Tethereal




Tethereal is the command line version of Ethereal. It can be used to capture, decode, and print live packets from the wire to the screen, or to read saved capture files. Tethereal and Ethereal share most of their features because they use the same capture library, libpcap, and most of the same code. Tethereal can read all of the packet capture formats that Ethereal reads, and will automatically determine the file type. If Tethereal is compiled with the zlib library, it can automatically uncompress and read files that have been compressed with gzip. The main advantage of using Tethereal is that it is highly scriptable.

The following is the usage output of the Tethereal program. Note also the various file formats in which Tethereal can save captures by using the -F option:

[root@localhost ethereal-0.10.0a]# tethereal -h
This is GNU tethereal 0.10.0a
Compiled with GLib 2.2.1, with libpcap 0.7.2, with libz 1.1.4, with libpcre 4.5,
with Net-SNMP 5.0.9, with ADNS.
Running with libpcap (version unknown) on Linux 2.4.20-6
tethereal [ -vh ] [ -DlLnpqSVx ] [ -a <capture autostop condition> ] ...
        [ -b <number of ring buffer files>[:<duration>] ] [ -c <count> ]
        [ -d <layer_type>==<selector>,<decode_as_protocol> ] ...
        [ -f <capture filter> ] [ -F <output file type> ] [ -i <interface> ]
        [ -N <resolving> ] [ -o <preference setting> ] ... [ -r <infile> ]
        [ -R <read filter> ] [ -s <snaplen> ] [ -t <time stamp format> ]
        [ -T pdml|ps|text ] [ -w <savefile> ] [ -y <link type> ]
        [ -z <statistics string> ]
Valid file type arguments to the "-F" flag:
        libpcap - libpcap (tcpdump, Ethereal, etc.)
        rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
        suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
        modlibpcap - modified libpcap (tcpdump)
        nokialibpcap - Nokia libpcap (tcpdump)
        lanalyzer - Novell LANalyzer
        ngsniffer - Network Associates Sniffer (DOS-based)
        snoop - Sun snoop
        netmon1 - Microsoft Network Monitor 1.x
        netmon2 - Microsoft Network Monitor 2.x
        ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
        ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
        visual - Visual Networks traffic capture
        5views - Accellent 5Views capture
        niobserverv9 - Network Instruments Observer version 9
        default is libpcap

The following command line options are used to control Tethereal’s data capture and output:

  • –a test:value This option is used when capturing to a file. It specifies to Tethereal when to stop writing to the file. The criterion is in the form of test:value, where test is either duration or filesize. duration stops writing to a file when the specified number of seconds has elapsed, and filesize stops writing to a file after value kilobytes have been written.

  • –b number of ring buffer files [:duration] This option is used with the –a option, and causes Tethereal to continue capturing data to successive files. This is known as ring buffer mode and it will keep saving files up to the number specified within the option. When the first file reaches the maximum size, as specified with the –a option, Tethereal will begin writing to the next file. When all files are full, it will continue to write new files as it removes the older ones. However, if the number of files is specified as 0, the number of files that Tethereal writes to will be unlimited, and will only be restricted to the size of the partition. An optional duration parameter can also be specified so that Tethereal will switch to the next file when the instructed number of seconds has elapsed. This will happen even if the current file is not yet full. The file names that are created are based on the number of the file and the creation date and time. You can only save files in the libpcap format when this option is used.

  • –c count This option sets the default number of packets to read when capturing data. For example, if you only want to capture 100 packets you would specify –c 100.

  • –d layer type==selector,decode-as protocol This option allows you to specify the way in which traffic is decoded. The parameters denote that if the layer type has the specified value, packets should be decoded as the specified protocol. For example, –d tcp.port==8080,http would decode all traffic to and from Transmission Control Protocol (TCP) port 8080 as HyperText Transfer Protocol (HTTP) traffic. This is valuable for applications that run services on non-standard ports.

  • –D This option instructs Tethereal to print a list of available interfaces on the system. It will print the interface number, name, and description and then return to the command prompt. You can then supply the number or the name to the –i flag to specify an interface on which to capture data. Specifying this option causes Tethereal to actually open and attempt to capture on each interface that it finds. It will only display the interfaces on which this was successful. Also, if you need to be logged in as root to run Tethereal but are not, this option will not display any available interfaces.

  • –f capture filter expression This option allows you to set the filter expression to use when capturing data. For example, tethereal -f "tcp port 80" will only capture incoming and outgoing HTTP packets. The expression uses the TCPDump capture filter syntax and should be quoted so that the shell passes it to Tethereal as a single argument.

  • –F type This option is used to set the format of the output of the capture file. For example, if you want to save a file in the Sun snoop format so that snoop can read the capture file, you would use the –F snoop option.

  • –h This option prints the version of Tethereal in use and the help options, then exits.

  • –i interface This option specifies the interface that you want to use to capture data. The –D option can be used to find out the names of your network interfaces. You can use the number or the name as a parameter to the –i option. If you run Tethereal without the –i option it will search the list of interfaces and choose the first non-loopback interface that it finds. If it doesn’t find any non-loopback interfaces, it will use the first loopback interface. If this doesn’t exist either, Tethereal will exit with an error.

  • –l This option flushes the standard output after each packet is printed instead of waiting until the output buffer fills up. It is normally used when piping a capture to a script so that the output for each packet is sent as soon as it is read and dissected.

  • –L This option lists the data link types that are supported by an interface and then exits. You can specify an interface to use, or Tethereal will choose the first one it finds as described under the –i option.

  • –n This option disables network object name resolution, such as host names and port names.

  • –N resolving flags This option enables name resolution for specified address types and port numbers. The m flag enables MAC address resolution, the n flag enables network address resolution, and the t flag enables transport-layer port number resolution. The C flag enables concurrent (asynchronous) Domain Name System (DNS) lookups if Tethereal is compiled with Asynchronous DNS (ADNS). The –N option overrides the –n option.

  • –o prefname:value This option allows you to set a preference value that will override any default value or value read from a preference file. The parameter to this option is in the format prefname:value, where prefname is the name of the preference as it would appear in the preference file and value is the value to which it should be set.

  • –p This option tells Tethereal not to put the interface in promiscuous mode. This causes Tethereal to read only traffic sent to and from the system on which Tethereal is running, broadcast traffic, and multicast traffic.

  • –q This option allows you to turn off the running packet count when capturing network packets to a file. The count will still be displayed at the end of the capture. On some systems, such as various BSD systems, that support the SIGINFO signal, typing control-T will cause the current count status to be displayed.

  • –r file This option reads and processes a saved capture file.

  • –R filter This option causes a read filter to be applied before displaying the packets or writing them to a file. Packets that do not match the filter will be discarded.

  • –s snaplen This option allows you to set the default snapshot length to use when capturing data. The parameter snaplen specifies the length, in bytes, of each network packet that will be read or saved to disk.

  • –t format This option allows you to set the format of the packet timestamp that is displayed on the summary line. The format parameter specifies the method used to display the time. Relative time is specified by the r parameter and displays the time elapsed between the first packet and the current packet. Absolute time is specified by the a parameter and is the actual time the packet was captured. The absolute date and time is specified by the ad parameter and is the actual time and date the packet was captured. The delta time is specified by the d parameter and displays the time since the previous packet was captured. By default, the time is displayed as relative.

  • –T pdml|ps|text This option allows you to set the display format to use when viewing packet data. When using the Packet Details Markup Language (PDML) option, the protocol data tree is always displayed.

  • –v This option prints the Tethereal version information and then exits.

  • –V This option displays the capture in protocol tree form instead of the default summary packet form.

  • –w file This option writes the packets to the file name specified following the option. If the option specified is - then standard output is used.

  • –x This option displays the capture in a hexadecimal and ASCII dump format along with the summary or protocol tree view.

  • –y type This option allows you to set the data link type to use while capturing packets. You can use the –L option to list the data link types that are supported by an interface.

  • –z statistics This option will enable Tethereal to collect various types of statistics about the data that is being captured. The results will be displayed after reading the capture file.

By default, Tethereal displays packets to the screen in summary line form. These are the same lines that are displayed in the Ethereal summary pane. However, it does not print the frame number field when capturing and displaying in real time. The –V option can be used to print detailed information about the packets instead of just a summary. Tethereal can also read saved capture files and print the information in either summary (default) or detailed (–V) form; in this case the frame numbers are displayed with the saved packets. Finally, the –x option causes Tethereal to print a hexadecimal and ASCII dump of the packet data along with either the summary line or the detailed protocol tree. Tethereal has a very strong display filter language (used by the –R option) and also accepts the TCPDump capture filter syntax (used by the –f option). These can be used to narrow down the type of traffic that you want to capture or display.

When using Tethereal to write a capture to a file, the file will be written in libpcap format by default. It will write all of the packets and all of the detail about the packets to the output file, thus the –V and the –x options aren’t necessary. Since Tethereal and Ethereal are compatible with many other sniffers, you can also write the output in several different formats. The –F option can be used to specify a format in which to write the file.

The following is a basic example of using Tethereal to perform a capture and display the output in a protocol tree view along with the associated hexadecimal and ASCII output:

C:\Program Files\Ethereal>tethereal -V -x
Capturing on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F}
Frame 1 (114 bytes on wire, 114 bytes captured)
    Arrival Time: Nov 28, 2003 22:14:16.221349000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 114 bytes
    Capture Length: 114 bytes
IEEE 802.3 Ethernet
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:05:5d:ee:7e:53 (D-Link_ee:7e:53)
    Length: 100
Logical-Link Control
    DSAP: NetWare (0xe0)
    IG Bit: Individual
    SSAP: NetWare (0xe0)
    CR Bit: Command
    Control field: U, func = UI (0x03)
        000. 00.. = Unnumbered Information
        .... ..11 = Unnumbered frame
Internetwork Packet eXchange
    Checksum: 0xffff
    Length: 96 bytes
    Transport Control: 0 hops
    Packet Type: PEP (0x04)
    Destination Network: 0x00000000 (00000000)
    Destination Node: ff:ff:ff:ff:ff:ff (Broadcast)
    Destination Socket: SAP (0x0452)
    Source Network: 0x00000000 (00000000)
    Source Node: 00:05:5d:ee:7e:53 (D-Link_ee:7e:53)
    Source Socket: Unknown (0x4008)
Service Advertisement Protocol
    General Response
    Server Name: TARGET1!!!!!!!!A5569B20ABE511CE9CA400004C762832
        Server Type: Microsoft Internet Information Server (0x064E)
        Network: 00 00 00 00
        Node: 00:05:5d:ee:7e:53
        Socket: Unknown (0x4000)
        Intermediate Networks: 1

0000  ff ff ff ff ff ff 00 05 5d ee 7e 53 00 64 e0 e0   ........].~S.d..
0010  03 ff ff 00 60 00 04 00 00 00 00 ff ff ff ff ff   ....`...........
0020  ff 04 52 00 00 00 00 00 05 5d ee 7e 53 40 08 00   ..R......].~S@..
0030  02 06 4e 54 41 52 47 45 54 31 21 21 21 21 21 21   ..NTARGET1!!!!!!
0040  21 21 41 35 35 36 39 42 32 30 41 42 45 35 31 31   !!A5569B20ABE511
0050  43 45 39 43 41 34 30 30 30 30 34 43 37 36 32 38   CE9CA400004C7628
0060  33 32 00 00 00 00 00 00 05 5d ee 7e 53 40 00 00   32.......].~S@..
0070  01 01

The following is an example of using Tethereal to capture traffic on interface 4 and output the data to a file called output. The output files will have a maximum file size of 5 kilobytes each and when they are full a new output file will be created. This will continue up to a maximum of 10 output files. The following example is the command used to perform this capture:

C:\Program Files\Ethereal>tethereal -i4 -a filesize:5 -b 10 -w output

The output files generated are appended with the file number, date, and timestamp. The following 10 output files start at number 43 because Tethereal has begun dropping the oldest file as it creates each new one, so that at most 10 files exist at any time:

output_00043_20031128212900
output_00044_20031128212900
output_00045_20031128212900
output_00046_20031128212900
output_00047_20031128212901
output_00048_20031128212903
output_00049_20031128212958
output_00050_20031128213045
output_00051_20031128213211
output_00052_20031128213316

The following is an example of using a Tethereal capture filter to capture all traffic except packets to and from HTTP port 80:

C:\Program Files\Ethereal>tethereal -f "tcp port !80"
Capturing on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F}
  0.000000 D-Link_ed:3b:c6 -> Broadcast    ARP Who has 192.168.100.40?  Tell 192.168.100.5
  0.000026 D-Link_ee:7e:53 -> D-Link_ed:3b:c6 ARP 192.168.100.40 is at 00:05:5d:ee:7e:53
  0.000066 D-Link_ee:7e:53 -> D-Link_ed:3b:c6 ARP 192.168.100.40 is at 00:05:5d:ee:7e:53
 10.089720 00000000.00055dee7e53 -> 00000000.ffffffffffff IPX SAP General Response
 10.089763 00000000.00055dee7e53 -> 00000000.ffffffffffff IPX SAP General Response

The following is an example of using a Tethereal read filter to output the Telnet data packets from a file called capture:

C:\Program Files\Ethereal>tethereal -r capture -R "telnet"
  7  10.071157 192.168.100.122 -> 192.168.100.132 TELNET Telnet Data ...
  8  10.071464 192.168.100.132 -> 192.168.100.122 TELNET Telnet Data ...
  9  10.071515 192.168.100.132 -> 192.168.100.122 TELNET Telnet Data ...
 11  10.076114 192.168.100.132 -> 192.168.100.122 TELNET Telnet Data ...
 12  10.076155 192.168.100.132 -> 192.168.100.122 TELNET Telnet Data ...
 14  10.089546 192.168.100.122 -> 192.168.100.132 TELNET Telnet Data ...
 15  10.089672 192.168.100.132 -> 192.168.100.122 TELNET Telnet Data ...

The following is an example of using Tethereal to read a libpcap capture file called capture2 and output it to a file called netmon_output in the Microsoft Network Monitor 2.x format; editcap can also be used to perform this function:

C:\Program Files\Ethereal>tethereal -r capture2 -w netmon_output -F netmon2

The following is an example of using the Tethereal statistics function to display a report of all bytes and frames for each protocol detected during the capture. The statistics are displayed after you end the capture by typing Ctrl + C:

C:\Program Files\Ethereal>tethereal -z io,phs
<cntrl-c>
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:560 bytes:115233
  eth                                    frames:560 bytes:115233
    ip                                   frames:558 bytes:115005
      udp                                frames:53 bytes:10383
        dns                              frames:21 bytes:3215
        data                             frames:8 bytes:496
        isakmp                           frames:24 bytes:6672
      tcp                                frames:505 bytes:104622
        http                             frames:107 bytes:81798
    llc                                  frames:2 bytes:228
      ipx                                frames:2 bytes:228
        ipxsap                           frames:2 bytes:228
===================================================================

The following is an example of using the Tethereal statistics function to display a report of all TCP conversations that take place during the capture. The statistics are displayed after you end the capture by typing Ctrl + C:

C:\Program Files\Ethereal>tethereal -z conv,tcp
<cntrl-c>
============================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.100.40:2077 <-> 64.12.26.97:http      18      1934      36      3684      54      5618
192.168.100.40:2078 <-> 205.188.1.95:http      4       216       8       480      12       696
============================================================================

Tethereal Statistics

The following is the Tethereal man (short for manual) page information on the statistics options, with some additional examples and supplementary notes:

COMMAND -z dcerpc,rtt,uuid,major.minor[filter]

DESCRIPTION Collect call and reply Response Time Test (RTT) data for the Distributed Computing Environment Remote Procedure Call (DCE RPC) interface uuid, version major.minor. The data collected is the number of calls for each procedure, MinRTT, MaxRTT and AvgRTT. If the optional filter string is provided, the statistics will only be calculated on those calls that match that filter. Currently supported DCE RPC programs are: ATSVC, BOSSVR, BUTC, CDS_CLERK, CONV, DEC_DFS, DFS, DNSSERVER, DRSUAPI, DTSPROVIDER, DTSSTIME_REQ, EPM, FLDB, FTSERVER, INITSHUTDOWN, KRB5RPC, LSA, LSA_DS, MAPI, MGMT, Messenger, NSPI, OXID, REMACT, REP_PROC, RPC_Browser, RPC_NETLOGON, RS_ACCT, RS_ATTR_RS_BIND, RS_PGO, RS_REPADM, RS_REPLIST, RS_UNIX, SAMR, SECIDMAP, SPOOLSS, SRVSVC, SVCCTL, TAPI, TKN4lnt, UBIKDISK, UBIKVOTE, WINREG, WKSSVC, cds_solicit, cprpc_server, dce_update, roverride, rpriv, re_misc, rsec_login.

EXAMPLE 1 -z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0 will collect data for the Microsoft Security Account Manager (SAMR) interface.

EXAMPLE 2 -z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0ip.addr==192.168.100.40 will collect SAMR RTT statistics for the host 192.168.100.40. Notice that there is no comma between the major.minor and the filter. The Tethereal man page example shows a comma between these parameters; however, this causes Tethereal to report an error and exit.

NOTES This option can be used multiple times on the command line.

COMMAND -z io,phs[,filter]

DESCRIPTION Creates protocol hierarchy statistics listing both number of frames and bytes. If no filter is specified the statistics will be calculated for all frames. If a filter is specified, statistics will be only calculated for those packets that match the filter.

EXAMPLE 1 -z io,phs will generate statistics for all traffic.

EXAMPLE 2 -z io,phs,ip.addr==192.168.100.40 will generate statistics for all traffic to and from the host 192.168.100.40.

NOTES This option can be used multiple times on the command line.

COMMAND -z io,stat,interval[,filter][,filter][,filter]...

DESCRIPTION Collects frame and byte statistics for the capture in intervals of interval seconds. Intervals can be specified either as whole or fractional seconds, down to millisecond (ms) resolution. If no filter is specified the statistics will be calculated for all frames. If one or more filters are specified, statistics will be calculated for each filter and presented with one column of statistics per filter.

io,stat can also calculate COUNT(), SUM(), MIN(), MAX() and AVG() using a slightly different filter syntax: [COUNT|SUM|MIN|MAX|AVG](<field>)<filter>. One important thing to note here is that the field that the calculation is based on must also be part of the filter string, or else the calculation will fail. Also, be aware that a field can exist multiple times inside the same packet and will then be counted multiple times for that packet. COUNT(<field>) can be used on any field that has a display filter name; it counts how many times this particular field is encountered in the filtered packet list. SUM(<field>) can only be used on named fields of integer type; it sums every occurrence of the field’s value within each interval. MIN/MAX/AVG(<field>) can only be used on named fields that are either integers or relative time fields; they calculate the minimum, maximum or average seen in each interval. If the field is a relative time field the output is presented in seconds with three digits after the decimal point. The resolution for time calculations is 1 ms; anything smaller is truncated.

EXAMPLE 1 -z io,stat,1,ip.addr==192.168.100.40 will generate 1 second statistics for all traffic to and from host 192.168.100.40.

EXAMPLE 2 -z io,stat,0.001,"http&&ip.addr==192.168.100.40" will generate 1ms statistics for all HTTP frames to and from host 192.168.100.40.

EXAMPLE 3 -z io,stat,0.010,AVG(smb.time)smb.time will calculate the average time for Server Message Block (SMB) frames during each 10ms interval.

EXAMPLE 4 -z io,stat,0.010,COUNT(http.request)http.request will count the total number of HTTP requests seen in each 10ms interval.

EXAMPLE 5 -z io,stat,0.010,SUM(frame.pkt_len)frame.pkt_len will report the total number of bytes seen in all the frames within a 10ms interval.

EXAMPLE 6 -z io,stat,0.010,"smb.time&&ip.addr==192.168.100.40",MIN(smb.time)"smb.time&&ip.addr==192.168.100.40",MAX(smb.time)"smb.time&&ip.addr==192.168.100.40",AVG(smb.time)"smb.time&&ip.addr==192.168.100.40" will calculate statistics for all SMB response times seen to and from host 192.168.100.40 in 10ms intervals. The output will be displayed in 4 columns: number of frames/bytes, minimum response time, maximum response time, and average response time.

NOTES This option can be used multiple times on the command line.
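As an added example (not code from the book or from Ethereal), the following Python model reproduces the -z io,stat interval calculations described above over constructed packet records: the [COUNT|SUM|MIN|MAX|AVG](<field>)<filter> syntax, 1 ms truncation of timestamps, a field that occurs twice in one frame being counted twice, and the failure when the field is missing from the filter string. The tiny filter evaluator (bare field, field==value, &&) and the treatment of smb.time as the only relative time field are assumptions of this example.

```python
"""Model of the -z io,stat interval calculations (added example)."""
import re

CALC_RE = re.compile(r"^(COUNT|SUM|MIN|MAX|AVG)\(([\w.]+)\)(.*)$")
# Relative time fields are reported in seconds with three decimals
# (assumption: only smb.time is treated as one in this model).
TIME_FIELDS = {"smb.time"}

# Constructed records: (frame.time_relative in seconds, {field: [every value
# of that field found in the frame]}). Frame 3 carries two smb.time values.
H40 = "192.168.100.40"
PACKETS = [
    (0.0041, {"frame.pkt_len": [320], "ip.addr": [H40, "192.168.100.1"], "http.request": [1]}),
    (0.0123, {"frame.pkt_len": [140], "ip.addr": [H40, "192.168.100.50"], "smb.time": [0.0021]}),
    (0.0158, {"frame.pkt_len": [180], "ip.addr": [H40, "192.168.100.50"], "smb.time": [0.0030, 0.0010]}),
    (0.0249, {"frame.pkt_len": [90], "ip.addr": ["192.168.100.99", "192.168.100.50"], "smb.time": [0.0400]}),
    (0.0305, {"frame.pkt_len": [510], "ip.addr": [H40, "192.168.100.1"], "http.request": [1]}),
]


def matches(filter_str, fields):
    """Minimal stand-in for the display filter language: a bare field name,
    field==value, and && (an assumption of this example, not the real grammar)."""
    filter_str = filter_str.strip().strip('"')
    if not filter_str:
        return True
    for term in filter_str.split("&&"):
        term = term.strip()
        if "==" in term:
            name, value = term.split("==", 1)
            if value not in [str(v) for v in fields.get(name, [])]:
                return False
        elif term not in fields:
            return False
    return True


def interval_index(t, interval):
    """Slot number of time t; timestamps are truncated to 1 ms first."""
    ms = int(round(t * 1e6)) // 1000
    return ms // int(round(interval * 1000))


def io_stat(packets, interval, spec=""):
    """Return {slot: result}. Without a CALC() prefix the result is
    (frames, bytes) per slot; with one it is the aggregate per slot."""
    m = CALC_RE.match(spec.strip())
    func, field, filt = m.groups() if m else (None, None, spec)
    if func and field not in filt:
        # io,stat cannot extract the field unless the filter names it
        raise ValueError("%s must be part of the filter string" % field)
    slots = {}
    for t, fields in packets:
        if not matches(filt, fields):
            continue
        idx = interval_index(t, interval)
        if func is None:
            frames, nbytes = slots.get(idx, (0, 0))
            slots[idx] = (frames + 1, nbytes + fields["frame.pkt_len"][0])
        else:
            # every occurrence of the field in the frame is counted
            slots.setdefault(idx, []).extend(fields.get(field, []))
    if func is None:
        return dict(sorted(slots.items()))
    agg = {"COUNT": len, "SUM": sum, "MIN": min, "MAX": max,
           "AVG": lambda v: sum(v) / len(v)}[func]
    out = {}
    for idx, values in sorted(slots.items()):
        result = agg(values)
        out[idx] = round(result, 3) if field in TIME_FIELDS and func != "COUNT" else result
    return out


if __name__ == "__main__":
    print(io_stat(PACKETS, 0.010, 'AVG(smb.time)"smb.time&&ip.addr==192.168.100.40"'))
```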

COMMAND -z conv,type[,filter]

DESCRIPTION Creates a table that lists all conversations that could be seen in the capture. type specifies which type of conversation we want to generate the statistics for; currently the supported ones are "eth" Ethernet, "fc" Fibre Channel, "fddi" FDDI, "ip" IP addresses, "ipx" IPX addresses, "tcp" TCP/IP socket pairs, "tr" Token Ring, and "udp" UDP/IP socket pairs. Both IPv4 and IPv6 are supported. If the optional filter string is specified, only those packets that match the filter will be used in the calculations. The table is presented with one line for each conversation and displays the number of frames/bytes in each direction as well as the total number of frames/bytes. The table is sorted according to the total number of bytes.

EXAMPLE -z conv,ip,ip.addr==192.168.100.40 will list IP conversations for host 192.168.100.40.

NOTES None.

COMMAND -z proto,colinfo,filter,field

DESCRIPTION Appends all field values for the packet to the COL_INFO information line. This feature can be used to append arbitrary fields to the COL_INFO line in addition to its normal content. field is the display filter name of the field whose value should be placed on the COL_INFO line. filter is a filter string that controls for which packets the field value will be presented on the COL_INFO line; field will only be presented for the packets that match filter. In order for Tethereal to be able to extract the field value from the packet, field MUST be part of the filter string. If it is not, Tethereal will be unable to extract its value.

EXAMPLE 1 -z proto,colinfo,tcp.len,tcp.len will add the TCP segment length field, "tcp.len", to COL_INFO for all packets containing the "tcp.len" field.

EXAMPLE 2 -z proto,colinfo,"tcp.len&&ip.src==192.168.100.40",tcp.len will put "tcp.len" on COL_INFO, but only for packets coming from host 192.168.100.40.

NOTES This option can be used multiple times on the command line.

COMMAND -z rpc,rtt,program,version[,filter]

DESCRIPTION Collects call and reply RTT data for program/version. The data collected is the number of calls for each procedure, MinRTT, MaxRTT and AvgRTT. If the optional filter string is provided, the statistics will only be calculated on those calls that match that filter.

EXAMPLE 1 -z rpc,rtt,100003,3 will collect data for Network File System (NFS) v3.

EXAMPLE 2 -z rpc,rtt,100003,3,nfs.fh.hash==0x12345678 will collect NFS v3 RTT statistics for a specific file.

NOTES This option can be used multiple times on the command line.

COMMAND -z rpc,programs

DESCRIPTION Collects call and reply RTT data for all known ONC-RPC programs/versions. Data collected is the number of calls for each protocol/version, MinRTT, MaxRTT and AvgRTT.

EXAMPLE -z rpc,programs will collect data for all known ONC-RPC programs/versions.

NOTES This option can only be used once on the command line.

COMMAND -z smb,rtt[,filter]

DESCRIPTION Collects call and reply RTT data for SMB. The data collected is the number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT. The data will be presented as separate tables for all normal SMB commands, all Transaction2 commands and all NT Transaction commands. Only those commands that are seen in the capture will have their statistics displayed. Only the first command in an "xAndX" command chain will be used in the calculation, so for common "SessionSetupAndX + TreeConnectAndX" chains, only the "SessionSetupAndX" call will be used in the statistics. This is a flaw that might be fixed in the future. If the optional filter string is provided, the stats will only be calculated on those calls that match that filter.

EXAMPLE 1 -z smb,rtt will collect all SMB statistics.

EXAMPLE 2 -z smb,rtt,ip.addr==192.168.100.40 will only collect statistics for SMB packets exchanged by the host at IP address 192.168.100.40.

NOTES This option can be used multiple times on the command line.

COMMAND -z smb,sids

DESCRIPTION When this feature is used, Tethereal will print a report with all the discovered Security Identifiers (SIDs) and account name mappings. Only those SIDs where the account name is known will be presented in the table. For this feature to work you need either to enable "Edit|Preferences|Protocols|SMB|Snoop SID to name mappings" in the preferences, or to override the preferences by specifying –o smb.sid_name_snooping:TRUE on the Tethereal command line.

EXAMPLE -o smb.sid_name_snooping:TRUE -z smb,sids will enable the mapping preference and report all discovered SMB SIDs.

NOTES The current methods used by Tethereal to find the SID to name mapping are relatively restricted, but are expected to be expanded in the future.

COMMAND -z mgcp,rtd[,filter]

DESCRIPTION Collects request and response Response Time Delay (RTD) data for the Media Gateway Control Protocol (MGCP). This is similar to -z smb,rtt. The data collected is the number of calls for each known MGCP type, MinRTD, MaxRTD and AvgRTD. Additionally you get the number of duplicate requests/responses, unresponded requests, and responses that don’t match any request. If the optional filter string is provided, the stats will only be calculated on those calls that match that filter.

EXAMPLE 1 -z mgcp,rtd will collect all statistics for all MGCP traffic.

EXAMPLE 2 -z mgcp,rtd,ip.addr==192.168.100.40 will collect statistics for MGCP packets exchanged by the host at IP address 192.168.100.40.

NOTES This option can be used multiple times on the command line.

COMMAND -z h225,counter[,filter]

DESCRIPTION Count ITU-T H.225 messages and their reasons. The first column provides a list of H.225 messages and H.225 message reasons, which occur in the current capture file. The second column displays the number of occurrences of each message or reason.

EXAMPLE 1 -z h225,counter will collect all H.225 messages and their reasons.

EXAMPLE 2 -z h225,counter,ip.addr==192.168.100.40 will collect statistics for H.225 packets exchanged by the host at IP address 192.168.100.40.

NOTES This option can be used multiple times on the command line.

COMMAND -z h225,srt[,filter]

DESCRIPTION Collect request and response SRT (Service Response Time) data for ITU-T H.225 RAS. The data collected is number of calls of each ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame. Additionally it displays the number of Open Requests (Unresponded Requests), Discarded Responses (responses without matching requests), and Duplicate Messages.

EXAMPLE 1 -z h225,srt will collect all SRT data for all ITU-T H.225 RAS traffic.

EXAMPLE 2 -z h225,srt,ip.addr==192.168.100.40 will collect SRT statistics for ITU-T H.225 RAS packets exchanged by the host at IP address 192.168.100.40.

NOTES This option can be used multiple times on the command line.

Notes from the Underground…
XML Compatible Protocol Dissection

A new feature to Tethereal in version 0.10.0 is the ability to display output in PDML format by using the –T pdml option. The Politecnico Di Torino group, known for Analyzer and WinPcap, created the PDML specification. PDML is a simple language to format information related to packet decodes. The PDML data that Tethereal produces differs slightly from the specification and is not readable by Analyzer. The Tethereal PDML output contains the following flags:

  • <pdml> The PDML file is delimited by the <pdml> and </pdml> tags. This tag does not have any attributes.

    Example: <pdml version="0" creator="ethereal/0.10.0">

  • <packet> A PDML file can contain multiple packets by using the <packet> element. This tag does not have any attributes.

  • <proto> A packet can contain multiple protocols, designated by the <proto> element. The <proto> tag can have the following attributes:

    name The display filter name for the protocol.

    showname The label used to describe this protocol in the protocol tree.

    pos The starting offset within the packet data where this protocol starts.

    size The number of octets in the packet data that this protocol covers.

    Example: <proto name="ip" showname="Internet Protocol, Src Addr: 192.168.100.132 (192.168.100.132), Dst Addr: 192.168.129.201 (192.168.129.201)" size="20" pos="14">

  • <field> A protocol can contain multiple fields, designated by the <field> element. The <field> tag can have the following attributes:

    name The display filter name for the field.

    showname The label used to describe this field in the protocol tree.

    pos The starting offset within the packet data where this field starts.

    size The number of octets in the packet data that this field covers.

    value The actual packet data, in hex, that this field covers.

    show The representation of the packet data as it appears in a display filter.

    Example: <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>

    Two tools are provided in the ethereal-0.10.0a/tools directory to assist with PDML output parsing. EtherealXML.py is a Python module used to read a PDML file and call a specified callback function. Msnchat is a sample program that uses EtherealXML to parse PDML output for MSN chat conversations. It takes one or more capture files as input, invokes Tethereal with a specified read filter, and produces HTML output of the conversations. The usage output for msnchat is as follows:


[root@localhost tools]# ./msnchat -h
msnchat [OPTIONS] CAPTURE_FILE [...]
  -o FILE       name of output file
  -t TETHEREAL  location of tethereal binary
  -u USER       name for unknown user

The following command can be used to read and parse a saved capture file called msn_test1:

[root@localhost tools]# ./msnchat -o outfile msn_test1

When viewed with a web browser, the HTML outfile looks like the following:

---- New Conversation @ Dec 30, 2003 14:21:08 ----
(14:21:08) Luke: hello
(14:21:22) Unknown: how are you?
(14:21:53) Luke: are we meeting at noon?
(14:22:03) Unknown: yes, at the secret location.
(14:22:11) Luke: great, see you then
(14:22:17) Unknown: ok
(14:22:18) Unknown: bye

You can add a name for the Unknown user by typing the following command:

[root@localhost tools]# ./msnchat -o outfile -u Leia msn_test1

The HTML output would then look like the following:

---- New Conversation @ Dec 30, 2003 14:21:08 ----
(14:21:08) Luke: hello
(14:21:22) Leia: how are you?
(14:21:53) Luke: are we meeting at noon?
(14:22:03) Leia: yes, at the secret location.
(14:22:11) Luke: great, see you then
(14:22:17) Leia: ok
(14:22:18) Leia: bye

The msnchat code will give you a good idea of how to write your own scripts to parse capture files, manipulate the PDML data, and print the output in HTML format.
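As an added example in the spirit of msnchat (not code from the book, from EtherealXML.py or from the Ethereal project), the following Python script parses the <pdml>/<packet>/<proto>/<field> layout described in the sidebar using only the standard library, and rebuilds from it the per-conversation frames/bytes table that -z conv,tcp prints. The PDML input is constructed inline; the reading of the <- and -> columns as B-to-A and A-to-B, and the Python predicate used in place of an optional filter string, are assumptions of this example.

```python
"""Build a -z conv,tcp style table from Tethereal PDML output (added example)."""
import xml.etree.ElementTree as ET


def ip_hex(addr):
    """Hex form of a dotted-quad address, as the `value` attribute carries it."""
    return "".join("%02x" % int(o) for o in addr.split("."))


def packet_xml(src, sport, dst, dport, length, transport="tcp"):
    """One constructed <packet> using the attributes listed in the sidebar
    (name, showname, pos, size, show, value); offsets assume Ethernet/IPv4."""
    return f"""<packet>
<proto name="frame" showname="Frame ({length} bytes on wire)" size="{length}" pos="0">
<field name="frame.pkt_len" showname="Packet Length: {length} bytes" size="0" pos="0" show="{length}" value="{length:04x}"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src Addr: {src}, Dst Addr: {dst}" size="20" pos="14">
<field name="ip.src" showname="Source: {src}" size="4" pos="26" show="{src}" value="{ip_hex(src)}"/>
<field name="ip.dst" showname="Destination: {dst}" size="4" pos="30" show="{dst}" value="{ip_hex(dst)}"/>
</proto>
<proto name="{transport}" showname="{transport.upper()}" size="20" pos="34">
<field name="{transport}.srcport" showname="Source port: {sport}" size="2" pos="34" show="{sport}" value="{sport:04x}"/>
<field name="{transport}.dstport" showname="Destination port: {dport}" size="2" pos="36" show="{dport}" value="{dport:04x}"/>
</proto>
</packet>
"""


# Constructed capture: one HTTP exchange, a second HTTP connection and a DNS
# query (UDP, which -z conv,tcp must ignore).
SAMPLE_PDML = (
    '<?xml version="1.0"?>\n<pdml version="0" creator="ethereal/0.10.0">\n'
    + packet_xml("192.168.100.40", 2077, "64.12.26.97", 80, 74)
    + packet_xml("64.12.26.97", 80, "192.168.100.40", 2077, 1514)
    + packet_xml("192.168.100.40", 2077, "64.12.26.97", 80, 54)
    + packet_xml("192.168.100.40", 2078, "205.188.1.95", 80, 62)
    + packet_xml("192.168.100.40", 1025, "192.168.100.1", 53, 71, transport="udp")
    + "</pdml>\n"
)


def field_values(packet):
    """Map display-filter name -> `show` for one <packet>. Fields may sit under
    <proto> or be nested inside other <field>s, so the whole subtree is walked;
    the first occurrence of a name wins."""
    values = {}
    for field in packet.iter("field"):
        name = field.get("name")
        if name and name not in values:
            values[name] = field.get("show")
    return values


def tcp_conversations(pdml_text, keep=lambda fields: True):
    """Rows (A, B, frames B->A, bytes B->A, frames A->B, bytes A->B, total
    frames, total bytes), sorted by total bytes as -z conv,tcp does. `keep`
    is a predicate over the field dict standing in for the filter string."""
    needed = ("ip.src", "ip.dst", "tcp.srcport", "tcp.dstport")
    convs = {}
    for packet in ET.fromstring(pdml_text).iter("packet"):
        f = field_values(packet)
        if any(k not in f for k in needed) or not keep(f):
            continue  # not TCP/IP, or excluded by the filter
        src = (f["ip.src"], int(f["tcp.srcport"]))
        dst = (f["ip.dst"], int(f["tcp.dstport"]))
        length = int(f.get("frame.pkt_len", "0"))
        # A is whichever endpoint sent the first frame of the conversation.
        if (dst, src) in convs:
            key, col = (dst, src), 0   # B -> A, the "<-" columns (assumed)
        else:
            key, col = (src, dst), 2   # A -> B, the "->" columns (assumed)
        stats = convs.setdefault(key, [0, 0, 0, 0])
        stats[col] += 1
        stats[col + 1] += length
    rows = []
    for (a, b), (rf, rb, tf, tb) in convs.items():
        rows.append(("%s:%d" % a, "%s:%d" % b, rf, rb, tf, tb, rf + tf, rb + tb))
    return sorted(rows, key=lambda r: r[7], reverse=True)


def format_table(rows, filter_text="<No Filter>"):
    """Render rows in the layout of the tethereal -z conv,tcp report."""
    lines = ["TCP Conversations", "Filter:" + filter_text,
             "%-44s |     <-      | |     ->      | |    Total    |" % "",
             "%-44s | Frames Bytes| | Frames Bytes| | Frames Bytes|" % ""]
    for a, b, *counts in rows:
        lines.append("%-44s %6d %6d   %6d %6d   %6d %6d" % ((a + " <-> " + b,) + tuple(counts)))
    return "\n".join(lines)


if __name__ == "__main__":
    host40 = lambda f: "192.168.100.40" in (f["ip.src"], f["ip.dst"])
    print(format_table(tcp_conversations(SAMPLE_PDML, host40), "ip.addr==192.168.100.40"))
```

To run it on real data, feed it the text produced by tethereal -r capture -T pdml instead of SAMPLE_PDML.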






Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
EAN: 2147483647
Year: 2004
Pages: 105
Authors: Syngress
