16.12 Monitoring Attacks with Ethereal

Ethereal is a well-designed and easy-to-use GUI-based program for sniffing an Ethernet interface for packets and making sense of them. It is the program of choice for this task. Ethereal maps IP addresses, MAC addresses, and high- and low-level protocol fields to symbolic names for easier interpretation. It allows an interpretive look at any part of a packet, but avoids showing you the overwhelming but normally uninteresting portions of a packet. It has a very powerful filtering capability that understands even such application-level protocols as DNS, SMTP, NFS, SMB (CIFS), and Quake. If you get spoiled by its easy interface and presentation format, fear not, because it will interpret the binary formats of many other sniffers that run on many platforms. Among the many nonnative dump formats it can read are those of Microsoft Network Monitor, Cisco Secure Intrusion Detection System, pppd, and many more, listed in the man page.

Ethereal will reassemble IP packets into the higher-level TCP stream, for example, and show you the ASCII or hex data that is being transferred. Unlike tcpdump, with its naive refusal to show the data in packets, Ethereal can be used for both good and evil. There are so many easily obtainable cracker tools for examining packet data that there is no reason not to provide such tools to SysAdmins. (Kindly, do not read other people's mail, though.)

16.12.1 Building Ethereal

Download Ethereal from

www.ethereal.com

The tarball will have a name like ethereal-0.9.5.tar.gz. Extract its contents and change to the newly created directory with the following commands:

 
 tar -xzof ethereal-0.9.5.tar.gz
 cd ethereal-0.9.5

Ethereal needs at least version 1.2 of GTK (development version) and version 1.2 of glib. These libraries come standard with the workstation versions of most distributions. To see if you lucked out, which is likely, issue the following two commands:

 
 gtk-config --version
 glib-config --version

If your system does not have them, they can be downloaded from:

www.gtk.org

Before configuring and building Ethereal for your platform, note that to capture packets with it (and who wouldn't want to) you will need the libpcap library that comes with tcpdump. It, too, comes with many distributions and can be downloaded from:

www.tcpdump.org

Ethereal has README* and INSTALL files that you can read for more information. Configure it for your platform and build it with:

 
 ./configure
 make

Use the su command to become root and issue the following commands to install:

 
 make install
 make install-man
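The following script is an added example, not code from the book or from the Ethereal project. It turns the "see if you lucked out" step into an actual check: it compares the versions reported by gtk-config and glib-config against the 1.2 minimum the text names, and only then runs the book's extract, configure and make steps. It assumes those two programs are in the PATH when installed and that the tarball is named as in the text (ethereal-0.9.5.tar.gz); installation is still done by hand as root, as described above.

```shell
#!/bin/sh
# Added example, not code from the book or the Ethereal project: verify the
# GTK+ and glib prerequisites (version 1.2 or later of each) before running
# the book's extract, configure and make steps.  Assumes gtk-config and
# glib-config are in PATH when present, and that the tarball is named as in
# the text, e.g. ethereal-0.9.5.tar.gz.

# version_ge ACTUAL MINIMUM
# Succeeds (status 0) when dotted version ACTUAL is at least MINIMUM.
# Fields are compared numerically, so 1.2.10 >= 1.2.9 and 1.10 >= 1.2; a
# missing field counts as 0 and a non-numeric suffix such as "-pre" is ignored.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        af=${af%%[!0-9]*}; bf=${bf%%[!0-9]*}   # drop "-pre" and the like
        [ -n "$af" ] || af=0
        [ -n "$bf" ] || bf=0
        [ "$af" -gt "$bf" ] && return 0
        [ "$af" -lt "$bf" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_tool NAME MINIMUM: run "NAME --version" and compare it with MINIMUM.
check_tool() {
    tool=$1; minimum=$2
    if ! have=$("$tool" --version 2>/dev/null); then
        echo "$tool not found; install the GTK+/glib development packages (www.gtk.org)" >&2
        return 1
    fi
    if ! version_ge "$have" "$minimum"; then
        echo "$tool reports $have, need $minimum or later" >&2
        return 1
    fi
    echo "$tool $have ok"
}

# build_ethereal TARBALL: the book's extract, configure and make sequence,
# run only when both prerequisite checks pass.  "make install" and
# "make install-man" are left for root, as the text says.
build_ethereal() {
    tarball=$1
    dir=${tarball%.tar.gz}
    check_tool gtk-config 1.2 && check_tool glib-config 1.2 || return 1
    tar -xzof "$tarball" && cd "$dir" && ./configure && make
}

# Usage: sh build-ethereal.sh ethereal-0.9.5.tar.gz
if [ $# -eq 1 ]; then
    build_ethereal "$1"
fi
```

Running it with no arguments simply defines the functions, so version_ge can be reused for any other dotted version number you need to check.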

16.12.2 Using Ethereal

The following will do a basic "sniff everything from eth0 and show the results in real time":

 
 ethereal -k -l -S -i eth0 &

The -k flag starts packet capture immediately, -l turns on automatic scrolling of the packet list during a live capture, and -S updates the display as soon as each packet is received. The -i flag specifies the interface, of course. It defaults to the first nonloopback interface, which probably will be eth0. Ethereal will show the text data in the first captured packet and it will show source and destination addresses of all packets. Be sure to respect your users' privacy and privacy laws. Experimenting on your home system or on an isolated test network is recommended.

Note that the time, in seconds, since capture began (with resolution down to the microsecond range), source and destination, protocol, and details of each packet are shown in the top pane of the main window. The middle pane shows the different logical components of each packet. IP addresses, MAC addresses, and the components of DNS, NFS, SMTP, Quake, and other high-level protocols are interpreted. Clicking on any one of these components will expand it into its constituent components. These too may be expanded. At each level the data is interpreted.

For example, if you click on a DNS reply, you will see what host names and IP addresses match a given query. The bottom pane of the main window shows a dump in ASCII and hex of the packet being examined. Ethereal will decompress TCP sessions and dumps automatically. Its filter syntax is based on tcpdump(8) and may be used during capture, display, or both. Keep in mind that if your monitoring system is on a switch, you will not see traffic unless it is going to or from your system or it is broadcast (see "Hacking Switches" on page 147 for more details).
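The script below is an added example, not code from the book or from the Ethereal project. It puts the two points above to work for monitoring attacks: a tcpdump(8)-style capture filter limits the capture to bare SYN segments and a short snapshot length keeps payload (and therefore your users' mail) out of the dump, and a small awk pass over the one-line summaries reports any source that probed many ports on one host. It uses tethereal, the command-line companion that ships in the same tarball, and assumes its -i, -s, -f, -w and -r flags as in the 0.9-era man page and the summary line layout shown in the constructed SAMPLE_LINES (frame number, time, source, "->", destination, protocol, source port, ">", destination port, flags).

```shell
#!/bin/sh
# Added example, not code from the book or the Ethereal project: detect SYN
# sweeps from tethereal summary lines.  Assumes tethereal's -i/-s/-f/-w/-r
# flags (0.9-era man page) and the summary line layout of SAMPLE_LINES below,
# which is a constructed sample, not real captured traffic.

# capture_syns IFACE OUTFILE
# Capture only bare SYN segments (SYN set, ACK clear: "tcp[13] & 0x12 == 0x02"
# in tcpdump(8) filter syntax) and only the first 96 bytes of each, so the
# dump holds headers and never application data.  Stop it with Ctrl-C.
capture_syns() {
    tethereal -i "$1" -s 96 -f 'tcp[13] & 0x12 == 0x02' -w "$2"
}

# summarize_dump FILE: print tethereal's one-line summary of each packet.
summarize_dump() {
    tethereal -r "$1"
}

# find_syn_sweeps THRESHOLD
# Read summary lines on stdin and print "SRC -> DST N" for every source that
# sent bare SYNs to at least THRESHOLD distinct ports on one destination.
find_syn_sweeps() {
    awk -v threshold="$1" '
        $6 == "TCP" && $10 == "[SYN]" {
            pair = $3 " -> " $5            # source and destination host
            port = pair SUBSEP $9          # one entry per distinct target port
            if (!(port in seen)) { seen[port] = 1; ports[pair]++ }
        }
        END {
            for (pair in ports)
                if (ports[pair] >= threshold) print pair, ports[pair]
        }' | sort
}

# Constructed sample: 10.0.0.9 probes five ports on 10.0.0.2 with bare SYNs,
# while 10.0.0.5 completes an ordinary handshake to port 80 and sends a query.
SAMPLE_LINES='  1   0.000000 10.0.0.9 -> 10.0.0.2 TCP 40001 > 21 [SYN] Seq=0 Ack=0 Win=1024 Len=0
  2   0.000120 10.0.0.9 -> 10.0.0.2 TCP 40002 > 22 [SYN] Seq=0 Ack=0 Win=1024 Len=0
  3   0.000241 10.0.0.9 -> 10.0.0.2 TCP 40003 > 23 [SYN] Seq=0 Ack=0 Win=1024 Len=0
  4   0.000360 10.0.0.9 -> 10.0.0.2 TCP 40004 > 25 [SYN] Seq=0 Ack=0 Win=1024 Len=0
  5   0.000482 10.0.0.9 -> 10.0.0.2 TCP 40005 > 80 [SYN] Seq=0 Ack=0 Win=1024 Len=0
  6   0.100000 10.0.0.5 -> 10.0.0.2 TCP 33001 > 80 [SYN] Seq=0 Ack=0 Win=5840 Len=0
  7   0.100200 10.0.0.2 -> 10.0.0.5 TCP 80 > 33001 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
  8   0.100300 10.0.0.5 -> 10.0.0.2 TCP 33001 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0
  9   0.200000 10.0.0.5 -> 10.0.0.2 DNS Standard query A www.example.com'

# check_sample THRESHOLD: run the detector over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LINES" | find_syn_sweeps "$1"
}

# Usage: sh syn-sweeps.sh eth0 /var/tmp/syn.cap   (capture, then report)
# With no arguments the detector is run over the constructed sample instead.
if [ $# -eq 2 ]; then
    capture_syns "$1" "$2"
    summarize_dump "$2" | find_syn_sweeps 5
else
    check_sample 5
fi
```

Remember the switch caveat: on a switched segment this only sees probes aimed at, or coming from, the monitoring host itself, so run it on a hub, a monitor port, or the host being watched. The threshold of 5 distinct ports is a starting point; a legitimate client rarely opens bare SYNs to that many different ports on one server within a single capture.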

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
