Ethereal Guide for Windows
Sniffing the glue that holds
the Internet together™
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Ethereal is a free network protocol analyzer for UNIX and Windows.
It allows you to examine data from a live network or from a capture
file on disk. You can interactively browse the capture data, viewing
summary and detail information for each packet. Ethereal has several
powerful features, including a rich display filter language and the
ability to view the reconstructed stream of a TCP session.
This resource can be obtained from as a 7.3mb [approx] download.
Currently it can be implemented on the following platforms: - AIX, Compaq (formerly
Digital) Tru64 Unix, Debian GNU/Linux, FreeBSD, HP-UX, Irix, LinuxPPC, Linux
Mandrake, MacOS X, NetBSD, OpenBSD, Red Hat Linux, s/390 (Linux), SCO
UnixWare 7, Solaris/Intel, Solaris/SPARC, Slackware Linux, SuSE Linux and Windows
OT/NT (95/98/ME, NT4/2000/XP).
Installation for Windows
The following page is
1. You must visit
to download and install the WinPCap
driver. Ethereal requires this to capture
packets sent via your NIC.
2. Download and install the Ethereal
©All rights
Pack produced by
[email protected]
Page 2 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
How does a Packet Sniffer Work
“If, he thought to himself, such a machine is a virtual impossibility, then it must logically be a finite improbability. So all I
have to do in order to make one is to work out exactly how improbable it is, feed that figure into the finite improbability
generator, give it a fresh cup of really hot tea ... and turn it on!” Douglas Adams, Hitch Hikers Guide to the Galaxy
Packet Sniffer
[Capture Driver]
NIC or other
Interface Device
Operating System
application of OSI layers
7 down to 2
The packet sniffer uses the probe to act as a ‘buffer’ to capture a copy of data packets on
normal transit, to and from the computer.
It has no direct impact on the normal running of the computer and the network,
effectively acting as a parasite.
“A program and/or device that monitors data travelling over a network. Sniffers can be
used both for legitimate network management functions and for stealing information off a
network. Unauthorized sniffers can be extremely dangerous to a network's security
because they are virtually impossible to detect and can be inserted almost anywhere. This
makes them a favourite weapon in the hacker's arsenal.”
©All rights
Pack produced by
[email protected]
Page 3 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Familiarisation with Ethereal
Ethereal is comprised of three main windows, or panes.
1. The top pane is the packet
list pane. It displays a
summary of each packet
captured. By clicking on
packets in this pane your
control what is displayed
in the other two panes.
2. The middle pane is the tree
view pane. It displays the
packet selected in the top
pane in more detail.
3. The bottom pane is the
data view pane. It displays
the data from the packet
selected in the top pane,
and highlights the field
selected in the tree view
In addition to the three main panes, there are four elements of interest on the bottom of
the Ethereal main window.
A. The lower leftmost button labeled "Filter:" can be clicked to bring up the filter
construction dialog.
B. The left middle text box provides an area to enter or edit filter strings. This is also
where the current filter in effect it displayed. You can click on the pull down
arrow to select past filter string from a list.
C. The right middle button labeled "Reset" clears the current filter.
D. The right text box displays informational messages. These message may indicate
whether or not you are capturing, what file you have read into the packet list pane
if you are not capturing. If you have selected a protocol field from the tree view
pane and it is possible to filter on that field then the filter label for that protocol
field will be displayed.
©All rights
Pack produced by
[email protected]
Page 4 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Starting a Capture Session
Firstly and almost obviously select
If you have a computer with more
than one network interface device [for
example; networks interface card and
Control size of packets [especially
useful when avoiding HTTP traffic]
normally this is not set.
Set session termination options if
Use DNS or another service to resolve
names to addresses where possible, if
Click OK! To start
©All rights
Pack produced by
[email protected]
Page 5 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Whilst traffic-capture is taking place
Not the most exciting part of the process.
Time taken can be based on either how
many packets you want to analyse or how
much time you wish to take.
Network administrators can leave ethereal
running for hours.
Click on Stop when you have over 100
If your system is not
generating useful traffic.
Open a DOS/Command
window and type > ping -t
©All rights
Pack produced by
[email protected]
Page 6 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
So what do we get from a traffic-capture?
"Come on," he droned, "I've been ordered to take you down to the bridge. Here I am, brain the size
of a planet and they ask me to take you down to the bridge. Call that job satisfaction? ‘Cos I don't."
Marvin the Paranoid Android
The packet list pane
since the
start of the
Source address
[from whence it
Destination Address
[to where it goes]
Protocol = what
type of packet it
A brief summary of
the contents/role of
the packet
©All rights
Pack produced by
[email protected]
Page 7 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
The tree view pane
Hardware [MAC] address of
device packet is going to
Hardware [MAC] address of
device that packet originated
Network layer protocol
Specific protocol of data packet
Destination Network Layer [3]
address of packet [note ethereal
attempts name resolution]
Source Network Layer [3]
address of packet.
Its worth noting
that I have
captured an ICMP
[Ping!] packet
©All rights
Pack produced by
[email protected]
Page 8 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
The data view pane
Symbolic hexadecimal dump
of ‘binary’ data bits sent in the
data packet.
TIP: Click on one of the
numbers and its counterpart in
the tree view window will be
An ASCII dump of a data packet.
Many network services operate a
‘plain text’ transmission process. This
means that we can see the contends of
many data packets
The windows version of
Ping! Sends the ASCII
alphabet A-W
©All rights
Pack produced by
[email protected]
Page 9 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
So what protocols does ethereal support?
Currently [23/08/2002] ethereal supports 280 protocols: 802.1q Virtual LAN
802.1x Authentication
Address Resolution Protocol
Ad hoc On-demand Distance Vector
Routing Protocol
Ad hoc On-demand Distance Vector
Routing Protocol v6
Aggregate Server Access Protocol
Andrew File System (AFS)
AOL Instant Messenger
Apache JServ Protocol v1.3
Appletalk Address Resolution
AppleTalk Filing Protocol
AppleTalk Session Protocol
AppleTalk Transaction Protocol
Async data over ISDN (V.120)
ATM LAN Emulation
Authentication Header
BACnet Virtual Link Control
Banyan Vines
Banyan Vines Fragmentation
Banyan Vines SPP
Blocks Extensible Exchange
Boot Parameters
Bootstrap Protocol
Border Gateway Protocol
Building Automation and Control
Network APDU
Building Automation and Control
Network NPDU
Cisco Auto-RP
Cisco Discovery Protocol
Cisco Group Management Protocol
Cisco HDLC
Cisco Hot Standby Router Protocol
Cisco Interior Gateway Routing
Cisco ISL
Common Open Policy Service
Common Unix Printing System
(CUPS) Browsing Protocol
Datagram Delivery Protocol
Data Link SWitching
Data Stream Interface
DCE/RPC Conversation Manager
DCE/RPC Endpoint Mapper
DCE/RPC Remote Management
DCOM OXID Resolver
DCOM Remote Activation
DEC Spanning Tree Protocol
Diameter Protocol
Distance Vector Multicast Routing
Distributed Checksum
Clearinghouse Protocol
Domain Name Service
Dynamic DNS Tools Protocol
Encapsulating Security Payload
Enhanced Interior Gateway Routing
Extensible Authentication Protocol
Fiber Distributed Data Interface
File Transfer Protocol (FTP)
Frame Relay
FTP Data
GARP Multicast Registration
GARP VLAN Registration Protocol
General Inter-ORB Protocol
Generic Routing Encapsulation
Gnutella Protocol
GPRS Tunneling Protocol
GPRS Tunneling Protocol v0
GPRS Tunneling Protocol v1
Hummingbird NFS Daemon
Hypertext Transfer Protocol
ICQ Protocol
IEEE 802.11 wireless LAN
IEEE 802.11 wireless LAN
management frame
Inter-Access-Point Protocol
Internet Cache Protocol
Internet Content Adaptation
Internet Control Message Protocol
Internet Control Message Protocol
Internet Group Management
Internet Message Access Protocol
Internet Printing Protocol
Internet Protocol
Internet Protocol Version 6
Internet Relay Chat
Internet Security Association and
Key Management Protocol
Internetwork Packet eXchange
IP Payload Compression
IPX Message
IPX Routing Information Protocol
ISDN Q.921-User Adaptation Layer
ISDN User Part
ISO 10589 ISIS InTRA Domain
Routeing Information Exchange
ISO 8073 COTP ConnectionOriented Transport Protocol
ISO 8473 CLNP ConnectionLess
Network Protocol
ISO 8602 CLTP ConnectionLess
Transport Protocol
ISO 9542 ESIS Routing Information
Exchange Protocol
ITU-T Recommendation H.261
Java RMI
Java Serialization
Kernel Lock Manager
Label Distribution Protocol
Layer 2 Tunneling Protocol
Lightweight Directory Access
Line Printer Daemon Protocol
Link Access Procedure Balanced
Ethernet (LAPBETHER)
Link Access Procedure Balanced
Link Access Procedure, Channel D
Link Aggregation Control Protocol
Link Management Protocol (LMP)
Linux cooked-mode capture
Local Management Interface
LocalTalk Link Access Protocol
Logical-Link Control
Lucent/Ascend debug output
Message Transfer Part Level 2
Message Transfer Part Level 3
Microsoft Distributed File System
Microsoft Exchange MAPI
Microsoft Local Security
Microsoft Network Logon
Microsoft Registry
Microsoft Security Account Manager
Microsoft Server Service
Microsoft Spool Subsystem
Microsoft Telephony API Service
Microsoft Windows Browser
Microsoft Windows Lanman Remote
API Protocol
Microsoft Windows Logon Protocol
Microsoft Workstation Service
MMS Message Encapsulation
Mobile IP
Mount Service
MSNIP: Multicast Source
Notification of Interest Protocol
MS Proxy Protocol
MTP2 Peer Adaptation Layer
MTP 2 Transparent Proxy
MTP 2 User Adaptation Layer
MTP 3 User Adaptation Layer
©All rights
Pack produced by
[email protected]
Page 10 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Multicast Router DISCovery
Multicast Source Discovery Protocol
MultiProtocol Label Switching
Name Binding Protocol
Name Management Protocol over
NetBIOS Datagram Service
NetBIOS Name Service
NetBIOS over IPX
NetBIOS Session Service
NetWare Core Protocol
Network Data Management Protocol
Network File System
Network Lock Manager Protocol
Network News Transfer Protocol
Network Status Monitor CallBack
Network Status Monitor Protocol
Network Time Protocol
NIS+ Callback
OpenBSD Packet Filter log file
Open Shortest Path First
Point-to-Point Protocol
Point-to-Point Tunnelling Protocol
Post Office Protocol
PPP Bandwidth Allocation Control
PPP Bandwidth Allocation Protocol
PPP Callback Control Protocol
PPP Challenge Handshake
Authentication Protocol
PPP Compressed Datagram
PPP Compression Control Protocol
PPP IP Control Protocol
PPP Link Control Protocol
PPP Multilink Protocol
PPP Multiplexing
PPPMux Control Protocol
PPP-over-Ethernet Discovery
PPP-over-Ethernet Session
PPP Password Authentication
PPP VJ Compression
Pragmatic General Multicast
Protocol Independent Multicast
Quake III Arena Network Protocol
Quake II Network Protocol
Quake Network Protocol
QuakeWorld Network Protocol
Qualified Logical Link Control
Radio Access Network Application
Radius Protocol
Raw packet data
Real Time Streaming Protocol
Real-time Transport Control
Real-Time Transport Protocol
Remote Procedure Call
Remote Quota
Remote Shell
Remote Wall protocol
Resource ReserVation Protocol
RFC 2250 MPEG1
Rlogin Protocol
Routing Information Protocol
Routing Table Maintenance Protocol
RPC Browser
RX Protocol
Secure Socket Layer
Sequenced Packet eXchange
Service Advertisement Protocol
Service Location Protocol
Session Announcement Protocol
Session Description Protocol
Session Initiation Protocol
Short Message Peer to Peer
Signalling Connection Control Part
Simple Mail Transfer Protocol
Simple Network Management
Sinec H1 Protocol
Skinny Client Control Protocol
SliMP3 Communication Protocol
SMB MailSlot Protocol
SMB Pipe Protocol
SMB (Server Message Block
SNMP Multiplex Protocol
Socks Protocol
Spanning Tree Protocol
SS7 SCCP-User Adaptation Layer
Stream Control Transmission
Syslog message
Systems Network Architecture
Time Protocol
Time Synchronization Protocol
Token-Ring Media Access Control
Transmission Control Protocol
Transparent Network Substrate
Trivial File Transfer Protocol
Universal Computer Protocol
User Datagram Protocol
Virtual Router Redundancy Protocol
Virtual Trunking Protocol
Web Cache Coordination Protocol
Wellfleet Compression
Wireless Session Protocol
Wireless Transaction Protocol
Wireless Transport Layer Security
X.25 over TCP
X Display Manager Control Protocol
Yahoo Messenger Protocol
Yellow Pages Bind
Yellow Pages Passwd
Yellow Pages Service
Yellow Pages Transfer
Zebra Protocol
©All rights
Pack produced by
[email protected]
Page 11 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
What can I do with my captured traffic?
“It says that the effect of a Pan Galactic Gargle Blaster is like having your brains smashed out by a
slice of lemon wrapped round a large gold brick.” A quote from the guide.. Hitch Hikers Guide to
the Galaxy
Like all good applications select File/Save
The traffic you have captured can be
saved in many other sniffer formats. All
of them readable in an ASCII text editor
[notepad for example].
Save as mytraffic.txt in a location
you have read/write rights
©All rights
Pack produced by
[email protected]
Page 12 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Open the file mytraffic.txt in Notepad ………….…..
Whilst the file will
appear to be ‘garbage’
you can see the A-W
plain text from each
ICMP packet.
Many hackers use this
technique to locate
plain text passwords
and logins.
Try this on a web surfing exercise and you will find the HTML source code for the web
©All rights
Pack produced by
[email protected]
Page 13 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
Other features
This guide like many only scrapes the surface of the power of this application please visit where you will find up to date guides and information on this
Ethereal can be run in a command line environment and is supported by Tethereal and
[ -B byte view height ] [ -c count ] [ -f filter expression ] [ -h ]
[ -i interface ] [ -k ] [ -m font ] [ -n ] [ -o preference setting ] ... [ -p ]
[ -P packet list height ] [ -Q ] [ -r infile ] [ -R filter expression ] [ -S ]
[ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ]
[ -w savefile]
©All rights
Pack produced by
[email protected]
Page 14 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
©All rights
Pack produced by
[email protected]
Page 15 of 16
Ethereal Guide for Windows
Sniffing the glue that holds the Internet together™
©All rights
Pack produced by
[email protected]
Page 16 of 16

Ethereal Packet Sniffer pack for visualising OSI model