Using Ethereal - Packet Capturing & Analysis Tool

Using Ethereal - Packet Capturing & Analysis Tool
2006. 4. 12, Sungkyunkwan University UTRI, 2006710998 Park Aehui

Contents
- What is Ethereal?
- Installing Ethereal under Windows
- Using Ethereal
  - Packet capturing
  - Packet filtering
- Ethereal basic interface
  - Main window
  - Filter toolbar
  - Packet List pane
  - Packet Detail pane
  - Packet Byte pane
  - Menu
- Making use of Ethereal
- Reference

What is Ethereal? (cont’d)
- Network packet analyzer
  - Captures network packets
  - Displays each packet in as much detail as possible
- An open source software project, licensed under the GPL (GNU General Public License)
- Principal purposes
  - To troubleshoot network problems
  - To examine security problems
  - To debug protocol implementations
  - To learn network protocol internals
- Features
  - Available for UNIX and Windows
  - Capture live packet data from a network interface
  - Open and save packet data
  - Filter packets
  - And so on

What is Ethereal? Platforms
Ethereal runs on:
- Unix: Apple Mac OS X, BeOS, FreeBSD, HP-UX, IBM AIX, NetBSD, OpenBSD, SCO UnixWare/OpenUnix, SGI Irix, Sun Solaris/Intel, Sun Solaris/Sparc, Tru64 UNIX
- Linux: Debian GNU/Linux, Gentoo Linux, IBM S/390 Linux, Mandrake Linux, PLD Linux, Red Hat Linux, Rock Linux, Slackware Linux, Suse Linux
- Microsoft Windows: Windows Server 2003 / XP / 2000 / NT 4.0, Windows ME / 98

Installing Ethereal under Windows (Cont’d)
- Install Ethereal
  - Download a binary installer: http://www.ethereal.com/download.html#release
  - Since Ethereal version 0.10.12, the WinPcap installer has been part of the main Ethereal installer
- If needed, install WinPcap
  - Required to capture live network traffic
  - Passes low-level packets up to the application layer
  - http://winpcap.polito.it
  - Linux equivalent: libpcap
As you know, an operating system’s NICs normally discard any packet arriving on their interface whose destination hardware address is not their own, instead of passing it up the stack. To deliver all such packets to the application layer, a separate tool has to be installed, and that tool is WinPcap. WinPcap can be downloaded from its home page (http://winpcap.polito.it).

Installing Ethereal under Windows

Packet Capturing

Packet Filtering (Cont’d)
- How to use filtering
  - Capture Options -> Capture Filter dialog
  - Main toolbar filter edit box, or Filter button -> Display Filter dialog
  - Capture filters use the libpcap filter language
- Examples
  - Capture filter: src host 10.10.10.1
  - Display filter: ip.addr == 10.0.0.5 or http
- Basic filtering expressions: logical operations

  English   C-like   Description          Example
  and       &&       Logical AND          ip.addr==10.0.0.5 and tcp.flags.fin
  or        ||       Logical OR           tcp or arp
  xor       ^^       Logical XOR
  not       !        Logical NOT          not tcp
  [...]              Substring operator   ip[2:2] == 92

Packet Filtering (Cont’d)
- Basic filtering expressions: display filter field types
  - Unsigned integer, ex) ip.len le 1500, ip.len le 0x436
  - Boolean, ex) tcp.flags.syn
  - Ethernet address (6 bytes), ex) eth.addr == ff:ff:ff:ff:ff:ff
  - IPv4 address, ex) ip.addr == 192.168.0.1
  - Signed integer
  - String
  - …
- Display filter comparison operators

  English   C-like   Description                 Example
  eq        ==       Equal                       ip.addr==10.0.0.5
  ne        !=       Not equal                   ip.addr !=10.0.0.5
  gt        >        Greater than                frame.pkt_len > 10
  lt        <        Less than                   frame.pkt_len < 128
  ge        >=       Greater than or equal to    frame.pkt_len ge 0x100
  le        <=       Less than or equal to       frame.pkt_len <= 0x20
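To make the two filter slides concrete, here is an added example (not code from the slides or from the Ethereal project) that implements the display-filter grammar they summarise: the logical operators in both English and C-like spelling, the six comparison operators, bare protocol or field names, and the [offset:length] substring operator. Packets are represented as dicts of the fields a dissector would expose (ip.addr, ip.len, eth.addr, frame.pkt_len, tcp.flags.syn and so on), with the raw IPv4 header kept under "ip" so that ip[2:2] reads the total-length field; the three sample packets are constructed. The precedence order (not, and, xor, or) and the rule that a bare boolean field must be present and true are assumptions of this example, not a statement of Ethereal’s exact semantics.

```python
"""Added example, not Ethereal code: an evaluator for the display-filter
grammar the slides summarise (and/or/xor/not with English or C-like spelling,
eq/ne/gt/lt/ge/le comparisons, and the [offset:length] substring operator).
A packet is a dict of dissected fields; the sample packets are constructed."""
import operator
import re

LOGIC = {"and": "and", "&&": "and", "or": "or", "||": "or",
         "xor": "xor", "^^": "xor", "not": "not", "!": "not"}
COMPARE = {"eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
           "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
           "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le}
# Value patterns precede the field-name pattern so ff:ff:ff:ff:ff:ff reads as a MAC.
TOKEN = re.compile(r"\s*(?:(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
                   r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})|(?P<num>0x[0-9a-fA-F]+|\d+)"
                   r"|(?P<name>[A-Za-z_][\w.]*(?:\[\d+:\d+\])?)"
                   r"|(?P<op>==|!=|>=|<=|&&|\|\||\^\^|[()<>!]))")

def tokenize(text):
    """(kind, value) tokens; numbers may be decimal or 0x hex, as on the slides."""
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token near {text[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        toks.append((kind, int(m.group(kind), 0) if kind == "num" else m.group(kind)))
    return toks

def parse(text):
    """Recursive descent; precedence, tightest first: not, and, xor, or (assumed)."""
    toks, i = tokenize(text) + [("end", None)], [0]
    def peek(): return toks[i[0]]
    def take(): i[0] += 1; return toks[i[0] - 1]
    def binary(sub, word):              # left-associative chain of one operator
        left = sub()
        while LOGIC.get(peek()[1]) == word:
            take()
            left = (word, left, sub())
        return left
    def primary():
        kind, val = take()
        if val == "(":
            inner = expr()
            if take()[1] != ")": raise ValueError("missing ')'")
            return inner
        if kind != "name": raise ValueError(f"expected a field name, got {val!r}")
        if peek()[1] in COMPARE:        # field  op  value
            op, (vkind, value) = take()[1], take()
            if vkind not in ("mac", "ip", "num"): raise ValueError(f"no value after {op}")
            return ("cmp", val, op, value)
        return ("exists", val)          # bare protocol or field name
    def unary():
        if LOGIC.get(peek()[1]) == "not":
            take()
            return ("not", unary())
        return primary()
    def expr(): return binary(lambda: binary(lambda: binary(unary, "and"), "xor"), "or")
    tree = expr()
    if peek()[0] != "end": raise ValueError("unexpected trailing tokens")
    return tree

def field_values(packet, name):
    """All values of a field in a packet (ip.addr has two: source and destination).
    name[a:b] slices a protocol's raw bytes as a big-endian integer, so ip[2:2]
    is the IPv4 total-length field."""
    m = re.fullmatch(r"([\w.]+)\[(\d+):(\d+)\]", name)
    if m:
        raw, start, length = packet.get(m.group(1)), int(m.group(2)), int(m.group(3))
        chunk = raw[start:start + length] if isinstance(raw, bytes) else b""
        return [int.from_bytes(chunk, "big")] if len(chunk) == length else []
    value = packet.get(name)
    return [] if value is None else list(value) if isinstance(value, list) else [value]

def evaluate(tree, packet):
    kind = tree[0]
    if kind == "not":
        return not evaluate(tree[1], packet)
    if kind in ("and", "or", "xor"):
        a, b = evaluate(tree[1], packet), evaluate(tree[2], packet)
        return {"and": a and b, "or": a or b, "xor": a != b}[kind]
    if kind == "exists":   # simplification: a boolean field must be present and true
        vals = field_values(packet, tree[1])
        return bool(vals) and all(v is not False for v in vals)
    _, name, op, value = tree
    return any(COMPARE[op](v, value) for v in field_values(packet, name) if isinstance(v, type(value)))

# Constructed sample packets in capture order; "ip" is the raw 20-byte IPv4 header.
PACKETS = [
    {"frame.pkt_len": 106, "eth.addr": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"],
     "ip": bytes.fromhex("4500005c00000000400600000a000005cbfc205a"),   # total length 92
     "ip.addr": ["10.0.0.5", "203.252.32.90"], "ip.len": 92,
     "tcp": True, "tcp.flags.syn": False, "tcp.flags.fin": False, "http": True},
    {"frame.pkt_len": 74, "eth.addr": ["66:77:88:99:aa:bb", "00:11:22:33:44:55"],
     "ip": bytes.fromhex("4500003c0000000040060000c0a800010a000005"),   # total length 60
     "ip.addr": ["192.168.0.1", "10.0.0.5"], "ip.len": 60,
     "tcp": True, "tcp.flags.syn": True, "tcp.flags.fin": False},
    {"frame.pkt_len": 60, "eth.addr": ["00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"], "arp": True},
]

def select(expression, packets=PACKETS):
    """Packet numbers (the 'No' column, 1-based) that a display filter keeps."""
    tree = parse(expression)
    return [n for n, p in enumerate(packets, 1) if evaluate(tree, p)]
```

Calling select("ip.addr == 10.0.0.5 or http") keeps packets 1 and 2, select("not tcp") keeps only the ARP packet, and select("ip[2:2] == 92") keeps the packet whose IPv4 total-length field is 92; the same expressions spelled with &&, || and ! parse to the same trees.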

Packet Filtering Capture Filter Example

The Main window (after some packets have been captured or loaded)
- Menu
- Main toolbar
- Filter toolbar
- Packet List pane
- Packet Detail pane
- Packet Byte pane
- Status bar

Filter toolbar: quickly edit and apply display filters
- Filter: bring up the filter construction dialog
- Expression..: open a dialog box that lets you edit a display filter from a list of protocol fields
- Clear: reset the current display filter and clear the edit area
- Apply: apply the current value in the edit area as the new display filter

The Packet List pane
- Displays all the packets in the current capture file
- Each line in the packet list corresponds to one packet
- Default columns
  - No: the number of the packet in the capture file
  - Time: the timestamp of the packet (the presentation format can be changed)
  - Source: the address this packet is coming from
  - Destination: the address this packet is going to
  - Protocol
  - Info

The Packet Detail pane
- Shows the current packet (selected in the Packet List) in a more detailed form
- Shows the protocols and protocol fields
- Displayed as a tree (expanded / collapsed)

The Packet Byte pane
- Shows the current packet (selected in the Packet List) in hexdump style
- May contain data picked from multiple packets (packet reassembly), ex) large chunks of data

The Menu (Cont’d): File
- Open
- Open Recent
- Merge…
- Save
- Save As..
- File Set
- Export
  - as “Plain Text” file…
  - as “PostScript” file…
  - as “CSV” (Comma Separated Values packet summary) file…
  - as XML “PSML” (packet summary) file…
  - as XML “PDML” (packet details) file…
- Print
- Quit

The Menu (Cont’d): Edit
- Find Packet / Find Next / Find Previous
  - Find a packet by many criteria, ex) find by source address: ip.addr==203.252.50.24
- Time Reference
- Mark Packet (toggle): mark the currently selected packet
- Mark All Packets
- Unmark All Packets
- Preferences…: set preferences for many parameters
  - User Interface (Layout / Columns / Font / Color)
  - Capture
  - Printing
  - Name Resolution
  - Protocols

The Menu (Cont’d): View
- Show or hide interface elements
- Set the view format

The Menu (Cont’d): Go
- Back: jump to the most recently visited packet in the packet history
- Forward: jump to the next visited packet in the packet history
- Go to Packet: specify a packet number, then go to that packet
- Go to Corresponding Packet: if the selected field doesn’t correspond to a packet, the item is greyed out
- First Packet: jump to the first packet of the capture file
- Last Packet: jump to the last packet of the capture file

The Menu (Cont’d): Capture (1)
- Interfaces: shows live capture data for each interface
  - The interface description provided by the operating system
  - The number of packets captured since this dialog was opened
  - The number of packets captured in the last second
  - A button to open the Capture Options dialog

The Menu (Cont’d): Capture (2)
- Options
  - Select the interface to capture on
  - Specify the maximum amount of data captured per packet (default: 65535 bytes)
  - File name to save to
  - Buffer size to be used while capturing
  - Stop capture after n packet(s) / n megabyte(s) / n minute(s)
  - Display options

The Menu (Cont’d): Analyze
- Display Filter: bring up a dialog of display filters
- Apply as Filter: change the current display filter and apply the changed filter immediately
- Prepare a Filter: change the current display filter but do not apply the changed filter
- Enabled Protocols..: enable/disable protocol dissectors
- Decode As.. / User Specified Decodes…: decode certain packets as a particular protocol
- Follow TCP Stream
- Expert Info
- Expert Info Composite

The Menu: Statistics
- Summary: show information about the data captured
- Protocol Hierarchy: display a hierarchical tree of protocol statistics
- Conversations: display a list of conversations (traffic between endpoints)
- Endpoint List: display a list of endpoints (traffic to/from an address)
- TCP Stream Graph
  - Round Trip Time Graph
  - Throughput Graph

Making use of Ethereal (Cont’d): Analyzing web page (HTTP) packets (1)
- Web page: http://www.skku.ac.kr (203.252.32.90:80)

Making use of Ethereal (Cont’d): Analyzing web page (HTTP) packets (2)
- Packet summary

Making use of Ethereal: Analyzing web page (HTTP) packets (3)
- Contents: “GET” request, “POST” response
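The three HTTP slides read the request line, the Host header and the response off a capture of http://www.skku.ac.kr. The following added example (not code from the slides or from the Ethereal project) reproduces that workflow end to end in pure Python: it builds a seven-frame TCP conversation with the server address from the slides (203.252.32.90:80), saves it in the libpcap file format that Ethereal’s Open/Save and the WinPcap/libpcap capture path use, honours the per-packet byte limit from the Capture Options slide (default 65535), reopens the file, and reassembles both directions of the stream in sequence-number order, as Follow TCP Stream presents it, before parsing the GET request and the response. The client address, MAC addresses, ports, sequence numbers and page body are constructed; checksums are left zero because the parser here does not verify them.

```python
"""Added example, not Ethereal code: build a small HTTP conversation as raw
frames, save it in libpcap format (what Ethereal's Open/Save use), reopen it,
and reassemble both directions of the TCP stream as "Follow TCP Stream" shows
them. Addresses, MACs and sequence numbers are constructed; 203.252.32.90:80
and www.skku.ac.kr are the web server the slides analyse."""
import struct
from collections import defaultdict

CLIENT, SERVER = "10.0.0.5", "203.252.32.90"
MAC = {CLIENT: bytes.fromhex("001122334455"), SERVER: bytes.fromhex("66778899aabb")}

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame; 20-byte headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return MAC[dst] + MAC[src] + b"\x08\x00" + ip + tcp + payload

def write_pcap(frames, snaplen=65535):
    """libpcap format: 24-byte global header, then a 16-byte record header per
    packet. snaplen is the per-packet byte limit (65535 is the capture default);
    longer frames are truncated but their original length is recorded."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + n, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return bytes(out)

def read_pcap(data):
    """Return the captured frames (possibly truncated) from a pcap byte string."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    pos, frames = 24, []
    while pos < len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        frames.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return frames

def dissect(frame):
    """(src, dst, sport, dport, seq, payload) for a TCP/IPv4 frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    return src, dst, sport, dport, seq, frame[t + (frame[t + 12] >> 4) * 4:14 + total]

def follow_tcp_stream(frames, a, b):
    """Concatenate each side's payload in sequence-number order, so segments
    that arrived out of order still read as the stream the application saw."""
    segments = defaultdict(list)
    for frame in frames:
        d = dissect(frame)
        if d and {d[0], d[1]} == {a, b} and d[5]:
            segments[d[0]].append((d[4], d[5]))
    return {side: b"".join(p for _, p in sorted(segs)) for side, segs in segments.items()}

def parse_http(message):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    start, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in header_lines)}
    return start, headers, body

REQUEST = b"GET / HTTP/1.1\r\nHost: www.skku.ac.kr\r\n\r\n"
BODY = b"<html><body>hello</body></html>"          # constructed page body
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY

def build_capture():
    """Handshake, GET, the response split in two segments written out of
    order, then the client's FIN (constructed, seven frames)."""
    SYN, SYNACK, ACK, PSHACK, FINACK = 0x02, 0x12, 0x10, 0x18, 0x11
    c, s, cp = 1000, 5000, 40000          # constructed sequence numbers and client port
    part1, part2 = RESPONSE[:20], RESPONSE[20:]
    return [
        tcp_frame(CLIENT, SERVER, cp, 80, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, 80, cp, s, c + 1, SYNACK),
        tcp_frame(CLIENT, SERVER, cp, 80, c + 1, s + 1, ACK),
        tcp_frame(CLIENT, SERVER, cp, 80, c + 1, s + 1, PSHACK, REQUEST),
        tcp_frame(SERVER, CLIENT, 80, cp, s + 1 + len(part1), c + 1 + len(REQUEST), PSHACK, part2),
        tcp_frame(SERVER, CLIENT, 80, cp, s + 1, c + 1 + len(REQUEST), PSHACK, part1),
        tcp_frame(CLIENT, SERVER, cp, 80, c + 1 + len(REQUEST), s + 1 + len(RESPONSE), FINACK),
    ]

def analyze(pcap_bytes):
    """What the HTTP slides read off the capture: request line, Host, status, body."""
    frames = read_pcap(pcap_bytes)
    stream = follow_tcp_stream(frames, CLIENT, SERVER)
    request, req_headers, _ = parse_http(stream[CLIENT])
    status, resp_headers, body = parse_http(stream[SERVER])
    return {"packets": len(frames), "request": request, "host": req_headers.get("host"),
            "status": status, "content_length": int(resp_headers["content-length"]), "body": body}

if __name__ == "__main__":
    print(analyze(write_pcap(build_capture())))
```

Running the module prints the seven-packet summary the slides walk through: the GET / request with Host: www.skku.ac.kr, the HTTP/1.1 200 OK response, and its body, recovered correctly even though the two response segments were written to the file out of order. Lowering snaplen when saving truncates every frame to that many bytes, which is exactly what the “maximum amount per packet” capture option does and why a too-small value loses the HTTP payload.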

Reference
- http://www.ethereal.com/
- http://ethereal.secuwiz.com/docs/eug_html/
- http://www.infoage.co.kr/newspaper/list.php
- http://blog.naver.com/blueysh98/100012090262