Rating: Summary: The Queen Mary 2 of Jay Beale's Open Source fleet Review: "Ethereal Packet Sniffing" is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. "Ethereal" is full of helpful tips and clear discussions that benefit newbies and wizards alike. I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material is Ethereal's development, from 0.2 in July 1998 to 0.10.3 this year. (The book covers 0.10.0, which is far from being outdated.) The many improvements lend themselves to the sort of explanations found in "Ethereal." For example, my favorite material involved filters. Although chs. 4 and 5 had minor overlap regarding this feature, I learned new ways to manipulate Ethereal's packet search and display capabilities. Because the entire book focuses on a single suite of tools, it has the space to take in-depth looks at normally ignored components like stream analysis graphs. The book spends time explaining how to write filters with bitwise AND operations, and talks about 'matches' and 'contains' search functions. For programmers, the chapter on "developing Ethereal" gives clues on adding new protocol dissectors. This reminded me of a similar chapter in Syngress' book on Snort. If you want to really know how to use Ethereal, buy this book. However, it should have been called "Ethereal Packet Sniffer," not "Ethereal Packet Sniffing." The distinction lies in the book's focus; it spends most of its time explaining functions and not analyzing packets. Books on troubleshooting by Bardwell or Haugdahl have more insights to share than ch. 8 in "Ethereal." Nevertheless, I added this book to my recommended reading list for aspiring security engineers. It's worth a close read.
Rating: Summary: Excellent Information For An Excellent Program Review: Ethereal is fairly commonly accepted as one of the best, if not the best, packet sniffer available. If it's not the best, it certainly is hard to get more bang for the buck, because Ethereal is freely available as an open source application.
The opening chapter provides a very good overview of network analysis for those who are new to the whole concept. It answers questions like "What Is Network Analysis and Sniffing?" and "How Does It Work?".
One of the nice things about this book is that it is completely dedicated to this one product. So, rather than hitting the highlights of various applications and glossing over features and functionality this book provides entire chapters devoted to installing and using Ethereal's basic functionality and then goes on to cover advanced concepts in great detail.
Chapter 7 explains how to integrate Ethereal with other products and how to use Ethereal to analyze data from applications such as Snort, Snoop, Microsoft Network Monitor and more. Because Ethereal is open source, anyone with an idea and some extra time is welcome to contribute to the project by developing Ethereal further. Chapter 9 is dedicated to illustrating what you need to know as a developer to help improve Ethereal.
The book comes with a CD which contains Ethereal among other things, but CDs are quickly outdated and you are better off downloading the current Ethereal from the site. Regardless, this book is a must-have for anyone running Ethereal and is well worth the money.
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
Rating: Summary: Nice new functionality Review: How anxious (paranoid?) are you about your network? Has a cracker taken over one of your machines and is using it to sniff your traffic? Or maybe to propagate worms, or emit spam, especially the phishing variety, which needs a server that cannot be directly owned by the phisher. For all these reasons, and as a prophylactic measure against them, sysadmins often use network analysis tools that come with their operating systems, like tcpdump under Linux and Unix and windump under Microsoft. But these tend to be limited in their analytic capability. A group of people wanted to improve matters. They banded together and called their product Ethereal. It is offered freely as open source, and has been tested on Linux, most Unixes and various Microsoft OSs. Strictly speaking, it has not been officially released. Which makes this book a little curious, on first glance. The book documents version 0.10.0, and has a CD with all the necessary code. The authors felt that pragmatically this version is stable enough and offers significantly better functionality over the alternatives. Granted, you may be trepid about installing beta code, on principle. But the authors argue persuasively that the Ethereal functionality, both in a GUI and at the command line, warrants serious consideration by any sysadmin. Another reason to install Ethereal has to do with the case where you are already using some proprietary network analyser. If you also run Ethereal, then the two analysers act as cross checks on each other. While Ethereal may have some bugs, so too might that other product. But how might you ever know about the latter, without using Ethereal?
Rating: Summary: Most comprehensive resource for Ethereal Review: I found this book to be easy to read and follow. The book is fully dedicated to the functionality of Ethereal. (It does not cover how protocols work, etc.; I mention that because this book will be popular in IDS circles.) I was concerned about spending money on a book for a sniffer that I was already using and felt I already had a good handle on, but I am glad I did purchase it. If you spend time going through large packet dump files, the explanations on how to use the different display filters are worth the price of the book. The only complaint I would have would be the portion about "capture filters". I felt the explanation wasn't as thorough as I would have liked it to be, but BPF filters can be very difficult to explain, especially in only a few pages, so it's understandable. I did learn some interesting nuggets on using mergecap and using Ethereal without the GUI. Overall the best resource for Ethereal and worth buying.
Rating: Summary: Comprehensive reference for Ethereal Review: I recently purchased this book to gain a better understanding of how to use some of the more advanced and powerful features of Ethereal on my network. I've used Ethereal for some pretty basic things, but have never had the time or the information to really become expert with it. I've seen Jay Beale, who is the editor for the book, speak many times at Linux World and always found his presentations to be excellent. So, I had high hopes this book would be the reference I was seeking, and I'm certainly not disappointed. The book does an excellent job of taking you through various installation and configuration scenarios and then gets into using all of the other programs like Tethereal, Mergecap, etc. The authors also show output from things like Code Red and SQL Slammer to really demonstrate how Ethereal can be used to analyze attacks. This book can be read either by newbies who need some help getting Ethereal up and running all the way up through experts looking for help with advanced information on filters or packet analysis.
Rating: Summary: GREAT BOOK! I have been waiting on this for a while! Review: I totally recommend this book, for both beginners and experienced programmers who are interested in developing dissectors. The captures are up to date as of version 0.10.1. Ethereal releases a new version every 1-2 months, so version 0.10.2 was released right after the book was published. I went to the Ethereal website and downloaded the later version and everything still applies!! The only changes were a few protocols were updated, one new protocol was added, and some of the GUI layout was improved. All of the technical information in the book ROCKS!!!
Rating: Summary: Really needed this book! Review: I've been using Ethereal for quite some time and consider it one of the most useful tools that I use. I rely on it very heavily to monitor the performance of my network, and also to help diagnose and troubleshoot any problems that come up. As much as I like the product, I always found it difficult to maintain, update, learn new features, etc. because there were no books or anything. The web site and things are OK, but aren't that thorough. This book does an incredible job of teaching you to use all of the features, and also how to actually interpret and use the resulting data. The authors really know what they are talking about. They always gave good answers and explanations on the mailing lists, so I was glad to see they were actually writing a book.
Rating: Summary: good for users and developers Review: I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money; I'll stick with free docs. A bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. A lot of information gets dumped in Ethereal; helping people navigate the UI with a static, black-and-white image would have been welcome. Now, on to the real strengths of the book. The book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well. How can you place a sniffer to get coverage, what can a sniffer tell you during troubleshooting (and what can it not?), and of course how to get and install Ethereal (on UN*X and Windows). The next chapter covers exactly what you would expect it to: how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files). Chapter 7 is one of those handy things to read.
Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products. Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD. Chapter 9 will be useful to a small subset of people, but quite useful. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project. Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work. The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think. Also, Syngress has a book update feature that some people may find useful.
Rating: Summary: Why WOULDN'T you buy this book? Review: If you run Ethereal, this is the best 50 bucks you can spend. If you're already experienced in the basics, the book is still worth it for the Writing Filters section and the sections on integrating Ethereal with other network monitors. The Code Red/SQL Slammer section is fascinating in the way train wrecks are fascinating; you know it's nasty but you just have to look. I'm not certain the CD is necessary; most of us will download the latest version from the Ethereal site. But that's a nitpick. Like I said, it's hard to come up with a reason to pass on this one if you run Ethereal.
Rating: Summary: Valuable Adjunct to the On-Line Docs Review: In Chapter 1 the book tells you to get a copy of Ethereal at www.Ethereal.com. This is correct. But be sure you spell it right; if you go to etheral you get to a rather strange-looking site with links to a lot of places that look like you just might want to be sure your virus protection is up to date.
When you get to the Ethereal web site, you'll be offered a link to their documentation. You'll want to download it, of course. Then the obvious question is why spend money for this book if the documentation is available free over the net. The answer is organization, layout, convenience and the fact that just having a different person explain things using a slightly different set of words and sentences sometimes makes things more clear. Look at it this way. If you're working on a network problem and reading both the on-line documentation and this book saves you an hour of frustration, you've more than paid the cost of the book.
In addition, this book contains a great deal more information of the general or background type. For instance, I found the three pages describing the FBI's Carnivore (now DCS100) network analyzer to be quite interesting. This additional information also includes more help in understanding what the data Ethereal collects really means.
If you're into the packet sniffing business, this is a book that belongs on your bookshelf.