2006-11

Ethereal
(Network Protocol Analyzer)
2006. 5. 9
백일우
steigensonne@hufs.ac.kr
Install – Winpcap (1/2)

Install in the order ‘Winpcap’ → ‘ethereal’.

Winpcap (Windows Packet Capture Library)
http://winpcap.polito.it/
Install – Winpcap (2/2)
Install – Ethereal (1/3)

http://www.ethereal.com
Install – Ethereal (2/3)
Install – Ethereal (3/3)
Packet capture – Intro (1/4)

Packet sniffer structure (figure; only the label “kernel” is recoverable)
Packet capture – Intro (2/4)

Packet sniffer

Linux - tcpdump
- Packet capture in the form of commands typed in the shell
Packet capture – Intro (3/4)

Ethereal
- Open source (Freeware)
- Compiled with GTK, Glib, libpcap
- Supports various platforms
  - MAC OS X
  - Windows
  - Linux, Fedora (can be selected when installing the OS)
  - FreeBSD
  - Solaris
Packet capture – Intro (4/4)
- Supported protocols
- ‘Help’ → ‘supported protocols’
- Supports 605 protocols
Ethereal (1/8)

User Interface
Ethereal (2/8)

User Interface (con’t)
(figure: packet details pane, labelled Layer 2, Layer 3, Layer 4, Layer 7)
Ethereal (3/8)

Menu (main toolbar buttons)
- Open a capture file
- Save a capture file
- Reload this capture file
- Print packet
- Find packet
- Find the previous matching packet
- Find the next matching packet
- Go to the packet number
- Go to the first packet
- Go to the last packet
- Start a capture
- Stop
- Edit capture filter
- Edit/apply display filter
- Edit coloring rule
- Edit preference
- Zoom in/out
- Zoom 100%
Ethereal (4/8)

Filter menu
- Enter a display filter
- Add an expression to this filter string
- Clear this filter string
- Apply this filter string to the display
- Open the “display filter” dialog
Ethereal (5/8)

Capture options
- Select the interface
- Set the buffer size
- Limit the capture size of each packet
- Set the capture filter to apply
- Update the packet list in real time
- File name to save to
- Auto-scroll to the most recently captured packets in the list
- Show the vendor of the MAC address
- Set the conditions under which the packet capture stops
- Name resolution at the network layer, e.g. domain names
Ethereal (6/8)

Packet capture example
Ethereal (7/8)

‘Statistics’ → ‘Summary’
Ethereal (8/8)

‘Statistics’ → ‘Protocol hierarchy statistics’
Follow tcp stream – (1/2)
Follow tcp stream – (2/2)
Display filter

Basic syntax

Definition                Expression
And                       &&, and
Or                        ||, or
Not                       !, not
Equal                     ==, eq
Not equal                 !=, ne
Greater than              >, gt
Less than                 <, lt
Greater than or equal to  >=, ge
Less than or equal to     <=, le
Filter command – (1/9)

Ethernet (eth)
- eth.addr : source or destination MAC address
- eth.dst : destination MAC address
- eth.src : source MAC address
- eth.type : type (ARP : 0x0806, IP : 0x0800)

Ethernet frame format: Destination addr (6 byte) | Source addr (6 byte) | type (2 byte)
Filter command – (2/9)

Ethernet frame capture example
Ethernet frame format: Destination addr (6 byte) | Source addr (6 byte) | type (2 byte)
Filter command – (3/9)

IP (ip)
- ip.addr : source or destination IP address
- ip.src : source IP address
- ip.dst : destination IP address
- ip.version : IP version
- ip.protocol : next level protocol
- ip.ttl : TTL (time to live)

IP datagram header
Filter command – (4/9)

IP packet capture example
IP datagram header
Filter command – (5/9)

TCP (tcp)
- tcp.srcport : source port
- tcp.dstport : destination port
- tcp.port : source/destination port
- tcp.seq : sequence number
- tcp.ack : acknowledgement number
- tcp.len : segment length

TCP header format
Filter command – (6/9)

TCP packet capture example
TCP header format
Filter command – (7/9)

UDP (udp)
- udp.srcport
- udp.dstport
- udp.port
- udp.length

UDP header format
Filter command – (8/9)

Echo (echo)
- echo.request
- echo.response

MSN messenger (msnms)
Filter command – (9/9)

HTTP (http)
- http.request
- http.response
Filter command example

#1 : Capture the IP packets of 220.67.124.138~220.67.124.170
Filter command example

#2 : MSN messenger (the login case)
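An added example, not part of the slides: the Python below decodes the Ethernet layout shown earlier (6-byte destination, 6-byte source, 2-byte type) plus the listed IP fields, then evaluates display filters written with the operator table, including the range filter of example #1. The frame bytes, the helper names (parse_frame, literal, matches, build_frame) and the address 192.0.2.1 are constructed; the evaluator reproduces Ethereal's rule that a comparison on eth.addr or ip.addr is true if either endpoint satisfies it, which is why a two-sided ip.addr range and `ip.addr != x` match more than one might expect.

```python
import ipaddress, operator, re, struct

# Comparison operators from the slide's syntax table: symbolic and word forms are aliases.
CMP = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
       ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
       ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le}
LOGIC = {"&&": " and ", "and": " and ", "||": " or ", "or": " or ", "!": " not ", "not": " not "}

def parse_frame(raw):
    """Ethernet header = 6-byte dst, 6-byte src, 2-byte type; for type 0x0800 an IPv4 header
    follows. Each field holds a list because eth.addr / ip.addr stand for either endpoint."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    f = {"eth.dst": [mac(dst)], "eth.src": [mac(src)], "eth.addr": [mac(dst), mac(src)], "eth.type": [etype]}
    if etype == 0x0800:
        vihl, _, _, _, _, ttl, _, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
        s, d = ipaddress.IPv4Address(s), ipaddress.IPv4Address(d)
        f.update({"ip.version": [vihl >> 4], "ip.ttl": [ttl], "ip.src": [s], "ip.dst": [d], "ip.addr": [s, d]})
    return f

def literal(text):
    """Filter literal -> comparable value: dotted IPv4, hex or decimal integer, or MAC string."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", text):
        return ipaddress.IPv4Address(text)
    if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", text):
        return int(text, 16) if text.startswith("0x") else int(text)
    return text.lower()

def matches(filt, fields):
    """A comparison is true when ANY value of its field satisfies it (Ethereal semantics), so
    'ip.addr != x' holds if one endpoint differs; logic tokens map to Python and/or/not."""
    results = []
    def collect(m):
        op, value = CMP[m.group(2)], literal(m.group(3))
        results.append(any(op(v, value) for v in fields.get(m.group(1), [])))
        return f" _r[{len(results) - 1}] "
    expr = re.sub(r"([a-z]+\.[a-z]+)\s*(==|eq|!=|ne|>=|ge|<=|le|>|gt|<|lt)\s*([0-9a-fA-Fx.:]+)", collect, filt)
    expr = re.sub(r"&&|\|\||!|\b(?:and|or|not)\b", lambda m: LOGIC[m.group(0)], expr)
    if not re.fullmatch(r"(?:_r\[\d+\]|and|or|not|[\s()])+", expr):
        raise ValueError(f"unsupported filter syntax: {filt!r}")
    return bool(eval(expr, {"__builtins__": {}}, {"_r": results}))

def build_frame(src_ip, dst_ip, ttl=64):
    """Constructed sample frame, not a capture: fixed MACs, EtherType 0x0800, minimal IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, ttl, 6, 0,
                             ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)

if __name__ == "__main__":  # source 220.67.124.200 is OUTSIDE the slide's range, yet the ip.addr form matches
    print(matches("ip.addr >= 220.67.124.138 and ip.addr <= 220.67.124.170", parse_frame(build_frame("220.67.124.200", "192.0.2.1"))))
```

To restrict a range to one endpoint, compare ip.src (or ip.dst) on both sides, or combine the two endpoint forms with `or`.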