Quote from the description on www.ethereal.com:Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.If you want to see what ethereal looks like, check out screen shots from www.ethereal.com.
To run ethereal, just type "ethereal" at your command prompt. If you get "command not found", try "/usr/sbin/ethereal".
To capture packets, you need to have root privilege to that machine which you probably don't have it. So I have written a wrapper for ethereal to capture packets. Run "wp_ethereal" or "/usr/local/bin/wp_ethereal" from the prompt (you have to provide proper parameters, see below for detail.) For example, you type this following command on Linux machine "redhat00"./usr/local/bin/wp_ethereal -c 200 -w outputfile -f "'host redhat00'"Please note that the filter should be enclosed by double quote (") and then use single quote (') to enclose the filter expression. The reason is first pair of double quote (") will be stripped by wrapper program and then ethereal will pick up the filter expression enclosed by single quote ('). I know it's awkward. But at lease it works.This will capture 200 packets (-c 200) and save the output to "outputfile" (-w outputfile) and capture filter is set to capture the packets to and from redhat00 (-f "'host redhat00'"). You can also add "-n" if you want to do name resolve (which will give you hostname, instead of IP address).
You can also reverse the order of single quote and double quote, e.g.,/usr/local/bin/wp_ethereal -c 200 -w outputfile -f '"host redhat00"'
If you get "/bin/touch: outputfile: Permission denied", don't panic. There is a problem with suid program (wp_ethereal) trying to write mounted file system (your directory). All you have to do is change directory to /tmp (cd /tmp) and repeat the process. Remind you to move output file(s) to your home directory after you are done, or delete it (them). Sorry for the inconvenience.
The syntax for capture filter can be found in
And there is also a display filter and the syntax can be found in
If you just want to print out on packet, under "File" menu, choose
For those who using Windows 98/NT, you can get
Win32 binary distribution.
You should get ethereal-*-capture.zip and gtk-libs*.zp, and
Last modified: November 1, 2000.
How to view the captured packets?
Say your captured output file is called "outputfile". The following command
will read in your captured output file to ethereal.
/usr/sbin/ethereal -r outputfile
There is a very convenient function to keep track HTTP (and SMTP, POP3, etc.)
The function is called "Follow TCP Stream" and is located in "Tools" menu.
You have to move high-lighted bar to a TCP or HTTP packet, so
"Follow TCP Stream" option would be visible (otherwise, it would show
If you want to turn off this function, click "reset" button at the bottom
of the screen.
Network is noisy. How can I filter un-needed packets?
You can use (-f "'host redhat00'") (assume you are running on "redhat00")
which will only capture packets to and from "redhat00".
If you want get rid of ARP also, you can use
(-f "'host redhat00 and not arp'").
How can I print out the packets that I captured?
Under the "File" menu, choose "Print". I would suggest you to
"Print summary" only, otherwise it would be very very long (since all
packets are expeneded by default). Most lines in summary are longer than
80 characters, so you can either save it to a file first (use
"enscript -r filename" to print) or put "enscript -r" in the command field.
Where can I get ethereal and run it at my PC?
You can download from
ethereal's official site to your Linux
box. If you are using RedHat, you will need ethereal-*.i386.rpm and
libpcap-*ethereal.i386.rpm, and ucd-snmp*.i386.rpm from your RedHat CD.
Where can I get more information about ethereal?
Other similar packet sniffer programs:
tihuang at cs . uh . edu
The syntax for capture filter can be found in tcpdump(8). And there is also a display filter and the syntax can be found in ethereal(1).
If you just want to print out on packet, under "File" menu, choose "Print Packet".
For those who using Windows 98/NT, you can get Win32 binary distribution. You should get ethereal-*-capture.zip and gtk-libs*.zp, and WinPcap.
Last modified: November 1, 2000.