Norm Matloff's Introduction to the Ethereal IP Packet Analyzer

About ethereal:

Ethereal is a software package which both captures and analyzes network packet data: it records the raw frames from an interface and decodes the IP (and higher-layer) protocols they carry.

On the collection side, ethereal can monitor an Ethernet or a PPP interface. If you are on a PC and make a dialup connection to the Internet via an ISP, ethereal will monitor your PPP connection (interface ppp0 if you are using Linux), recording each frame in a disk file. Ethereal will also display the frames in a nice GUI at the same time. Note that reading raw traffic from an interface requires privileges; on Linux this normally means running ethereal as root.

Ethereal will also read in frame data from a disk file, either one you've created by running ethereal earlier or someone else's file, whether it was created by ethereal or by one of several other frame-capture packages (tcpdump, for example, since both use the libpcap file format). (The ethereal Web page has a number of interesting sample data sets.)

Ethereal may also be run in a non-GUI version, tethereal, which writes its output as plain text. This is handy for printing or for saving a decoded capture to a text file.

Where to obtain it:

Download it from the Ethereal Web page.

How to install it:

Follow the usual "configure; make; make install" sequence, as stated in the INSTALL file.

Documentation:

The documentation is not very good and not very convenient. However, since the operations are not that complex, one can learn by experimentation.

How to use it:

Just type

ethereal

and the GUI window will come up. Click on Capture to start capturing frames; it will prompt you in a popup window for the name of the file in which to save the capture. Another popup window will then appear, showing running counts of the frames captured; when you are done, click on Stop in this window.

To view the information on captured frames, either those you've just captured or those recorded earlier in a file, you need to understand the three subwindows in the main ethereal window: the top one lists the captured frames, one summary line per frame (time, source, destination, protocol); the middle one shows the decoded protocol layers of the frame currently selected in the top list, e.g. the Ethernet, IP and TCP/UDP headers; and the bottom one shows the raw bytes of that frame as a hex dump.

The three subwindows and the entire window each may be resized. Also, you may "save" the second/third subwindows for a given frame, in a separate window, by clicking on Display.

To run the non-GUI version on a saved capture file, say z.cap, type something like

tethereal -r z.cap -x > z.txt

Here -r tells tethereal to read frames from the named file instead of capturing live, and -x adds a hex/ASCII dump of each frame after its one-line summary. Add -V if you also want the full decoded protocol tree (what the middle subwindow of the GUI shows) printed for every frame.
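The capture files discussed above (the ones ethereal writes, and the z.cap that tethereal -r reads) are in libpcap format: a 24-byte global header followed by one record header plus raw frame bytes per frame. The following is an added example, not code from this page or from the ethereal project: a small Python reader for that format that decodes the Ethernet and IPv4 headers of each frame (what the GUI's middle subwindow shows) and prints a hex dump like tethereal -x. The one-frame capture it parses is constructed in memory so the example runs offline; the addresses, ports and payload in it are made up.

```python
"""Minimal libpcap (.cap/.pcap) reader with Ethernet/IPv4 decoding and a
tethereal -x style hex dump.  Added example; not part of the original page or
of the ethereal project.  The sample capture below is constructed, not real."""
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic number
LINKTYPE_ETHERNET = 1


def build_sample_pcap(endian: str = "<") -> bytes:
    """Construct a one-frame capture (Ethernet -> IPv4 -> UDP to port 53) in
    memory.  endian selects the byte order the writing host used."""
    payload = bytes.fromhex("123401000001000000000000")   # fake 12-byte DNS header
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, 17, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 1])) + udp
    eth = (bytes.fromhex("00ab0c0d0e0f")        # destination MAC
           + bytes.fromhex("001122334455")      # source MAC
           + struct.pack("!H", 0x0800) + ip)    # ethertype IPv4
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    ghdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # record header: ts_sec, ts_usec, captured length, original length
    rhdr = struct.pack(endian + "IIII", 1000000000, 250000, len(eth), len(eth))
    return ghdr + rhdr + eth


def parse_pcap(data: bytes) -> List[Dict]:
    """Split a libpcap file into frame records, checking every length field
    against the file size so a truncated or malformed file raises instead of
    yielding garbage."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    frames, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("record at offset %d claims %d bytes: exceeds snaplen or file"
                             % (off - 16, caplen))
        frames.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "origlen": origlen,
                       "linktype": linktype, "data": data[off:off + caplen]})
        off += caplen
    return frames


def decode_frame(frame: bytes) -> Dict:
    """Decode the Ethernet header and, for IPv4, the IP header and L4 ports."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    out: Dict = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                 "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != 0x0800 or len(frame) < 34:
        return out                        # not IPv4 (or too short): stop at layer 2
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    out.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)),
               ttl=ttl, proto=proto, ip_total_len=total_len)
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports are the first 4 bytes
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    return out


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII per line, as tethereal -x prints."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    for i, rec in enumerate(parse_pcap(build_sample_pcap()), 1):
        print("Frame %d: %d bytes on wire, %d captured" % (i, rec["origlen"], rec["caplen"]))
        print(decode_frame(rec["data"]))
        print(hexdump(rec["data"]))
```

To use it on a real file, replace build_sample_pcap() with open("z.cap", "rb").read(); the length checks in parse_pcap are what keep a truncated or hostile capture file from being misread as valid frames.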