When it comes to sniffing packets, the tool I usually use is Ethereal, a fantastically powerful piece of software. Tony Howlett's book Open Source Security Tools: A Practical Guide to Security Applications covers Ethereal and many more. You can read a sample chapter, titled "Network Sniffers: Is Open Source Right for You?", online. In it, Howlett gives a great list of Ethereal's advantages over plain tcpdump on the command line. Here's a brief outline of that list; after reading it, go check out the sample chapter and the book!
- Easy to use GUI
- More analytical & statistical options than command-line tcpdump
- Cleaner output format
- Supports over 300 network protocols
- Supports many physical network formats
- Interactively browse & sort captured data
- Save output in a variety of formats
- Display packets with color-coding
- GUI for building capture and display filters without learning the filter syntax first
- Follow a TCP stream & view it as a unified whole in ASCII
- Supports many capture programs, libraries, & hardware
- Save sessions in different formats
- Command-line terminal mode
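The item that usually sells people on Ethereal (today's Wireshark) over tcpdump is "Follow TCP Stream": instead of reading one packet at a time, you get the bytes of each direction of a connection glued back together in order, with retransmissions dropped. The block below, an added example that is neither code from this post nor from Ethereal itself, shows what that reassembly actually does. It reads the classic libpcap file format (little-endian, Ethernet link type), pulls out every TCP/IPv4 segment, sorts each direction by sequence number, skips full retransmissions and trims partial overlaps, and renders the result the way Ethereal's ASCII view does. The capture it works on is constructed inline, so it runs offline; IP/TCP checksums are deliberately not verified.

```python
"""Follow a TCP stream from a pcap, the way Ethereal's "Follow TCP Stream" does.

Added example (not code from the post or from Ethereal): parses the classic
libpcap file format, pulls every TCP/IPv4 segment, and glues each direction
back together by sequence number, dropping retransmissions and trimming
overlaps. Checksums are not verified. The sample capture is constructed inline.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for each TCP/IPv4 segment."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("need a little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # EtherType is not IPv4
        if frame[14] >> 4 != 4 or frame[23] != 6:
            continue                                   # not IPv4 / not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]           # total_len drops Ethernet padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, seq, tcp[data_off:]


def follow_tcp_stream(data):
    """Return {(src, sport, dst, dport): bytes} with each direction reassembled."""
    by_dir = defaultdict(list)
    for src, sport, dst, dport, seq, payload in parse_pcap(data):
        if payload:
            by_dir[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])                  # reorder out-of-order segments
        out = bytearray()
        nxt = segs[0][0]                               # next sequence number we expect
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= nxt:
                continue                               # pure retransmission, already have it
            if seq < nxt:
                payload = payload[nxt - seq:]          # partial overlap: keep only new bytes
            out += payload                             # a hole (seq > nxt) is simply skipped
            nxt = end
        streams[key] = bytes(out)
    return streams


def to_ascii(raw):
    """Ethereal's ASCII view: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in raw)


# --- constructed sample capture (not a real trace) -------------------------

def _segment(src, sport, dst, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame; checksums left at zero since we never check them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def _pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
SAMPLE_PCAP = _pcap([
    _segment(*C, *S, 1016, b"Host: example.test\r\n\r\n"),   # captured first: out of order
    _segment(*C, *S, 1000, b"GET / HTTP/1.0\r\n"),
    _segment(*C, *S, 1000, b"GET / HTTP/1.0\r\n"),           # retransmission of the above
    _segment(*S, *C, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
    _segment(*S, *C, 5019, b"hi\x00\x01there"),              # non-printable bytes in the body
])

if __name__ == "__main__":
    for (src, sport, dst, dport), payload in follow_tcp_stream(SAMPLE_PCAP).items():
        print("--- %s:%d -> %s:%d ---" % (src, sport, dst, dport))
        print(to_ascii(payload))
```

Run it and you get the client's request and the server's reply as two clean blocks, even though the capture has the request's second segment before its first and a duplicate of the first. The same file fed to tcpdump shows five packets, in capture order, and leaves the stitching to you, which is the point Howlett's list is making. Note that the reassembly trusts sequence numbers as captured; a sniffer that is fed crafted overlapping segments can be made to show a different stream from the one the endpoint actually reassembled, which is something to keep in mind when using any sniffer as forensic evidence.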

1. I have to disagree with the GUI being easy to use. I still have a hard time figuring out how to use both of the filter mechanisms (one for during the captures, one for after -- they're quite different from each other). And I use it a couple times a week. The Windows port doesn't have a normal Windows GUI either, which is confusing.
That said, recent versions have greatly improved in usability. And the ability to follow a TCP stream (basically it puts all the packets back together for you) is easily worth the hassle alone. All the other points I would completely agree with -- Ethereal is pretty damn good.
Also note that Ethereal had one of the lowest defect rates of any program tested by Coverity recently.
Posted at 10:34AM on Apr 12th 2006 by Craig Buchek