- cyclescott, on 10/12/2007, -7/+4
Good intro for budding network app developers and admin troubleshooting. Final project should be to write your own sniffer based on libpcap :)
- jpesicka2, on 10/12/2007, -45/+1
I farted...
...and it smells.
- thegreatsam, on 10/12/2007, -1/+5
Something that I've been looking for. Dugg!
- Blazer, on 10/12/2007, -0/+13
I find it interesting that people are still writing articles about Ethereal (including a presentation at a local LUG), without mentioning that the Ethereal site is now deprecated, and that Ethereal is now known as "WireShark" http://www.wireshark.org
- osbjmg, on 10/12/2007, -0/+2
Wireshark FTW
- livewirelp, on 10/12/2007, -0/+0
FYI to you OSX users... ethereal is available through Fink (http://fink.sourceforge.net/). Make sure you have X11 installed (on your OSX DVD if you have Tiger)
- livewirelp, on 10/12/2007, -0/+0
double post... sorry
- CypherXero, on 10/12/2007, -2/+3
Nothing beats tcpdump, tcpreplay, and dsniff
- stoops, on 10/12/2007, -1/+1
tcpdump for me as well, good stuff, but I will now google tcpreplay/dsniff.
- jimmyblake, on 10/12/2007, -1/+0
tcpdump, tcpreplay and ettercap-ng does ;)
- jpesicka2, on 10/12/2007, -34/+2
I farted...
...and it smells... ...again.
- dengzhi, on 10/12/2007, -1/+0
http://torpark.nfshost.com might "beat it"
- LegendarySock, on 10/12/2007, -0/+5
http://duggmirror.com/software/Packet_School_101
Just in case the site goes down.
Back on topic, ya I recently got into the pen testing scene, and I've been learning about Nmap, Nessus and other tools, and I've come across several Ethereal tutorials. This one is excellent for beginners. Even if you have little knowledge about pen testing you should be able to pick up from this article with ease. I look forward to the next lesson in "Packet School" :P
- JimmyJohnJedi, on 10/12/2007, -3/+11
PROBLEMS ABOUND! From the start, the author refers you to Ethereal. Ethereal's development team abandoned that project and are now working on Wireshark (http://www.wireshark.org). Ethereal is now basically a dead project and has been replaced by Wireshark. Problem number two.... the author of the article states that you will only be able to sniff the traffic sent to and from your own machine if you are on a switched network.... wrong! Sniffers put your NIC in "promiscuous mode". You won't be able to see all of the traffic, but you will see a huge chunk of valuable broadcast traffic. There are several more errors in the article as well. It does have some very very basic information but... read on at your own risk.
- LegendarySock, on 10/12/2007, -2/+8
Ethereal isn't an abandoned project. Ethereal IS Wireshark because of a name change due to copyright infringement and right now, the current Wireshark and Ethereal versions are very similar.
- kurth, on 10/12/2007, -2/+6
You are wrong. Partly.
When sniffing a switched network, ONLY packets for your NIC are sent down the wire. To sniff a switched network, you need to put one port in a "mirror" mode. (Vendors call it different things.) Then all switch traffic will be sent down your wire.
Makes sense if you don't have your head up your ass. :-)
- mmuthanna, on 10/12/2007, -3/+1
@kurth:
You are wrong, almost completely.
Apart from packets destined to your address, a switch also forwards broadcast traffic to all ports (intelligently, or stupidly, depending on the switch). Multicast traffic may also be forwarded, depending on the switch type.
There are other ways to monitor switch traffic: 1) Overload the switch using various storming techniques and have it switch to "hub" mode. 2) Poison ARP tables and pretend to be the default router. 3) Other more devious ways.
- nonsequitor, on 10/12/2007, -4/+1
You sir do not know the difference between a hub and a switch. Switches route based on MAC addresses, therefore you only receive traffic which has a Destination MAC equal to that of your PC's NIC regardless of whether or not the NIC is in promiscuous mode. A Hub on the other hand will send all traffic to all ports which it did not originate from. Most Hubs for sale are really switches, making things more difficult. However if you overload a switch it MAY fail into Hub mode, assuming it's not French, because then it would just surrender.
- mmuthanna, on 10/12/2007, -1/+1
@nonsequitor:
Not true. Switches DO respect broadcast addresses. ___Even at the MAC layer___. Broadcast addresses are not restricted to IP; Ethernet addresses also have (and use) them.
Secondly, if you've not been around this last decade, Layer 3 switches are quite the rave. They're not restricted to Layer 2 (MAC) based packet routing. Most corporate switches nowadays employ layer-3 switching. It just makes life easier.
I'm sure you already know this, but my point was that you don't only receive traffic that is destined to your MAC address. Most of today's switches are quite intelligent, and there are many other factors that determine whether you receive a packet or not.
- VashTSPD, on 10/12/2007, -1/+1
no...you're not exactly right there on the wireshark part, the main guy split, and he had the copyright to the Ethereal code BUT not the "Ethereal" trademark, so he started Wireshark, which uses the Pcap library instead of WinPcap (but I think they both use Pcap now, w/e). En.wikipedia.org/wiki/wireshark
That's a great article if you want a quick summary of what happened.
- aphexcoil, on 10/12/2007, -1/+2
I am a network administrator for a beer distributor and use ethereal once in a while. We use many 24 port HP switches. If you want to see all of the traffic going into your switch from all attached nodes, you'll want to set up your port to mirror mode (someone else already mentioned this -- they are correct). In mirror mode, the switch will duplicate all packets meant for other ports to also mirror to your own port. It does not matter if your NIC is set to "promiscuous mode" -- without the mirror set correctly, you will only see packets meant for your node and various broadcast packets.
I will tell you this much -- using ethereal and actually studying packets can help you immensely with complex network issues. I once was faced with a problem between two branch offices and DHCP set up at one of the offices via a superscope in Active Directory. It was not working correctly and I needed to find out why. Using ethereal I was able to determine that our Cisco 1721 routers were not set up correctly to pass the appropriate DHCP Discover packets, requests, etc.
From an old-school network engineer I will offer this little tidbit of wisdom -- forget certifications, books (to an extent), etc. -- the best way to learn is to do!
good luck!
- ripcord, on 10/12/2007, -2/+2
Wow. Such disinformation. =)
I'm a periodic contributor to Ethereal/Wireshark and have been using the software daily for the past 5 years.
First, The main guy "split" and couldn't continue to use the Ethereal name because of trademark issues, that's true. However, every one of the core developers (and, so far, every one of the contributors) is moving to the Wireshark product. Ethereal is effectively dead - people are welcome to continue it if they want but so far no one has expressed any plans to.
Gerald (the core Ethereal/Wireshark guy) didn't drop Winpcap for "pcap" (or, rather, "libpcap"). Winpcap is just a Windows implementation of the pcap libraries that exist on Linux, Solaris, etc. It's developed by a totally different group of people, and Gerald now works for the company that's been developing winpcap (the Windows version of Ethereal/Wireshark has used Winpcap for years, and still uses libpcap on most *nixes).
Second, mmuthanna is 100% correct. The rest of you are missing the point with half-knowledge about what you speak of. Switches flood broadcast traffic out ports within broadcast domains (usually VLANs, though on smaller switches there may be no concept), period (well, I say that, but "smart" switches can get more complex). Flooded traffic may include unicast traffic if MAC entries aren't in the switch's CAM/MAC address table. This can be useful, but is rarely extremely useful. Port mirroring is usually the best option for doing more complete recording/analysis of traffic destined to port(s), but mmuthanna is spot on with what he/she said.
I agree with aphexcoil, too - protocol analysis is definitely one of the most useful and by far under-used tools in a network admin's toolbox. It can just have a somewhat steep learning curve =(
- osbjmg, on 10/12/2007, -1/+1
ripcord - agreed, such disinformation and marketing terms flying around. The concepts there are not easy to argue with. You only need worry about a bridge vs. router vs. a hub. L3 switches do exist but they keep routing and switching separate and merge it together in hardware - again the word switch itself is still a bit of a marketing term anyway and not worthy of being argued about.
Let's focus on Ethereal/Wireshark for this article okay? I will say that I appreciate all the contributors to this project, it's way cheaper than Sniffer Pro. Honestly, I see people use sniffer at work and wonder how they get anything done. Setting up a filter is so "point and click" that it takes 5 minutes and doesn't really follow logic.
The one thing holding Wireshark back now is packet playback.
- sirsteveh, on 10/12/2007, -0/+7
Scratch www.ethereal.com - it's now wireshark at www.wireshark.org . Ethereal.com is still up, but it's outdated. Wireshark is the _same product_, though - just at a later version, with a non-trademark-disputed name.
EDIT: drat, JimmyJohnJedi beat me by a few seconds.
- jiminoc, on 10/12/2007, -7/+2
how did this get to the front page? maybe when all the parts are written but jeez this guy has two paragraphs on ethereal and boom, front page. wtf
- LegendarySock, on 10/12/2007, -1/+2
There are two pages, part one and part two.
- bdigit, on 10/12/2007, -2/+2
Looks like a nice copycat of http://www.novell.com/img/flash/load_stream.html?temp=1&id=webex_converts&stream=iograph-chappel0106&w=640&h=520
by Laura Chappell. The similarities are a little too close
- revka, on 10/12/2007, -0/+4
no wai!
from TFA:
I obtained this trace file as well as a lot of others I will be using from Laura Chappell, Sr. Protocol Analyst for the Packet Level Protocol Analysis Institute (http://www.packet-level.com).
- TheKillDoctor, on 10/12/2007, -0/+1
I'm stuck with sniffing between two servers tomorrow. I "plan" on mirroring the port on the switch to trap all the traffic between the two servers on my laptop using a commercial sniffer.
- Keruo, on 10/12/2007, -1/+1
The article is missing an obvious warning: never sniff traffic on a network where you aren't authorized to do so.
- clueless, on 10/12/2007, -0/+2
now that's my question:
if a 10/100 Hub just happens to be lying around, couldn't any average joe just connect the hub to their connection and sniff the data of all the users on that little network?
- clueless, on 10/12/2007, -0/+2
(damn that 50 second time...)
or will it be too obvious in the eye of the admin?
- aphexcoil, on 10/12/2007, -0/+4
clueless,
It depends on the network topology. If you're connected to a hub, you'll be able to sniff out traffic to all other nodes connected to that hub. However, don't think you can piggyback a hub into a switch and then magically be able to see all nodes on the switch.
For a quick and dirty educational read, please check out this link:
http://computer.howstuffworks.com/lan-switch.htm
Remember, there are never stupid questions. We all started from 0 knowledge and worked our way upward. With a little curiosity, you can really go far!
- jordan314, on 10/12/2007, -0/+3
Is there any way to read the content of the packets captured with Ethereal? I'm a newbie with packet capturing but all I could do was see what sites the packets were coming from, not what they contained.
- aphexcoil, on 10/12/2007, -0/+3
Yes, with a packet sniffing program, you can actually see the information in the packets. However, if the transmission is encrypted, you won't be able to make anything intelligible out of the packets. As an experiment, run a packet sniffing program and browse a normal website. You will see a lot of HTML code in the packets. Do the same thing, but this time log into your bank and sniff packets from a secure HTTP connection.
Cool, eh?
- jimmyblake, on 10/12/2007, -0/+0
Yes, Ethereal has some very powerful drill down capabilities even going to the extent of completely rebuilding a Web-browsing session from all of the component HTTP traffic. You can filter traffic based on port numbers, for example to search port 80 (Web) traffic for the text phrase 'password:' - what comes back embedded in the HTTP response might be quite interesting
There are several really good books on Ethernet, the one from Syngress is especially good. I used to have to pay a fortune for commercial products, such as Network Instrument's observer, but now everyone has access to a tool just as powerful for free.
- spiritflare1, on 10/12/2007, -0/+0
You don't need to turn on mirroring on a switch just to see all the packets - Tcpdump has an option (I think default) to go into promiscuous mode, and it will see everything on the wire, not just the broadcasts destined to the sniffing NIC, but traffic between other sources/destinations.
- aphexcoil, on 10/12/2007, -0/+0
Incorrect -- a switch won't even put traffic on a wire unless it knows a MAC address is on that port or it is a broadcast.
You're right that promiscuous mode will see everything on the wire but a switch doesn't put everything on a wire running to a specific port. That's one of the central advantages of a switch over a hub and also another reason why VLANs are possible.
- jimmyblake, on 10/12/2007, -0/+5
Until recently I worked for the World's second largest Ethernet switch manufacturer - 3Com - in their security division. A lot of what is written above is, well, bollocks. Some of it is also well researched and informative.
Both hubbed and switched Ethernet can utilise both broadcast and multicast addresses. In fact RARP (Reverse Address Resolution Protocol defined in RFC 903) which is used to resolve MAC addresses (physical OSI Layer 2 addresses) into IP addresses (logical OSI Layer 3 addresses) utilises Ethernet ARP so all machines on an Ethernet network can see the RARP packet.
Running an interface in promiscuous mode will not show you all traffic flowing through a switch to which you are attached, but it will show you all traffic flowing through a hub to which you are attached. Ethernet's original standard worked without anything like a hub or a switch, it had a bus topology and utilised a single piece of cable with terminators at each end to stop the signal being reflected back down the wire:
[T]============================[T]
With the thick coaxial version known commonly as 10BASE5 or thicknet, physical 'taps' cut through the cable casing into the cable and 'drop' cables utilised Media Access Unit (MAU) interfaces to attach between the Network Interface card on the PC and the tap.
[T]=====[TAP]=====[TAP]=====[TAP]=====[T]
          [MAU]      [MAU]      [MAU]
            I          I          I
            I          I          I
          [MAU]      [MAU]      [MAU]
          [NIC]      [NIC]      [NIC]
As it is a bus, a piece of traffic going from the first station to the third station would be visible to the MAU/NIC of the second station. In non-promiscuous mode the NIC *IGNORES* any traffic it sees which is not addressed to its MAC address. In promiscuous mode it cares not for the address in the Ethernet segment and brings the traffic in for processing.
Passing over thinnet or 10BASE2 which is practically the same architecture as 10BASE5 but utilised thinner coax and used small BNC connectors to form 'T's in the network cable instead of taps and skipping to 10BASET you introduce hubs into the equation.
Hubs still utilise the same underlying bus architecture as a 10BASE5/2 network. All they do is create a bus and the connection to the bus is made via an RJ45-ended cable.
------------------ HUB -------------------
------[ ]------[ ]------[ ]------[ ]------
        I        I        I        I
        I        I        I        I
      [NIC]    [NIC]    [NIC]    [NIC]
Within the hub itself is the bus and all traffic is visible to all NICs, in non promiscuous again the NICs choose to ignore the traffic. In promiscuous mode it cares not for the address in the Ethernet segment and brings the traffic in for processing.
The best way of looking at a switch without starting to talk about things like Carrier Sense Multiple Access/Collision Detect and Collision Domains (which is the mechanism Ethernet uses to avoid two of the stations on the same shared bus talking at the same time), is to look at a crossover cable connection between two PCs.
[PC1]==================X===============[PC2]
A cross over cable is exactly the same as a straight bit of Ethernet cable but wired so the transmit from one end goes to the receive at the end, and vice versa. A cross over cable enables a direct connection between only two Ethernet devices.
When data enters a switch, the switch contains an internal table that lists the MAC addresses of all of the attached stations attached to each of its ports. Typically the switch will create in effect a virtual cross over cable between the source port of the packet and the port to which the table indicates that the destination MAC address is attached - no other ports on the switch will see the traffic even if their interfaces are set to promiscuous because in effect the two machines on either side of the connection have a direct one-to-one connection (this is a gross oversimplification because the switches may be cascaded but the basic principle remains).
The only real way to see the switched traffic is to poison the table of the switch utilising something like ARP spoofing (Google it for further explanation, two of the best ARP spoofing tools IMHO have been mentioned already: dsniff and ettercap) or by utilising a switch vendor feature called SPAN ports (for Cisco) or mirror ports (for the rest of the World). Mirror ports are configured to circumvent the direct one-to-one connection by directing all or specific ports' traffic down an additional port. This is most used to attach a packet sniffer such as Ethereal or an Intrusion Detection System to monitor the traffic.
VLANs have been mentioned, these effectively group ports on a switch so that only certain ports can set up the one-to-one communications, effectively dividing one switch into several mini-switches.
Blah digg screwed my lovely text diagrams up :-/
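The forwarding rules argued over in this thread (hub repeats everything; a switch learns source MACs, sends known unicast to one port, floods broadcast/multicast and unknown unicast; a mirror/SPAN port copies everything) can be checked with a small simulation. The code below is an added Python example, not from the thread or from any product it mentions; it covers both aphexcoil's hub-vs-switch answer and jimmyblake's description of the switch's MAC table. Port numbers, MAC addresses and frame payloads are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Ethernet broadcast/multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Hub:
    """A repeater: every frame is copied to every port except the one it arrived on."""
    ports: Set[int]

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        return sorted(self.ports - {in_port})


@dataclass
class LearningSwitch:
    """Transparent bridge: learns the source MAC of each frame against its ingress port,
    switches known unicast to one port, floods group and unknown-unicast frames, and
    optionally copies everything to a mirror (SPAN) port."""
    ports: Set[int]
    mirror_port: Optional[int] = None
    cam: Dict[str, int] = field(default_factory=dict)  # MAC address -> port

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        self.cam[frame.src] = in_port  # learn where the sender lives
        if is_group_address(frame.dst) or frame.dst not in self.cam:
            out = self.ports - {in_port}              # flood
        else:
            out = {self.cam[frame.dst]} - {in_port}   # one port; dropped if dst is on in_port
        if self.mirror_port is not None and self.mirror_port != in_port:
            out = out | {self.mirror_port}            # mirror copy
        return sorted(out)


def frames_seen_at(device, sniffer_port: int, traffic: List[Tuple[int, Frame]]) -> List[str]:
    """Payloads a promiscuous NIC on sniffer_port receives from this device, in order."""
    return [f.payload for p, f in traffic if sniffer_port in device.forward(p, f)]


# Constructed scenario: station A on port 1, station B on port 2, sniffer on port 3.
MAC_A = "00:00:00:00:00:0a"
MAC_B = "00:00:00:00:00:0b"
SAMPLE_TRAFFIC: List[Tuple[int, Frame]] = [
    (1, Frame(MAC_A, MAC_B, "A->B first frame")),   # B not yet learned: flooded
    (2, Frame(MAC_B, MAC_A, "B->A reply")),         # A known: port 1 only
    (1, Frame(MAC_A, BROADCAST, "A ARP broadcast")),  # group address: flooded
    (1, Frame(MAC_A, MAC_B, "A->B later frame")),   # B known: port 2 only
]
PORTS = {1, 2, 3}
SNIFFER_PORT = 3


def hub_view() -> List[str]:
    return frames_seen_at(Hub(PORTS), SNIFFER_PORT, SAMPLE_TRAFFIC)


def switch_view() -> List[str]:
    return frames_seen_at(LearningSwitch(PORTS), SNIFFER_PORT, SAMPLE_TRAFFIC)


def mirror_view() -> List[str]:
    return frames_seen_at(LearningSwitch(PORTS, mirror_port=SNIFFER_PORT), SNIFFER_PORT, SAMPLE_TRAFFIC)


if __name__ == "__main__":
    print("hub:          ", hub_view())
    print("switch:       ", switch_view())
    print("switch+mirror:", mirror_view())
```

The switch run shows exactly the middle ground several posters describe: the sniffer port gets the first A->B frame only because B's MAC was not yet in the table (ripcord's unknown-unicast flooding), gets the broadcast, and gets nothing once the switch has learned both stations. Only the hub and the mirrored switch deliver all four frames.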
- spiritflare1, on 10/12/2007, -0/+0
jimmyblake - nice tutorial on Switches and Vlans, but this statement:
"Running an interface in promiscuous mode will not show you all traffic flowing through a switch to which you are attached, but it will show you all traffic flowing through a hub to which you are attached"
Is not true. I currently am running tcpdump on a firewall interface plugged into a Cisco 6509 SWITCH and I can see traffic not only destined to my firewall NIC, but broadcasts from other servers to respective clients.