Ethereal. Freeware sniffing tool. Captures live network traffic. The user interface separates it from other sniffers. 1 Download Instruction. Need to download two components. WinPcap. www.ethereal.com/distribution/win32/ http://winpcap.polito.it/install/default.htm Ethereal (main program). http://www.ethereal.com/distribution/win32/ 2 Brief Technical Details. Ethereal can read files of other software that is used for sniffing. (Tcpdump, Microsoft's Network Monitor etc.) Can show 442 different protocols in a user friendly way. This means that you don’t have to know all the protocols. (you can click your way to find the TTL for example) 3 First look at Ethereal. 1. Shows the packets that have been captured. 2. Shows details of a selected packet. 3. The packet’s data in HEX. 4 Starting with Ethereal. 5 The second window. 6 Using options while capturing. 1. 2. 3. 4. Captures first 68 bytes of the packet by default. This can be changed to allow variation. This allows you to capture all the packets in the wire. If it is not set then Ethereal will only capture packet going from or to this machine. If the option is set off and interface is in promiscuous you will still catch the network traffic. Allows to save the captured data in a specified file. The file name is entered in the space indicated by 15. Rotates Captured file by the amount time specified in the space marked 17. 7 Using options while capturing. 5. 6. 7. 8. 9. This specifies that the packets captured should be in the first window as soon as they are picked up. Scroll down the first window to keep up with the latest packet. Specifies the number of packet the user wants to capture in the space marked 18. Specifies the kilobytes(s) the user wants to capture in the space marked 19. Specifies the time for which the user wants to capture in the space marked 20. 8 Using options while capturing. 10. Translates the MAC address to specify the name of the manufacturer. 11. Specifies the IP address into domain names. 12. Translates the port into protocol names. 13. Specify the name of the interface that you want to capture packets. Usually there is only one name except for multi-homed machine. 14. The user can write down the preference here in this space while capturing packets 9 FILTERING COMMAND. Allows the user to enter specific command on what packets to capture. 10 [src|dst] host <host> Specifies the host whose packets to capture. Example:host 192.168.2.100: 11 [src|dst] port <port> This allows ethereal to capture packet from or to the port specified. Example port 139 12 [src|dst] net <net> [{mask <mask>}|{len <len>}] This allows you to filter on network numbers.In addition, you can specify either the netmask or the CIDR prefix for the network if they are different from your own. Example :net 192.168.2.0 mask 255.255.255 13 less|greater <length> This allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively. Example: greater 40 14 ether|ip broadcast|multicast This allows you to filter on either Ethernet or IP broadcasts or multicasts. Example: ip broadcast. 15 ip|ether proto <protocol> This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer. Example:ip proto ICMP 16 Ethereal features. Ethereal has lots of cool features to aid the user in analyzing the packets captured. Filters after capturing. Visual effects. 17 Filtering after capture. Ethereal has option of filtering the captured data. This is specially useful since the amount of data captured is large. There are a large number of filters most of them can be figured out by clicking the Add Expression button. For example sake I have shown few of the filter in the next few slides. 18 Filters. Ip.addr == <IP Address> Shows only the packets from or to the IP Address specified. Example: Ip.addr == 192.168.2.102 19 Filters. Frame.pkt._len > <size> Shows packets greater than the size specified. This can be used with as also less than (<). Example: Frame.pkt._len > 70 20 Filters. Tcp.flags.<name> Shows packets the flag bit set. EXAMPLE : Tcp.flags.ack 21 Filters. You can make a complex filter by adding AND, OR, XOR, NOT. Example: ip.addr == 192.168.2.102 and tcp.flags.ack There are some other operators called substring operators. There functions are: [x:y] specifies the range. [x:] specifies the range starting from x to the end of the sequence. [x,y,z] specifies compound range. Example:eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83 22 Visual effects. You can specific filters to colour the type of packets you are interested. To do this you have to click view>coloring rules. 23 Visual effects. For example I have chosen the packets with ack bit set. I want them to noticeable. Then all I do is. View-> coloring rules > new -> add expression. After adding the expression. Press OK. Set the colours (I have set it to green). Then the result would look like something like this. 24 Visual effects. (The results) 25 Following TCP streams. If you want to see the data on a TCP session without you trying to figure them out. You can start by clicking analyze->follow tcp stream 26 SUMMARY I have learnt the basic use of ethereal. All the test here was in a private network. So nothing very interesting. One should understand this only a tool not a means. One needs vast knowledge and dedication for the proper use of this kind of tools. 27 Questions Kazi Nasim Faisal 1st march 2004 28