Lucent-technologies Ethereal Uživatelský manuál

Ethereal User's GuideV2.0.2 (16376) for Ethereal 0.10.12Richard Sharpe, NS Computer Software and Services P/LEd Warnicke,Ulf Lamping,

3. AcknowledgementsThe authors would like to thank the whole Ethereal team for their assistance. In particular, the au-thors would like to thank:• Ger

5.5. File SetsWhen using the "Multiple Files" option while doing a capture, the capture data is spreaded over sev-eral capture files, called

5.6. Exporting dataEthereal provides several ways and formats to export packet data. This section describes generalways to export data from Ethereal.N

Tip!You can easily convert PostScript files to PDF files using ghostscript. For example:export to a file named foo.ps and then call: ps2pdf foo.psFigu

Export packet data into PSML. This is an XML based format including only the packet summary.Figure 5.6. The "Export as PSML File" dialog box

• Export to file: frame chooses the file to export the packet data to.• The Packet Range frame is described in Section 5.8, “The Packet Range frame”.T

• Name: the filename to export the packet data to.• The Save in folder: field lets you select the folder to save to (from some predefined folders).• B

5.7. Printing packetsTo print packets, select the "Print..." menu item from the File menu. When you do this, Etherealpops up the Print dialo

• Print command specifies that a command be used for printing.Note!These Print command fields are not available on windowsplatforms.This field specifi

5.8. The Packet Range frameThe packet range frame is a part of various output related dialog boxes. It provides options to selectwhich packets should

5.9. The Packet Format frameThe packet format frame is a part of various output related dialog boxes. It provides options to selectwhich parts of a pa

4. About this documentThis book was originally developed by Richard Sharpe with funds provided from the Ethereal Fund.It was updated by Ed Warnicke an

File Input / Output and Printing96

Chapter 6. Working with capturedpackets6.1. Viewing packets you have capturedOnce you have captured some packets, or you have opened a previously save

Figure 6.2. Viewing a packet in a separate windowFinally, you can bring up a pop-up menu over either the "Packet List", "Packet Details

Item ListDe-tailsBytesMenu Description“Preferences”.Decode As... X X - Analyze.Print... X - - FilePrint (the selected) packet(s).Show Packet inNew Win

Mark Packet (toggle) This menu item is the same as the Edit menu item of the samename. It allows you to mark a packet.Time Reference This menu item is

Expand Subtrees This menu item expands the currently selected subtree.Expand All This menu item expands all subtrees in all packets in the cap-ture.Co

Copy Copy the selected packet data to the clipboard (XXX - inwhich format).Export Selected Packet Bytes... This menu item is the same as the File menu

6.2. Filtering packets while viewingEthereal has two filtering languages: One used when capturing packets, and one used when display-ing packets. In t

As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10are hidden). The packet numbering will remain as befor

6.3. Building display filter expressionsEthereal provides a simple but powerful display filter language that you can build quite complex fil-ter expre

5. Where to get the latest copy of thisdocument?The latest copy of this documentation can always be found at: http:/ / www.ethereal.com/ docs/#usersgu

English C-like Description and exampleframe.pkt_len < 128ge>=Greater than or equal toframe.pkt_len ge 0x100le<=Less than or equal toframe.pkt

Table 6.4. Display Filter Logical OperationsEnglish C-like Description and exampleand &&Logical ANDip.addr==10.0.0.5 and tcp.flags.finor ||Log

English C-like Description and exampleeth.src[2] == 83The example above uses the n format to specify a single range. In this case the ele-ment in the

6.4. The "Filter Expression" dialog boxWhen you are accustomed to Ethereal's filtering system and know what labels you wish to use inyo

Value You may enter an appropriate value in the Value text box. The Valuewill also indicate the type of value for the field name you have selected(lik

6.5. Defining and saving filtersYou can define filters with Ethereal and give them labels for later use. This can save time in remem-bering and retypi

New This button adds a new filter to the list of filters. The currently enteredvalues from Filter name and Filter string will be used. If any of these

6.6. Finding packetsYou can easily find packets once you have captured some packets or have read in a previously savedcapture file. Simply select the

You can choose the direction to be searched for:• UpSearch upwards in the packet list (decreasing packet numbers).• DownSearch downwards in the packet

6.7. Go to a specific packetYou can easily jump to specific packets with one of the menu items in the Go menu.6.7.1. The "Go Back" commandGo

6. Providing feedback about this documentShould you have any feedback about this document, please send them to the authors through ethere-al-dev[AT]et

6.8. Marking packetsYou can mark packets in the "Packet List" pane. A marked packet will be shown with black back-ground, regardless of the

6.9. Time display formats and time referencesWhile packets are captured, each packet is timestamped. These timestamps will be saved to the cap-ture fi

A time referenced packet will be marked with the string *REF* in the Time column (see packetnumber 10). All subsequent packets will show the time sinc

Working with captured packets119

Chapter 7. Advanced Features7.1. IntroductionIn this chapter some advanced features of Ethereal will be described.120

7.2. Following TCP streamsThere will be occasions when you would like to see the data from a TCP session in the order that theapplication layer sees i

You can then choose to view the data in one of the following formats:1. ASCII. In this view you see the data from each end in ASCII, but alternating a

7.3. Packet Reassembling7.3.1. What is it?Often network protocols needs to transport large chunks of data, which are complete in itself, e.g.when tran

7.4. Name ResolutionName resolution tries to resolve some of the numerical address values to human readable names.There are two possible ways to do th

Enabling network name resolution when your name server is unavailable may signific-antly slow down Ethereal while it waits for all of the name server

Prefacexiv

Advanced Features126

Chapter 8. Statistics8.1. IntroductionEthereal provides a wide range of network statistics.These statistics range from general information about the l

8.2. The "Summary" windowGeneral statistics about the current capture file.Figure 8.1. The "Summary" windowStatistics128

• File general information about the capture file.• Time the timestamps when the first and the last packet were capturing (and the time betweenthem).•

8.3. The "Protocol Hierarchy" windowThe protocol hierarchy of the captured packets.Figure 8.2. The "Protocol Hierarchy" windowThis

Note!Packets will usually contain multiple protocols, so more than one protocol will becounted for each packet. Example: In the screenshot IP has 99,1

8.4. EndpointsStatistics of the endpoints captured.Tip!If you are looking for a feature other network tools call a hostlist, here is the rightplace to

For each supported protocol, a tab is shown in this window. The tab labels shows the number of en-dpoints captured (e.g. the tab label "Ethernet:

8.5. ConversationsStatistics of the captured conversations.8.5.1. What is a Conversation?A network conversation is the traffic between two specific en

8.6. The "IO Graphs" windowUser configurable graph of the captured network packets.You can define up to five differently colored graphs.Figu

Chapter 1. Introduction1.1. What is Ethereal?Ethereal is a network packet analyzer. A network packet analyzer will try to capture network pack-ets and

• Unit the unit for the y direction (Packets/Tick, Bytes/Tick, Advanced...)• Scale the scale for the y unit (10,20,50,100,200,500,...)XXX - describe t

8.7. Service Response TimeThe service response time is the time between a request and the corresponding response. This in-formation is available for m

Figure 8.7. The "DCE-RPC Statistic for ..." windowEach row corresponds to a method of the interface selected (so the EPM interface in versio

8.8. The protocol specific statistics windowsThe protocol specific statistics windows display detailed information of specific protocols and mightbe d

Statistics140

Chapter 9. Customizing Ethereal9.1. IntroductionEthereal's default behaviour will usually suit your needs pretty well. However, as you become mor

9.2. Start Ethereal from the command lineYou can start Ethereal from the command line, but it can also be started from most Window man-agers as well.

on the creation date and time.When the first capture file fills up, Ethereal will switch towriting to the next file, until it fills up the last file,

-m <font> This option sets the name of the font used for most text dis-played by Ethereal. XXX - add an example!-n Disable network object name r

data for each packet.-S This option specifies that Ethereal will display packets as itcaptures them. This is done by capturing in one process anddispl

Figure 1.1. Ethereal captures packets and allows you to examine their content.1.1.3. Live capture from many different network mediaDespite its name, E

9.3. Packet colorizationA very useful mechanism available in Ethereal is packet colorization. You can set-up Ethereal sothat it will colorize packets

In the Edit Color dialog box, simply enter a name for the color filter, and enter a filter string in theFilter text field. Figure 9.2, “The "Edit

Figure 9.4, “Using color filters with Ethereal” shows an example of several color filters being usedin Ethereal. You may not like the color choices, h

9.4. Control Protocol dissectionThe user can control how protocols are dissected.Each protocol has its own dissector, so dissecting a complete packet

To disable or enable a protocol, simply click on it using the mouse or press the space bar when theprotocol is highlighted.Warning!You have to use the

5. Apply Apply the changes and keep the dialog box open.6. Save Save the settings to the disabled_protos, see Appendix A, Configuration (and other) Fi

dialog box was opened.4. Show Current Open a dialog box showing the current list of user specified decodes.5. OK Apply the currently selected decode a

9.5. PreferencesThere are a number of preferences you can set. Simply select the Preferences... menu item from theEdit menu, and Ethereal will pop up

Customizing Ethereal154

Customizing Ethereal155

license keys or fees or such. In addition, all source code is freely available under the GPL. Becauseof that, it is very easy for people to add new pr

Appendix A. Configuration (andother) Files and FoldersEthereal uses a number of files and folders while it is running. Some of these reside in the per

File/Folder Description Unix/LinuxfoldersWindows folderstemp Temporary files. Environment:TMPDIREnvironment: TMPDIR or TEMPWindows folders%APPDATA% po

written to disk when you press the Save button in the "Dis-play Filters" dialog box.colorfilters This file contains all the color filters th

hosts Ethereal uses the files listed in Table A.1, “Configurationfiles and folders overview” to translate IPv4 and IPv6 ad-dresses into names.This fil

95/98/ME The default in Windows 95/98/ME is: all users work with thesame profile, which is located at:C:\windows\Application Data\Ethereal98/ME (with

Configuration (and other) Files andFolders161

Appendix B. Protocols and ProtocolFieldsEthereal distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port).A comprehensive list o

Appendix C. Related command linetoolsC.1. IntroductionBeside the Ethereal GUI application, there are some command line tools, which can be helpful for

C.2. tcpdump: Capturing with tcpdump forviewing with EtherealThere are occasions when you want to capture packets using tcpdump rather than ethereal,

C.3. tethereal: Terminal-based EtherealTethereal is a terminal oriented version of ethereal designed for capturing and displaying packetswhen an inter

1.2. Platforms Ethereal runs onEthereal currently runs on most UNIX platforms and various Windows platforms. It requires GTK+,GLib, libpcap and some o

C.4. capinfos: Print information aboutcapture filesIncluded with Ethereal is a small utility called capinfos, which is a command-line utility to print

C.5. editcap: Edit capture filesIncluded with Ethereal is a small utility called editcap, which is a command-line utility for workingwith capture file

ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN headerieee-802-11-avs - IEEE 802.11 plus AVS WLAN headerlinux-sll - Linux cooked-mode capturefre

-h This option provides help.-v This option specifies verbose operation. The default is silentoperation.-T {encap type} This option specifies the fram

C.6. mergecap: Merging multiple capture filesinto oneMergecap is a program that combines multiple saved capture files into a single output file specif

rawip - Raw IParcnet - ARCNETarcnet_linux - Linux ARCNETatm-rfc1483 - RFC 1483 ATMlinux-atm-clip - Linux ATM CLIPlapb - LAPBatm-pdus - ATM PDUsatm-pdu

ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00xvisual - Visual Networ

C.7. text2pcap: Converting ASCII hexdumpsto network capturesThere may be some occasions when you wish to convert a hex dump of some network traffic in

where <input-filename> specifies input filename (use - for standard input)<output-filename> specifies output filename (use - for standard

-e l3pid Include a dummy Ethernet header before each packet. Specify theL3PID for the Ethernet header in hex. Use this option if your dumphas Layer 3

1.2.3. Microsoft WindowsMaintained:• Windows Server 2003 / XP / 2000 / NT 4.0• Windows Me / 98Unsupported/Unmaintained (because lack of required libra

C.8. idl2eth: Creating dissectors from CorbaIDL filesIn an ideal world idl2eth would be mentioned in the users guide in passing and documented in thed

Procedure for converting a Corba idl file into an ethereal dissector1. To write the C code to stdout.idl2eth <your file.idl>eg:idl2eth echo.idl2

1. Exception code not generated (yet), but can be added manually.2. Enums not converted to symbolic values (yet), but can be added manually.3. Add com

Related command line tools179

Appendix D. This Document's License(GPL)As with the original licence and documentation distributed with Ethereal, this document is coveredby the

patent must be licensed for everyone's free use or not licensed at all.The precise terms and conditions for copying, distribution andmodification

Thus, it is not the intent of this section to claim rights or contestyour rights to work written entirely by you; rather, the intent is toexercise the

these terms and conditions. You may not impose any furtherrestrictions on the recipients' exercise of the rights granted herein.You are not respo

FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHENOTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIESPROVIDE T

Yoyodyne, Inc., hereby disclaims all copyright interest in the program`Gnomovision' (which makes passes at compilers) written by James Hacker.<

Ethereal User's Guide: V2.0.2 (16376) for Ethereal 0.10.12by Richard Sharpe, Ed Warnicke, and Ulf LampingCopyright © 2004-2005 Richard SharpeEd W

1.3. Where to get Ethereal?You can get the latest copy of the program from the Ethereal website: ht-tp://www.ethereal.com/download.html. The website a

1.4. A rose by any other nameWilliam Shakespeare wrote: "A rose by any other name would smell as sweet." And so it is withEthereal, as there

1.5. A brief history of EtherealIn late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted tolearn more about networkin

1.6. Development and maintenance ofEtherealEthereal was initially developed by Gerald Combs. Ongoing development and maintenance of Eth-ereal is handl

1.7. Reporting problems and getting helpIf you have problems, or need help with Ethereal, there are several places that may be of interest toyou (well

1.7.5. Reporting ProblemsNote!Before reporting any problems, please make sure you have installed the latest versionof Ethereal.When reporting problems

backtrace is a gdb command. You should enter it verbatim after the first line shownabove, but it will not be echoed. The ^D (Control-D, that is, press

Introduction13

Chapter 2. Building and InstallingEthereal2.1. IntroductionAs with all things, there must be a beginning, and so it is with Ethereal. To use Ethereal,

2.2. Obtaining the source and binarydistributionsYou can obtain both source and binary distributions from the Ethereal web site: ht-tp://www.ethereal.

2.3. Before you build Ethereal under UNIXBefore you build Ethereal from sources, or install a binary package, you must ensure that you havethe followi

“Building and installing libpcap” will assist in building it. Also, if your operating system does notsupport tcpdump, you might also want to download

cd /mnt/cdrom/RedHat/RPMSrpm -ivh glib-1.2.6-3.i386.rpmrpm -ivh glib-devel-1.2.6-3.i386.rpmrpm -ivh gtk+-1.2.6-7.i386.rpmrpm -ivh gtk+-devel-1.2.6-7.i

2.4. Building Ethereal from source underUNIXUse the following general steps if you are building Ethereal from source under a UNIX operatingsystem:1. U

Once you have installed Ethereal with make install above, you should be able to run it by enteringethereal.Building and Installing Ethereal20

2.5. Installing the binaries under UNIXIn general, installing the binary under your version of UNIX will be specific to the installation meth-ods used

2.6. Troubleshooting during the install onUnixA number of errors can occur during the installation process. Some hints on solving these areprovided he

2.7. Building from source under WindowsIt is recommended to use the binary installer for Windows, until you want to start developing Ether-eal on the

2.8. Installing Ethereal under WindowsIn this section we explore installing Ethereal under Windows from the binary packages.2.8.1. Install EtherealYou

The Components (both Ethereal GTK1 and 2 cannot be installed at the same time):• Etheral GTK1 - Ethereal is a GUI network protocol analyzer.• Etheral

Table of ContentsPreface ...

install WinPcap, if none or an older version is detected.More WinPcap info:• Ethereal related: http://wiki.ethereal.com/WinPcap• General WinPcap info:

2.8.6. Uninstall WinPcapYou can uninstall WinPcap independantly of Ethereal, using the "WinPcap" entry in the "Add orRemove Programs&qu

Building and Installing Ethereal28

Chapter 3. User Interface3.1. IntroductionBy now you have installed Ethereal and are most likely keen to get started capturing your first pack-ets. In

3.2. Start EtherealYou can start Ethereal from your shell or window manager.Tip!When starting Ethereal it's possible to specify optional settings

3.3. The Main windowLets look at Ethereal's user interface. Figure 3.1, “The Main window” shows Ethereal as you wouldusually see it after some pa

current program state and the captured data.Tip!The layout of the main window can be customized by changing preference settings.See Section 9.5, “Pref

3.4. The MenuThe Ethereal menu sits on top of the Ethereal window. An example is shown in Figure 3.2, “TheMenu”.Note!Menu items will be greyed out if

3.5. The "File" menuThe Ethereal file menu contains the fields shown in Table 3.1, “File menu items”.Figure 3.3. The "File" MenuTa

Menu Item Accelerator DescriptionSave Ctrl+SThis menu item saves the current capture. If you have not set a defaultcapture file name (perhaps with the

3.7. The "View" menu ...393.8. The "Go&

Menu Item Accelerator DescriptionExport > as"PDML" file...This menu item allows you to export the (or some) of the packets in thecapture

3.6. The "Edit" menuThe Ethereal Edit menu contains the fields shown in Table 3.2, “Edit menu items”.Figure 3.4. The "Edit" MenuTa

Menu Item Accelerator DescriptionTime Reference> Find Previ-ousThis menu item tries to find the previous time referenced packet.Mark Packet(toggle)

3.7. The "View" menuThe Ethereal View menu contains the fields shown in Table 3.3, “View menu items”.Figure 3.5. The "View" MenuTa

Menu Item Accelerator DescriptionPacket BytesThis menu item hides or shows the packet bytes pane, see Section 3.17,“The "Packet Bytes" pane”

Menu Item Accelerator DescriptionZoom In Ctrl++Zoom into the packet data (increase the font size).Zoom Out Ctrl+-Zoom out of the packet data (decrease

3.8. The "Go" menuThe Ethereal Go menu contains the fields shown in Table 3.4, “Go menu items”.Figure 3.6. The "Go" MenuTable 3.4.

Menu Item Accelerator DescriptionLast PacketJump to the last packet of the capture file.User Interface43

3.9. The "Capture" menuThe Ethereal Capture menu contains the fields shown in Table 3.5, “Capture menu items”.Figure 3.7. The "Capture&

Menu Item Accelerator DescriptionCapture Fil-ters...This menu item brings up a dialog box that allows you to create and editcapture filters. You can n

6.6. Finding packets ... 1136.6.1. The "Find Pac

3.10. The "Analyze" menuThe Ethereal Analyze menu contains the fields shown in Table 3.6, “Analyze menu items”.Figure 3.8. The "Analyze

Menu Item Accelerator DescriptionEnabled Proto-cols...Shift+Ctrl+RThis menu item allows the user to enable/disable protocol dissectors, seeSection 9.4

3.11. The "Statistics" menuThe Ethereal Statistics menu contains the fields shown in Table 3.7, “Statistics menu items”.Figure 3.9. The &quo

Menu Item Accelerator Description------ConversationListDisplay a list of conversations, obsoleted by the combined window ofConversations above, see Se

3.12. The "Help" menuThe Ethereal Help menu contains the fields shown in Table 3.8, “Help menu items”.Figure 3.10. The "Help" Menu

Note!Calling a Web browser might be unsupported in your version of Ethereal. If this is thecase, the corresponding menu items will be hidden.Note!If c

3.13. The "Main" toolbarThe main toolbar provides quick access to frequently used items from the menu. This toolbar cannotbe customized by t

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionReload View/ReloadThis item allows you to reload the current capture file.Print... File/Print

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionColoring Rules... View/ColoringRules...This item brings up a dialog box that allows you color

3.14. The "Filter" toolbarThe filter toolbar lets you quickly edit and apply display filters. More information on display filtersis availabl

C.5. editcap: Edit capture files ...167C.6. mergecap: Merging multip

3.15. The "Packet List" paneThe packet list pane displays all the packets in the current capture file.Figure 3.13. The "Packet List&quo

3.16. The "Packet Details" paneThe packet details pane shows the current packet (selected in the "Packet List" pane) in a more de-

3.17. The "Packet Bytes" paneThe packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in ah

3.18. The StatusbarThe statusbar displays informational messages.In general, the left side will show context related information, while the right side

User Interface60

Chapter 4. Capturing Live NetworkData4.1. IntroductionCapturing live network data is one of the major features of Ethereal.The Ethereal capture engine

4.2. PrerequisitesSetting up Ethereal to capture packets for the first time can be tricky.Tip!A comprehensive guide "How To setup a Capture"

4.3. Start CapturingOne of the following methods can be used to start capturing packets with Ethereal:• You can get an overview of the available local

4.4. The "Capture Interfaces" dialog boxWhen you select "Interfaces..." from the Capture menu, Ethereal pops up the "Capture

4.5. The "Capture Options" dialog boxWhen you select Start... from the Capture menu (or use the corresponding item in the "Main" t

Preface1. ForewordEthereal is one of those programs that many network managers would love to be able to use, butthey are often prevented from getting

on interfaces that Ethereal has found on the system. It is adrop-down list, so simply click on the button on the righthand side and select the interfa

CPU time is required for copying packets, less bufferspace is required for packets, and thus perhaps fewerpackets will be dropped if traffic is very h

... after n minute(s) Stop capturing after the given number ofsecond(s)/minutes(s)/hours(s)/days(s) have elapsed.4.5.4. Display Options frameUpdate li

4.6. Capture files and file modesWhile capturing, the underlying libpcap capturing engine will grab the packets from the networkcard and keep the pack

new capture file to a specific folder, choose this mode.Multiple files, continuous Like the "Single named file" mode, but a new file is crea

4.7. Link-layer header typeIn the usual case, you won't have to choose this link-layer header type. The following paragraphsdescribe the exceptio

4.8. Filtering while capturingEthereal uses the libpcap filter language for capture filters. This is explained in the tcpdump manpage, which can be ha

You can optionally include the keyword src|dst between thekeywords ether and host to specify that you are only inter-ested in source or destination ad

4.9. While a Capture is running ...While a capture is running, the following dialog box is shown:Figure 4.3. The "Capture Info" dialog boxTh

Note!The Capture Info dialog box might be hidden, if the option "Hide capture infodialog" is used.2. Using the menu item "Capture/ Stop

2. Who should read this document?The intended audience of this book is anyone using Ethereal.This book will explain all the basics and also some of th

Capturing Live Network Data76

Chapter 5. File Input / Output andPrinting5.1. IntroductionThis chapter will describe input and output of capture data.• Open/Import capture files in

5.2. Open capture filesEthereal can read in previously saved capture files. To read them, simply select the menu or toolbaritem: "File/ Open"

With this dialog box, you can perform the following actions:1. The "+ Add" button allows you to add a directory, selected in the right-hand

The following file formats from other capture tools can be opened by Ethereal:• libpcap, tcpdump and various other tools using tcpdump's capture

5.3. Saving captured packetsYou can save captured packets simply by using the Save As... menu item from the File menu underEthereal. You can choose wh

With this dialog box, you can perform the following actions:1. Type in the name of the file you wish to save the captured packets in, as a standard fi

file and writing it out using a different format.5. Use "Browse for other folders" to browse files and folders in your file system.6. Click

5.4. Merging capture filesSometimes you need to merge several capture files into one. For example this can be useful, if youhave captured simultaneous

Prepend packets to existing file Prepend the packets from the selected file before the currentlyloaded packets.Merge packets chronologically Merge bot