207.68.171.245.
One last tip about working with packet captures is that you can change the background and foreground color of the packets you're interested in to make them easier to find. After capturing an HTTP session, for example, select Colorize Display from the Display menu in Ethereal's application window. In the resulting dialog box, click New, type HTTP in the Name text box, delete the word filter from the String text box, and click Add Expression. When a protocol list appears, scroll down and highlight HTTP, click is present in the Relation column, and click Accept. Next, click Background Color, choose a color, and click OK, OK, Save, Apply, OK. The HTTP packets in the capture are now colorized.
Capture Filters
Display filters limit the packets that Ethereal displays, but they don't limit the packets that Ethereal snags in the first place. Capture filters, however, do limit the packets captured. Using capture filters, you can log just the packets you want and ignore the rest. Capture filters are important for optimizing Ethereal's performance and for keeping your capture files as small as possible.
The Capture Options dialog box has a Filter text box in which you can type a filter string. (You can also click the Filter button to save your filter string and reuse it later.) Because the WinPcap driver, rather than Ethereal, enforces capture filters, the capture filter syntax is different from display filter syntax. For example, the capture string ip host 10.4.1.1 and tcp port 80 selects packets to and from TCP port 80 on IP address 10.4.1.1. The operators available in capture strings permit you to form precise filters, but usually a basic capture filter that mentions only IP addresses or port numbers is sufficient to keep the size of the capture file manageable. Then, you can easily create more precise display filters by using Ethereal's built-in tools. You can find the documentation for capture filters at http://windump.polito.it/docs/manual.htm, which is the manual for another WinPcap-driven application, WinDump.
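To make concrete what a capture filter such as ip host 10.4.1.1 and tcp port 80 actually tests, here is an added Python example (not part of this article, and not the WinPcap or Ethereal code). It pulls the addresses, protocol number and ports out of raw Ethernet/IPv4 frames and keeps only the frames a filter of that shape would pass. The frames are constructed inline for the demonstration, and the helper names (build_frame, decode, ip_host, tcp_port) are my own.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(src_ip, dst_ip, sport, dport, proto=IPPROTO_TCP, payload=b""):
    """Constructed test frame: Ethernet header, minimal IPv4 header, and a 20-byte
    transport header whose first two fields are the ports. Checksums are left at
    zero, so these frames are illustrative only."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + transport + payload


def decode(frame):
    """Extract only the fields a capture filter needs: IPs, protocol number and ports.
    Returns None for anything that is not IPv4 over Ethernet."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[23]
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    ports = None
    l4 = 14 + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        ports = struct.unpack("!HH", frame[l4:l4 + 4])   # (source port, destination port)
    return {"src": src, "dst": dst, "proto": proto, "ports": ports}


# Predicate builders mirroring the capture-filter primitives used in the article.
def ip_host(addr):
    return lambda f: addr in (f["src"], f["dst"])


def tcp_port(port):
    return lambda f: f["proto"] == IPPROTO_TCP and f["ports"] is not None and port in f["ports"]


def both(*preds):                             # the filter's "and"
    return lambda f: all(p(f) for p in preds)


def capture(frames, predicate):
    """What the driver does at capture time: decode each frame and keep only those
    the filter accepts, so the rest never reach the capture file."""
    kept = []
    for frame in frames:
        fields = decode(frame)
        if fields is not None and predicate(fields):
            kept.append(frame)
    return kept


def sample_frames():
    """Constructed traffic mix: only two frames belong to the 10.4.1.1 / port 80 session."""
    return [
        build_frame("10.4.1.1", "192.168.0.5", 1025, 80),                      # match
        build_frame("192.168.0.5", "10.4.1.1", 80, 1025),                      # match (reply)
        build_frame("10.4.1.1", "192.168.0.5", 1026, 443),                     # wrong port
        build_frame("10.4.1.2", "192.168.0.5", 1027, 80),                      # wrong host
        build_frame("10.4.1.1", "10.4.1.254", 53000, 80, proto=IPPROTO_UDP),   # UDP, not tcp
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                             # ARP, not IP
    ]


HOST_AND_PORT80 = both(ip_host("10.4.1.1"), tcp_port(80))   # "ip host 10.4.1.1 and tcp port 80"

if __name__ == "__main__":
    kept = capture(sample_frames(), HOST_AND_PORT80)
    print(f"{len(kept)} of {len(sample_frames())} frames pass the capture filter")
```

Note that tcp port 80 rejects the UDP frame even though its port field is 80; a display filter written later in Ethereal can still slice the captured subset further, but frames discarded here are gone for good, which is why a capture filter should be only as narrow as you are sure you need.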
Following TCP Streams
A slick feature is Ethereal's ability to extract TCP payloads from client/server sessions and display these reconstructed streams in one window. To try out this feature, capture a session during which you download a text file from an FTP server, right-click a TCP port 21 packet from that session, and select Follow TCP Stream. A window, which Web Figure 2 shows, displays the ASCII text of the client's requests (highlighted in black) and the server's responses to them. You can even see the contents of the downloaded file. Reset your display filter at the bottom of the window, right-click a TCP port 20 packet in the top pane, and select Follow TCP Stream. Ethereal will display the reconstructed ASCII contents of the file you downloaded.
If you can capture the packets of a malicious user while he or she attacks your servers, the ability to reconstruct the attacker's sessions will be a big help in handling the incident. Following TCP streams is a wonderful way to learn how protocols work and to troubleshoot problems with them. However, following TCP streams is also a feature that can get you into trouble; be careful not to misuse it.
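To show what Follow TCP Stream is doing with the packets it is handed, here is an added Python example (my own illustration, not Ethereal's code). It reassembles both directions of a constructed FTP control session whose segments were captured out of order and include one retransmission, and it ignores a segment from an unrelated connection. The addresses, ports, sequence numbers and FTP lines are made up for the example; the function name follow_tcp_stream is mine.

```python
# Constructed capture of one FTP control session (port 21) plus a stray segment
# from another client. Fields: (src_ip, src_port, dst_ip, dst_port, seq, payload).
CLIENT = ("10.0.0.5", 1040)
SERVER = ("10.0.0.9", 21)

SEGMENTS = [
    ("10.0.0.9", 21, "10.0.0.5", 1040, 5000, b"220 ftp ready\r\n"),
    ("10.0.0.5", 1040, "10.0.0.9", 21, 1000, b"USER anonymous\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 1040, 5041, b"230 Login ok\r\n"),             # seen before the 331
    ("10.0.0.9", 21, "10.0.0.5", 1040, 5015, b"331 Please send password\r\n"),
    ("10.0.0.5", 1040, "10.0.0.9", 21, 1016, b"PASS guest@\r\n"),
    ("10.0.0.5", 1040, "10.0.0.9", 21, 1016, b"PASS guest@\r\n"),             # retransmission
    ("10.0.0.7", 2000, "10.0.0.9", 21, 9000, b"USER other\r\n"),               # different connection
]


def follow_tcp_stream(segments, client, server):
    """Reassemble one TCP connection into two byte strings, client->server and
    server->client, the way Follow TCP Stream presents it: payload is ordered by
    sequence number, retransmitted or overlapping bytes are dropped, and segments
    belonging to other connections are ignored. Sequence-number wraparound is not
    handled, which is fine for a short session like this one."""
    per_direction = {"client": [], "server": []}
    for src, sport, dst, dport, seq, data in segments:
        if not data:
            continue                                   # SYN/ACK-only segments carry no payload
        if (src, sport) == client and (dst, dport) == server:
            per_direction["client"].append((seq, data))
        elif (src, sport) == server and (dst, dport) == client:
            per_direction["server"].append((seq, data))

    result = {}
    for direction, chunks in per_direction.items():
        chunks.sort(key=lambda c: c[0])                # stable: order by sequence number
        out = bytearray()
        next_seq = None
        for seq, data in chunks:
            if next_seq is None:
                next_seq = seq
            end = seq + len(data)
            if end <= next_seq:
                continue                               # complete duplicate (retransmission)
            if seq < next_seq:
                data = data[next_seq - seq:]           # partial overlap: keep only the new tail
            elif seq > next_seq:
                out += b"[%d bytes missing]" % (seq - next_seq)   # a gap in the capture
            out += data
            next_seq = end
        result[direction] = bytes(out)
    return result


def ftp_demo():
    """Run the reassembly over the constructed session above."""
    return follow_tcp_stream(SEGMENTS, CLIENT, SERVER)


if __name__ == "__main__":
    streams = ftp_demo()
    for direction in ("client", "server"):
        print(f"--- {direction} ---")
        print(streams[direction].decode("ascii"), end="")
```

The reassembled client side contains the USER and PASS lines in clear text, which is exactly why FTP sessions reconstructed from a capture are both useful for incident handling and sensitive to keep.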
Saving Captures to Disk
I've shown you how to use Ethereal to sniff network traffic and work with packets in memory. However, Ethereal can also write packet data directly to disk. And Ethereal can save packets to, and read packets from, a variety of file formats, including the capture file formats that Network Monitor, Network Associates' Sniffer, and other products use. Thus, you could, for example, use Network Monitor to capture from agents on remote segments, then use Ethereal for your data analysis.
By default, Ethereal uses the libpcap capture format, which tcpdump, WinDump, the Snort Intrusion Detection System (IDS), and many other applications use. (Libpcap format is something of a lingua franca for packet-manipulation and packet-analysis tools.) If you need to translate one vendor's file format into another's or render heterogeneous capture files into libpcap, you can use Ethereal's editcap.exe and text2pcap.exe utilities.
When you intend to capture a lot of data to files, you should use capture filters to snare only the packets you need. You should also enable ring buffer logging, which writes data to a set of smaller files rather than one big, hard-to-handle file. You specify a time or size limit that, when reached, causes Ethereal to create and use a new capture file. For example, if you intend to capture many gigabytes of data, set a 100MB limit so that Ethereal creates a new capture file after each 100MB of data captured. Each file in the "ring" of files will have the same base name with a different successive index number and timestamp appended to it. For example, if your capture file base name is HTTPcode500, you'll have files named HTTPcode500_indexnumber_yearmonthdayhourminsec.
To create a ring buffer that consists of files that contain no more than 100MB of data each, select Start from the Capture menu to open the Capture Options dialog box. In the Display options section, clear the Update list of packets in real time check box (if selected). In the Capture file(s) section, select the Use ring buffer option and set the Number of files value to 0 to let Ethereal create an unlimited number of files. Note that when you select the Use ring buffer option, the Stop capture after n kilobyte(s) captured option in the Capture limits section changes to Rotate capture file every n kilobyte(s). Enter 100000 in the Rotate capture file every n kilobytes box so that Ethereal will create a new file for each 100MB of data written.
If you set the number of ring buffer files to, say, 50, Ethereal will have only fifty 100MB files at one time no matter how much data it captures because Ethereal will always delete the oldest file to make space for the newest one; you'll have one 5GB buffer (50 × 100MB) of capture data. You might want to use this approach to always keep on hand the most recent 5GB of HTTP requests to your public Microsoft IIS servers as you wait for the next unpredictable (but inevitable) attack against your Web farm.
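The libpcap file layout mentioned above and the ring-buffer rotation just described are simple enough to show in a few dozen lines. The Python below is an added example, not Ethereal's code: it writes frames into files in libpcap format (a 24-byte file header followed by a 16-byte header per packet), starts a new file whenever the size limit would be exceeded, deletes the oldest file once the file count is reached (0 meaning unlimited, as in the dialog box), and reads the surviving files back. The file name pattern base_index_timestamp follows the article; the five-digit index width, the tiny 372-byte limit and the constructed 100-byte frames are my choices so the rotation can be watched in a temporary directory.

```python
import os
import struct
import tempfile
import time
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, data):
    """16-byte packet header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


class RingBufferWriter:
    """Rotate by size and keep at most max_files files (0 = unlimited), as the
    Use ring buffer option does; this is an illustration, not Ethereal's implementation."""

    def __init__(self, directory, base_name, size_limit, max_files=0):
        self.directory, self.base_name = directory, base_name
        self.size_limit, self.max_files = size_limit, max_files
        self.files = deque()        # paths currently on disk, oldest first
        self.index = 0
        self.fh = None
        self.written = 0

    def _rotate(self):
        if self.fh:
            self.fh.close()
        self.index += 1
        stamp = time.strftime("%Y%m%d%H%M%S")
        path = os.path.join(self.directory, f"{self.base_name}_{self.index:05d}_{stamp}")
        self.fh = open(path, "wb")
        header = pcap_global_header()
        self.fh.write(header)
        self.written = len(header)
        self.files.append(path)
        while self.max_files and len(self.files) > self.max_files:
            os.remove(self.files.popleft())   # the oldest file makes room for the newest

    def write(self, ts, data):
        record = pcap_record(ts, data)
        # Rotate when this record would push the file past the limit; the
        # written > header check stops an oversized record from rotating forever.
        if self.fh is None or (self.written > GLOBAL_HEADER_LEN
                               and self.written + len(record) > self.size_limit):
            self._rotate()
        self.fh.write(record)
        self.written += len(record)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None


def read_pcap(path):
    """Parse a native-order libpcap file into a list of (timestamp, frame bytes)."""
    with open(path, "rb") as f:
        magic, _major, _minor, _tz, _sig, _snaplen, _link = struct.unpack(
            "<IHHiIII", f.read(GLOBAL_HEADER_LEN))
        if magic != PCAP_MAGIC:
            raise ValueError(f"{path}: not a native-order libpcap file")
        packets = []
        while True:
            rec = f.read(RECORD_HEADER_LEN)
            if len(rec) < RECORD_HEADER_LEN:
                break
            sec, usec, incl, _orig = struct.unpack("<IIII", rec)
            packets.append((sec + usec / 1e6, f.read(incl)))
    return packets


def run_demo(directory, n_packets=30, size_limit=372, max_files=4):
    """Push n_packets constructed 100-byte frames through the ring and read back
    what survived. Returns (files kept, first byte of each surviving frame)."""
    writer = RingBufferWriter(directory, "HTTPcode500", size_limit, max_files)
    for i in range(n_packets):
        writer.write(1_000_000 + i, bytes([i]) * 100)   # constructed payload: byte i repeated
    writer.close()
    surviving = []
    for path in writer.files:
        surviving.extend(frame[0] for _ts, frame in read_pcap(path))
    return len(writer.files), surviving


def run_demo_in_tempdir(**kwargs):
    with tempfile.TemporaryDirectory() as tmp:
        return run_demo(tmp, **kwargs)


if __name__ == "__main__":
    count, ids = run_demo_in_tempdir()
    print(f"{count} files kept; frames retained: {ids}")
```

With a 372-byte limit each file holds exactly three 116-byte records, so 30 frames produce ten files and a four-file ring keeps only frames 18 through 29; the same arithmetic with 100MB files and a count of 50 gives the 5GB window described above.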
If you do plan to write packets to files on a continuous or scheduled basis, you'll probably want to script the process from the command line. Ethereal doesn't have to run in GUI mode.
Tethereal
Tethereal is the command-line version of Ethereal. Use Tethereal anytime you need to schedule captures or trigger capturing when a scriptable event occurs. Some examples of such events are a threatening SQL ADO error occurring in an Active Server Pages (ASP) page, the SMTP service failing on your smart host (see the Recovery tab of any service in the Control Panel Administrative Tools applet's Services tool for configuring automatic script execution), or a System Monitor alert being triggered.
To get started, run cmd.exe, navigate to the folder in which you installed your Ethereal binaries (probably C:\program files\ethereal), and type
tethereal.exe
with no command-line switches. You should start to see live packet header information. If you want to see more detail, type
tethereal.exe -n -x -V
where -n suppresses name resolution, -x prints an ASCII translation of the hex values, and -V parses the protocol (the switches are case sensitive). If you get an error, type
tethereal.exe -D
to get a list of the interfaces from which Tethereal can capture, but keep in mind that VPN, dial-up, and other WAN interfaces likely won't work, and WinPcap can't currently capture promiscuously from 802.11 wireless cards.
Tethereal typically captures from the first interface it finds, but you can specify the interface you want with the -i switch. Hence, if you run Tethereal with the -D switch and it returns something like ORINOCO PC Card: \Device\NPF_{4AB1A41F-9F93-4808-9C89-D51565C8B2F1},
try the command
tethereal.exe -i "\Device\NPF_{4AB1A41F-9F93-4808-9C89-D51565C8B2F1}"
Notice that you don't use the friendly name of the interface but rather the device's Windows internal name (the text after the colon when you run Tethereal with the -D switch), and you can't simply use the interface number either.
If Ethereal works but Tethereal doesn't, specifying the interface by name usually solves the problem. Also, make sure you're using the correct case-sensitive switches with no syntax errors or missing double quotes.
You can use a capture filter with the -f switch or a display filter with the -R switch when viewing packets on screen or saving them to a file. The following is an example of using a display filter on the command line:
tethereal.exe -R "tcp.port