Mind Your Packets with Ethereal - Page 2

By Carla Schroder | Posted Jul 28, 2004


Display Filters And Capture Filters
A common source of confusion is Ethereal's support of two different types of filters. Display filters affect only what you see on the screen, so if you save the capture to a file, the file will be unfiltered. Capture filters reduce the size of your saved files by throwing away the bits you're not interested in. Unfortunately, the filter syntax is different for each one. We'll have a look at both.

Setting Up Display Filters
Simple display filters are dead easy, just like our FTP example: pop, imap, ssh, ssl, irc, icq, aim. You can run them singly, or combine them. To see a complete list, click the "+Expression" button. You can save a capture to file, with the "File -> Save as" menu. This is useful when you want to capture several different sessions, then go back and analyze them later. Simply open the file in Ethereal to return to poking and prodding at it.

Most protocols are complex, and can be broken down further. For example:

pop.response
pop.request
ftp.response
ftp.request
ftp.passive.nat
ftp.active.nat
ftp.response.code
smtp.rep
smtp.res
smtp.response.code

Our old friend ping (ICMP) has 24 separate pieces to play with. So you can slice and dice your capture just as finely as you want. This is what you need to do when you are refining Snort or iptables rules, and you want to find specific TCP signatures to write rules for.

Monitoring Specific Ports
You can watch what is happening with your servers or users by spying on their ports, like this:

tcp.port==443    # monitor all HTTPS traffic
ip.addr==192.168.1.100   # monitor all traffic to or from this machine
ip.addr==192.168.1.100 && tcp.port==443   # monitor all HTTPS traffic on this machine

Capture Filters
Capture filters look like this:

tcp port 22
tcp port 995
host 192.168.1.100
src host 192.168.1.101
dst host 192.168.1.102
tcp port 23 and host 192.168.1.103

To create a capture filter, do Capture -> Capture Filters. Create your filter or filters here. Select the capture filter you want to use in the Capture -> Start menu, under "Capture Filters."
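To make the two syntaxes concrete, here is an added example (not code from the article or from Ethereal) that evaluates the display filters from "Monitoring Specific Ports" and the capture filters shown above against three constructed packet summaries. The packet data, the `SAMPLE_PACKETS` structure and the function names are assumptions made for the example; it covers only the operators the article uses (`==`, `&&`, `||`, bare protocol names; `host`, `src host`, `dst host`, `tcp port`, `and`).

```python
import re

# Constructed packet summaries standing in for Ethereal's dissection (not a real
# capture). ip.addr holds [source, destination]; tcp.port holds [src port, dst port].
SAMPLE_PACKETS = [
    {"protocols": {"ip", "tcp", "ssl"},
     "fields": {"ip.addr": ["192.168.1.100", "10.0.0.5"], "tcp.port": ["51022", "443"]}},
    {"protocols": {"ip", "tcp", "pop"},
     "fields": {"ip.addr": ["10.0.0.5", "192.168.1.7"], "tcp.port": ["110", "40011"],
                "pop.response": ["+OK"]}},
    {"protocols": {"ip", "icmp"},
     "fields": {"ip.addr": ["192.168.1.100", "10.0.0.1"], "icmp.type": ["8"]}},
]

TERM = re.compile(r"^([A-Za-z][\w.]*)\s*==\s*(\S+)$")

def match_term(term, pkt):
    """One display-filter term: a bare protocol/field name, or field==value."""
    if "=" not in term:
        return term in pkt["protocols"] or term in pkt["fields"]
    m = TERM.match(term)
    if not m:  # catches the common typo tcp.port=443 (single '=')
        raise ValueError(f"bad display filter term {term!r}: comparison needs '=='")
    field, value = m.groups()
    # a field with several occurrences (ip.addr) matches if ANY of them equals value
    return value in pkt["fields"].get(field, [])

def match_display_filter(expr, pkt):
    """Display-filter syntax: '&&' binds tighter than '||' (no parentheses here)."""
    return any(all(match_term(t.strip(), pkt) for t in clause.split("&&"))
               for clause in expr.split("||"))

def match_capture_filter(expr, pkt):
    """Capture-filter (tcpdump/BPF) subset: host, src/dst host, tcp port, 'and'."""
    f = pkt["fields"]
    for words in (prim.split() for prim in expr.split(" and ")):
        if words[:2] == ["tcp", "port"]:
            ok = words[2] in f.get("tcp.port", [])
        elif words[0] == "host":
            ok = words[1] in f["ip.addr"]
        elif words[:2] in (["src", "host"], ["dst", "host"]):
            ok = words[2] == f["ip.addr"][0 if words[0] == "src" else 1]
        else:
            raise ValueError(f"unsupported capture filter primitive {' '.join(words)!r}")
        if not ok:
            return False
    return True

def select(expr, matcher, packets=SAMPLE_PACKETS):
    return [i for i, p in enumerate(packets) if matcher(expr, p)]
```

`select("ip.addr==192.168.1.100 && tcp.port==443", match_display_filter)` keeps only packet 0, while the same question in capture syntax is `select("host 192.168.1.100 and tcp port 443", match_capture_filter)`; a single `=` raises instead of silently matching nothing.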

Best Places To Collect Packets
The physical location where you pluck your packets from makes a huge difference. There are two sides to almost everything, and you'll use different places according to the type of information you want to collect. Two very important places are the two sides of a firewall: inside and outside. You'll be absolutely astounded at how much nastiness your firewall keeps out. Don't forget that switches (unlike hubs) filter traffic, passing each frame only to the port its destination is on, so a sniffer on a switched port sees little besides its own traffic and broadcasts; likewise, you'll see a different picture from each side of a router. An elderly laptop makes a great portable packet-sniffing box, and it gives you an excuse to run around and snoop all over the place.
