Ethereal Packet Sniffing (Syngress)
Getting started with Ethereal

- Binary Ethereal packages for Windows, Linux, and various UNIX flavors can be downloaded from www.ethereal.com.
- Source code can be downloaded and compiled from www.ethereal.com if the binary packages available don't meet your needs.
- Ethereal can be launched by typing ethereal at the command line.
Exploring the Main Windows

- The Summary Window provides a one-line summary for each packet.
- The Protocol Tree Window provides a detailed decode of the packet selected in the Summary Window.
- The Data View Window provides the hexadecimal (or hex) dump of the selected packet's actual bytes.
Other Window Components

- The filter bar provides a quick mechanism for filtering the packets displayed in the Summary Window.
- Clicking the filter bar's Filter: button will display the Display Filter dialog box to help you construct a display filter string.
- The Information field will show the display filter field name of the field selected in the Protocol Tree Window.
Exploring the Menus

- Most preferences can be set in the Preferences dialog box.
- There are context-sensitive pop-up menus available by right-clicking on the Summary Window, Protocol Tree Window, or Data View Window.
- Packets in the Summary Window can be color-coded for easy reading by using the Apply Color Filters dialog box.
Using Command Line Options

- Ethereal can apply display filters to packets read from a file with the -R flag, discarding packets that don't match the filter.
- Ethereal uses -r to indicate a file to read from and -w to indicate a file to write to.
- Ethereal can be made to start capturing from an interface immediately on startup by using the -i and -k options.