Instruction to use ethereal

What is ethereal?

Quote from the description on
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
If you want to see what ethereal looks like, check out screen shots from

How to run ethereal on Linux machines in 547 PGH?

To run ethereal, just type "ethereal" at your command prompt. If you get "command not found", try "/usr/sbin/ethereal".

To capture packets, you need to have root privilege to that machine which you probably don't have it. So I have written a wrapper for ethereal to capture packets. Run "wp_ethereal" or "/usr/local/bin/wp_ethereal" from the prompt (you have to provide proper parameters, see below for detail.) For example, you type this following command on Linux machine "redhat00".

    /usr/local/bin/wp_ethereal -c 200 -w outputfile -f "'host redhat00'"
Please note that the filter should be enclosed by double quote (") and then use single quote (') to enclose the filter expression. The reason is first pair of double quote (") will be stripped by wrapper program and then ethereal will pick up the filter expression enclosed by single quote ('). I know it's awkward. But at lease it works.

You can also reverse the order of single quote and double quote, e.g.,

    /usr/local/bin/wp_ethereal -c 200 -w outputfile -f '"host redhat00"'
This will capture 200 packets (-c 200) and save the output to "outputfile" (-w outputfile) and capture filter is set to capture the packets to and from redhat00 (-f "'host redhat00'"). You can also add "-n" if you want to do name resolve (which will give you hostname, instead of IP address).

If you get "/bin/touch: outputfile: Permission denied", don't panic. There is a problem with suid program (wp_ethereal) trying to write mounted file system (your directory). All you have to do is change directory to /tmp (cd /tmp) and repeat the process. Remind you to move output file(s) to your home directory after you are done, or delete it (them). Sorry for the inconvenience.

How to view the captured packets?

Say your captured output file is called "outputfile". The following command will read in your captured output file to ethereal.
    /usr/sbin/ethereal -r outputfile
There is a very convenient function to keep track HTTP (and SMTP, POP3, etc.) messages. The function is called "Follow TCP Stream" and is located in "Tools" menu. You have to move high-lighted bar to a TCP or HTTP packet, so "Follow TCP Stream" option would be visible (otherwise, it would show grey color). If you want to turn off this function, click "reset" button at the bottom of the screen.

Network is noisy. How can I filter un-needed packets?

You can use (-f "'host redhat00'") (assume you are running on "redhat00") which will only capture packets to and from "redhat00". If you want get rid of ARP also, you can use (-f "'host redhat00 and not arp'").

The syntax for capture filter can be found in tcpdump(8). And there is also a display filter and the syntax can be found in ethereal(1).

How can I print out the packets that I captured?

Under the "File" menu, choose "Print". I would suggest you to "Print summary" only, otherwise it would be very very long (since all packets are expeneded by default). Most lines in summary are longer than 80 characters, so you can either save it to a file first (use "enscript -r filename" to print) or put "enscript -r" in the command field.

If you just want to print out on packet, under "File" menu, choose "Print Packet".

Where can I get ethereal and run it at my PC?

You can download from ethereal's official site to your Linux box. If you are using RedHat, you will need ethereal-*.i386.rpm and libpcap-*ethereal.i386.rpm, and ucd-snmp*.i386.rpm from your RedHat CD.

For those who using Windows 98/NT, you can get Win32 binary distribution. You should get ethereal-* and gtk-libs*.zp, and WinPcap.

Where can I get more information about ethereal?

Other similar packet sniffer programs:

Last modified: November 1, 2000.
tihuang at cs . uh . edu