Lab: Using a Protocol Analyzer (Ethereal)

Purpose: The purpose of this lab is to become familiar with a protocol analyzer such as Ethereal.
Ethereal is available for various operating systems including Windows, Linux and Macintosh. Ethereal
can be downloaded free, at http://www.ethereal.com
Software: Ethereal Version 0.10.14
Outcome 1
o Become familiar with the Ethereal protocol analyzer.
Outcome 2: Save an expanded Ethernet frame to a text file and print out the file. This Ethernet frame
should include:
IP packet
TCP header
HTTP Application header and Data
Step 1: Starting the Ethereal Capture

First time choose::

o Capture Options

Subsequent times choose::

o Capture Start

If you have more than one Ethernet NIC card installed, be sure to choose the proper interface and click
the OK button. Remove (disble) MAC and network Name Resolution options.

At this point Ethereal begins capturing packets including unicasts directed for the MAC address of your
Ethernet NIC, broadcasts for all devices, multicasts, and unknown unicasts (unicasts flooded by the
switch when the Destination MAC address is not in its MAC Address Table).

If you want to capture specific types of packets such as HTTP, FTP or ICMP, perform those operations
now.
Examples:
Ping (ICMP Echo and Echo Reply)
C:\> ping 192.168.10.33 (Windows)
or
# ping 192.168.10.33
(Linux/Unix)
Web traffic

Using a web browser, go to a web site of your choosing,

Step 2: Stopping the Ethereal Capture

Click the Stop button to end the capture.

Step 3: Looking at an Ethernet Frame

The amount of information captured can be overwhelming. We will see later how to filter the traffic so we
see only the information we want. The amount of frames captured can also be limited by capturing
frames in a lab with only a few computers instead of a production network.

Select a specific Ethernet frame. Find a frame with the encapsulated application protocol HTTP.

Inside the Ethernet frame is the data, which is usually another protocol with data. This encapsulation
process most likely started with an application header (HTTP, etc.) with the original data. Below is an
example.

To view this information for each protocol, both the Ethernet frame and the encapsulated upper layer
protocols, click on the + sign next to that protocol. For example, to see the fields within the Ethernet
frame click the + sign next to Ethernet II (the type of Ethernet frame). The + sign will turn into a -
sign and display the particular information.

To see other layers, click the appropriate + sign next to the protocol.

To view the data, look at the information in both Hexadecimal and ASCII.

Various statistics and

graphs can be displayed
from the Statistics menu.

Step 4: TCP
To show the actual (absolute) TCP Sequence Numbers and Acknowledgment Numbers, which will be
used in later TCP labs, perform the following steps to make sure the box with Relative sequence
numbers and window scaling is not selected. If it does have a check mark, unselect it.

Step 5: Save output to a text file

Outcome: Save an expanded Ethernet frame to a text file and print out the file. This Ethernet frame
should include:
Ethernet frame
IP packet
TCP header
HTTP Application header and Data
To save the Ethernet frames to a text file, choose File, Export, as Plain Text file. Be sure to use the file
extension .txt.

o Name the file with the .txt extension.

o If you want to save just the frames displayed, choose the Displayed option.
Other options include Packet details with the All expanded option which includes all the fields in each
protocol.

Sample Output
No.

Time
Source
5 1.632903
192.168.1.102
/~rgraziani/courses/cis81.html HTTP/1.1

Destination
207.62.187.7

Protocol Info
HTTP
GET

Frame 5 (454 bytes on wire, 454 bytes captured)

Arrival Time: Feb 5, 2006 18:57:30.697606000
Time delta from previous packet: 0.000131000 seconds
Time since reference or first frame: 1.632903000 seconds
Frame Number: 5
Packet Length: 454 bytes
Capture Length: 454 bytes
Protocols in frame: eth:ip:tcp:http
Ethernet II, Src: 00:0a:e4:d4:4c:f3 (00:0a:e4:d4:4c:f3), Dst: 00:0f:66:09:4e:0f
(00:0f:66:09:4e:0f)
Destination: 00:0f:66:09:4e:0f (00:0f:66:09:4e:0f)
Source: 00:0a:e4:d4:4c:f3 (00:0a:e4:d4:4c:f3)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.102 (192.168.1.102), Dst: 207.62.187.7 (207.62.187.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 440
Identification: 0x33f4 (13300)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x78f7 [correct]
Good: True
Bad : False
Source: 192.168.1.102 (192.168.1.102)
Destination: 207.62.187.7 (207.62.187.7)
Transmission Control Protocol, Src Port: 1168 (1168), Dst Port: http (80), Seq: 3422616114, Ack:
1837457533, Len: 400
Source port: 1168 (1168)
Destination port: http (80)
Sequence number: 3422616114
Next sequence number: 3422616514
Acknowledgement number: 1837457533
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x71c3 [correct]
Hypertext Transfer Protocol
GET /~rgraziani/courses/cis81.html HTTP/1.1\r\n
Request Method: GET
Request URI: /~rgraziani/courses/cis81.html
Request Version: HTTP/1.1
Accept: */*\r\n
Referer: http://www.cabrillo.edu/~rgraziani/\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n