Norm Matloff's Introduction to the Ethereal IP Packet Analyzer


About ethereal:

Ethereal is a software package which both collects and analyzes IP packet data.

On the collection side, ethereal can monitor either an Ethernet or a PPP port. If you are on a PC and make a dialup connection to the Internet via an ISP, ethereal will monitor your PPP connection (port ppp0 if you are using Linux), recording each IP frame in a disk file. Ethereal will also display the frames in a nice GUI at the same time.

Ethereal will also read in frame data from a disk file: either one you created by running ethereal earlier, or someone else's file, created either by ethereal or by one of several other frame-capture packages. (The ethereal Web page has a number of interesting sample data sets.)

Ethereal may also be run in a non-GUI version, tethereal. This is handy for printing.

Where to obtain it:

Download it from the Ethereal Web page.

How to install it:

Follow the usual "configure; make; make install" sequence, as stated in the INSTALL file.


The documentation is not very good and not very convenient. However, since the operations are not that complex, one can learn by experimentation.

How to use it:

Just type


and the GUI window will come up. Click on Capture to start capturing frames; it will prompt you in a popup window for a file name to use. Another popup window will then appear, giving you counts of various sorts; when you are done, click on Stop in this window.

To view the information on captured frames, either those you've just captured or those recorded earlier in a file, you need to understand the three subwindows in the main ethereal window:

The three subwindows and the entire window each may be resized. Also, you may "save" the second/third subwindows for a given frame, in a separate window, by clicking on Display

To run the non-GUI version, say from a file z.cap, type something like

tethereal -r z.cap -x > z.txt
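
What reading such a capture file involves, as an added example (not part of the original tutorial and not Ethereal's own code): a minimal reader that walks the records of a file, pulls out the IP source and destination for Ethernet or PPP frames, and formats a hex dump. It assumes z.cap-style files are in the classic libpcap format with an uncompressed PPP protocol field; the function names and the sample capture bytes are constructed for illustration.

```python
import socket
import struct

LINKTYPE_ETHERNET, LINKTYPE_PPP = 1, 9  # libpcap link-layer type codes

def read_pcap(data):
    """Yield (linktype, ts_sec, frame) for each record of a classic libpcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic libpcap file")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    *_, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, captured length, original length
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record")
        yield linktype, ts_sec, data[off:off + incl_len]
        off += incl_len

def ip_endpoints(linktype, frame):
    """Return (src, dst) of the IPv4 packet inside a frame, or None if not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        ip = frame[14:] if frame[12:14] == b"\x08\x00" else b""  # EtherType 0x0800
    elif linktype == LINKTYPE_PPP:
        body = frame[2:] if frame[:2] == b"\xff\x03" else frame  # optional HDLC framing
        ip = body[2:] if body[:2] == b"\x00\x21" else b""        # PPP protocol 0x0021
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])

def hexdump(frame):
    """Offset plus 16 hex bytes per line, in the spirit of the -x dump."""
    return "\n".join(f"{i:04x}  " + " ".join(f"{b:02x}" for b in frame[i:i + 16])
                     for i in range(0, len(frame), 16))

# Constructed sample: one Ethernet frame with a bare IPv4 header, 10.0.0.1 -> 10.0.0.2
SAMPLE_IP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
SAMPLE_FRAME = bytes(12) + b"\x08\x00" + SAMPLE_IP
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + struct.pack("<IIII", 1, 0, len(SAMPLE_FRAME), len(SAMPLE_FRAME)) + SAMPLE_FRAME)

if __name__ == "__main__":
    for lt, ts, frame in read_pcap(SAMPLE_PCAP):
        print(ts, ip_endpoints(lt, frame))
        print(hexdump(frame))
```

The length checks matter when the file comes from someone else: a record whose captured length exceeds the snapshot length or runs past the end of the file is rejected instead of being sliced blindly.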