Ethereal Packet Sniffing




Angela Orebaugh
with
Greg Morris
Ed Warnicke
Gilbert Ramirez, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. The Ethereal logo is a registered trademark of Ethereal, Inc.


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Ethereal Packet Sniffing

Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America


ISBN: 1-932266-82-8

Acquisitions Editor: Christine Kloiber
Technical Editor: Gilbert Ramirez
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Amy Thomson
Indexer: Julie Kawabata

Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Many thanks to Gerald Combs and the rest of the Ethereal development team for creating and maintaining a tool as dynamic and innovative as Ethereal, and for all of their support for this book.

Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, and to all the others who work with us.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

To all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.

Author

Angela Orebaugh (CISSP, GCIA, GCFW, GCIH, GSEC, CCNA) has worked in information technology for 10 years. She is currently an Associate at Booz Allen Hamilton in the Washington, DC metro area. Her focus is on perimeter defense, secure architecture design, vulnerability assessments, penetration testing, and intrusion detection. Angela is an expert in many commercial and Open Source intrusion detection and analysis tools including Ethereal, Snort, Nessus, and Nmap. She is a graduate of James Madison University with a master’s in computer science, and she is currently pursuing her PhD with a concentration in information security at George Mason University. Her GCFW practical received honors recognition and was used as a case study in the book Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Network Intrusion Detection by Stephen Northcutt (ISBN: 0735712328). Angela is a researcher, writer, and speaker for the SANS Institute, where she has helped to develop and revise SANS course material and also serves as the Senior Mentor Coach for the SANS Local Mentor Program.

Contributors

Greg Morris (5-CNA, 5-CNE, 3-MCNE, Linux+, LPIC-1) is a Senior Resolution Engineer for Novell Technical Services in Provo, UT. Originally from Oklahoma, Greg has spent over 25 years in the computer industry. Although Greg has a degree in management, his passion is to be creative. This is what the software development process provides. His vast experience includes hardware and software troubleshooting on mainframe, midrange, and PC computers. Greg’s early roots in software development were in database technologies, dabbling in C and assembly, but mostly working with a language called Clipper by Nantucket. Greg’s work on Ethereal began in November of 2000. Since that time he has made a significant number of contributions to the Ethereal project. This would include new dissectors (NCP, NDS, NDPS) as well as new features (Extended Find capabilities). Greg has made a number of modifications to many other dissectors and is currently developing Novell Modular Authentication Services (NMAS), Novell SecretStore Services (SSS), Novell International Cryptographic Infrastructure (NICI), and a host of other Novell-specific decodes. Greg has actively developed customer and internal training programs for a number of different Novell products. One of his most unique programs was developed to teach internal users the skills necessary to analyze packet traces. Greg started working with packet traces many years ago with Novell’s LANalyzer product. From there Greg migrated to Network Associates’ Sniffer product. But, since working with Ethereal to add complete Novell NCP/NDS packet support, Greg would use nothing else. He currently develops on Windows 2000 with Microsoft’s Visual C++, but has plans to move to SuSE Linux and the GNU compiler for future Ethereal development.

Ed Warnicke (CCIE #9466) has worked for almost four years at Cisco Systems doing network testing. Prior to joining Cisco he worked as the acting Senior Systems Administrator for the physics department at Rutgers University. Ed holds a master’s degree in physics from Rutgers University and bachelor’s degrees in physics and mathematics from Purdue University, where he holds the record for the largest number of credit hours successfully completed in a single semester: 34. Prior to attending college, Ed dropped out of high school in a fit of boredom. Ed has contributed code to the Ethereal project and he also performed the last revision of the Ethereal User’s Guide.

Technical Editor and Contributor

Gilbert Ramirez was the first contributor to Ethereal after it was announced to the public and is known for his regular updates to the product. He has contributed protocol dissectors as well as core logic to Ethereal. He is a systems engineer at a large company with network-related products, where he works on tools and software build systems. Gilbert is a family man, a want-to-be chef, and a student of tae kwon do. His degree is in linguistics, but his first love is programming computers, which he has been doing since childhood.

Series Editor

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and a core participant in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through the DC-based firm Intelguardians, LLC. Jay wrote the Center for Internet Security’s Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He maintains the Center’s Linux Security benchmark document and, as a core participant in the non-profit Center’s Unix team, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Aside from his CIS work, Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for SecurityPortal.com and SecurityFocus.com. He authored the Host Lockdown chapter in Unix Unleashed, served as the security author for Red Hat Internet Server, and co-authored Snort 2.0 Intrusion Detection (Syngress Publishing, ISBN: 1-931836-74-4). In addition, he is the editor of the “Jay Beale Open Source Security Series” from Syngress. Jay is currently finishing a Linux lockdown book focused on Bastille entitled, ‘Locking Down Linux.’ Formerly, he served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution. He now works to further the goal of improving operating system security. To read Jay’s past articles and learn about his past and future conference talks, take a look at his site at www.bastille-linux.org/jay.

Technical Reviewer

Robert J. Shimonski (TruSecure TICSA, Cisco CCDP, CCNP, Symantec SPS, NAI Sniffer SCP, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, CNS, IWA CWP, DCSE, Prosoft MCIW, SANS.org GSEC, GCIH, CompTIA Server+, Network+, Inet+, A+, e-Biz+, Security+, HTI+) is a Network Manager for a leading manufacturing company, Danaher Corporation. At Danaher, Robert is responsible for leading the IT department within his division into implementing new technologies, standardization, upgrades, migrations, high-end project planning and designing infrastructure architecture. Robert is also part of the corporate security team responsible for setting guidelines and policy for the entire corporation worldwide. In his role as a Lead Network Engineer, he has designed, migrated, and implemented very large-scale Cisco- and Nortel-based networks. In addition, Robert maintains a role as a part time technical trainer at a local computer school, teaching classes on networking and systems administration whenever possible.

Robert is also a part-time author who has worked on over 25 book projects as both an author and technical editor. He has written and edited books on a plethora of topics with a strong emphasis on network security. Robert has designed and worked on several projects dealing with cutting edge technologies for Syngress Publishing, including the only book dedicated to the Sniffer Pro protocol analyzer, Sniffer Pro Network Optimization & Troubleshooting Handbook (Syngress, ISBN: 1-931836-57-4).

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

  • One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.

  • “Ask the Author” customer query forms that enable you to post questions to our authors and editors.

  • Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.

  • Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions


