Packet Capture Using Ethereal

Definition for Sniffer:
• A program and/or device that monitors data
traveling over a network. Sniffers can be used
both for legitimate network management functions
and for stealing information off a network.
Unauthorized sniffers can be extremely dangerous
to a network's security because they are virtually
impossible to detect and can be inserted almost
anywhere. This makes them a favorite weapon in
the hacker's arsenal.
• On TCP/IP networks, where they sniff packets,
they're often called packet sniffers.
Why Packet Capture?
• Troubleshooting! For most computer users,
the only way we can tell what the network
is doing is by watching the performance of
our workstation. If it takes a long time to
retrieve a file from the server, we say the
network is “slow”. For network analysts
that’s just the first step on the road to
analyzing a reported problem.
Why Packet Capture?
• We use a variety of tools to do this analysis,
including SNMP and RMON, but before
these were available packet capture
software was used.
What is Packet Capture?
• Packet Capture software reads all packets
that fly by on the network, whether they are
addressed for our workstation or not. It
then decodes the binary data into the
appropriate fields of each frame and
interprets what each is doing. By
understanding how a protocol is supposed
to work you can look at what you capture
and tell what’s going on with your network.
Network General
• A company called Network General
developed a hardware/software combination
called the Sniffer. It was expensive
software on an expensive portable
computer, and you couldn’t buy them
separately. The company has since been
sold a couple of times and now is owned by
Network Associates.
Network General
• Network Associates promptly changed the sales
model to a license arrangement and allowed the
software to be sold separately. The software starts
at about $5k per year (2003). It captures frames
and packets, then uses an expert systems program
to analyze the data and suggest the source of
problems. PC Magazine considers the Sniffer Pro
LAN the best high-end packet capture software
available.
Packet Capture Tools
• PC Magazine wrote a series of articles
reviewing packet capture tools, and it’s
available at
http://www.pcmag.com/article2/0,4149,89013,00.asp
Packet Capture Tools
• Some other brands are listed on the above page,
including:
• EtherPeek (About $1000)
• LANwatch32
• Netboy
• Observer
• Sniffer Basic
• Optiview Integrated Network Analyzer
• Surveyor 3.2
Ethereal
• We are going to use Ethereal, because it’s free!
You can find it at http://www.ethereal.com/
• Ethereal is a free network protocol analyzer for
Unix and Windows. It allows you to examine data
from a live network or from a capture file on disk.
You can interactively browse the capture data,
viewing summary and detail information for each
packet. Ethereal has several powerful features,
including a rich display filter language and the
ability to view the reconstructed stream of a TCP
session.
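The three ideas from the "What is Packet Capture?" slide and the Ethereal description above (decoding binary frames into fields, a display filter language, and reconstructing a TCP session's stream), as an added worked example that is not part of the original lecture and is not Ethereal's code. It constructs a handful of raw Ethernet/IPv4/TCP frames in memory (sample data; IP and TCP checksums are left at zero), decodes them with Python's struct module, evaluates one-clause filters written in the style of Ethereal's display filter syntax (ip.addr, tcp.port and a few others; the mini filter supports only the fields in FIELDS and only ==), and rebuilds one direction of a TCP session from segments that arrive out of order, with one retransmission. All hosts, MAC addresses, ports and payloads are constructed.

```python
"""Added example: decode raw frames into fields, filter them, and rebuild a TCP stream."""
import struct
from dataclasses import dataclass

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
FLAG_NAMES = [("SYN", TCP_SYN), ("ACK", TCP_ACK), ("PSH", TCP_PSH), ("FIN", TCP_FIN)]


@dataclass
class Frame:
    """The decoded fields an analyzer's detail pane shows for one Ethernet/IPv4/TCP frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    flags: int
    payload: bytes


def build_frame(src_ip, dst_ip, sport, dport, seq, flags, payload=b""):
    """Construct a raw frame for the sample capture (constructed data; checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    dst_mac, src_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(raw: bytes) -> Frame:
    """Split the binary frame into Ethernet, IPv4 and TCP fields using the protocol layouts."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ip[9] != IPPROTO_TCP:
        raise ValueError("only IPv4/TCP frames are decoded in this example")
    tcp = ip[ihl:total_len]              # IP total length bounds the payload; Ethernet padding is ignored
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4     # TCP header length in bytes, options included
    return Frame(_mac(src_mac), _mac(dst_mac),
                 ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                 sport, dport, seq, off_flags & 0x1FF, tcp[data_off:])


def summary(f: Frame) -> str:
    """One-line packet-list summary, like the analyzer's top pane."""
    names = ",".join(n for n, bit in FLAG_NAMES if f.flags & bit)
    return f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} [{names}] len={len(f.payload)}"


# A tiny subset of display-filter field names (assumption: only these fields, only '==').
FIELDS = {
    "ip.src": lambda f: {f.src_ip},
    "ip.dst": lambda f: {f.dst_ip},
    "ip.addr": lambda f: {f.src_ip, f.dst_ip},
    "tcp.srcport": lambda f: {str(f.src_port)},
    "tcp.dstport": lambda f: {str(f.dst_port)},
    "tcp.port": lambda f: {str(f.src_port), str(f.dst_port)},
}


def match(f: Frame, expr: str) -> bool:
    """Evaluate one 'field == value' clause against a decoded frame."""
    field, op, value = expr.split()
    if op != "==" or field not in FIELDS:
        raise ValueError(f"unsupported filter: {expr!r}")
    return value in FIELDS[field](f)


def reassemble_stream(frames, src_ip, src_port) -> bytes:
    """Rebuild one direction of a TCP session: order data segments by sequence number,
    drop bytes already seen (retransmissions), and refuse to paper over a missing segment."""
    segs = sorted((f for f in frames if f.src_ip == src_ip and f.src_port == src_port and f.payload),
                  key=lambda f: f.seq)
    out, expected = bytearray(), None
    for s in segs:
        expected = s.seq if expected is None else expected
        if s.seq > expected:
            raise ValueError(f"missing segment: expected seq {expected}, got {s.seq}")
        out += s.payload[expected - s.seq:]          # skip the overlap of a retransmitted segment
        expected = max(expected, s.seq + len(s.payload))
    return bytes(out)


# Constructed sample capture: a short HTTP request whose two data segments arrive out of
# order, one of them retransmitted, plus an unrelated SYN to port 22 from another host.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1000, TCP_SYN),
    build_frame("10.0.0.80", "10.0.0.5", 80, 40000, 5000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1017, TCP_ACK | TCP_PSH, b"Host: x\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1001, TCP_ACK, b"GET / HTTP/1.0\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1001, TCP_ACK, b"GET / HTTP/1.0\r\n"),
    build_frame("10.0.0.9", "10.0.0.80", 51000, 22, 7000, TCP_SYN),
]

if __name__ == "__main__":
    frames = [decode_frame(raw) for raw in CAPTURE]
    for f in frames:
        print(summary(f))
    print([summary(f) for f in frames if match(f, "tcp.port == 22")])
    print(reassemble_stream(frames, "10.0.0.5", 40000))
```

The SYN occupies one sequence number, so the first data byte is at seq 1001; reassembly sorts by sequence number rather than by arrival order, which is why the request comes out intact even though the capture recorded the second segment first and the first one twice. A gap in the sequence space is reported instead of being silently skipped, which is the behaviour you want when a capture dropped frames.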
Ethereal
• You can find it at
http://www.ethereal.com/distribution/win32/
You’ll need to install both Ethereal to
analyze the data and WinPcap to capture
data. There’s a bit of a description of
WinPcap at
http://winpcap.polito.it/default.htm.
Ethereal
• An introduction to Ethereal, along with
some screen shots, can be found at
http://www.ethereal.com/introduction.html
Ethereal
• If you have a network at home, download Ethereal
onto your own workstation. Be sure to also
download WinPcap. Even if you don’t have a
network, you can download previously captured
data off of the Ethereal (and other) web sites and
analyze the data so you can see how it works. The
program is about 10MB, so it won’t fit on a floppy
disk, but it will fit on a zip disk or CD.
Ethereal Tutorial
• Here is a complete Ethereal tutorial. It was
written for a Unix environment, so skip the parts
that have to do with the command line. It has
complete information about how to use the
Windows version as well. This is a huge
document, so don’t expect to go through all of it
and make sense of it. Go through the first guide
far enough to figure out how the tool works.
There are plenty of screen shots to help you along.
• http://www.ethereal.com/docs/userguide/chap03.html#AEN1092
• The complete user’s guide is at
• http://www.ethereal.com/docs/user-guide/