Frequently Asked Questions




The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. When I am saving a file to a specified format in Ethereal, do I have to give it the proper filename extension?

2. Can I capture from multiple network interfaces with Ethereal?

3. I have tcpdump and snoop running on all of my servers. Can I view their capture files at the same time for correlation with Ethereal?

4. I have a packet capture file that I saved with Ethereal. Can I use an IDS to see if there are any intrusion attempts in it?

Answers

1. No. Ethereal will save the file in the selected format regardless of the extension; however, some other programs only look for certain extensions when opening a file, so it is safer to give the file the appropriate extension.

2. No, not at the current time. The wiretap functionality will hopefully someday have that feature built into it. However, we have opened multiple instances of Ethereal before and captured from two different interfaces that way. libpcap cannot capture on multiple interfaces at once. However, Linux provides a pseudo-interface called any which, when read, provides packets coming from any network interface that is currently up. You can use -i any, or select any in the Capture dialog box in Ethereal.

3. Yes, but you will have to use mergecap first to merge all of the files together. Frames are merged in chronological order by default, so if your clocks are all synchronized you should be able to see what was going on throughout your network when you open the merged capture file with Ethereal.

4. Yes. Save your capture as a binary (libpcap) file and read it into Snort with a command like snort -r ethereal.log -l ./logs -c snort.conf. This runs the packet capture through the rule files you have created. Many honeynets use this process to analyze data, and the Honeynet Project has a customized snort.conf file for this purpose at http://project.honeynet.org/paper/honeynet/tools.
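The chronological merge that answer 3 attributes to mergecap, written over the libpcap file format that answer 4 has Snort read, as an added example that is not code from the book, Ethereal or mergecap. The format is recognized from the magic number in the global header rather than from the filename, which is why, as answer 1 says, the extension does not matter; the two sample captures are constructed inline and contain no real traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps

def read_pcap(data):
    """Parse a libpcap file: (link type, [(ts_sec, ts_usec, packet_bytes)])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    """Serialize records as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def merge_captures(files):
    """Merge captures in chronological order (mergecap's default). A classic
    libpcap file carries one link type in its header, so mixed types are refused."""
    linktypes, merged = set(), []
    for data in files:
        linktype, records = read_pcap(data)
        linktypes.add(linktype)
        merged.extend(records)
    if len(linktypes) != 1:
        raise ValueError("captures use different link-layer types")
    merged.sort(key=lambda r: (r[0], r[1]))  # stable sort: ties keep input order
    return write_pcap(linktypes.pop(), merged)

# Constructed sample captures: two hosts with synchronized clocks whose frames
# interleave in time (link type 1 = Ethernet; payloads are placeholders).
SERVER_A = write_pcap(1, [(1000, 0, b"A0"), (1002, 0, b"A2")])
SERVER_B = write_pcap(1, [(1001, 500, b"B1"), (1003, 0, b"B3")])

def merged_payloads():
    """Packet bytes of the merged file in file order."""
    return [pkt for _, _, pkt in read_pcap(merge_captures([SERVER_A, SERVER_B]))[1]]
```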






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
