Managing NFS and NIS, 2nd Edition - Mike Eisler [201]
5 0.001957 caramba -> mickey PORTMAP V2 GETPORT Call XID 0x39c848db
tethereal reads the packets from the /tmp/capture file specified by the -r option. Note that two new columns are added to the display. The first column displays the packet number, and the second column displays the time delta, in seconds, between one packet and the next. The -t d option instructs tethereal to use delta timestamps; if it is not specified, tethereal reports timestamps relative to the time elapsed between the first packet and the current packet. Use the -t a option to display the actual date and time at which the packet was captured. tethereal can also read capture files generated by other network analyzers, including snoop's capture files.
As mentioned in the snoop discussion, network analyzers are most useful when you have the ability to filter out only the information you need. One of tethereal's strongest attributes is its rich filter set. Unlike snoop, tethereal uses different syntax for capture and display filters. Display filters are called read filters in tethereal, so we will use the tethereal terminology during this discussion. Note that a read filter can also be specified during packet capture, causing only packets that pass the read filter to be displayed or saved to the output file. Capture filters are much more efficient than read filters: it may be difficult for tethereal to keep up with a busy network if a read filter is specified during a live capture.
Capture filters
Packet capture and filtering are performed by the Packet Capture Library (libpcap). Use the -f option to set the capture filter expression:
# tethereal -f "dst host donald"
Capturing on hme0
schooner -> donald TCP nfsd > 1023 [PSH, ACK] Seq=1773285388 Ack=2152316770 Win=49640 Len=116
mickey -> donald UDP Source port: 934 Destination port: 61638
mickey -> donald UDP Source port: 934 Destination port: 61638
mickey -> donald UDP Source port: 934 Destination port: 61638
schooner -> donald TCP nfsd > 1023 [PSH, ACK] Seq=1773285504 Ack=2152316882 Win=49640 Len=116
The dst host filter instructs tethereal to capture only packets whose destination address equals donald. You can specify either the IP address or the hostname; tethereal uses the name service switch to do the conversion. Substitute src for dst and tethereal captures packets whose source address equals donald. Simply specifying host donald captures packets whose source or destination address equals donald.
Use protocol capture filters to instruct tethereal to capture all network packets using the specified protocol, regardless of source, destination, packet length, and so on:
# tethereal -f "arp"
Sun_a0:33:90 -> ff:ff:ff:ff:ff:ff ARP Who has 131.40.51.7? Tell 131.40.51.125
Sun_b9:2b:f6 -> Sun_a0:33:90 ARP 131.40.51.223 is at 08:00:20:b9:2b:f6
00:90:2b:71:e0:00 -> ff:ff:ff:ff:ff:ff ARP Who has 131.40.51.77? Tell 131.40.51.17
The arp filter instructs tethereal to capture all of the ARP packets on the network. Notice that tethereal replaces the Ethernet address vendor prefix (08:00:20) with the Sun_ identifier. The list of prefixes known to tethereal can be found in the /etc/manuf file, located in the tethereal installation directory.
Use the and, or, and not logical operators to build complex and powerful filters:
# tethereal -w /tmp/capture -f "host 131.40.51.7 and arp"
# tethereal -r /tmp/capture
Sun_a0:33:90 -> ff:ff:ff:ff:ff:ff ARP Who has 131.40.51.7? Tell 131.40.51.125
Sun_b9:2b:f6 -> Sun_a0:33:90 ARP 131.40.51.7 is at 08:00:20:b9:2b:f6
tethereal captures all ARP requests for the 131.40.51.7 address and writes the packets to the /tmp/capture file. We should point out that the source address of the first packet is not 131.40.51.7, and highlight the fact that its destination address is the Ethernet broadcast address. You may then ask why this packet is captured by tethereal when neither the source nor the destination address matches the requested host. You can use the -V option to analyze the contents of the captured packet and answer this question:
# tethereal -r /tmp/ether
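As an added illustration (not from the book) of why the broadcast ARP request above passes "host 131.40.51.7 and arp": libpcap's host primitive tests the sender and target protocol addresses carried inside an ARP payload, not the Ethernet addresses, so a request asking for 131.40.51.7 qualifies. The Python below models that matching over constructed tethereal-style summary lines; the line parser and the filter grammar (host, src host, dst host, arp, tcp, udp, and, or, not) are a simplified model written for this example, not libpcap's own code.

```python
import re
# Constructed tethereal-style one-line summaries (not from a real capture).
SUMMARY = [
    "schooner -> donald TCP nfsd > 1023 [PSH, ACK] Seq=1773285388 Ack=2152316770",
    "mickey -> donald UDP Source port: 934 Destination port: 61638",
    "Sun_a0:33:90 -> ff:ff:ff:ff:ff:ff ARP Who has 131.40.51.7? Tell 131.40.51.125",
    "Sun_b9:2b:f6 -> Sun_a0:33:90 ARP 131.40.51.7 is at 08:00:20:b9:2b:f6",
    "00:90:2b:71:e0:00 -> ff:ff:ff:ff:ff:ff ARP Who has 131.40.51.77? Tell 131.40.51.17",
]
LINE_RE = re.compile(r"^(\S+) -> (\S+) (\w+) (.*)$")
ARP_REQ = re.compile(r"Who has (\S+)\? Tell (\S+)")
ARP_REP = re.compile(r"(\S+) is at \S+")

def parse(line):
    """Return (proto, src, dst); for ARP, src/dst are the ARP sender/target protocol addresses."""
    src, dst, proto, rest = LINE_RE.match(line).groups()
    if proto == "ARP":
        req, rep = ARP_REQ.search(rest), ARP_REP.search(rest)
        if req:                           # "Who has <target>? Tell <sender>"
            return "arp", req.group(2), req.group(1)
        return "arp", rep.group(1), None  # reply: sender announces itself
    return proto.lower(), src, dst

def matches(expr, pkt):
    """Evaluate host / src host / dst host / arp / tcp / udp combined with
    and, or, not (pcap precedence: not binds tightest, then and, then or)."""
    toks = expr.split()
    def primary():
        t = toks.pop(0)
        if t == "not":
            return not primary()
        if t in ("arp", "tcp", "udp"):
            return pkt[0] == t
        if t in ("src", "dst"):
            toks.pop(0)                   # skip the 'host' keyword
            return pkt[1 if t == "src" else 2] == toks.pop(0)
        if t == "host":
            return toks.pop(0) in (pkt[1], pkt[2])
        raise ValueError("unknown filter token: " + t)
    def and_expr():
        v = primary()
        while toks and toks[0] == "and":
            toks.pop(0); v = primary() and v
        return v
    v = and_expr()
    while toks and toks[0] == "or":
        toks.pop(0); v = and_expr() or v
    return v
def capture(expr, lines=SUMMARY):
    return [ln for ln in lines if matches(expr, parse(ln))]
```

Running capture("host 131.40.51.7 and arp") keeps both the broadcast request (target address 131.40.51.7) and the reply (sender address 131.40.51.7), reproducing the two-packet result shown in the text.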