Ethereal - PowerPoint PPT Presentation
Slides: 19
Provided by: jamesp84

Transcript and Presenter's Notes


1
Ethereal
  • Fundamentals of Network Security
  • College of DuPage CIT 2251
  • Joanne Wagner, Instructor
  • Jim Keegan, Presenter

2
Overview
  • Ethereal a network protocol analyzer
  • libpcap a packet capture library
  • libnet a packet construction library
  • Demonstration

3
libpcap
  • libpcap is a packet capture library from the
    Network Research Group at Lawrence Berkeley
    National Laboratory in Berkeley, California
  • Now maintained by The Tcpdump Group
  • Source code is freely available at
    http://www.tcpdump.org
  • Works with Windows and UNIX variants

4
libpcap
  • Problems
  • It is difficult to write programs from scratch
    that can read network traffic.
  • Once you write such a program, it needs to be
    rewritten for each different vendor's interfaces.
  • Solution
  • libpcap provides a C Language Application
    Programming Interface (API) that facilitates
    capturing packets. It is a system-
    interface-independent API.

5
libpcap
  • pcap_findalldevs() constructs a list of network
    devices that can be opened with pcap_open_live().
  • pcap_open_live() is used to obtain a packet
    capture descriptor.
  • pcap_open_offline() is used to open a savefile
    for reading.
  • pcap_dispatch() is used to collect and process
    packets.
  • pcap_next() is used to collect and process one
    packet.
  • pcap_dump_open() is used to open a savefile for
    writing.
  • pcap_dump() outputs a packet to the savefile
    opened with pcap_dump_open().
  • Many, many more functions are available.

6
libnet / libpcap
  • libnet is a mirror image of functionality
    provided by libpcap.
  • libpcap is used to extract packets off the wire.
  • libnet is used to inject packets onto the wire.

7
libnet
  • libnet is a packet creation and injection library
    from Mike D. Schiffman, a (former?) employee of
    Cisco.
  • Source code is freely available at
    http://www.packetfactory.net/libnet.
  • Works with Windows and UNIX variants

8
libnet
  • Problems
  • It is difficult to write programs from scratch
    that can write network traffic.
  • Once you write such a program, it needs to be
    rewritten for each different vendor's interfaces.
  • Solution
  • libnet provides a C Language Application
    Programming Interface (API) that facilitates
    sending packets. It is a system-
    interface-independent API.

9
libnet
  • libnet_init() creates the libnet environment.
  • libnet_init_packet() allocates memory for a
    packet.
  • libnet_open_raw_sock() opens a raw IP socket.
  • libnet_build_ip() builds an IP packet.
  • libnet_build_icmp() builds an ICMP packet.
  • libnet_do_checksum() calculates the checksum for
    a packet.
  • libnet_write_ip() writes an IP packet to the
    network.
  • Many, many more functions are available.
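The build and checksum steps in the list above are easier to picture with the bytes they produce. The following C program is an added example, not code from the slides or from libnet: it builds an IPv4 header and an ICMP echo request by hand in a byte buffer and computes the RFC 1071 checksums that libnet_do_checksum() fills in, then verifies them the way a receiving stack or a protocol dissector does. Nothing is written to a socket. The function names (inet_checksum, build_ipv4, build_icmp_echo, packet_checksums_ok, build_sample_packet) and the 192.0.2.x addresses are the example's own, not libnet's.

```c
/* Added example; not code from the slides or from libnet. Builds an IPv4
 * header and an ICMP echo request in a plain byte buffer and fills in the
 * RFC 1071 checksums that libnet_do_checksum() computes. Nothing is put on
 * the wire: the buffer is only built and verified, the same arithmetic a
 * dissector or IDS uses to flag a corrupted header. Compiles without libnet. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, folded. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)data[0] << 8 | data[1];
        data += 2;
        len -= 2;
    }
    if (len)                          /* odd trailing byte is padded with zero */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                 /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* 20-byte IPv4 header without options, protocol ICMP, payload of plen bytes. */
size_t build_ipv4(uint8_t *buf, const uint8_t src[4], const uint8_t dst[4],
                  uint16_t id, uint8_t ttl, size_t plen)
{
    buf[0] = 0x45;                    /* version 4, IHL 5 words */
    buf[1] = 0;                       /* TOS */
    put16(buf + 2, (uint16_t)(20 + plen));
    put16(buf + 4, id);
    put16(buf + 6, 0x4000);           /* DF set, fragment offset 0 */
    buf[8] = ttl;
    buf[9] = 1;                       /* protocol 1 = ICMP */
    put16(buf + 10, 0);               /* checksum field is zero while it is computed */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    put16(buf + 10, inet_checksum(buf, 20));
    return 20;
}

/* 8-byte ICMP echo request header followed by the payload. */
size_t build_icmp_echo(uint8_t *buf, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t plen)
{
    buf[0] = 8;                       /* type 8 = echo request */
    buf[1] = 0;                       /* code */
    put16(buf + 2, 0);                /* checksum placeholder */
    put16(buf + 4, id);
    put16(buf + 6, seq);
    memcpy(buf + 8, payload, plen);
    put16(buf + 2, inet_checksum(buf, 8 + plen));  /* ICMP checksum covers header + data */
    return 8 + plen;
}

/* A receiver's check: summing a header that already carries its checksum
 * must give zero. Returns 1 if the IPv4 header and its ICMP payload verify. */
int packet_checksums_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < 20 || ihl < 20 || len < ihl) return 0;
    if (inet_checksum(pkt, ihl) != 0) return 0;
    if (pkt[9] == 1 && inet_checksum(pkt + ihl, len - ihl) != 0) return 0;
    return 1;
}

/* Constructed sample: 192.0.2.10 -> 192.0.2.1 echo request with a 4-byte payload. */
size_t build_sample_packet(uint8_t *buf)
{
    static const uint8_t src[4] = {192, 0, 2, 10}, dst[4] = {192, 0, 2, 1};
    static const uint8_t data[4] = {'p', 'i', 'n', 'g'};
    size_t plen = build_icmp_echo(buf + 20, 0x1234, 1, data, sizeof data);
    build_ipv4(buf, src, dst, 0xabcd, 64, plen);
    return 20 + plen;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_sample_packet(pkt);
    printf("built %zu bytes, checksums %s\n", n, packet_checksums_ok(pkt, n) ? "ok" : "BAD");
    pkt[16] ^= 0x01;                  /* flip one bit of the destination address */
    printf("after corruption: %s\n", packet_checksums_ok(pkt, n) ? "ok" : "BAD");
    return 0;
}
```

The verification relies on a property of the one's-complement sum: adding the stored checksum back into the sum of the other words gives 0xffff, whose complement is zero. Flipping a single bit of the destination address breaks that, which is exactly the condition under which a dissector marks a header as having an incorrect checksum.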

10
Ethereal
  • Ethereal is a tool for troubleshooting network or
    application problems, network analysis, security
    monitoring, software and protocol development,
    and education.
  • Ethereal is free and compares favorably to
    commercial equivalents such as Etherpeek.
  • Source code is freely available at
    http://www.ethereal.com.
  • Works with Windows and UNIX variants

11
Ethereal
  • Ethereal is available as a GUI or as a command
    line tool (tethereal).
  • Ethereal is a user interface to much of the
    functionality provided by libpcap. It reads
    packets off the network, writes and reads save
    files, and isolates the user from system-dependent
    requirements.
  • Ethereal provides a filtering language to allow
    focus on desired traffic.

12
Ethereal
  • Many different protocols (706, so far) are
    dissected and displayed. This includes almost
    all standards-based protocols and many uncommon
    ones as well.
  • Protocols not supported can be coded and built
    into a private version of Ethereal.
  • Private changes may be submitted for
    consideration to be included in the next official
    release of Ethereal.

13
Ethereal
  • Captured packets are displayed in a simple user
    interface, but in a variety of formats that permit
    drilling down to an informative byte-level
    display as well as revealing summaries of network
    traffic.
  • The user interface is intuitive enough that there
    is little learning curve before the tool becomes
    useful and productive.

14
When first initialized, Ethereal will assist the
user in finding the correct interface with which
to do network packet capturing. While the
packets are being captured, a display of the
number of packets of various protocols is shown.
A packet capture may be timed, only last for a
given number of packets or simply run until the
user clicks the stop button.
15
[Screenshot: Ethereal main window showing a capture from a home network, with callouts (1) to (4) marking the four areas described below]
This is a display of traffic captured on a home
network. The top of the screen (1) is a typical
Windows title bar, menu bar, tool bar and search
bar. The next section (2) is a color-coded, one
line per packet, high-level summary. The third
section (3) shows each header in an OSI
layer-like order. Plus signs expand to reveal
data structures and variable names and contents
presented in an informative manner. The bottom
section (4) displays a hex dump of the packet.
16
Enter a search key in the filter field. In the
example here, entering arp in the filter field
removed over 1400 packets that didn't match the
search key, leaving only the packets of interest.
This is a very simple example of a sophisticated
filtering mechanism.
This packet is an Address Resolution Protocol
reply message with an Ethernet header placed in a
frame. Clicking the plus signs next to the
header or protocol names opens the next level
down to show information or the contents of the
structure.
17
This is the same ARP packet as on the previous
slide but after the plus signs have been clicked
to show what information and contents may be
displayed.
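Slides 5, 11, 16 and 17 together describe one pipeline: a capture is read from a savefile (pcap_open_offline / pcap_dump), a display filter such as "arp" keeps only the frames of interest, and the dissector exposes the fields of the ARP reply when its plus signs are expanded. The following C program is an added example, not code from the slides, from Ethereal or from libpcap: it is a minimal reader for the classic libpcap savefile layout (24-byte global header, 16-byte record headers, link type 1 = Ethernet), applies the equivalent of the "arp" filter, and dissects Ethernet/IPv4 ARP into a struct. The capture bytes are constructed inline (one IPv4 frame, one ARP request, one ARP reply, MAC and 192.168.1.x addresses invented for the example) so it runs offline; the function and struct names (scan_arp, build_sample_capture, arp_info) are the example's own.

```c
/* Added example; not code from the slides, Ethereal or libpcap. A minimal
 * reader for the classic libpcap savefile layout (the format pcap_dump()
 * writes and pcap_open_offline() reads) with the equivalent of Ethereal's
 * "arp" display filter and an ARP dissector that exposes the fields the
 * expanded plus signs show. The capture is constructed inline (sample
 * data, not a real trace) so the program runs offline without libpcap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct arp_info {
    uint16_t opcode;                      /* 1 = request, 2 = reply */
    uint8_t  sender_mac[6], sender_ip[4];
    uint8_t  target_mac[6], target_ip[4];
};

static const uint8_t MAGIC_LE[4] = {0xd4, 0xc3, 0xb2, 0xa1};   /* written on little-endian host */
static const uint8_t MAGIC_BE[4] = {0xa1, 0xb2, 0xc3, 0xd4};   /* written on big-endian host */

/* File header fields use the writing host's byte order, announced by the
 * magic; packet contents are always network (big-endian) order. */
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walk every record in cap[]; ARP frames (ethertype 0x0806) are dissected
 * into out[]. Returns the number of records read, or -1 for a bad header. */
int scan_arp(const uint8_t *cap, size_t len, struct arp_info *out, size_t max, size_t *narp)
{
    int le, nrec = 0;
    size_t off = 24;                      /* skip the 24-byte global header */
    *narp = 0;
    if (len < 24) return -1;
    if (!memcmp(cap, MAGIC_LE, 4)) le = 1;
    else if (!memcmp(cap, MAGIC_BE, 4)) le = 0;
    else return -1;
    if (rd32(cap + 20, le) != 1) return -1;                /* link type 1 = Ethernet */
    while (off + 16 <= len) {             /* record header: ts_sec, ts_usec, incl_len, orig_len */
        uint32_t incl = rd32(cap + off + 8, le);
        const uint8_t *pkt = cap + off + 16;
        if (incl > len - off - 16) break; /* truncated last record: stop, never read past the buffer */
        nrec++;
        /* filter "arp": Ethernet type field 0x0806; frames too short for an
         * Ethernet/IPv4 ARP body are skipped rather than dissected */
        if (incl >= 14 + 28 && be16(pkt + 12) == 0x0806 && *narp < max) {
            const uint8_t *a = pkt + 14;
            struct arp_info *ai = &out[(*narp)++];
            memset(ai, 0, sizeof *ai);
            ai->opcode = be16(a + 6);
            /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4: only
             * then do the address fields have the layout copied below */
            if (be16(a) == 1 && be16(a + 2) == 0x0800 && a[4] == 6 && a[5] == 4) {
                memcpy(ai->sender_mac, a + 8, 6);  memcpy(ai->sender_ip, a + 14, 4);
                memcpy(ai->target_mac, a + 18, 6); memcpy(ai->target_ip, a + 24, 4);
            }
        }
        off += 16 + incl;
    }
    return nrec;
}

/* Constructed sample capture with little-endian headers, as written on x86. */
static size_t put_record(uint8_t *cap, size_t off, uint32_t ts, const uint8_t *frame, uint32_t flen)
{
    uint32_t hdr[4] = { ts, 0, flen, flen };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            cap[off + i * 4 + b] = (uint8_t)(hdr[i] >> (8 * b));
    memcpy(cap + off + 16, frame, flen);
    return off + 16 + flen;
}

/* Ethernet + ARP frame (42 bytes); a request is broadcast, a reply is unicast. */
static uint32_t put_arp(uint8_t *f, uint16_t op, const uint8_t *smac, const uint8_t *sip,
                        const uint8_t *tmac, const uint8_t *tip)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    const uint8_t arp_hdr[8] = {0, 1, 0x08, 0x00, 6, 4, (uint8_t)(op >> 8), (uint8_t)op};
    memcpy(f, op == 1 ? bcast : tmac, 6); memcpy(f + 6, smac, 6);
    f[12] = 0x08; f[13] = 0x06;           /* ethertype ARP */
    memcpy(f + 14, arp_hdr, 8);
    memcpy(f + 22, smac, 6); memcpy(f + 28, sip, 4);
    memcpy(f + 32, tmac, 6); memcpy(f + 38, tip, 4);
    return 42;
}

/* One IPv4 frame (dropped by the filter), then an ARP request and its reply. */
size_t build_sample_capture(uint8_t *cap)
{
    static const uint8_t ghdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
    static const uint8_t mac_a[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, mac_b[6] = {0x66,0x77,0x88,0x99,0xaa,0xbb};
    static const uint8_t zero[6] = {0}, ip_a[4] = {192,168,1,10}, ip_b[4] = {192,168,1,1};
    uint8_t frame[64];
    size_t off = 24;
    memcpy(cap, ghdr, 24);
    memcpy(frame, mac_b, 6); memcpy(frame + 6, mac_a, 6);
    frame[12] = 0x08; frame[13] = 0x00;   /* ethertype IPv4, minimal 20-byte header */
    memset(frame + 14, 0, 20); frame[14] = 0x45;
    off = put_record(cap, off, 1, frame, 34);
    uint32_t n = put_arp(frame, 1, mac_a, ip_a, zero, ip_b);   /* "who has 192.168.1.1?" */
    off = put_record(cap, off, 2, frame, n);
    n = put_arp(frame, 2, mac_b, ip_b, mac_a, ip_a);           /* "192.168.1.1 is at mac_b" */
    off = put_record(cap, off, 3, frame, n);
    return off;
}

int main(void)
{
    uint8_t cap[256];
    struct arp_info arp[8];
    size_t n, i, len = build_sample_capture(cap);
    int recs = scan_arp(cap, len, arp, 8, &n);
    printf("%d records, %zu matched filter \"arp\"\n", recs, n);
    for (i = 0; i < n; i++)
        printf("  ARP %s sender %u.%u.%u.%u target %u.%u.%u.%u\n",
               arp[i].opcode == 2 ? "reply  " : "request",
               arp[i].sender_ip[0], arp[i].sender_ip[1], arp[i].sender_ip[2], arp[i].sender_ip[3],
               arp[i].target_ip[0], arp[i].target_ip[1], arp[i].target_ip[2], arp[i].target_ip[3]);
    return 0;
}
```

Two details matter for anyone writing tooling that consumes savefiles produced by pcap_dump(): the magic number decides the byte order of every header field, so a file written on a big-endian host must be read with swapped fields, and a capture stopped mid-write (the user clicking the stop button, or a crash) may end in a partial record, which the reader must treat as end of file rather than read past the buffer.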
18
The end.