1998-09-16 02:39:15 +00:00
|
|
|
General Information
|
|
|
|
|
------- -----------
|
|
|
|
|
|
|
|
|
|
Ethereal is a network traffic analyzer for Unix-ish operating systems.
|
|
|
|
|
It is based on GTK+, a graphical user interface library, and libpcap,
|
|
|
|
|
a packet capture and filtering library.
|
|
|
|
|
|
|
|
|
|
The official home of Ethereal is
|
|
|
|
|
|
|
|
|
|
http://ethereal.zing.org
|
|
|
|
|
|
|
|
|
|
The latest distribution can be found in the subdirectory
|
|
|
|
|
|
|
|
|
|
http://ethereal.zing.org/distribution
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installation
|
|
|
|
|
------------
|
|
|
|
|
|
|
|
|
|
Ethereal is known to compile and run under Linux (2.0.35) and Solaris
|
|
|
|
|
(2.6). It should run on other systems without too much trouble.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installation Checklist (Short):
|
|
|
|
|
|
|
|
|
|
[ ] 1. Unpack the archive.
|
|
|
|
|
|
|
|
|
|
[ ] 2. Run './configure; make; make install; make install-man'.
|
|
|
|
|
If there are any problems, read on:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installation Checklist (Long):
|
|
|
|
|
|
|
|
|
|
[ ] 0. This is alpha software. Beware.
|
|
|
|
|
|
|
|
|
|
[ ] 1. Make sure you have GTK+ installed. Try running 'gtk-config
|
|
|
|
|
--version'. If you need to install/reinstall GTK, you can find
|
|
|
|
|
it at
|
|
|
|
|
|
|
|
|
|
http://www.gtk.org .
|
|
|
|
|
|
|
|
|
|
Ethereal should work with the latest stable (1.0.x) version, but
|
|
|
|
|
I've had reports that it doesn't compile with the development
|
|
|
|
|
(1.1.x) tree.
|
|
|
|
|
|
|
|
|
|
[ ] 2. Make sure you have libpcap installed. The latest version can be
|
|
|
|
|
found at
|
|
|
|
|
|
|
|
|
|
ftp://ftp.ee.lbl.gov .
|
|
|
|
|
|
|
|
|
|
Make sure you install the headers ('make install-incl') when you
|
|
|
|
|
install the library.
|
|
|
|
|
|
|
|
|
|
[ ] 3. Run './configure' in the Ethereal distribution directory.
|
|
|
|
|
Running './configure --help' displays a list of options.
|
|
|
|
|
The file 'INSTALL' contains general instructions for running
|
|
|
|
|
'configure'.
|
|
|
|
|
|
1998-09-25 23:24:07 +00:00
|
|
|
Ethereal installs a support file (manuf) in /usr/local/etc by
|
|
|
|
|
default. You can change this location with the --sysconfdir
|
|
|
|
|
option.
|
|
|
|
|
|
1998-09-16 02:39:15 +00:00
|
|
|
[ ] 4. Run 'make'. Hopefully, you won't run into any problems.
|
|
|
|
|
|
|
|
|
|
[ ] 5. Run './ethereal', and make sure things are working. You must
|
|
|
|
|
have root privileges in order to capture live data.
|
|
|
|
|
|
|
|
|
|
[ ] 6. Run 'make install'. If you wish to install the man page, run
|
|
|
|
|
'make install-man'. You're done.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Usage
|
|
|
|
|
-----
|
|
|
|
|
|
|
|
|
|
In order to capture packets from the network, you need to be running
|
|
|
|
|
as root. Although it might be tempting to make the Ethereal executable
|
|
|
|
|
setuid root, please don't - alpha code is by nature not very robust, and
|
|
|
|
|
liable to contain security holes.
|
|
|
|
|
|
|
|
|
|
The filtering mechanism is far from complete. Until the interface
|
|
|
|
|
solidifies, here's a description of what each component of the filter
|
|
|
|
|
dialog:
|
|
|
|
|
|
|
|
|
|
- 'Filter name' entry: Gives a name to the filter you are about to create
|
|
|
|
|
or modify, e.g. 'Web and DNS traffic'
|
|
|
|
|
|
|
|
|
|
- 'Filter string' entry: The text describing the filtering action to
|
|
|
|
|
take. It must have the same format as tcpdump filter strings (both
|
|
|
|
|
programs use the same underlying library), e.g.
|
|
|
|
|
|
|
|
|
|
'tcp port 80 or tcp port 443 or port 53'
|
|
|
|
|
|
|
|
|
|
- 'New' button: If there is text in the two entry boxes, adds it to the
|
|
|
|
|
list.
|
|
|
|
|
|
|
|
|
|
- 'Change' button: Modifies the currently selected list item to match
|
|
|
|
|
what's in the two entry boxes.
|
|
|
|
|
|
|
|
|
|
- 'Copy' button: Makes a copy of the currently-selected list item.
|
|
|
|
|
|
|
|
|
|
- 'Delete' button: Deletes the currently-selected list item.
|
|
|
|
|
|
|
|
|
|
- 'OK' button: Sets the selected list item as the active filter. If
|
|
|
|
|
nothing is selected, turns filtering off.
|
|
|
|
|
|
|
|
|
|
- 'Save' button: Saves the current filter list in
|
|
|
|
|
$HOME/.ethereal/filters.
|
|
|
|
|
|
|
|
|
|
- 'Cancel' button: Closes the window without making changes.
|
|
|
|
|
|
|
|
|
|
|
1998-11-12 06:01:27 +00:00
|
|
|
Multiple File Types
|
|
|
|
|
-------------------
|
|
|
|
|
|
1998-11-18 20:10:30 +00:00
|
|
|
The wiretap library is a packet-capture library currently under
|
|
|
|
|
development parallel to ethereal. In the future it is hoped that
|
|
|
|
|
wiretap will have more features than libpcap, but wiretap is still in
|
|
|
|
|
its infancy. You can compile ethereal with the wiretap library by using
|
|
|
|
|
'./configure --with-wiretap'. Using wiretap will allow you to read
|
|
|
|
|
pcap, Sniffer, Sun "snoop", and LANalyzer trace files, but it disables
|
|
|
|
|
display filters. You can still capture packets from within ethereal
|
|
|
|
|
using libpcap, and therefore use libpcap-style capture filters, however.
|
1998-11-12 06:01:27 +00:00
|
|
|
|
|
|
|
|
If you can live without display filters and would like to read non-pcap
|
|
|
|
|
capture files, give wiretap a try. If you want to add support for other
|
|
|
|
|
packet-capture file formats, please look at the wiretap source code in the
|
|
|
|
|
wiretap directory.
|
|
|
|
|
|
|
|
|
|
Please report any problems that are wiretap related to
|
|
|
|
|
Gilbert Ramirez <gram@verdict.uthscsa.edu>. He uses token-ring at work, so he
|
|
|
|
|
is especially interested in any non-token-ring trace files you can send him.
|
|
|
|
|
|
|
|
|
|
|
1998-09-16 02:39:15 +00:00
|
|
|
Disclaimer
|
|
|
|
|
----------
|
|
|
|
|
|
|
|
|
|
There is no warranty, expressed or implied, associated with this product.
|
|
|
|
|
Use at your own risk.
|
