|   | < Day Day Up > |   | 
| 2.8 etherealAs I mentioned early in this chapter, there are alternatives to tcpdump that provide GUI interfaces. However, it is important that you familiarize yourself first with the structure of packets as they are captured and then with command-line interface tools before making the leap to a GUI application that may overwhelm you with too much information. Starting off with something such as ethereal before learning the basics is like purchasing a top-end calculator with all the whistles and bells without knowing how to do simple addition, subtraction, and multiplication commands. You can still perform basic calculations, but you'll end up using only a small fraction of the calculator's total power or resources. 2.8.1 Installing from SourceThe ethereal network analyzer is a standard feature of most Linux distributions, including Red Hat Linux. Just like tcpdump, ethereal captures its data in libpcap format. It can also read captured data from a variety of other network sniffing appliances that may use different logging formats. Check the ethereal manpage for a complete listing of the applications with which it is compatible. Chances are if your application of tool is not listed, the ethereal developers can easily create a port of it or you may just find ethereal to be all that you need. For those who prefer compiling the latest ethereal from source rather than simply installing the RPMs, the main ethereal page provides links and ports to nearly every available operating system and flavor of Unix on the market, including a Windows version. Most RPMs for ethereal are a couple versions behind the latest source release. Staying ahead of the game and up-to-date on the most current version is incentive enough for anyone to use the source rather than the binary. Although there are several different options available for customizing ethereal, the standard commands apply. Use the following commands to build and install a default version of the application on your system after uncompressing the source code in a standard location: # ./configure && make && make install ethereal is a fairly beefy application, weighing in at over three and a half megabytes. It can take some time to compile on older systems. It is worth the wait. 2.8.2 Available Optionsethereal is a GUI tool that offers a wealth of information. This section provides a quick overview of many of its features. However, for a more detailed explanation of all its features, consult the User's Guide on ethereal's home page. Start ethereal from the root shell prompt. The ampersand tells Linux to run the process in the background. Since this is a graphical program, we do not need to capitalize our command prompt until we're done with ethereal: # ethereal & To begin immediately capturing data, go to the Capture drop-down menu and select Start. This brings up the main Capture Options menu. Here you select from a variety of features, including the interface you wish to sniff, whether you want to capture packets in promiscuous mode, any filters you wish to apply, and whether you want an update of captured packets in real-time. You can also choose to scroll the packets on-screen as they are captured and enable MAC address and network name resolution. Many of these features are similar to the ones available under tcpdump. Figure 2-5 is an example of the Capture Options screen with a few options enabled. Figure 2-5. Enable similar options under ethereal as you would with tcpdump Once you start the packet capture, unless you have specified otherwise, it will continue to log information until you press the Stop button on the Capture window. Figure 2-6 is an example of a real-time packet capture session. Figure 2-6. Packet capture in real time using ethereal When you are done capturing packets, you can save the data to a file in a variety of formats, including the libpcap native format. If the data collected does not have the information you were looking for, modify the ethereal values or preferences in the Edit drop-down menu. You can change how the output appears within the ethereal window by unselecting all options and enabling only those of interest. The Display drop-down window also provides different options for customizing the application, such as colorizing the display so that certain items or protocols are highlighted. You may also choose to collapse or expand features within the middle pane window. The Tools drop-down menu provides options for enabling additional plug-ins, along with a Summary and Statistics of all captured data packets. It is possible to use filters in conjunction with ethereal, just as you would with tcpdump. ethereal uses the same syntax and the filters can be customized under the Edit drop-down menu. One of the most versatile features of ethereal is its ability to follow a particular TCP stream. If a particular network discussion appears interesting, simply highlight the connection in question and select Follow TCP Stream with the right mouse button. Notice the Filter: field at the bottom of the ethereal window; when you tell ethereal to follow a stream, it generates an appropriate filter with the correct syntax. This filter can be easily reset or modified and the changes applied in order to resume capturing other traffic. Along with a particular stream, you can add color filters to make packets of interest stand out against other network connections. It does not take long to become adept at capturing only those packets you wish to see. Like with tcpdump, you can closely analyze all datagram content in the lower pane window as hexadecimal output. It is never wise to implicitly trust ethereal's output. Viewing the hexadecimal is crucial for corroborating evidence within the captured packets. 2.8.3 ethereal Capture of TCP Three-Way HandshakeFigures Figure 2-7 through Figure 2-9 show the details of the three-way handshake between my laptop and slashdot.org. Figure 2-7. SYN Figure 2-8. SYN-ACK Figure 2-9. ACK 2.8.4 TetherealNo section on ethereal would be complete without mentioning the command-line or terminal-based packet capture option, Tethereal. Tethereal comes with ethereal and includes many of the same features. The manpages for the two programs are nearly identical. Tethereal captures and reads data the same way as ethereal, but can be run remotely on any machine, including machines without an X Window interface. Like ethereal, Tethereal must be run as root in order to have access to all command-line functions. Here is the output from a Tethereal packet capture session: # tethereal Capturing on eth0 0.000000 00:d0:bc:ed:15:e4 -> 09:00:2b:01:00:01 DEC_STP Hello Packet 0.407305 64.147.136.1 -> 224.0.0.10 EIGRP Hello 0.820469 00000000.00c0b607af66 -> 00000000.ffffffffffff IPX SAP Nearest Query 0.999948 00:d0:bc:ed:15:e4 -> 09:00:2b:01:00:01 DEC_STP Hello Packet 1.159977 00:30:65:8c:84:50 -> 09:00:07:ff:ff:ff AARP Who has 65280.194? Tell 65280. 128 1.218995 aa:00:04:00:59:9e -> 09:00:2b:00:00:0f 0x6004 DEC LAT 1.528072 00008001.080009a95de6 -> 00008001.ffffffffffff IPX SAP General Response 1.999953 00:d0:bc:ed:15:e4 -> 09:00:2b:01:00:01 DEC_STP Hello Packet 2.723358 00:00:f8:52:5b:79 -> ab:00:00:02:00:00 0x6002 DEC DNA Remote Console 2.743625 00008001.00d0bced15e4 -> 00008001.ffffffffffff IPX SAP General Response 2.915255 64.147.136.1 -> 224.0.0.10 EIGRP Hello 3.000008 00:d0:bc:ed:15:e4 -> 09:00:2b:01:00:01 DEC_STP Hello Packet 3.121764 aa:00:04:00:bd:9e -> ab:00:00:03:00:00 0x6003 DEC DNA Routing 3.123641 aa:00:04:00:bd:9e -> 09:00:2b:02:00:00 0x6003 DEC DNA Routing 3.125544 aa:00:04:00:bd:9e -> ab:00:00:04:00:00 0x6003 DEC DNA Routing 3.205372 64.147.136.5 -> 224.0.0.10 EIGRP Hello 3.235634 aa:00:04:00:59:9e -> 09:00:2b:00:00:0f 0x6004 DEC LAT 3.999932 00:d0:bc:ed:15:e4 -> 09:00:2b:01:00:01 DEC_STP Hello Packet Tethereal can be used as a replacement for tcpdump in remote situations when you are using a console or using secure shell (SSH) to connect to another machine. Use the -V flag with Tethereal to render nearly as much verbose information as the GUI interface. Those familiar with ethereal will find that Tethereal provides many of the same functions. I prefer to use tcpdump if all I have is a command line, but your mileage may vary. | 
|   | < Day Day Up > |   |