Ethereal. - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Ethereal.
  • Freeware sniffing tool.
  • Captures live network traffic.
  • The user interface separates it from other
    sniffers.

2
Download Instruction.
  • Need to download two components.
  • WinPcap.
  • www.ethereal.com/distribution/win32/
  • http://winpcap.polito.it/install/default.htm
  • Ethereal (main program).
  • http://www.ethereal.com/distribution/win32/

3
Brief Technical Details.
  • Ethereal can read capture files written by other
    sniffing software (tcpdump, Microsoft's Network
    Monitor, etc.).
  • Can show 442 different protocols in a user-friendly
    way. This means that you don't have to know all
    the protocols (you can click your way to the TTL
    field, for example).

4
First look at Ethereal.
  1. Shows the packets that have been captured.
  2. Shows details of a selected packet.
  3. The selected packet's data in hex.

5
Starting with Ethereal.
6
The second window.
7
Using options while capturing.
  1. Captures the first 68 bytes of each packet by
    default. This can be changed if you need more
    (or less) of each packet.
  2. Enables promiscuous mode, which captures all the
    packets on the wire. If it is not set, Ethereal
    will only capture packets going from or to this
    machine. If the option is off but the interface
    is already in promiscuous mode, you will still
    catch the network traffic.
  3. Saves the captured data to a specified file. The
    file name is entered in the space marked 15.
  4. Rotates the capture file after the amount of time
    specified in the space marked 17.

8
Using options while capturing.
  • Specifies that captured packets should appear in
    the first window as soon as they are picked up.
  • Scrolls the first window down to keep up with the
    latest packet.
  • Specifies the number of packets the user wants to
    capture, in the space marked 18.
  • Specifies the number of kilobytes the user wants
    to capture, in the space marked 19.
  • Specifies the time for which the user wants to
    capture, in the space marked 20.

9
Using options while capturing.
  1. Resolves MAC addresses to the name of the
    manufacturer.
  2. Resolves IP addresses to domain names.
  3. Resolves port numbers to protocol (service) names.
  4. Specifies the name of the interface on which you
    want to capture packets. Usually there is only one
    name, except on a multi-homed machine.
  5. The user can enter their preferences in this
    space while capturing packets.

10
FILTERING COMMAND.
  • Allows the user to enter a filter expression
    specifying which packets to capture.

11
[src|dst] host <host>
  • Specifies the host whose packets to capture.
  • Example: host 192.168.2.100

12
[src|dst] port <port>
  • This allows Ethereal to capture packets from or to
    the port specified.
  • Example: port 139

13
[src|dst] net <net> [mask <mask>|len <len>]
  • This allows you to filter on network numbers. In
    addition, you can specify either the netmask or
    the CIDR prefix length for the network if they are
    different from your own.
  • Example: net 192.168.2.0 mask 255.255.255.0

14
less|greater <length>
  • This allows you to filter on packets whose length
    was less than or equal to the specified length,
    or greater than or equal to the specified length,
    respectively.
  • Example: greater 40

15
ether|ip broadcast|multicast
  • This allows you to filter on either Ethernet or
    IP broadcasts or multicasts.
  • Example: ip broadcast

16
ip|ether proto <protocol>
  • This primitive allows you to filter on the
    specified protocol at either the IP layer or the
    Ethernet layer.
  • Example: ip proto ICMP
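To make the capture-filter primitives of slides 11 to 16 concrete, here is a toy evaluator that applies them to a few hand-built packet records. It is an added example, not part of the original presentation and not Ethereal's or libpcap's own code: the packet records, the assumed capturing-interface subnet IFACE_NET, and the helper names match/apply_filter are all assumptions, and real capture filters are compiled to BPF bytecode rather than matched like this.

```python
import ipaddress

# Constructed sample "packets" (not a real capture): addresses, ports, protocol, length
PACKETS = [
    {"src": "192.168.2.100", "dst": "192.168.2.1", "proto": "tcp", "sport": 1025, "dport": 139, "len": 62},
    {"src": "192.168.2.1", "dst": "192.168.2.100", "proto": "tcp", "sport": 139, "dport": 1025, "len": 1514},
    {"src": "10.0.0.5", "dst": "192.168.2.255", "proto": "udp", "sport": 137, "dport": 137, "len": 92},
    {"src": "192.168.2.100", "dst": "192.168.2.1", "proto": "icmp", "sport": None, "dport": None, "len": 74},
]
# Assumed subnet of the capturing interface; "ip broadcast" needs it to know the broadcast address
IFACE_NET = ipaddress.ip_network("192.168.2.0/24")

def _dirs(qual):
    """'src'/'dst' restricts the match to one direction; no qualifier means either end."""
    return {"src": ("src",), "dst": ("dst",)}.get(qual, ("src", "dst"))

def match(pkt, primitive):
    """True if a single primitive, written as on slides 11-16, matches pkt."""
    words = primitive.lower().split()
    qual = words.pop(0) if words[0] in ("src", "dst") else None
    kw = words[0]
    if kw == "host":                               # [src|dst] host <host>
        return any(pkt[d] == words[1] for d in _dirs(qual))
    if kw == "port":                               # [src|dst] port <port>
        side = {"src": "sport", "dst": "dport"}
        return any(pkt[side[d]] == int(words[1]) for d in _dirs(qual))
    if kw == "net":                                # [src|dst] net <net> mask <mask> | len <len>
        if len(words) < 4 or words[2] not in ("mask", "len"):
            raise ValueError("write the network as 'net N mask M' or 'net N len L'")
        net = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
        return any(ipaddress.ip_address(pkt[d]) in net for d in _dirs(qual))
    if kw in ("greater", "less"):                  # greater|less <length>, both inclusive
        n = int(words[1])
        return pkt["len"] >= n if kw == "greater" else pkt["len"] <= n
    if kw == "ip" and words[1:] == ["broadcast"]:  # ip broadcast
        return ipaddress.ip_address(pkt["dst"]) == IFACE_NET.broadcast_address
    if kw == "ip" and words[1] == "proto":         # ip proto <protocol>
        return pkt["proto"] == words[2]
    raise ValueError(f"unsupported primitive: {primitive}")

def apply_filter(packets, *primitives):
    """Keep only the packets matching every primitive (joined by an implicit 'and')."""
    return [p for p in packets if all(match(p, prim) for prim in primitives)]

if __name__ == "__main__":
    for p in apply_filter(PACKETS, "host 192.168.2.100", "ip proto ICMP"):
        print(p)
```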

17
Ethereal features.
  • Ethereal has lots of cool features to aid the
    user in analyzing the packets captured.
  • Filters after capturing.
  • Visual effects.

18
Filtering after capture.
  • Ethereal has the option of filtering the captured
    data. This is especially useful since the amount
    of data captured is large. There are a large
    number of filters; most of them can be figured out
    by clicking the Add Expression button.
  • For example's sake I have shown a few of the
    filters in the next few slides.

19
Filters.
  • ip.addr == <IP address>
  • Shows only the packets from or to the IP address
    specified.
  • Example: ip.addr == 192.168.2.102

20
Filters.
  • frame.pkt_len > <size>
  • Shows packets larger than the size specified.
    It can also be used with less than (<).
  • Example: frame.pkt_len > 70

21
Filters.
  • tcp.flags.<name>
  • Shows packets with that flag bit set.
  • Example: tcp.flags.ack

22
Filters.
  • You can make a complex filter by combining
    expressions with AND, OR, XOR and NOT.
  • Example: ip.addr == 192.168.2.102 and
    tcp.flags.ack
  • There are some other operators called substring
    operators. Their functions are:
  • [x:y] specifies a range.
  • [x:] specifies the range starting from x to the
    end of the sequence.
  • [x,y,z] specifies a compound range.
  • Example: eth.src[0:3,1-2,:4,4:2] ==
    00:00:83:00:83:00:00:83:00:20:20:83

23
Visual effects.
  • You can set filters to colour the types of packet
    you are interested in. To do this you have to
    click View -> Coloring Rules.

24
Visual effects.
  • For example, I have chosen the packets with the
    ACK bit set. I want them to be noticeable. Then
    all I do is:
  • View -> Coloring Rules -> New -> Add Expression.
    After adding the expression, press OK. Set the
    colours (I have set it to green). Then the result
    would look something like this.

25
Visual effects. (The results)
26
Following TCP streams.
  • If you want to see the data in a TCP session
    without having to piece it together yourself, you
    can start by clicking Analyze -> Follow TCP Stream.

27
SUMMARY
  • I have learnt the basic use of Ethereal.
  • All the tests here were on a private network, so
    nothing very interesting.
  • One should understand this is only a tool, not a
    means.
  • One needs vast knowledge and dedication for the
    proper use of this kind of tool.

28
Questions
  • Kazi Nasim Faisal
  • 1st March 2004