Frequently Asked Questions

Previous page
Table of content
Next page

  < Day Day Up > 


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. 

Why is Ethereal so slow displaying data during capture? It seems to lock up.

your version of ethereal may have been compiled without the adns (asynchronous dns) library. if so, ethereal is stopping to do a dns lookup for the source and destination ip address in each packet it decodes. it can take a long time for dns queries to time out if they fail, and during this time ethereal may lock up while waiting for those failures. to solve this problem, get a version of ethereal with adns compiled in. to work around this problem unselect enable network name resolution in the capture options dialog box when starting a capture or in the file dialog box when opening a capture file.

2. 

Why is it when I select some fields in the Protocol Tree Window I don’t see the field name in the Information field? How can I filter on the field if I can’t find out its name?

ethereal has been developed over many years by a team of volunteer programmers. many different people have written the dissectors, which decode the protocols in ethereal, at many different times. not all dissector authors associated a filterable field with each field they display in the protocol tree. you will not be able to filter on such fields. if such filtering is important to you for a particular protocol, you are encouraged to alter the source code for that dissector to include the capacity and submit it to the ethereal team for inclusion.

3. 

Why do I sometimes see an IP address or a TCP/UDP port number or a MAC address twice, once in parenthesis and once not?

when name resolution is turned off for an address type, or when no name is found for a given address, ethereal will insert the actual address into the place where the name would have gone. as a result, a place where you would have seen the name with the address in parentheses (or vice versa) will just show two copies of the address. don t worry about it j

4. 

I need more complicated capture filtering than tcpdump-style capture filters provide; can I use Ethereal’s display filters to restrict what I capture?

the short answer is no. ethereal will not allow you to use display filters to filter on capture. however, there is a sort of workaround to achieve this. while ethereal will not allow you to use display filters on capture, tethereal will. to capture from an interface -interface- to a file -savefile- filtering with a display filter string -filter string- you would execute at the command line: tethereal i -interface- -w -savefile- -r -filter string- tethereal will capture from -interface- and only save to -savefile- those packets that match -filter string-. in many cases display filter strings will not be nearly as fast as the tcpdump-style capture filters, but if only display filters will do, this hack will let you use them.

5. 

Does Ethereal really capture all the traffic arriving at an interface when capturing in promiscuous mode?

that depends. ethereal gets whatever is captured by libpcap. sometimes due to high load on the system you are capturing from, or just due to trying to capture from too high bandwidth an interface, packets may be lost for a number of reasons, including being dropped by the kernel. keep this in mind as you work.

6. 

Why am I seeing packets that aren’t addressed to or being sent by my local interface even though I’ve turned off capturing in promiscuous mode?

there may be other applications running, like snort, on the system you are capturing from that have put the interface into promiscuous mode. whether ethereal puts the interface in promiscuous mode, or some other application does, if the interface is in promiscuous mode you will see all traffic that arrives at it, not just the traffic addressed to or sent from the interface.

Answers

1. 

Your version of Ethereal may have been compiled without the ADNS (Asynchronous DNS) library. If so, Ethereal is stopping to do a DNS lookup for the source and destination IP address in each packet it decodes. It can take a long time for DNS queries to time out if they fail, and during this time Ethereal may lock up while waiting for those failures. To solve this problem, get a version of Ethereal with ADNS compiled in. To work around this problem unselect Enable Network Name Resolution in the Capture Options dialog box when starting a capture or in the File dialog box when opening a capture file.

2. 

Ethereal has been developed over many years by a team of volunteer programmers. Many different people have written the dissectors, which decode the protocols in Ethereal, at many different times. Not all dissector authors associated a filterable field with each field they display in the Protocol Tree. You will not be able to filter on such fields. If such filtering is important to you for a particular protocol, you are encouraged to alter the source code for that dissector to include the capacity and submit it to the Ethereal team for inclusion.

3. 

When name resolution is turned off for an address type, or when no name is found for a given address, Ethereal will insert the actual address into the place where the name would have gone. As a result, a place where you would have seen the name with the address in parentheses (or vice versa) will just show two copies of the address. Don’t worry about it J

4. 

The short answer is no. Ethereal will not allow you to use display filters to filter on capture. However, there is a sort of workaround to achieve this. While Ethereal will not allow you to use display filters on capture, Tethereal will. To capture from an interface <interface> to a file <savefile> filtering with a display filter string <filter string> you would execute at the command line: 

   tethereal –i <interface> -w <savefile> -R <filter string>

Tethereal will capture from <interface> and only save to <savefile> those packets that match <filter string>. In many cases display filter strings will not be nearly as fast as the tcpdump-style capture filters, but if only display filters will do, this hack will let you use them.

5. 

That depends. Ethereal gets whatever is captured by libpcap. Sometimes due to high load on the system you are capturing from, or just due to trying to capture from too high bandwidth an interface, packets may be lost for a number of reasons, including being dropped by the kernel. Keep this in mind as you work.

6. 

There may be other applications running, like Snort, on the system you are capturing from that have put the interface into promiscuous mode. Whether Ethereal puts the interface in promiscuous mode, or some other application does, if the interface is in promiscuous mode you will see all traffic that arrives at it, not just the traffic addressed to or sent from the interface.


 < Day Day Up > 


Previous page
Table of content
Next page
Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
EAN: 2147483647
Year: 2004
Pages: 105
Authors: Syngress
BUY ON AMAZON
A Practitioners Guide to Software Test Design
Introduction to 80x86 Assembly Language and Computer Architecture
Special Edition Using Crystal Reports 10
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
Programming .Net Windows Applications
Understanding Digital Signal Processing (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy