Ethereal: Protocol Analyzer
Computer Networks, BITS C481
First Semester 2008-2009

What is Ethereal?
Ethereal is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format.

What is behind the name?
According to the book "Computer Networks" by A. Tanenbaum, Ethernet was named after the "luminiferous ether", which was once thought to carry EM radiation. Taking that into consideration, Ethereal seemed like an appropriate name for something that started out as an Ethernet analyzer.

Who can use it?
Uses:
- To troubleshoot network problems
- To examine security problems
- To debug protocol implementations
- To study network protocol internals
Users:
- Normal users
- Developers
- Security engineers
- Network administrators

History
- Gerald Combs first developed Ethereal in 1997.
- The first version, 0.2.0, was released in July 1998.
- A development team, including Gilbert Ramirez, Guy Harris, and Richard Sharpe, quickly formed to provide patches, enhancements, and additional dissectors.

Features (1)
- It is maintained under the GNU General Public License (GPL).
- It works in promiscuous and non-promiscuous modes.
- Promiscuous mode lets you see all the packets that the interface can see, even those destined for other machines.
- Non-promiscuous mode captures only let you see packets destined for your machine, which includes broadcast packets, and multicast packets if your machine is part of a multicast group.

Features (2)
- It can capture data from the network or read from a capture file.
- It has an easy-to-read and very configurable GUI.
- It has rich display filter capabilities.
- It has a nice feature that reconstructs a TCP session and displays it in ASCII or EBCDIC, as a hexadecimal dump, or as C arrays.

Features (3)
- It can save capture files in a variety of formats, including libpcap (packet capture library), Network Associates Sniffer, Microsoft Network Monitor, and Sun snoop.
- It can capture data from a variety of media, including Ethernet, Token Ring, 802.11 Wireless, and more.

Features (4)
- It includes a command-line version of the network analyzer called tethereal, a terminal-oriented version of Ethereal.
- It includes a variety of supporting programs such as editcap, mergecap, and text2pcap.
- Output can be saved or printed as plain text or PostScript.

Features (5)
- It runs on over 20 platforms, both UNIX-based and Windows.
- It supports over 759 protocols, and because it is open source, new ones are contributed very frequently.
- It can read capture files from over 20 different products.

The Tool
- GUI interface
- Packet capturing
- Packet analyzing
- Packet statistics

Ethereal's GUI
(screenshot)

GUI Interface (2)
- Overview of packet info: click on one of these lines or fields and watch the packet being highlighted below.
- Details about the header of the highlighted packet.
- Info about the packet and its contents.

GUI: Capture Options
(screenshot)

Packet Capturing
- Needs administrative privileges to capture.
- Choose the right network interface.
- Capture at the right place in the network.

Incorrect way to capture packets
(diagram)

Correct way to capture packets
(diagram)

Analyzing Packets
- Display filters
- Enabled protocols
- Display TCP stream
- Decode protocol

Statistics on Packets
- Summary
- Protocol hierarchy
- Conversations, e.g. traffic between specific IP addresses
- IO graphs: visualizing the number of packets with respect to time
- Service response time: between request and response of some protocols

What Ethereal can't do
- It is not an intrusion detection system.
- It cannot manipulate things on the network; it can measure only.
- Ethereal doesn't send packets on the network or do other active things.

...
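As an added example (not part of the slides), a small Python script that reads a libpcap-format capture file, the format listed under Features (3), and computes two of the statistics listed above, the protocol hierarchy and the TCP conversations. The capture it analyzes is constructed inline from three hand-built frames so it runs offline; the addresses and ports are made up.

```python
import struct
from collections import Counter

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero, not a real capture)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # MACs + EtherType IPv4

def build_pcap(frames):
    """Constructed libpcap file: 24-byte global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield captured frames, picking the byte order from the magic number."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def summarize(data):
    """Protocol hierarchy and TCP conversations, like Ethereal's Statistics menu."""
    hierarchy, convs = Counter(), Counter()
    for frame in read_pcap(data):
        hierarchy["eth"] += 1
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        hierarchy["ip"] += 1
        if frame[23] != 6:                       # IP protocol field: 6 = TCP
            continue
        hierarchy["tcp"] += 1
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        convs[tuple(sorted([(src, sport), (dst, dport)]))] += 1   # direction-agnostic
    return hierarchy, convs

SAMPLE = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.7", 40001, 22),
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Pass the bytes of a real capture saved by Ethereal (or tethereal) to summarize() to get the same two counters for it.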
