These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Monitoring Attacks With Ethereal


Ethereal is a well-designed and easy to use GUI-based program for sniffing an Ethernet interface for packets and making sense of them. It is the program of choice for this task.

Ethereal maps IP addresses, MAC addresses, and high- and low-level protocol fields to symbolic names for easier interpretation. It allows an interpretive look at any part of a packet, but avoids showing you the overwhelming but normally uninteresting portions of a packet.

Using Ethereal

The following will do a basic "sniff everything from eth0 and show the results in real time":

 # ethereal -k -l -S -i eth0 &

The -k flag starts packet capture immediately. -l turns on automatic scrolling of the packet list, and -S updates the display as each packet is received. The -i flag specifies the interface; it defaults to the first non-loopback interface, which will probably be eth0. Ethereal will show the text data in the first captured packet, and it will show the source and destination addresses of all packets.

These are the results of such a call from my home system:

The middle pane shows the different logical components of each packet: IP addresses, MAC addresses, and the fields of DNS, NFS, SMTP, and other high-level protocols are all interpreted. Clicking on any one of these components expands it into its constituent components, which may in turn be expanded. At each level, the data is interpreted.
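To make the layered view of the middle pane concrete, here is a small dissector written for these notes (it is an added example, not code from Ethereal). It peels one protocol layer at a time from a frame, Ethernet, then IPv4, then TCP, then payload, and maps raw field values to symbolic names the way Ethereal's tree view does. The frame it parses is constructed inline with struct.pack, so nothing here touches a real interface; the MAC addresses, IP addresses and ports in it are made up for the example.

```python
"""Minimal layered packet dissector (added example, not part of Ethereal)."""
import struct

# Small symbolic-name tables, the kind Ethereal consults for each field.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_PORTS = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_str(raw):
    return ".".join(str(b) for b in raw)


def dissect_ethernet(frame):
    """Ethernet II header: 6-byte dst, 6-byte src, 2-byte ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layer = {"dst": mac_str(dst), "src": mac_str(src),
             "type": ETHERTYPES.get(ethertype, "0x%04x" % ethertype)}
    return layer, frame[14:]


def dissect_ipv4(data):
    """IPv4 header; honours IHL and trims to total length so Ethernet padding is not treated as payload."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl or total_len < ihl:
        raise ValueError("bad IPv4 header")
    layer = {"version": version, "header_len": ihl, "total_len": total_len,
             "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
             "src": ipv4_str(src), "dst": ipv4_str(dst)}
    return layer, data[ihl:total_len]


def dissect_tcp(data):
    """TCP header; data offset gives the header length, low 9 bits of the same word are flags."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = \
        struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_offset < 20 or len(data) < data_offset:
        raise ValueError("bad TCP header")
    layer = {"src_port": sport, "dst_port": dport,
             "service": TCP_PORTS.get(dport) or TCP_PORTS.get(sport) or "unknown",
             "seq": seq, "ack": ack, "window": window,
             "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit]}
    return layer, data[data_offset:]


def dissect(frame):
    """Return the nested layers of one frame, mirroring Ethereal's tree view."""
    tree = {}
    tree["eth"], rest = dissect_ethernet(frame)
    if tree["eth"]["type"] == "IPv4":
        tree["ip"], rest = dissect_ipv4(rest)
        if tree["ip"]["protocol"] == "TCP":
            tree["tcp"], rest = dissect_tcp(rest)
    tree["payload"] = rest  # whatever the last understood layer did not consume
    return tree


def build_sample_frame(padding=0):
    """Constructed Ethernet/IPv4/TCP frame with a tiny HTTP request (sample data, not a real capture)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x018, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp + payload + b"\x00" * padding


if __name__ == "__main__":
    for name, fields in dissect(build_sample_frame(padding=6)).items():
        print(name)
        if isinstance(fields, dict):
            for k, v in fields.items():
                print("    %s: %s" % (k, v))
        else:
            print("    %r" % fields)
```

Run it and each layer prints as an indented group, much like expanding one node of Ethereal's middle pane; the padding argument shows why a dissector must trust the IP total length rather than the frame length, since short frames are padded out on the wire.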



Last edited June 28, 2003 3:40 am (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.