Wireshark - Ethereal Tutorial - Part one

Discussion in 'Networks' started by zebulebu, Aug 11, 2006.

  1. zebulebu

    zebulebu Terabyte Poster

    Righto - here goes. It's pretty long, because it's been written for second-line peeps at work who haven't got that much networking knowledge. I'm sure some of you will be able to skip the obvious bits... :biggrin

    What is Ethereal?

    Long known as the Rolls-Royce of open-source Network Monitoring tools, Ethereal is a Network Packet Analyzer – allowing you to capture raw packet data and display it in a helpful form. This can be a massive benefit when attempting to troubleshoot misbehaving networks, and the functionality of Ethereal is simply staggering. This presentation will only scratch the surface of what Ethereal is actually capable of, but, once you understand the basics, you will be able to progress to more advanced capture techniques. Pretty soon, you’ll be seeing the world in green 1nes and 0eroes, like Neo in the Matrix…

    To explain what Ethereal does, it's common to use the analogy of an electrician’s voltmeter. Although the level of information that can be captured by Ethereal is far more detailed than the basic reading given off by a voltmeter, they perform the same basic function – allowing you to ‘look inside the wire’ and see what is going on.

    Installing Ethereal

    The installation process for Ethereal is pretty straightforward. It runs on almost every platform commonly in use today, including most flavours of UNIX, Macs, Linux and Windows. Since the most commonly used O/S is Windows, I’ll cover the installation process for that platform here. If you wish to run it on another system, you can find detailed installation instructions here.

    Ethereal requires the WinPCap driver installed underneath it to perform the packet capture process. You used to have to download this separately; happily, it now comes as part of the Ethereal program download itself. You can download the latest version of Ethereal here. One thing to bear in mind is that Ethereal is very much a constant ‘work in progress’. Improvements to functionality and stability are made on an extremely regular basis, so it is definitely worth checking back to get an updated version regularly.

    To start the installation, download the latest stable release from the link above and double-click the .exe file.

    Click ‘Next’ on the Welcome screen

    Click ‘I Agree’ on the License screen

    The next screen is where you can fiddle with the installation components of Ethereal. Since the defaults are fine for what you will need, don’t change anything, just click ‘Next’

    On the ‘Additional Tasks’ screen, decide whether you want shortcuts on your desktop and all that hoo-hah. This is up to you and your personal preferences, but make sure you leave the check box to associate capture files with Ethereal checked. Click ‘Next’

    Choose the location you want Ethereal installed in, then click ‘Next’

    The next screen tells you to install WinPCap. As stated above, WinPCap is the ‘engine room’ of Ethereal – without it, Ethereal cannot capture packets to analyse them. If you want an overview of what WinPCap is, click the button – this will provide you with a brief outline of what it is and does. Make sure you leave the check-box marked ‘Install WinPCap’ – you decide whether you want to allow non-admin users to capture. You might think this is a no-brainer, security wise, but it can often be helpful to run a network trace whilst logged in as a non-admin user, especially when troubleshooting problems caused by user rights. Just something to bear in mind when you make your choice! Once you’ve decided, click ‘Install’

    The installation process begins. It can take some time on slower PCs, but is usually reasonably fast (well under a minute in most cases). When it's finished, the dialogue box will change to ‘Installation Complete’. Click the ‘Next’ button one more time.

    The Installation Completion dialogue will be displayed, asking you whether you want to receive an update on the current status of Ethereal (‘Show News’), and whether you want to run the program there and then. These choices are up to you – it is usually well worth a visit to the Ethereal update page. If you want to dive straight in and start capturing, you may do so at this stage. However, it is still advisable to reboot following the installation – if only to clear out any temp files created by the install process.

    Configuring Ethereal to capture packets

    The configuration process once Ethereal is installed is extremely simple. All you need to do is ‘point’ Ethereal at the NIC you will be performing the capture from and make a couple of decisions about the manner in which you are going to capture traffic.

    Ethereal’s interface can seem utterly confusing at first, but once you have performed your first basic trace, you will be off and running and, believe it or not, this can be achieved within less than five minutes of installing it!

    First off the bat, you need to configure Ethereal for your NIC. When you open Ethereal, an unfriendly grey window will be displayed. Fear not – the magic is about to begin! First of all, go to ‘Capture’, then ‘Interfaces’. A list of the Network Interfaces on your PC will be displayed. All you need to do is select the interface you will be using, and Ethereal will go off and start peering into the wire. However, at this point it makes sense to configure a few properties on your chosen capture interface, so that Ethereal makes a little more sense to you than it otherwise might. In order to do this, click the ‘Prepare’ button associated with your capture interface.

    This displays a dialogue box where you can configure all sorts of parameters for the capture, including whether you want to resolve names on the network, the timing of the capture, a predefined filter for the capture and a whole range of other options. All you need to concern yourself with at the moment are two of the options available to you.

    Promiscuous Sniffing

    The first is the check-box labelled ‘Capture packets in promiscuous mode’. To understand what this means, you first need a fundamental understanding of how networks operate, and the difference between a ‘Hub’ and a ‘Switch’. If your device is plugged into a hub, since hubs operate by broadcasting packets out of every interface, you will be able to ‘sniff’ all traffic flowing to and from any other devices connected to this hub. If, however, your device is connected to a switch, this will not ordinarily be the case, as each port on a switch acts as a ‘Broadcast Domain’ – meaning that only packets destined for the device associated with the MAC address registered to that switch port will be forwarded out of that port. To complicate matters further for you, this isn’t strictly true, as all high-end network switches can make use of a feature known as ‘Port Mirroring’ or ‘SPAN ports’ in Cisco-speak, which enables an administrator to configure an interface on a switch to receive a copy of traffic destined to one, more or all other ports on that switch. However, we won’t go into that here – suffice it to say that if you are connected to a 10Mb hub, you may be able to capture in promiscuous mode; if you’re connected to any other device (a 10/100Mb hub, a switch or a router for example) you probably won’t be able to.

    Once you’ve got your head round that, you may be wondering ‘All well and good Zeb, but what on Earth does capturing packets in ‘promiscuous’ mode entail?’. Well, basically, it enables you to sniff ALL traffic travelling through a hub – not just the traffic destined either to your NIC alone or broadcast traffic. This can be exceptionally powerful – but is also very dangerous to you if, for instance, you’re playing around with it at work without the requisite authority! Personally, at this stage of your understanding of Ethereal I would leave this check-box unticked!

    Display Options

    The second set of options you will want to look at is the ‘Display Options’ group. In order for you to see exactly what is going on during your trace, in real time, tick the ‘Update list of packets in real time’ check-box. Once you do this, you can also decide whether you want capture information to scroll up automatically as it is received. This is personal preference – I usually check it, but it is entirely up to you. For this tutorial I strongly advise that you check this box to start with, just so you can see what is going on during the capture. You can always go back and change it later if it gets on your nerves!

    At this stage, it isn’t worth bothering with applying a filter; since this tutorial will only perform a short capture, you are unlikely to see a huge quantity of ‘chatty’ traffic – but remember later on that, once you are a little more familiar with Ethereal and the way it works, you can preconfigure a filter so that you only collect information relating to a particular application, Protocol, Network Address, MAC address or any number of other options. Did I mention Ethereal was powerful?

    Your first capture

    Now that you’ve selected the options you require, you’re ready to begin your first trace. Go ahead and click ‘Start’. You will see that the Ethereal display immediately changes to show three separate windows. You may start to see some traffic instantly – if you have any applications open, or a web browser for instance. Indeed, if you leave this long enough, even without any applications being open you WILL start to see traffic hitting your NIC. This is the ‘background noise’ of your network, and it can be an interesting experience to watch this traffic, just to give you an idea of how ‘chatty’ your LAN is. If, for instance, you have any laser printers on your LAN (and I bet you do), you’d be surprised how often they advertise themselves to all and sundry via broadcasts…

    Of course, this information isn’t that much use to you – what you want to do is capture and analyse a ‘real’ trace. For that, we’ll be using the good old PING, as it's short, sharp and simple – whilst still allowing you to get a decent understanding of how to read Ethereal’s captures.
    Incidentally, if you followed my earlier advice and set Ethereal to scroll in real time as packets are captured, you’ll be able to follow along with the PING as it takes place. This will definitely aid your understanding of the Ethereal capture process.

    Go ahead and open up a command prompt & PING another box on your LAN. It helps to choose a host you know is up – otherwise you may end up confusing yourself when trying to analyse the capture later! If you watch the top window as you perform the PING, you should see a number of lines appear. These lines are the information for each packet that enters or leaves your NIC. You’ll recall that ICMP is the protocol used by PING. If you look at the ‘Protocol’ column, you should see the PING probe detailed as ICMP packets.

    What you SHOULD see at this stage, is a series of four PING requests – made from your machine to the machine you PINGed. Each one of these requests SHOULD be followed by a reply from the machine you PINGed. All this, of course, is provided you kept the PING as the default option of four requests!

    Once this process has completed, and the PING probe is finished, you can go ahead and click ‘Stop’. You have now completed your first trace using Ethereal! At the moment, this may not be much use to you, since all you have done is watch the PING transaction take place. In the next part of the tutorial, I’ll show you how to analyse the trace so that you get a full understanding of how the different elements of Ethereal combine to give you a complete picture of how the network session you are tracing unfolded.

    Any comments, please post them under this tutorial and I’ll answer them as helpfully as I can.

    Hope you find this useful
    Certifications: A few
    WIP: None - f*** 'em
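
    The tutorial above ends with a capture of four PING requests and their replies. As an added example (not part of zebulebu's post, and not Ethereal/Wireshark code), the script below builds a tiny libpcap-format capture of such an exchange entirely in memory, then reads it back and pairs each ICMP echo request with its reply by identifier and sequence number, exactly the pairing you do by eye in the top window. It also shows the two things the post warns about: an unrelated frame (here a constructed ARP frame, standing in for "background noise") that is simply ignored, and a request to a host that never answers, which is reported as unanswered. All addresses, MACs, timestamps and the 32-byte payload are constructed sample values; the pcap file layout and the IPv4/ICMP header formats are the real ones.

```python
"""Build a small pcap of a PING exchange and read it back, pairing ICMP echo
requests with replies the way Ethereal/Wireshark's packet list lets you do by
eye. Standard library only; all addresses, times and payloads are constructed."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # magic number of the classic libpcap file format
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Constructed sample endpoints: RFC 5737 documentation IPs, locally administered MACs.
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # constructed 32-byte echo payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(icmp_type: int, ident: int, seq: int) -> bytes:
    """Ethernet + IPv4 + ICMP echo frame; a reply swaps source and destination."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + PING_PAYLOAD
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    if icmp_type == ICMP_ECHO_REQUEST:
        src_ip, dst_ip, src_mac, dst_mac = SRC_IP, DST_IP, SRC_MAC, DST_MAC
    else:
        src_ip, dst_ip, src_mac, dst_mac = DST_IP, SRC_IP, DST_MAC, SRC_MAC
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 128,
                     IPPROTO_ICMP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def write_pcap(records) -> bytes:
    """records: iterable of (timestamp_microseconds, frame_bytes) -> pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_us, frame in records:
        sec, usec = divmod(ts_us, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(blob: bytes):
    """Yield (timestamp_microseconds, frame) from pcap bytes, honouring its byte order."""
    order = "<" if struct.unpack("<I", blob[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(order + "I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", blob[pos:pos + 16])
        pos += 16
        yield sec * 1_000_000 + usec, blob[pos:pos + incl]
        pos += incl


def decode_icmp_echo(frame: bytes):
    """Return the fields Ethereal shows for an ICMP echo, or None if the frame is
    not a well-formed echo (a bad IPv4 or ICMP checksum counts as not well-formed)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ip[9] != IPPROTO_ICMP or inet_checksum(ip[:ihl]) != 0:
        return None
    icmp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return {"type": icmp_type, "id": ident, "seq": seq,
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}


def pair_echoes(pcap_blob: bytes) -> dict:
    """Match every echo request to the reply carrying the same (identifier, sequence)."""
    pending, matched, ignored = {}, [], 0
    for ts_us, frame in read_pcap(pcap_blob):
        echo = decode_icmp_echo(frame)
        if echo is None:
            ignored += 1                      # ARP, printer chatter and other noise
            continue
        key = (echo["id"], echo["seq"])
        if echo["type"] == ICMP_ECHO_REQUEST:
            pending[key] = ts_us
        elif key in pending:
            matched.append({"seq": echo["seq"], "rtt_ms": (ts_us - pending.pop(key)) / 1000})
    return {"matched": matched, "unanswered": sorted(seq for _id, seq in pending), "ignored": ignored}


def build_sample_capture() -> bytes:
    """Constructed trace: one ARP frame, then four requests of which the last gets no reply."""
    t = 1_155_290_000_000_000                 # constructed base timestamp in microseconds
    records = [(t, DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28)]
    for seq in range(1, 5):
        t += 1_000_000                        # Windows ping sends one request per second
        records.append((t, build_echo_frame(ICMP_ECHO_REQUEST, 0x0200, seq)))
        if seq < 4:
            records.append((t + 500, build_echo_frame(ICMP_ECHO_REPLY, 0x0200, seq)))
    return write_pcap(records)


if __name__ == "__main__":
    print(pair_echoes(build_sample_capture()))
```

    Run as-is it reports three matched request/reply pairs with a 0.5 ms round trip, sequence 4 as unanswered, and one ignored frame. Because write_pcap produces a real pcap file, you can also dump its bytes to disk and open the result in Wireshark to compare the script's pairing with what the packet list shows; the checksum verification in decode_icmp_echo mirrors the checksum status Wireshark displays in its protocol tree.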
  2. _omni_

    _omni_ Megabyte Poster

    I'll comment...Ethereal is no longer Ethereal - it now goes by the name of Wireshark, and can be found at http://www.wireshark.org/ :biggrin
    Certifications: MCSE 2003, MCSA:M
  3. zebulebu

    zebulebu Terabyte Poster

    LOL - trust an Italian to be pedantic...

    (I presume you're italian by the ridiculously coloured facial hair your Av is sporting?...)

    Certifications: A few
    WIP: None - f*** 'em
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    That's very good Zeb looking forward to the next lesson 8)
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  5. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Excellent, thanks.

    Simon <looking forward to more lessons>
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  6. mattwest

    mattwest Megabyte Poster

    Excellent, looking forward to Part 2! :D
    Certifications: See my signature...
    WIP: Maybe re-certify my CCNA
  7. _omni_

    _omni_ Megabyte Poster

    Half...but the pedantic part is cuz I'm a Virgo :p
    Certifications: MCSE 2003, MCSA:M
  8. Rik

    Rik Nibble Poster

    Thanks very much mate.

    Very helpful for an Ethereal Noob like myself :D
  9. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Thanks for that mate - def looking forward to Part 2? :D
  10. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Rethpeck, Zeb :respct
    Certifications: MCP, A+, Network+
    WIP: Clarity
  11. Theprof

    Theprof Petabyte Poster Forum Leader

    good tutorial Zeb
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV