A lesser-known packet sniffing tool for Linux with a nice GUI
is Ethereal. Most Linux distributions
come with Ethereal pre-packaged so it is very easy to install.
To begin, Ethereal should be run as root because it can put
your network interface into promiscuous mode so that it can listen to all
traffic, even if it isn’t destined for the system. Once Ethereal is started,
select Capture | Options from the toolbar. Here you can select what network interface
to listen to (eth0 by default) as well as a number of other options. Click the
Start button to start the packet capture session.
A little pop-up window will appear, indicating how many
packets have been captured and what type they are (UDP, TCP, ICMP, etc.). Once
you have enough packets, click the Stop button, and you can begin to analyze
what has been captured.
The data that Ethereal shows is similar to tcpdump in many respects but far easier
to browse. It shows the source and destination of any packet, the protocol
used, and a basic information string. If you click on a packet in the list, you
can examine the packet’s contents. At the bottom of the screen you’ll see the
raw contents of the packet and if you select any item of the packet to view, such
as the frame information, you’ll see the corresponding part of the raw packet
highlighted as well.
You can filter output based on expressions, and defining
filters is easy with a GUI expression “builder.” For instance, to see
all Samba-related packets:
- Click the Expression button.
- Select SMB from the field name, and select Is Present for the relation.
- Click OK. Now only Samba-related packets will be shown.
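The per-protocol counts from the capture pop-up and the SMB filter above can be reproduced offline on raw frames. The following is an added example, not code from the book or from Ethereal: it approximates Ethereal's "smb is present" filter with port matching (TCP 139/445 and NetBIOS UDP 137/138) rather than full protocol dissection, and the frames, MAC and 10.0.0.x addresses are constructed for the demonstration.

```python
import struct
from collections import Counter

def build_frame(proto, sport=0, dport=0):
    """Constructed Ethernet + IPv4 + L4 frame; proto is the IP protocol number."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)           # constructed MACs, EtherType IPv4
    if proto == 1:                                            # ICMP echo request: type 8, code 0
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    elif proto == 6:                                          # TCP: 20-byte header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:                                                     # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed 10.0.0.x hosts
    return eth + ip + l4

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
SMB_TCP_PORTS = {139, 445}      # NetBIOS session service and direct-hosted SMB
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name and datagram services

def parse_frame(frame):
    """Return (protocol name, src port, dst port) for an IPv4 frame; ports are None for ICMP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return ("non-IP", None, None)
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]            # IHL in 32-bit words, protocol byte
    l4 = frame[14 + ihl:]
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", l4[:4])
        return (PROTO_NAMES[proto], sport, dport)
    return (PROTO_NAMES.get(proto, str(proto)), None, None)

def is_smb_related(frame):
    """Port-based stand-in for Ethereal's SMB 'Is Present' filter."""
    name, sport, dport = parse_frame(frame)
    if name == "TCP":
        return bool({sport, dport} & SMB_TCP_PORTS)
    if name == "UDP":
        return bool({sport, dport} & NETBIOS_UDP_PORTS)
    return False

def summarize(frames):
    """Per-protocol counts like the capture pop-up, plus the SMB-filtered subset."""
    counts = Counter(parse_frame(f)[0] for f in frames)
    return counts, [f for f in frames if is_smb_related(f)]

# Constructed capture: two SMB sessions, one NetBIOS name query, an HTTP SYN and a ping.
CAPTURE = [build_frame(6, 50000, 445), build_frame(6, 139, 50001), build_frame(17, 137, 137),
           build_frame(6, 50002, 80), build_frame(1)]
```

Running `summarize(CAPTURE)` on the constructed capture yields three TCP, one UDP and one ICMP frame, with three of them passing the SMB filter.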
Ethereal is a powerful tool to use when debugging network
problems or potential threats, and its ease of use makes it far simpler to use
than tcpdump.