December 15, 2003 12:00 AM

The Ethereal Packet Sniffer

Learn how to use this free protocol analyzer
Windows IT Pro
InstantDoc ID #40949

One of the best security and network troubleshooting tools available on the Internet is a protocol analyzer (or packet sniffer) named Ethereal. Ethereal runs on both Windows and Linux, sports features not found in many commercial sniffers, and, unlike the regular version of Microsoft Network Monitor, captures all packets promiscuously. And it's free!

Installing Ethereal
Installing Ethereal on Windows 9x and later is a two-step process. You must first download and install the most recent version of the WinPcap driver (version 3.0) from http://winpcap.polito.it/install. The WinPcap driver is a free Windows port of the UNIX libpcap packet-capture library. Ethereal uses WinPcap to pull packets off the network. To learn more about WinPcap's other important uses, see the Web-exclusive sidebar "WinPcap and Security Tools," http://www.winnetmag.com/windowssecurity, InstantDoc ID 40950.

To install WinPcap, double-click the downloaded setup executable; you typically don't have to reboot. If you want to cleanly uninstall WinPcap later, you'll find it listed in the Control Panel Add/Remove Programs applet.

Next, download the most recent Ethereal setup executable (version 9.16) from http://www.ethereal.com/distribution/win32 and double-click it. You'll see a list of optional components, but go ahead and install everything (the download requires 33MB of space). When installation is finished, you'll have an Ethereal shortcut on your desktop and an Ethereal folder on your Start menu. You don't typically have to reboot at this point. If you have any problems, see the Ethereal FAQ at http://www.ethereal.com/faq.html. One common problem is not having the most recent version of WinPcap installed.

Capturing Packets
Capturing and displaying packets is easy. Launch Ethereal and select Start from the Capture menu. In the Capture Options dialog box, which Figure 1 shows, select the network interface from which you'd like to catch packets, select the Update list of packets in real time and Automatic scrolling in live capture check boxes, and click OK. Don't select those two check boxes if your CPU consistently runs at more than 90 percent while sniffing. You can also turn off network name resolution and use capture filters (which I discuss later) to improve performance. While Ethereal is capturing packets, a pop-up dialog box presents a Stop button that you can click to quit capturing. After capturing a few hundred packets, click Stop.

Similar to Network Monitor, Ethereal shows the list of ensnared packets in the top pane of its application window, as Figure 2 shows. If you click a packet, Ethereal parses it into its named fields in the middle pane and shows the packet's hexadecimal/ASCII dump in the bottom pane. When you highlight a particular field in the middle pane, the corresponding bytes are highlighted in the bottom hex/ASCII pane. To view a statistical breakdown of your capture, select Tools, Protocol Hierarchy Statistics.

Display Filters
You can filter the captured packets so that Ethereal shows only the packets that interest you, and Ethereal has built-in tools to simplify the construction of display filters. Let's try using one of these tools: the Prepare feature. Begin a Prepare by capturing traffic that includes the types of packets or sessions you want to view; for example, if you want to see HTTP requests to a particular Web server, attach a laptop with Ethereal to the hub or segment directly connected to your Web server, then send the desired traffic from a client machine. (You won't be able to sniff a switched network unless you put your port on the switch into all-packets or "spanned" mode.) In the top pane of the application window, select a packet in your capture that's representative of the data you're interested in. You'll need to be able to identify the packet by its distinctive characteristics (e.g., IP addresses, port numbers, protocol ID numbers). If you aren't sure you have the right packet, you can do a Google search on the protocols or software involved to find their ID numbers.

Drill down to the desired packet characteristic in the middle pane of the application window. For example, for a captured packet containing an HTTP request to your Web server, double-click the Transmission Control Protocol layer of that packet in the middle pane and find the Destination Port field. Right-click Destination Port: 80 (80), click Prepare, then click Selected, as Web Figure 1 (http://www.winnetmag.com/windowssecurity, InstantDoc ID 40949) shows. Notice that you've added tcp.dstport == 80 to the Filter text box at the bottom of the window. Click Apply at the bottom of the window. The top pane now shows only packets with a destination of TCP port 80. To display all packets again by clearing your filter, click Reset at the bottom of the window. To see a list of recently used filters that you can select from, click the down arrow next to the Filter text box.

What if you want to see both HTTP requests to your Web server and its HTTP replies? The real power of Ethereal display filters lies in your ability to combine them by using Boolean operators and parentheses. Click Reset, click the down arrow next to the Filter text box, and select tcp.dstport == 80. Now, find a packet in the top pane from the Web server, open its TCP layer in the middle pane, right-click Source Port: 80 (80), click Prepare, then click Or Selected. Your filter should now look like (tcp.dstport == 80) || (tcp.srcport == 80). Two pipe symbols (||) represent the Boolean Or operator, two ampersands (&&) mean And, and an exclamation point (!) means Not. Click Apply, and you'll see entire HTTP sessions, not just the clients' requests to the server. You can build extremely precise and sophisticated filters this way.
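To make the precedence and combination rules concrete, here is an added example (not code from the article or from Ethereal) that parses the display-filter subset used above, "field == value" tests joined by ||, && and ! with parentheses, and applies it to a constructed three-packet capture; the field names mirror Ethereal's (tcp.dstport, tcp.srcport, ip.src) and the packet records and port numbers are made up for illustration.

```python
import re
# Added example, not code from the article or from Ethereal: evaluates the display-filter
# subset the article builds with Prepare (field == value, ||, &&, !, parentheses) over constructed packets.
TOKEN_RE = re.compile(r"\(|\)|\|\||&&|!|==|[A-Za-z_][\w.]*|[\d.]+")

def parse(filter_text):
    """Tokenize and parse with Ethereal's precedence (! binds tightest, then &&, then ||).
    Returns a tree of ('eq', field, value), ('not', x), ('and', a, b) or ('or', a, b)."""
    toks = TOKEN_RE.findall(filter_text)
    if "".join(toks) != "".join(filter_text.split()):  # findall skipped an illegal character
        raise ValueError(f"bad filter syntax: {filter_text!r}")
    def take(expected=None):
        if not toks or (expected and toks[0] != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {toks[:1]}")
        return toks.pop(0)
    def primary():
        if toks and toks[0] == "!":
            take(); return ("not", primary())
        if toks and toks[0] == "(":
            take(); node = or_expr(); take(")"); return node
        field = take(); take("=="); value = take()
        return ("eq", field, int(value) if value.isdigit() else value)
    def binary(op, operand):  # left-associative chain of one operator
        node = operand()
        while toks and toks[0] == op:
            take(); node = ("and" if op == "&&" else "or", node, operand())
        return node
    and_expr = lambda: binary("&&", primary)
    or_expr = lambda: binary("||", and_expr)
    tree = or_expr()
    if toks: raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def evaluate(node, packet):
    """True if one decoded packet (a dict of field -> value) matches the filter tree."""
    if node[0] == "eq": return packet.get(node[1]) == node[2]  # absent field never matches
    if node[0] == "not": return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return (left or right) if node[0] == "or" else (left and right)

def apply_filter(filter_text, packets):  # like typing a filter in the Filter box and clicking Apply
    tree = parse(filter_text)
    return [p["no"] for p in packets if evaluate(tree, p)]

# Constructed capture: client 10.0.0.5 talks to Web server 10.0.0.80, plus one DNS query.
CAPTURE = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.80", "tcp.srcport": 3421, "tcp.dstport": 80},
    {"no": 2, "ip.src": "10.0.0.80", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 3421},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "udp.srcport": 1025, "udp.dstport": 53},
]
```

Frame 3 carries no tcp.* fields, so a test on tcp.dstport simply fails for it rather than erroring, which is also how Ethereal treats a field the packet lacks.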
