Ethereal software installation 
We can download the Ethereal software from this link: http://www.ethereal.com/download.html . After downloading, we begin the installation. Installing the software is easy. Once it is installed, we start it and select Capture, then click the Start button. At this point, however, the following occurs:





We will see that the software needed to capture packets is missing. This article uses WinPcap. Download it from http://winpcap.polito.it/. After downloading it from the Internet, install it on your computer.
Using Ethereal to monitor a port of the 2950 switch
For an overview of the theory of SPAN (Switched Port Analyzer) ports, we can refer to later chapters. We build the following diagram:




Step 1: Configure the Switch 2950 as follows: 
!
hostname Switch
!
enable password cisco
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 no ip address
!
interface FastEthernet0/3
 no ip address
!
interface FastEthernet0/4
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/5
 no ip address
!
interface VLAN1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
! SPAN session 1: copy the traffic of Fa0/2 to Fa0/4, where Ethereal captures
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Fa0/4
end







Interface: Specifies the interface on which we want to capture packets. We can capture on only a single interface at a time.
Link-layer header type: Under normal circumstances we do not need to change this. We can choose the link-layer header type to match the transmission line.
Buffer size: The size of the buffer used during a capture. This is the size of the kernel buffer that holds captured packets until they are written to the hard disk. If packets are being dropped, consider increasing this value.
Capture packets in promiscuous mode: This box specifies that Ethereal should put your interface in promiscuous mode while capturing. If this option is not selected, Ethereal captures only packets going to or from your computer.
Limit each packet to n bytes: If you do not need all of the data in each packet, use this option (the default is 65535). This reduces the load on the CPU and minimizes the buffer size needed.
Capture filter: Ethereal uses the libpcap filter language for capture filters. Here is the syntax of the command:
[not] primitive [and|or [not] primitive ...]
The following example makes this clearer. Suppose we type in
"tcp port 23 and host 192.168.2.1". Ethereal then captures only the telnet traffic to or from host 192.168.2.1.
File: Specifies the path of the file in which the captured data is saved.
Use multiple files: Instead of using a single file, Ethereal automatically switches to a new file when the specified conditions are met.
Stop capture: Capturing stops when the selected conditions are satisfied.
Display Options frame:
-Update list of packets in real time: This option specifies that Ethereal should update the packet list in real time. Otherwise, we see the packets only after stopping the capture.
Name Resolution frame: Displays more detailed information for each layer. After choosing these parameters, click "OK". The monitoring process has now begun. Now we have a workstation ping the laptop to generate ICMP traffic, and we see the number of ICMP packets increase. This shows that port monitoring is active.
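As an added example (not part of the original article and not Ethereal's or libpcap's own code), the following Python code evaluates the capture filter syntax given under "Capture filter" against constructed packets. It shows that "host" matches traffic in either direction and that "and"/"or" have equal precedence and are applied left to right. Only the host, port, tcp, udp and icmp primitives are handled; the packet dictionaries and function names are assumptions made for the illustration.

```python
# Simplified evaluator for: [not] primitive [and|or [not] primitive ...]
# Added illustration; real libpcap supports many more primitives.

def parse(expr):
    """Split a filter into [(joiner, negated, primitive_words), ...]."""
    terms, joiner, negated, words = [], "and", False, []
    for tok in expr.lower().split():
        if tok in ("and", "or"):
            terms.append((joiner, negated, words))
            joiner, negated, words = tok, False, []
        elif tok == "not" and not words:
            negated = not negated
        else:
            words.append(tok)
    terms.append((joiner, negated, words))
    if not all(w for _, _, w in terms):
        raise ValueError("operator without a primitive next to it")
    return terms

def match_primitive(words, pkt):
    """Evaluate one primitive against a packet dictionary."""
    if len(words) == 2 and words[0] == "host":
        return words[1] in (pkt["src"], pkt["dst"])      # either direction
    if words[0] in ("tcp", "udp", "icmp"):               # protocol qualifier
        if len(words) == 1 or pkt["proto"] != words[0]:
            return pkt["proto"] == words[0]
        words = words[1:]
    if len(words) == 2 and words[0] == "port":
        return int(words[1]) in (pkt.get("sport"), pkt.get("dport"))
    raise ValueError("unsupported primitive: " + " ".join(words))

def matches(expr, pkt):
    """'and' and 'or' have equal precedence and are applied left to right."""
    result = True
    for joiner, negated, words in parse(expr):
        value = match_primitive(words, pkt) != negated
        result = (result and value) if joiner == "and" else (result or value)
    return result

# Constructed sample packets (not taken from a real capture).
PACKETS = [
    {"proto": "tcp", "src": "192.168.2.1", "dst": "192.168.2.9", "sport": 1025, "dport": 23},
    {"proto": "tcp", "src": "192.168.2.9", "dst": "192.168.2.1", "sport": 23, "dport": 1025},
    {"proto": "tcp", "src": "192.168.2.1", "dst": "192.168.2.9", "sport": 1026, "dport": 80},
    {"proto": "icmp", "src": "192.168.2.7", "dst": "192.168.2.9"},
]

def selected(expr):
    return [i for i, p in enumerate(PACKETS) if matches(expr, p)]
```

Calling selected("tcp port 23 and host 192.168.2.1") returns the indexes of both telnet packets, the request and the reply, while the HTTP and ICMP packets are left out.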






Now we have a workstation browse to the Yahoo site. All traffic from the desktop is copied to port Fa0/4 of the 2950 switch, so Ethereal can monitor this process. Most of the Yahoo traffic is TCP, so we see the TCP count gradually increase. After clicking the Stop button, we return to the packet list. Click on any line to view the packet information. We can filter packets by filling in the Filter toolbar (the command ip.addr == 192.168.1.9). At the bottom are the contents of the captured packet, including the type, source address, destination address, and the content in hexadecimal or string form. Based on this information, we can keep track of what is running on the network. You can find out more on the website http://www.ethereal.com/ and download the study guide there.



Step 2: Next, we start the Ethereal software. At this point, we choose the options as follows: