY_NIF]
drivername = IPSPY$
bindings = [MAC address]

I put the MAC as netstat -n prints it (that's the "physical address",
right?) without ":" or "-" or "0x".

Rebooted and trapped. I REM'd the DEVICE line in config.sys and haven't
done anything since.

Bob Eager

Sep 6, 2008, 6:30:24 PM
On Sat, 6 Sep 2008 21:41:46 UTC, rc...@panix.com (Pierre Jelenc) wrote:

> Bob Eager <rd...@spamcop.net> writes:
> > On Thu, 4 Sep 2008 22:07:43 UTC, rc...@panix.com (Pierre Jelenc) wrote:
> >
> > > Well, another problem. I get a trap during config.sys:
> > >
> > > Exception in module IPSPY
> > > trap 000d
> > > [...]
> > > internal revision 14.100c_W4
> >
> > Did you actually configure it using MPTS?
>
> Er, no. Am I supposed to?

No...just checking.

> There's no mention of that in the docs, only to
> add the DEVICE line in config.sys, and add 3 lines to \IBMCOM\PROTOCOL.INI
>
> [IPSPY_NIF]
> drivername = IPSPY$
> bindings = [MAC address]
>
> I put the MAC as netstat -n prints it (that's the "physical address",
> right?) without ":" or "-" or "0x".

No, it doesn't tell you to use the MAC address. Read carefully:

" You must add the following 3 lines at the end of the file
[IPSPY_NIF]
drivername = IPSPY$
bindings = MYMAC
where MYMAC is the section name of the MAC adapter driver
you want to use.(only one adapter is supported) "

So, if you had a BroadCom B57 NIC and driver, as I have, you'd already
have (probably near the bottom):

[B57_nif]
DriverName = B57$

In which case you'd need, for your 'bindings' line:

bindings = B57_nif

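The mistake in this exchange (putting a MAC address where a section name belongs) is easy to catch before rebooting. Below is an added example, not from the thread or from the IPSPY package, that parses a PROTOCOL.INI in the layout quoted above and reports whether the `[IPSPY_NIF]` section binds to an existing MAC driver section. The section and key names are those quoted in the thread; the B57 driver section and the sample file contents are constructed for illustration.

```python
"""Sanity-check the [IPSPY_NIF] binding in an OS/2 PROTOCOL.INI.

Added example (not part of the thread or the IPSPY package). It assumes the
layout quoted in the thread: an [IPSPY_NIF] section with drivername = IPSPY$
and a bindings value that must name another section (the MAC adapter
driver's section, e.g. [B57_nif]), not a hardware address.
"""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z0-9_$]+)\s*=\s*(.*?)\s*$")
# 12 hex digits (optionally 0x-prefixed) or the colon/dash separated form:
# either way it is a MAC address, which is the wrong thing to put here.
MAC_RE = re.compile(
    r"^(?:0x)?[0-9A-Fa-f]{12}$|^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"
)


def parse_protocol_ini(text):
    """Parse PROTOCOL.INI into {section: {key: value}}.

    Keys are lower-cased (PROTOCOL.INI keys are not case-sensitive);
    section names keep their original spelling.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def check_ipspy_binding(text):
    """Return a list of problems with [IPSPY_NIF]; an empty list means it looks usable."""
    sections = parse_protocol_ini(text)
    by_lower = {name.lower(): name for name in sections}  # case-insensitive lookup
    ipspy = sections.get(by_lower.get("ipspy_nif", ""))
    if ipspy is None:
        return ["missing [IPSPY_NIF] section"]
    problems = []
    if ipspy.get("drivername", "").upper() != "IPSPY$":
        problems.append("drivername must be IPSPY$")
    binding = ipspy.get("bindings", "")
    if not binding:
        problems.append("bindings line missing")
        return problems
    if "," in binding:
        problems.append("only one adapter is supported; bindings must name a single section")
    elif MAC_RE.match(binding):
        problems.append(
            f"bindings = {binding} looks like a MAC address; it must be a section name"
        )
    elif binding.lower() not in by_lower:
        problems.append(f"bindings = {binding} does not name any section in the file")
    elif "drivername" not in sections[by_lower[binding.lower()]]:
        problems.append(f"section [{binding}] has no DriverName, so it is not a MAC driver section")
    return problems


# Constructed sample files: the first repeats the MAC-address mistake from the
# thread, the second binds to the driver section as the README intends.
WRONG_INI = """[B57_nif]
DriverName = B57$

[IPSPY_NIF]
drivername = IPSPY$
bindings = 001122334455
"""

RIGHT_INI = """[B57_nif]
DriverName = B57$

[IPSPY_NIF]
drivername = IPSPY$
bindings = B57_nif
"""

if __name__ == "__main__":
    for label, ini in (("wrong", WRONG_INI), ("right", RIGHT_INI)):
        print(label, check_ipspy_binding(ini) or "OK")
```

Running the script prints the MAC-address complaint for the first sample and `OK` for the second. The check is deliberately conservative: it only reads the file, so it can be run on a copy of `\IBMCOM\PROTOCOL.INI` before the reboot that would otherwise surface the trap.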
Pierre Jelenc

Sep 6, 2008, 8:00:14 PM
Bob Eager <rd...@spamcop.net> writes:
> So, if you had a BroadCom B57 NIC and driver, as I have, you'd already
> have (probably near the bottom):
>
> [B57_nif]
> DriverName = B57$
>
> In which case you'd need, for your 'bindings' line:
>
> bindings = B57_nif

Ah, I totally misunderstood it. Thanks, now it works.

noname

Sep 8, 2008, 8:37:34 AM

Actually, the later IPTRACE WILL do promiscuous mode. Just start

IPTRACE -p

Also, IPFORMAT will output the trace in Sniffer format (that
can be read by ETHEREAL/Wireshark).

IPFORMAT -x

These options work VERY well.

Bob Plyler
