
Managing NFS and NIS, 2nd Edition - Mike Eisler [200]

for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. It is very similar in functionality to snoop, although perhaps with more powerful and diverse filters. At the time of this writing, ethereal is beta software, and its developers indicate that it is far from complete. Although new features are continuously being added, it already has enough functionality to be useful. We use version 0.8.4 of ethereal in this book; some of the functionality, as well as the look-and-feel, may have changed by the time you read these pages.

In addition to its display filters, ethereal provides a Graphical User Interface (GUI) for browsing the captured data. The official home of the ethereal software is http://www.zing.org. You can download the source and documentation from this site and build it yourself, or follow the links to download precompiled binary packages for your environment. Precompiled Solaris packages are available from http://www.sunfreeware.com. In either case, you will need to install the GTK+ GUI toolkit (open-source software) as well as the libpcap packet capture library; both are available from the ethereal website.

tethereal is the text-only functional equivalent of ethereal. The two share most of their source code, so they provide the same data capture, filtering, and packet decoding; the difference is the user interface, since tethereal has no GUI. Because its output is textual, tethereal is used throughout this book.[9] Examples and discussions concerning tethereal also apply to ethereal. Many of the concepts overlap those presented in the snoop discussion, though the syntax differs.

In its simplest form, tethereal captures and displays all packets seen on the network interface. The # prompt is not incidental: opening the interface for capture requires root privileges.

# tethereal
Capturing on hme0
caramba -> schooner NFS V3 GETATTR Call XID 0x59048f4a
schooner -> caramba NFS V3 GETATTR Reply XID 0x59048f4a
caramba -> schooner TCP 1023 > nfsd [ACK] Seq=2139539358 Ack=1772042332 Win=24820 Len=0
concam -> 224.12.23.34 UDP Source port: 32939 Destination port: 7204
mp-broadcast -> 224.12.23.34 UDP Source port: 32852 Destination port: 7204
narwhal -> 224.12.23.34 UDP Source port: 32823 Destination port: 7204
vm-086 -> 224.0.0.2 HSRP Hello (state Active)
caramba -> mickey YPSERV V2 MATCH Call XID 0x39c4533d
mickey -> caramba YPSERV V2 MATCH Reply XID 0x39c4533d

By default tethereal prints one summary line per packet, decoded to the highest-level protocol it recognizes. The first columns show the source and destination of the packet. tethereal maps each IP address to a hostname when it can, and otherwise prints the address; use the -n option to disable name resolution and have the addresses printed directly, which also avoids the lookup traffic that resolution generates while you are capturing. The rest of each line gives the packet type and the protocol-specific parameters. For example, the first line shows an NFS Version 3 GETATTR (get attributes) request from client caramba to server schooner with RPC transaction ID 0x59048f4a, and the second line shows schooner's reply to that request. You can tell it is the reply to the previous request because the transaction IDs match: an RPC server copies the client's XID into its reply, so the XID is what pairs a call with its reply in a trace.

Use the -w option to have tethereal write the raw packets to a file for later display. As with snoop, this lets you apply filters to the saved data set afterwards to reduce the amount of noise reported. Use the -c option to limit the number of packets captured:

# tethereal -w /tmp/capture -c 5
Capturing on hme0
10

Note that the capture file holds the packets themselves, NFS file handles and NIS map contents included, so protect it as carefully as you would the traffic it was taken from.

Use the -r option to read packets from a capture file. Here -t d prints each packet's timestamp as the delta from the previous packet, which makes request/reply latencies easy to read off:

# tethereal -r /tmp/capture -t d
1 0.000000 caramba -> mickey PORTMAP V2 GETPORT Call XID 0x39c87b6e
2 0.000728 mickey -> caramba PORTMAP V2 GETPORT Reply XID 0x39c87b6e
3 0.00077 caramba -> mickey NFS V3 NULL Call XID 0x39c87b6f
4 0.000416 mickey -> caramba NFS V3 NULL
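The XID pairing described above, applied to -t d output read back from a capture file, as an added example that is not code from the book or from the ethereal project. It assumes the one-line-per-packet summary format shown on this page, saved to a text file with something like tethereal -n -r /tmp/capture -t d > /tmp/summary.txt. The sample lines embedded in the script are constructed, modelled on the page's output; the frames after the first four are invented to exercise the cases a practitioner actually looks for in such a trace: a retransmitted call, a reply whose XID was never sent, and a call that never got an answer.

```python
"""Pair ONC RPC calls with their replies in tethereal summary output.

Added example, not code from the book or the ethereal project. It assumes
the one-line-per-packet summary format shown on this page, as produced by
    tethereal -n -r /tmp/capture -t d > /tmp/summary.txt
where -t d prints each frame's time as a delta from the previous frame.
"""
import re

# Every -t d summary line starts with "<frame> <delta> ..."; the remainder
# depends on the protocol decoded.
FRAME_RE = re.compile(r"^\s*(?P<frame>\d+)\s+(?P<delta>\d+\.\d+)\s+(?P<rest>.*)$")

# Only ONC RPC decodes (NFS, PORTMAP, YPSERV, ...) carry Call/Reply and an XID.
# TCP ACKs, UDP multicast and HSRP lines do not match and are skipped.
RPC_RE = re.compile(
    r"^(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+V(?P<ver>\d+)\s+"
    r"(?P<proc>\S+)\s+(?P<kind>Call|Reply)\s+XID\s+(?P<xid>0x[0-9a-fA-F]+)"
)


def parse_summary(text):
    """Return the RPC records, each with an absolute 'time' rebuilt from the deltas."""
    records, clock = [], 0.0
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # blank line or other non-packet text
        clock += float(m.group("delta"))  # non-RPC frames still advance the clock
        r = RPC_RE.match(m.group("rest"))
        if r:
            rec = r.groupdict()
            rec["frame"], rec["time"] = int(m.group("frame")), clock
            records.append(rec)
    return records


def correlate(records):
    """Match each Reply to the pending Call with the same (client, server, XID)."""
    pending = {}  # (client, server, xid) -> Call record still waiting for a Reply
    matched, retransmitted, orphan_replies = [], [], []
    for rec in records:
        if rec["kind"] == "Call":
            key = (rec["src"], rec["dst"], rec["xid"])
            if key in pending:
                # Same XID sent again before any reply: a client retransmission.
                # The original send time is kept so latency is what the client saw.
                retransmitted.append(rec)
            else:
                pending[key] = rec
        else:
            # In a Reply the source is the server and the destination the client.
            # Including both hosts in the key means a reply carrying a known XID
            # from a host the call never went to is reported, not matched.
            key = (rec["dst"], rec["src"], rec["xid"])
            call = pending.pop(key, None)
            if call is None:
                orphan_replies.append(rec)
            else:
                matched.append({"xid": rec["xid"], "proto": rec["proto"],
                                "proc": rec["proc"], "client": call["src"],
                                "server": call["dst"],
                                "latency": rec["time"] - call["time"]})
    return {"matched": matched, "retransmitted": retransmitted,
            "orphan_replies": orphan_replies, "unanswered": list(pending.values())}


def analyze(text):
    return correlate(parse_summary(text))


# Constructed sample modelled on the -t d output shown on this page. Frames 5-10
# are invented to exercise the retransmission, orphan-reply and unanswered cases.
SAMPLE = """\
1 0.000000 caramba -> mickey PORTMAP V2 GETPORT Call XID 0x39c87b6e
2 0.000728 mickey -> caramba PORTMAP V2 GETPORT Reply XID 0x39c87b6e
3 0.000770 caramba -> mickey NFS V3 NULL Call XID 0x39c87b6f
4 0.000416 mickey -> caramba NFS V3 NULL Reply XID 0x39c87b6f
5 0.002000 caramba -> schooner NFS V3 GETATTR Call XID 0x59048f4a
6 0.000100 caramba -> schooner TCP 1023 > nfsd [ACK] Seq=2139539358 Ack=1772042332 Win=24820 Len=0
7 1.100000 caramba -> schooner NFS V3 GETATTR Call XID 0x59048f4a
8 0.000500 schooner -> caramba NFS V3 GETATTR Reply XID 0x59048f4a
9 0.000300 schooner -> caramba NFS V3 LOOKUP Reply XID 0x59048f99
10 0.000200 caramba -> mickey YPSERV V2 MATCH Call XID 0x39c4533d
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for m in result["matched"]:
        print("%-7s %-8s %s %s -> %s  %.6f s" % (m["proto"], m["proc"], m["xid"],
                                                 m["client"], m["server"], m["latency"]))
    for label in ("retransmitted", "orphan_replies", "unanswered"):
        for rec in result[label]:
            print("%s: frame %d %s %s %s" % (label, rec["frame"], rec["proto"],
                                              rec["proc"], rec["xid"]))
```

To run it against a real trace, replace SAMPLE with the contents of the summary file. Keying on the client/server pair as well as the XID is deliberate: XIDs are chosen by the client and repeat across hosts, so the XID alone does not identify a transaction on a busy segment, and a reply from an unexpected host should show up as an orphan rather than quietly closing someone else's call. Retransmissions and unanswered calls are what an overloaded or unreachable server looks like in a trace; an orphan reply is worth a second look.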
