
How do I... Monitor traffic on a network for free with Ethereal

If you want to monitor traffic on your network, you can purchase a packet analyzer. However if your budget is tight, you don't have to spend any money at all. Here's how you can do so using Ethereal.

This article is also available as a TechRepublic download.

This article was originally published on April 3, 2006.

What is going on with the network? Why is the network running slow? Who is using all the bandwidth? Do you have unwanted traffic on the network? Why is my network application not working? These are all questions that can drive a network administrator crazy. These are also questions you can answer without breaking your budget with Ethereal.

What is it?

Ethereal is an open source protocol analyzer available for a variety of operating systems. As the source is freely available, it could, theoretically, be compiled on just about any operating system. You can run it on Windows, Linux/Unix, and Mac OS X.

Protocol analyzers are commonly known as "packet sniffers," or simply "sniffers." Strictly speaking, Sniffer is a brand name: the commercial (think expensive) protocol analyzer made by Network General. Ethereal, on the other hand, is completely free and offers most of the same features. Protocol analyzers are used to troubleshoot the network, analyze what is going on, and understand protocol behavior and traffic flow. If you are having a mysterious problem on the network, a protocol analyzer is your best tool, and Ethereal is the most popular freely available one.

At this point you may be asking, "If this is such a critical tool, why doesn't everyone have one installed on their PC?" The answer is that running the analyzer and clicking through the menus is not difficult; understanding what it tells you is. Turning on debug mode in Windows is easy, but making sense of the debug output is not, and Ethereal's output is, in effect, debug output for your network.

In other words, Ethereal understands the packets and protocols sent across the network and decodes them into a readable format for a network administrator to analyze. In many instances it also adds its own analysis, for example flagging TCP retransmissions and out-of-order segments. It can work on live network data as it is sent across the network, or on a saved capture file that you play back later.

How do you get it?

To obtain a copy of Ethereal for your Windows PC, go to the Ethereal website and click on Download. As you can see, Ethereal can be downloaded in binary format for Windows, Solaris, and Red Hat from this website. You can also download the source code. On this same webpage, there are links to other sites where you can download the binary version for operating systems like Mac OS X, Palm, HPUX, IBM AIX, and other Linux variants.

Download Ethereal for Windows by clicking the Download button next to Windows. Once you have downloaded Ethereal, click Run, to begin the installation. The installation runs like most Windows Setup Wizards.

The first point where you have a decision to make is shown in Figure A. This screen asks you if you want winpcap installed.

Figure A

Deciding what you want to do about Winpcap.

WinPcap is a packet-capture library with a kernel-mode driver. It hands Ethereal a copy of each frame straight from the network adapter's driver, before the operating system's protocol stack processes it, and it can put the adapter into promiscuous mode so that frames addressed to other hosts are captured rather than discarded by the adapter (provided the adapter and its driver support this). WinPcap must be installed for Ethereal to capture packets off the network; without it Ethereal can only open saved capture files. Keep in mind that a capture driver is a privileged component: anyone who can drive it can read every frame that reaches the adapter, so install it only on machines whose users you would trust with that visibility. Click Next to install WinPcap and Ethereal.

After copying files, the Winpcap window shown in Figure B will pop up over the Ethereal install window.

Figure B

This window appears after you install Winpcap.

Click Next, then Next again to accept the license, and WinPcap will be installed. When it is done, click Finish and you will be returned to the Ethereal installation, which completes by copying files. Click Next, check the box that says Run Ethereal, and click Finish. The installation is done and Ethereal will now start.

How do you use it?

When Ethereal runs, you will see the screen shown in Figure C.

Figure C

Ethereal's startup screen is rather plain.

From here, it isn't very obvious what to do. There are full week-long courses on Ethereal. Because of that, this article isn't meant to teach you fully how to use Ethereal. Instead, let me show you how to capture some basic packets off the network.

Keep in mind that a system only sees the frames that the switch or hub it is connected to delivers to its port. A switch learns which MAC address lives on which port and forwards each unicast frame only to the port of its destination MAC, so on a switch you normally see just the traffic addressed to your workstation's MAC plus broadcast and (flooded) multicast frames. A hub repeats every frame to every port, so on a hub you would see all traffic on the segment. Proper placement of your workstation is therefore critical, and even then the adapter must be in promiscuous mode to accept frames addressed to other hosts. On managed switches, "port mirroring" (Cisco calls it SPAN) copies the traffic of one or more ports to the port your analyzer is on. For example, you could mirror the core router's Ethernet port to your port. A quick sanity check once a capture is running: if every frame you see is addressed to your own MAC, to the broadcast address, or to a multicast address, the mirror is not working.

To capture packets, first select the interface that you want to capture packets from. To do this, click the top left icon on the toolbar that says "List the available capture interfaces." You'll see a window that looks like the one in Figure D.

Figure D

Select where you want to capture packets from.

Notice that only one interface is seeing packets. That is because that is my primary network interface and also the interface I want to capture packets from. Click Capture and you'll see a window like the one in Figure E showing you the status of the capture.

Figure E

You can track the status of the captures as they go.

Once you have captured enough packets, click Stop. Your packets will be decoded and available for analysis as seen in Figure F.

Figure F

You can view all of the captures here.

If you haven't used a protocol analyzer before, you will have to spend some time learning how to read one. Ethereal can do a great deal with the captured traffic. For example, you can follow the actual conversation flow between two hosts, as seen in Figure G.

Figure G

You can see many details of traffic, including conversation flow.

Free for all

Ethereal is a very powerful program with so many different uses. It is amazing with all its features and uses that it is still freely available to anyone.

22 comments
georgelawlor16

It occurred to me that a virus or other problem could generate a load of internet traffic and an easy way to know about that would be to record daily internet traffic on our wired gigabit LAN [gigabit because we backup data over our LAN]. I am using Wireshark to capture LAN packets. DHCP is turned off and assigned IPv4 addresses are grouped so that the PCs are sequential. We use a Cisco gigabit managed switch with LAN port one connected to the router and mirrored to LAN port 8 which is connected to the second NIC on my PC. All the PCs are equipped with gigabit NICs. My ISP provider is via a satellite and traffic beyond the monthly limit is billable. I am looking for a way to know what the traffic is from my side of the internet connection. After hours combing the Wireshark site I still do not know how to filter the capture to the packets that carry that billable data. I plan to find an automatic way to convert the *.cap files [they look like binary files] to *.CSV and use Liberty Basic to extract the traffic data I want. I would love to limit captures to just the packets that would provide the information I am after. I really don't care about the content, we are four adults and two dogs using the LAN {the dogs not so much}. I wish to have a number that agrees with our ISP and shows where the traffic comes from by our local IP address. Any suggestions would be most appreciated.
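The two problems above, the article's point about switch visibility (you only see your own unicast plus broadcast/multicast unless a mirror port or promiscuous mode delivers other hosts' frames) and the commenter's wish to total billable bytes per local address straight from the .cap files, can both be checked from the capture file itself. The following is an added example written for this page; it is not code from the article, the commenter, or the Ethereal/Wireshark project. It reads a classic libpcap file with nothing but the Python standard library, classifies every frame's destination MAC to prove whether the capture point sees other hosts' traffic, and sums on-wire bytes per local IPv4 address in each direction. It assumes an Ethernet link type, IPv4 traffic, a local prefix you supply, and a capture taken on the LAN side of the router (so addresses are pre-NAT, as in the commenter's setup); the sample capture at the bottom is constructed with hypothetical MACs and documentation IP ranges, not real traffic.

```python
"""Added example (not from the article, the commenter or Wireshark): read a classic
libpcap (.cap/.pcap) capture with the standard library only, check that the capture
point sees other hosts' unicast frames, and total on-wire bytes per local address.
Assumes Ethernet + IPv4; the sample capture at the bottom is constructed."""
import ipaddress
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap header, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def read_pcap(data: bytes):
    """Yield (orig_len, frame) per record; orig_len is the on-wire length even if snaplen cut the frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:          # same magic, file written big-endian
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is a different format)")
    linktype = struct.unpack_from(e + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")
        off += incl_len
        yield orig_len, frame

def classify_dst(dst_mac: bytes, own_mac: bytes) -> str:
    """On an ordinary switch port you only ever see the first three classes."""
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:
        return "multicast"
    if dst_mac == own_mac:
        return "own-unicast"
    return "foreign-unicast"

def account(data: bytes, local_prefix: str, own_mac: bytes):
    """Return (destination-class counter, {local_ip: {"in": bytes, "out": bytes}})."""
    local_net = ipaddress.ip_network(local_prefix)
    vantage = Counter()
    per_host = defaultdict(lambda: {"in": 0, "out": 0})
    for orig_len, frame in read_pcap(data):
        if len(frame) < 14:
            continue
        vantage[classify_dst(frame[:6], own_mac)] += 1
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype != ETHERTYPE_IPV4 or len(frame) < 34 or frame[14] >> 4 != 4:
            continue                   # ARP, IPv6, VLAN-tagged frames etc. are not counted here
        src = ipaddress.IPv4Address(frame[26:30])
        dst = ipaddress.IPv4Address(frame[30:34])
        if src in local_net and dst not in local_net:
            per_host[str(src)]["out"] += orig_len
        elif dst in local_net and src not in local_net:
            per_host[str(dst)]["in"] += orig_len
        # local-to-local frames (LAN backups) never cross the WAN and are skipped
    return vantage, dict(per_host)

def sees_other_hosts(vantage: Counter) -> bool:
    """False means the mirror/promiscuous setup is not delivering other hosts' traffic."""
    return vantage["foreign-unicast"] > 0

# --- constructed sample capture (hypothetical MACs and documentation IPs, not real traffic) ---
def _ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload_len):
    # IP header checksum left at zero; the reader above does not validate it
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + bytes(payload_len)

def _pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_144_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

ROUTER_MAC, PC_A_MAC, PC_B_MAC, MONITOR_MAC = (
    bytes.fromhex(h) for h in ("001122334455", "0a0000000a0a", "0a0000000b0b", "0a0000009999"))
SAMPLE_PCAP = _pcap([
    _ipv4_frame(ROUTER_MAC, PC_A_MAC, "192.168.1.10", "203.0.113.5", 1000),  # A -> Internet
    _ipv4_frame(PC_A_MAC, ROUTER_MAC, "203.0.113.5", "192.168.1.10", 500),   # Internet -> A
    _ipv4_frame(PC_A_MAC, PC_B_MAC, "192.168.1.11", "192.168.1.10", 1400),   # LAN backup, not billable
    b"\xff" * 6 + PC_B_MAC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),   # ARP broadcast
    _ipv4_frame(ROUTER_MAC, PC_B_MAC, "192.168.1.11", "198.51.100.7", 200),  # B -> Internet
])

if __name__ == "__main__":
    v, hosts = account(SAMPLE_PCAP, "192.168.1.0/24", MONITOR_MAC)
    print("capture point sees other hosts' unicast:", sees_other_hosts(v), dict(v))
    for ip, d in sorted(hosts.items()):
        print(f"{ip:15} in={d['in']:>8} out={d['out']:>8} bytes")
```

Two caveats for anyone using this against real captures: the number will not match the ISP's meter exactly, because the ISP counts on the WAN side (different framing, possibly PPP or tunnel overhead, and post-NAT addresses), and newer Wireshark releases save in pcapng by default, which this reader deliberately rejects; save or convert to the classic libpcap format first. For a quick look without any code, Ethereal's Statistics menu (Conversations and Endpoints) gives the same per-address totals interactively.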

makhlukat

It is always a great help. Thank you.

MorrellF

The network security in my LAN and PCs is preventing downloads of Ethereal. The site does not show where it is downloaded from. I would like to give this a go, but it looks sus to my security.

mb.techrepublic

Firstly, I do use Wireshark as my preferred network analyser for a host of reasons, not least is the timeline graphing showing traffic peaks. The small issue is that Winpcap (the driver portion of Wireshark) relies on promiscuous mode support in the underlying NDIS driver of the NIC in use. For most (if not all) desktop NICs I've encountered this isn't a problem, but for many laptop (PCMCIA / PC-Card) NICs this can be. What this means is that Winpcap effectively only collects traffic destined for the laptop running Wireshark - that is unicast traffic for the laptop, all broadcasts (and some multicasts). What is missing is other unicast traffic to other devices. Aside from buying a NIC with proper promiscuous mode support in the NDIS driver (how many vendor sites tell you this?), the other option is to capture with Microsoft's updated NetMon (v3.1 is now "free" - try here https://www.microsoft.com/downloads/details.aspx?familyid=18B1D59D-F4D8-4213-8D17-2F6DDE7D7AAC&displaylang=en) - this uses a lower level interface to the NIC driver and seems to avoid the promiscuous mode problem - or, at least, it has in my experience. This does mean you have to use NetMon to capture and then separately use Wireshark to analyse. Hope this helps.

bfrericks

Observer from NI is probably the best in my opinion. Yes, Ethereal is great and has lots of features, especially for free, but Observer is far above Ethereal and for the price it's unbeatable even for smaller IT shops. (No, I don't work for them!) I don't know about you, but I don't have a whole lot of time to mess with a packet trace, so any assistance that can be provided to me to make it quicker is fine by me, especially for only a few thousand.

zczc2311

Development on the open source product known as Ethereal finished a while ago. The application has a new name. It is now called Wireshark. The current version and ALL information regarding this application can be found at http://www.wireshark.org/. Wireshark will replace Ethereal in most new upcoming distro versions of Linux.

djdawson

I agree with all the wonderful comments about Ethereal, but would like to add that it has recently become "Wireshark". The ethereal.com web site just recently added a news item about the latest release of Wireshark, and the wireshark.org web site has more details, along with a short description of why it changed.

stress junkie

Start Ethereal. Click on Capture. Click on Options. A new window will appear. Find the Display Options section. Enable "Update list of packets in real time". Enable "Automatic scrolling in live capture". Find the Name Resolution section. Enable "Enable network name resolution". Enable "Enable transport name resolution". Click on the Start button.

You will see two windows. One is like the one in the article that shows percentage of traffic by packet type. The other window will show the actual packets and their contents.

When it comes to diagnosing, or just discovering, network problems Ethereal will show you retransmitted packets and out of order packets. Those often point to some hardware or software problem on one or more computers. I discovered a problem on my ISP's network this way. I was experiencing terrible network performance. I happened to be the only person on my section of the cable modem WAN. The ISP technicians tried to say that my network problems were caused by my computer. Using Ethereal I showed them that their equipment was dropping packets which caused retransmitted packets and out of order packets. They verified my findings with their own test equipment. They replaced a piece of their equipment and my problems went away.

You can learn a lot about network packets by using Ethereal. You will see an awful lot of ARP traffic. You may want to filter that out. You can see how users authenticate on a security domain. You can see how DNS works. You can see people's passwords in POP3 mail client traffic or telnet traffic. You can easily see the text part of HTTP traffic. You can see the contents of Microsoft Messenger traffic. I discovered a MS Messenger "trojan" that broadcast a message similar to "Your Windows machine has encountered a serious error. Go to http://bad.guys.com and run the system updater." HAH!!! I run Linux. I wonder how many people went to that bad guy site and ran their "system updater". I watched this MS Messenger traffic over several months. I noticed that they would change their IP address about every two months. I also noticed that their favorite registrar was Go Daddy dot com. I couldn't get Comcast interested in this malicious traffic. They should have stopped traffic on the MS Messenger port. They didn't.

I'm waiting for the day that I see NetBIOS share broadcasts over the cable modem WAN. I know that two of my neighbors are now using the Comcast network. I fully expect to eventually see their home computers become fully exposed. Naturally I will let them know if that happens. I don't want to go to prison. I will charge them to fix it, though. :)

So if you are interested in network operations then Ethereal is great. You could also run tcpdump on Unixes or snoop on Solaris, but Ethereal's interface makes it much better than any command line utility.

Mark W. Kaelin

Which packet analyzer do you use? How effective is it? Is there something missing that you wish it could do?

it

Hi, we have a hardware firewall with both internal & external IP addresses. Would it be possible with Ethereal/Wireshark to monitor just these 2 IPs so I can gather stats on traffic? I have tried but can only monitor traffic through my local NIC. Thanks

stress junkie

Dana Dawson already brought that to our attention.

stress junkie

I looked at the web site. The "explanation" for the name change doesn't make any sense as it is presented. I think that the subject deserves more than 3 sentences. 1) The original author obtained a job and consequently was required to give up his trademarks. Why? I don't see the causal relationship there. 2) Fact 1 put the project in an awkward state which was resolved by changing the name of the project. Again, why? Again I don't see how one thing caused the other.

paul.cook

Used it for the first time yesterday and easily isolated the two computers that were ARP-flooding our network. (BTW, be careful of Nvidia NForce network diagnostics....that was the culprit.)

Mark W. Kaelin

Thanks for the additional information -- very helpful.

BernieG

To monitor more than your own NIC card traffic, you would have to connect the devices you want to monitor to a passive hub (not a switch, which connects network devices point to point) that sends traffic to all devices connected to it. This will allow you to see the traffic intended for the other devices.

zczc2311

Why call it ethereal when the new Product is Wireshark. Perhaps you should read why I said more closely - Go take a stress pill...Key Word "Development"

djdawson

Here's a link to an article that describes the change in more detail: http://tinyurl.com/olhez The short version is that the old company owned the "Ethereal" trademark and wouldn't allow the developers to take it with them, so they had to come up with a new name. It all seems reasonable to me, but it doesn't really matter, since it's still the same software and the same developers. Dana

stress junkie

I remember when free software wasn't worth the disk space that it occupied. Ethereal is the highest quality that you could ask for in any software.

mnleone

On most newer managed switches, there is an option for port mirroring. You can mirror your uplink port on the switch that goes to your internet connection, and have it mirror it to another port. Configure that other port as a secondary network interface on your computer and you can snoop on that.

stress junkie

Too bad the wireshark web site didn't just put that letter for the reason that they changed names. The letter makes sense. :D
