Ethereal filters

From Edgar BV Wiki
Jump to navigation Jump to search

Ethereal Matt Lesko

Packet sniffers, sometimes referred to as protocol or network analyzers, are invaluable tools for network and systems administrators. With an abundance of commercial and free software products available, it may be difficult to choose a good product. This article describes Ethereal, a free packet sniffer that not only decodes network traffic, but can filter and analyze it, all with an advanced, GTK-based GUI. Additionally, Ethereal can read the data files from a multitude of other packet sniffers, letting you analyze previously collected data. The files can even be compressed with gzip, and Ethereal will read and write to them invisibly.

Installation

Ethereal can be downloaded from the main Web site: http://www.ethereal.com/download.html or from any of their mirrors worldwide. The latest version (as of this writing) is 0.8.19. It requires GTK+ 1.2 or greater, which can be downloaded from: http://www.gtk.org/download/ and the libpcap packet capture library, which can be downloaded from: http://www.tcpdump.org. Perl is also required to build the included documentation. Additionally, it is recommended that you download and install zlib, available at: http://www.info-zip.org/pub/infozip/zlib/ so that Ethereal can work with gzipped files on the fly, and NET-SNMP libraries, if you want to enable SNMP support, available at: http://net_snmp.sourceforge.net/. Pre-compiled binary packages are available for all the major UNIX flavors, as well as for Windows NT. However, the Windows NT version requires more effort to get working and will not be covered here.

Starting It Up

After you have successfully compiled the software (or installed the binary packages available), you can start up the program with the command /usr/local/bin/ethereal &. Change this if you installed Ethereal in a location other than the default. You must be root to execute this program; it will not run otherwise. If you do not want to be root to execute the program, you can set the setuid bit on as root by executing the following command:

# chmod 4755 /usr/local/bin/ethereal & chmod 4755/usr/local/bin/tethereal 

Be aware that this command lets anyone execute the program with root privilege. So, not only can any user capture data on the network, but should any security holes be found in Ethereal, an attacker could gain control through it. Once Ethereal starts up, you will see a standard packet-sniffer GUI with three panes: the top pane, where captured packets are displayed; the middle pane, which contains the protocol tree for the currently selected packet and displays each field and value for the packet; and the bottom pane, which contains a hex dump of the selected packet (Figure 1). There is also a small text-entry box below the bottom pane, with the title "Filter". Filtering will be described later in this article.

Capturing Packets

Now it's time to capture your first packets. To do this, Ethereal must put your Ethernet card into promiscuous mode, which is why it must be executed with root user privileges. Some cards do not support promiscuous mode, but these are extremely rare, so it's safe to assume that your card will work. Before you proceed, make sure you have the system or network administrator's permission. Putting a card into promiscuous mode and capturing traffic on the network may not only set off various intrusion detection systems (IDS), but may cause general discontent to the network administrator. The presence of a sniffer can be a sign that one of the machines in the network has been cracked.

Go to the top menu, select "Capture", then "Start". A new dialog box should appear asking for information (Figure 2). The first entry box asks which interface should be put into promiscuous mode. This is eth0 in my computer, but this may vary from computer to computer. The next entry box is the packet count, which tells Ethereal how many packets to capture before stopping. A value of "0" will capture packets indefinitely, or until the user presses "Stop".

The "Filter" option allows a tcpdump-style capture filter to be used (which will be covered later). The "File" option designates a file to which the data can be saved. This can also be ignored for now. Next, the "Capture Length" option allows the user to select the maximum byte size of each packet to capture. Next is the "Capture packets in promiscuous mode" option, which is turned on by default. If you turn off this option, you will only be able to capture data going directly to and from your computer. The next two options, "Update list of packets in real time" and "Automatic scrolling in live capture" are not necessary if you are saving the capture to a file, but are very useful for watching the network on the fly.

The last three options all deal with name resolution: "Enable MAC name resolution", "Enable network name resolution", and "Enable transport name resolution". These three options can create additional traffic that grows with the amount of data collected, so users that do not want to disturb the network may want to turn these options off. After you have made your selections, press "OK", and the packet capturing begins. A small dialog box will appear with the packet collection statistics, and a "Stop" button appears that you can use to end the capture (Figure 3).

For the first demonstration of Ethereal's power, let's make a connection to a Solaris machine via telnet and see the importance of using secure connections whenever possible. First, we will clean up the captured packets to make it a bit easier to find what we're looking for.

Go down to the "Filter" entry box and type tcp.port == 23, and then press return. The top pane should now display only packets that involved that port. The middle pane displays a very useful breakdown of all the fields for each packet, which can be a great way to examine TCP/IP from the inside.

Now let's use one of the most useful functions of Ethereal -- the ability to follow an entire TCP stream from start to finish. First, in the main frame select a packet that has traveled from the computer to the server of our choosing (in my case, a computer called Nietzsche). Go to "Tools" on the menu, and then select "Follow TCP Stream". The stream shows two lines of control characters followed by the banner for the system. "SunOS 5.7" is displayed, then a prompt for the username, which is "matt". After this is the password prompt, and because telnet sends all of its data in the clear, the password is visible to anyone who happens to be listening on the network. In this case, we can see that the correct password is "trustno1" and the server logs in the user. The user then types "who" (the letters are doubled up because each character is echoed back to the user), and a list of other users is displayed. We can also watch the user type "ls" in his home directory. After this, the user executes a CTRL-D (^D), which logs him out (Figure 4).

To further demonstrate the insecurity of telnet, make the same connection as last time, but this time use a Secure Shell (SSH) client. I recommend OpenSSH (see http://www.openssh.com for more information and downloads). When we attempt to follow the TCP stream in this case, we can read only the first part of the connection protocol, containing both computers' versions of the software (Figure 5). The rest of the channel becomes encrypted, and cannot be sniffed. If this demonstration hasn't convinced you of the need for secure shell access on your machines, then nothing will. This is just a demonstration of the information that can be gathered from watching a network. With a bit of practice, Ethereal can even be used to diagnose network problems (e.g., a server that mistakenly sends out too many ARP requests that eat up precious bandwidth).

Writing Filters

There are two sorts of filters in Ethereal -- display filters and capture filters. The display filters were designed as part of the Ethereal package and, as such, are quite powerful and improving all the time. The capture filters are based on pcap code and use the same syntax as tcpdump.

Display Filters

Because most readers will probably be most familiar with the TCP/IP protocol suite, the information here will pertain to them, but this does not mean that Ethereal does not have support for other networking protocols. The simplest filter is one that simply checks for the presence of a particular protocol. For example, to display only TCP packets, all that would be required for the filter is "tcp". The information can further be broken down by protocol field, but to use these, you must learn to use the comparison operators. Table 1 shows the operators, with the C-style syntax and the English abbreviation-style syntax, as well as a description of their use.

To filter out all packets except those destined to port 80 (http traffic), we could write "tcp.port == 80" or "tcp.port eq 80". When referring to host addresses, either a dotted decimal address or a hostname can be used. The following two examples are the same: "ip.addr == www.sysadminmag.com" and "ip.addr == 66.35.216.85". Additionally, you can subject the filter to allow only those from a certain subnet. To do this, use the Classless InterDomain Routing (CIDR) standard for writing subnets (e.g., "ip.addr == 192.168.0.0./24"). The filters can become really powerful when combined with logical expressions, which, once again, can be expressed in either C-style syntax or English abbreviated syntax:

and && Logical AND
or || Logical OR
xor ^^ Logical XOR
not ! Logical NOT

Furthermore, enclosing them in parentheses can combine the expressions. Thus, the following expression:


(ip.addr == 192.168.0.1 && tcp.port == 80) || \
(ip.addr != 192.168.0.1 && tcp.port == 443)

can be written in English as: any packet from 192.168.0.1 going to or from port 80 (http), or any packet not from 192.168.0.1 and going to or from port 443 (https). That sums up the basic functionality of display filters. Read the Ethereal manpage for an extensive list of protocols that can be filtered in this manner.

Capture Filters

Capture filters, based upon those of tcpdump, are based upon the notion of primitives. Each primitive has an id, usually a numerical or textual representation of what is being looked for, preceded by a qualifier, which tells the program what the id is referring to.

There are three main categories of qualifier: type, dir, and proto. The first qualifier (type) includes host, net, and port. The host qualifier is true only for traffic to and from that host, so "host mycomputer.mydomain.com" would only print traffic to and from that particular computer. Multiple addresses can be given for a host qualifier and each address will be checked. Next, net operates on a dotted decimal network (e.g., net 192.168 to record all traffic within that network). The final form, port, operates in a similar manner; therefore, port 80 would record all traffic traveling to and from port 80.

The next qualifier, dir, is short for direction, and specifies a direction of traffic from a computer. The possible values are src, dst, src or dst, and src and dst. Thus, to collect only traffic with a destination port of 80, the syntax would be src port 80.

The last form, proto, restricts the filter to one particular form of protocol with possible options of ether, ip, arp, rarp, tcp, udp, and few other more esoteric protocols. Any host expression can be prepended with ip, arp, or rarp to collect only packets with the host in the protocol. To collect only those protocols that fall under the TCP/IP suite, the following syntax is used: ip proto protocol, where protocol is one of the following protocols: icmp, igrp, tcp, udp, or nd.

Unlike the display filters, the capture filters can only use the following keywords for filtering: and, not, and or. These can also be written in the standard C syntax (&&, ||, and !, respectively). Some examples are in order:


net 192.168 -- True for all packets with that as part of the network address.

dst host hostname -- Only data that has hostname as the destination.

src port port -- Only data with a source port of port. This sort of option can be preceded with either tcp or udp in order to differentiate the two. If it's not given, both protocols will return true.


Peering inside the packet is slightly more arcane with the capture filter style, and it is done by the following convention:

proto [ expr : size ]

where proto is a protocol (listed previously), expr is the offset in bytes from the beginning of the packet, and size is an optional argument giving the length of the desired field (it can be either one, two, three, or four bytes, and defaults to one). After this, a mathematical expression is written, followed by another number. Thus, to check an Ethernet packet for multicast, ether[0] & 1 != 0 is used. All of the standard mathematical notations (>, <, >=, <=, =, !=), as well as the binary operators (+, -, *, /, &, |), can be used as the expression. Using this form effectively requires an intimate knowledge of the protocols involved, and it may be more trouble than it is worth. That's a pretty basic, yet useful summary of the filtering capabilities of Ethereal. It is important to recognize when you are supposed enter a display filter and when you are supposed to enter a capture filter. The capture filter can be entered, or selected from a list, in the "Start Capture" dialog box, and the display filter is entered at the bottom of the main GUI frame and can be entered after a capture. You'll also notice that when using the "Follow TCP Stream" tool that it will automatically filter the data for you.

Tethereal

Ethereal also comes with a command-line version, which can provide the same functionality as the GUI version, but can be easily accessed through a terminal (Figure 6). Tethereal uses the same decoding engine as Ethereal and, as such, accepts the same types of filtering keywords. Tethereal calls display filters "read filters", but other than that, filters are written the same in Tethereal and Ethereal. Here is a list of the most commonly used options:


-w writefile -- Specifies a file for the data to be written to; otherwise, prints it to the screen.

-f expression -- Uses the capture filter-style expression expression for the traffic dump.

-i interface -- Uses the network interface interface.

-n -- Disables network name resolution (i.e., hostname lookups).

-r readfile -- Reads in packet data from file readfile.

-R filter -- Uses the read (or display) filter filter with the program.

-V -- Prints a protocol tree for each packet rather than a summary.

-x -- Prints a hex and ASCII dump following a protocol tree for each packet.


It is also important to remember that when giving filters on the command line, most of the special characters, such as not ('!') and the grouping parentheses, must be escaped from the shell, usually by preceding them with a "\".

Conclusion

With the powerful display and capture filters, an extensible, portable GUI, and a command-line client that provides a similar level of functionality as the GUI, Ethereal is a program that should be in every systems or network administrator's toolbox.

Matt Lesko has worked as a systems administrator supporting Solaris, AIX, Linux, and OpenBSD for the past three years. He can be contacted at: matt@advancedatatools.com.