Capturing, Sanitizing and posting Ethereal dumps.
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Capturing, Sanitizing and posting Ethereal dumps.

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Capturing, Sanitizing and posting Ethereal dumps.

    How to Capture traffic, save the results and post Sanitized files to the public internet for review using Ethereal 0.10.x for Windows

    General

    Ethereal is a powerful protocol analyzer/packet sniffer released under the GNU public license. It is available for versions of *nix and has been ported to Win32.

    It is available in it's different forms from http://www.ethereal.com/download.html .

    Ethereal can be used with very specific filters to capture precise traffic at a very granular level. This tutorial will concentrate on the basic filters, how to save the captured traffic, sanitize the capture so it doesn't reveal your IP address or that of the remote machine so that you can post it to the public internet for others to review and comment on.

    Basic Capture Filters

    Having installed the appropriate packet capture driver for you version of Ethereal and installed it you can begin capturing packets. The fourth item from the left on the menu bar is the capture option. Click it and select Start. This will bring up the capture panel. At the top you will see the available network cards you can capture on. Usually there will be only one so this should be left as it is. If there are more than one simply click OK and open a web browser to your home page. If the capture window shows traffic then this is the correct network card. If you get no traffic captured stop the capture, select the next card on the list and repeat this process till you capture traffic.

    Ethereal has the ability to capture traffic only to and from your machine or, on a hubbed network or a switched network with port spanning you can capture all traffic the network card sees if you click the "Capture packets in Promiscuous Mode" button. For home users this usually won't be necessary since the traffic you are interested in will usually be to and from your own machine.

    Once you know which network card to use you can begin to capture traffic. If you put nothing in the Filter line you will get all the traffic to and from your machine and even though you can apply filters subsequently I prefer to apply my filter up front. The following are examples of filters you can use. Substitute the appropriate IP addresses and Port numbers for the traffic you want to capture yourself.

    1. All traffic to and from my machine only, (only useful in Promiscuous Mode)

    host 192.168.1.1

    2. All traffic to and from a remote host, (either Promiscuous Mode or Normal Mode)

    host 10.0.0.1

    3. All traffic to and from a particular port, (either Promiscuous Mode or Normal Mode)

    port 80

    4. All traffic initiated by the specific host, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)

    src host 10.0.0.1

    5. All traffic initiated to a specific host, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

    dst host 192.168.1.1

    6. All traffic initiated by the specific host on a given port, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)

    src host 10.0.0.1 && port 80

    7. All traffic initiated to a specific host on a specific port, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

    dst host 192.168.1.1 && port 80

    8. All traffic initiated to a specific port regardless of IP address, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

    dst port 80

    As you can see the "&&" allows you to join "phrases" together to make more and more specific filters. Another useful operator is "!", (without the quotes). This operator negates the following "phrase" so !port 80 would mean "Don't report traffic on port 80". So you can build quite complicated filters like the one below:-

    dst host 192.168.1.1 && src port 53 && !src host 192.168.1.2 && !dst port 80

    The above filter would capture all traffic to 192.168.1.1 except traffic from 192.168.1.2. The traffic captured must have come from port 53 but it must not be destined for port 80..... (All rather simple really.... )

    Saving your output in a text managable format.

    Ok, now you have the data you want you need to save it. If you use the standard Save option from the menu you will be presented with all sorts of format options. If you save to them and then go and try to read the output you will find, (unless you are uB3r l33t), that they are meaningless to you. Rather than select Save, select Print instead. On the panel presented select the following options:-

    1. Click Plain Text
    2. Select Output to File and enter a name such as MyEtherealDump.txt, (always save it as a .txt file please).
    3. Click All Packets, (or Selected Packet Only if that's all you want to save).
    4. Click All Dissections Expanded
    5. Make sure Packet Hex Data is not selected or you will have to find and replace IP addresses in Hex too.
    6. Click Print

    Your results should look something like this, (this is a single packet your's may have many)

    =======================

    Frame 26 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Aug 11, 2004 09:35:55.808383000
    Time delta from previous packet: 0.006262000 seconds
    Time since reference or first frame: 1.019001000 seconds
    Frame Number: 26
    Packet Length: 62 bytes
    Capture Length: 62 bytes
    Ethernet II, Src: 00:e0:06:fc:57:32, Dst: 00:e0:1e:42:a1:61
    Destination: 00:e0:1e:42:a1:61 (Cisco_42:a1:61)
    Source: 00:e0:06:fc:57:32 (192.168.3.51)

    Type: IP (0x0800)
    Internet Protocol, Src Addr: 192.168.3.51 (192.168.3.51), Dst Addr: 216.109.117.204 (216.109.117.204)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xbcfc (48380)
    Flags: 0x04
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x2bb6 (correct)
    Source: 192.168.3.51 (192.168.3.51)
    Destination: 216.109.117.204 (216.109.117.204)
    Transmission Control Protocol, Src Port: 11691 (11691), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
    Source port: 11691 (11691)
    Destination port: http (80)
    Sequence number: 0
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0x32fe (correct)
    Options: (8 bytes)
    Maximum segment size: 1460 bytes
    NOP
    NOP
    SACK permitted

    =======================

    The packet above is a SYN packet from my workstation to www.yahoo.com. You will notice that in the text there are lots of Source and Destination lines that show both my IP address and yahoo's IP address, (the remote machine). It is not usually a good idea to display either publicly on the internet. What I recommend is that you clearly state when you post your Ethereal dump that "I have replaced the IP address of the target computer with the address xxx.xxx.xxx.xxx and the IP address of the remote computer with the address xxx.xxx.xxx.xxx". I recomment that you use private addresses such as 192.168.xxx.xxx, or 10.xxx.xxx.xxx as the replacements. Use your favorite text editor to do "search and replace all" for both your IP address and the address of the remote machine and save the file again.

    NOTE: Do not worry about the hex addresses in the highlighted portion in the packet dump above. Those are the MAC addresses of the last router and your computer and are only useful to an attacker if they are already on your local network.

    Now you can either cut and paste the dump staraight into your post if it is short or attach the text file to your post if it is long.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    nice one. nice read. thanks.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Senior Member
    Join Date
    Aug 2004
    Posts
    149
    Great post Tiger-Shark, as usual......

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Nice. Applying filters "upfront" is an excellent way to increase the sensitivity and reliability of captured packets. Meaning there is less crap to sift through and you stand a better chance of not dropping packets you are interested in. Just opening it up wide is not always a good idea unless you don't have a clue what your looking for yet becasue the card and the machine might not capture everything fast enough especially when spanning multiple ports or sniffing the network gateway. It also enables you to sift through the data much quicker especially long captures of a few days worth of data (weekends). In fact at the gatway it's great to deploy 2 packet sniffers one the grabs it all and one that grabs only specific filtered packets destined to specific devices.

    Thanks Tiger.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Your post got me interested in Ethereal so I downloaded it and thought id give it a go.

    However when I start it up a cmd prompt window opens up with this message:
    ----------------------------------------------------------------------------------------------------------------
    (ethereal.exe:1828): Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_re
    size): assertion `height > 0' failed

    (ethereal.exe:1828): Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_re
    size): assertion `height > 0' failed
    -----------------------------------------------------------------------------------------------------------------

    Have you ever seen this before?

    I tried re-installing it but still go the same result.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think I had something similar before and it was to do with screen resolution IIRC. Ethereal for Win doesn't seem too flexible when it comes to screen sizes, (at least, not the versions I played with). You might want to mess with the res. and color depth and see if it runs.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    No, i took everything down to the lowest it goes but got the same result :-(

    Nevermind, I will check it out in linux instead.

    Thanks anyway!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    While on the subject: I have found adding ethereal to a baseline install and hidden from normal users comes in VERY handy on occassion. Who says limit packet inspection to a few isolated machines?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #9
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Originally posted here by Nokia
    Your post got me interested in Ethereal so I downloaded it and thought id give it a go.

    However when I start it up a cmd prompt window opens up with this message:
    ----------------------------------------------------------------------------------------------------------------
    (ethereal.exe:1828): Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_re
    size): assertion `height > 0' failed

    (ethereal.exe:1828): Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_re
    size): assertion `height > 0' failed
    -----------------------------------------------------------------------------------------------------------------

    Have you ever seen this before?

    I tried re-installing it but still go the same result.
    Sorry to say this but RTM. Two minutes on the FAQ and your answer is there.
    Q 5.17: When I run Ethereal, I get an error

    Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize): assertion `height > 0' failed.

    A: This is a bug in Ethereal 0.10.5, which will be fixed in the next release of Ethereal. To work around this bug:

    1. On Windows, this message will appear in a console window; do NOT, under any circumstances, close that window!
    2. Make sure the "Save window size" prefrence is set the "User Interface" prefrences in the preferences window opened by "Preferences" under the "Edit" menu.
    3. Quit Ethereal.
    4. On Windows, a "Press any key to exit" message might appear in the command window; if that message appears in the window, click on that window and press any key (such as Enter).

    The next time Ethereal starts, it should not produce that error message.
    http://www.ethereal.com/faq.html#q5.17
    When death sleeps it dreams of you...

  10. #10
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Well im sorry to say this but I had already read that in the FAQ and it didnt resolve my issue.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •