Joined: 04 Mar 2003
|Posted: Sun May 16, 2004 6:58 pm Post subject: Book Review - Ethereal Packet Sniffing
Ethereal Packet Sniffing
Author: Angela Orebaugh
Book Specifications: Soft-cover, 468 pages, with CD-ROM
Category: Packet Sniffing
User Level: Intermediate (some knowledge of TCP/IP needed)
Suggested Publisher Price: $49.95USA/$77.95CAN/£28.15
Amazon.co.uk: Ethereal Packet Sniffing UK
Amazon.com: Ethereal Packet Sniffing US
Info from Cover: "Ethereal offers more protocol decoding and reassembly than any free sniffer out there and ranks well among the commercial tools. You’ve all used tools like tcpdump or windump to examine individual packets, but Ethereal makes it easier to make sense of a stream of ongoing network communications. Ethereal not only makes network troubleshooting work far easier, but also aids greatly in network forensics, the art of finding and examining an attack, by giving a better “big picture” view. Ethereal Packet Sniffing will show you how to make the most out of your use of Ethereal."
The terms packet sniffing, network analysis, and network troubleshooting are often seen as rather arcane terminology by many. What all these flowery-sounding words mean in reality is the simple collection of packets from a computer network. How is this done? It is done through the use of programs such as Ethereal, for one. Ethereal is, bar none, the king of free packet analyzers, and also happens to give commercial products a run for their money. This free and powerful program should therefore be learned so that you can harness its excellent capabilities.
As with many programs, though, and especially the free ones, there can sometimes be a learning curve before one becomes proficient. To that end the author of this book attempts to bring the reader up to speed on the many and varied options within Ethereal. You should be prepared to spend some time learning this tool, as it has many features, and especially so if you have little knowledge of TCP/IP. Though all of the TCP/IP fields are broken down for you, if you do not already know them they will take time to properly assimilate.
Over the course of nine chapters this book covers Ethereal in depth. Also included at the end is an appendix which covers the protocols that Ethereal will decode. A rather handy reference, actually, especially if you want to find out whether a rather esoteric protocol can be decoded by this packet analyzer. Chapter one begins with an introduction to network analysis. Specifically discussed here is what exactly is meant by network analysis and packet sniffing. It is a nicely worded definition for those who may be unfamiliar with the sometimes cryptic terminology. Following this is a quick definition of some core concepts one must understand: the Ethernet standard, the OSI model, and CSMA/CD. We also see some hardware tips on things like hubs and switches. Rounding out this chapter is a quick discussion of how to detect packet sniffers and protect yourself against them.
Chapter two is the actual introduction to Ethereal itself. Covered here are the history of Ethereal, compatibility with other file formats, and supported protocols. The GUI and the supporting programs Tethereal, Editcap, Mergecap, and Text2pcap are detailed. Also seen is how Ethereal can work together with your network architecture and troubleshooting. Chapter three goes over getting and installing Ethereal on various systems such as Win32 and Linux. Also noted are dependencies like WinPcap and libpcap that you will need in order to use this program.
The meat of the book, in my opinion, is chapters four and five. This is where you actually learn to use Ethereal, including the all-important creation of filters. I have more to say on chapter five later in this review. That being said, you will learn how to capture, edit, view, and manipulate packets in these two chapters. When it comes to packet sniffing this is indeed the information that you want to read about. One handy feature of Ethereal is “Follow TCP Stream”: you can actually follow a TCP stream by using this feature, which is a very useful option to have. Those difficult-to-understand filters, which are built to winnow down traffic, are also gone over and explained here. Programmers will have an easier time understanding the creation of filters, as there is a specific syntax to be used.
In chapters six and seven the other programs that come with Ethereal are explained: the aforementioned Tethereal, Editcap, Mergecap, and Text2pcap. Each of these has its own use, and it is worthwhile understanding how to use them. It should be noted, though, that Ethereal is not the only tool out there that can capture and analyze packets. Also shown are the other well-known packet capture programs, like WildPackets EtherPeek. Why the author took this approach I don’t really understand, but the major players are listed, along with, very briefly, how to use them.
Of interest in chapter eight are some real-world packet captures, as the author calls them. You will see a variety of scanning attempts captured, and some other anomalous activity. Though there is no real packet content here, there is a pretty good explanation of what these various scans and attacks are. The last chapter deals with Ethereal’s development, and it would be of more interest to programmers than anyone else. It is still nice background information to have, though.
Style and Detail
The book's physical properties are quite nice, as evidenced by the nice thick paper and pliable outer binding. Of note also is the use of a summary, a solutions fast track, and an FAQ at the end of every chapter, which adds a nice bit of structure to the book. There is an abundance of screenshots, and diagrams where needed. Also used are some nicely laid out tables displaying information relevant to the topic at hand. Lastly, the information contained in the screenshots, tables, and diagrams is actually legible, rather than being printed in type that is far too small.
I approached this book with a great affinity for tools such as tcpdump/windump, which operate at the CLI (command line interface). Using tools like these keeps you thinking about the actual contents of the packets and what they mean. Ethereal, though, has its uses and strong points, such as large file analysis and quick correlation. Someone also told me that they did not know how one could write a whole book on Ethereal. I agreed with that comment, and still do now. This book is not only on Ethereal but encompasses all that there is to know about it. The one failing of the book, in my opinion, is that not nearly enough detail was given to the building of capture and display filters. After all, why do you use a packet sniffer? To collect packets, of course, and to that end this book could have done without some of its peripheral content and given that space over to the creation of the aforementioned filters. Overall, though, it is a worthy purchase, as Ethereal is not only free but, in the hands of one who knows it well, a very powerful tool.
This book gets a solid 7 out of 10
This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
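The review above mentions capture and display filters, the Follow TCP Stream feature, and file-format tools such as Text2pcap, but shows none of them in action. What follows is an added example, not part of the review, the book, or the Ethereal project: a small Python model using only the standard library. It writes a libpcap file from constructed Ethernet/IPv4/TCP frames (the job Text2pcap does from a hex dump), reads it back in either byte order, applies a simplified display filter in Ethereal's `field == value` style (`tcp.port` matching either end, `and`/`or` without parentheses), and reassembles one conversation's payloads by sequence number the way Follow TCP Stream does. All MACs, addresses, ports, timestamps and payloads are constructed sample data, and the filter grammar is a deliberately tiny subset, not Ethereal's real parser.

```python
# Added example, not from the review, the book or the Ethereal project. It models
# writing a libpcap file from constructed frames (what text2pcap does), a tiny
# display filter in the spirit of "ip.src == x and tcp.port == y", and Follow TCP
# Stream. All addresses, ports, MACs and payloads below are constructed sample data.
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps

def checksum(data):
    """RFC 1071 one's-complement checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame with placeholder MACs; TCP checksum left zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(records, linktype=1):
    """Serialise (ts_sec, ts_usec, frame) records as a libpcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Parse a libpcap file in either byte order back into (ts_sec, ts_usec, frame)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic libpcap file (pcapng and nanosecond magic not handled)")
    pos, records = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        records.append((ts_sec, ts_usec, data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return records

def dissect(frame):
    """Decode the Ethernet/IPv4/TCP fields a display filter may reference."""
    fields = {}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return fields                                   # not IPv4
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    fields["ip.src"] = ".".join(str(b) for b in frame[26:30])
    fields["ip.dst"] = ".".join(str(b) for b in frame[30:34])
    if frame[23] != 6:
        return fields                                   # not TCP
    t = 14 + ihl
    sport, dport, seq, _ack, off = struct.unpack("!HHIIB", frame[t:t + 13])
    fields.update({"tcp.srcport": str(sport), "tcp.dstport": str(dport),
                   "tcp.port": {str(sport), str(dport)}, "tcp.seq": str(seq),
                   "tcp.payload": frame[t + (off >> 4) * 4:14 + total_len]})
    return fields

def matches(fields, expr):
    """Tiny display-filter evaluator: 'field == value' / 'field != value' terms
    joined by and/or, no parentheses; 'tcp.port' matches either end as in Ethereal."""
    def term(text):
        name, op, value = text.split()
        have = fields.get(name, set())
        have = have if isinstance(have, set) else {have}
        return value in have if op == "==" else value not in have
    return any(all(term(t) for t in c.split(" and ")) for c in expr.split(" or "))

def display_filter(frames, expr):
    return [f for f in frames if matches(dissect(f), expr)]

def follow_tcp_stream(frames, client_ip, client_port):
    """Per-direction payloads ordered by tcp.seq, as Follow TCP Stream shows them."""
    sides = defaultdict(list)
    for d in map(dissect, frames):
        if "tcp.seq" not in d or not d["tcp.payload"]:
            continue
        if (d["ip.src"], d["tcp.srcport"]) == (client_ip, str(client_port)):
            sides["client"].append((int(d["tcp.seq"]), d["tcp.payload"]))
        elif (d["ip.dst"], d["tcp.dstport"]) == (client_ip, str(client_port)):
            sides["server"].append((int(d["tcp.seq"]), d["tcp.payload"]))
    return {side: b"".join(p for _, p in sorted(segs)) for side, segs in sides.items()}

# Constructed capture: one HTTP exchange (server segments recorded out of order)
# plus an unrelated SSH packet; 0x18 is PSH|ACK.
SAMPLE = [
    (1, 0, build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 2000, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
    (1, 500, build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 2019, 1018, 0x18, b"hello\n")),
    (1, 900, build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 2000, 1018, 0x18, b"HTTP/1.0 200 OK\r\n\r\n")),
    (2, 0, build_tcp_frame("10.0.0.1", "10.0.0.3", 40001, 22, 5000, 0, 0x18, b"SSH-2.0-client\r\n")),
]

def demo():
    """Round-trip the sample through a pcap file, filter it, and follow the HTTP stream."""
    frames = [f for _, _, f in read_pcap(write_pcap(SAMPLE))]
    http = display_filter(frames, "ip.dst == 10.0.0.2 and tcp.port == 80 or tcp.srcport == 80")
    return len(frames), len(http), follow_tcp_stream(frames, "10.0.0.1", 40000)
```

Running `demo()` reads all four frames back, finds three that match the HTTP filter, and returns the server side of the conversation as `HTTP/1.0 200 OK\r\n\r\nhello\n`, with the segment that arrived first correctly placed second by sequence number. One caveat worth keeping in mind when learning the filters the review complains are under-covered: capture filters use libpcap/BPF syntax such as `tcp port 80` and are applied before a packet is ever written to the file, so anything they drop is gone for good, whereas display filters like `tcp.port == 80` are applied afterwards to what was saved. The model above only covers the display side.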