Supporting Programs




Most people who are familiar with Ethereal tend to use the Ethereal GUI. However, an Ethereal installation also includes several other very handy supporting programs: the command line version of Ethereal, called tethereal, and three other programs for manipulating capture files. We won't go into too much detail here because these programs are covered in Chapter 6. However, we do want to give you an overview of these programs and why they are used.

Tethereal

Tethereal is the command line version of Ethereal. It can capture live packets from the wire or read saved capture files. By default, tethereal prints one summary line per packet to the screen; this is the same information shown in the top pane of the Ethereal GUI. The following shows the default tethereal output:

1.199008 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.199246 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.202244 192.168.100.122 -> 192.168.100.132 TCP telnet > 1320 [SYN, ACK] Seq=3275138168 Ack=1102938968 Win=49640 Len=0
1.202268 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0
1.202349 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0

The -V option (capital V; lowercase -v only prints the version and exits) causes tethereal to print the protocol tree view, like the middle pane in the Ethereal GUI. This shows every protocol layer in the packet and ends with the data portion. The following shows the more detailed protocol tree output:

Frame 5 (74 bytes on wire, 74 bytes captured)
    Arrival Time: Nov  2, 2003 15:22:33.469934000
    Time delta from previous packet: 0.000216000 seconds
    Time relative to first packet: 1.349439000 seconds
    Frame Number: 5
    Packet Length: 74 bytes
    Capture Length: 74 bytes
Ethernet II, Src: 00:05:5d:ee:7e:53, Dst: 08:00:20:cf:5b:39
    Destination: 08:00:20:cf:5b:39 (SunMicro_cf:5b:39)
    Source: 00:05:5d:ee:7e:53 (D-Link_ee:7e:53)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.100.132 (192.168.100.132), Dst Addr: 192.168.100.122 (192.168.100.122)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x160c (5644)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0xda65 (correct)
    Source: 192.168.100.132 (192.168.100.132)
    Destination: 192.168.100.122 (192.168.100.122)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x3c5c (correct)
    Identifier: 0x0500
    Sequence number: 0c:00
    Data (32 bytes)

0000  61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
0010  71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69   qrstuvwabcdefghi

Finally, the -x option causes tethereal to print a hexadecimal and ASCII dump of the packet data after either the summary line or the protocol tree. The following shows the hexadecimal and ASCII output with the summary line:

  9.463261 192.168.100.122 -> 192.168.100.132 TELNET Telnet Data ...

0000  00 05 5d ee 7e 53 08 00 20 cf 5b 39 08 00 45 00   ..].~S.. .[9..E.
0010  00 9a c3 8a 40 00 3c 06 30 84 c0 a8 64 7a c0 a8   ....@.<.0...dz..
0020  64 84 00 17 05 29 cd 5d 7d 12 4c 1d ea 76 50 18   d....).]}.L..vP.
0030  c1 e8 47 ca 00 00 4c 61 73 74 20 6c 6f 67 69 6e   ..G...Last login
0040  3a 20 53 75 6e 20 4e 6f 76 20 20 32 20 31 35 3a   : Sun Nov  2 15:
0050  34 34 3a 34 35 20 66 72 6f 6d 20 31 39 32 2e 31   44:45 from 192.1
0060  36 38 2e 31 30 30 2e 31 33 32 0d 0a 53 75 6e 20   68.100.132..Sun
0070  4d 69 63 72 6f 73 79 73 74 65 6d 73 20 49 6e 63   Microsystems Inc
0080  2e 20 20 20 53 75 6e 4f 53 20 35 2e 39 20 20 20   .   SunOS 5.9
0090  20 20 20 20 47 65 6e 65 72 69 63 20 4d 61 79 20       Generic May
00a0  32 30 30 32 0d 0a 23 20                           2002..#

Note what the ASCII column of that -x output reveals: because telnet is not encrypted, the server's login banner, and anything typed during the session, can be read straight out of the capture. When tethereal writes captured packets to a file (the -w option), it uses the libpcap format by default. Tethereal can read the same capture file formats from other products that Ethereal can. It can also use display filters (also called read filters) and capture filters just like Ethereal, and it decodes the same protocols. Basically, it has almost all of the power of Ethereal, except what is inherent to the GUI, in an easy to use command line version. Chapter 3 (Installation) will further elaborate on the -x and -V options.

Editcap

Editcap is used to remove packets from a capture file and to translate between capture file formats. It is similar to the GUI's Save As feature, but more flexible. Editcap can read all of the file types that Ethereal can, and by default writes libpcap format. It can also write standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, NAI Sniffer, Microsoft Network Monitor, Visual Networks traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9. You can translate all of the packets or just a selection. Note that the packet numbers given on the command line are, by default, the packets to delete; the -r option reverses this so that only the listed packets are kept. The following example uses editcap to translate the first five packets from a tethereal libpcap capture file called capture into a Sun snoop output file called capture_snoop:

C:\Program Files\Ethereal>editcap -r -v -F snoop capture capture_snoop 1-5
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Add_Selected: 1-5
Inclusive ... 1, 5
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5

Mergecap

Mergecap is used to combine multiple saved capture files into a single output file. Mergecap can read all of the file types that Ethereal can, and by default writes libpcap format. It can also write the output capture file in standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, NAI Sniffer, Microsoft Network Monitor, Visual Networks traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9. By default, the packets from the input files are merged in chronological order based on each packet's timestamp. If the -a option is specified, the input files are concatenated instead: packets are copied from each input file in turn, regardless of timestamp. The following example uses mergecap to merge four capture files (capture1, capture2, capture3, and capture4) into a single Sun snoop output file called merge_snoop; mergecap keeps reading packets until the end of the last input file is reached:

C:\Program Files\Ethereal>mergecap -v -F snoop -w merge_snoop capture1 capture2 capture3 capture4
mergecap: capture1 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture2 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture3 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture4 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: opened 4 of 4 input files
mergecap: selected frame_type Ethernet (ether)
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed
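The two operations described for editcap and mergecap above, as an added example that is not the book's or the Ethereal project's code: a minimal reader and writer for the libpcap format both tools default to, editcap-style packet selection (delete the listed packets, or keep them when the equivalent of -r is given), and mergecap's timestamp-ordered merge beside the concatenation behaviour of -a. The two capture files are constructed in memory from placeholder frames; the function names pcap_file, read_pcap, editcap and mergecap are this example's own, not the tools' interfaces.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def pcap_file(records):
    """Serialize (ts_sec, ts_usec, frame) tuples into a libpcap byte string."""
    header = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b''.join(struct.pack('<IIII', sec, usec, len(f), len(f)) + f
                    for sec, usec, f in records)
    return header + body

def read_pcap(data):
    """Parse a libpcap byte string into (ts_sec, ts_usec, frame) tuples, refusing truncated files."""
    if len(data) < 24 or struct.unpack_from('<I', data)[0] != PCAP_MAGIC:
        raise ValueError('not a little-endian libpcap file')
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError('truncated record header at offset %d' % off)
        sec, usec, incl, _orig = struct.unpack_from('<IIII', data, off)
        off += 16
        if off + incl > len(data):
            raise ValueError('truncated frame at offset %d' % off)
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records

def parse_ranges(selectors):
    """Expand editcap-style selectors such as ['1-5', '7'] into a set of 1-based frame numbers."""
    frames = set()
    for sel in selectors:
        lo, _, hi = sel.partition('-')
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo < 1 or hi < lo:
            raise ValueError('bad packet range %r' % sel)
        frames.update(range(lo, hi + 1))
    return frames

def editcap(records, selectors, keep=False):
    """editcap deletes the listed frames by default; keep=True mirrors its -r option."""
    chosen = parse_ranges(selectors)
    return [rec for num, rec in enumerate(records, 1) if (num in chosen) == keep]

def mergecap(capture_files, concatenate=False):
    """Default mergecap interleaves all inputs by timestamp; concatenate=True mirrors -a."""
    records = [rec for data in capture_files for rec in read_pcap(data)]
    if concatenate:
        return records
    # sorted() is stable, so frames with equal timestamps keep their input order
    return sorted(records, key=lambda rec: (rec[0], rec[1]))

def frame(tag):
    """Constructed 60-byte placeholder Ethernet II frame whose 15th byte is a tag."""
    return (bytes.fromhex('080020cf5b39' '00055dee7e53' '0800')   # dst, src, type IP
            + bytes([tag]) + b'\x00' * 45)

def tags(records):
    """Pull the tag byte back out of each frame so the ordering is easy to read."""
    return [rec[2][14] for rec in records]

# Two constructed captures whose timestamps interleave (1.0, 1.2, 1.4 and 1.1, 1.3 seconds).
CAPTURE1 = pcap_file([(1, 0, frame(1)), (1, 200000, frame(3)), (1, 400000, frame(5))])
CAPTURE2 = pcap_file([(1, 100000, frame(2)), (1, 300000, frame(4))])

if __name__ == '__main__':
    merged = mergecap([CAPTURE1, CAPTURE2])
    print('mergecap (by timestamp):  ', tags(merged))
    print('mergecap -a (concatenate):', tags(mergecap([CAPTURE1, CAPTURE2], concatenate=True)))
    print('editcap -r 1-2 (keep):    ', tags(editcap(merged, ['1-2'], keep=True)))
    print('editcap 1-2 (delete):     ', tags(editcap(merged, ['1-2'])))
```

The merge sorts all records globally, which gives the same result as mergecap's interleaving when each input is already in timestamp order. read_pcap refuses a capture whose last record is cut short rather than silently returning a partial frame, which is the check you want before trusting a file that was copied off a sniffer mid-write.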

Text2pcap

Text2pcap reads ASCII hexadecimal dumps and writes the packets into a libpcap file. It can read a hex dump containing multiple packets and build a capture file holding all of them. Text2pcap can also read hex dumps of application level data only, inserting dummy Ethernet, IP, and UDP or TCP headers so that Ethereal and other sniffers can decode the data; the user specifies which of these headers to add. The following is an example of the type of hexadecimal dump that text2pcap recognizes:

0000  00 05 5d ee 7e 53 08 00 20 cf 5b 39 08 00 45 00   ..].~S.. .[9..E.
0010  00 9a 13 9e 40 00 3c 06 e0 70 c0 a8 64 7a c0 a8   ....@.<..p..dz..
0020  64 84 00 17 05 49 0e a9 91 43 8e d8 e3 6a 50 18   d....I...C...jP.
0030  c1 e8 ba 7b 00 00 4c 61 73 74 20 6c 6f 67 69 6e   ...{..Last login
0040  3a 20 53 75 6e 20 4e 6f 76 20 20 32 20 31 37 3a   : Sun Nov  2 17:
0050  30 36 3a 35 33 20 66 72 6f 6d 20 31 39 32 2e 31   06:53 from 192.1
0060  36 38 2e 31 30 30 2e 31 33 32 0d 0a 53 75 6e 20   68.100.132..Sun
0070  4d 69 63 72 6f 73 79 73 74 65 6d 73 20 49 6e 63   Microsystems Inc
0080  2e 20 20 20 53 75 6e 4f 53 20 35 2e 39 20 20 20   .   SunOS 5.9
0090  20 20 20 20 47 65 6e 65 72 69 63 20 4d 61 79 20       Generic May
00a0  32 30 30 32 0d 0a 23 20                           2002..#

The following example uses text2pcap to read the hexadecimal dump shown above, saved as hex_sample.txt, and write it to the file libpcap_output:

C:\Program Files\Ethereal>text2pcap hex_sample.txt libpcap_output
Input from: hex_sample.txt
Output to: libpcap_output
Wrote packet of 168 bytes at 0
Read 1 potential packets, wrote 1 packets
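The dump format that tethereal -x emits and text2pcap consumes, worked through as an added example that is not the book's or the Ethereal project's code: the Python below parses offset-prefixed hex dump lines into frames (the 168-byte dump above is embedded verbatim as the sample input), verifies the IPv4 header checksum the way Ethereal does when it prints "(correct)", wraps the frames in a libpcap file as text2pcap would, and extracts the TCP payload so the cleartext telnet banner is visible. The names parse_hexdump, ip_checksum, decode_frame and to_pcap are this example's own, and the libpcap timestamps it writes are constructed, not taken from the dump.

```python
import re
import struct

# The hex dump shown above, embedded here as the sample input (one 168-byte telnet frame).
HEX_SAMPLE = """\
0000  00 05 5d ee 7e 53 08 00 20 cf 5b 39 08 00 45 00   ..].~S.. .[9..E.
0010  00 9a 13 9e 40 00 3c 06 e0 70 c0 a8 64 7a c0 a8   ....@.<..p..dz..
0020  64 84 00 17 05 49 0e a9 91 43 8e d8 e3 6a 50 18   d....I...C...jP.
0030  c1 e8 ba 7b 00 00 4c 61 73 74 20 6c 6f 67 69 6e   ...{..Last login
0040  3a 20 53 75 6e 20 4e 6f 76 20 20 32 20 31 37 3a   : Sun Nov  2 17:
0050  30 36 3a 35 33 20 66 72 6f 6d 20 31 39 32 2e 31   06:53 from 192.1
0060  36 38 2e 31 30 30 2e 31 33 32 0d 0a 53 75 6e 20   68.100.132..Sun
0070  4d 69 63 72 6f 73 79 73 74 65 6d 73 20 49 6e 63   Microsystems Inc
0080  2e 20 20 20 53 75 6e 4f 53 20 35 2e 39 20 20 20   .   SunOS 5.9
0090  20 20 20 20 47 65 6e 65 72 69 63 20 4d 61 79 20       Generic May
00a0  32 30 30 32 0d 0a 23 20                           2002..#
"""

def parse_hexdump(text):
    """Parse dump lines of the form '<hex offset>  <hex bytes>   <ascii>' into frames.
    An offset of 0 starts a new packet; any other offset must continue the current one."""
    packets, current = [], bytearray()
    for raw in text.splitlines():
        fields = re.split(r'\s{2,}', raw.strip())      # offset | hex bytes | optional ascii column
        if len(fields) < 2 or not re.fullmatch(r'[0-9A-Fa-f]+', fields[0]):
            continue                                     # not a dump line; text2pcap skips these too
        offset = int(fields[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        elif offset != len(current):
            raise ValueError('offset %#x does not follow the %d bytes read so far' % (offset, len(current)))
        current += bytes.fromhex(fields[1])              # fromhex ignores the spaces between bytes
    if current:
        packets.append(bytes(current))
    return packets

def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header; 0 means the embedded checksum is correct."""
    if len(header) % 2:
        header += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Describe the Ethernet II / IPv4 / TCP layers of one frame, like tethereal's summary line."""
    if len(frame) < 34:
        raise ValueError('frame too short for Ethernet + IPv4')
    ethertype = struct.unpack_from('!H', frame, 12)[0]
    if ethertype != 0x0800:
        raise ValueError('not IPv4: ethertype %#06x' % ethertype)
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _chk = struct.unpack_from('!BBHHHBBH', frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    info = dict(src='.'.join(map(str, frame[26:30])), dst='.'.join(map(str, frame[30:34])),
                ttl=ttl, proto=proto, total_len=total_len,
                ip_checksum_ok=(ip_checksum(frame[14:14 + ihl]) == 0))
    if proto == 6:                                       # TCP
        t = 14 + ihl
        sport, dport, seq, ack, off_flags = struct.unpack_from('!HHIIH', frame, t)
        doff = (off_flags >> 12) * 4                     # TCP header length in bytes
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF,
                    payload=frame[t + doff:14 + total_len])
    return info

def to_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap file (little-endian, link type 1) the way
    text2pcap does by default; timestamps here are constructed as n seconds per frame."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack('<IIII', n, 0, len(f), len(f)) + f
    return out

if __name__ == '__main__':
    frames = parse_hexdump(HEX_SAMPLE)
    for f in frames:
        info = decode_frame(f)
        print('%s:%d -> %s:%d  IP checksum %s' % (info['src'], info['sport'], info['dst'],
              info['dport'], 'correct' if info['ip_checksum_ok'] else 'BAD'))
        print('cleartext payload:', info['payload'].decode('ascii', 'replace'))
    print('Read %d potential packets, libpcap output is %d bytes' % (len(frames), len(to_pcap(frames))))
```

Splitting each line on runs of two or more spaces is what keeps the ASCII column from being mistaken for hex bytes; a parser that simply grabs every pair of hex digits on the line will swallow ASCII such as "dz" or "45" and produce a frame that is longer than the one on the wire. The checksum check matters for the same reason: a hand-edited or mis-transcribed dump that text2pcap accepts will still decode in Ethereal, but the header will show as incorrect.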






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Authors: Syngress
