
Ethereal Packet Sniffing

Posted by timothy
from the sniffle dept.
nazarijo writes "I look at packets for a living. I generate them, I capture them and dissect them, and I try to make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter, and I'd be foolish not to use Ethereal. Tcpdump is fine for a quick capture, but I use Ethereal when I need detailed information in a better, more navigable fashion. Because of that, I was pretty interested to see a book on Ethereal coming out." Read on for Jose's review of Ethereal Packet Sniffing from Syngress.
Ethereal Packet Sniffing
Author: Angela Orebaugh with Greg Morris and Ed Warnick
Pages: 468
Publisher: Syngress
Rating: 7
Reviewer: Jose Nazario
ISBN: 1932266828
Summary: Solid coverage of an excellent networking tool. Offers value beyond free documentation, insight available nowhere else, and plenty of handy tips and tricks.

I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me for any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with the free docs. While the book comes out favorably for me, I'll start with the things I didn't like.

One of the big things that is missing from this book is any coverage of Ethereal on OS X. Given how many people are migrating to OS X (from UN*X or from Windows), and the coverage of Ethereal on Windows, I would have expected some mention of it. Luckily it's available in both Darwin Ports and the Fink project, but some mention of any of the quirks people may encounter would have been welcome. Amy (from Syngress) tells me that they will have a paper in their Solutions center on Ethereal on OS X, which would be great to see.

Another annoyance with the book is the repeated coverage in some sections of various aspects of Ethereal. One that stands out is the coverage of the additional tools which are installed alongside Ethereal, like Editcap and Text2pcap. They are covered in chapter 2 for a bit and then more completely in chapter 6. Covering these tools only once would have sufficed, but it does let chapter 2 stand on its own. Amy tells me that they do this intentionally, because it makes some chapters stand on their own as "units" for others to use. That makes sense.

A final bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. Ethereal dumps a lot of information on screen, so helping people navigate the UI with a static, black-and-white image would have been welcome.

Now, on to the real strengths of the book. Like I said earlier, the book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well: how to place a sniffer to get coverage, what a sniffer can tell you during troubleshooting (and what it can't), and of course how to get and install Ethereal (on UN*X and Windows).

The next chapter covers exactly what you would expect it to, how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).

Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products.

Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.

Chapter 9 will matter only to a small subset of people, but to them it will be quite useful. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.

Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.

The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think.

All in all I would say this is probably worth picking up if you're looking at becoming a network operator or network security junkie. You'll learn a lot about a powerful tool, how to integrate it into your use, and even how to dissect real traces of traffic. I give it a 7 out of 10 for the above weaknesses, but that shouldn't stop you from strongly considering it.


You can purchase Ethereal Packet Sniffing from bn.com.

  • by Anonymous Coward on Wednesday April 14, 2004 @02:30PM (#8862347)
    I purchased this book using credit card information I picked up using Ethereal.
    • Ah HA! Now, I can blame that $543.21 porn bill on you!
      I'm off the hook with my girlfriend! Pfew!
    • Well, I'm sure you had to use a little technical hacking skills and social engineering to get the information though, as Ethereal the program does not send back credit card info. ;)

      I understand truthfully though, as I can name a certain someone who has done something of that sort in the past before...
  • by jxs2151 (554138) on Wednesday April 14, 2004 @02:32PM (#8862358) Homepage
    Can only understand about half of what it does though. Maybe I'll buy the book.
  • possible? (Score:2, Interesting)

    by WormholeFiend (674934)
    would it be possible to sniff spam packets?

    • by dubdays (410710)
      Why? They already smell like crap.
    • by SquadBoy (167263)
No, spam packets are unlike other packets. They are marked with the "spam bit" and this means that sniffers will not capture them or display them.
    • by billstewart (78916) on Wednesday April 14, 2004 @03:22PM (#8862893) Journal
      Spam doesn't arrive in packets - it arrives in SMTP sessions, packaged in TCP flows, packaged in IP packets. That means that you don't have a whole spam session in any given IP packet, so it's much harder to detect spamminess from sampling IP packets than from sampling at the SMTP handler. For most people, all the incoming SMTP is handled at one place - one of your home machines if you're at home, or one of your servers (or clusters of servers) if you're a mailbox provider or a business.

      If you're an ISP or hosting center that has customers that you're only providing with IP services, not email services, you _could_ sniff packets and send RSETs to kill sessions that look like spam, but you'd be doing it with less information than your customers, and you would probably end up killing off lots of useful mail, such as the message they're sending to abuse@example.net telling them how to find the spammer that just sent them this message. Usually a bad idea.

  • Already out of date (Score:5, Informative)

    by Anonymous Coward on Wednesday April 14, 2004 @02:34PM (#8862382)
    While this is an interesting book, its problem is that it is already out of date. It seems that it was written at a time when the user interface was undergoing lots of churn.

    For example, on page 47, figure 2.1 is out of date, as the menu items have changed and the toolbar now has more items.

    On Page 146 and 147 the authors attempted to deal with changes in the GUI, and show us what the new print dialog box will look like, however, that version is also out of date.

    On Page 153, Figure 4.19 is out of date. On Page 155, Figure 4.21 no longer exists. Page 156, Figure 4.22 is out of date. Page 162, Figure 4.31 is out of date, and so on.

    Further on, Page 180, Figures 4.49 and 4.50 are also out of date, and it would have been nicer to show some real-life examples of problems one can spot with the Time Sequence Graphs and some explanation of how socket layer stuff relates to what you might see on the wire.

    So, I am not sure this book is worth buying. Perhaps wait for the update.
  • Sounds Good (Score:1, Interesting)

    by MrRuslan (767128)
I use Ethereal as a comprehensive intrusion detection system and I wish to learn more about it...seems like this book is a very good start.
  • by Dr. Bent (533421) <ben&int,com> on Wednesday April 14, 2004 @02:36PM (#8862406) Homepage
    I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.

    So what's it like working for the N.S.A.? Do they have a decent benefits package?
    • I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.

      So what's it like working for the N.S.A.? Do they have a decent benefits package?


      More importantly, do you feel your job security is at stake due to recent purchases [slashdot.org] made by the government?
    • Missing line that fills in the details, deleted for length reasons:

      I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.... ... and they turn into boobies and peepee bums on my screen when I've done it right. And if my mom finds out I'm dead meat, which is why I also like crypto.

      By this measure, I look at packets for a living too... well, I don't get paid for it, but it takes more time than my day job at Twinkles Bar and
  • Question... (Score:5, Interesting)

    by Frennzy (730093) on Wednesday April 14, 2004 @02:36PM (#8862412) Homepage
Can we assume that it really focuses more on the Ethereal product than on analyzing and understanding frames? (In short, is it more for someone who wants to squeeze the most out of Ethereal, or does it do remedial to advanced instruction on packet construction, deconstruction, and analysis?)
  • I'd love to but... (Score:5, Interesting)

    by Iscariot_ (166362) on Wednesday April 14, 2004 @02:36PM (#8862415)
    I'd really love to play around with Ethereal, but I'm running WindowsXP and for some reason it just doesn't go. I've read that this has to do with WinPcap.

    What I want to know is, is there a way to get Ethereal running on XP? Is there an alternative to WinPcap 3.0?
  • I would like to see an integration of Ethereal with google's locator service, or one of those ip to geographical coordinate services. It could bring up a map of the world, and where people are coming from to get to you. Finally, I could project that map on the wall, and be just like in DEFCON 5 the movie! HA HA HA!
  • Good Book (Score:2, Interesting)

    by i2878 (736937)
    Bought the book last week. Likely nothing you can't find on-line, but I would almost always prefer a hardcopy in my hands when I want a reference manual.

It seems to be a good intro to Ethereal and packet sniffing - esp. if you've not done much with it before.
  • OS X & Ethereal (Score:3, Insightful)

    by grocer (718489) on Wednesday April 14, 2004 @02:48PM (#8862553)
Ethereal requires X Windows to run on OS X...which means some form of a rootless install or the defunct Apple XFree86 Beta in Jaguar (10.2.x).

Panther (10.3.x) has X Windows integrated, although I haven't bought it yet...(so I don't know how well it works or if all the build issues are sorted out of Fink...although Fink is supposed to work now)

    10.1.x, I have no clue, but it's different than 10.2.x (probably have to install some third variant of X via Fink)

Ethereal on OS X does rock, especially with KisMac, but there are three or four possible scenarios for install...probably why the book doesn't cover it...
Panther (10.3.x) has X Windows integrated, although I haven't bought it yet...(so I don't know how well it works or if all the build issues are sorted out of Fink...although Fink is supposed to work now)

      Note that while X is "integrated" you need to specifically install it from Install Disk 3. Also, you will need to do a custom install from the XCode disk to get the X11SDK.

There are some real annoyances in getting fink to accept that you are using Apple's distribution of X. I'm still not confiden

There are some real annoyances in getting fink to accept that you are using Apple's distribution of X.

        You just have to install system-xfree86 [sourceforge.net] via Fink first. You shouldn't have any problems after that.
  • I mean, I know it's a special OS and everything (posted from Camino).

But, whenever I use Ethereal on OS X, I just download the latest source.

    ./configure
    make
    make install

    Then, launch X, and run ethereal.

    So, there you go. There's your chapter on using Ethereal in OS X.
    Happy to help!
  • Too late (Score:3, Funny)

    by KalvinB (205500) on Wednesday April 14, 2004 @02:50PM (#8862576) Homepage
I used Ethereal back when I was playing with Try2Hack and discovered what information was being sent for The Kill Everyone Project [homokaasu.org]. I then fired up my custom "hacker" program and proceeded to destroy the world approximately five times per packet.

After crashing the high score page from an integer overflow caused by my ridiculously high score, I decided that maybe I should stop.

    So after beating the internet, what purpose does a book on Ethereal serve?

    What would actually be handy is a browser that you can tell to "step" through message transmissions. The owner of the "Kill Everyone Project" challenged me to hack his other games after I e-mailed him to explain what I did and how he could fix it. The only reason I couldn't do it was because after some cookie passing with my program I couldn't quite get the SWF file with the session ID. With a real browser with "step" it would be possible to let it load up the game session like normal but then set it to "step" mode and be able to edit packets before they go to the server.

    I don't imagine it would be too terribly difficult to add such a feature to Mozilla. It would be nice to have a text window that shows what data is actually being sent up to the server with the option to have to manually okay each packet so you could edit out any info you'd rather the server didn't have.

    Like when certain Javascript pages try to grab system information.

    Ben
  • by DR SoB (749180) on Wednesday April 14, 2004 @02:50PM (#8862579) Journal
    Here we go with the n00b questions.. ie. Can it sniff spam packets? Answer: No, spam packets are so mysterious and powerful, no available NIC is capable of passing them to a sniffer program.

Please people, leave SNIFFING to the professionals!

  • Ethereal Rocks (Score:3, Informative)

    by Doug Dante (22218) on Wednesday April 14, 2004 @02:52PM (#8862600)
* Always shows gracefully parsed packets, even on tagged vlans
    * Follows TCP Stream so you can view and analyze XML transactions generated by JavaScript scripts.
    * Completely supports almost all protocols e.g. Knows RADIUS options.
    * Can use it to examine HTML headers, redirects, and what goofy web pages are doing behind the scenes.
    * Works on Windows, Linux, and Mac OS-X (although I never use the last)
  • Get your own Carnivore device...
    http://www.systemrecycler.com/shomiti/ [systemrecycler.com]
  • by crass751 (682736) on Wednesday April 14, 2004 @02:56PM (#8862632) Homepage
In the networking class I'm taking this semester, we've been doing exercises using Ethereal to study different protocols and layers of the TCP/IP stack. My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks. It's been a useful learning aid, for me at least. It makes more sense to think about packets and such when you can actually see them and the data they contain.
    • by dr_dank (472072) on Wednesday April 14, 2004 @03:08PM (#8862764) Homepage Journal
      My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks

Is this Prof on crack that he/she doesn't think that any of their students is going to try sniffing their neighbors' packets on the dorm network? Hell, that's the first thing I'd do!
      • Odds are, they won't see much. Just *try* to buy a hub (not a switch!) with more than 4 ports these days. It's a PITA if you actually do want to use ethereal to sniff outside traffic.
        • Switches are sniffable too. It just takes more work. Read about arpspoof, part of the dsniff package, you can trick a switch into sending you data rather than a client or even the gateway, then you forward it along to where it really belongs.

          This even works on cable modems, but you can only sniff downstream packets, not upstream.
Actually, I'm an alumnus of this particular school. The network is switched and you wouldn't get anywhere sniffing the neighbors' packets. Unless you were living in an apartment on campus and used a hub to split up the one ethernet connection running to the bedrooms, then you could sniff your roommates' packets.
    • My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks.

      Bah...running traces on live networks is MUCH more fun (albeit for legitimate purposes). Tethereal and grep are an interesting combination as well.
  • by macgyvr64 (678752)
    Are there any good introductions to Ethereal on the web? I've looked a little with Google, but turned up nothing great. I may buy this book, but I'm not sure I want to spend $35 on something I may or may not use.
  • ... I really wish there was a .pkg installer for OS X.

    ~jeff
    • if you're even remotely a *nix user in os x, you should already have fink [sf.net] and darwinports [opendarwin.org] already installed. it's a simple port install ethereal and you're done.
    • I wouldn't call it laziness.

      strlen( "port install ethereal")*
      strlen( "I know I'm being lazy but... ... I really wish there was a .pkg installer for OS X.")

      *(Pre-requisite)
      % cd ~/
      % cvs -d :pserver:anonymous@anoncvs.opendarwin.org:/Volumes/src/cvs/od login
      % cvs -d :pserver:anonymous@anoncvs.opendarwin.org:/Volumes/src/cvs/od co -P darwinports

  • I like that product best with its graphs and traffic maps.
    Although it would be nice to have some more sophisticated software in tune with hardware like routers and switches.

    Development on these types of software seems to have gone stagnant.

    You'd think with all the crap on the net, there would be some really good tools.
  • by Cruciform (42896) on Wednesday April 14, 2004 @03:10PM (#8862791) Homepage
    Ever mention 'packet sniffing' in a public place?

    Suddenly people across the room are hanging on your every word, until they realize you didn't say "panty sniffing" and they can't get vicarious thrills/outrage from the perverted geeks in the corner.
  • Flameon (Score:3, Funny)

    by g0bshiTe (596213) on Wednesday April 14, 2004 @03:20PM (#8862878)
    Not to mention the 13 root exploits for Ethereal.
  • "I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter"

    Aha! a real live Tea farmer!
  • by Anonymous Coward
    In my company, we wanted to monitor HTTP traffic from our users but we didn't want to put in place a proxy. We went to the solution of sniffing traffic going through our gateway and Ethereal managed to give us some interesting realtime results.
However, we wanted to log the traffic over many days and to make graphs and statistics from the results. And this is where Ethereal falls short and shows up the weak point of many tools coming from the Unix world: how can we interface and use the power of Ethereal from
    • I would be nervous to make such a blanket statement about a free (beta) tool. Also, you may want to consider other options since it sounds like you're trying to do live network monitoring and reporting, which is barely within the scope of what Ethereal was written for.

      Have you taken a look at Nagios, for example? ( www.nagios.org )

      I have a feeling that your tone of voice won't be received well here, despite all the work you've done to get Ethereal to work in your environment. Good luck to you.
    • Ethereal is primarily meant as an interactive tool, I guess, which makes it not perfect for your purpose.
      A few other options for you:
1) Simplest option with focus on http: Put in squid as a transparent proxy. No need to set up anything on the client, just put the squid server in front of your gateway and tell it to route port 80 through squid. Lots of tools exist to analyze squid log files. My preference is awstats, because it suits my needs.
      2) Use tcpdump, writing to a file. You can use -C to specify files
It has a big learning curve; other than that, the tool is very handy.
  • There is a free packet scan nlm file that you can run on Novell NetWare. The file dumps can be read with Ethereal.
    Guidelines to Take a Packet Trace [novell.com]
    Packetscan - NetWare packet capture tool [novell.com]
    How to use Ethereal to capture a packet trace [novell.com]
    How to configure a capture filter for Ethereal [novell.com]
  • Richard Stevens... (Score:2, Interesting)

    by Mirko.S (696666)
    Hi,

I'm currently reading TCP/IP Illustrated Vol.1 (somewhere above Chap. 19) and have begun with Vol.2 a few days ago... (implementation of IP in FreeBSD, heavy stuff... :))

    Well... if you have read Vol.1 you should not have further questions to a tcpdump or an ethereal or "raw packet binary dump" output.

Stevens explains all fields in the headers and what the possible options/flags are and what they do. Also he explains how connections are established and closed and how data is delivered. He also gives a short instr

  • by quantaq (643138) on Wednesday April 14, 2004 @06:16PM (#8863988)
Yes, but what are the material components? Area of effect? Your review of this "Ethereal Packet Sniffing" leaves me wanting.

    Why oh why did I have to play so much D&D in high school...
  • Sorry, but is Ethereal a complex enough program to inspire a book? Sendmail, yes, but Ethereal? I figured it out within 5 minutes. Can someone enlighten me here on what I'm missing?

    LS
  • by mnemotronic (586021) <[ten.epacsten] [ta] [cinortomenm]> on Wednesday April 14, 2004 @07:47PM (#8864881) Homepage Journal
    It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
    • nmap [insecure.org] for basic port sniffing.
    • nessus [nessus.org] for more extensive security sweeping.
    • ethereal [ethereal.com] for packet capture & analysis.
    • snort [snort.org] for intrusion detection.
    • magnum marine [remington.com] for spammer management (I feel a mod-down comin on!)
    (Apologies if I've left your favorite tool out of this list)

I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).

  • Unfortunately, Ethereal's motto has changed from the oh-so-sweet 'Sniffing the glue that holds the Internet together' [kefk.net] But, it gets better almost monthly...The latest feature that I immediately noticed is the syntax checker on the filter box. To create filters in Ethereal, you type some simple boolean type commands, that can become very specific and complicated. (Filter by specific IP or protocol or port, for example) The box where you type them in (if you don't use the wizard, which is kind of clunky) is red, until you type in a filter with correct syntax. Then, it turns green. This happens as you type...Very nice.

    The other nice function that is not quite that recent, but I think appeared within the past year and a half or so, is the ability to filter a TCP connection, just by right clicking on one frame of the stream, and choosing 'Follow TCP Stream'. This automatically creates a filter based on the source and destination IP and ports, and spawns a new window that contains only the data portions of the stream. It defaults to interpreting data as ASCII, but you can choose EBCDIC, or just look at the HEX, and export out to another app that can view the data. Very useful for any apps that use ASCII text to communicate (I've often used for un-encrypted FIX connection troubleshooting)

This and some other very simple features make Ethereal much more powerful for troubleshooting and viewing individual connections than Sniffer Pro, which can cost more than $5000, depending on your configuration. A very simple but effective feature is just the ability to sort columns alphanumerically in the capture window. It's sometimes the easiest way to find where traffic from a certain IP starts...We had training on Sniffer Pro from an NAI guy once, and I asked why Sniffer didn't have this feature...He was like 'what would you use this for?'

    That training session was when I discovered that Sniffer Pro is really better suited to looking at a whole network, and performance as a whole...Ethereal is absolutely the best for looking at individual packets, data streams, or connection problems.
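As an added example that is not part of the original page or of Ethereal's own source, the Python below mimics what Follow TCP Stream does in the post above (the display filter built from one frame's two endpoints, then each direction's payload reassembled in sequence order) and also illustrates billstewart's point earlier in the thread: the constructed SMTP session splits "RCPT TO" across two IP packets, so a per-packet match misses it while the reassembled stream shows it. The hosts, ports, the retransmitted and missing segments, and the "[n bytes missing]" marker are all constructed for this example.

```python
"""Mini 'Follow TCP Stream' over a constructed capture (example code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    """The fields Follow TCP Stream needs from one captured TCP segment."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # relative sequence number of the first payload byte
    payload: bytes


def follow_filter(seg: Segment) -> str:
    """Display filter derived from the right-clicked frame: both endpoints, both directions."""
    return (f"(ip.addr eq {seg.src} and ip.addr eq {seg.dst}) and "
            f"(tcp.port eq {seg.sport} and tcp.port eq {seg.dport})")


def _endpoints(seg: Segment) -> frozenset:
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


def _reassemble(segs: List[Segment]) -> bytes:
    """Stitch one direction together in seq order: drop retransmitted bytes,
    and mark holes (constructed marker) so a partial capture is not silently misread."""
    out = bytearray()
    expected = None
    for s in sorted(segs, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:                       # hole: a segment was never captured
            out += b"[%d bytes missing]" % (s.seq - expected)
            expected = s.seq
        fresh = s.payload[expected - s.seq:]       # skip bytes already seen (retransmission)
        out += fresh
        expected += len(fresh)
    return bytes(out)


def follow_stream(capture: Iterable[Segment], anchor: Segment) -> Dict[str, bytes]:
    """Select the anchor's conversation from the capture and return both directions."""
    conv = [s for s in capture if _endpoints(s) == _endpoints(anchor)]
    fwd = [s for s in conv if (s.src, s.sport) == (anchor.src, anchor.sport)]
    rev = [s for s in conv if (s.src, s.sport) != (anchor.src, anchor.sport)]
    return {
        f"{anchor.src}:{anchor.sport} -> {anchor.dst}:{anchor.dport}": _reassemble(fwd),
        f"{anchor.dst}:{anchor.dport} -> {anchor.src}:{anchor.sport}": _reassemble(rev),
    }


def seen_in_any_segment(capture: Iterable[Segment], needle: bytes) -> bool:
    """The per-packet view: does any single segment contain the string?"""
    return any(needle in s.payload for s in capture)


# Constructed capture: one SMTP session (client 10.0.0.5 -> server 192.0.2.10),
# delivered out of order, with one retransmission and one server segment lost,
# plus an unrelated HTTP request that the filter must exclude.
C, S = ("10.0.0.5", 40000), ("192.0.2.10", 25)
CLIENT_HELLO = Segment(*C, *S, 0, b"EHLO client.example\r\n")
CAPTURE = [
    Segment(*S, *C, 0, b"220 mail.example.org ESMTP\r\n"),
    CLIENT_HELLO,
    Segment(*S, *C, 28, b"250 OK\r\n"),
    Segment(*C, *S, 50, b"PT TO:<b@example.org>\r\n"),          # arrives before seq 21
    Segment(*C, *S, 21, b"MAIL FROM:<a@example.net>\r\nRC"),   # "RCPT TO" split here
    Segment(*C, *S, 21, b"MAIL FROM:<a@example.net>\r\nRC"),   # retransmission
    Segment("10.0.0.5", 40001, "198.51.100.7", 80, 0, b"GET / HTTP/1.0\r\n\r\n"),
    Segment(*S, *C, 44, b"250 OK\r\n"),                         # seq 36..43 never captured
]

if __name__ == "__main__":
    print(follow_filter(CLIENT_HELLO))
    for direction, data in follow_stream(CAPTURE, CLIENT_HELLO).items():
        print(direction, data)
    print("per-packet match for RCPT TO:", seen_in_any_segment(CAPTURE, b"RCPT TO"))
```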

  • I dont read books
