Ethereal Packet Sniffing (Syngress)

What is Ethereal?

• Ethereal is a free and feature rich network analyzer that rivals commercial counterparts.

• Ethereal can decode more than 480 protocols (See Appendix).

• Ethereal is compatible with more than 20 other sniffers and capture utilities.

• Display and capture filters can be used to sort through network traffic.

• Ethereal mailing lists are a great resource for information and support.

Supporting Programs

• Ethereal also installs with supporting programs: tethereal, editcap, mergecap, and text2pcap.

• Tethereal is a command line version of Ethereal.

• Editcap is used to remove packets from a file and translate the format of capture files.

• Mergecap is used to merge multiple capture files into one.

• Text2pcap is used to translate ASCII hexadecimal dump captures into libpcap output files.

Using Ethereal in Your Network Architecture

• Correct placement of Ethereal in your network architecture is critical to capture the data you need.

• Taps, hubs, and switches with port spanning enabled, can all be used to connect Ethereal to your network.

• You should create a troubleshooting toolkit consisting of a small hub, small network tap, and extra straight-through and crossover cables.

• Installing Ethereal on a laptop makes troubleshooting at various locations easier.

Using Ethereal for Network Troubleshooting

• Following a methodical troubleshooting process can minimize the time it takes to solve the problem.

• Identifying and testing the cause of a problem often involves research on the Internet or support calls to hardware or software vendors.

• Sometimes, solving one problem could create another.

• Keeping detailed notes on how you solved the problem will assist in future troubleshooting efforts.