One of the best security and network troubleshooting tools available on the Internet is a protocol analyzer (or packet sniffer) named Ethereal. Ethereal runs on both Windows and Linux, sports features not found in many commercial sniffers, and, unlike the regular version of Microsoft Network Monitor, captures all packets promiscuously. And it's free!

Installing Ethereal
Installing Ethereal on Windows 9x and later is a two-step process. You must first download and install the most recent version of the WinPcap driver (version 3.0) from http://winpcap.polito.it/install. The WinPcap driver is a free Windows port of the UNIX libpcap packet-capture library. Ethereal uses WinPcap to pull packets off the network. To learn more about WinPcap's other important uses, see the Web-exclusive sidebar "WinPcap and Security Tools," http://www.winnetmag.com/windowssecurity, InstantDoc ID 40950.

To install WinPcap, double-click the downloaded setup executable; you typically don't have to reboot. If you want to cleanly uninstall WinPcap later, you'll find it listed in the Control Panel Add/Remove Programs applet.

Next, download the most recent Ethereal setup executable (version 9.16) from http://www.ethereal.com/distribution/win32 and double-click it. You'll see a list of optional components, but go ahead and install everything (the download requires 33MB of space). When installation is finished, you'll have an Ethereal shortcut on your desktop and an Ethereal folder on your Start menu. You don't typically have to reboot at this point. If you have any problems, see the Ethereal FAQ at http://www.ethereal.com/faq.html. One common problem is not having the most recent version of WinPcap installed.

Capturing Packets
Capturing and displaying packets is easy. Launch Ethereal and select Start from the Capture menu. In the Capture Options dialog box, which Figure 1 shows, select the network interface from which you'd like to catch packets, select the Update list of packets in real time and Automatic scrolling in live capture check boxes, and click OK. Don't select the two check boxes if your CPU runs at consistently more than 90 percent while sniffing. You can also turn off network name resolution and use capture filters (which I discuss later) to improve performance. While Ethereal is capturing packets, a pop-up dialog box will present a Stop button that you can click to quit capturing. After capturing a few hundred packets, click Stop.

Similar to Network Monitor, Ethereal shows the list of ensnared packets in the top pane of its application window, as Figure 2 shows. If you click a packet, Ethereal parses it into its named fields in the middle pane and shows the packet's hexadecimal/ASCII dump in the bottom pane. When you highlight a particular field in the middle pane, the corresponding bytes are highlighted in the bottom hex/ASCII pane. To view a statistical breakdown of your capture, select Tools, Protocol Hierarchy Statistics.

Display Filters
You can filter the captured packets so that Ethereal shows only the packets that interest you, and Ethereal has built-in tools to simplify the construction of display filters. Let's try using one of these tools: the Prepare feature. Begin a Prepare by capturing traffic that includes the types of packets or sessions you want to view; for example, if you want to see HTTP requests to a particular Web server, attach a laptop with Ethereal to the hub or segment directly connected to your Web server, then send the desired traffic from a client machine. (You won't be able to sniff a switched network unless you put your port on the switch into all-packets or "spanned" mode.) In the top pane of the application window, select a packet in your capture that's representative of the data you're interested in. You'll need to be able to identify the packet by its distinctive characteristics (e.g., IP addresses, port numbers, protocol ID numbers). If you aren't sure you have the right packet, you can do a Google search on the protocols or software involved to find their ID numbers.

Drill down to the desired packet characteristic in the middle pane of the application window. For example, for a captured packet containing an HTTP request to your Web server, double-click the Transmission Control Protocol layer of that packet in the middle pane and find the Destination Port field. Right-click Destination Port: 80 (80), click Prepare, then click Selected, as Web Figure 1 (http://www.winnetmag.com/windowssecurity, InstantDoc ID 40949) shows. Notice that you've added tcp.dstport

80

in the Filter text box at the bottom of the window. Click Apply at the bottom of the window. The top pane now shows only packets with a destination of TCP port 80. To display all packets again by clearing your filter, click Reset at the bottom of the window. To see a list of recently used filters that you can select from, click the down arrow next to the Filter text box.

What if you want to see both HTTP requests to your Web server and its HTTP replies? The real power of Ethereal display filters lies in your ability to combine them by using Boolean operators and parentheses. Click Reset, click the down arrow next to the Filter text box, and select tcp.dstport 80. Now, find a packet in the top pane from the Web server, open its TCP layer in the middle pane, right-click Source Port: 80 (80), click Prepare, then click Or Selected. Your filter should now look like (tcp.dstport

80) || (tcp.srcport

80). Two pipe symbols (||) represent the Boolean Or operator, two ampersands (&&) mean And, and an exclamation point (!) means Not. Click Apply, and you'll see entire HTTP sessions, not just the clients' requests to the server. You can build extremely precise and sophisticated filters this way.

To save your filter so that you can reuse it later, click Filter. The Display Filter dialog box appears with your filter loaded. Change the filter name to HTTP Sessions Only (TCP/80), click New, then click Save. Note that the dialog box, which Figure 3 shows, stays open so that you can select a filter and apply it without closing the dialog box. The idea is that you can create your own library of saved filters and quickly switch between the filters on the fly by selecting them from the list as needed.

As I mentioned earlier, the Display Filter dialog box lets you build a display filter. In the dialog box, change the name of the filter we just created to HTTP Sessions With 10.4.2.2 Only (substitute the IP address of your Web server) and clear the Filter string text box. Click Add Expression to display a list of all the protocols Ethereal understands. Scroll down to and expand the TCP protocol, select Source or Destination Port, click the

relation, type 80 in the text box, and click Accept. These steps will enter tcp.port

80 in the Filter text box in the application window; this shorter filter means exactly the same thing as the more explicit filter we built before. To narrow the HTTP sessions to just those with your desired server, add at the end of your filter a blank space, two ampersands, and another blank space, then click Add Expression again. This time, scroll down to the IP protocol, select Source or Destination Address, click the

relation, enter the IP address of your Web server, and click Accept. In the Display Filter dialog box, click New, Save, then click Apply. The Filter text box should now read tcp.port

80 && ip.addr

10.4.2.2, and Ethereal should be showing only HTTP sessions with the server at 10.4.2.2. You'll sometimes need to add parentheses to complex expressions to tell Ethereal how to apply your operators. For example, the expression !(tcp.dstport

80 && ip.addr

207.68.171.245) is different from the expression !tcp.dstport

80 && ip.addr

207.68.171.245.

One last tip about working with packet captures is that you can change the background and foreground color of the packets you're interested in to make them easier to find. After capturing an HTTP session, for example, select Colorize Display from the Display menu in Ethereal's application window. In the resulting dialog box, click New, type HTTP in the Name text box, delete the word filter from the String text box, and click Add Expression. When a protocol list appears, scroll down and highlight HTTP, click is present in the Relation column, and click Accept. Next, click Background Color, choose a color, and click OK, OK, Save, Apply, OK. The HTTP packets in the capture are now colorized.

Capture Filters
Display filters limit the packets that Ethereal displays, but they don't limit the packets that Ethereal snags in the first place. Capture filters, however, do limit the packets captured. Using capture filters, you can log just the packets you want and ignore the rest. Capture filters are important for optimizing Ethereal's performance and for keeping your capture files as small as possible.

The Capture Options dialog box has a Filter text box in which you can type a filter string. (You can also click the Filter button to save your filter string and reuse it later.) Because the WinPcap driver, rather than Ethereal, enforces capture filters, the capture filter syntax is different from display filter syntax. For example, the capture string ip host 10.4.1.1 and tcp port 80 selects packets to and from TCP port 80 on IP address 10.4.1.1. The operators available in capture strings permit you to form precise filters, but usually a basic capture filter that mentions only IP addresses or port numbers is sufficient to keep the size of the capture file manageable. Then, you can easily create more precise display filters by using Ethereal's built-in tools. You can find the documentation for capture filters at http://windump.polito.it/docs/manual.htm, which is the manual for another WinPcap-driven application, WinDump.

Following TCP Streams
A slick feature is Ethereal's ability to extract TCP payloads from client/server sessions and display these reconstructed streams in one window. To try out this feature, capture a session during which you download a text file from an FTP server, right-click a TCP port 21 packet from that session, and select Follow TCP Stream. A window, which
Web Figure 2 shows, displays the ASCII text of the client's requests (highlighted in black) and the server's responses to them. You can even see the contents of the downloaded file. Reset your display filter at the bottom of the window, right-click a TCP port 20 packet in the top pane, and select Follow TCP Stream. Ethereal will display the reconstructed ASCII contents of the file you downloaded.

If you can capture the packets of a malicious user while he or she attacks your servers, the ability to reconstruct the attacker's sessions will be a big help in handling the incident. Following TCP streams is a wonderful way to learn how protocols work and to troubleshoot problems with them. However, following TCP streams is also a feature that can get you into trouble—be careful not to misuse it.

Saving Captures to Disk
I've showed you how to use Ethereal to sniff network traffic and work with packets in memory. However, Ethereal can also write packet data directly to disk. And Ethereal can save packets to, and read packets from, a variety of file formats, including the capture file formats that Network Monitor, Network Associates' Sniffer, and other products use. Thus, you could, for example, use Network Monitor to capture from agents on remote segments, then use Ethereal for your data analysis.

By default, Ethereal uses the libpcap capture format, which tcpdump, WinDump, the Snort Intrusion Detection System (IDS), and many other applications use. (Libpcap format is something of a lingua franca for packet-manipulation and packet-analysis tools.) If you need to translate one vendor's file format into another's or render heterogeneous capture files into libpcap, you can use Ethereal's editcap.exe and text2pcap.exe utilities.

When you intend to capture a lot of data to files, you should use capture filters to snare only the packets you need. You should also enable ring buffer logging, which writes data to a set of smaller files rather than one big, hard-to-handle file. You specify a time or size limit that, when reached, causes Ethereal to create and use a new capture file. For example, if you intend to capture many gigabytes of data, set a 100MB limit so that Ethereal creates a new capture file after each 100MB of data captured. Each file in the "ring" of files will have the same base name with a different successive index number and timestamp appended to it—for example, if your capture file base name is HTTPcode500, you'll have files named HTTPcode500_indexnumber_yearmonthdayhourminsec.

To create a ring buffer that consists of files that contain no more than 100MB of data each, select Start from the Capture menu to open the Capture Options dialog box. In the Display options section, clear the Update list of packets in real time check box (if selected). In the Capture file(s) section, select the Use ring buffer option and set the Number of files value to 0 to let Ethereal create an unlimited number of files. Note that when you select the Use ring buffer option, the Stop capture after n kilobyte(s) captured option in the Capture limits section changes to Rotate capture file every n kilobyte(s). Enter 100000 in the Rotate capture file every n kilobytes box so that Ethereal will create a new file for each 100MB of data written.

If you set the number of ring buffer files to, say, 50, Ethereal will have only fifty 100MB files at one time no matter how much data it captures because Ethereal will always delete the oldest file to make space for the newest one—you'll have one 5GB buffer (50 × 100MB) of capture data. You might want to use this approach to always keep on hand the most recent 5GB of HTTP requests to your public Microsoft IIS servers as you wait for the next unpredictable (but inevitable) attack against your Web farm.

If you do plan to write packets to files on a continuous or scheduled basis, you'll probably want to script the process from the command line. Ethereal doesn't have to run in GUI mode.

Tethereal
Tethereal is the command-line version of Ethereal. Use Tethereal anytime you need to schedule captures or trigger capturing when a scriptable event occurs. Some examples of such events are a threatening SQL ADO error occurring in an Active Server Pages (ASP) page, the SMTP service failing on your smart host (see the Recovery tab of any service in the Control Panel Administrative Tools applet's Services tool for configuring automatic script execution), or a System Monitor alert being triggered.

To get started, run cmd.exe, navigate to the folder in which you installed your Ethereal binaries (probably C:\program files\ethereal), and type

tethereal.exe

with no command-line switches. You should start to see live packet header information. If you want to see more detail, type

tethereal.exe -n -x -V

where -n suppresses name resolution, -x prints an ASCII translation of the hex values, and -V parses the protocol (the switches are case sensitive). If you get an error, type

tethereal.exe -D

to get a list of the interfaces from which Tethereal can capture, but keep in mind that VPN, dial-up, and other WAN interfaces likely won't work, and WinPcap can't currently capture promiscuously from 802.11 wireless cards.

Tethereal typically captures from the first interface it finds, but you can specify the interface you want with the -i switch. Hence, if you run Tethereal with the -D switch and it returns something like ORINOCO PC Card: \Device\NPF_ \{4AB1A41F-9F93-4808-9C89-D51565C8B2F1\},

try the command

tethereal.exe -i "\Device\NPF_
   \{4AB1A41F-9F93-4808-9C89-
   D51565C8B2F1\}"

Notice that you don't use the friendly name of the interface but rather the device's Windows internal name (the text after the colon when you run Tethereal with the -D switch), and you can't simply use the interface number either.

If Ethereal works but Tethereal doesn't, specifying the interface by name usually solves the problem. Also, make sure you're using the correct case-sensitive switches with no syntax errors or missing double quotes.

You can use a capture filter with the -f switch or a display filter with the -R switch when viewing packets on screen or saving them to a file. The following is an example of using a display filter on the command line:

tethereal.exe -R "tcp.port 80 && ip.addr == 10.4.2.2"

A nice way to have a variety of Tethereal filters and switches ready to go is to add a folder to your Start menu and fill it with shortcuts that run your Tethereal commands in a command shell that stays open with the /k switch, for example

cmd.exe /k tethereal.exe -n -x
   -f "ip host 10.4.2.2"

You could have a dozen shortcuts preconfigured with just the filters you need so that you can have the sniffer running instantly when needed.

Ethereal and Tethereal are easy to use and incredibly useful. Whether you need them for troubleshooting, security reasons, or just because you're curious, they'll tell you what's really happening on your network.