Wireshark and Ethereal Network Protocol Analyzer Toolkit
Ethereal is the number 2 most popular open source security tool used by system administrators
and security professionals. This book provides complete information and step-by-step Instructions
for analyzing protocols and network traffic on Windows, Unix or Mac OS X networks. First, readers
will learn about the types of sniffers available today and see the benefits of using Ethereal.
Readers will then learn to install Ethereal in multiple environments including Windows, Unix and
Mac OS X as well as building Ethereal from source and will also be guided through Ethereal's graphical
user interface. The following sections will teach readers to use command-line options of Ethereal
as well as using Tethereal to capture live packets from the wire or to read saved capture files.
This section also details how to import and export files between Ethereal and WinDump, Snort, Snoop,
Microsoft Network Monitor, and EtherPeek.
The book then teaches the reader to master advanced tasks such as creating sub-trees, displaying
bitfields in a graphical view, tracking requests and reply packet pairs as well as exclusive coverage
of MATE, Ethereal's brand new configurable upper level analysis engine. The final section to the book
teaches readers to enable Ethereal to read new Data sources, program their own protocol dissectors,
and to create and customize Ethereal reports.
What is Network Analysis and Sniffing?
Network analysis (also known as traffic analysis, protocol analysis, sniffing, packet analysis,
eavesdropping, and so on) is the process of capturing network traffic and inspecting it closely to
determine what is happening on the network. A network analyzer decodes the data packets of
common protocols and displays the network traffic in a readable format. A sniffer is a program that
monitors data traveling over a network. Unauthorized sniffers are dangerous to network security
because they are difficult to detect and can be inserted almost anywhere, which makes them a
favorite weapon of hackers.
A network analyzer can be a standalone hardware device with specialized software, or software
that is installed on a desktop or laptop computer. The differences between network analyzers
depends on features such as the number of supported protocols it can decode, the user interface,
and its graphing and statistical capabilities. Other differences include inference capabilities (e.g.
expert analysis features) and the quality of packet decodes. Although several network analyzers
decode the same protocols, some will work better than others for your environment.
Who Uses a Network Analyzer?
System administrators, network engineers, security engineers, system operators, and
programmers all use network analyzers, which are invaluable tools for diagnosing and
troubleshooting network problems, system configuration issues, and application difficulties.
The art of network analysis is a double-edged sword. While network, system, and security
professionals use it for troubleshooting and monitoring the network, intruders use network
analysis for harmful purposes. A network analyzer is a tool, and like all tools, it can be used
for both good and bad purposes.
A network analyzer is used for:
• Converting the binary data in packets to readable format
• Troubleshooting problems on the network
• Analyzing the performance of a network to discover bottlenecks
• Network intrusion detection
• Logging network traffic for forensics and evidence
• Analyzing the operations of applications
• Discovering faulty network cards
• Discovering the origin of virus outbreaks of Denial of Service (DoS) attacks
• Detecting spyware
• Network programming to debug in the development stage
• Detecting a compromised computer
• Validating compliance with company policy
• As an educational resource when learning about protocols
• Reverse-engineering protocols to write clients and supporting programs