Tutorial – Capturing, Sanitizing and posting Ethereal dumps
ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network
- Code: Select all
Tiger Shark has kindly given his permission for his tutorial to be hosted at The Taz.
How to Capture traffic, save the results and post Sanitized files to the public internet for review using Ethereal 0.10.x for Windows
Ethereal is a powerful protocol analyzer/packet sniffer released under the GNU public license. It is available for versions of *nix and has been ported to Win32.
It is available in it’s different forms from
Ethereal can be used with very specific filters to capture precise traffic at a very granular level. This tutorial will concentrate on the basic filters, how to save the captured traffic, sanitize the capture so it doesn’t reveal your IP address or that of the remote machine so that you can post it to the public internet for others to review and comment on.
Basic Capture Filters
Having installed the appropriate packet capture driver for you version of Ethereal and installed it you can begin capturing packets. The fourth item from the left on the menu bar is the capture option. Click it and select Start. This will bring up the capture panel. At the top you will see the available network cards you can capture on. Usually there will be only one so this should be left as it is. If there are more than one simply click OK and open a web browser to your home page. If the capture window shows traffic then this is the correct network card. If you get no traffic captured stop the capture, select the next card on the list and repeat this process till you capture traffic.
Ethereal has the ability to capture traffic only to and from your machine or, on a hubbed network or a switched network with port spanning you can capture all traffic the network card sees if you click the “Capture packets in Promiscuous Mode” button. For home users this usually won’t be necessary since the traffic you are interested in will usually be to and from your own machine.
Once you know which network card to use you can begin to capture traffic. If you put nothing in the Filter line you will get all the traffic to and from your machine and even though you can apply filters subsequently I prefer to apply my filter up front. The following are examples of filters you can use. Substitute the appropriate IP addresses and Port numbers for the traffic you want to capture yourself.
1. All traffic to and from my machine only, (only useful in Promiscuous Mode)
2. All traffic to and from a remote host, (either Promiscuous Mode or Normal Mode)
3. All traffic to and from a particular port, (either Promiscuous Mode or Normal Mode)
4. All traffic initiated by the specific host, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)
src host 10.0.0.1
5. All traffic initiated to a specific host, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)
dst host 192.168.1.1
6. All traffic initiated by the specific host on a given port, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)
src host 10.0.0.1 && port 80
7. All traffic initiated to a specific host on a specific port, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)
dst host 192.168.1.1 && port 80
8. All traffic initiated to a specific port regardless of IP address, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)
dst port 80
As you can see the “&&” allows you to join “phrases” together to make more and more specific filters. Another useful operator is “!”, (without the quotes). This operator negates the following “phrase” so !port 80 would mean “Don’t report traffic on port 80”. So you can build quite complicated filters like the one below:-
dst host 192.168.1.1 && src port 53 && !src host 192.168.1.2 && !dst port 80
The above filter would capture all traffic to 192.168.1.1 except traffic from 192.168.1.2. The traffic captured must have come from port 53 but it must not be destined for port 80….. (All rather simple really…. )
Saving your output in a text managable format.
Ok, now you have the data you want you need to save it. If you use the standard Save option from the menu you will be presented with all sorts of format options. If you save to them and then go and try to read the output you will find, (unless you are uB3r l33t), that they are meaningless to you. Rather than select Save, select Print instead. On the panel presented select the following options:-
1. Click Plain Text
2. Select Output to File and enter a name such as MyEtherealDump.txt, (always save it as a .txt file please).
3. Click All Packets, (or Selected Packet Only if that’s all you want to save).
4. Click All Dissections Expanded
5. Make sure Packet Hex Data is not selected or you will have to find and replace IP addresses in Hex too.
6. Click Print
Your results should look something like this, (this is a single packet your’s may have many)
Frame 26 (62 bytes on wire, 62 bytes captured)
Arrival Time: Aug 11, 2004 09:35:55.808383000
Time delta from previous packet: 0.006262000 seconds
Time since reference or first frame: 1.019001000 seconds
Frame Number: 26
Packet Length: 62 bytes
Capture Length: 62 bytes
Ethernet II, Src: 00:e0:06:fc:57:32, Dst: 00:e0:1e:42:a1:61
Destination: 00:e0:1e:42:a1:61 (Cisco_42:a1:61)
Source: 00:e0:06:fc:57:32 (192.168.3.51)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.3.51 (192.168.3.51), Dst Addr: 126.96.36.199 (188.8.131.52)
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 48
Identification: 0xbcfc (48380)
0… = Reserved bit: Not set
.1.. = Don’t fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x2bb6 (correct)
Source: 192.168.3.51 (192.168.3.51)
Destination: 184.108.40.206 (220.127.116.11)
Transmission Control Protocol, Src Port: 11691 (11691), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
Source port: 11691 (11691)
Destination port: http (80)
Sequence number: 0
Header length: 28 bytes
Flags: 0x0002 (SYN)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…0 …. = Acknowledgment: Not set
…. 0… = Push: Not set
…. .0.. = Reset: Not set
…. ..1. = Syn: Set
…. …0 = Fin: Not set
Window size: 16384
Checksum: 0x32fe (correct)
Options: (8 bytes)
Maximum segment size: 1460 bytes
The packet above is a SYN packet from my workstation to
. You will notice that in the text there are lots of Source and Destination lines that show both my IP address and yahoo’s IP address, (the remote machine). It is not usually a good idea to display either publicly on the internet. What I recommend is that you clearly state when you post your Ethereal dump that “I have replaced the IP address of the target computer with the address xxx.xxx.xxx.xxx and the IP address of the remote computer with the address xxx.xxx.xxx.xxx”. I recomment that you use private addresses such as 192.168.xxx.xxx, or 10.xxx.xxx.xxx as the replacements. Use your favorite text editor to do “search and replace all” for both your IP address and the address of the remote machine and save the file again.
NOTE: Do not worry about the hex addresses in the highlighted portion in the packet dump above. Those are the MAC addresses of the last router and your computer and are only useful to an attacker if they are already on your local network.
Now you can either cut and paste the dump staraight into your post if it is short or attach the text file to your post if it is long.