Lesson 7 - LAN Protocol Analyzer Operations

Analyzers Overview

There are several different types of analyzers that can be broadly grouped into LAN and WAN analyzers. Some perform both functions. A WAN analyzer will capture data on PPP links, frame relay links, ATM links, and others. It uses special interface cards to read the frames off the WAN. Additionally, WAN analyzers are typically connected to the wide area network with a "Y" connector to facilitate capture while allowing traffic to flow normally. LAN analyzers capture and display information from LANs, including Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI). These analyzers are connected to the LAN segment by means of a hub or a switch. Special consideration needs to be given when connecting a protocol analyzer to a switch, because it will only capture information directed to the switch port to which it is connected. For that reason, certain switches have a feature that allows configuring a "monitor" port and an "analyzer" port. In that case, all traffic appearing on the port that is being monitored will also appear on the analyzer port. Some high-end LAN protocol analyzers will also have the capability of communicating with remote probes connected to LAN segments. These probes, in turn, send the captured traffic to a remote protocol analyzer for subsequent analysis. Some protocol analyzer products are: Network Associates Inc.'s Sniffer, NetXray's Sniffer Basic, Shomiti Systems' Surveyor, and the free Ethereal protocol analyzer. Finally, it is common for analyzers to be able to read and display the formats of other analyzer products.

Protocol Analyzer Features

There is a basic set of analyzer features that is found in almost all products. These features are primarily concerned with the protocols the analyzer can decode, the filtering options it offers, and the other analyzer formats it supports. Some of these features for the Ethereal analyzer are:
802.1q Virtual LAN, AOL Instant Messenger, ATM, ATM LAN Emulation, Address Resolution Protocol, Andrew File System (AFS), Appletalk Address Resolution Protocol, Authentication Header, Blocks eXtensible eXchange Protocol, Bootstrap Protocol, Border Gateway Protocol, Cisco Auto-RP, Cisco Discovery Protocol, Cisco Group Management Protocol, Cisco Hot Standby Router Protocol, Cisco ISL, Cisco Interior Gateway Routing Protocol, Data, Datagram Delivery Protocol, Diameter Protocol, Domain Name Service, Dynamic DNS Tools Protocol, Encapsulating Security Payload, Enhanced Interior Gateway Routing Protocol, Ethernet, FTP Data, Fiber Distributed Data Interface, File Transfer Protocol (FTP), Frame, Frame Relay, GARP VLAN Registration Protocol, Generic Routing Encapsulation, Hummingbird NFS Daemon, Hypertext Transfer Protocol, IEEE 802.11 wireless LAN, IP Payload Compression, IPX Message, IPX Routing Information Protocol, ISDN Q.921-User Adaptation Layer, Internet Cache Protocol, Internet Control Message Protocol, Internet Control Message Protocol v6, Internet Group Management Protocol, Internet Message Access Protocol, Internet Printing Protocol, Internet Protocol, Internet Protocol Version 6, Internetwork Packet eXchange, Kerberos, Label Distribution Protocol, Layer 2 Tunneling Protocol, Lightweight Directory Access Protocol, Line Printer Daemon Protocol, Link Access Procedure Balanced (LAPB), Link Access Procedure, Channel D (LAPD), Logical-Link Control, Microsoft Windows Browser Protocol, Microsoft Windows Lanman Protocol, Microsoft Windows Logon Protocol, MultiProtocol Label Switching Header, NetBIOS, NetBIOS Datagram Service, NetBIOS Name Service, NetBIOS Session Service, NetBIOS over IPX, NetWare Core Protocol, Network File System, Null/Loopback, Open Shortest Path First, PPP IP Control Protocol, PPP Link Control Protocol, PPP Multilink Protocol, PPP-over-Ethernet Discovery, PPP-over-Ethernet Session, Point-to-Point Protocol, Point-to-Point Tunneling Protocol, Post Office Protocol, Protocol Independent Multicast, Quake Network Protocol, RIPng, Radius Protocol, Remote Procedure Call, Resource ReserVation Protocol (RSVP), Rlogin Protocol, Routing Information Protocol, SMB (Server Message Block Protocol), SMB MailSlot Protocol, SNMP Multiplex Protocol, Service Advertisement Protocol, Simple Mail Transfer Protocol, Simple Network Management Protocol, Spanning Tree Protocol, Telnet, Token-Ring, Transmission Control Protocol, Trivial File Transfer Protocol, User Datagram Protocol, Virtual Router Redundancy Protocol, Wireless Session Protocol, Wireless Transaction Protocol, Wireless Transport Layer Security, X.25, X.25 over TCP, X11, Yellow Pages Service, Zebra Protocol
As you can see, Ethereal supports the decoding of many protocols, including common ones such as TCP/IP, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and NetBIOS, and some that are perhaps not so well known. While the analyzer is capturing data, a capture filter can be invoked so that information of no interest is ignored. Once the data has been captured and displayed, a display filter can be added to further refine what is shown. The Ethereal Network Analyzer Screen Diagram illustrates the user interface.
Ethereal Network Analyzer Screen

Like most other analyzers, Ethereal has three windows that display summary, detail, and hexadecimal data after the information has been captured or has been read from a previously captured file. Various preferences and display options can be set according to requirements. For now, we just want to accept all the standard defaults and capture a file. Notice the "Ready to load or capture" message at the lower right of the screen. We will issue a Ping command to an IP address. Because a Uniform Resource Locator (URL) is not being entered as the target, a DNS lookup does not have to be performed. The two nodes that are involved in the ping operation are on the same LAN segment; therefore, the only other protocol that may come into play is ARP. If the node that issues the Ping command does not have the MAC address of the target node in its ARP cache, an ARP request will first be broadcast to determine the target's hardware address. Remember, a Ping command is actually an Internet Control Message Protocol (ICMP) Echo Request and is followed by an ICMP Echo Reply. To start a capture, we select Capture in the pull-down menu and choose Start as shown on the Start Capture Screen Diagram.
Start Capture Screen

Another small window pops up where we can enter additional parameters, such as a capture filter. This is shown below. When the OK button is clicked, capture begins: the analyzer starts capturing traffic, and another, smaller window pops up showing statistics on some common protocols. The STOP button in that window will stop the capture. Remember, we did not set any capture filters, so all traffic that the analyzer sees will be captured. The node that is issuing the Ping command is at IP address 10.0.0.5, and the target node's address is 10.0.0.2. The Ping command is shown on the Command Prompt Screen Diagram.
Command Prompt Screen

After the trace has been captured, the Stop button will stop the trace, and a small window will pop up indicating the trace is being processed (loading). This loading window may remain on the screen for quite some time (well over a minute) on longer traces, so be patient. When the trace has been processed, the information illustrated on the Captured Ping Trace Screen Diagram is displayed.
Captured Ping Trace Screen

The Summary window shows that 10 frames were captured, consisting of an ARP request and reply to determine the MAC address of 10.0.0.2 (JOHNS700) and the ICMP Echo Request/Reply pairs of a Ping command issued from address 10.0.0.5 (JOHNSLAPTOP). Notice that the Detail window shows three headings: Frame 1, Ethernet II, and Address Resolution Protocol (request). Each one has a plus sign (+) next to it indicating there is additional information to display when the entry is expanded. To expand an entry, click on the + sign. Another way to expand everything is to go up to the Display pull-down menu and select Expand All. When this is done, all levels (protocols) will be shown. After choosing the Expand All option, a window will be displayed like the one on the Show All Trees Screen Diagram.
Show All Trees Screen

The Detail window may be scrolled to observe all the protocols. Notice there is a vertical scroll bar in all three windows indicating additional information. In addition, windows can be resized by placing the cursor on the dividing bar between the windows and dragging it up or down. If you don't see the bar moving as you drag it, don't be dismayed; just drag it to the desired position and you will see the result when you release.

Display Filters

To display certain information to the exclusion of other information, a display filter can easily be set. You can load a filter from a file that you have already saved, or you can enter a filter expression directly into the Filter window at the bottom of the screen. The display filter syntax is documented in the Ethereal manual page (man page), which is accessible from the home page at http://www.ethereal.com. Fields can be compared against values. The comparison operators can be written either as C-style symbols (!=) or as short abbreviations (ne):
Symbol  Abbreviation  Meaning
==      eq            Equal
!=      ne            Not equal
>       gt            Greater than
<       lt            Less than
>=      ge            Greater than or equal to
<=      le            Less than or equal to
The names of the individual fields in each protocol can be found in the Ethereal man page. There is another (simpler) way of discovering a field name. Suppose we want to display all the captured records that are ICMP messages. If you go to the Detail window and highlight the Protocol field in the IP header (whose value here is ICMP), you will see a screen that looks like this:
ICMP Display Filter Screen

Notice the Protocol field highlighted and the name of the field, "ip.proto", in the lower right-hand corner. If we enter this IP field name and its value (0x01) in the filter window at the lower left of the screen, only records whose IP Protocol field contains the hexadecimal value 0x01 (the protocol identifier for ICMP) will be displayed. This is illustrated on the ICMP Display Filter Screen Diagram. Observe that the ARP records (1 and 2) are no longer displayed, but all records (3 through 10) containing the ICMP protocol identifier in the IP header Protocol field are displayed.
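To make the display-filter semantics concrete, here is an added example (not part of the lesson or of Ethereal itself) that builds a constructed summary of the 10-frame ping trace described above (two ARP frames, then the ICMP Echo Request/Reply pairs between 10.0.0.5 and 10.0.0.2) and evaluates "field operator value" filters over it, accepting both the symbolic and abbreviated operator spellings from the table. The field names mirror Ethereal's naming (ip.proto, icmp.type), and the frames are synthetic records, not a real capture.

```python
import operator
import re

def build_ping_trace():
    """Constructed summary of the lesson's 10-frame trace (not a real capture):
    frames 1-2 are the ARP request/reply, frames 3-10 the ICMP Echo exchange."""
    frames = [
        {"frame.number": 1, "eth.type": 0x0806, "arp.opcode": 1},  # ARP request
        {"frame.number": 2, "eth.type": 0x0806, "arp.opcode": 2},  # ARP reply
    ]
    for n in range(3, 11):
        request = n % 2 == 1            # odd frames are Echo Requests from 10.0.0.5
        frames.append({
            "frame.number": n,
            "eth.type": 0x0800,         # IPv4
            "ip.src": "10.0.0.5" if request else "10.0.0.2",
            "ip.dst": "10.0.0.2" if request else "10.0.0.5",
            "ip.proto": 0x01,           # ICMP
            "icmp.type": 8 if request else 0,   # 8 = Echo Request, 0 = Echo Reply
        })
    return frames

# Both spellings of each comparison operator from the lesson's table.
OPERATORS = {
    "==": operator.eq, "eq": operator.eq,
    "!=": operator.ne, "ne": operator.ne,
    ">":  operator.gt, "gt": operator.gt,
    "<":  operator.lt, "lt": operator.lt,
    ">=": operator.ge, "ge": operator.ge,
    "<=": operator.le, "le": operator.le,
}

FILTER_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]+)\s*(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s*(\S+)\s*$")

def parse_value(text):
    """Numeric values may be decimal or hex (0x01); anything else is a string."""
    try:
        return int(text, 0)
    except ValueError:
        return text

def apply_display_filter(expr, frames):
    """Return the frame numbers that satisfy a single 'field op value' filter.
    A frame lacking the field (ARP frames have no ip.proto) never matches,
    which is why 'ip.proto == 0x01' hides frames 1 and 2 but keeps 3-10."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    field, op, raw = m.groups()
    compare, value = OPERATORS[op], parse_value(raw)
    return [f["frame.number"] for f in frames
            if field in f and compare(f[field], value)]
```

Running apply_display_filter("ip.proto == 0x01", build_ping_trace()) reproduces the lesson's result, frames 3 through 10, and "icmp.type == 8" isolates just the Echo Requests.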