Wireshark and Ethereal Network Protocol Analyzer Toolkit

Ethereal is the second most popular open source security tool used by system administrators and security professionals. This book provides complete information and step-by-step instructions for analyzing protocols and network traffic on Windows, Unix, or Mac OS X networks. First, readers learn about the types of sniffers available today and the benefits of using Ethereal.

Readers then learn to install Ethereal in multiple environments, including Windows, Unix, and Mac OS X, and to build Ethereal from source, and are guided through Ethereal's graphical user interface. The following sections teach readers to use Ethereal's command-line options and to use Tethereal to capture live packets from the wire or to read saved capture files. This section also details how to import and export files between Ethereal and WinDump, Snort, Snoop, Microsoft Network Monitor, and EtherPeek.

The book then teaches the reader to master advanced tasks such as creating sub-trees, displaying bitfields in a graphical view, and tracking request and reply packet pairs, and includes exclusive coverage of MATE, Ethereal's brand-new configurable upper-level analysis engine. The final section of the book teaches readers to enable Ethereal to read new data sources, to program their own protocol dissectors, and to create and customize Ethereal reports.

What is Network Analysis and Sniffing?

Network analysis (also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping, and so on) is the process of capturing network traffic and inspecting it closely to determine what is happening on the network. A network analyzer decodes the data packets of common protocols and displays the network traffic in a readable format. A sniffer is a program that monitors data traveling over a network. Unauthorized sniffers are dangerous to network security because they are difficult to detect and can be inserted almost anywhere, which makes them a favorite weapon of hackers.

A network analyzer can be a standalone hardware device with specialized software, or software that is installed on a desktop or laptop computer. The differences between network analyzers depend on features such as the number of protocols they can decode, the user interface, and their graphing and statistical capabilities. Other differences include inference capabilities (e.g. expert analysis features) and the quality of packet decodes. Although several network analyzers decode the same protocols, some will work better than others for your environment.

Who Uses a Network Analyzer?

System administrators, network engineers, security engineers, system operators, and programmers all use network analyzers, which are invaluable tools for diagnosing and troubleshooting network problems, system configuration issues, and application difficulties.

The art of network analysis is a double-edged sword. While network, system, and security professionals use it for troubleshooting and monitoring the network, intruders use network analysis for harmful purposes. A network analyzer is a tool, and like all tools, it can be used for both good and bad purposes.

A network analyzer is used for:

Converting the binary data in packets to readable format
Troubleshooting problems on the network
Analyzing the performance of a network to discover bottlenecks
Network intrusion detection
Logging network traffic for forensics and evidence
Analyzing the operations of applications
Discovering faulty network cards
Discovering the origin of virus outbreaks or Denial of Service (DoS) attacks
Detecting spyware
Debugging network programs during development
Detecting a compromised computer
Validating compliance with company policy
As an educational resource when learning about protocols
Reverse-engineering protocols to write clients and supporting programs
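As an added example (not code from the book or from the Wireshark project), here is a minimal dissector that does what the two sections above describe: it reads a classic pcap file, the interchange format used by WinDump and Snort, and converts the binary Ethernet, IPv4 and TCP/UDP headers into readable fields. The sample capture is constructed in memory, and every function name is this example's own.

```python
import struct
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # file magic as read little-endian
LINKTYPE_ETHERNET = 1
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def build_sample_pcap():
    """Constructed input: a classic pcap file holding one TCP SYN, 10.0.0.5:40000 -> 10.0.0.9:80."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)  # flags=SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))  # checksum left 0, not verified
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rhdr = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))  # ts, incl/orig len
    return ghdr + rhdr + frame

def dissect_frame(ts, frame):
    """Decode Ethernet II -> IPv4 -> TCP/UDP headers into a readable dict of fields."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    pkt = {"time": ts, "eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                          # only IPv4 is decoded here (ARP, IPv6 stay raw)
        return pkt
    vihl, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    l4 = 14 + (vihl & 0x0F) * 4                      # IHL in 32-bit words; this skips IP options
    pkt.update(ip_src=".".join(map(str, sip)), ip_dst=".".join(map(str, dip)), ttl=ttl, proto=proto)
    if proto == 6:                                   # TCP: ports, then the flag byte (offset 13)
        sport, dport, _, _, _, flags = struct.unpack_from("!HHIIBB", frame, l4)
        pkt.update(l4="TCP", sport=sport, dport=dport, flags=[n for b, n in TCP_FLAGS.items() if flags & b])
    elif proto == 17:                                # UDP: just the port pair
        sport, dport = struct.unpack_from("!HH", frame, l4)
        pkt.update(l4="UDP", sport=sport, dport=dport)
    return pkt

def dissect_pcap(data):
    """Walk a classic (non-pcapng) capture file and dissect every record it holds."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)   # writer's byte order
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (link type 1) captures are decoded here")
    packets, off = [], 24                            # records start after the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        if len(frame) < incl_len:                    # truncated last record: stop, do not misparse
            break
        packets.append(dissect_frame(ts_sec + ts_usec / 1e6, frame))
        off += 16 + incl_len
    return packets
```

Feeding a real WinDump or Tethereal capture to `dissect_pcap` gives one dict per frame, the same fields a sniffer's packet list shows.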

A reader from Ann Arbor, MI says, "For the most part this book is an updated version of Ethereal Packet Sniffing. The title has been changed to more accurately reflect that it's about using Wireshark and not so much about analyzing traffic (although that's covered some), and also to denote that the project changed the name of the software recently. That said, it's an improvement over Ethereal Packet Sniffing with some new material and some reorganization.

Chapter 1 is an intro to network analysis, specifically with packet sniffing. It's very cursory, and they could do a better job of teaching this subject, but honestly that's a whole book unto itself and years of practice. The chapter is reasonably comprehensive and accurate.

Chapter 2 introduces Wireshark and how to begin using it. This chapter is very short given what it says it will cover, but most of that is brought up in the following chapters. There's a brief bit about Wireshark security, but again it's too cursory (2 paragraphs for a program that has a constant stream of security issues). Also, the authors keep calling it Ethereal in places and Wireshark in others. This inconsistency doesn't instill a great amount of trust in me that everything was reviewed well.

Chapter 3 covers getting and installing Wireshark for Windows, Linux, OS X, and how to build it from source. It also covers packet capture drivers (i.e. on Windows). A very straightforward, direct chapter.

Using Wireshark is the next chapter, and this is where we start the meat of the book. It's about 80 pages long and covers the UI and the command line options. The screen captures are better than the previous version of the book (and they oftentimes use just a portion of the screen), but they could still be improved for legibility and for usefulness. This chapter covers the uncommon graphing and stats sections, and also following streams.

Filters are covered in Chapter 5, and the PCAP and Wireshark filter languages are covered. These are rich languages that allow for complex selectivity, and the chapter is clear and pretty comprehensive.

A new topic is introduced in Chapter 6, specifically wireless sniffing. This is a good addition to the book, and even topics such as decoding EAP and WEP are covered. This is a good, concise overview of the topic of sniffing wireless networks.

Real-world packet captures are covered in Chapter 7, which is sadly too short (it could easily be a whole book). Several representative traces are included on the CD-ROM that are good to study and review in this chapter. They include Linux worms and Windows malware, and also some coverage of active response packets is given.

Just like the corresponding chapter in Ethereal Packet Sniffing, Chapter 8 covers developing plugins for Wireshark, specifically new protocol decodes. Because Wireshark has a framework to extend, it supports dozens of application and network layer protocols. You can add your favorite new protocol with ease if you follow this chapter. Who knows, you may even get it included. This is a real gem of the book.

Finally, Chapter 9 covers many of the auxiliary programs that are included with Wireshark. These programs let you manage packet traces and merge them or cut them down to size. These are useful even outside of Wireshark if you work with packet traces at all.

This book is a good update to the Ethereal Packet Sniffing book and material. Sadly, in many places the editors didn't do a good job of auditing the book, so there are some mistakes and sometimes even references to the now obsolete name of Ethereal. However, the additions and improvements over the older version make this book worthwhile for anyone who needs to learn how to fully utilize this powerful sniffer."
