What is Ethereal?

Simply put, Ethereal is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format. We have already mentioned some of the most important aspects of Ethereal: that it is open source, actively maintained, and free. Let’s take a moment to mention some of its other important aspects:

  • It is maintained under the GNU General Public License (GPL).

  • It works in promiscuous and non-promiscuous modes.

  • It can capture data from the network or read from a capture file.

  • It has an easy-to-read and very configurable GUI.

  • It has rich display filter capabilities.

  • It supports Tcpdump format capture filters.

  • It has a nice feature that reconstructs a TCP session and displays it in ASCII or Extended Binary Coded Decimal Interchange Code (EBCDIC), hexadecimal dump, or C arrays.

  • It is available in precompiled binaries and source code.

  • It runs on over 20 platforms, both UNIX-based and Windows.

  • It supports over 480 protocols, and because it is open source, new ones are contributed very frequently.

  • It can read capture files from over 20 different products.

  • It can save capture files in a variety of formats including libpcap, Network Associates Sniffer, Microsoft Network Monitor, and Sun snoop.

  • It can capture data from a variety of media including Ethernet, Token-Ring, 802.11 Wireless, and more.

  • It includes a command line version of the network analyzer called tethereal.

  • It includes a variety of supporting programs such as editcap, mergecap, and text2pcap.

  • Output can be saved or printed as plain text or PostScript.

History of Ethereal

Gerald Combs first developed Ethereal in 1997 because he was expanding his knowledge of networking and needed a tool for network troubleshooting. The first version, 0.2.0, was released in July 1998. A development team, including Gilbert Ramirez, Guy Harris, and Richard Sharpe, quickly formed to provide patches, enhancements, and additional dissectors. Dissectors are what allow Ethereal to decode individual protocols and present them in a readable format. Since then, a large number of individuals have contributed the protocol dissectors they needed and other enhancements to Ethereal. This continues to be a great way to become involved, so if you need support for a particular protocol, start writing a dissector for it! This will benefit not only the project but you and other users as well. You can view the list of authors at www.ethereal.com/introduction.html#authors. Because of the overwhelming development support and the large user base, Ethereal’s capabilities and popularity continue to grow every day.

start sidebar
Notes from the Underground…
The GNU General Public License

The GNU Project (pronounced “guh-NEW”) was originally developed in 1984 to provide a free Unix-like operating system. This operating system is known as a “GNU/Linux” system because it uses the GNU utilities and a Linux kernel. The GNU Project is run and sponsored by the Free Software Foundation (FSF). Richard Stallman wrote the GNU General Public License (GPL) in 1989, for the purpose of distributing programs released as part of the GNU project. It is a copyleft, free software license and is based on similar licenses used for early versions of GNU Emacs. It has become one of the most widely used free software licenses due to its purpose of giving the public more freedom instead of less.

Copyleft became a term from the phrase “Copyleft—all rights reversed”. It is the application of copyright law to ensure public freedom to manipulate, improve, and redistribute a work of authorship and all derivative works. This means that the copyright holder grants an irrevocable license to all recipients of a copy, permitting the redistribution and sale of possibly further modified copies, under the condition that all those copies carry the same license and are made available in a form which also facilitates modification. This is a key feature in free and open source software to keep the work free and open. There are legal consequences to face if a licensee fails to distribute the work under the same license. If the licensee distributes copies of the work, the source code and modification must be made available. Sure you can make private modifications to GPL software, just don’t distribute it to anyone!

The GPL software license itself cannot be modified. You can copy and distribute it as much as you want, but don’t change the text of the GPL. Other licenses created by the GNU project include the GNU Lesser General Public License and the GNU Free Documentation License.

There remains an ongoing dispute about the GPL and whether or not non-GPL software can link to GPL libraries. Although derivative works of GPL code must abide by the license, it is not clear whether an executable that links to a GPL library is considered a derivative work. The FSF states that such executables are derivatives to the GPL work, but others in the software community disagree. To date, there have not been any court decisions to resolve this conflict.

end sidebar

Compatibility

As we previously stated, Ethereal can read and process capture files from a number of different products, including other sniffers, routers, and network utilities. Because Ethereal uses the popular libpcap-based capture format, it interfaces easily with other products that use libpcap, and it can read captures in a variety of other formats as well. Ethereal automatically determines what type of file it is reading and can also uncompress gzip files. The following list shows the products from which Ethereal can read capture files:

  • Tcpdump

  • Sun snoop and atmsnoop

  • Microsoft Network Monitor

  • Network Associates Sniffer (compressed or uncompressed) and Sniffer Pro

  • Shomiti/Finisar Surveyor

  • Novell LANalyzer

  • Cinco Networks’ NetXRay

  • AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek

  • RADCOM’s WAN/LAN analyzer

  • Visual Networks’ Visual UpTime

  • Lucent/Ascend router debug output

  • Toshiba’s ISDN routers dump output

  • Cisco Secure IDS iplog

  • AIX’s iptrace

  • HP-UX nettl

  • ISDN4BSD project’s i4btrace output

  • pppd logs (pppdump-format)

  • VMS’s TCPIPtrace utility

  • DBS Etherwatch VMS utility

  • CoSine L2 debug

  • Accellent’s 5Views LAN agent output

  • Endace Measurement Systems’ ERF capture format

  • Linux Bluez Bluetooth stack “hcidump -w” traces

  • Network Instruments Observer version 9

Supported Protocols

When a network analyzer reads data from the network, it needs to know how to interpret what it is seeing and display the output in an easy-to-read format. This is known as protocol decoding. The number of protocols a sniffer can read and display often determines its strength, which is why most commercial sniffers support several hundred protocols. Ethereal is very competitive in this area with its current support of over 480 protocols. New protocols are constantly being added by various contributors to the Ethereal project. Protocol decodes, also known as dissectors, can be added directly into the code or included as plugins. The following list shows the 483 protocols that are supported at the time of this writing; no doubt by the time you read this there will be more:

802.11 MGT, AAL1, AAL3_4, AARP, ACAP, ACN, AFP, AFS (RX), AH, AIM, AJP13, ALCAP, ANS, ANSI BSMAP, ANSI DTAP, ANSI IS-637-A Teleservice, ANSI IS-637-A Transport, ANSI IS-683-A (OTA (Mobile)), ANSI MAP, AODV, ARCNET, ARP/RARP, ARTNET, ASAP, ASF, ASN1, ASP, ATM, ATM LANE, ATP, ATSVC, Auto-RP, AVS WLANCAP, BACapp, BACnet, BEEP, BFD Control, BGP, BICC, Boardwalk, BOFL, BOOTP/DHCP, BOOTPARAMS, BOSSVR, BROWSER, BSSAP, BSSGP, BUDB, BUTC, BVLC, CCSDS, CDP, CDS_CLERK, cds_solicit, CFLOW, CGMP, CHDLC, CLDAP, CLEARCASE, CLNP, CLTP, CONV, COPS, COSEVENTCOMM, CoSine, COSNAMING, COTP, CPFI, CPHA, cprpc_server, CUPS, Data, DCCP, DCE_DFS, dce_update, DCERPC, DDP, DDTP, DEC_STP, DFS, DHCPv6, Diameter, DISTCC, DLSw, DNS, DNSSERVER, DOCSIS, DOCSIS BPKM-ATTR, DOCSIS BPKM-REQ, DOCSIS BPKM-RSP, DOCSIS DSA-ACK, DOCSIS DSA-REQ, DOCSIS DSA-RSP, DOCSIS DSC-ACK, DOCSIS DSC-REQ, DOCSIS DSC-RSP, DOCSIS DSD-REQ, DOCSIS DSD-RSP, DOCSIS MAC MGMT, DOCSIS MAP, DOCSIS REG-ACK, DOCSIS REG-REQ, DOCSIS REG-RSP, DOCSIS RNG-REQ, DOCSIS RNG-RSP, DOCSIS TLVs, DOCSIS UCC-REQ, DOCSIS UCC-RSP, DOCSIS UCD, DOCSIS VSIF, DRSUAPI, DSI, DTSPROVIDER, DTSSTIME_REQ, DVMRP, EAP, EAPOL, ECHO, EDONKEY, EIGRP, ENC, ENIP, ENTTEC, EPM, EPM4, ESIS, ESP, ETHERIP, Ethernet, FC, FC ELS, FC FZS, FC-dNS, FC-FCS, FC-SB3, FC-SP, FC-SWILS, FC_CT, FCIP, FCP, FDDI, FIX, FLDB, FR, Frame, FTP, FTP-DATA, FTSERVER, FW-1, GIOP, GMRP, GNUTELLA, GPRS NS, GRE, Gryphon, GSM BSSMAP, GSM DTAP, GSM MAP, GSM RP, GSM SMS, GSS-API, GTP, GVRP, H.261, H.263, H1, H225, H245, H4501, HCLNFSD, HPEXT, HSRP, HTTP, HyperSCSI, IAPP, IB, ICAP, ICL_RPC, ICMP, ICMPv6, ICP, ICQ, IEEE 802.11, IGAP, IGMP, IGRP, ILMI, IMAP, INITSHUTDOWN, IP, IPComp, IPFC, IPMI, IPP, IPv6, IPX, IPX MSG, IPX RIP, IPX SAP, IPX WAN, IRC, ISAKMP, iSCSI, ISDN, ISIS, ISL, iSNS, ISUP, IUA, Jabber, KADM5, KLM, Kpasswd, KRB5, KRB5RPC, L2TP, LACP, LANMAN, LAPB, LAPBETHER, LAPD, Laplink, LDAP, LDP, LLAP, LLC, LMI, LMP, LPD, LSA, LSA_DS, Lucent/Ascend, LWAPP, LWAPP-CNTL, LWAPP-L3, LWRES, M2PA, 
M2TP, M2UA, M3UA, Malformed packet, MAPI, MDS Header, MEGACO, Messenger, MGCP, MGMT, MIPv6, MMSE, Mobile IP, Modbus/TCP, MOUNT, MPEG1, MPLS, MRDISC, MS Proxy, MSDP, MSNIP, MSNMS, MTP2, MTP3, MTP3MG, MySQL, NBDS, NBIPX, NBNS, NBP, NBSS, NCP, NDMP, NDPS, NetBIOS, NETLOGON, NFS, NFSACL, NFSAUTH, NIS+, NIS+ CB, NLM, NLSP, NMPI, NNTP, NSPI, NTLMSSP, NTP, Null, OAM AAL, OSPF, OXID, PCLI, PCNFSD, PER, PFLOG, PFLOG-OLD, PGM, PIM, POP, Portmap, PPP, PPP BACP, PPP BAP, PPP CBCP, PPP CCP, PPP CDPCP, PPP CHAP, PPP Comp, PPP IPCP, PPP IPV6CP, PPP LCP, PPP MP, PPP MPLSCP, PPP PAP, PPP PPPMux, PPP PPPMuxCP, PPP VJ, PPPoED, PPPoES, PPTP, Prism, Q.2931, Q.931, Q.933, QLLC, QUAKE, QUAKE2, QUAKE3, QUAKEWORLD, RADIUS, RANAP, Raw, Raw_SIP, RDM, REMACT, REP_PROC, RIP, RIPng, Rlogin, RMCP, RMI, RMP, roverride, RPC, RPC_BROWSER, RPC_NETLOGON, RPL, rpriv, RQUOTA, RS_ACCT, RS_ATTR, RS_BIND, rs_misc, RS_PGO, RS_PLCY, rs_prop_acct, RS_REPADM, RS_REPLIST, RS_UNIX, rsec_login, RSH, RSTAT, RSVP, RSYNC, RTCFG, RTCP, RTMP, RTNET, RTP, RTP Event, RTSP, RWALL, RX, SADMIND, SAMR, SAP, SCCP, SCCPMG, SCSI, SCTP, SDLC, SDP, SEBEK, SECIDMAP, Serialization, SES, sFlow, SGI MOUNT, Short frame, SIP, SKINNY, SLARP, SliMP3, SLL, SMB, SMB Mailslot, SMB Pipe, SMPP, SMTP, SMUX, SNA, SNA XID, SNAETH, SNMP, Socks, SONMP, Spnego, SPNEGO-KRB5, SPOOLSS, SPRAY, SPX, SRVLOC, SRVSVC, SSCOP, SSH, SSL, STAT, STAT-CB, STP, STUN, SUA, SVCCTL, Syslog, T38, TACACS, TACACS+, TAPI, TCAP, TCP, TDS, TELNET, TEREDO, TFTP, TIME, TKN4Int, TNS, Token-Ring, TPCP, TPKT, TR MAC, TSP, TZSP, UBIKDISK, UBIKVOTE, UCP, UDP, UDPENCAP, Unreassembled fragmented packet, V.120, Vines ARP, Vines Echo, Vines FRP, Vines ICP, Vines IP, Vines IPC, Vines LLC, Vines RTP, Vines SPP, VLAN, VRRP, VTP, WBXML, WCCP, WCP, WHDLC, WHO, WINREG, WKSSVC, WSP, WTLS, WTP, X.25, X.29, X11, XDMCP, XOT, XYPLEX, YHOO, YMSG, YPBIND, YPPASSWD, YPSERV, YPXFR, ZEBRA, ZIP

Ethereal’s User Interface

Ethereal’s graphical user interface is very configurable and easy to use. We will be covering the interface in detail in Chapter 4; however, we want to touch on some of the highlights here. Like other network analyzers, Ethereal displays capture information in three main window panes. Figure 2.1 shows what a typical Ethereal capture looks like in each of its panes. Each pane is adjustable in size by clicking on the row of dots between the panes and dragging up or down. The upper-most pane is the summary pane, which displays a one-line summary of each captured packet. Ethereal’s default fields include: packet number, time, source address, destination address, and the name of and information about the highest-layer protocol. These columns are configurable, and new ones can be added under Preferences. You can also click on a column heading to sort ascending or descending by that field.

Note 

You will notice that the Windows Ethereal GUI resembles a Unix application rather than a native Windows application. This is because Ethereal uses the GIMP Toolkit (GTK) library to create the interface. So regardless of the operating system (OS) you are running it on, Ethereal will look the same.

The middle pane is the protocol detail view. This pane provides all of the details for each of the layers contained inside the captured packet in a tree-like structure. Clicking on various parts of the protocol tree will highlight the corresponding hexadecimal and ASCII output in the bottom pane. The bottom pane displays the raw captured data in both hexadecimal and ASCII format. Clicking on various parts of this data will also highlight the corresponding fields in the protocol tree in the middle pane. Figure 2.1 shows the Ethereal interface and an example of a network SYN scan. Notice that highlighting the source MAC address in the middle (protocol detail) pane automatically highlights that portion of the hexadecimal dump in the bottom data pane.

One of the coolest features of Ethereal is its ability to reassemble all of the packets in a TCP conversation and display the ASCII in a very easy-to-read format. It can also be viewed in EBCDIC, hexadecimal dump, and C arrays. This data can then be saved or printed. A good use for this is to reconstruct a web page: just follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML offline, without graphics of course, in a web browser. Figure 2.2 shows the TCP stream output of a Telnet session. Notice how easy it is to read the username and password in cleartext. Some text, such as “root” and “exit”, includes double letters because the display contains both the character sent by the client and the server’s echo of that character, carried in its ACK response. This is a good example of why you would never want to Telnet as root!

Figure 2.1: Ethereal’s GUI
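The doubled letters in the Telnet stream come from reassembling both directions of the connection and showing them in the order they were captured. The following Python is an added example (not the book's or Ethereal's code) of that reassembly: it orders segments by sequence number, drops retransmitted bytes, holds out-of-order segments until the gap before them is filled, and renders the result in the ASCII, hex dump and C array forms mentioned above. The Telnet exchange it processes is constructed for the example; the sequence numbers and the "client"/"server" labels are assumptions of the sample, not captured data.

```python
def follow_stream(segments, isn):
    """Rebuild both directions of a TCP conversation from captured segments.

    segments: (direction, seq, payload) tuples in capture order.
    isn: initial sequence number per direction, taken from the SYN and SYN/ACK.
    Retransmitted bytes are dropped and out-of-order segments are held until the
    gap before them is filled, so the result reads like 'Follow TCP Stream'.
    Returns (chunks, unreassembled): chunks is [(direction, bytes)] in conversation
    order; unreassembled lists sequence numbers still waiting on a missing segment.
    """
    next_seq = {d: s + 1 for d, s in isn.items()}     # first data byte follows the SYN
    pending = {d: {} for d in isn}                     # direction -> {seq: payload}
    chunks = []
    for direction, seq, payload in segments:
        pending[direction][seq] = payload
        expected = next_seq[direction]
        while True:
            ready = [s for s in pending[direction] if s <= expected]
            if not ready:
                break                                  # next byte not captured yet
            start = min(ready)
            data = pending[direction].pop(start)[expected - start:]   # drop already-seen bytes
            if data:
                if chunks and chunks[-1][0] == direction:
                    chunks[-1] = (direction, chunks[-1][1] + data)
                else:
                    chunks.append((direction, data))
                expected += len(data)
        next_seq[direction] = expected
    return chunks, {d: sorted(p) for d, p in pending.items() if p}


def direction_bytes(chunks, direction):
    """All bytes sent by one peer, in order (one side of the stream window)."""
    return b"".join(data for who, data in chunks if who == direction)


def render_ascii(data):
    """Printable ASCII as-is, everything else as '.' (the ASCII view)."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def render_hexdump(data, width=16):
    """Offset, hex bytes and ASCII per line (the hex dump view)."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in row)
        lines.append("%08x  %-*s %s" % (off, width * 3, hexpart, render_ascii(row)))
    return "\n".join(lines)


def render_c_array(data, name):
    """A C array initialiser (the C arrays view), one array per peer such as peer0_0."""
    return "char %s[] = { %s };" % (name, ", ".join("0x%02x" % b for b in data))


SAMPLE_ISN = {"client": 1000, "server": 5000}
# Constructed Telnet exchange (not a real capture): the client types "root", the server
# echoes each character back, then prompts for a password, which it does not echo.
SAMPLE_SEGMENTS = [
    ("server", 5001, b"login: "),
    ("client", 1001, b"r"), ("server", 5008, b"r"),
    ("client", 1002, b"o"), ("server", 5009, b"o"),
    ("client", 1003, b"o"), ("server", 5010, b"o"),
    ("client", 1003, b"o"),                  # retransmission of the previous client byte
    ("client", 1004, b"t"), ("server", 5011, b"t"),
    ("client", 1005, b"\r\n"), ("server", 5012, b"\r\n"),
    ("server", 5014, b"Password: "),
    ("client", 1009, b"cret\r\n"),           # captured before the segment it follows
    ("client", 1007, b"s3"),
    ("server", 5024, b"# "),
]

if __name__ == "__main__":
    chunks, missing = follow_stream(SAMPLE_SEGMENTS, SAMPLE_ISN)
    print(render_ascii(b"".join(data for _, data in chunks)))   # shows the doubled "rroooott"
    print(render_hexdump(direction_bytes(chunks, "client")))
    print(render_c_array(direction_bytes(chunks, "server"), "peer1_0"))
```

The interleaved ASCII view of the sample reads "login: rroooott....Password: s3cret..# ": each typed letter appears twice because the client's byte and the server's echo are separate segments, while the password appears once because the server does not echo it. Anything still sitting in the unreassembled map after the capture ends is a gap the analyzer should flag rather than silently skip.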

Filters

Filtering packets helps you find what you are looking for without sifting through numerous other distracting packets. Ethereal can use both capture filters and display filters. The capture filter syntax is the same Tcpdump syntax provided by the libpcap library; it is used on the command line or in the Capture Filter dialog box to capture only certain types of traffic. Display filters provide a powerful syntax for selecting from traffic that has already been captured. As the number of protocols grows, the number of protocol fields available to display filters grows as well. However, not all protocols that Ethereal currently supports have display filters, and some protocols provide display filter field names for some of their fields but not all of them. Hopefully, as the product matures and users contribute to the development process, this will change. Table 2.1 shows an example of a supported protocol and its display filters:

Figure 2.2: Follow the TCP Stream

Table 2.1: IP Display Filters

Internet Protocol (IP)

Field                          Name                                   Type
ip.addr                        Source or Destination Address          IPv4 address
ip.checksum                    Header checksum                        Unsigned 16-bit integer
ip.checksum_bad                Bad Header checksum                    Boolean
ip.dsfield                     Differentiated Services field          Unsigned 8-bit integer
ip.dsfield.ce                  ECN-CE                                 Unsigned 8-bit integer
ip.dsfield.dscp                Differentiated Services Codepoint      Unsigned 8-bit integer
ip.dsfield.ect                 ECN-Capable Transport (ECT)            Unsigned 8-bit integer
ip.dst                         Destination                            IPv4 address
ip.flags                       Flags                                  Unsigned 8-bit integer
ip.flags.df                    Don’t fragment                         Boolean
ip.flags.mf                    More fragments                         Boolean
ip.frag_offset                 Fragment offset                        Unsigned 16-bit integer
ip.fragment                    IPFragment                             Frame number
ip.fragment.error              Defragmentation error                  Frame number
ip.fragment.multipletails      Multiple tail fragments found          Boolean
ip.fragment.overlap            Fragment overlap                       Boolean
ip.fragment.overlap.conflict   Conflicting data in fragment overlap   Boolean
ip.fragment.toolongfragment    Fragment too long                      Boolean
ip.fragments                   IPFragments                            No value
ip.hdr_len                     Header Length                          Unsigned 8-bit integer
ip.id                          Identification                         Unsigned 16-bit integer
ip.len                         Total Length                           Unsigned 16-bit integer
ip.proto                       Protocol                               Unsigned 8-bit integer
ip.reassembled_in              Reassembled IP in frame                Frame number
ip.src                         Source                                 IPv4 address
ip.tos                         Type of Service                        Unsigned 8-bit integer
ip.tos.cost                    Cost                                   Boolean
ip.tos.delay                   Delay                                  Boolean
ip.tos.precedence              Precedence                             Unsigned 8-bit integer
ip.tos.reliability             Reliability                            Boolean
ip.tos.throughput              Throughput                             Boolean
ip.ttl                         Time to live                           Unsigned 8-bit integer
ip.version                     Version                                Unsigned 8-bit integer
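Every field in Table 2.1 is produced by a dissector that pulls the bits out of the header. The following Python IPv4 header dissector is an added example (not Ethereal's own dissector, which is written in C) showing where each of the non-reassembly fields in the table comes from, including ip.checksum_bad, which is set by recomputing the RFC 791 header checksum. The sample header is constructed with build_ip_header, a helper invented for this example; it is not captured traffic.

```python
import ipaddress
import struct

IP_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header in network byte order


def ip_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones'-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dissect_ip(data):
    """Decode an IPv4 header into a dict keyed by the display-filter names of Table 2.1."""
    if len(data) < 20:
        raise ValueError("Short frame: %d bytes is less than a minimal IPv4 header" % len(data))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack(IP_HDR, data[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or hdr_len > len(data):
        raise ValueError("Malformed packet: version %d, header length %d" % (version, hdr_len))
    header = data[:hdr_len]
    # Recompute the checksum with the checksum field zeroed; a mismatch is what
    # sets ip.checksum_bad in the protocol tree.
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    flags = flags_frag >> 13                 # the three flag bits: reserved, DF, MF
    fields = {
        "ip.version": version,
        "ip.hdr_len": hdr_len,
        "ip.tos": tos,
        "ip.tos.precedence": tos >> 5,
        "ip.tos.delay": bool(tos & 0x10),
        "ip.tos.throughput": bool(tos & 0x08),
        "ip.tos.reliability": bool(tos & 0x04),
        "ip.tos.cost": bool(tos & 0x02),
        "ip.dsfield": tos,                   # the same byte read as DiffServ
        "ip.dsfield.dscp": tos >> 2,
        "ip.dsfield.ect": (tos >> 1) & 1,
        "ip.dsfield.ce": tos & 1,
        "ip.len": total_len,
        "ip.id": ident,
        "ip.flags": flags,
        "ip.flags.df": bool(flags & 0x2),
        "ip.flags.mf": bool(flags & 0x1),
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,   # wire value is in 8-byte units
        "ip.ttl": ttl,
        "ip.proto": proto,
        "ip.checksum": cksum,
        "ip.checksum_bad": cksum != expected,
        "ip.src": str(ipaddress.IPv4Address(src)),
        "ip.dst": str(ipaddress.IPv4Address(dst)),
    }
    fields["ip.addr"] = (fields["ip.src"], fields["ip.dst"])   # ip.addr matches either end
    return fields


def build_ip_header(src, dst, proto=6, ttl=64, ident=0x1234, df=True, payload_len=0):
    """Constructed sample header with a correct checksum (test input, not captured traffic)."""
    flags_frag = (0x2 if df else 0) << 13
    raw = struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]


if __name__ == "__main__":
    for name, value in dissect_ip(build_ip_header("192.168.1.1", "10.0.0.5", payload_len=20)).items():
        print("%-20s %s" % (name, value))
```

Note the two failure modes the dissector reports before it trusts any field: a buffer shorter than 20 bytes ("Short frame" in Ethereal's list) and a header length or version that does not fit the data ("Malformed packet"). Checking both before indexing is what keeps a dissector from reading past the end of a hostile packet.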

Once you have implemented a display filter, all of the packets that meet this requirement are displayed in the packet listing in the summary pane. You can use the filters to compare fields within a protocol against a value, such as ip.src == 192.168.1.1, or to compare fields to fields, such as ip.src == ip.dst, or just to check the existence of specified fields or protocols. Filters are also used by statistical features and to colorize the packets.

Suppose you would like to create a simple filter to search for a certain protocol or field. For example, if you want to see all of the HTTP packets, simply type http. To see just HTTP request packets, such as GET, POST, and HEAD, type http.request. Filter fields can also be compared against values, such as http.request.method == "GET", to see just the HTTP GET requests. The comparison operators can be expressed using the following abbreviations or symbols:

Equal: eq, ==

Not equal: ne, !=

Greater than: gt, >

Less Than: lt, <

Greater than or Equal to: ge, >=

Less than or Equal to: le, <=
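To show how those operators combine with existence tests and field-to-field comparisons, here is a small display-filter evaluator written for this chapter summary in Python. It is not Ethereal's filter engine, and the packet dicts it runs over are constructed samples rather than a real capture. It accepts the word and symbol forms listed above, and goes slightly beyond the text by also handling and/or/not (&&, ||, !) and parentheses, which Ethereal's display filters support as well.

```python
import operator
import re
from ipaddress import IPv4Address as IP

OPS = {"eq": "==", "==": "==", "ne": "!=", "!=": "!=", "gt": ">", ">": ">",   # word and symbol forms
       "lt": "<", "<": "<", "ge": ">=", ">=": ">=", "le": "<=", "<=": "<="}
COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}
TOKEN = re.compile(r'\s*(?:("[^"]*")|(==|!=|>=|<=|>|<|&&|\|\||!|\(|\))|([^\s()!=<>&|"]+))')

def tokenize(expr):
    """Split a filter into ('str' | 'sym' | 'word', text) tokens; words are names or bare values."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad filter syntax near %r" % expr[pos:])
        pos = m.end()
        kind = "str" if m.group(1) is not None else "sym" if m.group(2) is not None else "word"
        tokens.append((kind, m.group(1)[1:-1] if kind == "str" else m.group(2) or m.group(3)))
    return tokens

def field_exists(pkt, name):
    # A bare name matches if that field, or any field beneath that protocol, is present
    return name in pkt or any(k.startswith(name + ".") for k in pkt)

def coerce(text, like):
    # Convert a literal from the filter into the type of the field it is compared with
    if isinstance(like, int):
        return int(text, 0)
    return IP(text) if isinstance(like, IP) else text

class DisplayFilter:
    # Recursive descent, lowest precedence first: or < and < not < comparison / existence
    BINARY = (("or", "||"), ("and", "&&"))

    def __init__(self, expr):
        self.tokens = tokenize(expr) + [("end", None)]   # sentinel so lookahead never runs off
        self.tree = self._expr()
        if self.tokens[0][0] != "end":
            raise ValueError("unexpected token %r" % self.tokens[0][1])

    def _expr(self, level=0):
        if level == len(self.BINARY):
            return self._unary()
        node = self._expr(level + 1)
        while self.tokens[0][1] in self.BINARY[level]:
            self.tokens.pop(0)
            node = (self.BINARY[level][0], node, self._expr(level + 1))
        return node

    def _unary(self):
        kind, text = self.tokens.pop(0)
        if (kind, text) in (("sym", "!"), ("word", "not")):
            return ("not", self._unary())
        if (kind, text) == ("sym", "("):
            node = self._expr()
            if self.tokens.pop(0) != ("sym", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if kind != "word":
            raise ValueError("expected a field name, got %r" % text)
        if self.tokens[0][1] not in OPS:
            return ("exists", text)                       # e.g. "http" or "http.request"
        op, value = OPS[self.tokens.pop(0)[1]], self.tokens.pop(0)
        if value[0] == "end":
            raise ValueError("missing value after %s" % op)
        return ("cmp", text, op, value)

    def matches(self, pkt, node=None):
        node = node or self.tree
        op = node[0]
        if op in ("or", "and"):
            left, right = (self.matches(pkt, n) for n in node[1:])
            return (left or right) if op == "or" else (left and right)
        if op == "not":
            return not self.matches(pkt, node[1])
        if op == "exists":
            return field_exists(pkt, node[1])
        _, name, cmp, (vkind, vtext) = node
        if name not in pkt:
            return False                                  # an absent field never compares true
        left = pkt[name]
        # A bare word naming a present field is a field-to-field test (ip.src == ip.dst)
        right = pkt[vtext] if vkind == "word" and vtext in pkt else coerce(vtext, left)
        return COMPARE[cmp](left, right)

def apply_filter(expr, packets):
    """Return the packet numbers (as the summary pane lists them) that match expr."""
    flt = DisplayFilter(expr)
    return [p["frame.number"] for p in packets if flt.matches(p)]

PACKETS = [   # constructed sample packets (not a real capture), already dissected into fields
    {"frame.number": 1, "ip.src": IP("192.168.1.1"), "ip.dst": IP("10.0.0.5"), "ip.ttl": 64,
     "tcp.srcport": 40001, "tcp.dstport": 80, "http.request.method": "GET", "http.request.uri": "/"},
    {"frame.number": 2, "ip.src": IP("192.168.1.2"), "ip.dst": IP("10.0.0.5"), "ip.ttl": 128,
     "tcp.srcport": 40002, "tcp.dstport": 80, "http.request.method": "POST", "http.request.uri": "/login"},
    {"frame.number": 3, "ip.src": IP("192.168.1.1"), "ip.dst": IP("10.0.0.9"), "ip.ttl": 64,
     "tcp.srcport": 40003, "tcp.dstport": 23, "telnet.data": "root\r\n"},
    {"frame.number": 4, "ip.src": IP("127.0.0.1"), "ip.dst": IP("127.0.0.1"), "ip.ttl": 1,
     "udp.srcport": 5353, "udp.dstport": 53, "dns.qry.name": "example.com"},
]
```

With these packets, apply_filter("http", PACKETS) returns [1, 2], apply_filter('http.request.method == "GET"', PACKETS) returns [1], and apply_filter("ip.src eq ip.dst", PACKETS) returns [4]. Two design points carry over to any filter engine: a comparison against a field the packet does not have is simply false rather than an error, and a literal is converted to the type of the field it is compared with, so "ip.ttl lt 64" compares integers while "ip.src == 192.168.1.1" compares addresses.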

Display and capture filters are explained in detail in Chapter 5; we just wanted to give you an overview of how powerful this Ethereal feature is. As you can see, filters offer a great deal of flexibility when troubleshooting network problems or trying to pinpoint issues. Anything that makes the administrator’s job easier is certainly welcome!

Note 

Ethereal supports many different types of media, such as Ethernet, Token Ring, Wireless, and asynchronous transfer mode (ATM). You may want to check the “Supported Capture Media” table at www.ethereal.com/media.html to ensure that you are using a compatible OS and media. You will notice that Linux supports just about all media types. You will also notice that Ethernet is supported on all operating systems.

start sidebar
Notes from the Underground…
The CVS System

The Concurrent Versions System (CVS) is a version control system that allows many developers to work on the same project simultaneously while keeping track of what changes have been made, who made them, and, most importantly, what versions exist, keeping each version separate. You will generally find many versions of a project in a CVS tree.

You will find that CVSs exist on many websites for almost every open-source project. For example, SourceForge (www.sourceforge.net) has CVS repositories for all of the projects it contains. To browse most CVS trees, you will need a CVS client application. However, SourceForge has a Web interface for browsing as well, which is a nice feature if you need to quickly get some information or code from a CVS tree. Here are a couple of GUI applications for CVS:

  • If you would like a CVS front-end app for Linux, VisualCVS (www.scentech.ch/products/visualcvs) is a client worth checking out.

  • If you would like a CVS application for Windows, WinCVS (www.wincvs.org) is a pretty good client.

The Ethereal CVS listing is maintained at www.ethereal.com/development.html. There are several ways to obtain the CVS source code for Ethereal:

  • Command line: You can use the CVS command line client (www.cvshome.org) to log in anonymously and download the development source.

  • Nightly snapshots: You can also download gzipped tarballs containing nightly snapshots of the development source tree.

  • CVS Web interface: You can download the source tree via the Ethereal web interface. Here you can view each file and the differences between versions of each file.

  • CVSGrab: You can use this Java CVS client, which works through the ViewCVS web interface, to download the latest versions of each file. This method tends to be slower than the others.

When using CVS versions of Ethereal or other open source products, remember that they are considered beta code and could have bugs. Also, these development versions are generally not yet supported.

end sidebar

Great Resources!

Some of the best resources for Ethereal information and support include the five e-mail distribution lists. You can subscribe by visiting www.ethereal.com/lists and filling out the appropriate form. One thing to note is that the form asks for a password, which is occasionally e-mailed to you in cleartext. You don’t want to pick the same password that you use for other valuable accounts, because anyone sniffing the network traffic can easily see the cleartext password when it is e-mailed! There are some great conversations on these lists, and a lot of good information is revealed about the source code, new developments, installation issues and more.

  • Ethereal-announce includes announcements of new releases, bug fixes, and general issues about Ethereal. Any general Ethereal user should subscribe to this list to remain current on important topics. This list tends to be low-volume, with just a few messages per month. To post a message, send an e-mail to ethereal-announce@ethereal.com.

  • Ethereal-users includes general information and help on using Ethereal. Any general Ethereal user should subscribe to this list to share ideas and suggestions. It contains moderate traffic, typically several messages per day. To post a message, send an e-mail to ethereal-users@ethereal.com.

  • Ethereal-dev includes developer related information about Ethereal. This list contains a lot of information about the inner workings of Ethereal and is intended for those who are interested in contributing to the development of Ethereal. Even if you aren’t the programmer type, this list has lots of great information. Be prepared, however, because this list receives a higher volume of traffic with many messages per day. To post a message, send an e-mail to ethereal-dev@ethereal.com.

  • Ethereal-doc includes documentation-related information about Ethereal. It is intended for those who wish to be involved in the documentation development process. This list tends to be low-volume with just a few messages per month. To post a message, send an e-mail to ethereal-doc@ethereal.com.

  • Ethereal-cvs includes developer-related information to monitor changes to the Ethereal source tree. It is useful for developers to know when changes are made, and what the changes are. The CVS repository sends e-mails to this list every time code is committed to the Ethereal CVS repository. It receives a higher volume of traffic with many messages per day. Users do not post directly to this list and replies to messages on this list should be sent to ethereal-dev@ethereal.com.

When subscribing to the mailing lists you can choose to have your e-mail batched in a daily digest. This is great for high volume lists, to cut down on the amount of traffic and messages. However, you won’t get the attachments that may be included with the e-mails. All of the messages from the mailing lists are also archived on the Ethereal website, as well as a few mirror sites. Messages are categorized by month as far back as 1998. When troubleshooting a problem, a great strategy is to perform a search to see if someone else may have the answer already.

Another great source of information is the Ethereal User’s Guide, by Richard Sharpe, located at www.ethereal.com/docs/user-guide. It is a bit outdated, being based on version 0.9.7, but it still contains some great information. It is also available in PDF format at www.ethereal.com/distribution/docs/user-guide.pdf; however, that document seems to be based on version 0.8.19. Beware: if you print out the entire document, it is 454 pages! The first 102 pages include a great deal of good information about installing and using Ethereal. The rest of the document is a list of the hundreds of supported protocols and their associated display filter fields.

As always, the Ethereal web page, www.ethereal.com, has a lot of good information as well. The links page www.ethereal.com/links.html, has some great reference websites. This includes information on protocols, RFCs, networking, port spanning, and other tools. The sample captures page, www.ethereal.com/sample, contains packet traces of various network traffic that can be downloaded and viewed with Ethereal for analysis. This is a great way to learn to use Ethereal and its features, as well as learning about various protocols.






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress