As a Network Admin, I’m trying to use Ethereal to analyze the traffic on my network. Using filters, I’m able to capture what I believe are the relevant packets. However, I’m unsure of what to do with them once I’ve got them. How do you display or otherwise view the captured packets in a meaningful way (e.g. reconstruct a webpage, ASCII, etc.)?
You’re not going to be able to do much of that; since Ethereal is just pulling the raw bits off the wire, all the application layer frames are broken up and embedded in the lower-level frames. I suppose it’s possible, but that’s not really what it’s intended for.
I typically use it for diagnosing problems with customer VPN and SSL access to a very firewalled application server that leans heavily on RMI. Basically, I can tell a customer firewall admin that the app isn’t working because we’re not getting his client requests from port n.
I’ve also used it to gather high-level info about link usage on certain problem segments; basically, to get graphs for particular sample periods, call up the machine’s admin, and yell at him for trying to pull 2GB of backups across a T1 at noon on a Tuesday.
For even more detailed stuff, you’ve really got to get intimately familiar with your buddy TCP, his friend IP, and their pals 802.2 and MAC.
You may want to increase the buffer size and/or turn off name resolution: at the standard 1 MB buffer, it’ll choke if I have all the name resolutions on and am monitoring heavy (for a home network) traffic.
Ethereal can do higher-level things too, like reconstructing TCP sessions from the packets. Find any one TCP/IP packet in the stream that you want to watch (for example, by doing an ASCII search for the word “Yahoo” if you want to monitor a web browsing session with Yahoo). Right-click on the packet and choose “Follow TCP Stream”.
You should then get the entire communications session between the web server and the client, including the HTML webpages, images, and everything else that was downloaded.
If you click on the message, then go to the window underneath and start expanding it, you can look at the data part of each message in hex and ASCII. You can probably figure out a few things (like what web sites someone is going to based on the DNS requests) from looking at the data in ASCII.
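What “Follow TCP Stream” and the DNS-request trick above actually do, as an added Python example that is not from the original thread or from Ethereal itself: the script parses raw Ethernet/IPv4 frames, reassembles both directions of one TCP conversation by sequence number (re-ordering segments and dropping a retransmission), and pulls the queried names out of DNS requests. The capture, addresses, ports and HTTP content are constructed inline for the example, and the helpers that build the frames are mine, not part of any library.

```python
import struct
import socket
from collections import defaultdict

ETH_HDR = 14
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP/UDP and return the fields needed below, or None for anything else."""
    if len(frame) < ETH_HDR or struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]  # honour the IP total length so Ethernet padding is not mistaken for payload
    if proto == IP_PROTO_TCP:
        sport, dport, seq, _ack, off_flags = struct.unpack('!HHIIH', l4[:14])
        doff = (off_flags >> 12) * 4
        return dict(proto='tcp', src=src, dst=dst, sport=sport, dport=dport, seq=seq, payload=l4[doff:])
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack('!HH', l4[:4])
        return dict(proto='udp', src=src, dst=dst, sport=sport, dport=dport, payload=l4[8:])
    return None


def follow_tcp_stream(frames, client):
    """Reassemble both directions of the TCP conversation whose client endpoint is (ip, port).
    Segments are ordered by sequence number; retransmitted or overlapping bytes are discarded."""
    segs = defaultdict(dict)  # direction -> {seq: payload}
    for f in frames:
        p = parse_frame(f)
        if not p or p['proto'] != 'tcp' or not p['payload']:
            continue
        if (p['src'], p['sport']) == client:
            segs['client'].setdefault(p['seq'], p['payload'])
        elif (p['dst'], p['dport']) == client:
            segs['server'].setdefault(p['seq'], p['payload'])
    out = {}
    for direction, by_seq in segs.items():
        data, nxt = bytearray(), None
        for seq in sorted(by_seq):
            pl = by_seq[seq]
            if nxt is not None:
                if seq + len(pl) <= nxt:
                    continue  # full retransmission, nothing new
                if seq < nxt:
                    pl = pl[nxt - seq:]  # partial overlap, keep only the new tail
            data += pl
            nxt = seq + len(pl)
        out[direction] = bytes(data)
    return out


def dns_query_names(frames):
    """Return the name asked for in every DNS query (UDP to port 53) in the capture."""
    names = []
    for f in frames:
        p = parse_frame(f)
        if not p or p['proto'] != 'udp' or p['dport'] != 53:
            continue
        d = p['payload']
        if struct.unpack('!H', d[2:4])[0] & 0x8000:
            continue  # QR bit set: this is a response
        labels, i = [], 12  # question section starts after the 12-byte DNS header
        while i < len(d) and d[i]:
            n = d[i]
            labels.append(d[i + 1:i + 1 + n].decode('ascii', 'replace'))
            i += 1 + n
        names.append('.'.join(labels))
    return names


# --- constructed capture (assumed addresses and content, built only for this example) ---
def build_frame(src, dst, proto, l4):
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))  # IP checksum left zero
    return b'\x00' * 12 + b'\x08\x00' + ip_hdr + l4


def tcp_segment(src, dst, sport, dport, seq, payload):
    hdr = struct.pack('!HHIIHHHH', sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0)  # PSH|ACK
    return build_frame(src, dst, IP_PROTO_TCP, hdr + payload)


def udp_datagram(src, dst, sport, dport, payload):
    return build_frame(src, dst, IP_PROTO_UDP, struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload)


def dns_query(name):
    q = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack('!HH', 1, 1)


CLIENT, SERVER, CPORT = '192.168.1.10', '10.0.0.5', 40000
REQ = b'GET / HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n'
RESP = b'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Yahoo!</body></html>'
CAPTURE = [
    udp_datagram(CLIENT, '192.168.1.1', 53001, 53, dns_query('www.yahoo.com')),
    tcp_segment(CLIENT, SERVER, CPORT, 80, 1000, REQ),
    tcp_segment(SERVER, CLIENT, 80, CPORT, 5040, RESP[40:]),      # arrives before the first part
    tcp_segment(SERVER, CLIENT, 80, CPORT, 5000, RESP[:40]),
    tcp_segment(SERVER, CLIENT, 80, CPORT, 5000, RESP[:40]),      # retransmission
    tcp_segment('172.16.0.2', SERVER, 40001, 80, 1, b'GET /x HTTP/1.0\r\n\r\n'),  # unrelated stream
]

if __name__ == '__main__':
    print('DNS queries:', dns_query_names(CAPTURE))
    for side, data in follow_tcp_stream(CAPTURE, (CLIENT, CPORT)).items():
        print(f'--- {side} ---\n{data.decode("ascii", "replace")}')
```

The reassembly is deliberately the minimum that makes “Follow TCP Stream” work: it ignores 32-bit sequence wraparound and does not flag gaps, so on a real capture (read the frames from a pcap instead of `CAPTURE`) treat a missing segment as a hole, not as adjacent data. The same flow-keyed approach is what makes the ASCII search for “Yahoo” useful: once any segment of the conversation is found, the client (ip, port) pair identifies every other segment of it.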
Winpcap is a slave to the performance of your particular ethernet driver. I used ethereal during the design and development of an industrial ethernet device and it worked very well on my system. I’ve seen it run rather miserably on other computers. YMMV.