Ethereal-dev: [ethereal-dev] Sniffing FAQ

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 18 Jun 2000 00:20:24 -0700
	http://www.robertgraham.com/pubs/sniffing-faq.html

Written by one of the Sniffer developers:

	0.9 Who is Robert Graham?

	       Among other things, between 1994-1998 I worked at Network
	General Corporation on the Sniffer(r) Network Analyzer.  I
	either wrote/rewrote/ported over 300 protocol decodes for the
	Sniffer.  Now I'm working on an intrusion detection system that
	similarly does protocol analysis.  Also, I helped develop the
	"Certified Network Expert" exam, which was put together by a
	consortium of protocol analyzer/network analyzer vendors.  In
	the early 1990s, I helped develop the RMON standard(s) and the
	first RMON systems.

It appears to have a fair bit of interesting information; it also says:

	3.1 Where can I get a sniffing program for my computer?

	       Windows

	              Ethereal
	                    Ethereal is a UNIX-based program that also
			    runs on Windows (which means installation is
			    more difficult than you would expect and it
			    looks strange).  However, it is probably the
	                    best freeware solution available for sniffing
			    on Windows. 

	                    It comes in both a read-only (protocol analyzer)
			    version as well as a capture (sniffing) version.
			    The read-only version is great for decoding
			    existing packet captures (such as the traces
			    that BlackICE generates). It avoids the
			    hassle of installing the packet capture driver.

	                    ftp://ethereal.zing.org/pub/ethereal/win32/ 

	                    Installation is a little difficult; you'll have to
			    hunt around on the website in order to figure
			    out how to do it. 

				...

		UNIX

	              UNIX solutions are generally based upon libpcap
		      and/or BPF (Berkeley Packet Filters). 

	              If you have a UNIX computer, then you should be
		      using both tcpdump and Ethereal. 

	              tcpdump
	                    The oldest and most common wiretap program.
			    In its simplest mode, it will dump a
			    single-line decode of the packets to the
			    commandline, one line per packet. It is the
	                    standard for UNIX packet capture. 

	                    The version that seems to have the best on-going
			    maintenance is at http://www.tcpdump.org/. 

	                    The original version from LBL is at
			    ftp://ftp.ee.lbl.gov/ 

	                    A port for Windows has been done at
			    http://netgroup-serv.polito.it/analyzer/ 

	              Ethereal
	                    It currently looks like this is the best GUI-based
			    sniffing program for UNIX. It is actively
			    maintained. It is available at:
			    http://ethereal.zing.org
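The FAQ describes two things that are easy to take on faith: that a "read-only" analyzer can decode an existing capture without any capture driver, and that tcpdump's default mode is a one-line decode per packet. The following is an added example, written for this page and not code from the FAQ, Ethereal or tcpdump: a dependency-free Python reader for the classic libpcap file format (24-byte global header, 16-byte record headers, raw Ethernet frames) that emits a tcpdump-style summary line per packet. The capture it reads is constructed inline (checksums are left zero, which a decoder does not need), and the output format only approximates tcpdump's.

```python
"""Added example: minimal read-only decoder for classic libpcap capture files.
Parses the file format by hand (no libpcap, no capture driver) and prints one
tcpdump-style line per packet. The sample capture below is constructed inline."""
import struct
from typing import List

LINKTYPE_ETHERNET = 1  # DLT_EN10MB
# tcpdump's flag letters in its print order: FIN, SYN, RST, PSH, ACK
TCP_FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."))


def ipv4_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def read_pcap(data: bytes) -> List[bytes]:
    """Return the raw link-layer frames of a classic pcap file (either byte order).
    Refuses records that exceed the declared snaplen or run past the buffer
    instead of over-reading, since capture files are untrusted input."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # written by a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:    # same magic seen byte-swapped: big-endian host
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {off - 16}")
        frames.append(data[off:off + incl_len])
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return frames


def decode_frame(frame: bytes) -> str:
    """One-line summary of an Ethernet frame carrying IPv4 with TCP or UDP."""
    if len(frame) < 14:
        return f"truncated frame, length {len(frame)}"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return f"ethertype 0x{ethertype:04x}, length {len(frame)}"
    ip = frame[14:]
    if len(ip) < 20:
        return "IP truncated header"
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return "IP bad header"  # never index past what the record actually holds
    src, dst = ipv4_str(ip[12:16]), ipv4_str(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        doff = (off_flags >> 12) * 4
        flags = "".join(n for bit, n in TCP_FLAG_NAMES if off_flags & bit)
        return (f"IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], "
                f"seq {seq}, ack {ack}, length {max(len(l4) - doff, 0)}")
    if proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        return f"IP {src}.{sport} > {dst}.{dport}: UDP, length {ulen - 8}"
    return f"IP {src} > {dst}: proto {proto}, length {len(l4)}"


# --- constructed sample capture (not a real trace) ---------------------------
def eth_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ipv4_bytes(src), ipv4_bytes(dst))          # checksum left zero
    return eth + ip + l4


def tcp(sport, dport, flags, seq, ack, payload=b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def udp(sport, dport, payload) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    out = [struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack(endian + "IIII", 961300800 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_FRAMES = [  # SYN, SYN-ACK, request with payload, a UDP datagram to port 53, an ARP frame
    eth_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000, 80, 0x02, 1000, 0)),
    eth_ipv4("10.0.0.2", "10.0.0.1", 6, tcp(80, 40000, 0x12, 5000, 1001)),
    eth_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000, 80, 0x18, 1001, 5001, b"GET / HTTP/1.0\r\n\r\n")),
    eth_ipv4("10.0.0.1", "10.0.0.53", 17, udp(5353, 53, b"\x00" * 29)),
    bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28,
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


def summarize_pcap(data: bytes) -> List[str]:
    return [decode_frame(f) for f in read_pcap(data)]


def pcap_is_wellformed(data: bytes) -> bool:
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for line in summarize_pcap(SAMPLE_PCAP):
        print(line)
```

Run it and the five frames come out as one line each, in the same shape tcpdump prints (`IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], ...`). Two details are deliberate: the magic number is read once to pick the byte order for every later header, because a capture written on a big-endian host has the same magic byte-swapped; and every length field from the file (`incl_len`, `total_len`, the IHL) is checked against what is actually present before it is used as an index, which is exactly the class of bug that has bitten real decoders that trust capture files.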