Recipe 9.17 Observing Network Traffic (GUI)

9.17.1 Problem

You want to watch network traffic via a graphical interface.

9.17.2 Solution

Use Ethereal and tethereal.

9.17.3 Discussion

Prolonged perusing of tcpdump output [Recipe 9.16] can lead to eyestrain. Fortunately, alternatives are available, and Ethereal is one of the best.

Ethereal is a GUI network sniffer that supports a number of enhancements beyond the capabilities of tcpdump. When Ethereal starts, it presents three windows:

Packet List

A summary line for each packet, in a format similar to tcpdump.

Tree View

An expandable protocol tree for the packet selected in the previous window. An observer can drill down to reveal individual fields at each protocol level. Ethereal understands and can display an astounding number of protocols in detail.

Data View

Hexadecimal and ASCII dumps of all bytes captured in the selected packet. Bytes are highlighted according to selections in the protocol tree.

Ethereal uses the same syntax as tcpdump for capture filter expressions. However, it uses a different, more powerful syntax for display filter expressions. Our previous tcpdump example [Recipe 9.16], which selects packets related to FTP transfers to or from a server:

tcp port ftp or ftp-data and host

would be rewritten using Ethereal's display filter syntax as:

ftp or ftp-data and ip.addr ==

The display filter syntax is described in detail in the ethereal(1) manpage.

If you receive confusing and uninformative syntax error messages, make sure you are not using display filter syntax for capture filters, or vice-versa.

Ethereal provides a GUI to construct and update display filter expressions, and can use those expressions to find packets in a trace, or to colorize the display.

Ethereal also provides a tool to follow a TCP stream, reassembling (and reordering) packets to construct an ASCII or hexadecimal dump of an entire TCP session. You can use this to view many protocols that are transmitted as clear text.

Menus are provided as alternatives for command-line options (which are very similar to those of tcpdump). Ethereal does its own packet capture (using libpcap), or reads and writes network trace files in a variety of formats. On Red Hat systems, the program is installed with a wrapper that asks for the root password (required for packet sniffing), and allows running as an ordinary user (if only display features are used).

The easiest way to start using Ethereal is:

  1. Launch the program.

  2. Use the Capture Filters item in the Edit menu to select the traffic of interest, or just skip this step to capture all traffic.

  3. Use the Start item in the Capture menu. Fill out the Capture Preferences dialog box, which allows specification of the interface for listening, the snapshot (or "capture length"), and whether you want to update the display in real time, as the packet capture happens. Click OK to begin sniffing packets.

  4. Watch the dialog box (and the updated display, if you selected the real time update option) to see the packet capture in progress. Click the Stop button when you are done.

  5. The display is now updated, if it was not already. Try selecting packets in the Packet List window, drill down to expand the Tree View, and select parts of the protocol tree to highlight the corresponding sections of the Data View. This is a great way to learn about internal details of network protocols!

  6. Select a TCP packet, and use the Follow TCP Stream item in the Tools menu to see an entire session displayed in a separate window.

Ethereal is amazingly flexible, and this is just a small sample of its functionality. To learn more, browse the menus and see the Ethereal User's Guide for detailed explanations and screen shots.

tethereal is a text version of Ethereal, and is similar in function to tcpdump, except it uses Ethereal's enhanced display filter syntax. The -V option prints the protocol tree for each packet, instead of a one-line summary.

Use the tethereal -b option to run in "ring buffer" mode (Ethereal also supports this option, but the mode is designed for long-term operation, when the GUI is not as useful). In this mode, tethereal maintains a specified number of network trace files, switching to the next file when a maximum size (determined by the -a option) is reached, and discarding the oldest files, similar to logrotate. [Recipe 9.30] For example, to keep a ring buffer with 10 files of 16 megabytes each:

# tethereal -w ring-buffer -b 10 -a filesize:16384
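The retention behaviour of that command, as an added Python model written for this page (not tethereal's code): packets go into numbered trace files, a new file is started as soon as the current one would exceed the size cap, and only the newest N files are kept, so disk usage never exceeds N times the cap. The recipe's `-b 10 -a filesize:16384` corresponds to `max_files=10` and, since tethereal's filesize is given in kilobytes, `max_bytes=16384 * 1024`; the file prefix and the fixed-size "packets" in `simulate` are constructed for the example.

```python
"""Model of tethereal ring-buffer mode (-b N -a filesize:K): bounded set of
trace files, oldest discarded first.  Added illustration for this page, not
tethereal's own code; file names and packet contents are constructed."""
import os
import tempfile

class RingBufferWriter:
    """Write packets into at most max_files files of at most max_bytes each."""
    def __init__(self, directory, prefix, max_files, max_bytes):
        self.directory, self.prefix = directory, prefix
        self.max_files, self.max_bytes = max_files, max_bytes
        self.seq = 0              # sequence number of the newest file
        self.kept = []            # paths currently on disk, oldest first
        self.fh, self.size = None, 0

    def _rotate(self):
        """Close the current file, open the next one, drop the oldest if the ring is full."""
        if self.fh:
            self.fh.close()
        self.seq += 1
        path = os.path.join(self.directory, f"{self.prefix}_{self.seq:05d}")
        self.fh, self.size = open(path, "wb"), 0
        self.kept.append(path)
        while len(self.kept) > self.max_files:   # logrotate-style discard
            os.remove(self.kept.pop(0))

    def write(self, packet):
        # Switch files before the cap would be exceeded, like -a filesize.
        if self.fh is None or self.size + len(packet) > self.max_bytes:
            self._rotate()
        self.fh.write(packet)
        self.size += len(packet)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None

def simulate(num_packets, packet_size, max_files, max_bytes):
    """Push constructed fixed-size packets through a ring in a temp directory and
    report (files on disk, total bytes on disk, sequence number of the oldest)."""
    with tempfile.TemporaryDirectory() as d:
        w = RingBufferWriter(d, "ring-buffer", max_files, max_bytes)
        for i in range(num_packets):
            w.write(bytes([i % 256]) * packet_size)   # constructed payload
        w.close()
        names = sorted(os.listdir(d))
        total = sum(os.path.getsize(os.path.join(d, n)) for n in names)
        oldest = int(names[0].rsplit("_", 1)[1])
        return len(names), total, oldest

if __name__ == "__main__":
    # 10 packets of 100 bytes, 3 files of up to 250 bytes: only files 3..5 survive.
    print(simulate(10, 100, 3, 250))
```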

9.17.4 See Also

ethereal(1), tethereal(1). The Ethereal home page is
