Instructions for using ethereal

What is ethereal?

Quote from the description on www.ethereal.com:
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
If you want to see what ethereal looks like, check out the screenshots on www.ethereal.com.

How to run ethereal on Linux machines in 547 PGH?

To run ethereal, just type "ethereal" at your command prompt. If you get "command not found", try "/usr/sbin/ethereal".

To capture packets you need root privilege on the machine, which you probably don't have. So I have written a wrapper for ethereal that captures packets. Run "wp_ethereal" or "/usr/local/bin/wp_ethereal" from the prompt (you have to provide the proper parameters; see below for details). For example, you would type the following command on the Linux machine "redhat00":

    /usr/local/bin/wp_ethereal -c 200 -w outputfile -f "'host redhat00'"
  
Please note that the filter should be enclosed in double quotes (") and the filter expression itself enclosed in single quotes ('). The reason is that the first pair of double quotes (") is stripped by the wrapper program, and ethereal then picks up the filter expression enclosed in single quotes ('). I know it's awkward, but at least it works.

You can also reverse the order of single quote and double quote, e.g.,

    /usr/local/bin/wp_ethereal -c 200 -w outputfile -f '"host redhat00"'
  
This captures 200 packets (-c 200), saves the output to "outputfile" (-w outputfile), and sets the capture filter so that only packets to and from redhat00 are captured (-f "'host redhat00'"). You can also add "-n" if you want name resolution (which gives you hostnames instead of IP addresses).

If you get "/bin/touch: outputfile: Permission denied", don't panic. There is a problem with the suid program (wp_ethereal) trying to write to a mounted file system (your home directory). All you have to do is change directory to /tmp (cd /tmp) and repeat the process. Remember to move the output file(s) to your home directory after you are done, or delete them. Sorry for the inconvenience.
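The following POSIX shell script is an added example, not the wp_ethereal wrapper itself (the wrapper's source is not on this page) and not code from the original page. It simulates the two quoting layers that the -f argument goes through, so you can see why a single layer of quotes fails, and it packages the "cd /tmp, capture, move the file home" workaround into one function. The names ethereal_sees, wrap_filter, capture_from_tmp and the WP_SCRATCH_DIR variable are my own; that the wrapper re-parses its -f argument with a second shell is an assumption drawn from the need for two layers of quotes.

```sh
#!/bin/sh
# Added example; this is NOT the wp_ethereal wrapper (its source is not on
# the page). It simulates the two quoting layers the -f argument passes
# through and packages the "cd /tmp, capture, move the file home" workaround.
# Assumption: the wrapper hands its -f argument to a second shell, which is
# what the need for two layers of quotes implies.

# What ethereal ends up receiving when the argument the wrapper got is
# re-parsed by a shell. printf prints each word it receives in brackets,
# so word-splitting of the filter becomes visible.
ethereal_sees() {
    sh -c "printf '[%s]' $1"
}

# Wrap a plain filter in the inner (single-quote) layer so the caller only
# has to supply the outer double quotes:  -f "$(wrap_filter 'host redhat00')"
wrap_filter() {
    printf "'%s'" "$1"
}

# Run a capture from a scratch directory (/tmp by default; WP_SCRATCH_DIR is
# an override I added), because the suid wrapper cannot create the output
# file in the NFS-mounted home directory, then move the file where it
# belongs. Arguments: wrapper command, packet count, output file name,
# plain capture filter, destination directory as an absolute path
# (defaults to $HOME).
capture_from_tmp() {
    cmd=$1; count=$2; out=$3; filter=$4; dest=${5:-$HOME}
    scratch=${WP_SCRATCH_DIR:-/tmp}
    (
        cd "$scratch" || exit 1
        "$cmd" -c "$count" -w "$out" -f "$(wrap_filter "$filter")" || exit 1
        mv -- "$out" "$dest/$out"
    )
}

# Show the three quoting variants from the page side by side. Only the
# forms with an inner layer of quotes reach ethereal as a single filter.
for arg in "'host redhat00'" '"host redhat00"' "host redhat00"; do
    printf 'wrapper gets %-18s ethereal gets %s\n' "$arg" "$(ethereal_sees "$arg")"
done

# Real use on a 547 PGH machine (commented out: needs the suid wrapper):
# capture_from_tmp /usr/local/bin/wp_ethereal 200 outputfile 'host redhat00 and not arp'
```

Running the script prints that the two double-layer forms both arrive as one word, `[host redhat00]`, while the single-layer form is split into `[host][redhat00]`, which is exactly the failure the awkward quoting avoids.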

How to view the captured packets?

Say your captured output file is called "outputfile". The following command reads your captured output file into ethereal.

    /usr/sbin/ethereal -r outputfile
  
There is a very convenient function for keeping track of HTTP (and SMTP, POP3, etc.) messages. It is called "Follow TCP Stream" and is located in the "Tools" menu. You have to move the highlighted bar to a TCP or HTTP packet for the "Follow TCP Stream" option to become available (otherwise it is greyed out). If you want to turn this function off, click the "reset" button at the bottom of the screen.

The network is noisy. How can I filter out unneeded packets?

You can use (-f "'host redhat00'") (assuming you are running on "redhat00"), which will only capture packets to and from "redhat00". If you also want to get rid of ARP, you can use (-f "'host redhat00 and not arp'").

The syntax for capture filters can be found in tcpdump(8). There is also a display filter, whose syntax can be found in ethereal(1).

How can I print out the packets that I captured?

Under the "File" menu, choose "Print". I suggest you "Print summary" only, otherwise the output will be very, very long (since all packets are expanded by default). Most lines in the summary are longer than 80 characters, so either save it to a file first (then use "enscript -r filename" to print it) or put "enscript -r" in the command field.

If you just want to print out one packet, choose "Print Packet" under the "File" menu.

Where can I get ethereal and run it at my PC?

You can download ethereal from its official site to your Linux box. If you are using RedHat, you will need ethereal-*.i386.rpm and libpcap-*ethereal.i386.rpm, plus ucd-snmp*.i386.rpm from your RedHat CD.

For those using Windows 98/NT, there is a Win32 binary distribution. You should get ethereal-*-capture.zip, gtk-libs*.zip, and WinPcap.

Where can I get more information about ethereal?

Other similar packet sniffer programs:


Last modified: November 1, 2000.
tihuang at cs . uh . edu