Security DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement




Top Ten Ethereal Tips and Tricks

by Angela D. Orebaugh, author of Ethereal Packet Sniffing
05/20/2004

Author's note: For several years I have been using Ethereal as both a troubleshooting and teaching tool and I always get the response, "Wow, I didn't know Ethereal could do that!" Ethereal rivals commercial sniffers with its abundance of features and hundreds of protocol dissectors. And best of all, it is free! Below is my list of ten Ethereal tips and tricks taken from my new book Ethereal Packet Sniffing.

The following menu and command-line options are based on Ethereal version 0.10.3, the latest at the time of this writing.

1. Installing the Packet Capture Driver

A lot of people get so excited about getting started with Ethereal that they often forget one crucial piece of software -- the packet capture driver! Ethereal uses this driver to pull the raw network traffic from the wire. Ethereal won't work without it. Make sure that you download and install libpcap (for Unix versions) or Winpcap (for Windows versions). libpcap can be downloaded from www.tcpdump.org and Winpcap can be downloaded from winpcap.polito.it.

2. Building Ethereal from Source

Installing Ethereal from the source code is very beneficial in a number of ways. Not only will you have all of the source code, additional documentation, and miscellaneous files to peruse, you will also have the ability to control numerous aspects of the build process. Building software from source will give you a better feel for how the whole process works and what goes on behind the scenes. What you will take away is a wealth of knowledge about the software package, programming, and operating system management.

3. Viewing Packets While Capturing

By default, Ethereal does not update the list of packets in the Summary Window during capture, but only once the capture is stopped. If you enable the "Update list of packets in real time" checkbox in the Capture Options dialog box, Ethereal will update the Summary Window as soon as a packet is captured and processed. By default, when Ethereal is updating the Summary Window during live capture, new packets are appended to the end of the Summary Window, and the Summary window does not scroll up old packets to reveal new ones. To have the Summary Window scroll up to display the most recent packets, enable the "Automatic scrolling in live capture" checkbox in the Capture Options dialog box. Sometimes, the constant scroll of the capture makes looking at a previous packet difficult, so you can select View -> Auto Scroll in Live Capture to enable or disable this feature.

4. Following the TCP Stream

Related Reading

Ethereal Packet Sniffing
Everything You Need to Know to Analyze Your Network
By Angela D. Orebaugh, Gilbert Ramirez,CISSP


Read Online--Safari Search this book on Safari:
 

Code Fragments only

One of the coolest features of Ethereal is its ability to reassemble all of the packets in a TCP conversation and display the ASCII in a very easy-to-read format. This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP. The data can also be viewed in EBCDIC, hex dump, and C arrays. This data can then be saved or printed. A good use for this can be to reconstruct a web page. Just follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML content offline, without the graphics of course, in a web browser. Selecting a TCP packet in the Summary Window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the Follow TCP Stream window. You can also right-click on a TCP packet in the Summary Window and choose Follow TCP Stream to display the window.

5. Adding Some Color to Your Packet Captures

Ethereal has the ability to color packets in the Summary Window that match a given display filter string, making patterns in the capture data more visible. This can be immensely useful when trying to follow request-response protocols where variations in the order of requests or responses may be interesting. You can color such traffic into as many categories as you'd like, and will be able to see at a glance what is going on from the Summary Window instead of having to go through the Protocol Tree Window for each packet. The Coloring Rules dialog box can be displayed by selecting View -> Coloring Rules.

6. Getting a List of Display Filter Field Names

Ethereal contains thousands of display filter fields to allow you to sort through data captures for exactly what you are looking for. There are several ways to list the display filter fields for each protocol. The first method is to use the main GUI by clicking on Help -> Supported Protocols -> Display Filter Fields. The next method is an undocumented (until now) command-line option for both Ethereal and Tethereal. The -G switch will produce a glossary of supported protocols and associated display field names. The -G option can also take a parameter. The -G protocols option outputs a list of supported protocols and the -G fields option shows both the protocols and supported fields. The glossary option output can be used to create a quick desk reference guide! Lastly, the ethereal-filter man page documents the supported protocols and associated display filter fields.

7. Sharing Your Filters

Ethereal provides an easy way to save filters and exchange them with your friends. Capture filters are saved in a file named cfilters, and display filters are saved in a file named dfilters. On a Unix system, those files are in your $HOME/.ethereal directory, while on a Windows system those files are in %APPDATA%\Ethereal, or if %APPDATA% isn't defined, in %USERPROFILE%\Application Data\Ethereal. These two files, cfilter and dfilter, are simple text files, with one record per line. You can paste new entries into these files and the next time you start Ethereal, the new filters will be available.

8. Efficiently Collecting and Manipulating Data

Most people who are familiar with Ethereal tend to use the Ethereal GUI. However, when Ethereal is installed it also comes with several other supporting programs: the command-line version of Ethereal, called Tethereal, and three other programs to assist you in manipulating capture files; editcap, mergecap, and text2pcap. These supporting program can be used together to provide very powerful capture file manipulation. For example, files can be captured with Tethereal, edited with editcap, and merged into a single packet capture file with mergecap. They can then be viewed with Ethereal or Tethereal. The vast capabilities of these supporting programs give you granular control when manipulating capture files.

9. Creating XML-Compatible Protocol Dissection Output

A new feature to Tethereal beginning in version 0.10.0 is the ability to display output in PDML format by using the -T pdml option. PDML is a simple language to format information related to packet decodes. The PDML data that Tethereal produces can be used as input to a custom program or script that will perform additional packet analysis. Combining this option with display filters allows you to create a powerful and efficient method of data collection and analysis.

10. Using Ethereal to Process Other Sniffer Capture Files

Ethereal can read and process previously saved capture files from a variety of packet capture programs and utilities. Because Ethereal uses the popular libpcap-based capture format, it interfaces easily with other products that use libpcap. Ethereal uses a library called wiretap to enable it to read a variety of other capture-file formats, as well. Ethereal can automatically determine what type of file it is reading and can also uncompress gzip files. It really is as easy as opening the file! Some of the supported capture formats include tcpdump, Windump, snoop, Microsoft Network Monitor, Sniffer Pro, EtherPeek, Snort, and HP-UX's nettl.

Angela D. Orebaugh is an information security technologist, scientist, and author with a broad spectrum of expertise in information assurance. She synergizes her 15 years of hands-on experiences within industry, academia, and government to advise clients on information assurance strategy, management, and technologies. She is also an Adjunct Professor for George Mason University where she performs research and teaching in intrusion detection and forensics.


Return to Security DevCenter.




Sponsored by: