For any network diagnostics operation, especially one that involves traffic analysis, packet sniffing is the first and foremost requirement. There are many sniffing tools available over the internet, but Ethereal is special because it is free and is used by professionals all over the world.
The tool has been popular with Linux users for some time, but with the current Windows version having a single dependency, WinPcap (the packet-capture library), installing and using Ethereal on Windows is extremely easy. Let us see how it works and how to make use of some of its more useful features.
The first thing required when using Ethereal is to specify which interface to capture on. Go to Capture > Interfaces. This lists all the NICs present on the system and at the same time starts showing how many packets are currently being transferred on each, providing an instant idea of the network activity in progress.
Three icons — Details, Prepare and Capture — are present against each interface. Clicking on Details displays in-depth NIC statistics. Clicking on the Prepare button lets you select capture options in detail, such as buffer size, capture stop conditions, real-time packet display options and, most importantly, capture filters.
If the capture is intended for a particular service, or particular “noise” traffic is to be excluded, this rule-based filtering comes to the rescue — a very handy option on heavy-traffic networks. For now, leave the default settings unchanged and click Start, or click Cancel to go back to the interface list and click Capture there.
A capture status window appears, showing protocol-wise progress as well as the percentage of packets captured. Pressing Stop at any time returns you to the main Ethereal window, which lists all the packets captured. If you want packets displayed as they are being captured, tick “Update list of packets in real time” in the capture options, reached via Prepare or the menu Capture > Options. Note that packets are listed with protocol-wise colour coding, which makes it easy to identify packet types. Packet details are shown in three distinct resizeable panels arranged horizontally.
The first is the ‘packet list view’ with packet time, source, destination, protocol and information. Select a packet from this list and the second panel is updated to show layer-wise details in a tree control.
For instance, select a packet from a browsing session: its break-up begins right at the Frame level. The next levels are Ethernet, IP, TCP and HTTP. Each of these can be viewed as a summary showing frame number, MAC, IP and port respectively, and can be expanded further to see each layer’s protocol details — like flags, checksum and sequence number.
Selecting an ‘info item’ from this stack shows its actual value in hex, alongside ASCII, in the third panel at the bottom. This comprehensive stack gives a complete picture of what constitutes a network packet and allows the analyst to see how various applications (both commonly known and unknown) actually work.
For further inspection, a dedicated Analyse menu is provided, complete with tools and techniques that make it possible to make sense of the myriad of information collected. For example, if you stumble upon a suspicious POP3 (mail checking) packet, select it and go to Analyse > Follow TCP Stream. All the related packets are displayed in sequence, with an option to show only the incoming data, only the outgoing data, or the entire conversation. Output can be switched from raw to ASCII, EBCDIC, hex or even C language arrays.
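The reassembly behind Follow TCP Stream, as an added example that is not from the article or from Ethereal's own code: a small Python model that picks out the conversation containing a selected packet, separates the two directions, drops retransmissions and reorders by sequence number, then renders the result as a hex/ASCII dump like the bottom panel. The packet fields, addresses and the POP3 exchange are constructed for the demonstration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport seq payload")  # only what following needs

def endpoint_pair(p):
    """Direction-independent key: the two endpoints of one TCP conversation."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def follow_tcp_stream(packets, selected):
    """Return (forward, reverse, conversation) for the stream holding `selected`: bytes per
    direction ordered by seq (retransmissions dropped) and [(dir, payload)] in capture order."""
    key, fwd_src = endpoint_pair(selected), (selected.src, selected.sport)
    seen, conversation = {}, []          # seen: (direction, seq) -> payload
    for p in packets:
        if endpoint_pair(p) != key or not p.payload:
            continue                     # other stream, or data-less ACK/handshake segment
        direction = "->" if (p.src, p.sport) == fwd_src else "<-"
        if (direction, p.seq) in seen:
            continue                     # retransmitted segment, keep the first copy
        seen[(direction, p.seq)] = p.payload
        conversation.append((direction, p.payload))
    def assemble(d):
        return b"".join(v for k, v in sorted(seen.items()) if k[0] == d)
    return assemble("->"), assemble("<-"), conversation

def hex_ascii(data, width=16):
    """Hex plus printable-ASCII dump, like Ethereal's bottom panel."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

# Constructed capture: a POP3 session (port 110) with a retransmission and an
# out-of-order segment, plus an unrelated HTTP request that must be excluded.
C, S = ("10.0.0.5", 40123), ("10.0.0.9", 110)
PACKETS = [
    Packet(*S, *C, 1, b"+OK POP3 server ready\r\n"),
    Packet("10.0.0.5", 40124, "10.0.0.20", 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
    Packet(*C, *S, 1, b"USER alice\r\n"),
    Packet(*C, *S, 1, b"USER alice\r\n"),     # retransmission
    Packet(*S, *C, 24, b"+OK\r\n"),
    Packet(*C, *S, 19, b"QUIT\r\n"),          # captured before the STAT it follows
    Packet(*C, *S, 13, b"STAT\r\n"),
    Packet(*S, *C, 29, b"+OK 0 0\r\n"),
]
if __name__ == "__main__":                   # "select" the USER packet and follow its stream
    print(*map(hex_ascii, follow_tcp_stream(PACKETS, PACKETS[2])[:2]), sep="\n\n")
```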
Another powerful option is ‘Expert Info’, which classifies packets according to severity, such as error and warning notes. Coupled with these options, expression-based display filters let you match traffic against very specific protocol fields, for instance BitTorrent packets whose Peer_ID matches certain criteria. This provides an excellent way of analysing both industry-standard RFC protocols and application-specific protocols.
With configuration options allowing protocol-wise parameter setting, a full-fledged graphical statistics module, dissection of 750 protocols, the ability to import from a number of other capture products, and programmatic editing and conversion of captured files, Ethereal truly is a powerhouse for any serious network administrator. Its options can be used to trace malware, Trojan and spyware activity, as well as to see how other applications work over a network.