
Ethereal is a serious, simple, and free protocol analyzer

A protocol analyzer lets you examine the granular details of network traffic at the packet level. Some protocol analyzers, however, are either difficult to use or expensive. Ethereal bucks the trend in both cases.


Keeping tabs on network traffic is an inexact science, and finding the right software (or combination of programs) to do it is no easy task either. Some network analysis software is expensive, while other programs are difficult to use. Fortunately, neither of these conditions applies to the Ethereal protocol analyzer.

The software
Ethereal is a freely available open source program that runs on Windows and on most Unix-like systems. Captured traffic can be examined live or written to a capture file and analyzed later. For example, you could script or schedule a capture that targets something specific on your network (the command-line version, tethereal, is suited to this), save the capture file to a network drive, and analyze it at your convenience.

Ethereal is capable of dissecting 385 protocols, including SMTP, ATM, IGRP, PPP, IPX and many more. The program supports live capture on Ethernet, FDDI, Token Ring, IP over ATM, and even loopback interfaces on some machines. Ethereal also supports two kinds of configurable filters: capture filters, applied by the capture driver so that only matching packets are recorded, and display filters, applied afterwards to drill down on the packets you are interested in without discarding the rest of the capture.

The program is distributed in binary form for a wide variety of platforms including Windows, Linux, and Mac OS X. Sources are also available to support manual compiling and building of the product.

For this article, I will be installing Ethereal on a Windows Server 2003 machine and showing you how to get started with this powerful network protocol analyzer.

Getting started
With the Windows version of Ethereal, you must first download WinPcap, the packet capture driver that allows Ethereal to read traffic from the wire. Download the WinPcap autoinstaller and execute the simple install by following the on-screen instructions; because it installs a kernel driver, you need administrator rights to install it. On my WS2K3 system, it didn't even require a reboot. If you choose not to install WinPcap, you won't be able to capture live network traffic, although you can still open saved capture files.

After installing the capture driver, you can download and install the latest version of Ethereal; as of this writing, that is version 0.9.14. Once you download the single executable, run it. The first screen in the installation is the license screen indicating that Ethereal is distributed under the open source GPL (GNU General Public License).

The second screen asks you to choose the individual components that you would like to install. Included in this list are the GUI (ethereal) and command-line (tethereal) versions of the analyzer, SNMP MIBs, shortcut icons, and more. Select the options you like and click Next. For this example, I will install all of the options (Figure A).

Figure A


Next, you are asked for an installation location which defaults to C:\Program Files\Ethereal, the location that I will use for this example (Figure B).

Figure B


To complete the installation, click the Install button. No reboot was required on my WS2K3 system, and a shortcut was placed on the desktop.

Running Ethereal
With installation complete, you can run Ethereal by double-clicking the desktop icon or choosing Start | (All) Programs | Ethereal | Ethereal. This will open a blank Ethereal Network Analyzer window, as shown in Figure C.

Figure C


To begin capturing live network traffic, select Capture | Start. This opens the Capture Options window, where you define the interface, capture filter, and stop conditions for the capture. For this example, I'm going to use the default capture options but will set the capture to stop automatically after 45 seconds (Figure D).

Figure D


During the capture period, I visited a couple of Web sites. For the entire capture period, Ethereal provided me with an at-a-glance breakdown of the kinds of traffic it was seeing. An example of this quick analysis is shown in Figure E. Keep in mind that on a switched network the capture interface only sees broadcast traffic and traffic addressed to the capturing machine itself; to see other hosts' conversations you need a hub, a mirrored (SPAN) switch port, or a tap.

Figure E


After the 45 seconds expired, I saw the window in Figure F with a lot of raw data in it.

Figure F


Analysis of the traffic
With a little analysis, you can follow a conversation flow between systems. For example, in Figure G, the highlighted line shows a broadcast ARP request. The machine 192.168.1.106 is asking for the MAC address associated with 192.168.1.1 so that it can send frames to it. Immediately below it, you see the reply, sent unicast back to 192.168.1.106, carrying the requested MAC address.

Figure G


In addition to following conversation flows, you can also see very detailed information about each packet in the list. For example, if I open a DNS query packet by right-clicking it and choosing Open Packet In New Window, I get the full dissection shown in Figure H.

Figure H


As you can see from Figure H, Ethereal shows the full contents of the packet: its size, the link-layer frame type, each encapsulated protocol header (here Ethernet, IP, UDP and DNS) decoded field by field, and the raw data payload.

TCP stream analysis
When you visit a Web site, your PC and the server exchange a series of requests and responses over one or more TCP connections, and those bytes arrive on the wire split into segments. Ethereal can reassemble the segments of a connection in sequence-number order so that you see exactly what was exchanged, rather than one packet at a time. This is accomplished by selecting any TCP packet in the data list and, from the menu, choosing Tools | Follow TCP Stream.

Where might this come in handy? The screen in Figure I shows one half of the conversation my PC had with Google during the most recent capture. In the highlighted section, you can see that Google is sending gzipped content down to my PC in order to save bandwidth. While this example may not help to solve a major problem, it does show that Ethereal captures a significant amount of information and will show you exactly what took place during a transaction. Note that this works because the conversation is plain HTTP; anything sent over the wire in clear text (including passwords for protocols such as Telnet, FTP or basic-authentication HTTP) is just as visible, whereas following a TLS-encrypted stream shows only ciphertext.

Figure I
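The reassembly that Follow TCP Stream performs, and the gzip decoding that Figure I shows the raw form of, can be reproduced outside Ethereal. The following is an added example written for this article, not Ethereal's own code: it builds a small HTTP response as a set of constructed TCP segments (the body, the segment size of 40 bytes, and the initial sequence number are all assumptions), delivers them out of order with one retransmission, reassembles them by sequence number, and decodes the gzipped body.

```python
"""Follow one direction of a TCP stream the way Ethereal's Follow TCP Stream does:
order the segments by sequence number, drop retransmitted bytes, stop at a gap,
then decode the HTTP response they carry, gunzipping a Content-Encoding: gzip body.
The segments are constructed here; they are not taken from a real capture."""
import gzip

# Constructed server response: a small gzip-compressed HTML body, as in Figure I.
BODY = b"<html><body>hello from the server</body></html>"
GZ_BODY = gzip.compress(BODY)
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(GZ_BODY)).encode() + b"\r\n\r\n" + GZ_BODY)
ISN = 1_000_000                    # assumed initial sequence number of the server's side

def segment(data, isn, mss):
    """Chop a byte stream into (seq, payload) pairs, as the sender's TCP would."""
    return [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]

SEGMENTS = segment(RESPONSE, ISN, 40)
# Arrival order seen by the sniffer: third segment first, second one retransmitted.
ARRIVAL = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1], SEGMENTS[1]] + SEGMENTS[3:]

def reassemble(segments, isn):
    """Return (stream bytes, next expected seq). Sorting by sequence number puts
    the conversation back in order; bytes already seen are skipped, and a hole
    (lost segment) ends the stream rather than silently joining across it."""
    out, expected = bytearray(), isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                        # pure retransmission, nothing new
        if seq > expected:
            break                           # gap: the missing segment never arrived
        out += payload[expected - seq:]     # trim partial overlap, append the rest
        expected = end
    return bytes(out), expected

def parse_http_response(stream):
    """Split status line, headers and body; honour Content-Length and gzip encoding."""
    head, _, body = stream.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)        # the bytes Ethereal shows as gzipped content
    return status.decode(), headers, body

def follow_stream(segments, isn):
    """Reassemble one direction of the connection and decode the HTTP inside it."""
    stream, _ = reassemble(segments, isn)
    return parse_http_response(stream)

if __name__ == "__main__":
    status, headers, body = follow_stream(ARRIVAL, ISN)
    print(status, headers, body, sep="\n")
```

The gap handling is the part worth noticing: if a segment is missing from the capture (dropped by the sniffer under load, or captured on a switch port that only sees part of the path), a naive concatenation produces a plausible-looking but corrupted stream, so the reassembler stops at the hole instead.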


An overview
In addition to the specific data that can be drilled into using Ethereal, you can also get a higher level overview of what kind of traffic is on your network by selecting Tools | Protocol Hierarchy Statistics. As you would expect, this provides a hierarchical breakdown of the captured traffic by encapsulation (Figure J): every packet is counted at each layer it contains, so HTTP is listed under TCP, which is under IP, which is under Ethernet, and the counts at an outer layer include everything nested inside it.

Figure J
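To make the ARP pairing of Figure G, the per-layer dissection of Figure H and the hierarchy of Figure J concrete, here is an added example (written for this article, not Ethereal's code) that parses a libpcap capture file of the kind Ethereal saves. The capture itself is constructed in memory from six hand-built frames, and the MAC addresses, the remote web server's IP, and the rogue station that answers for the gateway are all assumptions; the two hosts from the ARP example keep the article's addresses.

```python
"""Dissect a libpcap capture through Ethernet -> ARP / IPv4 -> UDP, TCP -> DNS, HTTP,
pair ARP requests with replies (Figure G) and roll the layer stacks up into a
protocol hierarchy (Figure J). The capture is constructed in memory, not a real trace."""
import struct
from collections import Counter

# Constructed addresses: the host and gateway from the ARP example, an arbitrary
# remote web server, and a second station that later answers for the gateway's IP.
HOST_MAC, GW_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "020000000001"))
HOST_IP, GW_IP, WEB_IP = bytes([192, 168, 1, 106]), bytes([192, 168, 1, 1]), bytes([64, 233, 161, 99])
BCAST = b"\xff" * 6

def ether(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload
def arp(op, sha, spa, tha, tpa):      # hw type 1, proto 0x0800, 6-byte hw / 4-byte proto addresses
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
def ipv4(proto, src, dst, payload):   # minimal 20-byte header; checksum left 0 (not verified here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, seq, payload):  # data offset 5 words, flags PSH|ACK, checksum 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
def dns_query(name):                  # one A/IN question, recursion desired
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

FRAMES = [
    ether(BCAST, HOST_MAC, 0x0806, arp(1, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP)),    # who has 192.168.1.1?
    ether(HOST_MAC, GW_MAC, 0x0806, arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP)),        # 192.168.1.1 is at GW_MAC
    ether(GW_MAC, HOST_MAC, 0x0800, ipv4(17, HOST_IP, GW_IP, udp(1025, 53, dns_query("www.google.com")))),
    ether(GW_MAC, HOST_MAC, 0x0800, ipv4(6, HOST_IP, WEB_IP, tcp(1026, 80, 1, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"))),
    ether(HOST_MAC, GW_MAC, 0x0800, ipv4(6, WEB_IP, HOST_IP, tcp(80, 1026, 1, b""))),  # bare ACK, no HTTP
    ether(HOST_MAC, ROGUE_MAC, 0x0806, arp(2, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP)),  # reply nobody asked for
]

def build_pcap(frames):
    """libpcap file: 24-byte global header (link type 1 = Ethernet), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

def iter_pcap(data):
    """Yield (timestamp, frame) per record; the magic number gives the byte order (KeyError otherwise)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data)[0]]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        yield ts_sec + ts_usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def dissect(frame):
    """Return the packet's layer stack plus the fields the checks below need."""
    ip = lambda b, a: ".".join(map(str, b[a:a + 4]))
    p = {"layers": ["eth"], "len": len(frame), "eth.src": frame[6:12].hex(":"), "eth.dst": frame[:6].hex(":")}
    etype, body = struct.unpack_from("!H", frame, 12)[0], frame[14:]
    if etype == 0x0806:
        p["layers"].append("arp")
        p["arp.opcode"] = struct.unpack_from("!H", body, 6)[0]
        p["arp.src.hw"], p["arp.src.proto"], p["arp.dst.proto"] = body[8:14].hex(":"), ip(body, 14), ip(body, 24)
    elif etype == 0x0800:
        p["layers"].append("ip")
        p["ip.src"], p["ip.dst"], l4 = ip(body, 12), ip(body, 16), body[(body[0] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", l4)
        if body[9] == 17:                              # UDP: 8-byte header; port 53 -> DNS
            p["layers"].append("udp")
            p["payload"] = l4[8:]
            if 53 in (sport, dport):
                p["layers"].append("dns")
        elif body[9] == 6:                             # TCP: header length from data offset; port 80 + data -> HTTP
            p["layers"].append("tcp")
            p["payload"] = l4[(l4[12] >> 4) * 4:]
            if 80 in (sport, dport) and p["payload"]:
                p["layers"].append("http")
    return p

def pair_arp(packets):
    """Match each reply to the request it answers. A reply with no outstanding
    request is reported separately: that is what ARP spoofing looks like on the wire."""
    pending, resolved, unsolicited = {}, [], []
    for p in (q for q in packets if "arp" in q["layers"]):
        if p["arp.opcode"] == 1:
            pending[(p["arp.src.proto"], p["arp.dst.proto"])] = True
        elif p["arp.opcode"] == 2:
            key = (p["arp.dst.proto"], p["arp.src.proto"])
            if pending.pop(key, False):
                resolved.append((key[0], key[1], p["arp.src.hw"]))
            else:
                unsolicited.append((p["arp.src.proto"], p["arp.src.hw"]))
    return resolved, unsolicited

def protocol_hierarchy(packets):
    """Count packets at every prefix of their layer stack, like Protocol Hierarchy Statistics."""
    counts = Counter()
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            counts["/".join(p["layers"][:depth])] += 1
    return counts

def analyze(pcap_bytes):
    packets = [dissect(f) for _, f in iter_pcap(pcap_bytes)]
    return packets, pair_arp(packets), protocol_hierarchy(packets)

if __name__ == "__main__":
    packets, arps, hier = analyze(build_pcap(FRAMES))
    print(["/".join(p["layers"]) for p in packets], arps, dict(hier), sep="\n")
```

Two things in the output are worth a second look when you run this against a real capture: the last ARP frame is a reply for 192.168.1.1 from a MAC that never answered a request, which is exactly the pattern an ARP-spoofing tool produces, and the hierarchy counts are nested (every HTTP packet is also counted under TCP, IP and Ethernet), which is how Ethereal's statistics window reports them too.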


Ethereal provides powerful packet info
Ethereal is an incredibly powerful and useful tool for examining network traffic. You can use it to determine what kind of traffic is running on your network as well as exactly what is inside each packet that crosses it. At the very reasonable price of "free," this easy-to-install package can be put to use by many administrators.
