Istrancis

Ethereal Help

18 posts in this topic

Okay, so I've got Ethereal running in Ubuntu, and I have run a capture file (only a few packets on my own wireless network) but I can't make much sense of it. Is there any advice that anyone can offer for understanding Ethereal, and all of the packets etc. that it captures? As usual, any advice would be appreciated, thanks! ;)

Okay, so I've got Ethereal running in Ubuntu, and I have run a capture file (only a few packets on my own wireless network) but I can't make much sense of it. Is there any advice that anyone can offer for understanding Ethereal, and all of the packets etc. that it captures? As usual, any advice would be appreciated, thanks! ;)

Could you give us a little more info to go on please?

-Enigma

Just a stupid question... how do we pronounce "Ethereal"?

I'm not a native English speaker, and I always wondered...

I don't understand how I'm supposed to make sense of any of the sniffed traffic. Are they the individual packets of information that I'm looking at? Also, how do I make sense of any of the numbers etc. down at the bottom of the window? I think it's the encrypted packet or something. I suppose it would be, since I use a WEP enabled network.

Just any advice really would be helpful, thanks a lot eth0enigma, you too s.in. Oh, and Aghaster, I've wondered that too, and I do speak English natively! Thanks for those links, DanielG.

Yes, they are individual packets, with the packet details given in the lower window. You can filter based on a whole lot of options such as source/destination/protocol. Also, ethereal lets you see the complete conversation for related packets.

Essentially what you see are the raw packets. If you are looking for specific details, you will have to poke inside these, and use the appropriate tools to handle the packets.

May I suggest that you have a look at these sites?

http://www.ethereal.com/docs/eug_html_chunked/

http://www.linuxjournal.com/article/6842

You could also try ettercap.

Edited by s.in
Hi, you could try SmartSniff just to start with because it's a lot simpler:

http://www.nirsoft.net/utils/smsniff.html

I just noticed you're using Ubuntu. Nice one lol, so forget about SmartSniff.

Another networking program that's easy to play with in Ubuntu is p0f:

sudo aptitude install p0f

apt-cache show p0f <---- that will tell you a bit about it if you're interested??? That's a 0, as in 012345, between the p and f :D

And here are some links about the 'TCP/IP Suite', which are the rules governing the internet.

http://www.cisco.com/warp/public/535/4.html

http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

http://www.wdvl.com/Authoring/Tools/Tutori...P_IPbasics.html

Edit: forget what I said about the pronunciation, it's not correct :|

Edited by iceni
Some good links posted there to get started. But if you *really* want to understand what ethereal is showing you, the key document is RFC 793 (http://www.faqs.org/rfcs/rfc793.html), especially section 3, the Functional Specification. This is basically required reading for any aspiring network hacker. It may be a bit hard going and full on, but the benefits from understanding this RFC are well worth the effort. BTW, you should upgrade to Wireshark by now :)

Hi, you could try SmartSniff just to start with because it's a lot simpler:

http://www.nirsoft.net/utils/smsniff.html

Edit: forget what I said about the pronunciation, it's not correct :|

Tried SmartSniff... a question: what is the domain service?

Protocol : UDP

Local Port : 1027

Remote Port : 53

Service Name : domain

Packets : 12

Tried SmartSniff... a question: what is the domain service?

Protocol : UDP

Local Port : 1027

Remote Port : 53

Service Name : domain

Packets : 12

Domain Name Service. /etc/services gives you a pretty complete list.

Tried SmartSniff... a question: what is the domain service?

Protocol : UDP

Local Port : 1027

Remote Port : 53

Service Name : domain

Packets : 12

Domain Name Service. /etc/services gives you a pretty complete list.

soreeeeeeeee.

I feel so stupid. Got thrown by the 'domain'.

Thanks a lot for all the help, guys. I haven't gotten around to looking through it all, but hopefully I will soon enough. Thanks again, and feel free to keep the advice comin'!

Hmm...clickable smilies don't seem to be working... It was a 404, so it looks like they've been taken off the server. Weird. Ah well, the smiley codes still work! :D

Edited by Istrancis
The best way to understand wireshark/ethereal output is to understand how internet communications work.

Start with the OSI model: http://en.wikipedia.org/wiki/OSI_model

While data is being transferred across a network, each layer adds its own header to the data. Eventually this creates the entire packet with the protocols used at each layer. This is the stuff you need to familiarize yourself with if you wish to be fluent at reading network traffic.

Hey, at least I didn't say go read all the RFC documents on the following protocols...

Look, when it comes down to it, you have to ask yourself:

Do you know how ports work?

Do you understand not all network traffic utilizes ports?

Do you know what a SYN or an ACK is? What about an ARP or RARP?

Do you understand what protocols utilize these? Why? How?

Because what you are looking at in ethereal/wireshark is the ASCII representation of each one of those packets. If you don't understand how the packets relate to one another you will be lost.

Hey, at least I didn't say go read all the RFC documents on the following protocols...

Do you understand not all network traffic utilizes ports?

Because what you are looking at in ethereal/wireshark is the ASCII representation of each one of those packets. If you don't understand how the packets relate to one another you will be lost.

I wasn't aware of this. I thought for any traffic to enter the network, a port was necessarily opened. Could you point me to something that would clarify this?

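An added example, not written by anyone in this thread, that walks through the layering described in the OSI post above and the point just raised that not all traffic has ports: it peels constructed Ethernet/IPv4/UDP/DNS and ARP frames one header at a time, the way Wireshark's detail pane does, and names port 53 from a constructed subset of /etc/services. The MAC and IP addresses, the example.com query and the ARP request are all made up.

```python
import struct

# Constructed subset of /etc/services, the file the thread points at for port names
SERVICES = {(53, "udp"): "domain", (53, "tcp"): "domain", (80, "tcp"): "http"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def dns_qname(data):
    """Read a DNS question name: length-prefixed labels ending in a zero byte."""
    labels, i = [], 0
    while data[i]:
        labels.append(data[i + 1:i + 1 + data[i]].decode())
        i += 1 + data[i]
    return ".".join(labels)

def decode_frame(frame):
    """Peel one header per layer, like Wireshark's detail pane: Ethernet -> IPv4 -> UDP -> DNS."""
    layers = []
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers.append(("Ethernet", {"src": src.hex(":"), "dst": dst.hex(":"), "type": hex(ethertype)}))
    body = frame[14:]
    if ethertype == 0x0806:  # ARP sits directly on Ethernet: no IP header, hence no ports at all
        op = struct.unpack("!H", body[6:8])[0]
        layers.append(("ARP", {"op": {1: "request", 2: "reply"}.get(op, op), "ports": None}))
        return layers
    if ethertype != 0x0800:
        return layers  # anything else (IPv6, etc.) is left undecoded here
    ver_ihl, _, total_len, _, _, _, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", body[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; IP options make it longer than 20
    layers.append(("IPv4", {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)), "proto": IP_PROTOS.get(proto, proto)}))
    l4 = body[ihl:total_len]
    if proto == 17:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        layers.append(("UDP", {"sport": sport, "dport": dport, "service": SERVICES.get((dport, "udp"), "unknown")}))
        if dport == 53:  # application layer: decode just the DNS transaction id and question name
            layers.append(("DNS", {"id": hex(struct.unpack("!H", l4[8:10])[0]), "qname": dns_qname(l4[20:])}))
    elif proto == 1:  # ICMP rides on IP but carries a type/code pair, not ports
        layers.append(("ICMP", {"type": l4[0], "code": l4[1], "ports": None}))
    return layers

# Constructed sample frames (not from a real capture): a DNS query like the one asked about above
DNS_MSG = struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
UDP_HDR = struct.pack("!HHHH", 1027, 53, 8 + len(DNS_MSG), 0)  # local port 1027 -> remote port 53
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(DNS_MSG), 0x1234, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC (made up)
DNS_FRAME = ETH + b"\x08\x00" + IP_HDR + UDP_HDR + DNS_MSG
ARP_FRAME = ETH + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)  # ARP request, no ports

if __name__ == "__main__":
    print(decode_frame(DNS_FRAME), decode_frame(ARP_FRAME), sep="\n\n")
```

Compare the printed layers with the detail pane for a real DNS packet in Wireshark: the same Ethernet, IP and UDP fields appear in the same order, and an ARP frame stops after two layers because there is no transport header to carry ports.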