
Ethereal Packet Sniffing

timothy posted about 10 years ago | from the sniffle dept.

Security 147

nazarijo writes "I look at packets for a living. I generate them, I capture them and dissect them, and I try to make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter, and I'd be foolish not to use Ethereal. I use tcpdump for a quick capture, but Ethereal when I need detailed information in a better, more navigable form. Because of that, I was pretty interested to see a book on Ethereal coming out." Read on for Jose's review of Ethereal Packet Sniffing from Syngress.

I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me of any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with the free docs. While the book comes out favorably for me, I'll start with the things I didn't like.

One of the big things that is missing from this book is any coverage of Ethereal on OS X. Given how many people are migrating to OS X (from UN*X or from Windows), and the coverage of Ethereal on Windows, I would have expected some mention of it. Luckily it's available in both Darwin Ports and the Fink project, but some mention of any of the quirks people may encounter would have been welcome. Amy (from Syngress) tells me that they will have a paper in their Solutions center on Ethereal on OS X, which would be great to see.

Another annoyance with the book is the repeated coverage in some sections of various aspects of Ethereal. One that stands out is the coverage of the additional tools which are installed alongside Ethereal, like Editcap and Text2pcap. They are covered in chapter 2 for a bit and then more completely in chapter 6. Covering these tools only once would have sufficed, but it does let chapter 2 stand on its own. Amy tells me that they do this intentionally, because it makes some chapters stand on their own as "units" for others to use. That makes sense.

A final bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. Ethereal dumps a lot of information on the screen; helping people navigate the UI with a static, black-and-white image would have been welcome.

Now, on to the real strengths of the book. Like I said earlier, the book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well: where to place a sniffer to get coverage, what a sniffer can tell you during troubleshooting (and what it cannot), and of course how to get and install Ethereal (on UN*X and Windows).

The next chapter covers exactly what you would expect it to: how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The chapter after that deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).

Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HP-UX's nettl files, all of which you'll run across. It's handy that you can see how to integrate Ethereal with these other products.
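To make concrete what "reading a pcap file" and "decoding" actually involve, here is an added example (written for this page, not code from the book, from Ethereal, or from the reviewer) that parses the classic libpcap format tcpdump and Ethereal (today's Wireshark) write, dissects Ethernet, IPv4 and TCP headers, and applies the equivalent of the display filter tcp.port == 25. The one-packet capture it parses is constructed inline with struct.pack so the script runs offline; the MAC and 192.0.2.x addresses, port 40000 and the timestamp are made up for the sample. Checksums are left at zero and not verified, and pcap-ng and the nanosecond-timestamp variant of the magic are rejected rather than handled.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Classic libpcap file format. The magic 0xa1b2c3d4 is written in the writer's
# byte order, so it tells the reader which endianness the rest of the headers use.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class Packet:
    """Fields a one-line packet summary needs; payload is whatever the last dissector left."""
    ts: float
    caplen: int
    origlen: int
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the 24-byte global header and each 16-byte record header, dissecting every frame."""
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:  # pcap-ng and the nanosecond-timestamp magic are deliberately not handled here
        raise ValueError("not a classic libpcap file, magic %s" % magic.hex())
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is dissected here, got %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        # Length fields come from the file, not from the wire: check them before slicing.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        frame = data[off:off + incl_len]
        off += incl_len
        packets.append(dissect_ethernet(frame, ts_sec + ts_usec / 1e6, incl_len, orig_len))
    return packets


def dissect_ethernet(frame: bytes, ts: float, caplen: int, origlen: int) -> Packet:
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]  # destination MAC comes first on the wire
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = Packet(ts, caplen, origlen, _mac(src), _mac(dst), ethertype)
    if ethertype == ETHERTYPE_IPV4:
        dissect_ipv4(frame[14:], pkt)
    else:
        pkt.payload = frame[14:]
    return pkt


def dissect_ipv4(buf: bytes, pkt: Packet) -> None:
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", buf[2:4])[0]
    pkt.proto = buf[9]
    pkt.src_ip = ".".join(str(b) for b in buf[12:16])
    pkt.dst_ip = ".".join(str(b) for b in buf[16:20])
    # Bound by total length so Ethernet padding after a short datagram is not read as payload.
    body = buf[ihl:min(total_len, len(buf))]
    if pkt.proto == IPPROTO_TCP:
        dissect_tcp(body, pkt)
    else:
        pkt.payload = body


def dissect_tcp(buf: bytes, pkt: Packet) -> None:
    if len(buf) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", buf[:14])
    data_off = (off_flags >> 12) * 4  # header length in 32-bit words, options included
    if data_off < 20 or len(buf) < data_off:
        raise ValueError("bad TCP data offset")
    pkt.src_port, pkt.dst_port = sport, dport
    pkt.tcp_flags = off_flags & 0x1FF
    pkt.payload = buf[data_off:]


def tcp_port_filter(packets: List[Packet], port: int) -> List[Packet]:
    """Same selection as the display filter  tcp.port == <port>  (either direction)."""
    return [p for p in packets if p.proto == IPPROTO_TCP and port in (p.src_port, p.dst_port)]


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP segment carrying an SMTP EHLO to port 25.
    Addresses, ports and timestamp are invented; checksums are left at zero."""
    payload = b"EHLO client.example\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 25, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 25]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + tcp + payload
    global_hdr = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1081440000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    for p in tcp_port_filter(parse_pcap(build_sample_pcap()), 25):
        print("%s:%d -> %s:%d flags=0x%03x %r" % (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.tcp_flags, p.payload))
```

The length checks in parse_pcap and the dissectors are the part worth copying: every offset and length in a capture file is attacker-controlled input once you start opening files other people hand you, and a reader that trusts incl_len or the IP/TCP header lengths will read past the buffer on a crafted file. To read a real file, replace build_sample_pcap() with open(path, "rb").read().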

Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan activity, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.

Chapter 9 will be useful to only a small subset of readers, but quite useful to them. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is its huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.

The developer's angle and the detailed discussion and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.

The book runs the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on the underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think.

All in all I would say this is probably worth picking up if you're looking at becoming a network operator or network security junkie. You'll learn a lot about a powerful tool, how to integrate it into your work, and even how to dissect real traces of traffic. I give it a 7 out of 10 for the above weaknesses, but that shouldn't stop you from strongly considering it.


You can purchase Ethereal Packet Sniffing from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page


147 comments

Additional note: (5, Funny)

Anonymous Coward | about 10 years ago | (#8862347)

I purchased this book using credit card information I picked up using Ethereal.

Re:Additional note: (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862383)

Ethereal Packet Sniffing... what's it all about? Is it good, or is it whack?

HELP! (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862416)

Hello.

I'm considering open-sourcing my back end. Is Linux the right choice?

Thanks in advance.

Re:HELP! (0)

Anonymous Coward | about 10 years ago | (#8862884)

Maybe a site like www.hotstuds.com or www.fudgepackers.com would be a better place to ask that question.

Re:Additional note: (1, Funny)

MisanthropicProgram (763655) | about 10 years ago | (#8862472)

Ah HA! Now, I can blame that $543.21 porn bill on you!
I'm off the hook with my girlfriend! Pfew!

Re:Additional note: (-1, Troll)

MisanthropicProgram (763655) | about 10 years ago | (#8862534)

I should also thank you for not posting a joke like:
In Soviet Russia Ethereal you!
or ...
Ethereal
???
Profit!

There! I just earned my second "Troll" mod for the week.

Re:Additional note: (3, Funny)

Anonymous Coward | about 10 years ago | (#8862563)

I should also thank you for not posting a joke like:
In Soviet Russia Ethereal you!
or ...
Ethereal
???
Profit!

There! I just earned my second "Troll" mod for the week.

--
Getting modded as "Troll" let's me know that I'm not succumbing /. groupthink.


Getting modded as "Troll" lets everyone else know your an idiot.

Re:Additional note: (-1, Offtopic)

MisanthropicProgram (763655) | about 10 years ago | (#8862655)

Does your Mommy and Daddy know that you're trolling Slashdot? Or are you here because your Mommy is fucking the trashman?

The "..Soviet" and the "..Profit" jokes are old and boring. It still amazes me that they still get modded +5 after all these years !

So my AC friend, just remember this, MisanthropicProggram, that's right 2 'g's was a karma whore! And he gave up his soul to build karma points. He became disgusted with himself because he catered to people like you. People who don't think for themselves. Mindless trash.

There, I've earned my third troll mod!

Fuck you, your MOm, and the all of the guys she's sleeping with!

Re:Additional note: (1, Interesting)

Johnny Doughnuts (767951) | about 10 years ago | (#8862839)

Something that really gets me about /.

The fact that someone can post something that would NORMALLY be modded troll, but since they say 'Oh, I've earned my xth troll mod for the day.', they get modded up, whilst other opinions/facts are more deserving of the mod points.

Re:Additional note: (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862656)

Getting modded as "Troll" let's me know that I'm not succumbing /. groupthink. Getting modded as "Troll" lets everyone else know your an idiot.

It looks like you're the idiot.

Re:Additional note: (3, Funny)

Otter (3800) | about 10 years ago | (#8862698)

Getting modded as "Troll" lets everyone else know your an idiot.

If you're going to be an apostrophe troll, you need to make sure you get your own apostrophes right!

FP! (-1, Troll)

Anonymous Coward | about 10 years ago | (#8862353)

Put that in your pipe and sniff it!

sniff... sniff... (-1)

Anonymous Coward | about 10 years ago | (#8862700)

i can smell tentacles approaching my anus... wooo000oooo...

Wow man (-1, Redundant)

Anonymous Coward | about 10 years ago | (#8862355)

ehh cheech, gimme another packet of ether. Great sniffin' man. wow......

I love this tool (3, Funny)

jxs2151 (554138) | about 10 years ago | (#8862358)

Can only understand about half of what it does though. Maybe I'll buy the book.

Re:I love this tool (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862441)

Hello.

I'm considering open-sourcing my back end. Is Linux the right choice?

This Urethral Sniffing capability certainly sounds handy!

Thanks in advance.

possible? (2, Interesting)

WormholeFiend (674934) | about 10 years ago | (#8862372)

would it be possible to sniff spam packets?

Re:possible? (0)

Anonymous Coward | about 10 years ago | (#8862461)

I wouldn't want to smell that, I can barely look at it.

Re:possible? (0, Redundant)

jaeson (563206) | about 10 years ago | (#8862519)

would it be possible to sniff spam packets?

Yeah, but they smell like shit.

Re:possible? (3, Funny)

SquadBoy (167263) | about 10 years ago | (#8862614)

No, spam packets are unlike other packets. They are marked with the "spam bit" and this means that sniffers will not capture them or display them.

It's possible to sniff cocaine: +1, Presidential (-1, Troll)

Anonymous Coward | about 10 years ago | (#8862836)


Try it, you might like it.

Presidentially yours,
George W. Bush [whitehouse.org]

Usually the wrong level for solving that problem (3, Informative)

billstewart (78916) | about 10 years ago | (#8862893)

Spam doesn't arrive in packets - it arrives in SMTP sessions, packaged in TCP flows, packaged in IP packets. That means that you don't have a whole spam session in any given IP packet, so it's much harder to detect spamminess from sampling IP packets than from sampling at the SMTP handler. For most people, all the incoming SMTP is handled at one place - one of your home machines if you're at home, or one of your servers (or clusters of servers) if you're a mailbox provider or a business.

If you're an ISP or hosting center that has customers that you're only providing with IP services, not email services, you _could_ sniff packets and send RSETs to kill sessions that look like spam, but you'd be doing it with less information than your customers, and you would probably end up killing off lots of useful mail, such as the message they're sending to abuse@example.net telling them how to find the spammer that just sent them this message. Usually a bad idea.
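The point made above, that no single IP packet carries the whole SMTP session, is exactly why Ethereal reassembles TCP streams before showing you the conversation ("Follow TCP Stream"). The following is an added example written for this page, not the commenter's code or Ethereal's: a small one-direction TCP reassembler plus an SMTP command splitter, run over a constructed client half of an SMTP envelope whose segments are delivered out of order, with one retransmission, and cut so that "MAIL FROM:" straddles two segments. The addresses, ISN of 1000 and segment boundaries are invented for the sample.

```python
from typing import Dict, Iterable, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number of the first payload byte, payload)


def reassemble_stream(segments: Iterable[Segment], isn: int,
                      favor_new: bool = False) -> Tuple[bytes, int]:
    """Rebuild one direction of a TCP stream from captured segments.

    Segments may arrive out of order, be retransmitted, or overlap; each byte is
    placed at its sequence number relative to isn (sequence numbers wrap at 2**32).
    favor_new decides which copy wins when two segments disagree about the same
    byte. Host stacks differ on this, so an analyzer or IDS that resolves overlaps
    differently from the receiving host can be shown a different stream than the
    host actually processed.
    Returns the contiguous bytes from isn up to the first hole, plus the number of
    captured bytes stranded behind that hole (0 means the capture was complete).
    """
    bytes_at: Dict[int, int] = {}  # one dict entry per byte: clear, not fast
    for seq, payload in segments:
        start = (seq - isn) & 0xFFFFFFFF
        for i, b in enumerate(payload):
            if favor_new or start + i not in bytes_at:
                bytes_at[start + i] = b
    out, pos = bytearray(), 0
    while pos in bytes_at:
        out.append(bytes_at[pos])
        pos += 1
    stranded = sum(1 for k in bytes_at if k >= pos)
    return bytes(out), stranded


def smtp_commands(stream: bytes) -> List[str]:
    """Split the client side of a reassembled SMTP stream into complete command lines
    (a trailing partial line, cut off by the capture, is dropped)."""
    return [line.decode("ascii", "replace") for line in stream.split(b"\r\n")[:-1]]


def per_packet_hits(segments: Iterable[Segment], needle: bytes) -> int:
    """What a packet-at-a-time matcher sees: segments that contain needle in one piece."""
    return sum(1 for _, payload in segments if needle in payload)


# Constructed sample: the client half of an SMTP envelope, ISN 1000, cut into three
# segments so that "MAIL FROM:" straddles a segment boundary. Delivery order is
# scrambled and the middle segment is retransmitted, as a real capture might show.
SAMPLE_ISN = 1000
SAMPLE_STREAM = (b"EHLO client.example\r\n"
                 b"MAIL FROM:<bulk@example.net>\r\n"
                 b"RCPT TO:<victim@example.org>\r\n"
                 b"DATA\r\n")
_CUTS = (0, 26, 52, len(SAMPLE_STREAM))
_SEGS = [(SAMPLE_ISN + a, SAMPLE_STREAM[a:b]) for a, b in zip(_CUTS, _CUTS[1:])]
SAMPLE_SEGMENTS: List[Segment] = [_SEGS[2], _SEGS[0], _SEGS[1], _SEGS[1]]

if __name__ == "__main__":
    stream, stranded = reassemble_stream(SAMPLE_SEGMENTS, SAMPLE_ISN)
    print("per-packet matches for MAIL FROM:", per_packet_hits(SAMPLE_SEGMENTS, b"MAIL FROM:"))
    print("after reassembly:", smtp_commands(stream), "stranded bytes:", stranded)
```

Run as-is, the per-packet count is 0 while the reassembled stream contains every command, which is the gap between "sampling IP packets" and "sampling at the SMTP handler" described above. The favor_new flag is there because the overlap policy is not a detail: feed the reassembler two segments that disagree about the same bytes and you get two different streams, so anything that makes a decision on reassembled content has to match the policy of the host it is protecting.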

No please... (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#8862375)

Ethereal is such a big piece of shit...

Already out of date (5, Informative)

Anonymous Coward | about 10 years ago | (#8862382)

While this is an interesting book, its problem is that it is already out of date. It seems that it was written at a time when the user interface was undergoing lots of churn.

For example, on page 47, figure 2.1 is out of date, as the menu items have changed and the toolbar now has more items.

On Page 146 and 147 the authors attempted to deal with changes in the GUI, and show us what the new print dialog box will look like, however, that version is also out of date.

On Page 153, Figure 4.19 is out of date. On Page 155, Figure 4.21 no longer exists. Page 156, Figure 4.22 is out of date. Page 162, Figure 4.31 is out of date, and so on.

Further on, Page 180, Figures 4.49 and 4.50 are also out of date, and it would have been nicer to show some real-life examples of problems one can spot with the Time Sequence Graphs and some explanation of how socket layer stuff relates to what you might see on the wire.

So, I am not sure this book is worth buying. Perhaps wait for the update.

Re:Already out of date (1)

Sylvain (80355) | about 10 years ago | (#8862779)

So?

I'm pretty sure 90% of the book is still relevant.

Sure, there have been new features introduced since the book was written, but there will also be others after the book update is published.

Regarding the real life examples, I guess it was the author's choice to explain what the software does, not to teach TCP/IP again, and to let you deal with the use cases, since there are several thousand of them.

Out of date? It was published in February 2004. (1)

David Hume (200499) | about 10 years ago | (#8862818)


While this is an interesting book, its problem is that it is already out of date.


How out of date can the book be? It was published in February 2004 [oreilly.com] .

Then again, Ethereal version 0.10.3 was released on March 25, 2004 [ethereal.com] .

Ethereal version 0.10.2 was released on February 23, 2004 [ethereal.com] .

Ethereal version 0.10.1 was released on February 18, 2004 [ethereal.com] .

Ethereal version 0.10.0 was released on December 12, 2003 [ethereal.com] .

Perhaps most importantly, according to one Amazon.com review, "the book documents version 0.10.0 [amazon.com] ." Another Amazon.com review states that, "the captures are up to date as of version 0.10.1 [amazon.com] ."

Re:Already out of date (2, Insightful)

Halfbaked Plan (769830) | about 10 years ago | (#8862829)

Well, in making my first judgement of a book, I look to see how many screen shots it has. Books that mainly consist of screenshots are often a waste of paper. Have you mentioned every screen shot in the book? If so, it doesn't sound like that bad a book.

You think the print dialogue is essential to effective use of this tool? Enough that an 'out of date' screenshot of the print dialogue turns you away from it?

Re:Already out of date (3, Informative)

Wister285 (185087) | about 10 years ago | (#8863123)

I'm pretty sure this is why they offer a "1 Year Upgrade", as shown on the cover. It is meant to protect the customer against these sorts of problems with rapidly progressing technology. The only trick seems to be that you have to register. Still, it's refreshing to see book publishers offering such things.

Sounds Good (1, Interesting)

MrRuslan (767128) | about 10 years ago | (#8862395)

I use ethereal as a comprehensive intrusion detection system and i wish to learn more about it...seems like this book is a very good start.

Re:Sounds Good (1)

SquadBoy (167263) | about 10 years ago | (#8862541)

WTF?

Do you by chance mean Snort?

Re:Sounds Good (1)

MrRuslan (767128) | about 10 years ago | (#8862586)

No, not Snort, LoL. I just like to look at all the packets incoming and outgoing with it... I know it's lame but it works.

Re:Sounds Good (1)

throughthewire (675776) | about 10 years ago | (#8862623)

Beats working, I guess.

Re:Sounds Good (2, Interesting)

MrRuslan (767128) | about 10 years ago | (#8862678)

LoL, not at work... at home on my PC... sometimes I glance at it to see what happens... I run a lot of stuff on my home PC like that for the sake of learning it. I have Apache running just to give files to people I know... that's the way I learn a lot of stuff, you know, poking at it.

Re:Sounds Good (1)

The Other White Boy (626206) | about 10 years ago | (#8862669)

OT but willing to put up with it... to the parent, what is your sig from? It strikes me as vaguely familiar and it's gonna bother me, I just know it. =)

Re:Sounds Good (2, Insightful)

prgrmr (568806) | about 10 years ago | (#8862674)

comprehensive intrusion detection system

Comprehensive? So you basically rewrote Tripwire, Saint, and a bunch of other stuff using Ethereal?

Re:Sounds Good (1)

MrRuslan (767128) | about 10 years ago | (#8862706)

Heh, no... it just tells me what goes in and out in detail, and from where and to where... that's what I meant by comprehensive...

Just Wondering.... (4, Funny)

Dr. Bent (533421) | about 10 years ago | (#8862406)

I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.

So what's it like working for the N.S.A.? Do they have a decent benefits package?

Re:Just Wondering.... (0)

Anonymous Coward | about 10 years ago | (#8862454)

even more important, are they hiring?

HELP! (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862512)

Hello.

I'm considering open-sourcing my back end. Is Linux the right choice?

I don't want to get any viruses!

Thanks in advance.

Re:HELP! (0)

Anonymous Coward | about 10 years ago | (#8862598)

You want to install linux on your ass? Guess you got tired of having your backdoors violated all the time?

More importantly... (1)

crawdaddy (344241) | about 10 years ago | (#8862557)

I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.

So what's it like working for the N.S.A.? Do they have a decent benefits package?


More importantly, do you feel your job security is at stake due to recent purchases [slashdot.org] made by the government?

Re:Just Wondering.... (0)

Anonymous Coward | about 10 years ago | (#8862861)

Nah, Jose actually works on network security in the private sector. Although I have heard rumors of his name showing up on some sort of NSA watch list...

Re:Just Wondering.... (2, Funny)

bfg9000 (726447) | about 10 years ago | (#8862978)

Missing line that fills in the details, deleted for length reasons:

I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.... ... and they turn into boobies and peepee bums on my screen when I've done it right. And if my mom finds out I'm dead meat, which is why I also like crypto.

By this measure, I look at packets for a living too... well, I don't get paid for it, but it takes more time than my day job at Twinkles Bar and Grill.

Question... (4, Interesting)

Frennzy (730093) | about 10 years ago | (#8862412)

Can we assume that it really focuses more on the Ethereal product than on analyzing and understanding frames? (In short, is it more for someone who wants to squeeze the most out of Ethereal, or does it do remedial to advanced instruction on packet construction, deconstruction, and analysis?)

Re:Question... (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862535)



Ethereal Packet Sniffing... what's it all about?

Is it good, or is it whack?

Re:Question... (-1, Troll)

Anonymous Coward | about 10 years ago | (#8862569)

Is it good, or is it whack... what's it all about?

Is it good, or is it whack?

Re:Question... (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862637)

It's OK; more whack than good, but more good than whack.

I'd love to but... (4, Interesting)

Iscariot_ (166362) | about 10 years ago | (#8862415)

I'd really love to play around with Ethereal, but I'm running WindowsXP and for some reason it just doesn't go. I've read that this has to do with WinPcap.

What I want to know is, is there a way to get Ethereal running on XP? Is there an alternative to WinPcap 3.0?

Re:I'd love to but... (4, Informative)

lukewarmfusion (726141) | about 10 years ago | (#8862464)

I've run Ethereal on several XP boxes. Make sure you install WinPCap first. Check which device you have set to monitor, too.

Your network configuration can also affect what packets you see - are there switches dividing your network? Are you alone on your network?

New to Ethereal?
Start a capture, then check your email. Then use the email address and password you capture to do all kinds of nasty things.

Re:I'd love to but... (4, Insightful)

phaetonic (621542) | about 10 years ago | (#8862566)

Why not get Knoppix or one of the many LiveCD distributions that allow you to use Ethereal without the need to install Linux? Then your WindowsXP problem will no longer be a problem. The Knoppix release I used last July had support for my wireless NIC (Orinoco) on my laptop, and everything worked great.

Re:I'd love to but... (2, Insightful)

matastas (547484) | about 10 years ago | (#8862955)

Because, oftentimes, kicking it over to Linux is neither desirable nor feasible, especially if it's a work machine. If I want to use Ethereal on my laptop, and WinXP is feeling quirky, my solution can't be 'boot Knoppix,' 'cause then I can't do anything else with any ease.

Knee-jerk Linux reactions are no better than knee-jerk MS reactions, 'cept Linux has cooler t-shirts.

Re:I'd love to but... (1)

Aliencow (653119) | about 10 years ago | (#8862478)

I never had any problem with Ethereal in Windows XP... try an older version of WinPcap maybe, that should do it.. Or maybe I'm confused and what I think was Windows XP was actually Windows 2000, but I'm pretty sure my previous box at work was XP and ran ethereal..

Re:I'd love to but... (0)

buht (738798) | about 10 years ago | (#8862498)

Hmm.. Im running Ethereal 0.10.3 on XP Pro. I did click yes when it wanted to load WinPcap stuff. It has not caused any problems yet. Did you try that version?

Re:I'd love to but... (0)

Anonymous Coward | about 10 years ago | (#8862522)

I'm running 0.10.3 and Winpcap 3.0.

Re:I'd love to but... (0)

Anonymous Coward | about 10 years ago | (#8862592)

is there a way to get Ethereal running on XP? Is there an alternative to WinPcap 3.0?

Well, there's WinPcap 3.1 beta. But what do you mean by "doesn't go?" If you can't see any interfaces in Ethereal's capture list, even after you've installed WinPcap - and you're using a corporate machine - there might be a Group Policy restriction that's causing your problem. Ditto if you can't install the WinPcap driver at all.

It works for me with no problems (0)

Anonymous Coward | about 10 years ago | (#8862619)

I installed WinPCap, Ethereal, NetStumbler, and a few other things on XP for travelling around, and I've had no problems.

Re:I'd love to but... (2, Informative)

pair-a-noyd (594371) | about 10 years ago | (#8862973)

Get this, http://www.haking.pl/en/index.php?page=hakin9_live [haking.pl]

then get this,

http://www.distrowatch.com/table.php?distribution=std [distrowatch.com]

and get this too,

ftp://ibiblio.org/pub/linux/distributions/phlak [ibiblio.org]

then get one of these,
http://www.systemrecycler.com/shomiti/ [systemrecycler.com]

and lastly get this just for shits, grins and giggles,

http://www.metasploit.com/projects/Framework/documentation.html [metasploit.com]

Re:I'd love to but... (1, Informative)

Anonymous Coward | about 10 years ago | (#8863056)

I've run into issues with WinPcap 3.0 and Windows. Not specifically with Ethereal, but when I use Snort [snort.org]. WinPcap 2.2 & 2.3 have been the most stable in my book. You can find all the older versions here [polito.it]. WinPcap 3.1 is now available [polito.it]; I would try that first. Haven't used it personally though.

ethereal plus google's locator service... (2, Funny)

192939495969798999 (58312) | about 10 years ago | (#8862452)

I would like to see an integration of Ethereal with google's locator service, or one of those ip to geographical coordinate services. It could bring up a map of the world, and where people are coming from to get to you. Finally, I could project that map on the wall, and be just like in DEFCON 5 the movie! HA HA HA!

NET Sniffer vs Ethereal (0)

Anonymous Coward | about 10 years ago | (#8862467)

What's everyone's opinion on Network Associates Sniffer vs. the free Ethereal? Which one helps you solve your problems and reports the status of your network better?

ok, I'll bite (-1, Redundant)

Anonymous Coward | about 10 years ago | (#8862477)

I look at packets for a living. I generate them, I capture them...

[insert masturbation joke here]

I sell packets for a living (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862544)

But the street name is 'bags'. Dime bags, nickel bags... you get the picture.

Good Book (2, Interesting)

i2878 (736937) | about 10 years ago | (#8862552)

Bought the book last week. Likely nothing you can't find on-line, but I would almost always prefer a hardcopy in my hands when I want a reference manual.

It seems to be a good intro to Ethereal and packet sniffing - esp. if you've not done much with it before.

OS X & Ethereal (3, Insightful)

grocer (718489) | about 10 years ago | (#8862553)

Ethereal requires X Windows to run on OS X... which means some form of rootless install or the defunct Apple XFree86 Beta in Jaguar (10.2.x).

Panther (10.3.x) has X Windows integrated, although I haven't bought it yet... (so I don't know how well it works or if all the build issues are sorted out of Fink... although Fink is supposed to work now)

10.1.x, I have no clue, but it's different than 10.2.x (probably have to install some third variant of X via Fink)

Ethereal on OS X does rock especially with KisMac but there's three or four possible scenarios for install...probably why the book doesn't cover it...

Re:OS X & Ethereal (2, Informative)

Charles Dodgeson (248492) | about 10 years ago | (#8863003)

Panther (10.3.x) has X Windows integrated, although I haven't bought it yet... (so I don't know how well it works or if all the build issues are sorted out of Fink... although Fink is supposed to work now)
Note that while X is "integrated" you need to specifically install it from Install Disk 3. Also, you will need to do a custom install from the XCode disk to get the X11SDK.

There are some real annoyances in getting fink to accept that you are using Apple's distribution of X. I'm still not confident that I understand how I eventually got it to work. But once I did

sudo fink install ethereal
did the job and I've been happily looking at packets since then.

Ever since then (well, about a week ago), I've found myself in need of something that gives me some of the basics of capture and sniffing. So it looks like this book will do the job for me.

IS OS X Special? (2, Insightful)

the MaD HuNGaRIaN (311517) | about 10 years ago | (#8862568)

I mean, I know it's a special OS and everything (posted from Camino).

But, whenever I use Ethereal on OS X, I just download the latest source and run:

./configure
make
make install

Then, launch X, and run ethereal.

So, there you go. There's your chapter on using Ethereal in OS X.
Happy to help!

Too late (2, Funny)

KalvinB (205500) | about 10 years ago | (#8862576)

I used Ethereal back when I was playing with Try2Hack and discovered what information was being sent for The Kill Everyone Project [homokaasu.org]. I then fired up my custom "hacker" program and proceeded to destroy the world approximately five times per packet.

After crashing the high score page from an integer overflow caused by my ridiculously high score, I decided that maybe I should stop.

So after beating the internet, what purpose does a book on Ethereal serve?

What would actually be handy is a browser that you can tell to "step" through message transmissions. The owner of the "Kill Everyone Project" challenged me to hack his other games after I e-mailed him to explain what I did and how he could fix it. The only reason I couldn't do it was because after some cookie passing with my program I couldn't quite get the SWF file with the session ID. With a real browser with "step" it would be possible to let it load up the game session like normal but then set it to "step" mode and be able to edit packets before they go to the server.

I don't imagine it would be too terribly difficult to add such a feature to Mozilla. It would be nice to have a text window that shows what data is actually being sent up to the server with the option to have to manually okay each packet so you could edit out any info you'd rather the server didn't have.

Like when certain Javascript pages try to grab system information.

Ben

Great every idiot on slashdot will be sniffing now (3, Funny)

DR SoB (749180) | about 10 years ago | (#8862579)

Here we go with the n00b questions.. ie. Can it sniff spam packets? Answer: No, spam packets are so mysterious and powerful, no available NIC is capable of passing them to a sniffer program.

Please people, leave SNIFFING to the professionals!

Ethereal Rocks (2, Informative)

Doug Dante (22218) | about 10 years ago | (#8862600)

* Always shows gracefully parsed packets, even on tagged VLANs
* Follows TCP streams so you can view and analyze XML transactions generated by JavaScript scripts.
* Completely supports almost all protocols, e.g. knows RADIUS options.
* Can use it to examine HTML headers, redirects, and what goofy web pages are doing behind the scenes.
* Works on Windows, Linux, and Mac OS X (although I never use the last)

Please help. (0, Offtopic)

Neil Blender (555885) | about 10 years ago | (#8862622)

I send you this packet in order to have your advice.

See you later. Thanks.

Re:Please help. (-1, Troll)

Anonymous Coward | about 10 years ago | (#8862928)

FU Bunghole...the only packet you need is a packet of astroglide so you can fluff the stars in gay porno.

Ethereal in University Setting (4, Interesting)

crass751 (682736) | about 10 years ago | (#8862632)

In the networking class I'm taking this semester, we've been doing exercises using Ethereal to study different protocols and layers of the TCP/IP stack. My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks. It's been a useful learning aid, for me at least. It makes more sense to think about packets and such when you can actually see them and the data they contain.

Re:Ethereal in University Setting (3, Funny)

dr_dank (472072) | about 10 years ago | (#8862764)

My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks

Is this Prof on crack that he/she doesn't think that any of their students is going to try sniffing their neighbors' packets on the dorm network? Hell, that's the first thing I'd do!

Re:Ethereal in University Setting (1)

mikeee (137160) | about 10 years ago | (#8863017)

Odds are, they won't see much. Just *try* to buy a hub (not a switch!) with more than 4 ports these days. It's a PITA if you actually do want to use ethereal to sniff outside traffic.

Re:Ethereal in University Setting (0)

Anonymous Coward | about 10 years ago | (#8863026)

Heh, first thing I did when I figured out how to use ethereal a little bit was sniff for AOL Instant Messenger packets.

I'd interject into people's conversations, doing fun shit like answering someone's question from their conversation using handles like eyeseejewhah and whatnot. Some people seemed to be very creeped out by it, some people just closed their AIM clients. All in all a fun way to spend an afternoon of skipping class.

Re:Ethereal in University Setting (0)

Anonymous Coward | about 10 years ago | (#8863048)

Is this Prof on crack that he/she doesn't think that any of their students is going to try sniffing their neighbors' packets on the dorm network?

Well, I wouldn't expect students not to download music from dubious sites either or all manner of illegal things. I wouldn't show them how to do it in class though.

Re:Ethereal in University Setting (1)

symbolic (11752) | about 10 years ago | (#8862907)

My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks.

Bah...running traces on live networks is MUCH more fun (albeit for legitimate purposes). Tethereal and grep are an interesting combination as well.

Web (2)

macgyvr64 (678752) | about 10 years ago | (#8862652)

Are there any good introductions to Ethereal on the web? I've looked a little with Google, but turned up nothing great. I may buy this book, but I'm not sure I want to spend $35 on something I may or may not use.

I know I'm being lazy but... (1)

jeffehobbs (419930) | about 10 years ago | (#8862702)

... I really wish there was a .pkg installer for OS X.

~jeff

Re:I know I'm being lazy but... (1)

OmniVector (569062) | about 10 years ago | (#8862800)

If you're even remotely a *nix user in OS X, you should already have fink [sf.net] and darwinports [opendarwin.org] already installed. It's a simple "port install ethereal" and you're done.

THINK - cover stories (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862712)

These days, it's all about whether a "well-intentioned" White House
made "mistakes" in not paying closer attention to warnings about Al
Qaida ops inside the US.

As if that were the real issue.

It's easy to get caught up in cover stories. One begins to believe
that, if the White House can be nailed on its errors, it will suffer
a hard blow.

Forget about magical pristine hijacker passports being found on the
street near the WTC, after they fell out of exploding jetliners.

Forget about the fact that no one has actually shown there were Arab
hijackers aboard the key flights on 9/11.

Forget about evidence offered that some of these "hijackers" are
still alive.

Forget about the fact that US fighter jets failed to scramble when
they should have.

Forget about the fact that the nature and size of the hole punched in
the Pentagon---and the missing major parts of the jetliner at the
scene---mitigate against the conclusion that a jetliner actually
crashed into the Pentagon.

Forget about Bush's non-reaction at the Florida school when he was
told two planes had crashed into the WTC.

Forget about who benefited from 9/11.

Forget about pre-9/11 war plans for Afghanistan and Iraq being on the
drawing boards.

Forget about "the need for a new Pearl Harbor" to justify these wars.

Forget about the lack of a deep and final investigation into short-
selling of key stocks just before 9/11.

Forget about evidence and allegations that, on the morning of 9/11,
before the planes crashed, the US military was conducting an exercise
that had to do with simulated hijackings.

Forget about visual evidence that the second plane to crash into the
WTC exploded most of its fuel out in the air, and not inside the
building. (How did this fuel heat melt all that steel and take the
tower down?)

And so on and so forth.

These days, it's all about possible goofs by the White House in the
months leading up to 9/11.

The 9/11 commission had its investigation defined before it even
began.

The current debate in the press is about Guilt-Lite.

The whole thrust of the cover story is to AVOID TREATING THE WTC AND
THE PENTAGON AND THE FIELDS IN PENNSYLVANIA AS ACTUAL CRIME SCENES.

Off topic but related... (0)

Anonymous Coward | about 10 years ago | (#8862718)

I need to capture an entire day or two worth of data, and be able to generate summary statistics, and drill down to individual transactions if necessary. I looked at ntop, but with the migration away from supporting SQL, that doesn't look like a solution.

Anyone have any recommendations???

Thanks!!

Tomayto, tomahto (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8862762)

So I pronounce it Like This [reference.com]

BUT...

I often hear the last syllable pronounced like REEL of film.

Is this going to be like the LIE-Nuks Lee-nooks, thing?

Network Associates Sniffer Pro is excellent. (1)

qualico (731143) | about 10 years ago | (#8862783)

I like that product best with its graphs and traffic maps.
Although it would be nice to have some more sophisticated software in tune with hardware like routers and switches.

Development on these types of software seems to have stagnated.

You'd think with all the crap on the net, there would be some really good tools.

packet sniffing (4, Funny)

Cruciform (42896) | about 10 years ago | (#8862791)

Ever mention 'packet sniffing' in a public place?

Suddenly people across the room are hanging on your every word, until they realize you didn't say "panty sniffing" and they can't get vicarious thrills/outrage from the perverted geeks in the corner.

Ethereal question... (0)

Anonymous Coward | about 10 years ago | (#8862825)

I started using it after the last Slashdot article, and I was wondering: how can I capture files like HTML, images, media, CGI, etc. with Ethereal?
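Three of the comments above touch the same mechanics: the feature list mentions parsing on tagged VLANs and "Follow TCP Stream", the ntop question asks for per-flow summary statistics, and this one asks how to get HTML and images out of a capture. The following is an added example written for this page, not code from Ethereal, the book, or any commenter. It dissects a pcap byte string the way a protocol analyzer does (Ethernet with 802.1Q tags, IPv4, TCP), reassembles one direction of a conversation by sequence number, and pulls the HTTP response body out of it. The capture is constructed inline (addresses, ports and the VLAN id are all made up), with the response body arriving out of order and one segment retransmitted, so the reassembly has something to handle.

```python
"""Tiny pcap dissector: Ethernet (802.1Q aware), IPv4, TCP, stream reassembly, HTTP body."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC, ETH_P_8021Q, ETH_P_IP = 0xA1B2C3D4, 0x8100, 0x0800


def build_frame(src, dst, sport, dport, seq, ack, flags, payload, vlan=None):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # made-up MACs
    if vlan is not None:                      # insert an 802.1Q tag before the EtherType
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap container (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_capture():
    """Constructed capture on VLAN 100: a GET, then a response split into two segments that
    arrive out of order, plus a retransmission of the first half."""
    c, s = "10.0.0.5", "10.0.0.80"            # hypothetical client / server addresses
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    body = b"<html><body>hello</body></html>"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    a, b = resp[:30], resp[30:]
    return build_pcap([
        build_frame(c, s, 40000, 80, 1000, 5000, 0x18, req, vlan=100),
        build_frame(s, c, 80, 40000, 5030, 1000 + len(req), 0x18, b, vlan=100),  # second half first
        build_frame(s, c, 80, 40000, 5000, 1000 + len(req), 0x18, a, vlan=100),
        build_frame(s, c, 80, 40000, 5000, 1000 + len(req), 0x18, a, vlan=100),  # retransmit
    ])


def parse_frame(frame):
    """Dissect one frame; dict for TCP/IPv4, None otherwise. Walks over stacked VLAN tags."""
    ethertype, off, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    while ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETH_P_IP or frame[off + 9] != 6:   # IP protocol 6 = TCP
        return None
    ihl, total_len = (frame[off] & 0x0F) * 4, struct.unpack_from("!H", frame, off + 2)[0]
    src, dst = socket.inet_ntoa(frame[off + 12:off + 16]), socket.inet_ntoa(frame[off + 16:off + 20])
    t = off + ihl
    sport, dport, seq, _ack, doff_flags = struct.unpack_from("!HHIIH", frame, t)
    payload = frame[t + (doff_flags >> 12) * 4: off + total_len]   # stop at IP total length
    return {"vlan": vlan, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "flags": doff_flags & 0x1FF, "payload": payload}


def parse_pcap(data):
    """Iterate pcap records, honouring the byte order given by the magic number."""
    endian = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC else ">"
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = parse_frame(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            pkts.append(pkt)
    return pkts


def reassemble(pkts, src, dst, sport, dport):
    """One direction of a conversation, ordered by sequence number ("Follow TCP Stream").
    Bytes already seen (retransmissions) are dropped; a gap stops the stream instead of
    splicing unrelated data together."""
    segs = sorted((p for p in pkts if (p["src"], p["dst"], p["sport"], p["dport"]) ==
                   (src, dst, sport, dport) and p["payload"]), key=lambda p: p["seq"])
    out, expected = bytearray(), None
    for p in segs:
        expected = p["seq"] if expected is None else expected
        if p["seq"] > expected:
            break
        chunk = p["payload"][expected - p["seq"]:]
        out += chunk
        expected += len(chunk)
    return bytes(out)


def extract_http_body(stream):
    """Split an HTTP/1.x response into (status line, headers, body) using Content-Length."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return lines[0].decode(), headers, rest[:int(headers.get("content-length", len(rest)))]


def flow_summary(pkts):
    """Packet and payload-byte counts per direction, the per-flow summary the ntop question wants."""
    stats = defaultdict(lambda: [0, 0])
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        stats[key][0] += 1
        stats[key][1] += len(p["payload"])
    return {k: tuple(v) for k, v in stats.items()}
```

Running `extract_http_body(reassemble(parse_pcap(sample_capture()), "10.0.0.80", "10.0.0.5", 80, 40000))` yields the status line, the headers and the intact HTML body even though the second half of the response was captured first and the first half twice. Real captures need more than this (TCP handshake and FIN tracking, chunked transfer encoding, gzip, IP fragmentation), which is exactly why a full dissector like Ethereal's is worth the book.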

packet sniffing? (1)

bl8n8r (649187) | about 10 years ago | (#8863050)

"I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter"

Aha! a real live Tea farmer!