14 DAY TRIAL // Network protocol analyzers, also known as packet sniffers, are programs that capture network traffic. They are very useful for network administrators, software developers or for people who want to know how network protocols work. As data travels back and forth over the network, the sniffer captures packets and eventually decodes, analyzes and displays them.
Ethereal is one of the best protocol analyzers available. You can compile the source code or install from a precompiled package. Ethereal doesn't have its own code to capture packets; it uses libcap or WinPCap for this task, so it can only capture on networks supported by these libraries.
The Interface
Ethereal has a simple and easy to use interface. The main window is divided in three panes that show the user a great deal of information. The panes appear only if you have captured data to display. The first pane shown gives a summary of each captured packet, displaying the packet number, its source and destination addresses, the type of the upper layer protocol contained in the packet, and some additional information about the packet. By clicking on packets in this pane you control what is displayed in the other two. The second pane gives detailed information about a selected packet; it shows the headers of all the protocols contained in it. For example, if you have captured an HTTP packet, you will be shown the Ethernet, IP, TCP and HTTP headers. The third pane displays the actual bytes that form the packet in a hex dump style. The left side shows the offset in the packet data, in the middle the bytes are shown in hexadecimal and on the right the data is shown in the ASCII format. If a value is not a valid ASCII code it will be represented by a dot. You can tell Ethereal to colorize the captured packet list to help you better see the packets.
Capturing data
Ethereal understands many protocols from RIP, OSPF to STP and Token Ring. You will certainly find all the protocols you want. You can capture packets only intended for you or you can capture packets in promiscuous mode. For example, if you are connected to a hub you will see all the traffic that the hub handles because hubs are made to transmit a packet on all ports regardless of what the destination is. If you are connected to a switch you will see only broadcast packets and packets that have you as their destination. Switches are smarter then hubs because they use the destination MAC address contained in the packet to make forwarding decisions.
First of all you need to have root privileges to start a live capture (remember that!). To capture packets use the Ctrl+K shortcut or select Start from the Capture menu. The Capture options window will appear. Here you can set a few things. First you must choose the NIC (network interface card) you want to use for capturing packets.
One very useful feature of Ethereal is the fact that you can use filters. When capturing network data with Ethereal, you will probably want to filter out some packets and concentrate on the packets that are of interest to you. You can create one or more filters and you can save them, but you can only apply one filter at a time to a capture. For example you can create a filter to capture only ARP or UDP packets. Ethereal also uses display filters, to sort through captured packets, but these filters do not alter the saved traffic.
If you want to analyze the data later, you can save the capture to a file. You can read in a previously saved capture file by selecting Open from the File menu. If you have captured simultaneously from multiple interfaces at once using multiple instances of Ethereal, you can merge several capture files into one.
Statistics
The statistical tools are available from the Statistics menu. There are some really useful tools. If you want to see a summary of the captured packets, Ethereal provides a summary that includes, among others, the length of the capture, elapsed time between packets and average bytes per second. Ethereal can even generate throughput graphs and has the capability to follow a TCP stream. It creates a readable representation of a conversation contained in your packet capture. There are many more options here, but you will get used to them after a few packet captures.
The Good
Ethereal can recognize all the protocols you might think of and has an easy to use interface. The possibility to create filters and the statistical tools are also a big plus.
The Bad
Nothing bad here. Ethereal works fine and has great functionality. It's one of my favorites.
The Truth
If you want a software tool to use for network troubleshooting or education, use Ethereal. It's one of the best packet sniffers around.
