...making Linux just a little more fun!
By Dean Wilson
For example, a few years ago I set up a wireless link for a project. It was relatively slow (a real data throughput of around 300Kbps) but should have easily handled the traffic. It should have, but it seemed saturated much of the time. On paper, everything was supposed to be fine: the link capacity was significantly more than the traffic. That was on paper.
There did seem to be a lot of lights blinking on the switch talking to the master radio, but watching blinking lights to measure traffic is about as accurate as using your tongue as a battery tester. Starting up Ethereal quickly identified the problem. There were a whole bunch of computers running some other operating system that liked to send broadcast packets over the network for such exciting events as a computer being turned on or the paper being low in a printer.
Once I had the problem identified, it was easy to correct. I just moved the radio traffic to another subnet away from the chatty operating system and performance was fine.
The synopsis in the man page says "Interactively browse network traffic." My use above was in real time, but Ethereal uses the same file format as tcpdump, so you can take an old dump file and use Ethereal to analyze it. Besides this (libpcap) format, Ethereal will read many other dump formats, including those from capture tools on other operating systems--even the chatty ones.
Like virtually all protocol analyzers, Ethereal shows you a summary line for each packet, a hex dump, and the ability to drill down through the protocol tree. In addition, you can define filters to select and display the data you are interested in. There are quite a few command line options, but unless you want to plant Ethereal in a script, it is easier to set it up interactively to do what you want.
A word of warning. If you are monitoring live traffic for a system other than the one Ethereal is running on, make sure you are connecting at a point where you will see the traffic. Ethereal will set your local Ethernet interface into promiscuous mode which means it will see all the traffic. If, however, your system is connected to an Ethernet switch, only the traffic for your system will appear there. You may need to "splice in" to the place you want to monitor using a hub.
Besides the basic monitoring, there are lots of options.
In my example at the start of the article, I could have used a filter to filter out the expected traffic. For example, adding tcp.port != 80 in the filter window and clicking the Apply button would have excluded any port 80 (HTTP) traffic from the display.
Colorize Display is also handy. Select Colorize Display from the Display menu and Ethereal will guide you through the setup. The steps are simple:
For example, ip.addr == 64.12.24.5 would select any packets whose source or destination IP address is equal to 64.12.24.5. You don't have to memorize all these choices, as the Add Expression button offers a list of all of them.
I could continue to point out features, but the best approach is for you to just give Ethereal a try. There are so many choices and options that this article could quickly become a book. If you do systems administration, you are probably satisfied just knowing there is something new in your toolbox. When the need arises, you will make it do what you want.
Robert Wilson is a Systems Administrator in a company where the boss (who has no idea what Bob does) just says "make it work".
Dean Wilson is (this week) a systems administrator and occasional updater to his pages at www.unixdaemon.net