Customizing Ethereal
Introduction

Ethereal's default behaviour will usually suit your needs pretty well. However, as you become more familiar with Ethereal, it can be customized in various ways to suit your needs even better. In this chapter we explore:

    How to start Ethereal with command line parameters
    How to colorize the packet list
    How to control protocol dissection
    How to use the various preference settings
Start Ethereal from the command line

You can start Ethereal from the command line, but it can also be started from most window managers as well. In this section we will look at starting it from the command line.

Ethereal supports a large number of command line parameters. To see what they are, simply enter the command ethereal -h and the help information shown below (or something similar) should be printed.

Help information available from Ethereal

This is GNU ethereal 0.10.11
(C) 1998-2005 Gerald Combs <gerald@ethereal.com>

Compiled with GTK+ 2.4.14, with GLib 2.4.7, with WinPcap (version unknown),
with libz 1.2.2, with libpcre 4.4, with Net-SNMP 5.1.2, with ADNS.

Running with WinPcap version 3.1 beta4 (packet.dll version 3, 1, 0, 24),
based on libpcap version 0.8.3 on Windows XP Service Pack 1, build 2600.

ethereal [ -vh ] [ -klLnpQS ] [ -a <capture autostop condition> ] ...
    [ -b <capture ring buffer option> ] ...] [ -B capture buffer size (Win32 only) ]
    [ -c <capture packet count> ] [ -f <capture filter> ]
    [ -g <packet number> ] [ -i <capture interface> ] [ -m <font> ]
    [ -N <name resolving flags> ] [ -o <preference/recent setting> ] ...
    [ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ]
    [ -t <time stamp format> ] [ -w <savefile> ] [ -y <capture link type> ]
    [ -z <statistics> ] [ <infile> ]

We will examine each of the command line options in turn. The first thing to notice is that issuing the command ethereal by itself will bring up Ethereal. However, you can include as many of the command line parameters as you like. Their meanings are as follows (in alphabetical order):

XXX - is the alphabetical order a good choice? Maybe better task based?

-a <capture autostop condition>
    Specify a criterion that specifies when Ethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

    duration:value
        Stop writing to a capture file after value seconds have elapsed.
    filesize:value
        Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If this option is used together with the -b option, Ethereal will stop writing to the current capture file and switch to the next one when filesize is reached.

    files:value
        Stop writing to capture files after value files have been written.

-b <capture ring buffer option>
    If a maximum capture file size was specified, cause Ethereal to run in "ring buffer" mode, with the specified number of files. In "ring buffer" mode, Ethereal will write to several capture files. Their names are based on the number of the file and on the creation date and time. When the first capture file fills up, Ethereal will switch to writing to the next file, until it fills up the last file, at which point it will discard the data in the first file (unless 0 is specified, in which case the number of files is unlimited) and start writing to that file, and so on. If the optional duration is specified, Ethereal will also switch to the next file when the specified number of seconds has elapsed, even if the current file is not completely full.

    duration:value
        Switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.

    filesize:value
        Switch to the next file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).

    files:value
        Begin again with the first file after value files have been written (forming a ring buffer).

-B <capture buffer size (Win32 only)>
    Win32 only: set the capture buffer size (in MB, default is 1 MB). This is used by the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try increasing this size.

-c <capture packet count>
    This option specifies the maximum number of packets to capture when capturing live data. It would be used in conjunction with the -k option.
-f <capture filter>
    This option sets the initial capture filter expression to be used when capturing packets.

-g <packet number>
    After reading in a capture file using the -r flag, go to the given packet number.

-h
    The -h option requests Ethereal to print its version and usage instructions (as shown above) and exit.

-i <capture interface>
    The -i option allows you to specify, from the command line, which interface packet capture should occur on if capturing packets. An example would be: ethereal -i eth0. To get a listing of all the interfaces you can capture on, use the command ifconfig -a or netstat -i. Unfortunately, some versions of UNIX do not support ifconfig -a, so you will have to use netstat -i in these cases.

-k
    The -k option specifies that Ethereal should start capturing packets immediately. This option requires the use of the -i parameter to specify the interface that packet capture will occur from.

-l
    This option turns on automatic scrolling if the packet list pane is being updated automatically as packets arrive during a capture (as specified by the -S flag).

-L
    List the data link types supported by the interface and exit.

-m <font>
    This option sets the name of the font used for most text displayed by Ethereal. XXX - add an example!

-n
    Disable network object name resolution (such as hostname, TCP and UDP port names).

-N <name resolving flags>
    Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present. The letter C enables concurrent (asynchronous) DNS lookups.

-o <preference/recent settings>
    Sets a preference or recent value, overriding the default value and any value read from a preference/recent file.
    The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference/recent file), and value is the value to which it should be set. Multiple instances of -o <preference settings> can be given on a single command line.

    An example of setting a single preference would be:

        ethereal -o mgcp.display_dissect_tree:TRUE

    An example of setting multiple preferences would be:

        ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627

    Tip! You can get a list of all available preference strings from the preferences file, see .

-p
    Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Ethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.

-Q
    This option forces Ethereal to exit when capturing is complete. It can be used with the -c option. It must be used in conjunction with the -i and -w options.

-r <infile>
    This option provides the name of a capture file for Ethereal to read and display. This capture file can be in one of the formats Ethereal understands.

-R <read (display) filter>
    This option specifies a display filter to be applied when reading packets from a capture file. The syntax of this filter is that of the display filters discussed in . Packets not matching the filter are discarded.

-s <capture snaplen>
    This option specifies the snapshot length to use when capturing packets. Ethereal will only capture <snaplen> bytes of data for each packet.

-S
    This option specifies that Ethereal will display packets as it captures them. This is done by capturing in one process and displaying them in a separate process. This is the same as "Update list of packets in real time" in the Capture Options dialog box.
-t <time stamp format>
    This option sets the format of packet timestamps that are displayed in the packet list window. The format can be one of:

    r
        relative, which specifies that timestamps are displayed relative to the first packet captured.
    a
        absolute, which specifies that actual times be displayed for all packets.
    ad
        absolute with date, which specifies that actual dates and times be displayed for all packets.
    d
        delta, which specifies that timestamps are relative to the previous packet.

-v
    The -v option requests Ethereal to print out its version information and exit.

-w <savefile>
    This option sets the name of the savefile to be used when saving a capture file.

-y <capture link type>
    If a capture is started from the command line with -k, set the data link type to use while capturing packets. The values reported by -L are the values that can be used.

-z <statistics-string>
    Get Ethereal to collect various types of statistics and display the result in a window that updates in semi-real time. XXX - add more details here!
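The -a and -b conditions above interact in ways that matter when a capture runs unattended (a ring buffer without a file count fills the disk). The following added example, which is my own and not part of the guide, validates the test:value syntax, applies the 1000-byte kilobyte and the files:0 rule from the text, and builds the argv for an immediate capture; treating a -b without files: as unlimited is an assumption.

```python
"""Added example (not from the Ethereal User's Guide): validate the
test:value arguments of -a and -b described above and work out how much
disk a capture can occupy. The 1000-byte kilobyte, the meaning of
files:0 and the rule that -b needs a file size limit follow the text;
the helper functions themselves are my own."""
import re

# test:value, where test is one of the three names the guide lists
_COND = re.compile(r"^(duration|filesize|files):(\d+)$")
KILOBYTE = 1000  # the guide's kilobyte is 1000 bytes, not 1024


def parse_condition(arg):
    """Turn 'filesize:1000' into ('filesize', 1000); reject anything else."""
    m = _COND.match(arg)
    if not m:
        raise ValueError("bad autostop/ring-buffer condition: %r" % arg)
    return m.group(1), int(m.group(2))


def capture_plan(autostop, ring):
    """autostop: list of -a strings; ring: list of -b strings.
    Returns {'ring_mode': bool, 'max_bytes': int or None (unbounded)}."""
    a = dict(parse_condition(x) for x in autostop)
    b = dict(parse_condition(x) for x in ring)
    filesize_kb = b.get("filesize", a.get("filesize"))
    if ring and filesize_kb is None:
        raise ValueError("-b only takes effect when a maximum file size is set")
    if filesize_kb is None:
        return {"ring_mode": False, "max_bytes": None}  # only time/count limits
    per_file = filesize_kb * KILOBYTE
    if not ring:
        # Without -b, reaching filesize stops the capture: exactly one file.
        return {"ring_mode": False, "max_bytes": per_file}
    ring_files = b.get("files", 0)  # files:0 = unlimited; absent treated alike (assumption)
    stop_files = a.get("files")     # -a files:N stops after N files were written
    bounds = [n for n in (ring_files, stop_files) if n]
    if not bounds:
        return {"ring_mode": True, "max_bytes": None}  # disk use grows without limit
    return {"ring_mode": True, "max_bytes": min(bounds) * per_file}


def ethereal_command(interface, savefile, autostop=(), ring=()):
    """Build the argv for an immediate capture (-k needs -i) with the given limits."""
    capture_plan(list(autostop), list(ring))  # raise early on a bad combination
    argv = ["ethereal", "-k", "-i", interface, "-w", savefile]
    for cond in autostop:
        argv += ["-a", cond]
    for cond in ring:
        argv += ["-b", cond]
    return argv
```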
Packet colorization

A very useful mechanism available in Ethereal is packet colorization. You can set up Ethereal so that it will colorize packets according to a filter. This allows you to emphasize the packets you are usually interested in.

Tip! You will find a lot of Coloring Rule examples at the Ethereal Wiki Coloring Rules page at &EtherealWikiColoringRulesPage;.

To colorize packets, select the Coloring Rules... menu item from the View menu. Ethereal will pop up the "Coloring Rules" dialog box as shown in the figure below.
The "Coloring Rules" dialog box
Once the Coloring Rules dialog box is up, there are a number of buttons you can use, depending on whether or not you have any color filters installed already.

Note! You will need to carefully select the order in which the coloring rules are listed (and thus applied), as they are applied in order from top to bottom. So, more specific rules need to be listed before more general rules. For example, if you have a color rule for UDP before the one for DNS, the color rule for DNS will never be applied (as DNS uses UDP, so the UDP rule will match first).

If this is the first time you have used Coloring Rules, click on the New button, which will bring up the Edit Color Filter dialog box as shown in the figure below.
The "Edit Color Filter" dialog box
In the Edit Color Filter dialog box, simply enter a name for the color filter, and enter a filter string in the Filter text field. The figure above shows the values arp and arp, which means that the name of the color filter is arp and the filter will select protocols of type arp. Once you have entered these values, you can choose a foreground and background color for packets that match the filter expression. Click on Foreground color... or Background color... to achieve this, and Ethereal will pop up the Choose foreground/background color for protocol dialog box as shown in the figure below.
The "Choose color" dialog box
Select the color you desire for the selected packets and click on OK.

Note! You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to select the color you want.

The figure below shows an example of several color filters being used in Ethereal. You may not like the color choices; however, feel free to choose your own.
Using color filters with Ethereal
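The ordering note above (a UDP rule above a DNS rule silently shadows the DNS rule) is easy to check mechanically. This added example is mine, not the guide's: it models top-to-bottom, first-match colouring over constructed packets and reports rules that can never win; rule filters are reduced to bare protocol names, a small subset of the real display-filter language.

```python
"""Added example, not from the guide: a toy model of Ethereal's
top-to-bottom coloring rules, showing why a 'udp' rule listed before a
'dns' rule means the DNS rule never fires. A rule's filter here is just a
protocol name (arp, udp, dns), one small subset of the display-filter
language; the packets and colours are constructed for the example."""

# A packet is modelled by the protocols its dissection contains, lowest first.
PACKETS = {
    "dns-query": ["eth", "ip", "udp", "dns"],
    "arp-request": ["eth", "arp"],
    "web": ["eth", "ip", "tcp", "http"],
    "ntp": ["eth", "ip", "udp", "ntp"],
}


def matches(filter_expr, layers):
    """Protocol-name filter: true if that protocol appears anywhere in the packet."""
    return filter_expr in layers


def colorize(rules, layers):
    """rules: ordered list of (name, filter, colour). The first matching rule
    wins, exactly as the guide describes the top-to-bottom evaluation."""
    for name, expr, colour in rules:
        if matches(expr, layers):
            return name, colour
    return None, "default"


def shadowed_rules(rules, packets):
    """Rules that match some sample packet on their own but never win:
    the symptom of a general rule listed above a more specific one."""
    winners = {colorize(rules, p)[0] for p in packets.values()}
    return [name for name, expr, _ in rules
            if name not in winners
            and any(matches(expr, p) for p in packets.values())]


# 'udp' above 'dns' shadows the DNS rule; swapping the two fixes it.
BAD_ORDER = [("udp", "udp", "blue"), ("dns", "dns", "green"), ("arp", "arp", "grey")]
GOOD_ORDER = [("dns", "dns", "green"), ("udp", "udp", "blue"), ("arp", "arp", "grey")]
```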
Control Protocol dissection

The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Ethereal tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Ethereal won't know if you use a common protocol on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of the standard port 80.

There are two ways to control the relations between protocol dissectors: disable a protocol dissector completely, or temporarily divert the way Ethereal calls the dissectors.
The "Enabled Protocols" dialog box

The Enabled Protocols dialog box lets you enable or disable specific protocols; all protocols are enabled by default. When a protocol is disabled, Ethereal stops processing a packet whenever that protocol is encountered.

Note! Disabling a protocol will prevent information about higher-layer protocols from being displayed. For example, suppose you disabled the IP protocol and selected a packet containing Ethernet, IP, TCP, and HTTP information. The Ethernet information would be displayed, but the IP, TCP and HTTP information would not: disabling IP would prevent it and the other protocols from being displayed.
The "Enabled Protocols" dialog box
To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted.

Warning! You have to use the Save button to save your settings. The OK or Apply buttons will not save your changes permanently, so they will be lost when Ethereal is closed.

You can choose from the following actions:

Enable All
    Enable all protocols in the list.
Disable All
    Disable all protocols in the list.
Invert
    Toggle the state of all protocols in the list.
OK
    Apply the changes and close the dialog box.
Apply
    Apply the changes and keep the dialog box open.
Save
    Save the settings to the disabled_protos file, see for details.
Cancel
    Cancel the changes and close the dialog box.
User Specified Decodes

The "Decode As" functionality lets you temporarily divert specific protocol dissections. This might be useful, for example, if you do some uncommon experiments on your network.
The "Decode As" dialog box
The content of this dialog box depends on the selected packet when it was opened.

Warning! The user specified decodes cannot be saved. If you quit Ethereal, these settings will be lost.

Decode
    Decode packets the selected way.
Do not decode
    Do not decode packets the selected way.
Link/Network/Transport
    Specify the network layer at which "Decode As" should take place. Which of these pages is available depends on the content of the selected packet when this dialog box was opened.
Show Current
    Open a dialog box showing the current list of user specified decodes.
OK
    Apply the currently selected decode and close the dialog box.
Apply
    Apply the currently selected decode and keep the dialog box open.
Cancel
    Cancel the changes and close the dialog box.
Show User Specified Decodes

This dialog box shows the currently active user specified decodes.
The "Decode As: Show" dialog box
OK
    Close this dialog box.
Clear
    Removes all user specified decodes.
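The two controls described in this section, disabling a protocol in the Enabled Protocols dialog and rerouting a port with Decode As, can be seen side by side in the following added example. It is my own toy dissector chain, not Ethereal code: the port table, the packet layout and the 'data' fallback are constructed for the illustration.

```python
"""Added example, not from the guide: a toy dissector chain that models
the two controls above. Disabling a protocol (Enabled Protocols dialog)
stops dissection at that layer, so IP, TCP and HTTP all disappear when
'ip' is disabled; a Decode As entry reroutes an uncommon port to a known
dissector, e.g. HTTP on TCP port 800. The port table and packet layout
are constructed for the example and are not Ethereal's own."""

# Static "routes": which dissector a well-known TCP/UDP port is handed to.
STATIC_PORTS = {("tcp", 80): "http", ("tcp", 443): "ssl", ("udp", 53): "dns"}


class Dissector:
    def __init__(self, disabled=(), decode_as=None):
        self.disabled = set(disabled)            # protocols switched off in the dialog
        self.decode_as = dict(decode_as or {})   # (transport, port) -> protocol name

    def route(self, transport, port):
        """User specified decodes win over the static table; unknown ports are 'data'."""
        key = (transport, port)
        return self.decode_as.get(key) or STATIC_PORTS.get(key, "data")

    def _chain(self, pkt):
        """Yield the dissectors a packet would visit, lowest layer first."""
        yield pkt["ethertype"]                   # e.g. 'ip' or 'arp'
        if pkt["ethertype"] == "ip":
            yield pkt["transport"]               # 'tcp' or 'udp'
            yield self.route(pkt["transport"], pkt["dport"])

    def dissect(self, pkt):
        """Return the protocol layers that would appear in the packet details tree.
        pkt is a constructed dict such as {'ethertype': 'ip', 'transport': 'tcp', 'dport': 80}."""
        layers = ["eth"]
        for proto in self._chain(pkt):
            if proto in self.disabled:
                break                            # Ethereal stops processing here
            layers.append(proto)
        return layers


# Constructed sample packets: standard-port HTTP, HTTP on port 800, and ARP.
WEB = {"ethertype": "ip", "transport": "tcp", "dport": 80}
WEB_800 = {"ethertype": "ip", "transport": "tcp", "dport": 800}
ARP = {"ethertype": "arp"}
```

A "Do not decode" entry is modelled by mapping the port to the 'data' fallback.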
Preferences

There are a number of preferences you can set. Simply select the Preferences... menu item from the Edit menu, and Ethereal will pop up the Preferences dialog box as shown in the figure below, with the "User Interface" page as default. On the left side is a tree where you can select the page to be shown.

Note! Preference settings are added frequently. For a recent explanation of the preference pages and their settings, have a look at the Ethereal Wiki Preferences page at &EtherealWikiPreferencesPage;.

Warning! The OK or Apply button will not save the preference settings; you'll have to save the settings by clicking the Save button.

The OK button will apply the preferences settings and close the dialog.
The Apply button will apply the preferences settings and keep the dialog open.
The Save button will apply the preferences settings, save the settings on the hard disk and keep the dialog open.
The Cancel button will restore all preferences settings to the last saved state.
The preferences dialog box