Author's note: For several years I have been using Ethereal as both a troubleshooting and teaching tool and I always get the response, "Wow, I didn't know Ethereal could do that!" Ethereal rivals commercial sniffers with its abundance of features and hundreds of protocol dissectors. And best of all, it is free! Below is my list of ten Ethereal tips and tricks taken from my new book Ethereal Packet Sniffing.
The following menu and command-line options are based on Ethereal version 0.10.3, the latest at the time of this writing.
A lot of people get so excited about getting started with Ethereal that they often forget
one crucial piece of software -- the packet capture driver! Ethereal uses this driver to
pull the raw network traffic from the wire. Ethereal won't work without it. Make sure
that you download and install
libpcap (for Unix versions) or Winpcap (for Windows
libpcap can be downloaded from www.tcpdump.org
and Winpcap can be downloaded from winpcap.polito.it.
Installing Ethereal from the source code is very beneficial in a number of ways. Not only will you have all of the source code, additional documentation, and miscellaneous files to peruse, you will also have the ability to control numerous aspects of the build process. Building software from source will give you a better feel for how the whole process works and what goes on behind the scenes. What you will take away is a wealth of knowledge about the software package, programming, and operating system management.
By default, Ethereal does not update the list of packets in the Summary Window during capture, but only once the capture is stopped. If you enable the "Update list of packets in real time" checkbox in the Capture Options dialog box, Ethereal will update the Summary Window as soon as a packet is captured and processed. By default, when Ethereal is updating the Summary Window during live capture, new packets are appended to the end of the Summary Window, and the Summary window does not scroll up old packets to reveal new ones. To have the Summary Window scroll up to display the most recent packets, enable the "Automatic scrolling in live capture" checkbox in the Capture Options dialog box. Sometimes, the constant scroll of the capture makes looking at a previous packet difficult, so you can select View -> Auto Scroll in Live Capture to enable or disable this feature.
Read Online--Safari Search this book on Safari:
One of the coolest features of Ethereal is its ability to reassemble all of the packets in a TCP conversation and display the ASCII in a very easy-to-read format. This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP. The data can also be viewed in EBCDIC, hex dump, and C arrays. This data can then be saved or printed. A good use for this can be to reconstruct a web page. Just follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML content offline, without the graphics of course, in a web browser. Selecting a TCP packet in the Summary Window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the Follow TCP Stream window. You can also right-click on a TCP packet in the Summary Window and choose Follow TCP Stream to display the window.
Ethereal has the ability to color packets in the Summary Window that match a given display filter string, making patterns in the capture data more visible. This can be immensely useful when trying to follow request-response protocols where variations in the order of requests or responses may be interesting. You can color such traffic into as many categories as you'd like, and will be able to see at a glance what is going on from the Summary Window instead of having to go through the Protocol Tree Window for each packet. The Coloring Rules dialog box can be displayed by selecting View -> Coloring Rules.
Ethereal contains thousands of display filter fields to allow you to sort through data
captures for exactly what you are looking for. There are several ways to list the display
filter fields for each protocol. The first method is to use the main GUI by clicking on
Help -> Supported Protocols -> Display Filter Fields. The next method is an
undocumented (until now) command-line option for both Ethereal and Tethereal. The
-G switch will produce a glossary of supported protocols and associated display field
-G option can also take a parameter. The
-G protocols option outputs a
list of supported protocols and the
-G fields option shows both the protocols and
supported fields. The glossary option output can be used to create a quick desk
reference guide! Lastly, the
man page documents the supported
protocols and associated display filter fields.
Ethereal provides an easy way to save filters and exchange them with your friends.
Capture filters are saved in a file named cfilters, and display filters are saved in a file
named dfilters. On a Unix system, those files are in your
while on a Windows system those files are in
%APPDATA%\Ethereal, or if
%APPDATA% isn't defined, in
%USERPROFILE%\Application Data\Ethereal. These
two files, cfilter and dfilter, are simple text files, with one record per line. You can
paste new entries into these files and the next time you start Ethereal, the new filters
will be available.
Most people who are familiar with Ethereal tend to use the Ethereal GUI. However,
when Ethereal is installed it also comes with several other supporting programs: the
command-line version of Ethereal, called Tethereal, and three other programs to assist
you in manipulating capture files;
text2pcap. These supporting program can be used together to provide very powerful capture file manipulation. For example, files can be captured with Tethereal, edited with
editcap, and merged into a
single packet capture file with
mergecap. They can then be viewed with Ethereal or Tethereal. The vast capabilities of these supporting programs give you granular control
when manipulating capture files.
A new feature to Tethereal beginning in version 0.10.0 is the ability to display output in
PDML format by using the
-T pdml option. PDML is a simple language to format
information related to packet decodes. The PDML data that Tethereal produces can be
used as input to a custom program or script that will perform additional packet
analysis. Combining this option with display filters allows you to create a powerful
and efficient method of data collection and analysis.
Ethereal can read and process previously saved capture files from a variety of packet
capture programs and utilities. Because Ethereal uses the popular
capture format, it interfaces easily with other products that use
libpcap. Ethereal uses a
wiretap to enable it to read a variety of other capture-file formats, as well.
Ethereal can automatically determine what type of file it is reading and can also
gzip files. It really is as easy as opening the file! Some of the supported
capture formats include
snoop, Microsoft Network Monitor, Sniffer Pro, EtherPeek, Snort, and HP-UX's
Angela D. Orebaugh is an information security technologist, scientist, and author with a broad spectrum of expertise in information assurance. She synergizes her 15 years of hands-on experiences within industry, academia, and government to advise clients on information assurance strategy, management, and technologies. She is also an Adjunct Professor for George Mason University where she performs research and teaching in intrusion detection and forensics.
Return to Security DevCenter.
Copyright © 2009 O'Reilly Media, Inc.