Home

A Guided Tour of Ethereal

Issue 118

From Issue #118
February 2004

Feb 01, 2004  By Brad Hards
 in
Learn exactly what's in all those packets flying by on your network with this essential development and administration tool.

Resources

For more information on Ethereal, start with www.ethereal.com. This page includes links to the Ethereal manual, downloads and mailing lists.

To understand better what Ethereal is showing you, you need the appropriate documentation on the network protocol. Those protocols, codified by the Internet Engineering Task Force, are available at www.rfc-editor.org.

rsync is an efficient network file transfer application originally developed by Andrew Tridgell (of Samba fame). See rsync.samba.org.

zcip is a tool for automatic assignment (zeroconf) of IPv4 addresses, without needing a DHCP server. See zeroconf.sourceforge.net.

Service Location Protocol is a way for clients to find servers in a network-efficient way. See www.srvloc.org for more details on the protocol, or refer to RFC 2608, RFC 2609, RFC 2610 and RFC 2614, available from www.rfc-editor.org. A free implementation, mainly developed by Matt Peterson, is available at www.openslp.org.

The capturing capabilities of Ethereal depend on libpcap, developed by the TCPDUMP Group. You need libpcap to build Ethereal, although most distributions ship with libpcap packages. See www.tcpdump.org.

The Windows version of libpcap is WinPcap. See winpcap.polito.it for more information and to download the installer package.

IMAP (Internet Message Access Protocol) is a server-based e-mail protocol, in many ways superior to the Post Office Protocol (POP) that is widely used. For more details, get RFC 2060 from www.rfc-editor.org.

distcc is a distributed compilation application developed by Martin Pool that uses various network machines to participate in building C code. See distcc.samba.org.

Brad Hards is the technical director for Sigma Bravo, a small professional services company in Canberra, Australia. In addition to Linux, his technical foci include aircraft system integration and certification, GPS and electronic warfare. Comments on this article may be sent to bradh@frogmouth.net.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

application would

software free's picture
Submitted by software free (not verified) on Wed, 01/11/2006 - 06:55.

That application would be the ethereal GUI.

This way:
-no need for X on router
-no need to install ethereal on client
-no need to transmit all the packets over the wire, minimal network impact (packet processing would be server-side)

Re: A Guided Tour of Ethereal

bsilva's picture
Submitted by bsilva (not verified) on Sat, 01/10/2004 - 03:00.

Regarding the ability to capture packets remotely:
While it's true that Ethereal cannot do this dynamically, i.e.; with an agent on the remote end, Ethereal can read packet captures from command line tools such as tcpdump and snoop.

I use both of these tools to capture packets from Firewalls, Routers, servers, etc. I also use a beat-up Pentium-90 laptop as a network monitor that I can leave at a customer site. Once the data is collected I can analyse it with Ethereal. Ethereal will also read packet captures from commercial tools such as NAI's Sniffer tools.

Ethereal is a tool that just keeps getting a little better each year. I've used it to solve a variety of problems, but I've also used it to teach networking protocols. It's the best tool I know of to show students exactly how protocols are encapsulated in each other and to demonstrate exactly how data gets across the network.

On a slightly different note, it's interesting that I'm posting this comment on January 10th 2004, but the article claims to have been posted on Feburary 1st, 2004.

Thanks for the Article,
Brad Silva

tethereal

Anonymous's picture
Submitted by Anonymous on Tue, 10/12/2004 - 02:00.

I use SSH + tethereal from the command line to do remote captures

Sure that's what i do but it'

Anonymous's picture
Submitted by Anonymous (not verified) on Thu, 05/05/2005 - 10:04.

Sure that's what i do but it's so much nicer to see live rolling capture in the ethereal GUI.

Re: A Guided Tour of Ethereal

Anonymous's picture
Submitted by Anonymous on Sat, 01/10/2004 - 03:00.

I think the date reflects the publishing date for the magazine, not for the article.

I agree with the remote capture comments, and some work on remote capture has been done, but when you are working with the Ethereal GUI, it would sometimes be nice to do "now show me what that remote machine is seeing, in real time". That needs more work.

Brad Hards

Re: A Guided Tour of Ethereal

Anonymous's picture
Submitted by Anonymous on Tue, 01/20/2004 - 03:00.

Isn't that was remote (secure) X display is for? Which is tremendously less overhead, potentially, than sending the entire packet contents across the wire to the "local" monitoring app?

Well ideally you would naviga

Anonymous's picture
Submitted by Anonymous (not verified) on Thu, 05/05/2005 - 10:24.

Well ideally you would navigate to a webpage that would contain a java application.
That application would be the ethereal GUI.

This way:
-no need for X on router
-no need to install ethereal on client
-no need to transmit all the packets over the wire, minimal network impact (packet processing would be server-side)

Negative aspects:
-More CPU usage on router
-We need is someone to implement this!

An X display on a router is a

Anonymous's picture
Submitted by Anonymous (not verified) on Thu, 05/05/2005 - 10:07.

An X display on a router is a waste of resources, especially since you'll probably end up doing all your work in shell windows inside X!

Re: A Guided Tour of Ethereal

Anonymous's picture
Submitted by Anonymous on Tue, 03/16/2004 - 03:00.

Actually, the RMON (and RMON2) protocol is substantially thinner than remote X. Ethereal just needs an RMON/RMON2 interface.

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions