Ethereal is the Number One tool in the sysadmin’s toolkit. It lets you read the literal, raw traffic going over your wires. The first time you run a packet sniffer is often a bit of a shock- it appears that the entire Internet is on a non-stop talking jag, all those routers and switches and servers yakking at each other continuously- “you there?” “yep” “you still there?” “yep” “what about now?” and so on.
This article will show you how to create both display and capture filters in Ethereal, to help you sort out the noise from what you want to see. You’re on your own for learning TCP/IP; see the Resources for useful links.
Viewing Live Packets
Go ahead and give it a try- run ethereal as root. This opens the nice Ethereal graphical interface. Hit Capture -> Start. This opens a menu; select the interface, and check “capture packets in promiscuous mode.” Under “Display Options,” check both “Update list of packets in real time” and “Automatic scrolling in live capture.” Click “OK,” and watch the packets roll by.
Ethereal’s default display configuration is three stacked windows. The top window shows the packet list. The middle window is the various packet details, such as source and destination IP addresses, and TCP flags. The bottom window shows the actual contents of a packet. To view a particular packet, click on the one you want in the top window.
Obviously, if you don’t have a good grasp of TCP/IP, this is all going to be rather mysterious. But there is no better study tool- fire up Ethereal while you’re studying TCP/IP, and in a couple of hours you’ll know a lot.
Making sense of all this noise is made eminently manageable by Ethereal. Hit the red Stop button to stop the capture. Now you can examine every little bit at your leisure. It should look something like Figure 1:
A single packet is selected in the top window. The middle window selects which part of the packet you want to read, and the bottom windows highlights this bit. This particular example is pretty much hieroglyphics. But some things are obvious even when you don’t know a lot of TCP/IP. Suppose you want to see what your FTP login looks like. Start a capture, log in to an FTP server, then stop the capture. Up near the top of Ethereal is a “Filter” window. Type “ftp” into this window, then hit the “Apply” button. You’ll see something like this:
Boy howdy, that’s a big fat plain-text FTP login traveling across the big bad Internet in cleartext, with the password “secretword” plainly visible to anyone who takes the trouble to intercept your packets. So now you know a simple method for using Ethereal to verify that your SSL/TLS/SSH and other encryption protocols are working.
Display Filters And Capture Filters
A common source of confusion is Ethereal’s support of two different types of filters. Display filters affect only what you see on the screen, so if you save the capture to a file, the file will be unfiltered. Capture filters reduce the size of your saved files by throwing away the bits you’re not interested in. Unfortunately, the filter syntax is different for each one. We’ll have a look at both.
Setting Up Display Filters
Simple display filters are dead easy, just like our FTP example: pop, imap, ssh, ssl, irc, icq, aim. You can run them singly, or combine them. To see a complete list, click the “+Expression” button. You can save a capture to file, with the “File -> Save as” menu. This is useful when you want to capture several different sessions, then go back and analyze them later. Simply open the file in Ethereal to return to poking and prodding at it.
Most protocols are complex, and can be broken down further. For example:
pop.response pop.request ftp.response ftp.request ftp.passive.nat ftp.active.nat ftp.response.code smtp.rep smtp.res smtp.response.code
Our old friend ping (ICMP) has 24 separate pieces to play with. So you can slice and dice your capture just as finely as you want. This is what you need to do when you are refining Snort or iptables rules, and you want to find specific TCP signatures to write rules for.
Monitoring Specific Ports
You can watch what is happening with your servers or users by spying on their ports, like this:
tcp.port==443 #monitor all HTTPS traffic ip.addr==192.168.1.100 # monitor all traffic on this machine ip.addr==192.168.1.100 && tcp.port=443 # monitor all HTTPS traffic on this machine
Capture filters look like this:
tcp port 22 tcp port 995 host 126.96.36.1999 src host 188.8.131.528 dst host 184.108.40.2067 tcp port 23 and host 220.127.116.116
To create a capture filter, do Capture -> Capture Filters. Create your filter or filters here. Select the capture filter you want to use in the Capture -> Start menu, under “Capture Filters.”
Best Places To Collect Packets
The physical location of where you pluck your packets from makes a huge difference. There are two sides to almost everything. You’ll use different places according to the type of information you want to collect. Two very important places are both sides of a firewall- inside and outside. You’ll be absolutely astounded at how much nastiness your firewall keeps out. Don’t forget that switched hubs filter traffic, passing on only the bits destined for a particular subnet, and you’ll see a different picture from each side of a router as well. An elderly laptop makes a great portable packet-sniffing box, and it gives you an excuse to run around and snoop all over the place.