Ethereal Packet Sniffing (Syngress)

Chapter 1: Introducing Network Analysis

Figure 1.1: Example Network Analyzer Display

Figure 1.2: Example of Sniffing a Connection

Figure 1.3: Carnivore Configuration Program

Figure 1.4: Hub Collision Domains

Figure 1.5: Switch Collision Domains

Figure 1.6: Port Mirroring

Chapter 2: Introducing Ethereal: Network Protocol Analyzer

Figure 2.1: Ethereal’s GUI

Figure 2.2: Follow the TCP Stream

Figure 2.3: Incorrect Ethereal Placement

Figure 2.4: Correct Ethereal Placement Using Port Spanning

Figure 2.5: Correct Ethereal Placement Using a Hub

Figure 2.6: Ethereal Placement with a Cable Tap

Figure 2.7: Fully Meshed Network

Figure 2.8: Network Troubleshooting Methodology

Chapter 3: Getting and Installing Ethereal

Figure 3.1: The WinPcap Installation Wizard

Figure 3.2: The WinPcap License Agreement

Figure 3.3: WinPcap Setup Status

Figure 3.4: WinPcap Readme Information

Figure 3.5: WinPcap Installation Complete

Figure 3.6: The Ethereal GNU License Agreement

Figure 3.7: Ethereal Installation Components

Figure 3.8: Ethereal Installation Directory

Figure 3.9: Ethereal Installation Status

Figure 3.10: Ethereal Installation Completed

Chapter 4: Using Ethereal

Figure 4.1: Main Window

Figure 4.2: Protocol Tree Window Collapsed

Figure 4.3: Protocol Tree Window Expanded

Figure 4.4: Data View Window

Figure 4.5: Data View Window Byte Selection

Figure 4.6: Filter Bar

Figure 4.7: Filter Bar Drop-down List

Figure 4.8: File Menu

Figure 4.9: Open Dialog Box

Figure 4.10: Save As Dialog Box

Figure 4.11: Save As Dialog: File Formats

Figure 4.12: Print Dialog Box

Figure 4.13: The New Print Dialog Box

Figure 4.14: Edit Menu

Figure 4.15: Find Packet Dialog Box

Figure 4.16: Go To Packet Dialog Box

Figure 4.17: Time Reference Submenu

Figure 4.18: Time Reference Submenu Example

Figure 4.19: Preferences Dialog Box

Figure 4.20: View Menu

Figure 4.21: Display Options Dialog Box

Figure 4.22: Apply Color Filters Dialog Box

Figure 4.23: Edit Color Filter Dialog Box

Figure 4.24: Background Color Dialog Box

Figure 4.25: Edit Color Filter

Figure 4.26: GTK+2 Foreground Color Dialog Box

Figure 4.27: Apply Color Filters Dialog Box

Figure 4.28: Application of Color Filters

Figure 4.29: Show Packet in New Window

Figure 4.30: Capture Menu

Figure 4.31: Capture Options Dialog

Figure 4.32: Capture Dialog Box

Figure 4.33: Capture Options Dialog Box: Use Ring Buffer Selected

Figure 4.34: Edit Capture Filter List Dialog Box

Figure 4.35: Edit Capture Filter List Dialog Box Example

Figure 4.36: Edit Capture Filter List Dialog Box: Copy

Figure 4.37: Analyze Menu

Figure 4.38: Edit Display Filter List Dialog Box

Figure 4.39: Filter Expression Dialog Box

Figure 4.40: Filter Expression Dialog: Equality

Figure 4.41: Edit Display Filter List Dialog Box: Filter String

Figure 4.42: Edit Display Filter List Dialog Box: Filter Name

Figure 4.43: Display Filter Dialog Box: OK/Apply Buttons

Figure 4.44: Match Submenu

Figure 4.45: Enabled Protocols Dialog Box

Figure 4.46: Decode As Dialog Box: Link Tab

Figure 4.47: Decode As Dialog Box: Transport Tab

Figure 4.48: Decode As: Show

Figure 4.49: Contents of TCP Stream Window

Figure 4.50: Follow TCP Stream: Direction Selector

Figure 4.51: TCP Analysis Submenu

Figure 4.52: Time-Sequence Graph (Stevens)

Figure 4.53: Time-Sequence Graph (tcptrace)

Figure 4.54: Time-Sequence Graph (tcptrace): Magnify

Figure 4.55: Time-Sequence Graph (tcptrace): Zoom

Figure 4.56: Time-Sequence Graph(tcptrace): Diagnosis

Figure 4.57: Time-Sequence Graph (tcptrace): Zoom in on Retransmit

Figure 4.58: Throughput Graph

Figure 4.59: RTT Graph

Figure 4.60: Graph Control Dialog Box: Zoom Tab

Figure 4.61: Graph Control Dialog Box: Magnify Tab

Figure 4.62: Graph Control Dialog Box: Origin Tab

Figure 5.63: Graph Control Dialog Box: Cross Tab

Figure 5.64: Graph Control Dialog Box: Graph Type Tab

Figure 4.65: Summary Dialog Box

Figure 4.66: Protocol Hierarchy Statistics Dialog Box

Figure 4.67: Statistics Submenu

Figure 4.68: Help Menu

Figure 4.69: Help Contents Dialog Box

Figure 4.70: Supported Protocols Dialog Box

Figure 4.71: About Plugins Dialog Box

Figure 4.72: About Ethereal Dialog Box

Figure 4.73: Summary Window Pop-up Menu

Figure 4.74: Protocol Tree Window Pop-up Menu

Figure 4.75: Data View Window Pop-up Menu

Chapter 5: Filters

Figure 5.1: Capture Options Dialog Box

Figure 5.2: Display Filter Name for IP Total Length

Figure 5.3: Display Filter Name for IP

Figure 5.4: SMB Response

Figure 5.5: HTTP Headers as Text

Figure 5.6: TCP Ports for HTTP Traffic

Figure 5.7: Ethernet Source and Destination Address Fields

Figure 5.8: Capture Options Dialog Box

Figure 5.9: Ethereal Main Window and Filter Button

Figure 5.10: Capture Filter Dialog Box

Figure 5.11: Display Filter Dialog Box

Figure 5.12: Display Filter Dialog After Clicking New

Figure 5.13: Display Filter Dialog After Clicking Copy

Figure 5.14: Filter Expression Dialog Box

Figure 5.15: Filter Expression Dialog With Operation That Accepts Values

Figure 5.16: Filter Expression With Field That Has Labeled Values

Chapter 7: Integrating Ethereal with Other Sniffers

Figure 7.1: Open Capture File Dialog Box

Figure 7.2: File Open Error

Figure 7.3: Save Capture File As Dialog Box

Figure 7.4: Ethereal Display of Tethereal Capture

Figure 7.5: Ethereal Display of TCPDump Capture

Figure 7.6: Ethereal Display of WinDump Capture

Figure 7.7: Ethereal Display of Snort Capture

Figure 7.8: Ethereal Display of Snoop Capture

Figure 7.9: Microsoft Network Monitor Window

Figure 7.10: Microsoft Network Monitor Frame View Window

Figure 7.11: Ethereal Display of Network Monitor Capture

Figure 7.12: The Packet Decode of the Capture Window

Figure 7.13: Ethereal Display of EtherPeek Capture

Figure 7.14: The Packet Display Window

Figure 7.15: Ethereal Display of Netasyst Capture

Figure 7.16: Ethereal Display of nettl Capture

Figure 7.17: Zethereal User Interface

Chapter 8: Real World Packet Captures

Figure 8.1: TCP Connect Scan

Figure 8.2: SYN/ACK Responses

Figure 8.3: SYN Scan

Figure 8.4: Xmas Scan

Figure 8.5: Null Scan

Figure 8.6: SubSeven Legend Backdoor Trojan

Figure 8.7: SubSeven Client-Server Interaction

Figure 8.8: NetBus Backdoor Trojan

Figure 8.9: NetBus Client-Server Interaction

Figure 8.10: NetBus Client-Server Content

Figure 8.11: RST.b Backdoor Scan

Figure 8.12: SQL Slammer Propagation Attempt

Figure 8.13: Code Red Stage 1 – Infection and Propagation

Figure 8.14: Code Red Exploit Output

Figure 8.15: Code Red Stage 2 – Denial of Service

Figure 8.16: Ramen Work Propagation Scanning

Figure 8.17: Ramen Worm rpc.statd Exploit

Figure 8.18: Ramen Worm Execution

Chapter 9: Developing Ethereal

Figure 9.1: Main Directory

Figure 9.2: epan Directory

Figure 9.3: Image Directory

Figure 9.4: Packaging Directory

Figure 9.5: Plugins Interface

Figure 9.6: Lemon Directory

Figure 9.7: Dissector Data Displayed in the Decode Window

Figure 9.8: Sample Display Filter

Figure 9.9: Summary Pane

Figure 9.10: Closed Item in Decode Pane

Figure 9.11: Expanded Item in Decode Pane

Figure 9.12: Visual Display of Multi-level Tree View

Figure 9.13: Visual Display of Bits

Figure 9.14: Example of LDAP Preference

Figure 9.15: Example of Value String Display