The Ethereal Packet sniffer
Ethereal is wonderful. It might at first be thought of as
a hacker's tool perhaps, but I have never used it as such
and find it vastly useful. I have used it to diagnose all
kinds of maladies in distributed applications, as well as
to reverse engineer poorly documented protocols in
network-enabled products. There is no end to the things
you might want to do with it.
Filters
Almost the first thing you will want to do, once you begin
looking at packet traffic, is to use a filter to limit what
you are looking at. The first thing to avoid being confused
by is the fact that Ethereal has two kinds of filters with
different syntax (Ugh!), namely capture filters and display
filters. Capture filters use the tcpdump (libpcap) syntax
and decide which packets get recorded at all; display
filters use Ethereal's own syntax and only hide packets that
have already been captured. I typically fiddle with capture
filters.
Capturing Packets
You will need to run Ethereal as root (this is essential because
the ability to put the network card into promiscuous mode and
capture all traffic is limited to root). Also, if you are on
a switched network you will see only the traffic that the switch
decides to forward to your port, so an old-fashioned shared-media
hub and a few cables can be handy for many experiments you might
want to perform. Click capture->start and you will be looking at
a Capture Options popup. I essentially always click the option
to Update list of packets in real time and go. To set a
capture filter, there is a little entry box in this window to
do so.
Example Capture Filters
- host 128.196.105.17
- host clamdigger
- src host clamdigger
- dst host clamdigger
- ip proto \udp
- udp
- udp && dst host clamdigger
- host clamdigger && port 25
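To make the meaning of the filters above concrete (host matches either direction, src/dst restrict it, port matches either end, && requires every term), here is a small evaluator for just that subset of the capture-filter syntax, run over a handful of made-up packets. This is an added example, not Ethereal's or libpcap's code; the packets, the address 192.0.2.10 standing in for clamdigger, and the hostname table are all constructed for the demonstration.

```python
"""Toy evaluator for the capture-filter subset used on this page:
host / src host / dst host, port, udp, 'ip proto \\udp' and '&&'.
Hypothetical code written for illustration; real capture filters are
compiled by libpcap into BPF, not interpreted like this."""

import re

# Constructed hostname table standing in for DNS resolution.
HOSTS = {"clamdigger": "192.0.2.10"}

# IP protocol numbers for the protocol keywords we understand.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def _resolve(name):
    """Map a hostname to its address; literal addresses pass through."""
    return HOSTS.get(name, name)


def parse_filter(text):
    """Split a filter on '&&' (or 'and') into a list of primitives.
    Each primitive is (kind, direction, value) with kind in
    {'host', 'port', 'proto'} and direction in {'src', 'dst', None}."""
    prims = []
    for term in re.split(r"\s*(?:&&|\band\b)\s*", text.strip()):
        toks = term.split()
        if not toks:
            continue
        direction = None
        if toks[0] in ("src", "dst"):
            direction = toks.pop(0)
        kw = toks[0]
        if kw == "host":
            prims.append(("host", direction, _resolve(toks[1])))
        elif kw == "port":
            prims.append(("port", direction, int(toks[1])))
        elif kw in PROTO_NUM:
            # Bare 'udp' is shorthand for 'ip proto udp'.
            prims.append(("proto", None, PROTO_NUM[kw]))
        elif kw == "ip" and len(toks) == 3 and toks[1] == "proto":
            # In tcpdump syntax 'udp' is also a keyword, so the protocol
            # name after 'ip proto' is escaped with a backslash: \udp.
            name = toks[2].lstrip("\\")
            value = PROTO_NUM[name] if name in PROTO_NUM else int(name)
            prims.append(("proto", None, value))
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return prims


def matches(prims, pkt):
    """True when the packet satisfies every primitive (all are AND-ed)."""
    for kind, direction, value in prims:
        if kind == "host":
            candidates = {"src": [pkt["src"]],
                          "dst": [pkt["dst"]],
                          None: [pkt["src"], pkt["dst"]]}[direction]
        elif kind == "port":
            candidates = {"src": [pkt.get("sport")],
                          "dst": [pkt.get("dport")],
                          None: [pkt.get("sport"), pkt.get("dport")]}[direction]
        else:
            candidates = [pkt["proto"]]
        if value not in candidates:
            return False
    return True


def apply_filter(text, packets):
    """Return the packets that the filter would let through."""
    prims = parse_filter(text)
    return [p for p in packets if matches(prims, p)]


# Constructed sample traffic: an SMTP exchange, a DNS exchange, a third
# host talking SMTP elsewhere, and an ICMP packet to clamdigger.
PACKETS = [
    {"id": 1, "src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6, "sport": 40001, "dport": 25},
    {"id": 2, "src": "198.51.100.5", "dst": "192.0.2.10", "proto": 6, "sport": 25, "dport": 40001},
    {"id": 3, "src": "192.0.2.10", "dst": "198.51.100.53", "proto": 17, "sport": 5353, "dport": 53},
    {"id": 4, "src": "198.51.100.53", "dst": "192.0.2.10", "proto": 17, "sport": 53, "dport": 5353},
    {"id": 5, "src": "203.0.113.7", "dst": "198.51.100.5", "proto": 6, "sport": 40002, "dport": 25},
    {"id": 6, "src": "203.0.113.7", "dst": "192.0.2.10", "proto": 1},
]


def ids(text):
    """Packet ids passed by the filter, for quick comparison."""
    return [p["id"] for p in apply_filter(text, PACKETS)]


if __name__ == "__main__":
    for f in ["host 128.196.105.17", "host clamdigger", "src host clamdigger",
              "dst host clamdigger", "ip proto \\udp", "udp",
              "udp && dst host clamdigger", "host clamdigger && port 25"]:
        print(f"{f:30} -> {ids(f)}")
```

Running it shows why "host clamdigger" returns both halves of each conversation while "src host clamdigger" keeps only the outbound packets, and why "host clamdigger && port 25" picks up the reply from the mail server (port 25 is then the source port) as well as the request.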
Feedback? Questions?
Drop me a line!
Uncle Tom's Computer Info / tom@mmto.org