This article is also available as a TechRepublic download.
This article was originally published on April 3, 2006.
What is going on with the network? Why is the network running slow? Who is using all the bandwidth? Is there unwanted traffic on the network? Why is my network application not working? These are all questions that can drive a network administrator crazy. They are also questions you can answer, without breaking your budget, with Ethereal.
What is it?
Ethereal is an open source protocol analyzer available for a variety of operating systems. Because the source is freely available, it can in principle be compiled on just about any operating system. You can run it on Windows, Linux/Unix, and Mac OS X. (The project has since been renamed Wireshark.)
Protocol analyzers are commonly known as "packet sniffers," or just "sniffers." Sniffer, however, is a specific brand of commercial (think expensive) protocol analyzer made by Network General. Ethereal, on the other hand, is completely free and offers most of the same features. Protocol analyzers are used to troubleshoot the network, analyze what is going on, and understand protocol behaviour and traffic flow. If you have a mysterious problem on the network, a protocol analyzer is your best tool, and Ethereal is the most popular freely available one.
At this point you may be asking, "If this is such a critical tool, why doesn't everyone have one installed on their PC?" The answer is that understanding what a protocol analyzer tells you can be difficult. Running the analyzer and clicking through the menus is not hard; understanding the output is. For example, turning on debug mode in Windows is not hard, but making sense of the debug output is. The output you receive from Ethereal is comparable to debug output.
In other words, Ethereal understands the packets and protocols sent across the network and decodes them into a readable format for a network administrator to analyze. In many cases Ethereal also adds analysis of its own, for example tying the packets of a TCP conversation together so you can read them as a stream. The data can be live traffic, captured as it crosses the network, or a saved capture file that you play back.
How do you get it?
To obtain a copy of Ethereal for your Windows PC, go to the Ethereal website and click on Download. As you can see, Ethereal can be downloaded in binary format for Windows, Solaris, and Red Hat from this website. You can also download the source code. On this same webpage, there are links to other sites where you can download the binary version for operating systems like Mac OS X, Palm, HPUX, IBM AIX, and other Linux variants.
Download Ethereal for Windows by clicking the Download button next to Windows. Once the download finishes, click Run to begin the installation, which runs like most Windows setup wizards.
The first point where you have a decision to make is shown in Figure A. This screen asks you if you want winpcap installed.
|Deciding what you want to do about Winpcap.|
Winpcap is the library that Ethereal uses to capture packets at the link layer, below the operating system's protocol stack, so it sees frames that the stack would never pass to an ordinary application. Winpcap must be installed for Ethereal to be able to capture packets off the network; because it installs a kernel driver, the installation needs administrator rights. Click Next to install Winpcap and Ethereal.
After copying files, the Winpcap window shown in Figure B will pop up over the Ethereal install window.
|This window appears after you install Winpcap.|
Click Next, then Next again to agree to the license, and Winpcap will be installed. When it finishes, click Finish and you will be returned to the Ethereal installation, which completes by copying files. Click Next, check the box that says Run Ethereal, and click Finish. The installation is done and Ethereal will now start.
How do you use it?
When Ethereal runs, you will see the screen shown in Figure C.
|Ethereal's startup screen is rather plain.|
From here, it isn't very obvious what to do. There are full week-long courses on Ethereal, so this article isn't meant to teach you how to use it fully. Instead, let me show you how to capture some basic packets off the network.
Keep in mind that a system will only see the packets that the switch or hub it is connected to sends its way. A switch learns which MAC address sits behind each port and forwards a unicast frame only to the port where its destination lives, so your workstation normally receives only traffic addressed to its own MAC address plus broadcast and multicast frames (and the occasional unicast frame whose destination the switch has not learned yet, which it floods to every port). A hub repeats every frame to every port, so on a hub you would see all traffic on the segment. Your network adapter also has to be in promiscuous mode to pass frames addressed to other stations up to Ethereal; the capture options enable this by default. Proper placement of your workstation, so that it sees the right traffic, is therefore critical. Often "port mirroring" is enabled on the switch to copy the traffic of the port of interest to your port. For example, you could mirror the core router's Ethernet port to your port.
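To make those visibility rules concrete, here is an added example (not from the article or from Ethereal): a toy learning switch, a hub, a mirror port and a NIC promiscuous-mode flag, run over a made-up frame sequence between an analyzer station A, hosts B and C, and a router R. The station names, MAC addresses and the order of the frames are constructed for illustration.

```python
"""Which frames ever reach the capture station on a hub, a switch, or a mirrored port.

Added example, not from the article or from Ethereal. Topology and frames are made up.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    """Broadcast/multicast destination: low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

class Hub:
    """Repeats every frame out of every port except the one it came in on."""
    def deliver(self, frame, in_port, ports):
        return ports - {in_port}

class Switch:
    """Learns source MACs; sends known unicast to one port and floods everything else."""
    def __init__(self, mirror=None):
        self.table = {}          # MAC -> port, learned from source addresses
        self.mirror = mirror     # (monitored_port, analyzer_port) or None

    def deliver(self, frame, in_port, ports):
        self.table[frame["src"]] = in_port
        dst = frame["dst"]
        if is_group(dst) or dst not in self.table:
            out = ports - {in_port}                 # flood: group address or not yet learned
        else:
            out = {self.table[dst]} - {in_port}
        if self.mirror:
            monitored, analyzer = self.mirror
            if in_port == monitored or monitored in out:
                out = out | {analyzer}              # copy both directions of the monitored port
        return out

def capture(device, frames, port_of, analyzer_mac, promiscuous):
    """Names of the frames the analyzer's NIC hands to the capture library (e.g. Winpcap)."""
    ports = set(port_of.values())
    analyzer_port = port_of[analyzer_mac]
    seen = []
    for f in frames:
        out = device.deliver(f, port_of[f["src"]], ports)
        if analyzer_port not in out:
            continue                                # the device never sent it toward us
        if promiscuous or f["dst"] == analyzer_mac or is_group(f["dst"]):
            seen.append(f["name"])                  # a non-promiscuous NIC drops other hosts' unicast
    return seen

# Constructed topology (hypothetical): analyzer A on port 1, hosts B and C, router R on port 4.
MACS = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b",
        "C": "02:00:00:00:00:0c", "R": "02:00:00:00:00:0d"}
PORT_OF = {MACS["A"]: 1, MACS["B"]: 2, MACS["C"]: 3, MACS["R"]: 4}

def frame(name, src, dst):
    return {"name": name, "src": MACS[src], "dst": MACS.get(dst, BROADCAST)}

SEQUENCE = [
    frame("R->A", "R", "A"),          # A not yet learned: flooded, and addressed to A anyway
    frame("B->C", "B", "C"),          # C not yet learned: flooded, so a promiscuous A sees it
    frame("C->B", "C", "B"),          # B known: switched to port 2 only
    frame("B->C", "B", "C"),          # C now known: switched to port 3 only
    frame("C->bcast", "C", "bcast"),  # broadcast: every port gets it
    frame("R->B", "R", "B"),          # only a mirror of the router port shows A this one
]

def scenario(medium, promiscuous, mirror_router_port=False):
    """Run SEQUENCE through a hub or a (fresh) switch and report what A captures."""
    device = Hub() if medium == "hub" else Switch(mirror=(4, 1) if mirror_router_port else None)
    return capture(device, SEQUENCE, PORT_OF, MACS["A"], promiscuous)
```

On the switch, `scenario("switch", promiscuous=True)` returns only the frame addressed to A, the broadcast, and the one unicast frame the switch flooded before it had learned where C lives; mirroring the router's port (`scenario("switch", True, mirror_router_port=True)`) adds the router's unicast to B. With promiscuous mode off, even the hub case shrinks to frames addressed to A or to the broadcast address, which is why the capture options leave promiscuous mode enabled.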
To capture packets, first select the interface that you want to capture packets from. To do this, click the top left icon on the toolbar that says "List the available capture interfaces." You'll see a window that looks like the one in Figure D.
|Select where you want to capture packets from.|
Notice that only one interface is seeing packets. That is because that is my primary network interface and also the interface I want to capture packets from. Click Capture and you'll see a window like the one in Figure E showing you the status of the capture.
|You can track the status of the captures as they go.|
Once you have captured enough packets, click Stop. Your packets will be decoded and available for analysis, as seen in Figure F.
|You can view all of the captures here.|
If you haven't used a protocol analyzer before, you will have to spend some time learning about them. Ethereal can do so many different things with the traffic. For example, you can see the actual conversation flow, as seen in Figure G.
|You can see many details of traffic, including conversation flow.|
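What "decoding into a readable format" and "conversation flow" mean in practice is easiest to see in code. The following is an added example, not code from the article or from Ethereal: a small Python reader for the libpcap file format that Ethereal saves captures in, which parses Ethernet, IPv4, TCP and UDP headers into readable fields and groups the packets into conversations with packet and byte counts, the way Ethereal's Conversations window answers the "who is using all the bandwidth?" question. It assumes a little-endian pcap file with Ethernet frames, and the capture it reads is constructed inside the script (a DNS lookup followed by an HTTP fetch between made-up MAC addresses and private IPs), so nothing is sniffed from a live network.

```python
"""Decode a libpcap capture and tabulate its conversations.

Added example, not from the article or from Ethereal. The capture is
constructed inline (made-up MACs, RFC 1918 addresses) so it runs offline.
"""
import struct
from collections import defaultdict
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def decode_frame(raw):
    """Decode Ethernet II, IPv4 and TCP/UDP headers; anything else is labelled, not guessed."""
    if len(raw) < 14:
        return {"proto": "runt"}
    pkt = {"dst_mac": mac_str(raw[0:6]), "src_mac": mac_str(raw[6:12])}
    ethertype = struct.unpack("!H", raw[12:14])[0]
    pkt["proto"] = f"eth:0x{ethertype:04x}"
    if ethertype != 0x0800 or len(raw) < 34:
        return pkt
    ihl = (raw[14] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[16:18])[0]
    ip_proto = raw[23]
    pkt["src_ip"], pkt["dst_ip"] = ip_str(raw[26:30]), ip_str(raw[30:34])
    pkt["proto"] = f"ip:{ip_proto}"
    l4 = raw[14 + ihl:14 + total_len]               # trust the IP length, not frame padding
    if ip_proto == 6 and len(l4) >= 20:
        pkt["proto"] = "tcp"
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
        bits = l4[13]
        pkt["flags"] = "".join(n for m, n in ((2, "S"), (16, "A"), (1, "F"), (4, "R")) if bits & m)
    elif ip_proto == 17 and len(l4) >= 8:
        pkt["proto"] = "udp"
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
    return pkt

def parse_pcap(data):
    """Walk a little-endian libpcap file and decode every Ethernet record."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap file with Ethernet frames")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        raw = data[off + 16:off + 16 + incl_len]
        if len(raw) != incl_len:
            raise ValueError("truncated packet record")
        off += 16 + incl_len
        pkt = decode_frame(raw)
        pkt["time"], pkt["len"] = ts_sec + ts_usec / 1e6, orig_len
        packets.append(pkt)
    return packets

def conversations(packets):
    """Group TCP/UDP packets by unordered endpoint pair, busiest first (cf. the Conversations window)."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        if p["proto"] in ("tcp", "udp"):
            a, b = sorted([(p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])])
            table[(p["proto"], a, b)]["packets"] += 1
            table[(p["proto"], a, b)]["bytes"] += p["len"]
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

# ---- constructed sample capture: a DNS lookup, then an HTTP fetch (not a real trace) ----
def _ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16: s = (s >> 16) + (s & 0xFFFF)
    return ~s & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=0x18):
    if proto == "tcp":   # seq/ack/window are dummies; flags default to PSH|ACK
        l4, ipp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0) + payload, 6
    else:
        l4, ipp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload, 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, ipp, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + l4

def build_pcap(frames, t0=1144022400):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", t0, i * 1000, len(f), len(f)) + f for i, f in enumerate(frames))

WS = (bytes.fromhex("001122334455"), bytes([192, 168, 1, 10]))   # workstation (hypothetical)
WEB = (bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 20]))  # web server (hypothetical)
DNS = (bytes.fromhex("ccddeeff0011"), bytes([192, 168, 1, 1]))   # DNS server (hypothetical)
SAMPLE_PCAP = build_pcap([
    build_frame(WS[0], DNS[0], WS[1], DNS[1], "udp", 51000, 53, b"\x00" * 29),
    build_frame(DNS[0], WS[0], DNS[1], WS[1], "udp", 53, 51000, b"\x00" * 45),
    build_frame(WS[0], WEB[0], WS[1], WEB[1], "tcp", 40000, 80, tcp_flags=0x02),
    build_frame(WEB[0], WS[0], WEB[1], WS[1], "tcp", 80, 40000, tcp_flags=0x12),
    build_frame(WS[0], WEB[0], WS[1], WEB[1], "tcp", 40000, 80, tcp_flags=0x10),
    build_frame(WS[0], WEB[0], WS[1], WEB[1], "tcp", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(WEB[0], WS[0], WEB[1], WS[1], "tcp", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n" + b"A" * 1400),
])
```

`parse_pcap(SAMPLE_PCAP)` yields seven decoded packets, with the TCP handshake showing up as flags S, SA and A; `conversations(...)` lists the HTTP conversation first (5 packets, 1707 bytes on the wire) and the DNS exchange second (2 packets, 158 bytes). To run it on a real trace, pass in the bytes of a capture Ethereal saved in libpcap format. Layers the decoder does not understand are left labelled with their EtherType or IP protocol number rather than guessed at, which is also what you want from a tool you will trust to tell you what is on the wire.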
Free for all
Ethereal is a very powerful program with many different uses. It is amazing, given all its features, that it is still freely available to anyone.