Ethereal Packet Sniffing

author | Angela Orebaugh with Greg Morris and Ed Warnick
pages | 468
publisher | Syngress
rating | 7
reviewer | Jose Nazario
ISBN | 1932266828
summary | Solid coverage of an excellent networking tool. Offers value beyond free documentation, insight available nowhere else, and plenty of handy tips and tricks.
I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with free docs. While the book comes out favorably for me, I'll start with the things I didn't like first.
One of the big things that is missing from this book is any coverage of Ethereal on OS X. Given how many people are migrating to OS X (from UN*X or from Windows), and the coverage of Ethereal on Windows, I would have expected some mention of it. Luckily it's available in both Darwin Ports and the Fink project, but some mention of any of the quirks people may encounter would have been welcome. Amy (from Syngress) tells me that they will have a paper in their Solutions center on Ethereal on OS X, which would be great to see.
Another annoyance with the book is the repeated coverage in some sections of various aspects of Ethereal. One that stands out is the coverage of the additional tools which are installed alongside Ethereal, like Editcap and Text2pcap. They are covered in chapter 2 for a bit and then more completely in chapter 6. Covering these tools only once would have sufficed, but it does let chapter 2 stand on its own. Amy tells me that they do this intentionally, because it makes some chapters stand on their own as "units" for others to use. That makes sense.
A final bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. A lot of information gets dumped in Ethereal; helping people navigate the UI with a static, black-and-white image would have been welcome.
Now, on to the real strengths of the book. Like I said earlier, the book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well. It covers how to place a sniffer to get coverage, what a sniffer can tell you during troubleshooting (and what it can't), and of course how to get and install Ethereal (on UN*X and Windows).
The next chapter covers exactly what you would expect it to, how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).
Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products.
Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.
Chapter 9 will be useful to a small subset of people, but quite useful. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.
Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.
The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think.
All in all I would say this is probably worth picking up if you're looking at becoming a network operator or network security junkie. You'll learn a lot about a powerful tool, how to integrate it into your use, and even how to dissect real traces of traffic. I give it a 7 out of 10 for the above weaknesses, but that shouldn't stop you from strongly considering it.
Already out of date (Score:5, Informative)
For example, on page 47, figure 2.1 is out of date, as the menu items have changed and the toolbar now has more items.
On Page 146 and 147 the authors attempted to deal with changes in the GUI, and show us what the new print dialog box will look like; however, that version is also out of date.
On Page 153, Figure 4.19 is out of date. On Page 155, Figure 4.21 no longer exists. Page 156, Figure 4.22 is out of date. Page 162, Figure 4.31 is out of date, and so on.
Further on, Page 180, Figures 4.49 and 4.50 are also out of date, and it would have been nicer to show some real-life examples of problems one can spot with the Time Sequence Graphs and some explanation of how socket layer stuff relates to what you might see on the wire.
So, I am not sure this book is worth buying. Perhaps wait for the update.
Re:I'd love to but... (Score:5, Informative)
Your network configuration can also affect what packets you see - are there switches dividing your network? Are you alone on your network?
New to Ethereal?
Start a capture, then check your email. Then use the email address and password you capture to do all kinds of nasty things.
Re:I'd love to but... (Score:5, Informative)
[quote]For Windows get WinPcap [polito.it]
then get Ethereal for Windows [ethereal.com]
and get WinDump [polito.it]
SANS.org has all the info: Packet capture apps [sans.org][/quote]
Usually the wrong level for solving that problem (Score:4, Informative)
If you're an ISP or hosting center that has customers that you're only providing with IP services, not email services, you _could_ sniff packets and send RSETs to kill sessions that look like spam, but you'd be doing it with less information than your customers, and you would probably end up killing off lots of useful mail, such as the message they're sending to abuse@example.net telling them how to find the spammer that just sent them this message. Usually a bad idea.
Re:I'd love to but... (Score:3, Informative)
then get this,
http://www.distrowatch.com/table.php?distribution
and get this too,
ftp://ibiblio.org/pub/linux/distributions/phlak [ibiblio.org]
then get one of these,
http://www.systemrecycler.com/shomiti/ [systemrecycler.com]
and lastly get this just for shits, grins and giggles,
http://www.metasploit.com/projects/Framework/docu
Re:OS X & Ethereal (Score:3, Informative)
There are some real annoyances in getting fink to accept that you are using Apple's distribution of X. I'm still not confident that I understand how I eventually got it to work. But once I did
did the job and I've been happily looking at packets since then. Ever since then (well, about a week ago), I've found myself in need of something that gives me some of the basics of capture and sniffing. So it looks like this book will do the job for me.
Ethereal compatible packet sniffing:Novell NetWare (Score:2, Informative)
Guidelines to Take a Packet Trace [novell.com]
Packetscan - NetWare packet capture tool [novell.com]
How to use Ethereal to capture a packet trace [novell.com]
How to configure a capture filter for Ethereal [novell.com]
Re:As many Unix tools, Ethereal is egoist! (Score:2, Informative)
A few other options for you:
1) Simplest option with focus on HTTP: Put in Squid as a transparent proxy. No need to set up anything on the client, just put the Squid server in front of your gateway and tell it to route port 80 through Squid. Lots of tools exist to analyze Squid log files. My preference is awstats, because it suits my needs.
2) Use tcpdump, writing to a file. You can use -C to specify the file size if you expect high volume. Then you can use another tcpdump, Ethereal, or whatever tool to analyze your dump files. Remember "-s 0" to save the full packet.
For instance "tcpdump -s 0 -C 1000 -w tcpdump.dmp &" saves the dump in 1G files. Then you can use "tail -f -c +0 tcpdump.dmp | tcpdump -r - port 80" to follow http traffic online. You'll of course have to monitor when the new rollover happens and restart with the newest filename. This can be easily scripted.
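The rollover-following script the comment above describes, as an added example (not the commenter's code): it assumes the capture was started as `tcpdump -s 0 -C 1000 -w tcpdump.dmp &`, so tcpdump writes tcpdump.dmp, then tcpdump.dmp1, tcpdump.dmp2, and so on, and it restarts the `tail | tcpdump` reader whenever a higher-numbered file appears.

```shell
#!/bin/sh
# Added example, not from the original comment. Follows HTTP traffic in a
# rotating tcpdump -C capture across rollovers. Assumed layout:
#   tcpdump -s 0 -C 1000 -w tcpdump.dmp &
# producing tcpdump.dmp, tcpdump.dmp1, tcpdump.dmp2, ...

# Print the current rollover file for a base name. The highest numeric
# suffix wins (numeric compare, so ...dmp10 beats ...dmp9); the bare base
# name counts as suffix 0. Returns non-zero if no capture file exists yet.
newest_capture() {
  base=$1
  best=""; bestn=-1
  for f in "$base" "$base"[0-9]*; do
    [ -f "$f" ] || continue
    n=${f#"$base"}                 # numeric suffix; empty for the first file
    [ -z "$n" ] && n=0
    case $n in *[!0-9]*) continue ;; esac   # skip e.g. tcpdump.dmp1.bak
    if [ "$n" -gt "$bestn" ]; then bestn=$n; best=$f; fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
}

# Tail the current file into a decoding tcpdump; poll for a newer rollover
# and, when one appears, stop the reader and restart it on the new file.
follow_http() {
  base=$1
  while :; do
    cur=$(newest_capture "$base") || { sleep 1; continue; }
    tail -f -c +0 "$cur" | tcpdump -r - port 80 &
    pid=$!                         # pid of the decoding tcpdump
    while [ "$(newest_capture "$base")" = "$cur" ]; do sleep 5; done
    kill "$pid" 2>/dev/null        # tail then dies on SIGPIPE
    wait "$pid" 2>/dev/null
  done
}

# Usage: sh follow.sh tcpdump.dmp
if [ "$#" -eq 1 ]; then follow_http "$1"; fi
```

The first file is read in full (`-c +0`), so on each restart you see the new file from its beginning rather than only the packets that arrive after the switch.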
No longer 'sniffing the glue', but much better... (Score:3, Informative)
The other nice function that is not quite that recent, but I think appeared within the past year and a half or so, is the ability to filter a TCP connection, just by right clicking on one frame of the stream, and choosing 'Follow TCP Stream'. This automatically creates a filter based on the source and destination IP and ports, and spawns a new window that contains only the data portions of the stream. It defaults to interpreting data as ASCII, but you can choose EBCDIC, or just look at the hex, and export out to another app that can view the data. Very useful for any apps that use ASCII text to communicate (I've often used it for unencrypted FIX connection troubleshooting).
This and some other very simple features make Ethereal much more powerful for troubleshooting and viewing individual connections than Sniffer Pro, which can cost more than $5000, depending on your configuration. A very simple but effective feature is just the ability to sort columns alphanumerically in the capture window. It's sometimes the easiest way to find where traffic from a certain IP starts...We had training on Sniffer Pro from an NAI guy once, and I asked why Sniffer didn't have this feature...He was like 'what would you use this for?'
That training session was when I discovered that Sniffer Pro is really better suited to looking at a whole network, and performance as a whole...Ethereal is absolutely the best for looking at individual packets, data streams, or connection problems.