Ethereal Part #I
Sung Kyun Kwan University HIT Lab.
Jung-yoon Kim (jykim@hit.skku.edu)
Copyright (c) Sungkyunkwan University

Contents
- Introduction: what is traffic characterization? what is packet capturing? what is Ethereal?
- Setting up Ethereal: setting up libpcap (the portable packet-capturing library); setting up Ethereal
- Ethereal menu overview
- Using the basic functions of Ethereal
- Using the advanced functions of Ethereal
- Demo

Introduction: What is traffic characterization? [1]
- Characterizing traffic underpins the scheduling of network traffic, traffic shaping, flow control and congestion control.
- It matters more as high-bandwidth, real-time applications emerge and the Internet population grows exponentially.

Introduction: Packet capturing [2]
Capture tools differ in how much analysis or interpretation they provide after a packet is captured:
- Packet sniffers generally do the least amount of analysis.
- Protocol analyzers provide the greatest level of interpretation.
- Packet analyzers typically lie somewhere in between packet sniffers and protocol analyzers.
- Traffic monitors are typically more concerned with collecting statistical information.

Introduction: What is Ethereal?
- A protocol analyzer.
- An open-source packet-capturing tool.
- Runs on UNIX, Linux, Mac OS X, Solaris, Windows, etc.
- Requires libpcap (the portable packet-capturing library; on Windows its port, WinPcap).
- Provides packet sniffing, parsing (protocol dissection) and statistical information.

Setting up Ethereal: libpcap [3, 4, 5]
- libpcap is the application programming interface (library) for capturing packets; Ethereal links against it rather than reading the network interface itself.

Setting up Ethereal: Ethereal installer
- Option "Start WinPcap service 'NPF' at startup": if it is checked, users without Admin privileges can capture packets.
- Caveat: with NPF started at boot, any local user, not only administrators, can then sniff all traffic on the host's interfaces, so leave it unchecked on shared machines unless that is intended.

Ethereal menu overview
- Starting Ethereal shows the main window with the menu bar below.
- File: save capture results to files; load results from files.
- Edit: find a packet by display filter expression, hex value or string; mark the current packet; set preferences (GUI environment).
- View: set coloring rules (packets are colored by display filter expression); zoom in, zoom out;
  configure the toolbar.
- Go: find a packet by packet number; go to the first or last packet.
- Capture: select the interfaces to capture on; set capture options; start, stop or restart capturing; manage capture filters (libpcap/BPF syntax, applied while capturing).
- Analyze: manage display filters (Ethereal syntax, applied to packets already captured); enable or disable protocol dissectors; Expert Info (errors, warnings, notes, chats); follow a TCP stream.
- Statistics: summary; graphs; protocol hierarchy statistics; statistical information per packet and per conversation.
- Help: supported protocols; links to the online manual; the display filter reference.

Using the basic functions of Ethereal: Capture
- Selecting interfaces: choose the interface to listen on (Capture > Interfaces).
- Setting options: capture filter, promiscuous mode, file to save to, and stop conditions (Capture > Options).
- Start the capture, let the packet list fill, then stop it; the three panes show the packet list, the decoded packet details and the raw bytes.

Using the advanced functions of Ethereal: display filter expressions
Examples of display filters (typed into the filter bar; "eq" and "==" are equivalent):
- eth.dst eq ff:ff:ff:ff:ff:ff : frames sent to the Ethernet broadcast address
- ip.dst eq www.mit.edu : a host name is resolved to its IP address when the filter is applied
- ip.src == 192.168.1.1 : packets from one source address
- ip.addr == 129.111.0.0/16 : source or destination address inside a CIDR network
- tcp.port == 80 and ip.src == 192.168.2.1 : tcp.port matches either the source or the destination port; "and" combines conditions
- http.request.method == "POST" : string comparison on a dissected HTTP field
- eth.src[0:3] == 00:00:83 : a byte slice (here the first three bytes, the vendor OUI) of a field
- http.content_type[0:4] == "text" : a slice of a string field

Using the advanced functions of Ethereal: Analyze
- Follow TCP Stream: reassembles both directions of one TCP conversation, in sequence-number order, into a readable view of the application payload (for example the full HTTP request and response).
- Expert Info: lists the anomalies the dissectors noticed, grouped as errors, warnings, notes and chats (for example retransmissions or malformed packets).

Using the advanced functions of Ethereal: Statistics
- Summary: totals for the capture (duration, packet and byte counts, average rates).
- Conversations: one row per endpoint pair (Ethernet, IP, TCP, UDP) with packet and byte counts in each direction.
- Flow Graph: a ladder diagram of the packets exchanged between hosts over time.

Demo
- Ethereal demo.
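Added example, not part of the original slides and not Ethereal's own code: a small Python script that builds a constructed four-frame capture, writes and reads it back in libpcap file format, dissects Ethernet II / IPv4 / TCP into Ethereal-style field names, and then evaluates the display filters from the slide above as well as Statistics > Conversations and Analyze > Follow TCP Stream over it. Every MAC address, IP address and payload is made up; the filter semantics are a deliberately simplified reimplementation of Ethereal's (HTTP is recognised only by destination port 80 plus the request line, and stream reassembly assumes no loss or retransmission).

```python
import struct
import ipaddress

def mac(s):
    return bytes.fromhex(s.replace(':', ''))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet II / IPv4 / TCP frame for test data; checksums are left zero, so it is not sendable."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b'\x08\x00' + ip + tcp

def write_pcap(frames):
    """Classic libpcap file: global header (magic, v2.4, snaplen, link type 1 = Ethernet) + per-record headers."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack('<IIII', 1000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from a libpcap file, honouring the byte order announced by the magic number."""
    magic = struct.unpack_from('<I', data, 0)[0]
    endian = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}[magic]
    if struct.unpack_from(endian + 'I', data, 20)[0] != 1:
        raise ValueError('only Ethernet link type handled here')
    off = 24
    while off < len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Decode just the fields the filters below need, named the way Ethereal names them."""
    pkt = {'frame.len': len(frame), 'eth.dst': frame[0:6], 'eth.src': frame[6:12],
           'eth.type': int.from_bytes(frame[12:14], 'big')}
    if pkt['eth.type'] != 0x0800:
        return pkt
    ihl, ip_end = (frame[14] & 0x0F) * 4, 14 + int.from_bytes(frame[16:18], 'big')
    pkt['ip.proto'] = frame[23]
    pkt['ip.src'], pkt['ip.dst'] = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
    if pkt['ip.proto'] != 6:
        return pkt
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from('!HHI', frame, t)
    doff = (frame[t + 12] >> 4) * 4
    pkt.update({'tcp.srcport': sport, 'tcp.dstport': dport, 'tcp.seq': seq, 'tcp.payload': frame[t + doff:ip_end]})
    return pkt

def ip_addr_in(pkt, net):  # ip.addr matches if either the source or the destination is in the network
    return any(pkt[k] in net for k in ('ip.src', 'ip.dst') if k in pkt)

FILTERS = {  # the slide's expressions, each as a predicate over a dissected packet
    'eth.dst eq ff:ff:ff:ff:ff:ff': lambda p: p['eth.dst'] == mac('ff:ff:ff:ff:ff:ff'),
    'ip.src == 192.168.1.1': lambda p: p.get('ip.src') == ipaddress.IPv4Address('192.168.1.1'),
    'ip.addr == 129.111.0.0/16': lambda p: ip_addr_in(p, ipaddress.ip_network('129.111.0.0/16')),
    'tcp.port == 80 and ip.src == 192.168.2.1': lambda p: 80 in (p.get('tcp.srcport'), p.get('tcp.dstport'))
    and p.get('ip.src') == ipaddress.IPv4Address('192.168.2.1'),
    # simplification: Ethereal's HTTP dissector keys on port 80; here the method is read off the payload
    'http.request.method == "POST"': lambda p: p.get('tcp.dstport') == 80 and p.get('tcp.payload', b'').startswith(b'POST '),
    'eth.src[0:3] == 00:00:83': lambda p: p['eth.src'][0:3] == mac('00:00:83'),  # byte slice of a field
}

def apply_filter(packets, expr):
    """1-based frame numbers matching a display filter, as Ethereal's packet list would show them."""
    return [i for i, p in enumerate(packets, 1) if FILTERS[expr](p)]

def conversations(packets):
    """Statistics > Conversations for TCP: endpoint pair -> (packet count, total bytes on the wire)."""
    stats = {}
    for p in packets:
        if 'tcp.srcport' in p:
            key = frozenset([(p['ip.src'], p['tcp.srcport']), (p['ip.dst'], p['tcp.dstport'])])
            n, b = stats.get(key, (0, 0))
            stats[key] = (n + 1, b + p['frame.len'])
    return stats

def follow_tcp_stream(packets, endpoint_a, endpoint_b):
    """Analyze > Follow TCP Stream: per direction, payloads joined in sequence-number order.
    Assumes no loss; a real reassembler must also handle gaps, overlaps and retransmissions."""
    a = (ipaddress.IPv4Address(endpoint_a[0]), endpoint_a[1])
    b = (ipaddress.IPv4Address(endpoint_b[0]), endpoint_b[1])
    segs = {a: [], b: []}
    for p in packets:
        if 'tcp.srcport' in p:
            src, dst = (p['ip.src'], p['tcp.srcport']), (p['ip.dst'], p['tcp.dstport'])
            if {src, dst} == {a, b}:
                segs[src].append((p['tcp.seq'], p['tcp.payload']))
    return {f'{ip}:{port}': b''.join(pl for _, pl in sorted(s)) for (ip, port), s in segs.items()}

# Constructed sample capture (not real traffic). Frame 2 is the client's second segment and is
# captured before its first (frame 3) to show that Follow TCP Stream orders by sequence number.
CLIENT, SERVER = ('192.168.2.1', 40000), ('129.111.10.20', 80)
REQ = b'POST /login HTTP/1.0\r\n\r\nuser=a'
FRAMES = [
    build_frame('00:00:83:00:00:01', 'ff:ff:ff:ff:ff:ff', '192.168.1.1', '192.168.1.255', 5000, 80, 1, b''),
    build_frame('00:0c:29:11:22:33', '00:0c:29:44:55:66', CLIENT[0], SERVER[0], 40000, 80, 1 + len(REQ), b'&pass=b'),
    build_frame('00:0c:29:11:22:33', '00:0c:29:44:55:66', CLIENT[0], SERVER[0], 40000, 80, 1, REQ),
    build_frame('00:0c:29:44:55:66', '00:0c:29:11:22:33', SERVER[0], CLIENT[0], 80, 40000, 1, b'HTTP/1.0 200 OK\r\n\r\n'),
]
PACKETS = [dissect(f) for f in read_pcap(write_pcap(FRAMES))]

if __name__ == '__main__':
    for expr in FILTERS:
        print(f'{expr:45} -> frames {apply_filter(PACKETS, expr)}')
    for side, data in follow_tcp_stream(PACKETS, CLIENT, SERVER).items():
        print(side, data)
```

The frame numbers printed match what the slide's filters would select in Ethereal's packet list for the same capture; the reassembled client side reads as one HTTP POST even though its two segments were captured out of order, which is exactly the view Follow TCP Stream gives and the reason credentials sent over plain HTTP are trivially recovered from a capture.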
References
[1] http://public.lanl.gov/feng/research/ntc.html
[2] http://www.unix.org.ua/orelly/networking_2ndEd/tshoot/ch05_01.htm
[3] http://www.tcpdump.org/pcap.htm
[4] http://joinc.co.kr/modules.php?name=News&file=article&sid=112
[5] http://www.winpcap.org/install/default.htm