Exploring the Main Window




It is important for us to define a common set of labels for the different components of the Main Window so that we can speak clearly about them. Figure 4.1 shows the Main Window of Ethereal with its major components labeled.

Figure 4.1: Main Window

The Main Window components are described in Table 4.1:

Table 4.1: Main Window Components

Window Component | Description
Menu Bar | A typical application menu bar containing drop-down menu items.
Tool Bar | A toolbar containing buttons for some commonly used functions of Ethereal. The Tool Bar icons have tool tips that are displayed when you pause the mouse pointer over them.
Summary Window | A window providing a one-line summary for each packet in the capture.
Protocol Tree Window | A window providing a detailed decode of the packet selected in the Summary Window.
Data View Window | A window providing a view of the raw data in the packet selected in the Summary Window.
Filter Bar | A tool for applying filters to the Summary Window to restrict which packets in the capture are displayed, based upon their attributes.
Information Field | A small display area to provide information about the capture or field selected in the Protocol Tree Window.

Summary Window

The Summary Window displays a summary of each packet in the capture, one per line. One or more columns of summary data for each packet will be displayed. Typical columns are shown in Table 4.2.

Table 4.2: Summary Window Columns

Column Name | Description
No. | Frame number within the capture.
Time | The time from the beginning of the capture to the time when the packet was captured (in seconds).
Source | Highest level source address. This will frequently be the IP (Internet Protocol) source address, but may also be the Media Access Control (MAC) address for layer 2 (L2) Ethernet protocols (see the Ethereal Name Resolution sidebar for a discussion of MAC addresses), or other address types for other protocols (IPX, AppleTalk, etc.).
Destination | Highest level destination address. This will frequently be the IP destination address, but may also be the MAC address for L2 Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, etc.).
Protocol | Typically the highest level protocol decoded. Examples include user level protocols such as HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
Info | This field contains information that was determined by the highest level decode to be useful or informative as part of a summary for this packet.

You can use the Preferences feature to select which columns are displayed in the Summary Window (select Edit | Preferences from the Menu Bar).

The summary information for the packet selected in the Summary Window in Figure 4.1 is shown in Table 4.3.

Table 4.3: Summary Window Column Example

Column Name | Value
No. | 8
Time | 8.004042 seconds since the capture started
Source | IP number 192.168.0.15
Destination | IP number 192.168.0.33
Protocol | BGP (Border Gateway Protocol)
Info | OPEN Message

We can immediately see that this is a packet carrying a message for opening a Border Gateway Protocol session between 192.168.0.15 and 192.168.0.33. More information on Border Gateway Protocol is available in RFC (Request for Comment) 1771 at www.ietf.org/rfc/rfc1771.txt?number=1771. RFCs are the documents that describe the protocols in use on the Internet. Many RFCs define protocol standards (although not all RFCs do).

You can select packets in the Summary Window by clicking on the row summarizing a given packet. The information for the selected packet will then be displayed in the Protocol Tree Window and the Data View Window. Once you have selected a packet in the Summary Window you can use the Protocol Tree Window to drill down into it in greater detail.

Protocol Tree Window

We can conceptualize a packet as a tree of fields and subtrees. For each protocol there is a tree node summarizing the protocol, which can be expanded to provide the values in that protocol’s fields. Within some protocols there may be tree nodes summarizing more complicated data structures in the protocol. These tree nodes can be expanded to show those data structures. For any given node that has a subtree, we can expand its subtree to reveal more information, or collapse it to show only the summary. The Protocol Tree Window allows you to examine the tree created by Ethereal from decoding a packet.

We’ll take a moment now to drill down through the Protocol Tree Window into the packet we selected in the previous example (Figure 4.2).

Figure 4.2: Protocol Tree Window Collapsed

In the Protocol Tree Window, you can see that for each layer in the protocol stack for this packet we have a one-line summary of that layer (see Table 4.4).

Table 4.4: Protocol Layer Example

Layer | Protocol | Description
Packet Meta Data | Frame | 83 bytes on wire, 83 bytes captured
Datalink (Layer 2 / L2) | Ethernet II | Src Addr: 00:c0:4f:23:c5:95, Dst Addr: 00:00:0c:35:0e:1c
Network (Layer 3 / L3) | Internet Protocol (IP) | Src Addr: 192.168.0.15, Dst Addr: 192.168.0.33
Transport (Layer 4 / L4) | Transmission Control Protocol (TCP) | Src Port: 2124, Dst Port: bgp(179), Seq: 2593706850, Ack...
Application Layer (Layer 7 / L7) | Border Gateway Protocol (BGP) |

Each of these layers has a little boxed plus (+) sign next to it, indicating that it has a subtree that can be expanded to provide more information about that particular protocol.

In Figure 4.3, we have expanded the Border Gateway Protocol tree to reveal that it contains one OPEN Message, and further expanded that OPEN Message to reveal the fields contained within it.

Figure 4.3: Protocol Tree Window Expanded

By selecting the Type field in the Protocol Tree Window, we’ve caused the Information Field in the lower right corner to display the message "BGP message type (bgp.type), 1 byte". This gives the long name of this field (BGP message type), the display filter field name used to identify this field for filtering and colorization (bgp.type), and the size of this field in the packet (1 byte).

Data View Window

The Data View Window contains a series of rows, as shown in Figure 4.4. Each row begins with a four-digit hexadecimal number giving the offset, in bytes, of the first octet in that row from the beginning of the packet (an octet is eight bits, one byte, or two hexadecimal, also known as hex, digits). This offset is followed by sixteen two-character hexadecimal bytes. The last item in each row is a series of sixteen ASCII (American Standard Code for Information Interchange, a common character encoding) characters representing the same 16 bytes from the packet. Not all bytes are conveniently displayable in ASCII; for those bytes a period (.) is substituted as a placeholder.

Figure 4.4: Data View Window

When a field in the Protocol Tree Window is selected, the bytes corresponding to that field are highlighted in the Data View Window. In our example we have selected the BGP message type field in the Protocol Tree Window. In the Data View Window we find that byte highlighted in the row with offset 0040 representing 0x40 hex or 64 bytes into the packet. The ninth byte in the row is highlighted, and has a value of 01 hex. In the ASCII representation we have a period (.) because the value 0x01 is not conveniently represented in ASCII.

When you click on a hex byte or ASCII character in the Data View Window, Ethereal will highlight the field in the Protocol Tree Window corresponding to the selected byte, and all bytes in the Data View Window associated with that Protocol field.

In Figure 4.5 we’ve clicked on the 7d at the beginning of row 0030. It just so happens that the 48th byte (0030 or hex 0x30) is the first byte of the two-byte Transmission Control Protocol (TCP) Window Size field. As a result, the TCP tree was automatically expanded and the Window size field was highlighted. Additionally the second byte, with value 78 hex, in the 0030 row, was also selected, since TCP Window Size is a two-byte field.

Figure 4.5: Data View Window Byte Selection

This feature of Ethereal makes it very easy to use the Protocol Tree Window and the Data View Window together to obtain a solid grasp of the relationships between the fields in a protocol and the actual bits on the wire.

Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress