Linux (RedHat, SuSE, Slackware, Mandrake), BSD (Free, Net, Open), Windows (9x/ME, NT4/2000/XP), AIX, Compaq Tru64, HP-UX, Irix, MacOS X, SCO, Solaris
Ethereal is one of the most popular sniffers available. It performs packet sniffing on almost any platform (Unix, Windows), both in real time (live) and from saved capture files produced by other sniffers (NAI's Sniffer, NetXray, tcpdump, and more). Included with this program are many features such as filtering, TCP stream reconstruction, promiscuous mode, third-party plug-in options, and the capability to recognize more than 260 protocols. Ethereal also supports capturing on Ethernet, FDDI, PPP, token ring, X.25, and IP over ATM. In short, it is one of the most powerful sniffers available on the market today, and it is free.
Installation varies depending on the platform. Because 90% of people using this program employ either a Linux distribution (such as RedHat) or a Windows operating system, we will be discussing only those platforms. For the most part, what works on one *nix operating system will work on another with only slight modifications to the installation procedure.
Ethereal For Windows
Using Ethereal with Windows is fairly straightforward. There is one exception to this point. 802.11 packet captures are not currently available using Ethereal with any Windows OS. However, if you want to capture data from a wired network, Ethereal will work quite well.
There is one requirement for Ethereal on Windows: WinPcap. This program, available online, enables Ethereal to link right into the network card before the data is passed up the network software and processed by Windows. This program is required because of the way Windows interacts with its hardware. To reduce system crashes, any program installed in a Windows environment must interface with the OS software, which in turn communicates with the hardware. This is meant to be beneficial by restricting direct access to the hardware, which can cause software incompatibilities, ultimately resulting in system crashes.
In addition to the packet driver previously discussed, WinPcap includes another software library that can convert the captured data into the libpcap format. This format is the "standard" used by almost every *nix-based sniffer in circulation today. By incorporating this aspect into WinPcap, Ethereal can create files that can be ported to other platforms for dissection or archiving.
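The libpcap file layout mentioned above, as an added Python example (not WinPcap's or Ethereal's own code): it writes a capture in that format and parses one back defensively, rejecting the bad magic, oversized record or truncated file that a hand-crafted capture could carry. The sample frames are constructed, not from a real capture.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4      # libpcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample records (ts_sec, ts_usec, frame bytes); not a real capture.
SAMPLE_PACKETS = [
    (1034567890, 250, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55\x08\x00" + b"constructed frame 1"),
    (1034567891, 500, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55\x08\x00" + b"constructed frame 2"),
]

def build_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Write a libpcap image: 24-byte global header (magic, version 2.4,
    tz offset, sig figs, snaplen, linktype), then a 16-byte record header
    (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in packets:
        kept = frame[:snaplen]               # honour the snapshot length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(kept), len(frame)) + kept
    return out

def parse_pcap(blob):
    """Parse a libpcap image; returns (linktype, [(ts_sec, ts_usec, frame), ...]).
    Either byte order is accepted; anything inconsistent raises ValueError
    rather than yielding garbage frames."""
    if len(blob) < 24:
        raise ValueError("too short for a libpcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xd4c3b2a1:                # same magic, written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file: magic %#x" % magic)
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", blob[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported libpcap version %d.%d" % (major, minor))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad record length at offset %d" % off)
        frame = blob[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame data at offset %d" % off)
        records.append((ts_sec, ts_usec, frame))
        off += 16 + incl_len
    return linktype, records
```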
To install WinPcap, follow these steps:
To install Ethereal, follow these steps:
Launch Ethereal from Start > Programs > Ethereal > Ethereal. Details on using the program are covered after the Linux section later in this chapter.
Ethereal For Linux
Linux is the preferred platform for Ethereal. This is because Linux allows programs to interface directly with the hardware installed in the computer. By allowing this, software writers do not have to work with poorly written or tightly managed library components, as they do in Windows. However, this increased functionality does come with its share of problems.
Because of the nature of open source software, you can never be sure what is included in a package, or how it will work with a certain piece of software. Whereas one program might work flawlessly right out of the box, another program might require several additional operating system components or tweaks to existing files before it will run. However, Ethereal is fairly stable across the various Linux platforms, as long as you ensure that the configuration file is set up correctly.
Ethereal for Linux has several prerequisites. By meeting these requirements before you attempt to install the software, you will have a relatively easy installation process. Some of these prerequisites are not necessary for the core functionality of Ethereal; however, they will add extra features to make it more productive.
Although each of these prerequisites does have its own home page, you can get them all from the local archive at http://www.ethereal.com.
Installing Ethereal requires several steps. You should be somewhat familiar with the general installation process before attempting to perform this process. Install scripts typically request various configuration settings, such as your source directory, module directory, and more. However, for those who do not want to run through the manual building of source code, RPM files are available for download. The following briefly describes the general steps involved in installing from source code and in installing from RPM. As you can see, using the RPM is much simpler.
Installing RPMs
Use the following format to install RPMs. This should result in a complete install, without the need to configure or compile source code.
rpm -ivh filename.version.i386.rpm
Installing Source Code
This is not recommended for the complete beginner. However, if you have customized your system, want to play with the code, or are having problems installing the RPMs, the source code is available for download. The following is the typical procedure for compiling and installing source code.
You will need a compiler installed. The most common is gcc, which is typically available on the Linux CD.
At this point, you will want to restart any services using the files you just installed, or simply reboot.
To install the RPMs, follow these steps:
While *nix-based operating systems allow users much more flexibility, this does come with a price. Therefore, do not be surprised if you get an error or two while installing these programs. To help, we have provided a few troubleshooting tips to ease the pain.
Missing Files and/or Directory Errors
If you receive an error relating to a file or directory that is non-existent, the problem can be solved by manually creating this directory or by creating a link to the necessary file. A Unix "link" is similar to a Windows shortcut and will satisfy the installation script and any program that needs the file.
Missing libcrypto.0 File
This is one error that seems to be common; thus, we included specific instructions on how to correct it. The problem is related to changes in where Linux places files as it is installed.
Ethereal can be launched from the command line (ethereal &). Details about the program are covered next.
Using Ethereal is basically the same regardless of the OS. The GUI and general operation of this program is the same regardless of the platform on which it was installed, with the exception of general file menu operations. Because of the similarities, we will cover the use of the program once.
After Ethereal is loaded, you will see three screens, as illustrated in Figure 9.1. Each of these frames serves a unique purpose for the user, and will present the following information.
Figure 9.1. Common layout of Ethereal's frames.
Using Ethereal can be as simple as you want it to be. By default it comes with everything set up for full sniffing, and the only necessary setting is the selection of the network interface device. Thanks to the very user-friendly interface, this option is simple to find and easy to use.
To start sniffing, ensure that you have a network card in operational mode. This means the NIC's drivers must be installed and the card must be able to receive and transmit data. If the card does not work properly before using Ethereal, it will certainly not work while it is running. In addition, if you are using a WNIC, you might be limited as to how far out on the network you can sniff. If you are using a *nix OS, you will probably be able to sniff to at least the wireless router, wireless access point, or closest switch. If you are using Windows, your WNIC will only capture local data. Keep this in mind, or else you will spend hours attempting to troubleshoot a known issue.
To set up Ethereal to use your NIC, click Capture > Start. You will be shown a screen similar to Figure 9.2.
Figure 9.2. Ethereal settings.
The interface option must be set to the NIC currently installed and in operation. Note that in the example there are four options available. This list is from Ethereal as it appears when installed in Windows XP. For this operating system, the list identifies each NIC by MAC address. Other versions of Windows create a list of pseudo-names (for example, cw10, PPPMAC, wldel48, and so on). Linux's list, on the other hand, is by interface name (for example, wlan0, eth0, eth1, and so on).
Next, you have the capability to adjust various aspects of how Ethereal captures information. For example, you can set it up to filter the data and only capture HTTP information. Or, you can capture the data and update Ethereal's display in real time. You can also set up the ring buffer to create numerous files, so that once the first file reaches its maximum number of packets capture continues into the next one (in effect, it lets you capture without an upper limit). You can also adjust name resolution settings; disabling resolution might speed up processing, but it might also remove valuable data from the display.
Using Ethereal will affect your normal network connection. If you place the NIC in promiscuous mode, you could have various connection issues.
Once these settings meet your satisfaction, click the OK button to start sniffing. After you do this, you will see a small window open up that provides you with a running tally of the number of each type of packet collected (Figure 9.3).
Figure 9.3. Ethereal stats.
The stats window only displays the common protocols. All others are lumped under the Other category, which will require further investigation.
Ethereal's Filter options
After you capture a significant amount of data, the next step is to filter it based on your preferences. For example, if you are looking for traffic generated by the AIM protocol, which is used by AOL's Instant Messenger, you can set up a filter to quickly parse all AIM data out of the captured data. This can also be done before the capture; however, post-capture filtering is recommended because it gives you the power to go back and review everything captured.
To set up a filter before the capture, use the filter option as illustrated in Figure 9.2. This will open a filter setup window similar to Figure 9.4. To post the filter, use the filter option at the bottom of the Ethereal window.
Figure 9.4. Ethereal filter.
In this example, we will create a filter for AIM and Quake. Quake is a multiplayer game whose mastery is an essential prerequisite for any competent security professional. However, if you are a network administrator, you might desire a way to periodically monitor your network for Quake packets to make sure no one has set up a rogue Quake server. To do this, perform the following steps:
This should process the data captured and parse out only those packets that include the Quake protocol. If nothing appears in the screen, or no packets are detected, Quake is not being used on the network. After you are finished with this filter, click the Reset button and Ethereal will return all the captured data to the program windows.
The Follow TCP Stream Option
Ethereal comes with one outstanding feature that puts it at the top of our recommended list of sniffer programs. Besides the fact that it is free, Ethereal will also reconstruct TCP streams from the jumbled collection of data. To illustrate how useful this function is, we are going to perform a short capture while using AIM.
Thus we start Ethereal and set it to listen to the network. To facilitate this example, we simply sent messages to our own chat client. After a few sentences, we stop the capture and let Ethereal load the data into the packet display windows. At this point, we have a great deal of commingled data. How can we sort through this data to find our chat session?
We could set up a filter; however, this would still leave us with numerous packets that we would have to piece together. Because of this, we are going to use the TCP stream-following feature incorporated into Ethereal. This feature alone distinguishes Ethereal from the many others available; in addition, Ethereal is free. To use this, we need to find a packet using the AIM protocol and right-click on it. This will bring up a menu, which contains Follow TCP Stream as the first option. We click on this, and after a few seconds (or minutes, depending on the computer speed and the amount of data) we get a window similar to Figure 9.6. Now we have our complete chat session available to read through. If a hacker or network administrator were using this program while you were chatting with a friend, she too would be able to see the entire conversation, because AIM sends it in the clear.
Figure 9.6. Ethereal data.
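The stream reconstruction described above, together with the protocol filtering from the earlier section, as an added Python example that is not Ethereal's own code: it picks the AIM conversation out of a constructed capture (the sample puts AIM on TCP port 5190, its usual port) and reassembles both directions from segments that arrived out of order, were retransmitted, or were never captured at all.

```python
from collections import namedtuple

# One TCP segment, reduced to what a stream follower needs (constructed type).
Segment = namedtuple("Segment", "src sport dst dport seq payload")

# Constructed capture: an AIM chat on TCP 5190 mixed with unrelated HTTP traffic.
# One segment arrives early, one is retransmitted, and one reverse-direction
# segment (bytes 907-908) was never captured.
CAPTURE = [
    Segment("192.168.1.10", 1234, "205.188.1.1", 5190, 100, b"hello "),
    Segment("192.168.1.10", 1025, "10.0.0.1", 80, 500, b"GET / HTTP/1.0\r\n"),
    Segment("192.168.1.10", 1234, "205.188.1.1", 5190, 110, b"there"),   # early
    Segment("192.168.1.10", 1234, "205.188.1.1", 5190, 106, b"out "),
    Segment("205.188.1.1", 5190, "192.168.1.10", 1234, 900, b"hi back"),
    Segment("192.168.1.10", 1234, "205.188.1.1", 5190, 106, b"out "),    # retransmit
    Segment("205.188.1.1", 5190, "192.168.1.10", 1234, 909, b"!"),       # after a hole
]

def reassemble(segments):
    """Put one direction's segments in sequence order, drop bytes already
    delivered (retransmissions), and mark any hole left by a lost segment."""
    data, nxt = bytearray(), None
    for s in sorted(segments, key=lambda s: s.seq):
        if nxt is None:
            nxt = s.seq
        if s.seq > nxt:                        # hole: bytes never captured
            data += b"[%d bytes missing]" % (s.seq - nxt)
            nxt = s.seq
        skip = nxt - s.seq                     # overlap with delivered data
        if skip >= len(s.payload):
            continue                           # pure retransmission
        data += s.payload[skip:]
        nxt = s.seq + len(s.payload)
    return bytes(data)

def follow_tcp_stream(capture, anchor):
    """Given any one segment of a conversation, return the payloads of the
    anchor's direction and of the reverse direction, as Follow TCP Stream does."""
    fwd_key = (anchor.src, anchor.sport, anchor.dst, anchor.dport)
    rev_key = (anchor.dst, anchor.dport, anchor.src, anchor.sport)
    key = lambda s: (s.src, s.sport, s.dst, s.dport)
    fwd = [s for s in capture if key(s) == fwd_key]
    rev = [s for s in capture if key(s) == rev_key]
    return reassemble(fwd), reassemble(rev)

if __name__ == "__main__":
    aim = next(s for s in CAPTURE if 5190 in (s.sport, s.dport))   # the "filter" step
    for direction in follow_tcp_stream(CAPTURE, aim):
        print(direction.decode("ascii", "replace"))
```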
As you can see, Ethereal has almost unlimited possibilities. It is full of features that make it the obvious choice for both the low-budget hacker and the thrifty network administrator. This is one program that should be part of every computer geek's arsenal or investigative tool bag.