Mind Your Packets with Ethereal

Its name might be 'ethereal,' but you'll find this tool a solid performer when it comes to monitoring network traffic. It'll probably teach you a little about TCP/IP along the way, too.

By Carla Schroder | Posted Jul 28, 2004

Ethereal is the Number One tool in the sysadmin's toolkit. It lets you read the literal, raw traffic going over your wires. The first time you run a packet sniffer is often a bit of a shock: it appears that the entire Internet is on a non-stop talking jag, all those routers and switches and servers yakking at each other continuously ("you there?" "yep" "you still there?" "yep" "what about now?") and so on.

This article will show you how to create both display and capture filters in Ethereal, to help you sort out the noise from what you want to see. You're on your own for learning TCP/IP; see the Resources for useful links.

Viewing Live Packets
Go ahead and give it a try: run ethereal as root, since capturing from a network interface requires raw-socket privileges. This opens the nice Ethereal graphical interface. Hit Capture -> Start. This opens the capture options dialog; select the interface, and check "Capture packets in promiscuous mode." Under "Display Options," check both "Update list of packets in real time" and "Automatic scrolling in live capture." Click "OK," and watch the packets roll by. Two caveats: promiscuous mode only helps on a shared segment or a mirrored switch port; on an ordinary switched network you will mostly see traffic addressed to your own machine plus broadcasts. And because Ethereal's protocol dissectors parse whatever arrives on the wire, the safer habit is to capture to a file as root and open the file in Ethereal as an unprivileged user.

Ethereal's default display configuration is three stacked panes. The top pane is the packet list. The middle pane shows the decoded packet details, such as source and destination IP addresses and TCP flags. The bottom pane shows the raw bytes of the packet, in hex and ASCII. To view a particular packet, click on the one you want in the top pane.

Obviously, if you don't have a good grasp of TCP/IP, this is all going to be rather mysterious. But there is no better study tool: fire up Ethereal while you're studying TCP/IP, and in a couple of hours you'll know a lot.

Ethereal makes sorting through all this noise eminently manageable. Hit the red Stop button to stop the capture. Now you can examine every little bit at your leisure. It should look something like Figure 1:

Figure 1 - Ethereal in action

A single packet is selected in the top pane. Clicking a field in the middle pane selects which part of the packet you want to read, and the bottom pane highlights the corresponding bytes. This particular example is pretty much hieroglyphics. But some things are obvious even when you don't know a lot of TCP/IP. Suppose you want to see what your FTP login looks like. Start a capture, log in to an FTP server, then stop the capture. Up near the top of Ethereal is a "Filter" box. Type "ftp" into this box, then hit the "Apply" button. Only the packets Ethereal has decoded as FTP control traffic (TCP port 21) remain in the list. You'll see something like this:

Figure 2 - Ethereal looking for FTP traffic

Boy howdy, that's a big fat FTP login traveling across the big bad Internet in cleartext, with the USER and PASS commands, and the password "secretword", plainly visible to anyone who takes the trouble to intercept your packets. So now you know a simple method for using Ethereal to verify that your SSL/TLS, SSH and other encryption protocols are actually doing their job: capture your own login, filter on the protocol, and confirm that no credentials or payload show up in readable form.
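To see what the "ftp" display filter is doing under the hood, here is an added example (not code from the article or from the Ethereal project) that reads a libpcap capture by hand and pulls out the same USER and PASS lines Figure 2 shows in the GUI. The capture it parses is constructed inline: an FTP login mixed with unrelated HTTP and DNS packets, with the IP addresses, port numbers and credentials all made up for the demonstration. At heart the filter is nothing more than "TCP with port 21 on either end", followed by reading the command channel line by line.

```python
"""Hand-rolled version of Ethereal's "ftp" display filter over a pcap file.

Added example, not code from the article or the Ethereal project.
Everything below (addresses, ports, the "secretword" password) is
constructed sample data for the demonstration.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap header, microsecond timestamps
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_pcap(frames):
    """Serialise raw Ethernet frames into a libpcap file (link type 1)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts, raw in enumerate(frames):
        body += struct.pack("<IIII", ts, 0, len(raw), len(raw)) + raw
    return header + body


def frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet + IPv4 + TCP/UDP frame. Checksums are left zero; the
    parser never checks them, just as Ethereal displays bad-checksum
    packets anyway."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    if proto == IPPROTO_TCP:
        # data offset 5 (20-byte header), flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def read_pcap(data):
    """Yield (src, dst, proto, sport, dport, payload) for each IPv4 frame."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        raw = data[off:off + incl]
        off += incl
        if struct.unpack("!H", raw[12:14])[0] != ETH_P_IP:
            continue
        ihl = (raw[14] & 0x0F) * 4          # IP header length in bytes
        proto = raw[23]                     # IP protocol field
        src = socket.inet_ntoa(raw[26:30])
        dst = socket.inet_ntoa(raw[30:34])
        l4 = raw[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == IPPROTO_TCP:
            payload = l4[(l4[12] >> 4) * 4:]  # skip TCP header (+ options)
        elif proto == IPPROTO_UDP:
            payload = l4[8:]
        else:
            payload = b""
        yield src, dst, proto, sport, dport, payload


def ftp_credentials(data):
    """Equivalent of typing "ftp" in the Filter box and reading USER/PASS."""
    found = []
    for src, dst, proto, sport, dport, payload in read_pcap(data):
        if proto != IPPROTO_TCP or 21 not in (sport, dport):
            continue  # this is all the "ftp" display filter does, at heart
        for line in payload.split(b"\r\n"):
            if line[:4].upper() in (b"USER", b"PASS"):
                cmd, _, arg = line.partition(b" ")
                found.append((src, dst, cmd.decode(), arg.decode()))
    return found


# Constructed sample capture: an FTP login plus unrelated HTTP and DNS noise.
SAMPLE = build_pcap([
    frame("192.168.1.10", "203.0.113.5", IPPROTO_TCP, 40001, 21, b"USER alice\r\n"),
    frame("203.0.113.5", "192.168.1.10", IPPROTO_TCP, 21, 40001, b"331 Password required\r\n"),
    frame("192.168.1.10", "203.0.113.5", IPPROTO_TCP, 40001, 21, b"PASS secretword\r\n"),
    frame("192.168.1.10", "203.0.113.7", IPPROTO_TCP, 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    frame("192.168.1.10", "192.168.1.1", IPPROTO_UDP, 5353, 53, b"\x00" * 12),
])

if __name__ == "__main__":
    for src, dst, cmd, arg in ftp_credentials(SAMPLE):
        print(f"{src} -> {dst}  {cmd} {arg}")
```

Point `read_pcap` at the bytes of a file you saved from Ethereal's File -> Save As (or from tcpdump -w) and `ftp_credentials` will find the same login you saw in Figure 2; run the same capture against an SFTP or FTP-over-TLS session and it should return nothing, which is exactly the check the paragraph above describes.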

Continued on page 2: Display Filters And Capture Filters
