ETHEREAL

Ethereal is a graphical front end to packet-capture files created by several different packet sniffers, including tcpdump and WinDump. It also has built-in packet-sniffing capabilities based on the pcap library. By using Ethereal on previously created capture files, you can navigate through the details of the captured session and analyze higher-layer protocols such as SMB, SMTP, and even different types of SSH sessions.

Ethereal is freely available for Windows, Linux, Unix, and Mac OS X. It is downloadable from http://www.ethereal.com/. It requires that you have a pcap library already installed. It also requires that you have the GIMP Toolkit (GTK) libraries installed, because it uses GTK for its graphical user interface. Windows users are fortunate, as the GTK DLLs now come with the binary. Except for the tool installation options, the install on each platform is pretty standard, so we'll skip straight to the implementation.

Note 

Ethereal consists of several built-in tools that are installed by default in both Unix and Windows installations. You can choose to skip installation of some of these components, but doing so may disable certain capabilities of the Ethereal tool.

Implementation

The easiest way to run Ethereal is on a packet-capture file that has already been created using tcpdump -w capture.dump (or WinDump). In that case, we can open the dump file (choose File | Open). The Open Capture File dialog box, shown here, opens:

In this dialog box, you can choose a file to open as well as specify such options as name resolution and additional packet filters. Ethereal packet filters can be specified when reading in capture files or performing live captures. (Packet filters are covered more in a moment.)

Let's open the file capture.dump and see how Ethereal displays the data. Figure 16-1 shows the file display.


Figure 16-1: View network traffic with Ethereal.

As you can see, thanks to its graphical nature, Ethereal offers a much cleaner interface than tcpdump or WinDump. The top pane contains information similar to what the other two tools print, but here we can actually navigate through the data. In Figure 16-1, the fourth packet of the connection is selected. In the middle pane, we can view detailed information about each header of the packet, including the TCP, IP, and Ethernet headers. If the packet is part of an application-level protocol (such as HTTP), you can view specific application protocol information. In Figure 16-1, Ethereal translates and decodes some of the telnet options we've discussed in previous chapters. The third pane contains a hex and ASCII dump of the actual contents of the packet. By pointing and clicking, we can obtain any bit of information we want about any packet in the connection, including the data.

Packet Filters

Ethereal's GUI makes it easy to create packet filters either for live captures (via Capture | Capture Filters) or for packet-capture files (via the Filter button). Clicking this button brings up the Display Filter dialog box, where you can filter data from the currently displayed dump file.

You can name your filters and save them for later use, so you can load them again by simply pointing and clicking. Type in a name for your filter, then type in your filter string, and click the New button to add it to your list of filters. After you learn Ethereal's filter syntax, you will be able to type filter strings directly in this dialog box. Until you know Ethereal's filter syntax, however, you can click the +Expression button to create filters graphically in the Filter Expression dialog box shown in Figure 16-2.


Figure 16-2: Create a display filter.

Ethereal becomes much more powerful than tcpdump and WinDump with its ability to filter against almost any packet characteristic (including many application-level protocols such as FTP) and any value using drop-down lists. In the Filter Expression dialog box, we look for only TCP SYN packets (the beginnings of TCP connections). We can use the Boolean operators "and" and "or" to combine these filters.

Ethereal Filter Strings

If you need to use Ethereal filters to focus on particular packets in a dump, you'll have to learn a different syntax from the one you're used to with tcpdump or WinDump. While this can be annoying, Ethereal makes up for it by giving you many more filtering options from which to choose. The following table shows you some example Ethereal filter strings as well as their tcpdump counterparts.

Goal: Show us everything but SSL web traffic
    tcpdump command line:   tcpdump not port 443
    Ethereal filter string: tcp.port != 443

Goal: Show us all outgoing web traffic from 192.168.1.100
    tcpdump command line:   tcpdump src host 192.168.1.100 and dst port 80
    Ethereal filter string: ip.src == 192.168.1.100 and tcp.dstport == 80

Goal: Show us all UDP packets with a length (packet size) of 24 bytes (8 bytes for header, 16 for data)
    tcpdump command line:   tcpdump 'udp[4:2]=24'
    Ethereal filter string: udp.length == 24

Goal: Show us all outgoing TCP packets from 192.168.1.100 with the SYN flag set
    tcpdump command line:   tcpdump 'tcp[13] & 2 != 0 and src host 192.168.1.100'
    Ethereal filter string: tcp.flags.syn == 1 and ip.src == 192.168.1.100

From the last two examples in particular, you can see how tcpdump's syntax requires substantial knowledge of the TCP and UDP header layout to filter on characteristics of those headers: you address the flags byte or the length field by its byte offset. Ethereal hides these details behind symbolic names arranged in a hierarchy based on protocols. Notice how much cleaner Ethereal's tcp.flags.syn syntax is than tcpdump's bitwise arithmetic!
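To make the byte-offset versus field-name contrast concrete, here is an added Python example (written for this page, not code from the book or from Ethereal) that evaluates three of the table's filters both ways on constructed Ethernet/IPv4 frames: tcpdump_style works like tcpdump, as arithmetic on raw header bytes, and ethereal_style first dissects the bytes into named fields (ip.src, tcp.dstport, tcp.flags.syn, udp.length) and then compares the names, and the two agree on every sample. The frames, addresses and ports are constructed for the demo, and IP options are assumed absent, which is also what the tcpdump offsets assume.

```python
import struct
from ipaddress import IPv4Address
HOST = IPv4Address("192.168.1.100")          # the host used in the chapter's table

def build_frame(src, dst, proto, l4):
    """Constructed Ethernet II + IPv4 frame for the demo (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4

def tcp_segment(sport, dport, flags):
    # ports, seq, ack, data offset (5 words), flags byte, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcpdump_style(frame):
    """tcpdump semantics: the filter is arithmetic on raw header bytes (tcp[13], udp[4:2])."""
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                  # skip IHL*4 bytes of IP header
    src_host = ip[12:16] == HOST.packed           # 'src host 192.168.1.100'
    return [
        src_host and ip[9] in (6, 17) and l4[2:4] == b"\x00\x50",  # ... and dst port 80
        ip[9] == 17 and l4[4:6] == b"\x00\x18",                      # udp[4:2]=24
        ip[9] == 6 and (l4[13] & 2) != 0 and src_host,               # tcp[13] & 2 != 0 and src host
    ]

def ethereal_style(frame):
    """Ethereal semantics: a dissector names the same bytes, the filter compares the names."""
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]
    f = {"ip.src": str(IPv4Address(ip[12:16]))}
    if ip[9] == 6:                                # TCP dissector
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        f["tcp.flags.syn"] = (l4[13] & 0x02) >> 1
    elif ip[9] == 17:                             # UDP dissector
        f["udp.srcport"], f["udp.dstport"], f["udp.length"] = struct.unpack("!HHH", l4[:6])
    return [
        f["ip.src"] == str(HOST) and f.get("tcp.dstport") == 80,     # ip.src == ... and tcp.dstport == 80
        f.get("udp.length") == 24,                                    # udp.length == 24
        f.get("tcp.flags.syn") == 1 and f["ip.src"] == str(HOST),     # tcp.flags.syn == 1 and ip.src == ...
    ]
# Constructed sample packets: a SYN to a web server, its reply, and a 24-byte UDP datagram
SAMPLES = {
    "syn_to_web": build_frame("192.168.1.100", "10.0.0.5", 6, tcp_segment(40000, 80, 0x02)),
    "ack_from_web": build_frame("10.0.0.5", "192.168.1.100", 6, tcp_segment(80, 40000, 0x10)),
    "udp_24": build_frame("192.168.1.100", "10.0.0.53", 17, udp_datagram(5353, 53, b"A" * 16)),
}
```

The dissected form is also what protects you from the byte-offset trap: tcp[13] silently reads the wrong byte once IP or TCP options shift the header, whereas a dissector locates the flags field from the header lengths.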

Another advantage Ethereal has over tcpdump is the ability to include application-layer protocols in its filter string syntax. For example, FTP passwords are passed in clear text using the PASS command. If you wanted to see only FTP packets containing a USER or PASS request command, you could use this filter string:

 ftp.request.command == "PASS" or ftp.request.command == "USER" 

You'd end up with something like this:

Or, if you wanted to do something similar with basic web server authentication, you could use this filter string:

 http.authbasic 

This checks for HTTP packets containing authentication information. If you select a packet and expand the "Hypertext Transfer Protocol" and "Authorization" information, you can see the user's username and password.

Ethereal Tools

Ethereal offers many additional tools in the package. Choose Analyze | Follow TCP Stream to piece together a telnet session, as shown in Figure 16-3.


Figure 16-3: Following a TCP stream

In the Stream Content window, we can re-create parts of the actual TCP session. We can use ASCII or hex decoding, we can view the entire conversation or a specific side of the conversation, and we can save it all to a file or printer. (Although you can't see the color in Figure 16-3, the blue text in this session window comes from the server and the red text comes from the client.)

You can attempt to decode the packet by using one of the many available protocols. Normally there's no need to do this, as Ethereal detects the protocol and does the decoding automatically for most captures.

From the Statistics menu, you can also perform a TCP stream analysis on throughput, round-trip time, and TCP sequence numbers. Figure 16-4 shows an analysis using time and sequence numbers. This gives you an idea of how much data was sent at which points in the connection, because each segment's sequence number advances by the number of data bytes sent before it.
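As an added illustration of what Follow TCP Stream and the time/sequence graph compute (example code written for this page, not Ethereal's own), the Python below reassembles each direction of a constructed telnet-like exchange by sequence number, skipping a retransmitted segment and marking any hole the capture missed, and then lists each packet's relative sequence number over time, where a retransmission shows up as a drop back to an earlier value. The Segment type, the function names, and the addresses, ports and payloads are all constructed for the demo.

```python
from collections import namedtuple

# One captured TCP segment: capture time, endpoints, sequence number, payload bytes
Segment = namedtuple("Segment", "time src sport dst dport seq payload")

def follow_tcp_stream(segments):
    """Rebuild each direction of the conversation the way Follow TCP Stream does:
    group by (src, sport, dst, dport), order by sequence number, drop bytes already
    seen (retransmissions) and mark bytes the capture never saw (holes)."""
    by_direction = {}
    for s in segments:
        by_direction.setdefault((s.src, s.sport, s.dst, s.dport), []).append(s)
    streams = {}
    for key, segs in by_direction.items():
        segs.sort(key=lambda s: s.seq)
        data, expected = b"", segs[0].seq
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= expected:
                continue                          # pure retransmission: nothing new
            if s.seq > expected:
                data += b"[%d bytes missing]" % (s.seq - expected)   # hole in the capture
                expected = s.seq
            data += s.payload[expected - s.seq:]  # keep only the not-yet-seen tail
            expected = end
        streams[key] = data
    return streams

def time_sequence_points(segments, src, sport):
    """Points for a time/sequence graph of one direction: relative sequence number per
    packet in capture order, so a retransmission shows up as a drop to an earlier value."""
    mine = sorted((s for s in segments if (s.src, s.sport) == (src, sport)), key=lambda s: s.time)
    base = min(s.seq for s in mine)
    return [(s.time, s.seq - base) for s in mine]

# Constructed telnet-like exchange, captured out of order and with one retransmission
CAPTURE = [
    Segment(0.00, "192.168.1.100", 40000, "10.0.0.5", 23, 1000, b"user\r\n"),
    Segment(0.90, "10.0.0.5", 23, "192.168.1.100", 40000, 5007, b"Password: "),   # arrives before...
    Segment(0.10, "10.0.0.5", 23, "192.168.1.100", 40000, 5000, b"login: "),      # ...this one
    Segment(1.00, "192.168.1.100", 40000, "10.0.0.5", 23, 1006, b"pass\r\n"),
    Segment(1.50, "192.168.1.100", 40000, "10.0.0.5", 23, 1000, b"user\r\n"),     # retransmission
]
```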


Figure 16-4: Time/sequence number graph

In the throughput graph shown in Figure 16-5, we can observe how the data in this connection were distributed throughout the connection.


Figure 16-5: Throughput graph

Each graph shown in Figures 16-4 and 16-5 has multiple options including zoom and orientation.

We can also access a Summary dialog box, shown in Figure 16-6, that provides a breakdown of the connection, including the length of the connection in seconds, the number of packets, the filter used to capture the packets, and speed information. To open this dialog box, choose Statistics | Summary.


Figure 16-6: The Summary dialog box

The Protocol Hierarchy Statistics dialog box, shown here, tells you detailed packet and byte information for each type of packet involved in the connection. You access this dialog by choosing Statistics | Protocol Hierarchy Statistics.

More Preferences

You can change several default preferences in Ethereal, including protocol preferences, GUI layout, and name resolution. You can see a list of supported protocols by right-clicking certain packet characteristics. You can change the way the data is formatted and print it to hard copy. You can use the Mark and Prepare options (accessible via right-clicks on packets or from the Edit menu) to filter based on particular characteristics. Choose Mark if you want to create and execute a filter based on the match you select, or choose Prepare if you just want to see the filter statement that gets created and perhaps modify it yourself. For example, if you're browsing through a session and you see a particular protocol that interests you, left-click the packet in the top pane to bring up detailed information about it in the middle pane. Right-click that packet's protocol in the middle pane, choose Prepare, and then choose Selected to prepare a filter string for all packets of that protocol. Choose Not Selected if you want to see all packets except packets of that protocol. You can use the And and Or options to combine your prepared filter strings with other strings already in use. When you're ready to view the results from your filter string, click the Apply button at the bottom.

With Ethereal, you have a powerful tool for investigating every detail of a network communication. The power of Ethereal lies in its protocol dissectors. Ethereal can dissect most protocols, from esoteric X.25 to HTTP to FTP to SSH. For example, Figure 16-7 shows the details that Ethereal can display about an SSH session, even though it cannot decrypt the communication.


Figure 16-7: SSH session details

Ethereal also includes a command-line program identical to tcpdump. It also provides some utilities for managing binary capture files, such as merging and splitting multiple files.



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175