Ethereal 0.10.14

Ethereal is one of the most popular open-source network protocol analyzers around. It's powerful, works on many platforms (something many of its commercial competitors don't do) and it's free. It takes some time to learn but if you want to really know what's going on within your network, it's time well-spent.

The Ethereal community is constantly adding support for new protocols, updating existing ones, fixing vulnerabilities and increasing support for other capture file formats. The latest version of the tool, Ethereal 0.10.14, has added support for 20 new protocols, and adds and updates its capture file support to include DOS Sniffer, Endace ERF, HP-UX nettl, IBM iSeries traces, and Tektronix K12. Among its other significant improvements: When loading a saved capture file, pressing "Cancel" will cause Ethereal to display the packets read up to that point, handy for analyzing parts of very large files. The maximum files allowed in a ring buffer have been increased to 10,000 from 1,024.

I've done plenty of real-world troubleshooting with past versions of Ethereal, and have caught many a worm with it, especially the kind that floods your network with ARP (Address Resolution Protocol) traffic, slowing it down to a crawl. Ethereal is a great tool for fishing out infected nodes simply because it quickly recognizes all the ARP traffic, and you can easily set a filter to pinpoint the nodes generating it.

For this review, I tested the Windows version of Ethereal 0.10.14. First up was a random check on some of the 20 new protocols supported by the latest version of Ethereal, beginning with the UDP Lite protocol. IT is similar to the UDP protocol, but can deliver partially damaged packets to the destination--useful for audio/video streaming applications. To test the UDP Lite dissector (one of the plug-ins Ethereal uses to recognize different protocols), I took a captured sequence containing UDP Lite packets, and loaded it on version 0.10.14, as well as two previous versions of Ethereal. The new version easily identified the specific protocol, while the previous versions could only identify them as IP protocol packets. I then tried opening capture files with CIGI (Common Image Generator Interface), SMB2, and Stanag 5066 protocols. Version 0.10.14 identified all the protocols without any problems.The only hitch was that Ethereal couldn't identify the BitTorrent protocol, despite having a BitTorrent dissector. It only recognized these captured sequences as bad TCP packets. As a check, I captured packet sequences using EtherPeek NX, a commercial protocol analyzer from WildPackets, and it immediately showed that someone on the network was running BitTorrent.

Ethereal's ability to capture and display a long capture sequence has improved considerably. I remember when Ethereal struggled to display a capture sequence beyond 2,000 packets, taking ages to do so and sometimes even hanging. But in testing I captured about 48,000 packets, and Ethereal loaded them quickly. After saving the capture sequence, loading it again took only seven seconds. That said, Ethereal's packet capture speed still lags EtherPeek NX. We ran both packages side by side on the same machine, and by the time EtherPeek caught 250 packets, Ethereal had managed only 150. This could become an issue if you're capturing packets on a busy network, as some packets might get left out.

A Few Nits To Pick

Ethereal could do with some improvements on the useability front. It's not as intuitive as other offerings. For instance, you have to understand its preset color-coding scheme for captured packets. To do any kind of filtering, you have to know the exact filter syntax, called display or capture filters. But once you've learned the syntax, Ethereal becomes a pleasure to use, letting you enter display filter strings and see their results instantly on a capture sequence. If you want to see only the packets for the ARP protocol, for instance, you just enter "ARP" in the display filter and press . If you know the syntax, you can really extract whatever information you want out of a captured sequence.

Unfortunately, you cannot open multiple capture files simultaneously. If you've captured a few packets, and would now like to open a previously capture file, you'll have to first save your existing packet capture sequence. Ethereal will close this sequence in order to open the new one.

Two other things I liked about Ethereal are its ability to read capture files from a host of other packet capturing programs. Likewise, Ethereal can read from gzipped files directly--a boon if you've used gzip to compress older capture files in order to save space.

In addition to using Ethereal on your wired networks, you can use it for capturing packets on Wi-Fi networks. However, the Windows version of Ethereal has limited functionality in that it can only capture packets to and from the machine running Ethereal, so I tried out the Linux version. Installing Ethereal on Linux is a breeze, and running it in a terminal window is just as easy. Capturing packets from a Wi-Fi interface is similar to capturing packets from the Ethernet interface, but faces a particular limitation. Ethereal will capture packets from only a single Wi-Fi access point at a time. You can't simultaneously connect to multiple access points to capture packets.

Ethereal may not be for the novice user, but its power and continuing improvements will continue to keep this tool popular for newbies and old network hands alike. Version 0.10.14 is a must upgrade for existing users, especially since it will cost you nothing but your time.Anil Chopra is the Associate Editor of PCQuest, the largest circulated IT user magazine in India, and a manager of Cybermedia Labs, its affiliated vendor-independent testing and reviewing facility.