

Ethereal Packet Sniffing

nazarijo writes "I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible. Sniffers and protocol analyzers are part of my bread and butter, and I'd be foolish to not use Ethereal. Tcpdump for a quick capture, but I use Ethereal when I need detailed information in a better, more navigable fashion. Because of that, I was pretty interested to see a book on Ethereal coming out." Read on for Jose's review of Ethereal Packet Sniffing from Syngress.

Ethereal Packet Sniffing
author: Angela Orebaugh with Greg Morris and Ed Warnick
pages: 468
publisher: Syngress
rating: 7
reviewer: Jose Nazario
ISBN: 1932266828
summary: Solid coverage of an excellent networking tool. Offers value beyond free documentation, insight available nowhere else, and plenty of handy tips and tricks.

I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with free docs. While the book comes out favorably for me, I'll start with the things I didn't like.

One of the big things that is missing from this book is any coverage of Ethereal on OS X. Given how many people are migrating to OS X (from UN*X or from Windows), and the coverage of Ethereal on Windows, I would have expected some mention of it. Luckily it's available in both Darwin Ports and the Fink project, but some mention of any of the quirks people may encounter would have been welcome. Amy (from Syngress) tells me that they will have a paper in their Solutions center on Ethereal on OS X, which would be great to see.

Another annoyance with the book is the repeated coverage in some sections of various aspects of Ethereal. One that stands out is the coverage of the additional tools which are installed alongside Ethereal, like Editcap and Text2pcap. They are covered in chapter 2 for a bit and then more completely in chapter 6. Covering these tools only once would have sufficed, but it does let chapter 2 stand on its own. Amy tells me that they do this intentionally, because it makes some chapters stand on their own as "units" for others to use. That makes sense.

A final bit of the book I didn't like was the choice of screenshots: quite a number of them were full-screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. A lot of information gets dumped in Ethereal; helping people navigate the UI with a static, black-and-white image would have been worth the effort.

Now, on to the real strengths of the book. Like I said earlier, the book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well: how to place a sniffer to get coverage, what a sniffer can tell you during troubleshooting (and what it can't), and of course how to get and install Ethereal (on UN*X and Windows).

The next chapter covers exactly what you would expect it to, how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).

Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products.
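The two preceding paragraphs describe the pcap-management tools shipped with Ethereal (Editcap, Mergecap, Text2pcap) and the capture formats Ethereal can read. The following is an added example, not code from the book or from Ethereal's source: it hand-builds the classic libpcap file layout (24-byte global header, 16-byte per-record header), reads it back while detecting byte order from the magic number, and merges two captures by timestamp the way Mergecap does by default. The Ethernet frames and timestamps are constructed sample data; the nanosecond magic variant and the truncation checks are included because a reader that ignores them misparses real-world files.

```python
"""Minimal classic-pcap writer, reader and timestamp merger (added example)."""
import struct
from typing import Iterable, List, Tuple

Record = Tuple[int, int, bytes]   # (ts_sec, ts_usec, captured frame bytes)

PCAP_MAGIC = 0xA1B2C3D4           # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D        # variant with nanosecond timestamps
GLOBAL_HDR = "IHHiIII"            # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"               # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
LINKTYPE_ETHERNET = 1


def write_pcap(records: Iterable[Record], big_endian: bool = False,
               snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize records into a pcap blob; the magic is written in the chosen byte order."""
    end = ">" if big_endian else "<"
    out = [struct.pack(end + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in records:
        data = frame[:snaplen]            # captured bytes may be shorter than the original frame
        out.append(struct.pack(end + RECORD_HDR, ts_sec, ts_usec, len(data), len(frame)))
        out.append(data)
    return b"".join(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a pcap blob, detecting byte order from the magic. Returns (linktype, records)."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic_le, = struct.unpack("<I", blob[:4])
    magic_be, = struct.unpack(">I", blob[:4])
    if magic_le in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end, nanos = "<", magic_le == PCAP_MAGIC_NS
    elif magic_be in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end, nanos = ">", magic_be == PCAP_MAGIC_NS
    else:
        raise ValueError("not a classic pcap file: magic %s" % blob[:4].hex())
    _, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + GLOBAL_HDR, blob[:24])

    records: List[Record] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + RECORD_HDR, blob[off:off + 16])
        off += 16
        if incl_len > orig_len:
            raise ValueError("captured length exceeds original length at offset %d" % (off - 16))
        if off + incl_len > len(blob):
            raise ValueError("truncated record data at offset %d" % off)
        ts_usec = ts_frac // 1000 if nanos else ts_frac   # normalise to microseconds
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def is_pcap(blob: bytes) -> bool:
    """True if the blob parses cleanly as classic pcap."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


def merge_pcaps(blobs: Iterable[bytes]) -> bytes:
    """Merge several pcap blobs into one ordered by timestamp (Mergecap's default behaviour)."""
    linktype = None
    merged: List[Record] = []
    for blob in blobs:
        lt, recs = read_pcap(blob)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("cannot merge captures with different link types")
        merged.extend(recs)
    merged.sort(key=lambda r: (r[0], r[1]))   # stable sort keeps same-timestamp order per input
    return write_pcap(merged, linktype=linktype if linktype is not None else LINKTYPE_ETHERNET)


def demo_frame(seq: int) -> bytes:
    """Constructed Ethernet II frame: broadcast dst, locally administered src, IPv4 ethertype."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00" + bytes([seq]) + b"\x08\x00" + b"payload-%d" % seq


if __name__ == "__main__":
    cap_a = write_pcap([(10, 0, demo_frame(1)), (12, 500, demo_frame(3))])
    cap_b = write_pcap([(11, 0, demo_frame(2))], big_endian=True)   # a foreign-endian capture
    _, merged = read_pcap(merge_pcaps([cap_a, cap_b]))
    for ts_sec, ts_usec, frame in merged:
        print(ts_sec, ts_usec, frame[-9:])
```

The byte-order detection is the part worth noticing: a pcap written on a big-endian host carries the same magic in the opposite byte order, and every header field after it must be unpacked with that order, which is why the reader chooses the struct prefix once and reuses it for every record.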

Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.

Chapter 9 will be useful to only a small subset of people, but quite useful to them. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.

Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.

The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think.

All in all I would say this is probably worth picking up if you're looking at becoming a network operator or network security junkie. You'll learn a lot about a powerful tool, how to integrate it into your use, and even how to dissect real traces of traffic. I give it a 7 out of 10 for the above weaknesses, but that shouldn't stop you from strongly considering it.

You can purchase Ethereal Packet Sniffing from bn.com.

  1. Additional note: by Anonymous Coward · · Score: 5, Funny

    I purchased this book using credit card information I picked up using Ethereal.

    1. Re:Additional note: by MisanthropicProgram · · Score: 1, Funny

      Ah HA! Now, I can blame that $543.21 porn bill on you!
      I'm off the hook with my girlfriend! Pfew!

    2. Re:Additional note: by Anonymous Coward · · Score: 3, Funny

      I should also thank you for not posting a joke like:
      In Soviet Russia Ethereal you!
      or ...
      Ethereal
      ???
      Profit!

      There! I just earned my second "Troll" mod for the week.

      --
      Getting modded as "Troll" let's me know that I'm not succumbing /. groupthink.
      Getting modded as "Troll" lets everyone else know your an idiot.

    3. Re:Additional note: by Otter · · Score: 3, Funny
      Getting modded as "Troll" lets everyone else know your an idiot.

      If you're going to be an apostrophe troll, you need to make sure you get your own apostrophes right!

    4. Re:Additional note: by Anonymous Coward · · Score: 0, Funny

      Maybe it's just a development of that whole trolling technique... hooking as many people as possible :)

  2. I love this tool by jxs2151 · · Score: 3, Funny

    Can only understand about half of what it does though. Maybe I'll buy the book.

  3. Just Wondering.... by Dr.+Bent · · Score: 4, Funny

    I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.

    So what's it like working for the N.S.A.? Do they have a decent benefits package?

    1. Re:Just Wondering.... by bfg9000 · · Score: 2, Funny

      Missing line that fills in the details, deleted for length reasons:

      I look at packets for a living. I generate them, I capture them and dissect them, and I try and make sense of them as quickly as possible.... ... and they turn into boobies and peepee bums on my screen when I've done it right. And if my mom finds out I'm dead meat, which is why I also like crypto.

      By this measure, I look at packets for a living too... well, I don't get paid for it, but it takes more time than my day job at Twinkles Bar and Grill.

      --

      I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

  4. ethereal plus google's locator service... by 192939495969798999 · · Score: 2, Funny

    I would like to see an integration of Ethereal with google's locator service, or one of those ip to geographical coordinate services. It could bring up a map of the world, and where people are coming from to get to you. Finally, I could project that map on the wall, and be just like in DEFCON 5 the movie! HA HA HA!

    --
    stuff |
  5. Re:possible? by dubdays · · Score: 2, Funny

    Why? They already smell like crap.

  6. Too late by KalvinB · · Score: 2, Funny

    I used Ethereal back when I was playing with Try2Hack and discovered what information was being sent for The Kill Everyone Project. I then fired up my custom "hacker" program and proceeded to destroy the world approximately five times per packet.

    After crashing the high score page from an integer overflow caused by my ridiculously high score, I decided that maybe I should stop.

    So after beating the internet, what purpose does a book on Ethereal serve?

    What would actually be handy is a browser that you can tell to "step" through message transmissions. The owner of the "Kill Everyone Project" challenged me to hack his other games after I e-mailed him to explain what I did and how he could fix it. The only reason I couldn't do it was because after some cookie passing with my program I couldn't quite get the SWF file with the session ID. With a real browser with "step" it would be possible to let it load up the game session like normal but then set it to "step" mode and be able to edit packets before they go to the server.

    I don't imagine it would be too terribly difficult to add such a feature to Mozilla. It would be nice to have a text window that shows what data is actually being sent up to the server with the option to have to manually okay each packet so you could edit out any info you'd rather the server didn't have.

    Like when certain Javascript pages try to grab system information.

    Ben

  7. Great every idiot on slashdot will be sniffing now by DR+SoB · · Score: 3, Funny

    Here we go with the n00b questions, i.e. Can it sniff spam packets? Answer: No, spam packets are so mysterious and powerful, no available NIC is capable of passing them to a sniffer program.

    Please people, leave SNIFFING to the professionals!

    --
    Mod +5 Drunk
  8. Re:possible? by SquadBoy · · Score: 3, Funny

    No spam packets are unlike other packets. They are marked with the "spam bit" and this means that sniffers will not capture them or display them.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  9. If you *really* need to sniff, by pair-a-noyd · · Score: 1, Funny

    Get your own Carnivore device...
    http://www.systemrecycler.com/shomiti/

  10. Re:Ethereal in University Setting by dr_dank · · Score: 3, Funny

    My professor is working on a book that uses Ethereal to study networks, but provides all the relevant captures and such to keep students from running traces on active networks

    Is this Prof on crack that he/she doesn't think that any of their students is going to try sniffing their neighbors' packets on the dorm network? Hell, that's the first thing I'd do!

    --
    Where does the school board find them and why do they keep sending them to ME?
  11. packet sniffing by Cruciform · · Score: 4, Funny

    Ever mention 'packet sniffing' in a public place?

    Suddenly people across the room are hanging on your every word, until they realize you didn't say "panty sniffing" and they can't get vicarious thrills/outrage from the perverted geeks in the corner.

  12. Re:Sounds Good by Brando_Calrisean · · Score: 1, Funny

    ...thats the way i learn alot of stuff u know poking it. Must... contain... jokes...

    --
    Don't call me a cowboy, and don't tell me to slow down!
  13. Flameon by g0bshiTe · · Score: 3, Funny

    Not to mention the 13 root exploits for Ethereal.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  14. Mordekainen's Ethereal Packet Sniffing by quantaq · · Score: 3, Funny

    Yes, but what are the material components? Area of effect? Your review of this "Ethereal Packet Sniffing" leaves me wanting.

    Why oh why did I have to play so much D&D in high school...

  15. Ethereal, nmap, nessus by mnemotronic · · Score: 2, Funny
    It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
    • nmap for basic port sniffing.
    • nessus for more extensive security sweeping.
    • ethereal for packet capture & analysis.
    • snort for intrusion detection.
    • magnum marine for spammer management (I feel a mod-down comin on!)
    (Apologies if I've left your favorite tool out of this list)

    I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.