forked from osmocom/wireshark
615 lines
21 KiB
XML
615 lines
21 KiB
XML
<!-- EUG Chapter Introduction -->
|
|
<!-- $Id$ -->
|
|
|
|
<chapter id="ChapterIntroduction">
|
|
<title>Introduction</title>
|
|
<!-- Introduction -->
|
|
<section id="ChIntroWhatIs">
|
|
<title>What is <application>Ethereal?</application></title>
|
|
<para>
|
|
Ethereal is a network packet analyzer. A network packet
|
|
analyzer will try to capture network packets and tries to display
|
|
that packet data as detailed as possible.
|
|
</para>
|
|
<para>
|
|
You could think of a network packet analyzer as a measuring device used to
|
|
examine what's going on inside a network cable, just like a voltmeter is
|
|
used by an electrician to examine what's going on inside an electric cable
|
|
(but at a higher level, of course).
|
|
</para>
|
|
<para>
|
|
In the past, such tools were either very expensive, proprietary, or both.
|
|
However, with the advent of Ethereal, all that has changed.
|
|
</para>
|
|
<para>
|
|
<application>Ethereal</application> is perhaps one of the best open
|
|
source packet analyzers available today.
|
|
</para>
|
|
|
|
<section id="ChIntroPurposes"><title>Some intended purposes</title>
|
|
<para>
|
|
Here are some examples people use Ethereal for:
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
network administrators use it to <command>troubleshoot network
|
|
problems</command>
|
|
</para></listitem>
|
|
<listitem><para>
|
|
network security engineers use it to <command>examine security
|
|
problems</command>
|
|
</para></listitem>
|
|
<listitem><para>
|
|
developers use it to <command>debug protocol implementations</command>
|
|
</para></listitem>
|
|
<listitem><para>
|
|
people use it to <command>learn network protocol</command>
|
|
internals
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
Beside these examples, Ethereal can be helpful in many other situations
|
|
too.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroFeatures"><title>Features</title>
|
|
<para>
|
|
The following are some of the many features Ethereal provides:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Available for <command>UNIX</command> and <command>Windows</command>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Capture</command> live packet data from a network interface.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Display packets with <command>very detailed protocol information</command>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Open and Save</command> packet data captured.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Import and Export</command> packet data from and to a lot of
|
|
other capture programs.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><command>Filter packets</command> on many criteria.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><command>Search</command> for packets on many criteria.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><command>Colorize</command> packet display based on filters.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create various <command>statistics</command>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>... and <command>a lot more!</command></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
However, to really appreciate its power, you have to start using it.
|
|
</para>
|
|
<para>
|
|
<xref linkend="ChIntroFig1"/> shows <application>Ethereal</application>
|
|
having captured some packets and waiting for you to examine
|
|
them.
|
|
<figure id="ChIntroFig1">
|
|
<title>
|
|
<application>Ethereal</application> captures packets and allows
|
|
you to examine their content.
|
|
</title>
|
|
<graphic entityref="EtherealMain1" format="PNG"/>
|
|
</figure>
|
|
</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Live capture from many different network media</title>
|
|
<para>
|
|
Despite its name, Ethereal can capture traffic from
|
|
network media other than Ethernet. Which media types are
|
|
supported, depends on many things like the operating system you are
|
|
using. An overview of the supported media types can be found at:
|
|
<ulink url="&EtherealMediaPage;"/>.
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Import files from many other capture programs</title>
|
|
<para>
|
|
Ethereal can open packets captured from a large number of
|
|
other capture programs. For a list of input formats see
|
|
<xref linkend="ChIOInputFormatsSection"/>.
|
|
</para>
|
|
</section>
|
|
<section><title>Export files for many other capture programs</title>
|
|
<para>
|
|
Ethereal can save packets captured in a large number of formats of
|
|
other capture programs. For a list of output formats see
|
|
<xref linkend="ChIOOutputFormatsSection"/>.
|
|
</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Many protocol decoders</title>
|
|
<para>
|
|
There are protocol decoders (or dissectors, as they are
|
|
known in Ethereal) for a great many protocols:
|
|
see <xref linkend="AppProtocols"/>.
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Open Source Software</title>
|
|
<para>
|
|
Ethereal is an open source software project, and is released under
|
|
the <ulink url="&GPLWebsite;">GNU General Public Licence</ulink> (GPL).
|
|
You can freely use Ethereal on any number of computers you like, without
|
|
worrying about license keys or fees or such. In addition, all source
|
|
code is freely available under the GPL. Because of that, it is very easy
|
|
for people to add new protocols to Ethereal, either as plugins, or built
|
|
into the source, and they often do!
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroNoFeatures"><title>What Ethereal is not</title>
|
|
<para>
|
|
Here are some things Ethereal does not provide:
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
Ethereal isn't an intrusion detection system. It will not warn you when
|
|
someone does strange things on your network that he/she isn't allowed to
|
|
do. However, if strange things happen, Ethereal might help you figure
|
|
out what is really going on.
|
|
</para></listitem>
|
|
<listitem><para>
|
|
Ethereal will not manipulate things on the network, it will only
|
|
"measure" things from it. Ethereal doesn't send packets on the network
|
|
or do other active things (except for name resolutions, but even
|
|
that can be disabled).
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="ChIntroPlatforms">
|
|
<title>Platforms Ethereal runs on</title>
|
|
<para>
|
|
Ethereal currently runs on most UNIX platforms and various Windows
|
|
platforms. It requires GTK+, GLib, libpcap and some other libraries in
|
|
order to run.
|
|
</para>
|
|
<para>
|
|
If a binary package is not available for your platform, you should
|
|
download the source and try to build it. Please report your experiences
|
|
to <ulink url="mailto:&EtherealDevMailList;">&EtherealDevMailList;</ulink>.
|
|
</para>
|
|
<para>
|
|
Binary packages are available for at least the following platforms:
|
|
</para>
|
|
|
|
<section><title>Unix</title>
|
|
<para>
|
|
<itemizedlist>
|
|
<listitem><para>Apple Mac OS X</para></listitem>
|
|
<listitem><para>BeOS</para></listitem>
|
|
<listitem><para>FreeBSD</para></listitem>
|
|
<listitem><para>HP-UX</para></listitem>
|
|
<listitem><para>IBM AIX</para></listitem>
|
|
<listitem><para>NetBSD</para></listitem>
|
|
<listitem><para>OpenBSD</para></listitem>
|
|
<listitem><para>SCO UnixWare/OpenUnix</para></listitem>
|
|
<listitem><para>SGI Irix</para></listitem>
|
|
<listitem><para>Sun Solaris/Intel</para></listitem>
|
|
<listitem><para>Sun Solaris/Sparc</para></listitem>
|
|
<listitem><para>Tru64 UNIX (formerly Digital UNIX)</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Linux</title>
|
|
<para>
|
|
<itemizedlist>
|
|
<listitem><para>Debian GNU/Linux</para></listitem>
|
|
<listitem><para>Gentoo Linux</para></listitem>
|
|
<listitem><para>IBM S/390 Linux (Red Hat)</para></listitem>
|
|
<listitem><para>Mandrake Linux</para></listitem>
|
|
<listitem><para>PLD Linux</para></listitem>
|
|
<listitem><para>Red Hat Linux</para></listitem>
|
|
<listitem><para>Rock Linux</para></listitem>
|
|
<listitem><para>Slackware Linux</para></listitem>
|
|
<listitem><para>Suse Linux</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Microsoft Windows</title>
|
|
<para>
|
|
Maintained:
|
|
<itemizedlist>
|
|
<listitem><para>Windows Server 2003 / XP / 2000 / NT 4.0</para></listitem>
|
|
<listitem><para>Windows Me / 98</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<para>
|
|
Unsupported/Unmaintained (because lack of required libraries):
|
|
<itemizedlist>
|
|
<listitem><para>Windows CE</para></listitem>
|
|
<listitem><para>Windows NT / XP Embedded</para></listitem>
|
|
<listitem><para>Windows 95 is no longer actively maintained by WinPcap,
|
|
but still may work perfectly</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<para>
|
|
No experiences (fresh versions):
|
|
<itemizedlist>
|
|
<listitem><para>Windows XP 64-bit Edition</para></listitem>
|
|
<listitem><para>Windows Vista (aka Longhorn)</para></listitem>
|
|
</itemizedlist>
|
|
Please provide your experiences about these fresh versions to:
|
|
<ulink url="mailto:&EtherealDevMailList;">&EtherealDevMailList;</ulink>.
|
|
</para>
|
|
</section>
|
|
|
|
</section>
|
|
|
|
<section id="ChIntroDownload">
|
|
<title>Where to get Ethereal?</title>
|
|
<para>
|
|
You can get the latest copy of the program from the Ethereal website:
|
|
<ulink url="&EtherealDownloadPage;">&EtherealDownloadPage;</ulink>. The
|
|
website allows you to choose from among several mirrors for
|
|
downloading.
|
|
</para>
|
|
<para>
|
|
A new Ethereal version will typically become available every 4-8 weeks.
|
|
</para>
|
|
<para>
|
|
If you want to be notified about new Ethereal releases, you should
|
|
subscribe to the ethereal-announce mailing list. You will find more
|
|
details in <xref linkend="ChIntroMailingLists"/>.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroPronounce">
|
|
<title>A rose by any other name</title>
|
|
<para>
|
|
William Shakespeare wrote:
|
|
<emphasis>
|
|
"A rose by any other name would smell as sweet."
|
|
</emphasis>
|
|
And so it is with Ethereal, as there appears to be two different
|
|
ways that people pronounce the name.
|
|
</para>
|
|
<para>
|
|
Some people pronounce it ether-real, while others pronounce it
|
|
e-the-real, as in ghostly, insubstantial, etc.
|
|
</para>
|
|
<para>
|
|
You are welcome to call it what you like, as long as you find it
|
|
useful. The FAQ gives the official pronunciation as "e-the-real".
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroHistory">
|
|
<title>A brief history of Ethereal</title>
|
|
<para>
|
|
In late 1997, Gerald Combs needed a tool for tracking down
|
|
networking problems and wanted to learn more about networking, so
|
|
he started writing Ethereal as a way to solve both problems.
|
|
</para>
|
|
<para>
|
|
Ethereal was initially released, after several pauses in development,
|
|
in July 1998 as version 0.2.0. Within days, patches, bug reports,
|
|
and words of encouragement started arriving, so Ethereal was on its
|
|
way to success.
|
|
</para>
|
|
<para>
|
|
Not long after that Gilbert Ramirez saw its potential and contributed
|
|
a low-level dissector to it.
|
|
</para>
|
|
<para>
|
|
In October, 1998, Guy Harris of Network Appliance was looking for
|
|
something better than tcpview, so he started applying patches and
|
|
contributing dissectors to Ethereal.
|
|
</para>
|
|
<para>
|
|
In late 1998, Richard Sharpe, who was giving TCP/IP courses, saw its
|
|
potential on such courses, and started looking at it to see if it
|
|
supported the protocols he needed. While it didn't at that point,
|
|
new protocols could be easily added. So he started contributing
|
|
dissectors and contributing patches.
|
|
</para>
|
|
<para>
|
|
The list of people who have contributed to Ethereal has become very long
|
|
since then, and almost all of them started with a protocol that they
|
|
needed that Ethereal did not already handle. So they copied an existing
|
|
dissector and contributed the code back to the team.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroMaintenance">
|
|
<title>
|
|
Development and maintenance of <application>Ethereal</application>
|
|
</title>
|
|
<para>
|
|
Ethereal was initially developed by Gerald Combs. Ongoing development
|
|
and maintenance of Ethereal is handled by the Ethereal team, a loose
|
|
group of individuals who fix bugs and provide new functionality.
|
|
</para>
|
|
<para>
|
|
There have also been a large number of people who have contributed
|
|
protocol dissectors to Ethereal, and it is expected that this will
|
|
continue. You can find a list of the people who have contributed
|
|
code to Ethereal by checking the about dialog box of Ethereal, or at
|
|
the <ulink url="&EtherealAuthorsPage;">authors</ulink> page on the
|
|
Ethereal web site.
|
|
</para>
|
|
<para>
|
|
Ethereal is an open source software project, and is released under
|
|
the <ulink url="&GPLWebsite;">GNU General Public Licence</ulink> (GPL).
|
|
All source code is freely available under the GPL. You are welcome to
|
|
modify Ethereal to suit your own needs, and it would be appreciated
|
|
if you contribute your improvements back to the Ethereal team.
|
|
</para>
|
|
<para>
|
|
You gain three benefits by contributing your improvements back to the
|
|
community:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Other people who find your contributions useful will appreciate
|
|
them, and you will know that you have helped people in the
|
|
same way that the developers of Ethereal have helped people.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The developers of Ethereal might improve your changes even more,
|
|
as there's always room for improvements. Or they may implement some
|
|
advanced things on top of your code, which can be useful for yourself
|
|
too.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The maintainers and developers of Ethereal will maintain your
|
|
code as well, fixing it when API changes or other changes are
|
|
made, and generally keeping it in tune with what is happening
|
|
with Ethereal. So if Ethereal is updated (which is done often),
|
|
you can get a new Ethereal version from the website and your changes
|
|
will already be included without any effort for you.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<para>
|
|
The Ethereal source code and binary kits for some platforms are all
|
|
available on the download page of the Ethereal website:
|
|
<ulink url="&EtherealDownloadPage;">&EtherealDownloadPage;</ulink>.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroHelp">
|
|
<title>Reporting problems and getting help</title>
|
|
<para>
|
|
If you have problems, or need help with Ethereal, there are several
|
|
places that may be of interest to you (well, beside this guide of
|
|
course).
|
|
</para>
|
|
|
|
<section id="ChIntroHomepage"><title>Website</title>
|
|
<para>
|
|
You will find lot's of useful information on the Ethereal homepage at
|
|
<ulink url="&EtherealWebSite;">&EtherealWebSite;</ulink>.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroWiki"><title>Wiki</title>
|
|
<para>
|
|
The Ethereal Wiki at <ulink
|
|
url="&EtherealWikiPage;">&EtherealWikiPage;</ulink> provides a wide range
|
|
of information related to Ethereal and packet capturing in general.
|
|
You will find a lot of information not part of this user's guide. For
|
|
example, there is an explanation how to capture on a switched network,
|
|
an ongoing effort to build a protocol reference and a lot more.
|
|
</para>
|
|
<para>
|
|
And best of all, if you would like to contribute your knowledge on a
|
|
specific topic (maybe a network protocol you know well), you can edit the
|
|
wiki pages by simply using your webbrowser.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroFAQ"><title>FAQ</title>
|
|
<para>
|
|
The "Frequently Asked Questions" will list often asked questions and
|
|
the corresponding answers.
|
|
<note><title>Read the FAQ!</title>
|
|
<para>
|
|
Before sending any mail to the mailing lists below, be sure to read the
|
|
FAQ, as it will often answer the question(s) you might have. This will save
|
|
yourself and others a lot of time (keep in mind that a lot of people are
|
|
subscribed to the mailing lists).
|
|
</para>
|
|
</note>
|
|
You will find the FAQ inside Ethereal by clicking the menu item
|
|
Help/Contents and selecting the FAQ page in the upcoming dialog.
|
|
</para>
|
|
<para>
|
|
An online version is available at the ethereal website:
|
|
<ulink url="&EtherealFAQPage;">&EtherealFAQPage;</ulink>. You might
|
|
prefer this online version, as it's typically more up to date and the HTML
|
|
format is easier to use.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChIntroMailingLists"><title>Mailing Lists</title>
|
|
<para>
|
|
There are several mailing lists of specific Ethereal topics available:
|
|
<variablelist>
|
|
<varlistentry><term><command>ethereal-announce</command></term>
|
|
<listitem>
|
|
<para>
|
|
This mailing list will inform you about new program
|
|
releases, which usually appear about every 4-8 weeks.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>ethereal-users</command></term>
|
|
<listitem>
|
|
<para>
|
|
This list is for users of Ethereal. People post
|
|
questions about building and using Ethereal, others (hopefully)
|
|
provide answers.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>ethereal-dev</command></term>
|
|
<listitem>
|
|
<para>
|
|
This list is for Ethereal developers. If you want to start
|
|
developing a protocol dissector, join this list.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
You can subscribe to each of these lists from the Ethereal web site:
|
|
<ulink url="&EtherealWebSite;">&EtherealWebSite;</ulink>. Simply
|
|
select the <command>mailing lists</command> link on the left hand
|
|
side of the site. The lists are archived at the Ethereal web site
|
|
as well.
|
|
<tip><title>Tip!</title>
|
|
<para>
|
|
You can search in the list archives to see if someone asked the same
|
|
question some time before and maybe already got an answer. That way you
|
|
don't have to wait until someone answers your question.
|
|
</para>
|
|
</tip>
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Reporting Problems</title>
|
|
<note><title>Note!</title>
|
|
<para>
|
|
Before reporting any problems, please make sure you have installed the
|
|
latest version of Ethereal.
|
|
</para>
|
|
</note>
|
|
<para>
|
|
When reporting problems with Ethereal, it is helpful if you supply the
|
|
following information:
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
The version number of Ethereal and the dependent libraries linked with
|
|
it, eg GTK+, etc. You can obtain this with the command
|
|
<command>ethereal -v</command>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Information about the platform you run Ethereal on.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A detailed description of your problem.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
If you get an error/warning message, copy the text of that message
|
|
(and also a few lines before and after it, if there are some), so
|
|
others may find the place where things go wrong. Please don't
|
|
give something like: "I get a warning while doing x" as this won't
|
|
give a good idea where to look at.
|
|
</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</para>
|
|
<note><title>Don't send large files!</title>
|
|
<para>
|
|
Do not send large files (>100KB) to the mailing lists, just place a note
|
|
that further data is available on request. Large files will only annoy a
|
|
lot of people on the list who are not interested in your specific problem.
|
|
If required, you will be asked for further data by the persons who really
|
|
can help you.
|
|
</para>
|
|
</note>
|
|
<warning><title>Don't send confidential information!</title>
|
|
<para>
|
|
If you send captured data to the mailing lists, be sure they don't contain
|
|
any sensitive or confidential information like passwords or such.
|
|
</para>
|
|
</warning>
|
|
</section>
|
|
|
|
<section><title>Reporting Crashes on UNIX/Linux platforms</title>
|
|
<para>
|
|
When reporting crashes with Ethereal, it is helpful if you supply the
|
|
traceback information (besides the information mentioned in "Reporting
|
|
Problems").
|
|
</para>
|
|
<para>
|
|
You can obtain this traceback information with the following commands:
|
|
<programlisting>
|
|
<![CDATA[
|
|
$ gdb `whereis ethereal | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
|
|
backtrace
|
|
^D
|
|
$
|
|
]]>
|
|
</programlisting>
|
|
<note>
|
|
<para>
|
|
Type the characters in the first line verbatim! Those are
|
|
back-tics there!
|
|
</para>
|
|
</note>
|
|
<note>
|
|
<para>
|
|
backtrace is a <command>gdb</command> command. You should
|
|
enter it verbatim after the first line shown above, but it will not be
|
|
echoed. The ^D
|
|
(Control-D, that is, press the Control key and the D key
|
|
together) will cause <command>gdb</command> to exit. This will
|
|
leave you with a file called
|
|
<filename>bt.txt</filename> in the current directory.
|
|
Include the file with your bug report.
|
|
</para>
|
|
</note>
|
|
<note>
|
|
<para>
|
|
If you do not have <command>gdb</command> available, you
|
|
will have to check out your operating system's debugger.
|
|
</para>
|
|
</note>
|
|
</para>
|
|
<para>
|
|
You should mail the traceback to the
|
|
<ulink url="mailto:&EtherealDevMailList;">&EtherealDevMailList;</ulink>
|
|
mailing list.
|
|
</para>
|
|
</section>
|
|
|
|
<section><title>Reporting Crashes on Windows platforms</title>
|
|
<para>
|
|
The Windows distributions don't contain the symbol files (.pdb), because
|
|
they are very large. For this reason it's not possible to create
|
|
a meaningful backtrace file from it. You should report your crash just
|
|
like other problems, using the mechanism described above.
|
|
</para>
|
|
</section>
|
|
</section>
|
|
|
|
</chapter>
|
|
<!-- End of EUG Chapter 1 -->
|