Ethereal Packet Sniffing (Syngress) [ILLUSTRATED] (Paperback)

by Syngress (Author) "Why is the network slow?..."
Key Phrases: protocol dissector, saved capture files, using tethereal, Protocol Tree Window, Program Files, Frequently Asked Questions
4.6 out of 5 stars (25 customer reviews)



Editorial Reviews

Product Description
The only book available on the extremely popular, yet completely undocumented, Open Source security tool Ethereal. This book provides insider information on how to optimize the performance of Ethereal on enterprise networks. The book comes with a CD containing Ethereal, Tethereal, Nessus, Snort, ACID, Barnyard, and more! It shows how Ethereal compiles and runs (thanks to autoconf) on many flavors of UNIX (including Linux) and on Windows. It shows how to capture packets from a number of different types of networking devices, and how Ethereal can also read capture files taken earlier using either Ethereal or other programs such as tcpdump, snoop, and various other network analyzer programs.

About the Author
Angela Orebaugh (CISSP, GCIA, GCFW, GCIH, GSEC, CCNA) has worked in information technology for 10 years. She is currently an Associate at Booz Allen Hamilton in the Washington, DC metro area. Her focus is on perimeter defense, secure architecture design, vulnerability assessments, penetration testing, and intrusion detection. Angela is an expert in many commercial and Open Source intrusion detection and analysis tools including Ethereal, Snort, Nessus, and Nmap. She is a graduate of James Madison University with a master's in computer science, and she is currently pursuing her PhD with a concentration in information security at George Mason University. Her GCFW practical received honors recognition and was used as a case study in the book Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Network Intrusion Detection by Stephen Northcutt (ISBN: 0735712328). Angela is a researcher, writer, and speaker for SANS Institute, where she has helped to develop and revise SANS course material and also serves as the Senior Mentor Coach for the SANS Local Mentor Program.

Gilbert Ramirez was the first contributor to Ethereal after it was announced to the public and is known for his regular updates to the product. He has contributed protocol dissectors as well as core logic to Ethereal. He is a systems engineer at a large company with network-related products, where he works on tools and software build systems. Gilbert is a family man, a want-to-be chef, and a student of tae kwon do. His degree is in linguistics, but his first love is programming computers, which he has been doing since childhood.


Product Details

  • Paperback: 550 pages
  • Publisher: Syngress; 1 edition (April 7, 2004)
  • Language: English
  • ISBN-10: 1932266828
  • ISBN-13: 978-1932266825
  • Product Dimensions: 9 x 7 x 1.3 inches
  • Shipping Weight: 1.8 pounds
  • Average Customer Review: 4.6 out of 5 stars (25 customer reviews)
  • Amazon.com Sales Rank: #480,750 in Books


Customer Reviews

25 Reviews
5 star: (16)
4 star: (8)
3 star: (0)
2 star: (1)
1 star: (0)

Average Customer Review: 4.6 out of 5 stars (25 customer reviews)

Most Helpful Customer Reviews

 
20 of 21 people found the following review helpful:
4.0 out of 5 stars good for users and developers, July 14, 2004
I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money, I'll stick with free docs.

A bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. A lot of information gets dumped in Ethereal, helping people navigate the UI with a static, black-and-white image would have been welcome.

Now, on to the real strengths of the book. The book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well. How can you place a sniffer to get coverage, what can a sniffer tell you during troubleshooting (and what can it not?), and of course how to get and install Ethereal (on UN*X and Windows).

The next chapter covers exactly what you would expect it to, how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files).

Chapter 7 is one of those handy things to read. Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products.

Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD.

Chapter 9 will be useful to a small subset of people, but quite useful. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project.

Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work.

The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think. Also, Syngress has a book update feature that some people may find useful.

15 of 15 people found the following review helpful:
5.0 out of 5 stars The Queen Mary 2 of Jay Beale's Open Source fleet, May 1, 2004
"Ethereal Packet Sniffing" is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. "Ethereal" is full of helpful tips and clear discussions that benefit newbies and wizards alike.

I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material is Ethereal's development, from 0.2 in July 1998 to 0.10.3 this year. (The book covers 0.10.0 which is far from being outdated.) The many improvements lend themselves to the sort of explanations found in "Ethereal." For example, my favorite material involved filters. Although chs. 4 and 5 had minor overlap regarding this feature, I learned new ways to manipulate Ethereal's packet search and display capabilities.

Because the entire book focuses on a single suite of tools, it has the space to take in-depth looks at normally ignored components like stream analysis graphs. The book spends time explaining how to write filters with bitwise AND operations, and talks about 'matches' and 'contains' search functions. For programmers, the chapter on "developing Ethereal" gives clues on adding new protocol dissectors. This reminded me of a similar chapter in Syngress' book on Snort.

If you want to really know how to use Ethereal, buy this book. However, it should have been called "Ethereal Packet Sniffer," not "Ethereal Packet Sniffing." The distinction lies in the book's focus; it spends most of its time explaining functions and not analyzing packets. Books on troubleshooting by Bardwell or Haugdahl have more insights to share than ch. 8 in "Ethereal." Nevertheless, I added this book to my recommended reading list for aspiring security engineers. It's worth a close read.

5 of 5 people found the following review helpful:
5.0 out of 5 stars An easy-to-use resource, July 9, 2004
By Midwest Book Review (Oregon, WI USA)
The latest contribution of Jay Beale's Open Source Security Series, Ethereal Packet Sniffing is the first reference book to cover the "packet sniffer" security tool that has become widely used among network administrators. Individual chapters of Ethereal Packet Sniffing cover installing and using Ethereal: Network Protocol Analyzer in Unix, Linux, or Windows, filters, associated other programs that come packaged with Ethereal such as Tethereal and Editcap, integrating Ethereal with other sniffers, developing Ethereal and its design tools, and much more. An easy-to-use resource filled with screenshots, sample code, and step-by-step examples and instructions. An accompanying CD contains Ethereal itself, including installation, reference, and packet capture files, complete with a 1 year upgrade buyer protection plan, making Ethereal Packet Sniffing more than just a supplementary guide; it's computer software with a far more exhaustive starter guide than any tiny little owner's manual can offer.
 
Most Recent Customer Reviews

4.0 out of 5 stars This book and CDROM are "must have" network troubleshooting tools.
If you are a network administrator, responsible for a network of any size, this book and the software it describes are "must have" tools in your toolkit.
Published on June 29, 2006 by Robert Getsla

4.0 out of 5 stars Ethereal: The Missing Manual
One of the complaints I've heard about this book is that it doesn't provide you with information on what different fields within a packet mean.
Published on April 19, 2006 by Jeremiah Roth

4.0 out of 5 stars The best way to get the most out of Ethereal!
I have been doing protocol analysis for over three years now. My two tools of choice are typically either TCPDump and/or Ethereal.
Published on February 7, 2006 by Sean E. Connelly

4.0 out of 5 stars Excellent book on Ethereal with one caveat
Provides an exhaustive view of Ethereal and how to use it. The only complaint I have, and perhaps unfairly so, is that it doesn't give enough context for the use of the...
Published on August 21, 2005 by Mark Smallwood

4.0 out of 5 stars Essential tool for all IT staff
I love protocol analysis. It's slightly arcane, just difficult enough to be interesting and incredibly useful for troubleshooting, planning, security and just plain learning more...
Published on May 19, 2005 by Randy Grein

4.0 out of 5 stars Excellent Information For An Excellent Program
Ethereal is fairly commonly accepted as one of the best, if not the best packet sniffer available. If it's not the best, it certainly is hard to get more bang for the buck because...
Published on February 8, 2005 by Tony Bradley

5.0 out of 5 stars Valuable Adjunct to the On-Line Docs
In Chapter 1 the book tells you to get a copy of Ethereal at www.Ethereal.com. This is correct. But be sure you spell it right, if you go to etheral you get to a rather strange...
Published on January 29, 2005 by John Matlock

5.0 out of 5 stars Great Ethereal book
The documentation that comes with Ethereal is ok.

This book makes a fairly easy sniffer, much easier to use.
Published on October 13, 2004 by Eric Kent

5.0 out of 5 stars Most comprehensive resource for Ethereal
I found this book to be easy to read and follow. The book is fully dedicated to the functionality of Ethereal. (it does not cover how protocols work etc..
Published on May 17, 2004 by Joseph P. Bowling

4.0 out of 5 stars Nice new functionality
How anxious (paranoid?) are you about your network? Has a cracker taken over one of your machines and is using it to sniff your traffic?
Published on March 14, 2004 by W Boudville
