"Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows."
Here are a couple of handy add-ons to the Ethereal package. Both are in the public domain.
congraph is an external application that generates connection graphs from Ethereal capture files. It is written for Linux, but will also work on Windows under Cygwin. You will also need Graphviz to draw the graphs.
The graph shows the flow of information represented by the capture. There are two forms of the graph: this is the undirected graph, and there is also a directed version that shows the direction of traffic flow. Note that the two types of graph are generated using different placement algorithms, so their layouts will not look alike.
This is a directed graph of the same capture. (Available as a sample capture on the Ethereal web site.)
To generate a PostScript graph and view it, use the command
congraph -d capture-file
To list all available options, use the command
Otherwise just play around; it is fairly straightforward.
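The idea behind congraph (turn a capture summary into a Graphviz graph) is small enough to show in a few dozen lines. The script below is an added example, not the congraph tool itself: it assumes the one-line-per-packet summary format that tethereal prints for a capture file, of which a few constructed lines are embedded, and emits both an undirected and a directed DOT graph with packet counts on the edges, which is the same pair of views the page describes.

```python
"""Build Graphviz DOT connection graphs from tethereal summary output.

Added example, not the congraph program from the page.  It assumes the
plain summary format tethereal prints for a capture file:
  <no> <time> <src> -> <dst> <protocol> <info...>
A constructed sample (not a real capture) is embedded below.
"""
import re
from collections import Counter

# Constructed sample of tethereal summary lines (documentation addresses, not real traffic).
SAMPLE_SUMMARY = """\
  1   0.000000 192.168.1.10 -> 192.168.1.20 TCP 1034 > 80 [SYN] Seq=0 Len=0
  2   0.000412 192.168.1.20 -> 192.168.1.10 TCP 80 > 1034 [SYN, ACK] Seq=0 Ack=1
  3   0.000830 192.168.1.10 -> 192.168.1.20 TCP 1034 > 80 [ACK] Seq=1 Ack=1
  4   0.001200 192.168.1.10 -> 192.168.1.20 HTTP GET / HTTP/1.1
  5   0.120000 192.168.1.10 -> 192.168.1.1 DNS Standard query A www.example.com
  6   0.130000 192.168.1.1 -> 192.168.1.10 DNS Standard query response A 203.0.113.5
  7   0.140000 192.168.1.10 -> 203.0.113.5 TCP 1035 > 443 [SYN] Seq=0 Len=0
"""

# frame number, timestamp, source, "->", destination, protocol column
LINE_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+) -> (\S+)\s+(\S+)")


def parse_summary(text):
    """Return (src, dst, protocol) tuples for every summary line that parses."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append(m.groups())
    return flows


def count_edges(flows, directed):
    """Count packets per edge.  For the undirected graph the endpoints are
    sorted so that A->B and B->A land on the same edge."""
    edges = Counter()
    for src, dst, _proto in flows:
        key = (src, dst) if directed else tuple(sorted((src, dst)))
        edges[key] += 1
    return edges


def to_dot(flows, directed=False):
    """Render the flows as Graphviz DOT; edge labels carry packet counts."""
    edges = count_edges(flows, directed)
    kind, arrow = ("digraph", "->") if directed else ("graph", "--")
    lines = [f"{kind} capture {{", "  node [shape=box];"]
    for (a, b), n in sorted(edges.items()):
        lines.append(f'  "{a}" {arrow} "{b}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_summary(SAMPLE_SUMMARY)
    print(to_dot(flows, directed=False))
    print(to_dot(flows, directed=True))
```

Pipe the output through `dot -Tps` (undirected graphs are usually laid out with `neato` instead, which is one reason the two graph types on this page look different) to get the PostScript that a viewer such as ghostview can display.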
Using congraph on Windows
Start the Cygwin bash terminal from the Start menu and use the same commands as above. However, on Windows the Ethereal directory is not usually on the PATH, so tethereal will not be found. Either add the Ethereal directory to the PATH, or modify the relevant line of the congraph file so that it gives the full path to tethereal: the word tethereal should be replaced by "/cygdrive/c/Program Files/Ethereal/tethereal", where "c" is the drive letter. Include the quotes, otherwise the space in the path will confuse things. If you want to use the -d option you will need to do something similar to the ghostview line at the bottom of the file, to match whatever viewer you have installed.
Ethereal Color Filters
This set of color filters is reasonably complete and sufficiently pastel to be comfortable to work with long-term.
- TCP has a blue background (more intense for broadcasts)
- UDP has a green background (more intense for broadcasts)
- MS base protocols have a sandy background
- SSL has a red (ok, pink :-) background
- Name resolution protocols (ARP,DNS,NBNS) have a green foreground
- HTTP has a blue foreground
- FTP has a purple foreground
- MS related protocols have a brown foreground
- Packets with bad CRCs have a red foreground
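A colour scheme like the one above is stored in the colorfilters file, one rule per line in the form `@name@display filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]`, with each component a 16-bit value (0-65535) and a leading `!` marking a disabled rule. Rules are tried top to bottom and the first match wins, and a rule sets both colours at once, so the narrower rules (bad checksums, broadcasts, HTTP with the TCP background carried along) have to come before the bare `tcp` and `udp` catch-alls. The script below is an added example that writes, re-reads and sanity-checks such a file; it is not the author's colorfilter file. The rule table and shades are constructed to mirror the list above, and the display-filter expressions (in particular the `*.checksum_bad` fields) are assumptions that should be checked against the Ethereal or Wireshark version in use.

```python
"""Generate, parse and order-check an Ethereal/Wireshark colorfilters file.

Added example, not the colorfilter file from the page.  The line syntax is
the one Ethereal/Wireshark use; the rule table, shades and display-filter
expressions below are constructed assumptions mirroring the page's list.
"""
import re

# 16-bit RGB triples, as the file format requires (0-65535 per component).
WHITE = (65535, 65535, 65535)
BLACK = (0, 0, 0)
TCP_BG = (58000, 58000, 65535)   # pale blue
UDP_BG = (58000, 65535, 58000)   # pale green

# Constructed rule table: (name, display filter, background, foreground).
# Order matters: first match wins, so specific rules precede the catch-alls.
RULES = [
    ("Bad CRC", "ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1", WHITE, (65535, 0, 0)),
    ("TCP broadcast", "tcp && eth.dst==ff:ff:ff:ff:ff:ff", (45000, 45000, 65535), BLACK),
    ("UDP broadcast", "udp && eth.dst==ff:ff:ff:ff:ff:ff", (45000, 65535, 45000), BLACK),
    ("SSL", "ssl", (65535, 55000, 55000), BLACK),
    ("HTTP", "http", TCP_BG, (0, 0, 65535)),            # keeps the TCP background
    ("FTP", "ftp || ftp-data", TCP_BG, (40000, 0, 40000)),
    ("Name resolution", "arp || dns || nbns", WHITE, (0, 40000, 0)),
    ("MS protocols", "smb || nbss || nbdgm", (65535, 60000, 48000), (35000, 18000, 0)),
    ("TCP", "tcp", TCP_BG, BLACK),
    ("UDP", "udp", UDP_BG, BLACK),
]

# optional '!' (disabled), name, filter, [bg][fg]; '@' is the separator
RULE_RE = re.compile(
    r"^(!?)@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def _check_rgb(rgb):
    if len(rgb) != 3 or any(not 0 <= c <= 65535 for c in rgb):
        raise ValueError(f"RGB components must be 16-bit values: {rgb}")
    return rgb


def format_rule(name, flt, bg, fg, enabled=True):
    """Serialise one rule in colorfilters syntax."""
    if "@" in name or "@" in flt:
        raise ValueError("'@' is the field separator and cannot appear in name or filter")
    _check_rgb(bg)
    _check_rgb(fg)
    prefix = "" if enabled else "!"
    return f"{prefix}@{name}@{flt}@[{bg[0]},{bg[1]},{bg[2]}][{fg[0]},{fg[1]},{fg[2]}]"


def render(rules):
    """Whole file text for a list of (name, filter, bg, fg[, enabled]) tuples."""
    return "\n".join(format_rule(*r) for r in rules) + "\n"


def parse(text):
    """Parse file text back into (name, filter, bg, fg, enabled) tuples."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a colorfilters rule: {line!r}")
        bang, name, flt = m.group(1), m.group(2), m.group(3)
        nums = [int(x) for x in m.groups()[3:]]
        out.append((name, flt, _check_rgb(tuple(nums[:3])),
                    _check_rgb(tuple(nums[3:])), bang == ""))
    return out


def shadowed_rules(rules):
    """Partial ordering check.  A rule whose filter is a bare protocol name
    (e.g. 'tcp') catches every packet of that protocol, so a later rule that
    names the same protocol is at least partly unreachable.  Returns the names
    of such later rules.  Heuristic only: it does not know that 'http' packets
    are also 'tcp' packets."""
    unreachable = []
    for i, (name, flt, *_rest) in enumerate(rules):
        if not re.fullmatch(r"[a-z0-9_.-]+", flt):
            continue
        word = re.compile(r"\b" + re.escape(flt) + r"\b")
        for later in rules[i + 1:]:
            if word.search(later[1]):
                unreachable.append(later[0])
    return unreachable


if __name__ == "__main__":
    text = render(RULES)
    print(text)
    print("shadowed:", shadowed_rules(RULES))   # expect [] for this table
```

Writing the result to the colorfilters file in the Ethereal configuration directory (or importing it through the coloring-rules dialog) installs the scheme; run `shadowed_rules` after any reordering, since a catch-all that drifts upward silently disables the rules below it.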
Download the colorfilter file here.
My NIC does CRC off-loading, so all outgoing packets have bad CRCs. I disabled the CRCs in Ethereal for the next shot.