Ethereal Packet Sniffing (Syngress)

Getting Ethereal

• Ethereal can be downloaded as binaries or source code.

• There are Ethereal binaries available for more than twenty platforms.

• Ethereal source compiling prerequisites include libpcap, GTK+, Glib, Zlib, Perl, Net-SNMP, and GNU adns.

Packet Capture Drivers

• Packet capture drivers are responsible for capturing the raw network packets.

• Libpcap is a packet capture library for UNIX systems; Windows uses WinPcap.

• Sometimes RPMs are a version or two behind the current source code release.

• Ethereal must have libpcap (or WinPcap) installed to capture packets.

• Libpcap can be installed from a binary or source code.

• Uninstall older versions of WinPcap before installing newer ones.

Installing Ethereal on Windows

• Ethereal will install without WinPcap but can only be used to read saved capture files.

• Uninstall Ethereal by using the uninstall.exe program.

• Ethereal for Windows also installs tethereal, editcap, mergcap, and text2pcap.

Installing Ethereal on UNIX

• There are several different versions of Ethereal RPMs, each with a different purpose.

• The base Ethereal package does not install the Ethereal GUI program, you need to install the GTK+ RPM in addition to the base.

• The Solaris pkgadd process is much like the RPM process.

Building Ethereal from Source

• Source code installs are accomplished with the configure | make | make install process.

• Installing from source code gives you more control over the installation process.

• Installing from source gives you access to the source code and additional documentation.

• Ethereal installs by default in the /usr/local/bin directory.

• There are many options to the configure script to customize your install.