Viewing Packet Flows with tethereal
The tethereal program is a text version of the graphical Ethereal product that is part of the Fedora Linux RPM suite. The command-line options and screen output mimic that of tcpdump in many ways, but tethereal has a number of advantages.
The tethereal command has the capability of dumping data to a file like tcpdump and creating new files with new filename extensions when a size limit has been reached. It can additionally limit the total number of files created before overwriting the first one in the queue, which is also known as a ring buffer.
The tethereal screen output is also more intuitive to read, though the dump file format is identical to tcpdump. Tables 4.4 and 4.5 show some popular command switches and expressions that can be used with tethereal.
Table 4.4. Possible tethereal Switchestethereal Command Switch | Description |
|---|
-c | Stop after viewing count packets. | -i | Listen on interface. If this is not specified, tethereal will use the lowest numbered interface that is UP. | -w | Dump the output to a specially formatted tethereal dump file. | -C | Specify the size the dump file must reach before a new one with a numeric extension is created. | -b | Determine the size of the ring buffer when the -C switch is selected. |
Table 4.5. Useful tethereal Expressionstethereal Command Expression | Description |
|---|
host host-address | View packets from the IP address host-address. | Icmp | View icmp packets. | tcp port port-number | View TCP packets with packets either a source or destination TCP port of port-number. | udp port port-number | View UDP packets with either a source or destination UDP port of port-number. |
In the next example we're trying to observe an HTTP (TCP port 80) packet flow between server smallfry at address 192.168.1.102 and bigboy at IP address 192.168.1.100. The tethereal output groups the IP addresses and TCP ports together and then provides the TCP flags, followed by the sequence numbering. It may not be apparent on this page, but the formatting lines up in neat columns on your screen, making analysis much easier. Also notice how the command line mimics that of tcpdump:
[root@smallfry tmp]# tethereal -i eth0 tcp port 80 and host
192.168.1.100
Capturing on eth0
0.000000 192.168.1.102 -> 192.168.1.100 TCP 1442 > http [SYN]
Seq=3325831828 Ack=0 Win=5840 Len=0
0.000157 192.168.1.100 -> 192.168.1.102 TCP http > 1442 [SYN, ACK]
Seq=3291904936 Ack=3325831829 Win=5792 Len=0
0.000223 192.168.1.102 -> 192.168.1.100 TCP 1442 > http [ACK]
Seq=3325831829 Ack=3291904937 Win=5840 Len=0
2.602804 192.168.1.102 -> 192.168.1.100 TCP 1442 > http [FIN, ACK]
Seq=3325831829 Ack=3291904937 Win=5840 Len=0
2.603211 192.168.1.100 -> 192.168.1.102 TCP http > 1442 [ACK]
Seq=3291904937 Ack=3325831830 Win=46 Len=0
2.603356 192.168.1.100 -> 192.168.1.102 TCP http > 1442 [FIN, ACK]
Seq=3291904937 Ack=3325831830 Win=46 Len=0
2.603398 192.168.1.102 -> 192.168.1.100 TCP 1442 > http [ACK]
Seq=3325831830 Ack=3291904938 Win=5840 Len=0
[root@smallfry tmp]#
Using graphical Ethereal to analyze tethereal dump files is beyond the scope of this book, but that shouldn't discourage you from using it. The application is part of the Fedora RPM suite and a Windows version is also available.
 | 
