BSD DevCenter
FreeBSD Basics

Using Ethereal

08/16/2000

One of my favorite utilities in the ports collection is the network analyzer, Ethereal. I've used NT's Network Monitor and Novell's Lanalyzer, but I've found that neither matches the functionality of Ethereal.

If you've never used a network analyzer before, you may wonder why you'd want to use such a utility. If a network administrator is experiencing slow network performance, a network analyzer can help him pinpoint which NICs, cable segments, and protocols are generating the most traffic. The results can be used to determine if he needs to upgrade his cabling, change a faulty NIC, install a bridge, reorder his network bindings, consider using less chatty protocols, etc.

A security engineer can use the results to verify that a firewall actually passes, drops, or rejects traffic the way the written security policy says it should, rather than trusting the rule set on paper.

And finally, the results of a network analyzer provide the best learning environment to gain a practical understanding of the OSI model and how protocols actually interact with each other.

One word of caution before firing up any network analyzer: These utilities are designed to capture and show the contents of every frame that passes through a cable segment, including any passwords and other data sent in the clear. Don't monitor a cable segment that is not part of your LAN unless you have explicit permission to do so.

Before you can use Ethereal, you'll need to configure your X Server and Window Manager. Once you have these, the easiest way to build Ethereal is from the ports collection. As root, and while connected to the Internet:

cd /usr/ports/net/ethereal
make && make install

Once this is finished:

whereis ethereal
/usr/X11R6/bin/ethereal

Running a network analyzer is an administrative task. If you want to add Ethereal to a menu in your favorite Window Manager, you'll have to start your X session as root. Alternately, you can start your X session as a regular user, open up an xterm, su to root, and start Ethereal from the xterm. If you start Ethereal as a regular user, the utility will launch but it won't display any interfaces to monitor, because capturing requires opening the packet filter devices (/dev/bpf*), which only root can do by default.

Ethereal has the ability to use display and capture filters; creating these is beyond the scope of this article, but you can get more information on using filters by running:

man ethereal

and by checking out the main website for Ethereal. The FAQ will get you started and the useful links page is outstanding, especially if you wish to do more research on protocols and network analysis. Don't forget to order your free protocol posters when you visit the protocols.com site.

Let's do some example captures. We'll start with a simple ping. I have a computer named alpha with an IP address of 10.0.0.1 and another computer named gamma at 10.0.0.3. I've fired up Ethereal on gamma, clicked on the capture menu, and pressed start. Because I'm root, I'm presented with the list of interfaces on gamma; I choose the one attached to my LAN cable segment and click OK. To make things a little more interesting, I'll forget to power on the computer named alpha.

Don't be afraid to try this exercise yourself; just ping a host that is either down or non-existent. I open up an xterm and type:

ping 10.0.0.1

and wait; not surprisingly, nothing happens. I press Ctrl-C to end the ping and my xterm now reads:

PING 10.0.0.1 (10.0.0.1): 56 data bytes
ping: sendto: Host is down
^C
--- 10.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

Going back to Ethereal, I stop the capture and look at the results. I do have 7 packets listed, but they are all ARP (address resolution protocol) packets, not the ICMP echo/reply packets you would expect with ping.

For those of you who never had the opportunity to yawn your way through a lecture on the OSI model, I've just demonstrated the first rule of transmission on a TCP/IP network over Ethernet. No unicast packet can enter the wire until the MAC address of the NIC that will receive it is known; this is the job of ARP, the address resolution protocol. (When the destination is on another subnet, the MAC address that has to be resolved is the gateway's, not the final destination's.)

As you can see from your capture, ARP isn't that complicated a protocol. It sends out a broadcast (the destination of ff:ff:ff:ff:ff:ff) onto the cable segment that asks "Who has 10.0.0.1? Tell 10.0.0.3." This is the equivalent of your four-year-old yelling into a crowded room, "Where is my Mommy?" It's not the most elegant way of accomplishing a task, but it's usually quite effective. Had alpha been up, it would have answered with an ARP reply sent directly (unicast) to gamma's MAC address, saying "10.0.0.1 is at" followed by its own MAC address.

Because 10.0.0.1 wasn't available to answer, there was no MAC address to send packets to, and ping was unable to send out its ICMP packets. Each unanswered ARP request is one of the 7 frames in the capture; after the kernel gave up waiting for a reply, it handed ping the "sendto: Host is down" error you saw in the xterm.
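To make the frames in that capture concrete, here is an added example (my own code, not part of the original article or of Ethereal) that builds the Ethernet/ARP frame gamma broadcast for each ping attempt and decodes it the way an analyzer's summary column does. It also goes one step past the failed ping by building the unicast ARP reply alpha would have sent had it been powered on. The MAC addresses 00:a0:cc:11:22:33 (gamma) and 00:a0:cc:44:55:66 (alpha) are assumptions invented for the example.

```python
"""Build and decode the Ethernet/ARP frames behind a failed ping (added example)."""
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed addresses for the example; the MACs are assumptions, not from the article.
GAMMA_MAC, GAMMA_IP = "00:a0:cc:11:22:33", "10.0.0.3"
ALPHA_MAC, ALPHA_IP = "00:a0:cc:44:55:66", "10.0.0.1"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(sender_mac, sender_ip, target_ip, opcode=ARP_REQUEST, target_mac=ZERO_MAC):
    """Return a 42-byte Ethernet frame carrying an ARP request or reply.

    A request is broadcast (target MAC still unknown, so it is all zeros);
    a reply is unicast straight back to the requester's MAC.
    """
    dst_mac = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def decode_frame(frame):
    """Parse the Ethernet header and, for ethertype 0x0806, the ARP body."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_ARP:
        info["summary"] = f"non-ARP ethertype 0x{ethertype:04x}"
        return info
    body = frame[14:]
    if len(body) < 28:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa = bytes_to_mac(body[8:14]), str(ipaddress.IPv4Address(body[14:18]))
    tha, tpa = bytes_to_mac(body[18:24]), str(ipaddress.IPv4Address(body[24:28]))
    info.update(opcode=opcode, sender_mac=sha, sender_ip=spa, target_mac=tha, target_ip=tpa)
    if opcode == ARP_REQUEST:
        info["summary"] = f"Who has {tpa}? Tell {spa}"   # what the analyzer shows
    elif opcode == ARP_REPLY:
        info["summary"] = f"{spa} is at {sha}"
    else:
        info["summary"] = f"ARP opcode {opcode}"
    return info


def is_broadcast(info):
    return info["dst"] == BROADCAST_MAC


def simulate_failed_ping(attempts=7):
    """Seven pings to a host that is down produce seven identical ARP requests."""
    frames = [build_arp(GAMMA_MAC, GAMMA_IP, ALPHA_IP) for _ in range(attempts)]
    return [decode_frame(f) for f in frames]


def simulate_resolution():
    """Request plus the unicast reply alpha would have sent had it been up."""
    request = build_arp(GAMMA_MAC, GAMMA_IP, ALPHA_IP)
    reply = build_arp(ALPHA_MAC, ALPHA_IP, GAMMA_IP, opcode=ARP_REPLY, target_mac=GAMMA_MAC)
    return decode_frame(request), decode_frame(reply)


if __name__ == "__main__":
    for number, info in enumerate(simulate_failed_ping(), 1):
        print(number, info["src"], "->", info["dst"], "ARP", info["summary"])
    _, reply = simulate_resolution()
    print("reply that never came:", reply["src"], "->", reply["dst"], "ARP", reply["summary"])
```

Every one of the seven decoded frames has the broadcast destination and the same "Who has 10.0.0.1? Tell 10.0.0.3" summary, which is exactly the list the capture showed; the reply, by contrast, is addressed to gamma's MAC alone, which is why on a switched network you normally see other hosts' ARP requests but not their replies.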

Pages: 1, 2