Mind Your Packets with Ethereal - Page 2
Display Filters And Capture Filters
A common source of confusion is Ethereal's support of two different types of filters. Display filters affect only what you see on the screen, so if you save the capture to a file, the file will be unfiltered. Capture filters reduce the size of your saved files by throwing away the bits you're not interested in. Unfortunately, the filter syntax is different for each one. We'll have a look at both.
Setting Up Display Filters
Simple display filters are dead easy, just like our FTP example: pop, imap, ssh, ssl, irc, icq, aim. You can run them singly, or combine them. To see a complete list, click the "+Expression" button. You can save a capture to file, with the "File -> Save as" menu. This is useful when you want to capture several different sessions, then go back and analyze them later. Simply open the file in Ethereal to return to poking and prodding at it.
Most protocols are complex, and can be broken down further. For example:
pop.response pop.request ftp.response ftp.request ftp.passive.nat ftp.active.nat ftp.response.code smtp.rep smtp.res smtp.response.code
Our old friend ping (ICMP) has 24 separate pieces to play with. So you can slice and dice your capture just as finely as you want. This is what you need to do when you are refining Snort or iptables rules, and you want to find specific TCP signatures to write rules for.
Monitoring Specific Ports
You can watch what is happening with your servers or users by spying on their ports, like this:
tcp.port==443 #monitor all HTTPS traffic ip.addr==192.168.1.100 # monitor all traffic on this machine ip.addr==192.168.1.100 && tcp.port=443 # monitor all HTTPS traffic on this machine
Capture filters look like this:
tcp port 22 tcp port 995 host 220.127.116.119 src host 18.104.22.1688 dst host 22.214.171.1247 tcp port 23 and host 126.96.36.1996
To create a capture filter, do Capture -> Capture Filters. Create your filter or filters here. Select the capture filter you want to use in the Capture -> Start menu, under "Capture Filters."
Best Places To Collect Packets
The physical location of where you pluck your packets from makes a huge difference. There are two sides to almost everything. You'll use different places according to the type of information you want to collect. Two very important places are both sides of a firewall- inside and outside. You'll be absolutely astounded at how much nastiness your firewall keeps out. Don't forget that switched hubs filter traffic, passing on only the bits destined for a particular subnet, and you'll see a different picture from each side of a router as well. An elderly laptop makes a great portable packet-sniffing box, and it gives you an excuse to run around and snoop all over the place.