On Tue, Jan 22, 2002 at 09:18:51AM -0800, Dudley, Ken wrote:
> My name is Ken Dudley. I work for the Boeing Company as a Tier 3 Network
> Designer/Support Engineer. I recently installed Redhat 7.2 and was very
> impressed by your Ethereal product. I would be very interested discussing
> the following:
>
> 1. How Boeing might implement your software.
Ethereal is free software, so there're no financial issues for
deployment - you can install all the copies you want, and not pay
anything.
That also means there's no support organization, there's just the
mailing lists; there's no formal release schedule, nor is there any
roadmap of future features.
(I.e., it's not a "product" in the same sense that Network Associates'
Sniffer, or WildPackets' EtherPeek, etc., or any other commercial
network analyzer program are products.)
Note that it runs on a number of platforms, including most operating
systems that run on IBM-compatible PC's (it runs on 32-bit Windows,
Linux, the BSDs, and Solaris), as well as MacOS X and many of the UNIXes
running on RISC platforms (Solaris, HP-UX, AIX, Digital UNIX, IRIX,
possibly others). Binary packages for some of those platforms are
available:
http://www.ethereal.com/download.html#binaries
although note that the latest version of Ethereal might not be available
for all platforms as binary packages.
Some of the suppliers of binary packages (including OS vendors who
bundle it) might provide support.
On UNIX, Ethereal is an X application, so it can run on machines that
don't have a display card, as long as the machine has a network
connection to your desktop machine, and your desktop machine has an X
server (as most UNIXes do; X servers are also available for Windows).
On Windows, it requires at least 16-bit color, because the GTK+
graphical interface library that Ethereal uses (it's not our library,
and is used in a number of other applications, including those in the
GNOME desktop) requires 16-bit color on Windows. This may prevent it
from being used with, say, VNC, or Microsoft Windows Terminal Server.
On most UNIX platforms, it must be run as root in order to capture
packets.
> 2. How many decodes does Ethereal currently support?
In the current version of Ethereal in the development tree, there about
260 protocols for which we have decoders. A few of them might not be in
the current release.
Some of those aren't network protocols in the strict sense, e.g. we have
a decoder for SCSI command data blocks, which is used by the iSCSI
dissector (and may be used by the NDMP dissector in the future).
> 3. How does Ethereal utilize memory?
When a capture file is read in and displayed, a data structure is
allocated for each link-layer frame in the capture file. It's about 64
bytes long (a small amount more on 64-bit platforms).
Additional data structures may be allocated to keep track of matching
requests and responses in some protocols (SMB, ONC RPC-based protocols
such as NFS, DCE RPC-based protocols), to keep track of connections and
other conversations, and so on. When reassembling higher-level packets
from link-layer frames, additional memory would be allocated to hold the
reassembled data. Reassembly can be turned off, although that may
prevent Ethereal from fully dissecting some packets.
In addition, the GTK+ graphical interface library allocates data
structures for every row in the topmost list-of-packets pane in the
Ethereal window - and also allocates memory to hold copies of the text
in all columns of all rows in that display. That is probably the
largest amount of memory allocated per-packet.
> (Very impressed with Ethereal's
> ability to run more than one capture on the same network interface).
I.e., more than one capture at the same time, with separate copies of
Ethereal running? I'm surprised to hear that there are analyzers that
*can't* do that.