Network Protocol Analysis
Different network protocols can be "dissected" using Wireshark
Opening the Network Blackbox: Ethereal
Built-In Protocol Analysis
In version 0.10.10, 673 different protocols can be
"dissected" using Ethereal (and later Wireshark).
The protocol analysis features can be invaluable when diagnosing non-obvious application errors. For example, when a new IMAP client would not connect to its server, the client responded with a worthless "Error: Connection Failed" message. Fortunately, the error message from the IMAP server regarding an exceeded number of simultaneous connections was quickly parsed and displayed using Ethereal/Wireshark.
In the example shown here, Ethereal is being used to piece apart the various elements of an HTTP GET request. Highlighted as part of the request is the If-Modified-Since header, which is an indicator of the last time this client accessed and cached the requested URL.
Follow TCP Stream
The Follow TCP Stream feature of Ethereal is a powerful tool for analyzing plain-text protocols and for identifying plain-text in binary or obscure protocols. It can also be used to demonstrate how easy it is to "recover" a password from plain-text protocols, such as POP and IMAP.
The feature can also be used to quickly create a filter to show only related packets. This is ideal for saving "Displayed packets only" to be used as specific evidence when reporting a software bug to a developer or when reporting a security incident to a network provider.
This plug-in does not always work as expected.
Older versions would follow a flow through megs and megs of data without an option to interrupt. Newer versions appear to stop following after an arbitrary number of packets/bytes.
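As an added example (not part of the original page), the Python sketch below audits the client side of a followed stream for POP3 and IMAP logins sent in the clear, reporting the account and the length of the secret rather than the secret itself. The sample streams are constructed, and the function name find_cleartext_logins is an assumption of this example.

```python
import re

# Constructed client-to-server sides of reassembled TCP streams (sample data, not a real capture).
POP3_STREAM = b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"
IMAP_STREAM = b'a001 CAPABILITY\r\na002 LOGIN "bob" "s3cr3t pw"\r\na003 SELECT INBOX\r\n'
IMAP_TLS_STREAM = b"a001 CAPABILITY\r\na002 STARTTLS\r\n\x16\x03\x01\x02\x00\x01\x00"

# One IMAP astring: a quoted string (with backslash escapes) or a bare atom.
ASTR = rb'("(?:[^"\\]|\\.)*"|[^\s"]+)'
POP3_USER = re.compile(rb"^USER\s+(\S+)\s*$", re.I)
POP3_PASS = re.compile(rb"^PASS\s+(.+)$", re.I)
IMAP_LOGIN = re.compile(rb"^(\S+)\s+LOGIN\s+" + ASTR + rb"\s+" + ASTR + rb"\s*$", re.I)
IMAP_STARTTLS = re.compile(rb"^\S+\s+STARTTLS\s*$", re.I)


def _text(b):
    """Decode a token and drop the surrounding quotes of a quoted string."""
    return b.decode("latin-1").strip('"')


def find_cleartext_logins(stream):
    """Return findings for credentials sent in the clear; secrets are never returned."""
    findings, pop_user = [], None
    for raw in stream.split(b"\r\n"):
        if IMAP_STARTTLS.match(raw):
            break  # what follows is TLS records, not protocol text
        m = POP3_USER.match(raw)
        if m:
            pop_user = _text(m.group(1))
            continue
        m = POP3_PASS.match(raw)
        if m:
            findings.append({"proto": "POP3", "user": pop_user, "secret_len": len(m.group(1))})
            continue
        m = IMAP_LOGIN.match(raw)
        if m:
            findings.append({"proto": "IMAP", "user": _text(m.group(2)),
                             "secret_len": len(_text(m.group(3)))})
    return findings


if __name__ == "__main__":
    for name, s in [("pop3", POP3_STREAM), ("imap", IMAP_STREAM), ("imap+starttls", IMAP_TLS_STREAM)]:
        print(name, find_cleartext_logins(s))
```

A non-empty result for a mailbox host is the kind of finding that justifies moving the service to TLS-only ports or requiring STARTTLS before authentication.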

