Ethereal-users: Re: [Ethereal-users] Question on Ethereal capabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 24 Jun 2005 11:20:52 -0700
Woeltje, Donald wrote:

1. Does Ethereal have an "expert mode" analysis capability... or is the user the "expert mode"?

It does not, as far as I know, have an "expert mode" with capabilities like those of some analyzers. It can recognize some issues in, for example, TCP, but it won't report things such as frequent {NFS,SMB,AFP,NCP} file lookup failures - I think some expert modes can do things such as that.

2. Is Ethereal a protocol analyzer only? I've been told that it can also operate as an IDS. But I don't see how that's possible... unless you just have it capture everything and then you spend hours analyzing the traffic for potential security events.

Ethereal wasn't designed to act as an IDS; as I understand it, for an IDS, you want something that can process packets quickly (so that it can keep up with the traffic it's monitoring) and can detect all sorts of patterns of packets as they happen. *Some* attacks could perhaps be recognized by a capture filter, but if you want an IDS, get an IDS - Snort and Prelude are free-software IDSes, designed to act as such.
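The distinction Guy draws above (a capture filter can match a single packet's shape; an IDS has to keep state across packets) can be made concrete. What follows is an added example, not code from Guy Harris's reply or from the Ethereal project: it builds a small, constructed pcap file in memory (one normal TCP handshake plus a burst of SYNs from one host to eight ports), parses it with a minimal Ethernet/IPv4/TCP decoder, applies the equivalent of the capture filter `tcp[13] & 0x12 == 0x02` (SYN set, ACK clear), and then does the stateful part a capture filter cannot: grouping SYN-only packets by source and counting distinct destination ports. Hosts, ports, the MAC addresses and the threshold of five ports are all invented for the example.

```python
"""Offline illustration of capture-filter matching versus stateful detection.

Added example for this thread; not Ethereal/Wireshark code. All traffic below is
constructed inline. IP and TCP checksums are left at zero, which a real analyzer
would flag but this toy decoder ignores.
"""
import struct
from collections import defaultdict

# tcpdump/Ethereal capture-filter syntax for "SYN set and ACK clear": byte 13 of
# the TCP header holds the flags; 0x12 = SYN|ACK, so this keeps bare SYNs only.
SYN_ONLY_FILTER = "tcp[13] & 0x12 == 0x02"

TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Ethernet II + IPv4 (no options) + TCP header with no payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames, snaplen=65535) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_119_600_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 or too short for an IP header
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 20:
            continue  # not TCP, or TCP header truncated
        src = ".".join(str(b) for b in frame[26:30])   # IP src is at header offset 12
        dst = ".".join(str(b) for b in frame[30:34])   # IP dst is at header offset 16
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def syn_only(flags: int) -> bool:
    """Per-packet test: exactly what SYN_ONLY_FILTER decides, one packet at a time."""
    return flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def find_syn_bursts(packets, threshold=5):
    """Stateful part: sources that sent bare SYNs to at least `threshold` distinct
    ports on one host. A capture filter has no memory, so this needs a tool that
    tracks state as packets arrive, which is what an IDS is built to do."""
    ports = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if syn_only(flags):
            ports[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}


def sample_capture() -> bytes:
    """Constructed traffic: one normal three-way handshake plus a scan of 8 ports."""
    frames = [
        build_frame("10.0.0.7", "10.0.0.1", 40000, 80, TCP_SYN),
        build_frame("10.0.0.1", "10.0.0.7", 80, 40000, TCP_SYN | TCP_ACK),
        build_frame("10.0.0.7", "10.0.0.1", 40000, 80, TCP_ACK),
    ]
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443)):
        frames.append(build_frame("10.0.0.5", "10.0.0.1", 50000 + i, port, TCP_SYN))
    return build_pcap(frames)


if __name__ == "__main__":
    for (src, dst), hit in find_syn_bursts(parse_pcap(sample_capture())).items():
        print(f"{src} -> {dst}: bare SYNs to {len(hit)} ports {hit}")
```

The per-packet filter alone would also keep the legitimate SYN from 10.0.0.7, which is why the capture filter is only a coarse pre-selector; the scan only stands out once packets are correlated per source, and doing that at line rate on live traffic is the job Snort and Prelude were designed for.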