Lucent Technologies Ethereal instruction

Ethereal User's Guide
6.6. Finding packets	113
6.6.1. The "Find Packet" dialog box	113
6.6.2. The "Find Next" command	114
6.6.3. The "Find Previous" command	114
6.7. Go to a specific packet	115
6.7.1. The "Go Back" command	115
6.7.2. The "Go Forward" command	115
6.7.3. The "Go to Packet" dialog box	115
6.7.4. The "Go to Corresponding Packet" command	115
6.7.5. The "Go to First Packet" command	115
6.7.6. The "Go to Last Packet" command	115
6.8. Marking packets	116
6.9. Time display formats and time references	117
6.9.1. Packet time referencing	117
7. Advanced Features	120
7.1. Introduction	120
7.2. Following TCP streams	121
7.2.1. The "Follow TCP stream" dialog box	121
7.3. Packet Reassembling	123
7.3.1. What is it?	123
7.3.2. How Ethereal handles it	123
7.3.3. Reassembling is disabled by default!	123
7.4. Name Resolution	124
7.4.1. Ethernet name resolution (MAC layer)	124
7.4.2. IP name resolution (network layer)	124
7.4.3. IPX name resolution (network layer)	125
7.4.4. TCP/UDP port name resolution (transport layer)	125
8. Statistics	127
8.1. Introduction	127
8.2. The "Summary" window	128
8.3. The "Protocol Hierarchy" window	130
8.4. Endpoints	132
8.4.1. What is an Endpoint?	132
8.4.2. The "Endpoints" window	132
8.4.3. The protocol specific "Endpoint List" windows	133
8.5. Conversations	134
8.5.1. What is a Conversation?	134
8.5.2. The "Conversations" window	134
8.5.3. The protocol specific "Conversation List" windows	134
8.6. The "IO Graphs" window	135
8.7. Service Response Time	137
8.7.1. The "Service Response Time DCE-RPC" window	137
8.8. The protocol specific statistics windows	139
9. Customizing Ethereal	141
9.1. Introduction	141
9.2. Start Ethereal from the command line	142
9.3. Packet colorization	146
9.4. Control Protocol dissection	149
9.4.1. The "Enabled Protocols" dialog box	149
9.4.2. User Specified Decodes	151
9.4.3. Show User Specified Decodes	152
9.5. Preferences	153
A. Configuration (and other) Files and Folders	156
A.1. Windows folders	159
A.1.1. Windows profiles	159
A.1.2. Windows NT/2000/XP roaming profiles	160
A.1.3. Windows temporary folder	160
B. Protocols and Protocol Fields	162
C. Related command line tools	163
C.1. Introduction	163
C.2. tcpdump: Capturing with tcpdump for viewing with Ethereal	164
C.3. tethereal: Terminal-based Ethereal	165
C.4. capinfos: Print information about capture files	166

vi

Image 6

Lucent Technologies Ethereal manual

Contents

Ethereal Users Guide V2.0.2 16376 for Ethereal Ethereal Users Guide V2.0.2 16376 for Ethereal Page Table of Contents Page Page Page Preface Foreword Who should read this document? Acknowledgements About this document Where to get the latest copy of this document? Providing feedback about this document Preface Xiv Introduction What is Ethereal?Features Some intended purposes Export files for many other capture programs Many protocol decodersOpen Source Software What Ethereal is not Platforms Ethereal runs on UnixLinux Microsoft Windows Where to get Ethereal? Rose by any other name Brief history of Ethereal Development and maintenance of Ethereal Website Wiki Reporting problems and getting helpFAQ Mailing Lists Reporting Problems Reporting Crashes on UNIX/Linux platforms Reporting Crashes on Windows platforms Introduction Building and Installing Ethereal Introduction Obtaining the source and binary distributions Download all required files Before you build Ethereal under Unix Example 2.1. Building GTK+ from source Example 2.2. Building and installing libpcap Example 2.5. Installing debs under Debian Building Ethereal from source under UnixPage Installing the binaries under Unix Installing from rpms under RedHat and alikeInstalling from debs under Debian Troubleshooting during the install on Unix Building from source under Windows Installing Ethereal under Windows Install Ethereal Install WinPcap Update Ethereal Update WinPcapUninstall Ethereal Uninstall WinPcap Building and Installing Ethereal User Interface Start Ethereal Main window Main window User Interface Current program state and the captured data Menu Open Recent File menuMenu Item Accelerator Description Open Merge File Set List Menu Item Accelerator Description SaveSave As Files Export Selec Menu Item Accelerator Description ExportPdml file Ted Packet Bytes Edit menu User Interface Marking packets for details View menu View Menu View menu items Previous Packet are mutually exclusive Fields Time of Day, Date and Time of DaySeconds Since Beginning of Capture and Seconds Since Beginning Normal Size Menu Item Accelerator Description ZoomZoom Out Resize All Go menu Menu Item Accelerator Description Last Packet Capture menu Saving filters Analyze menu Analyze Menu Analyze menu items Follow TCP Statistics menu Statistics menu items Types 225Message VoIP Calls Help menu 10. The Help Menu Help menu itemsPage Main toolbar 11. The Main toolbar Main toolbar items First Go BackGo Forward Packet Go To Last Pack Tion 9.3, Packet colorization Filter toolbar 12. The Filter toolbar Packet List pane 13. The Packet List pane Packet Details pane 14. The Packet Details pane Packet Bytes pane 15. The Packet Bytes pane Statusbar 17. The initial Statusbar User Interface Capturing Live Network Data Prerequisites Start Capturing Capture Options dialog box Capture Interfaces dialog box Packets/sPrepare Capture Options dialog box Capture frameInterface Buffer size n megabytes IP addressLink-layer header type Capture packets in promiscuous Capture Files frame Stop Capture... frame Name Resolution frame Display Options frameButtons Capture file mode selected by capture options Capture files and file modes Multiple files, continuous Multiple files, ring buffer Link-layer header type Srcdst host host Filtering while capturingExample 4.2. Capturing all telnet traffic not from Ether srcdst host ehost Masklen len Gateway host hostSrcdst net net mask Tcpudp srcdst port port While a Capture is running Stop the running capture Using the toolbar item Restart a running capture Capturing Live Network Data File Input / Output and Printing Open capture files Open Capture File dialog box Input File Formats Page Saving captured packets Save Capture File As dialog box Tip Output File Formats Merging capture files Merge with Capture File dialog boxPage File Sets List Files dialog box Exporting data Export as Plain Text File dialog boxExport as PostScript File dialog box Export as CSV Comma Seperated Values File dialog box Export as Psml File dialog box Export as Pdml File dialog box Export as Psml File dialog box Export selected packet bytes dialog box Export Selected Packet Bytes dialog boxPage Printing packets Print dialog boxPrinter Lpr -Pmypostscript Packet Range frame 10. The Packet Range frame Packet Format frame 11. The Packet Format frame File Input / Output and Printing Working with captured packets Viewing packets you have captured Function overview of the pop-up menus New Window Resolve name Lis Byt Menu Description TailDecode As Copy Mark Packet toggle Follow TCP Stream Filter Field Reference Protocol PropertiesGo to Corresponding Packet Export Selected Packet Bytes Filtering packets while viewing Filtering on the TCP protocolPage Comparing values Building display filter expressionsDisplay filter fields Display Filter comparison operators Combining expressions Display Filter Field Types Display Filter Logical Operations Common mistake Filter Expression dialog box Filter Expression dialog box Predefined values CancelValue Range Defining and saving filters Capture Filters and Display Filters dialog boxes Filter NewDelete Filter name Display filter Finding packetsFind Packet dialog box Hex Value Find Next command Find Previous commandDown Go to a specific packet Marking packets Time display formats and time references Packet time referencingPage Working with captured packets 119 Advanced Features Following TCP streams Follow TCP stream dialog boxPage Packet Reassembling What is it?Reassembling is disabled by default How Ethereal handles it Name Resolution Ethernet name resolution MAC layerIP name resolution network layer IPX name resolution network layer TCP/UDP port name resolution transport layer Advanced Features 126 Statistics Summary window Summary windowPage Protocol Hierarchy window Protocol Hierarchy windowPage What is an Endpoint? EndpointsEndpoints window Protocol specific Endpoint List windows Conversations window What is a Conversation?Conversations Protocol specific Conversation List windows IO Graphs window GraphsAxis Page Service Response Time Service Response Time DCE-RPC windowFibre Channel 225 RAS DCE-RPC Statistic for ... window Protocol specific statistics windows Statistics 140 Customizing Ethereal Duration ue Start Ethereal from the command lineExample 9.1. Help information available from Ethereal Filesize ue Capture buffer size Win32 DurationueFilesizeue Only Name resolving flags Preference/recent settingsFont Ethereal -o mgcp.displaydissecttreeTRUE Capture link type Time stamp formatSavefile Statistics-string Packet colorization Coloring Rules dialog box Choose color dialog box Using color filters with Ethereal Enabled Protocols dialog box Control Protocol dissectionPage User Specified Decodes Decode As dialog box Show User Specified Decodes Decode As Show dialog box Preferences Preferences dialog box Customizing Ethereal 154 Customizing Ethereal 155 Appendix A. Configuration and other Files and Folders Table A.1. Configuration files and folders overview Windows folders Preferences/ethereal.conf Disabledprotos Configuration files and folders overview. If an address is Windows folders Windows profilesPlugins folder Windows temporary folder 98/ME with enabled user proWindows NT/2000/XP roaming profiles 95/98/ME Configuration and other Files Folders 161 Appendix B. Protocols and Protocol Fields Appendix C. Related command line tools Tcpdump Capturing with tcpdump for viewing with Ethereal Tethereal Terminal-based Ethereal Capinfos Print information about capture files Example C.1. Help information available from capinfos Editcap Edit capture files Example C.2. Help information available from editcap Related command line tools Capture type Time adjustmentEncap type Snaplen Mergecap Merging multiple capture files into one Example C.3. Help information available from mergecap 171 Example C.4. Simple example of using mergecap Text2pcap Converting Ascii hexdumps to network captures Example C.5. Help information available for text2pcap Filename Hexoct L3pid Srcport destport Prerequisites to using idl2eth Why do this?How to use idl2eth Idl2eth Creating dissectors from Corba IDL files Todo Limitations Related command line tools 179 Appendix D. This Documents License GPL GNU General Public License 181 182 183 184 185