Network Troubleshooting Tools
by Joseph D. Sloan
1.6. Packet Analyzers
Even with the tools described in our previous segments, the real limitation with tcpdump is interpreting the data. For many uses, tcpdump may be all you need. But if you want to examine the data within packets, a packet sniffer is not enough. You need a packet analyzer. A large number of packet analyzers are available at tremendous prices. But before you start spending money, you should consider ethereal.
–> Open. You can either load a
–> Start. You will be presented with a Capture Preferences screen like the one shown in Figure 1-2 (below). If you have multiple interfaces, you can select which one you want to use with the first field. The Count: field is used to limit the number of packets you will collect. You can enter a capture filter, using
Figure 1-3 ethereal Capture
Once you have finished capturing data, you’ll want to go back to the main screen shown in Figure 1-1. The top pane displays a list of the captured packets. The lower panes display information for the packet selected in the top pane. The packet to be dissected is selected in the top pane by clicking on it. The second pane then displays a protocol tree for the packet, while the bottom pane displays the raw data in hex and ASCII. The layout of ethereal is shown in Figure 1-1. You’ll probably want to scroll through the top pane until you find the traffic of interest. Once you have selected a packet, you can resize the windows as needed. Alternatively, you can select Display –> Show Packet in New Window to open a separate window, allowing you to open several packets at once.
–> Follow TCP Stream. This tool collects information from all the packets in the TCP session and displays the information. Unfortunately, while convenient at times, this feature makes it just a little too easy to capture passwords or otherwise invade users’ privacy.
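What Follow TCP Stream does behind the scenes, as an added example that is not code from the book or from ethereal: a short Python script that parses constructed IPv4/TCP frames and reassembles both directions of one conversation by sequence number, dropping a retransmitted segment and putting an out-of-order segment back in place. The addresses, ports and payloads are constructed sample values.

```python
import struct
from collections import defaultdict

def build_segment(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample input (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,      # 20-byte header, PSH|ACK
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def parse_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for one IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return (src, sport, dst, dport), seq, frame[tcp_off + data_off:14 + ip_total]

def follow_tcp_stream(frames, a, b):
    """Reassemble both directions of the a<->b conversation by sequence number:
    out-of-order segments are put back in place, a retransmission (same seq) is
    dropped and partial overlap is trimmed. 32-bit sequence wrap is not handled."""
    segments = defaultdict(dict)                 # direction key -> {seq: payload}
    for frame in frames:
        key, seq, payload = parse_segment(frame)
        if key in (a + b, b + a) and payload:
            segments[key].setdefault(seq, payload)   # first copy of a seq wins
    streams = {}
    for key, segs in segments.items():
        buf, expected = b"", 0
        for seq in sorted(segs):
            buf += segs[seq][max(0, expected - seq):]   # drop bytes already delivered
            expected = max(expected, seq + len(segs[seq]))
        streams[key] = buf
    return streams

# Constructed sample: one HTTP exchange plus a retransmission, an out-of-order segment and unrelated noise.
A, B = ("10.0.0.5", 40000), ("10.0.0.9", 80)
SAMPLE_FRAMES = [
    build_segment(*A, *B, 1000, b"GET /index.html HTTP/1.0\r\n"),  # 26 bytes, next 1026
    build_segment(*B, *A, 5000, b"HTTP/1.0 200 OK\r\n"),           # 17 bytes, next 5017
    build_segment(*A, *B, 1000, b"GET /index.html HTTP/1.0\r\n"),  # retransmission
    build_segment(*A, *B, 1041, b"\r\n"),                          # arrives before 1026
    build_segment(*A, *B, 1026, b"Host: example\r\n"),             # 15 bytes, next 1041
    build_segment("10.0.0.7", 1234, "10.0.0.9", 80, 1, b"noise"),  # other conversation
    build_segment(*B, *A, 5017, b"\r\nhello\r\n"),
]
```

Calling follow_tcp_stream(SAMPLE_FRAMES, A, B) returns one reassembled byte string per direction, keyed by (src, sport, dst, dport), with the unrelated frame left out.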
Figure 1-4 ethereal Summary
There are a number of additional features that I haven’t gone into here. But what I described here is more than enough for most simple tasks.
1.6.1.2. Display filters
–> Match Selected, and
Perhaps more than any other tool described in this book, ethereal is constantly being changed and improved. While this book was being written, new versions were appearing at the rate of about once a month. So you should not be surprised if ethereal looks a little different from what is described here. Fortunately, ethereal is a well-developed program that is very intuitive to use. You should have little trouble going on from here.
—
The next segment from Network Troubleshooting Tools will cover the Dark Side of Packet Capture.