Ethereal


URL: http://www.ethereal.com

Supported Platforms

Linux (RedHat, SuSE, Slackware, Mandrake), BSD (Free, Net, Open ), Windows (9 x /ME, NT4/2000/XP), AIX, Compaq Tru64, HP-UX, Irix, MacOS X, SCO, Solaris

Description

Ethereal is one of the most popular sniffers available. It performs packet sniffing on almost any platform (Unix, Windows), in both real-time (live), and from saved capture files from other sniffers (NAI's Sniffer, NetXray, tcpdump, and more). Included with this program are many features such as filtering, TCP stream reconstruction, promiscuous mode, third-party plug-in options, and the capability to recognize more than 260 protocols. Ethereal also supports capturing on Ethernet, FDDI, PPP, token ring, X-25, and IP over ATM. In short, it is one of the most powerful sniffers available on the market todayand it is free.

Installation

Installation varies depending on the platform. Because 90% of people using this program employ either a Linux distribution (such as RedHat) or a Windows operating system, we will be discussing only those platforms. For the most part, what works on one *nix operating system will work on another with only slight modifications to the installation procedure.

Ethereal For Windows

Using Ethereal with Windows is fairly straightforward. There is one exception to this point. 802.11 packet captures are not currently available using Ethereal with any Windows OS. However, if you want to capture data from a wired network, Ethereal will work quite well.

Requirements

WinPcap: http://winpcap.polito.it

There is one requirement for Ethereal on Windows: WinPcap. This program, available online, enables Ethereal to link right into the network card before the data is passed up the network software and processed by Windows. This program is required because of the way Windows interacts with its hardware. To reduce system crashes, any program installed in a Windows environment must interface with the OS software, which in turn communicates with the hardware. This is meant to be beneficial by restricting direct access to the hardware, which can cause software incompatibilities, ultimately resulting in system crashes.

In addition to the packet driver previously discussed, WinPcap includes another software library that can convert the captured data into the libpcap format. This format is the "standard" used by almost every *nix-based sniffer in circulation today. By incorporating this aspect into WinPcap, Ethereal can create files that can be ported to other platforms for dissection or archiving.

Installing WinPcap

To install WinPcap, follow these steps:

  1. Download the file from http://winpcap.polito.it.

  2. Make sure it is not already installed:

    Start Settings Control Panel Add/Remove Programs

  3. Run the WinPcap Install program.

Installing Ethereal

To install Ethereal, follow these steps:

  1. Download the file from http://www.ethereal.com.

  2. Ensure WinPcap is installed (Version 2.3 and up required):

    Start Settings Control Panel Add/Remove Programs

  3. Run the Ethereal install program.

  4. Select the components to install:

    • Ethereal Standard Ethereal program

    • Tethereal Ethereal for a TTY environment (No GUI)

    • Editcap Tool for editing/truncating captured files

    • Text2Pcap Tool for converting raw ASCII hex to libpcap format packet capture files

    • Mergecap Tool for merging several capture files into one file

  5. Finish installation.

Running Ethereal

Launch Ethereal from Start Programs Ethereal Ethereal. Details on using the program are covered after Linux section later in this chapter.

Ethereal For Linux

Linux is the preferred platform for Ethereal. This is because Linux allows programs to interface directly with the hardware installed in the computer. By allowing this, software writers do not have to work with poorly written or tightly managed library components, as they do in Windows. However, this increased functionality does come with its share of problems.

Because of the nature of open source software, you can never be sure what is included in a package, or how it will work with a certain piece of software. Whereas one program might work flawlessly right out of the box, another program might require several additional operating system components or tweaks to existing files before it will run. However, Ethereal is fairly stable across the various Linux platforms, as long as you ensure that the configuration file is set up correctly.

Requirements

Ethereal for Linux has several prerequisites. By meeting these requirements before you attempt to install the software, you will have a relatively easy installation process. Some of these prerequisites are not necessary for the core functionality of Ethereal; however, they will add extra features to make it more productive.

NOTE

Although each of these prerequisites does have its own home page, you can get them all from the local archive at http://www.ethereal.com.


  • GTK+ and Glib (http://www.gtk.org) This program is the de facto standard toolkit used to create GUIs in the Linux environment. Ethereal requires this program for installation.

  • Libpcap (http://www.tcpdump.org) Libpcap for Linux is required by Ethereal to facilitate the capture and formatting of the data from the NIC. Ethereal requires this program for installation.

  • Perl (http://www.perl.com) Perl is the programming language of choice for small projects in the Linux environment. Ethereal uses it to build the documentation.

  • Zlib (http://www. info -zip.org/pub/infozip/zlib) Zlib is a compression software library that can be installed with Ethereal to facilitate the reading of compressed gzip files on the fly. This program is optional for Ethereal.

  • NET-SNMP (http://net-snmp. sourceforge .net) NET-SNMP is a software library used to read and write SNMP data. Ethereal uses this optional component to decode captured SNMP data.

Installation Options

Installing Ethereal requires several steps. You should be somewhat familiar with the general installation process before attempting to perform this process. Install scripts typically request various configuration settings, such as your source directory, module directory, and more. However, for those who do not want to run through the manual building of source code, RPM files are available for download. The following briefly describes the general steps involved in installing from source code and in installing from RPM. As you can see, using the RPM is much simpler.

Installing RPMs Use the following format to install RPMs. This should result in a complete install, without the need to configure or install source code.

 rpm ivh filename.version.i386.rpm 

Installing Source Code This is not recommended for the complete beginner. However, if you have customized your system or want to play with the code, or are having problems installing the RPMs, the source code is available for download. The following is the typical procedure for compiling and installing source code.

NOTE

You will need a compiler installed. The most common is gcc, which is typically available on the Linux CD.


  1. Unpack the source code using the tar command:

     tar xvf file.version.tar.gz 
  2. cd into the newly created directory.

  3. Run ./configure to set up the compiler scripts.

  4. Run ./make all to make all the files.

  5. Run ./make install to install the newly made files.

NOTE

At this point, you will want to restart any services using the files you just installed, or simply reboot.


RPM Installation

To install the RPMs, follow these steps:

  1. Download the required files ( x represents version number):

    • libpcap-0. x . x - x .i386.rpm Includes Libpcap libraries

    • tcpdump- x . x . x - x .i386.rpm Includes tcpdump libraries and program

    • ethereal-base-0. x . x -1.i386.rpm Includes base code for Ethereal

    • ethereal-gnome-0. x . x -1.i386.rpm Includes GUI code for Gnome desktop

    • ethereal-gtk+-0. x . x - x .i386.rpm Includes graphical libraries for GUI

    • ethereal-kde-0. x . x - x .i386.rpm Includes GUI code for KDE desktop

    • ethereal-usermode-0. x . x - x .i386.rpm Includes code for Ethereal

    NOTE

    The other source code files are found at their respective sites.

  2. Install gtk+.

  3. Install libpcap.

  4. Install tcpdump.

  5. Install ethereal-base.

  6. Install ethereal-usermode.

  7. Install ethereal-gnome and/or install ethereal-kde.

Common Errors

While *nix-based operating systems allow users much more flexibility, this does come with a price. Therefore, do not be surprised if you get an error or two while installing these programs. To help, we have provided a few troubleshooting tips to ease the pain.

Missing Files and/or Directory Errors If you receive an error relating to a file or directory that is non-existent, the problem can be solved by manually creating this directory or by creating a link to the necessary file. A Unix "link" is similar to a Windows shortcut and will satisfy the installation script and any program that needs the file.

  1. Manually create the missing directory (for example, mkdir /usr/local/include/net ).

  2. Locate the missing file and copy it into the directory, or create a symbolic link to the file.

Missing libcrypto.0 File This is one error that seems to be common; thus, we included specific instructions on how to correct it. The problem is related to changes in where Linux places files as it is installed.

  1. Create a symbolic link to the libcrypto.0 file using an existing libcrypto.0.x file (for example, ln libcrypto.0.x libcrypto.0 ).

  2. Install RPM using the nodep option.

Running Ethereal

Ethereal can be launched from the command line ( ethereal& ). Details about the program are covered next .

Using Ethereal

Using Ethereal is basically the same regardless of the OS. The GUI and general operation of this program is the same regardless of the platform on which it was installed, with the exception of general file menu operations. Because of the similarities, we will cover the use of the program once.

GUI Overview

After Ethereal is loaded, you will see three screens, as illustrated in Figure 9.1. Each of these frames serves a unique purpose for the user , and will present the following information.

Figure 9.1. Common layout of Ethereal's frames.

graphics/09fig01.gif

  • Packet Summary This is a list of all the captured packets, which includes the packet number (165, 535), time-stamp, source and destination address, protocol, and some brief information about the data in the packet.

  • Packet Detail This window contains more detailed information about the packet, such as MAC addresses, IP address, packet header information, packet size, packet type, and more. This is for those people interested in what type of data a packet contains, but don't care about the actual data. For example, if you are troubleshooting a network, you can use this information to narrow down possible problems.

  • Packet Dump (Hex and ASCII) This field contains the standard three columns of information found in most sniffers. On the left is the memory value of the packet; the middle contains the data in hex; and the right contains the ASCII equivalent of the hex data. This is the section that lets you actually peer into the packet and see what type of data is being transmitted, character-by-character.

Configuration

Using Ethereal can be as simple as you want it to be. By default it comes with everything set up for full sniffing, and the only necessary setting is the selection of the network interface device. However, because of a very user-friendly user interface, this option is simple to use and easy to find.

To start sniffing, ensure that you have a network card in operational mode. This means the NIC's drivers must be installed and the card must be able to receive and transmit data. If the card does not work properly before using Ethereal, it will certainly not work while it is running. In addition, if you are using a WNIC, you might be limited as to how far out on the network you can sniff. If you are using a *nix OS, you will probably be able to sniff to at least the wireless router, wireless access point, or closest switch. If you are using Windows, your WNIC will only capture local data. Keep this in mind, or else you will spend hours attempting to troubleshoot a known issue.

To set up Ethereal to use your NIC, click Capture Start. You will be shown a screen similar to Figure 9.2.

Figure 9.2. Ethereal settings.

graphics/09fig02.gif

The interface option must be set to the NIC currently installed and in operation. Note that in the example there are four options available. This list is from Ethereal as it appears when installed in Windows XP. For this operating system, the list contains the NIC by MAC address. Other versions of Windows create a list by pseudo- names (for example, cw10 , PPPMAC , wldel48 , and so on). Linux's list, on the other hand, is by interface name (for example, wlan0 , eth0 , eth1 ,and so on).

Next, you have the capability to adjust various aspects of how Ethereal captures information. For example, you can set it up to filter the data and only capture HTTP information. Or, you can capture the data and update Ethereal's display in real time. You can also set up the ring buffer to create numerous files in case you collect the maximum number of packets required to fill up the first file (it allows you to capture infinite amounts of data). You can also adjust name resolution settings, which might speed up processing, but which might reduce valuable data if disabled.

NOTE

Using Ethereal will affect your normal network connection. If you place the NIC in promiscuous mode, you could have various connection issues.


Once these settings meet your satisfaction, click the OK button to start sniffing. After you do this, you will see a small window open up that provides you with a running tally of the number of each type of packet collected (Figure 9.3).

Figure 9.3. Ethereal stats.

graphics/09fig03.gif

NOTE

The stats window only displays the common protocols. All others are lumped under the Other category, which will require further investigation.


Ethereal's Filter options

After you capture a significant amount of data, the next step is to filter it based on your preferences. For example, if you are looking for traffic generated by the AIM protocol, which is used by AOL's Instant Messenger, you can set up a filter to quickly parse all AIM data out of the captured data. This can also be done before the capture; however, post-capture filtering is recommended because it gives you the power to go back and review everything captured.

To set up a filter before the capture, use the filter option as illustrated in Figure 9.2. This will open a filter setup window similar to Figure 9.4. To post the filter, use the filter option at the bottom of the Ethereal window.

Figure 9.4. Ethereal filter.

graphics/09fig04.gif

In this example, we will create a filter for AIM and Quake . Quake is a multiplayer game whose mastery is an essential prerequisite for any competent security professional. However, if you are a network administrator, you might desire a way to periodically monitor your network for Quake packets to make sure no one has set up a rogue Quake server. To do this, perform the following steps:

  1. Click the Filter button.

  2. Type Quake in the Filter Name textbox.

  3. Click the Add Expression button.

  4. Scroll through the list of options and select Quake in the Field Name column and is present in the Relation column (see Figure 9.5).

    Figure 9.5. Filter expression.

    graphics/09fig05.gif

  5. Click Accept.

  6. Click the New button to add the filter to the save list.

  7. Click Save to store this filter permanently.

  8. Click OK to use the filter.

This should process the data captured and parse out only those packets that include the Quake protocol. If nothing appears in the screen, or no packets are detected , Quake is not being used on the network. After you are finished with this filter, click the Reset button and Ethereal will return all the captured data to the program windows.

The Follow TCP Stream Option

Ethereal comes with one outstanding feature that puts it at the top of our recommended list of sniffer programs. Besides the fact that it is free, Ethereal will also reconstruct TCP streams from the jumbled collection of data. To illustrate how useful this function is, we are going to perform a short capture while using AIM.

Thus we start Ethereal and set it to listen to the network. To facilitate this example, we simply sent messages to our own chat client. After a few sentences, we stop the capture and let Ethereal load the data into the packet display windows. At this point, we have a great deal of commingled data. How can we sort through this data to find our chat session?

We could set up a filter; however, this would still leave us with numerous packets that we would have to piece together. Because of this, we are going to use the TCP stream-following feature incorporated into Ethereal. This feature alone distinguishes Ethereal from the many others available; in addition, Ethereal is free. To use this, we need to find a packet using the AIM protocol and right-click on it. This will bring up a menu, which contains Follow TCP Stream as the first option. We click on this, and after a few seconds (or minutes, depending on the computer speed and the amount of data) we get a window similar to Figure 9.6. Now we have our complete chat session available to read through. If a hacker or network administrator were using this program while you were chatting with a friend, she too would be able to see the entire conversation.

Figure 9.6. Ethereal data.

graphics/09fig06.gif

As you can see, Ethereal has almost unlimited possibilities. It is full of features that make it the obvious choice for the both the low budget hacker or the thrifty network administrator. This is one program that should be part of every computer geek's arsenal or investigative tool bag.



Maximum Wireless Security
Maximum Wireless Security
ISBN: 0672324881
EAN: 2147483647
Year: 2002
Pages: 171

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net