Ethereal Packet Sniffing

nazarijo writes "I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter, and I'd be foolish to not use Ethereal. Tcpdump for a quick capture, but I use Ethereal when I need detailed information in a better, more navigable fashion. Because of that, I was pretty interested to see a book on Ethereal coming out." Read on for Jose's review of Ethereal Packet Sniffing from Syngress.
Ethereal Packet Sniffing
author: Angela Orebaugh with Greg Morris and Ed Warnick
pages: 468
publisher: Syngress
rating: 7
reviewer: Jose Nazario
ISBN: 1932266828
summary: Solid coverage of an excellent networking tool. Offers value beyond free documentation, insight available nowhere else, and plenty of handy tips and tricks.

I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with the free docs. While the book comes out favorably for me, I'll start with the things I didn't like.

One of the big things that is missing from this book is any coverage of Ethereal on OS X. Given how many people are migrating to OS X (from UN*X or from Windows), and the coverage of Ethereal on Windows, I would have expected some mention of it. Luckily it's available in both Darwin Ports and the Fink project, but some mention of any of the quirks people may encounter would have been welcome. Amy (from Syngress) tells me that they will have a paper in their Solutions center on Ethereal on OS X, which would be great to see.

Another annoyance with the book is the repeated coverage in some sections of various aspects of Ethereal. One that stands out is the coverage of the additional tools which are installed alongside Ethereal, like Editcap and Text2pcap. They are covered in chapter 2 for a bit and then more completely in chapter 6. Covering these tools only once would have sufficed, but it does let chapter 2 stand on its own. Amy tells me that they do this intentionally, because it makes some chapters stand on their own as "units" for others to use. That makes sense.

A final bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. Ethereal presents a lot of information at once, so help navigating the UI with a static, black-and-white image would have been welcome.

Now, on to the real strengths of the book. Like I said earlier, the book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well: where to place a sniffer to get coverage, what a sniffer can tell you during troubleshooting (and what it cannot), and of course how to get and install Ethereal (on UN*X and Windows).

The next chapter covers exactly what you would expect it to: how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).
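As an added illustration of what the Text2pcap side of that toolset does, here is a small converter that reads a text2pcap-style hex dump and writes a pcap file, plus a reader that checks the result. This is my own code, not from the book or the Ethereal project; the hex dump is constructed, and the file layout it assumes (little-endian pcap 2.4, microsecond timestamps, Ethernet link type, offset 0 starting a new packet) is stated in the comments.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap magic, microsecond timestamps, written little-endian here
LINKTYPE_ETHERNET = 1       # DLT for Ethernet frames
SNAPLEN = 65535
HEX = set("0123456789abcdefABCDEF")

# Constructed hex dump in the layout text2pcap reads: an offset column followed by bytes.
# An offset of 0000 starts a new packet. No ASCII column is present in this sample.
# Packet 1: Ethernet/IPv4/UDP frame to 10.0.0.255 port 53, 42 bytes, checksums left zero.
# Packet 2: the first 16 bytes of an Ethernet/ARP frame.
SAMPLE_DUMP = """\
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00
0010  00 1c 00 01 00 00 40 11 00 00 0a 00 00 05 0a 00
0020  00 ff 04 00 00 35 00 08 00 00
0000  00 11 22 33 44 55 ff ff ff ff ff ff 08 06 00 01
"""


def parse_hexdump(text: str) -> List[bytes]:
    """Split a hex dump into packets; a line whose offset is 0 closes the previous packet."""
    packets: List[bytes] = []
    cur = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            offset = int(parts[0], 16)
        except ValueError:
            continue                      # not a dump line (comment, prompt, etc.)
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for tok in parts[1:]:
            if len(tok) == 2 and set(tok) <= HEX:
                cur.append(int(tok, 16))
            else:
                break                     # trailing ASCII column or comment; strip these before use
    if cur:
        packets.append(bytes(cur))
    return packets


def write_pcap(packets: List[bytes], first_ts: float = 0.0) -> bytes:
    """Serialize packets as a pcap file: 24-byte global header, then a 16-byte record header per packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
    for i, pkt in enumerate(packets):
        ts = first_ts + i * 0.001         # synthetic increasing timestamps, as text2pcap assigns by default
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))   # incl_len == orig_len: nothing truncated
        out += pkt
    return bytes(out)


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Parse a little-endian pcap blob back into (timestamp, frame) pairs, rejecting truncated records."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, _linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    pos, out = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, pos)
        pos += 16
        if incl > snaplen or pos + incl > len(data):
            raise ValueError("truncated or corrupt record")
        out.append((sec + usec / 1_000_000, data[pos:pos + incl]))
        pos += incl
    return out


if __name__ == "__main__":
    frames = parse_hexdump(SAMPLE_DUMP)
    blob = write_pcap(frames)
    for ts, frame in read_pcap(blob):
        print(f"{ts:.6f}  {len(frame):3d} bytes  ethertype 0x{frame[12]:02x}{frame[13]:02x}")
```

The reader refuses records whose length exceeds the declared snaplen or the remaining file, which is the check a pcap consumer needs before trusting lengths from an untrusted capture.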

Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products.

Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.

Chapter 9 will be useful to a small subset of people, but quite useful to them. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.

Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.

The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think.

All in all I would say this is probably worth picking up if you're looking at becoming a network operator or network security junkie. You'll learn a lot about a powerful tool, how to integrate it into your use, and even how to dissect real traces of traffic. I give it a 7 out of 10 for the above weaknesses, but that shouldn't stop you from strongly considering it.


You can purchase Ethereal Packet Sniffing from bn.com.

  • possible? (Score:2, Interesting)

    by WormholeFiend ( 674934 ) on Wednesday April 14, 2004 @02:33PM (#8862372)
    would it be possible to sniff spam packets?

  • Sounds Good (Score:1, Interesting)

    by MrRuslan ( 767128 ) on Wednesday April 14, 2004 @02:35PM (#8862395)
    I use ethereal as a comprehensive intrusion detection system and I wish to learn more about it... seems like this book is a very good start.
  • Question... (Score:5, Interesting)

    by Frennzy ( 730093 ) on Wednesday April 14, 2004 @02:36PM (#8862412) Homepage
    Can we assume that it really focuses more on the ethereal product than analyzing and understanding frames? (In short, is it more for someone who wants to squeeze the most out of ethereal, or does it do remedial to advanced instruction on packet construction, deconstruction, and analysis?)
  • I'd love to but... (Score:5, Interesting)

    by Iscariot_ ( 166362 ) on Wednesday April 14, 2004 @02:36PM (#8862415)
    I'd really love to play around with Ethereal, but I'm running WindowsXP and for some reason it just doesn't go. I've read that this has to do with WinPcap.

    What I want to know is, is there a way to get Ethereal running on XP? Is there an alternative to WinPcap 3.0?
  • Good Book (Score:2, Interesting)

    by i2878 ( 736937 ) on Wednesday April 14, 2004 @02:48PM (#8862552)
    Bought the book last week. Likely nothing you can't find on-line, but I would almost always prefer a hardcopy in my hands when I want a reference manual.

    It seems to be a good intro to Ethereal and packet sniffing - esp. if you've not done much with it before.
  • by crass751 ( 682736 ) on Wednesday April 14, 2004 @02:56PM (#8862632) Homepage
    In the networking class I'm taking this semester, we've been doing exercises using Ethereal to study different protocols and layers of the TCP/IP stack. My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks. It's been a useful learning aid, for me at least. It makes more sense to think about packets and such when you can actually see them and the data they contain.
  • Re:Sounds Good (Score:2, Interesting)

    by MrRuslan ( 767128 ) on Wednesday April 14, 2004 @03:00PM (#8862678)
    LoL not at work... at home on my pc... sometimes I glance at it to see what happens... I run a lot of stuff on my home pc like that for the sake of learning it. I have apache running just to give files to people I know... that's the way I learn a lot of stuff, you know, poking it.
  • Re:Additional note: (Score:1, Interesting)

    by Johnny Doughnuts ( 767951 ) on Wednesday April 14, 2004 @03:15PM (#8862839)
    Something that really gets me about /.

    The fact that someone can post something that would NORMALLY be modded troll, but since they say 'Oh, I've earned for xth troll mod for the day.', they get modded up, whilst other opinions/facts are more deserving of the mod points.
  • by Anonymous Coward on Wednesday April 14, 2004 @03:50PM (#8863162)
    In my company, we wanted to monitor HTTP traffic from our users but we didn't want to put in place a proxy. We went to the solution of sniffing traffic going through our gateway and Ethereal managed to give us some interesting realtime results.
    However, we wanted to log the traffic over many days and to make graphs and statistics from the results. And this is where Ethereal falls short and shows up the weak point of many tools coming from the Unix world: how can we interface and use the power of Ethereal from another program easily? We are a company and we did not want to spend days and days looking at the source code. On the contrary, in the Windows world, we don't have the source code of Word, Excel, Internet Explorer, nor Exchange, but we can check spelling, create graphics, and send tasks and notes with only a few lines of VB code.

    The only solution we found to use Ethereal from another program was: to ask tethereal (the command line tool) to output results in XML-like (!) format (PDML), to process the output using an XML parser and to put all this stuff in a .Net component. Finally, this .Net component exposed all the high level methods we expected from Ethereal: "analyse http traffic" and "notify us when you find new packets". And at the end... we used this component to generate Excel reports!

    Ok, interfacing ethereal with XML works well and took only a few hours to implement, but I let you imagine how much CPU this solution uses! Fortunately we process *only* HTTP traffic over a *slow* 1Mb/s line. We could not use this approach to monitor for instance tcp traffic over a 10Mb/s line...
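The PDML approach the comment above describes, as an added example that is not part of the original post and not code from the Ethereal project: a streaming parser over tethereal-style PDML that pulls out the per-packet HTTP request and response fields and counts requests per host. The PDML sample is constructed (three packets, not real capture output); the element and attribute names follow the PDML convention of `<packet>` containing `<proto>` and nested `<field name="..." show="...">` elements, and the parser walks the whole subtree because real output nests fields several levels deep.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from io import BytesIO
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed PDML sample standing in for `tethereal -T pdml` output; not real capture data.
SAMPLE_PDML = b"""<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="ip" showname="Internet Protocol" size="20" pos="14">
    <field name="ip.src" showname="Source: 10.0.0.5" size="4" pos="26" show="10.0.0.5"/>
    <field name="ip.dst" showname="Destination: 192.0.2.10" size="4" pos="30" show="192.0.2.10"/>
  </proto>
  <proto name="http" showname="Hypertext Transfer Protocol" size="60" pos="54">
    <field name="http.request.line" showname="GET /index.html HTTP/1.1" size="26" pos="54" show="GET /index.html HTTP/1.1">
      <field name="http.request.method" showname="Request Method: GET" size="3" pos="54" show="GET"/>
      <field name="http.request.uri" showname="Request URI: /index.html" size="11" pos="58" show="/index.html"/>
    </field>
    <field name="http.host" showname="Host: example.com" size="19" pos="80" show="example.com"/>
  </proto>
</packet>
<packet>
  <proto name="ip" showname="Internet Protocol" size="20" pos="14">
    <field name="ip.src" showname="Source: 10.0.0.7" size="4" pos="26" show="10.0.0.7"/>
    <field name="ip.dst" showname="Destination: 192.0.2.20" size="4" pos="30" show="192.0.2.20"/>
  </proto>
  <proto name="http" showname="Hypertext Transfer Protocol" size="40" pos="54">
    <field name="http.request.method" showname="Request Method: POST" size="4" pos="54" show="POST"/>
    <field name="http.request.uri" showname="Request URI: /login" size="6" pos="59" show="/login"/>
    <field name="http.host" showname="Host: example.org" size="19" pos="75" show="example.org"/>
  </proto>
</packet>
<packet>
  <proto name="ip" showname="Internet Protocol" size="20" pos="14">
    <field name="ip.src" showname="Source: 192.0.2.10" size="4" pos="26" show="192.0.2.10"/>
    <field name="ip.dst" showname="Destination: 10.0.0.5" size="4" pos="30" show="10.0.0.5"/>
  </proto>
  <proto name="http" showname="Hypertext Transfer Protocol" size="30" pos="54">
    <field name="http.response.code" showname="Status Code: 200" size="3" pos="63" show="200"/>
  </proto>
</packet>
</pdml>
"""


def iter_http_records(stream) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one record per HTTP packet, streaming with iterparse and discarding each <packet> once read
    so memory stays flat on a long-running capture (the CPU cost of XML itself remains)."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "packet":
            continue
        fields: Dict[str, str] = {}
        for f in elem.iter("field"):                 # depth-first over nested fields
            name = f.get("name")
            if name and name not in fields:          # first occurrence wins
                fields[name] = f.get("show", "")
        if any(k.startswith("http.") for k in fields):
            yield {
                "src": fields.get("ip.src", ""),
                "dst": fields.get("ip.dst", ""),
                "method": fields.get("http.request.method"),
                "host": fields.get("http.host"),
                "uri": fields.get("http.request.uri"),
                "status": fields.get("http.response.code"),
            }
        elem.clear()


def requests_per_host(stream) -> Counter:
    """Count HTTP requests by Host header, falling back to the destination IP; responses are skipped."""
    counts: Counter = Counter()
    for rec in iter_http_records(stream):
        if rec["method"]:
            counts[rec["host"] or rec["dst"]] += 1
    return counts


def analyse(pdml_bytes: bytes) -> Tuple[List[Dict[str, Optional[str]]], Counter]:
    """Run both passes over an in-memory PDML document (a file object would be used on real output)."""
    return list(iter_http_records(BytesIO(pdml_bytes))), requests_per_host(BytesIO(pdml_bytes))


if __name__ == "__main__":
    records, per_host = analyse(SAMPLE_PDML)
    for r in records:
        print(r)
    print(per_host)
```

Only the `show` attribute is consumed, so a hostile Host header ends up as an opaque string in the counter; anything that later feeds these values into a report or a spreadsheet formula should treat them as untrusted input.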

  • by zgornz ( 318679 ) on Wednesday April 14, 2004 @03:57PM (#8863221)
    Switches are sniffable too. It just takes more work. Read about arpspoof, part of the dsniff package, you can trick a switch into sending you data rather than a client or even the gateway, then you forward it along to where it really belongs.

    This even works on cable modems, but you can only sniff downstream packets, not upstream.
  • Richard Stevens... (Score:2, Interesting)

    by Mirko.S ( 696666 ) on Wednesday April 14, 2004 @05:59PM (#8863803)
    Hi,

    I'm currently reading TCP/IP Illustrated Vol.1 (somewhere above Chap. 19) and have begun with Vol.2 a few days ago... (implementation of IP in FreeBSD, heavy stuff... :))

    Well... if you have read Vol.1 you should not have further questions about a tcpdump or an ethereal or "raw packet binary dump" output.

    Stevens explains all fields in the headers and what the possible options/flags are and what they do. Also he explains how connections are established and closed and data are delivered. He also gives a short introduction to many protocols like dns, tftp, bootp etc. and a lot more...

    They are a little bit expensive (around 60 - 70 euro per book) but those books are full of information, no unneeded information or overhead, and worth buying (at least Vol.1 when you are interested in IP).

    all in one... he explains the internet :)

  • by ted_nugent ( 226799 ) on Thursday April 15, 2004 @12:02AM (#8866035) Homepage Journal
    Sounds great until you realize that Syngress has never published a revision to any of their existing titles.

    Disclaimer: Of course, I could be totally wrong on this, since it's based on my own casual observation rather than a publishing schedule.