|
Etheral Tethereal and Tcpdump!
Before we start a disclaimer!
Packet sniffing (looking at live or pre captured network traffic) is a fascinating process to be involved in BUT!! This article and implementing the information in it could lose you your job, get you arrested or have your ISP terminate your account or worse!
Don't sniff the network packets at work or on any network without some form of written permission and may be even have this relate to a company policy.Be aware of the issues involved. YOU HAVE BEEN WARNED
The author is not responsible for misuse of this information, and deny any liability what so ever. This information is published for educational purposes only.
End disclaimer
Background
Ethereal as a number of you will be aware is a graphical network packet sniffer it's free open source and is the sort of thing that is nearly as good as a lot of commercially available packet sniffers (and in some cases possibly better!). Tethereal is the command line interface that is also the internal engine of Ethereal. Both of these need x11 and the apple developers tools to build / run. Although good at what they do, they are not the most readily available tools. This is where tcpdump comes into it.
tcpdump
Tcpdump is the grandaddy of all packet sniffers (so I'm told!) and the great thing about tcpdump is that it's available on all standard macintosh computers! (mac osX ones that is) The only caveat is that to use it you need to be an admin or sudo level user.
Why is this useful?
Ok take this scenario as an example. Something weird is going on with your network you don't know what. All your machines are running live important stuff that you would rather not interrupt, you don't have an ip number spare what to do? Answer run tcpdump on one of the existing machines and then take the packets back to another machine with ethereal on it for some good graphical insight.
The tcpdump commands
sudo tcpdump -s 0 -w /myfile
This will capture everything (not just the headers) and write to the file "myfile" if you just want the packet headers drop the -s 0
sudo tcpdump -s 0 -w "/myfile2" ' host www.apple.com && tcp port 80'
This will pick up all web related traffic to apple.com
sudo tcpdump -s 0 -w "/myfile" '192.168.1.1 && tcp port 21'
A more general approach
sudo tcpdump -c 3 -w "/myfile4"
If your looking at capturing large amounts of data or want some control over things the above will capture a specific number of packets. This is good if your doing your analysis on an older machine I've found that about 5 megs is a good file size for say an older 400 Mgh Imac to deal with.
tcpdump -X -r /myfile2
The above will read the file back to you in a moderately useful manner (may be good to get a basic idea of what the machine is up to) you can also read this back into etheral.
Have Fun!
Post Script
As of Sun Jan 29 18:16:07 EST 2006
Ethereal useed to be easy to install via fink, but at the time of writing it seems as if you need to make sure you have manually installed the gtk+2 package (possibly the developers version first before you install ethereal). This situation may change for the better soon lets hope so!
Related Links
ethereal
tcpdump
fink
x11
|
|