Monitoring Tools
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
Ethereal and mon are two great tools for monitoring your networks. Ethereal is the source of all the network traces and packet decodes in Part I of Networking Linux: A Practical Guide to TCP/IP (New Riders, 2001, ISBN 0-7357-1031-7). It also provides some of the functions that you'll want to use when baselining your network. mon also provides functionality to help bolster your baselining.
Although neither of these tools is part of the Red Hat Linux distribution, they should both be installed on your Linux system as quickly as possible.
Ethereal
Ethereal is a very functional protocol analyzer.1 It has both a GUI (Ethereal) and a command-line interface (Tethereal). Both provide very easy means of finding and watching network traffic.
Listing 1 shows cherry ARPing for a nonexistent host. Figure 1 shows Ethereal having captured some Ethernet traffic.
){kind=link}
Listing 1Using Tethereal
[root@cherry /root]# tethereal Kernel filter, protocol ALL, raw packet socket Capturing on eth0 00:e0:98:7c:95:21 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100?Tell 192.168.1.10 00:e0:98:7c:95:21 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100?
Figure 1 Ethereal screen shot.
Ethereal can give you a great deal of insight into the way things are really working on your network, but only in conjunction with a good understanding of the protocols themselves. In this section we'll look at the following topics:
Getting and installing Ethereal
Using Ethereal to capture packets
Using Ethereal to view packets
Filtering packets during both capture and display to make network diagnostics a bit simpler
Dealing with bugs in Ethereal
Getting and Installing Ethereal
Ethereal is available for a wide range of platforms, including Linux, Windows, and several UNIX platforms. Although Ethereal has a command-line interface, it requires that GTK+ be installed on the system on which it is being built. Ethereal also relies on libpcap. I'll build it from source on Linux in this section. However, when you install it, it is important to ensure that you have Ethereal and the two software packages that it relies on. It should also be mentioned that although there are binary distributions of Ethereal available for many platforms, they are not always the most recent. You might want to take the extra time to build your own.
Downloading Binary Packages
Certainly the easiest way to install Ethereal is with the package-management system of your Linux distribution. The most recent binary packages for Ethereal are available at http://ethereal.zing.org/download.html. In addition to the Ethereal packages themselves, you'll also need to get packages for libpcap and perhaps for ucd-snmp (this will depend on what is installed on your system). After you've located the requisite packages, you're ready to go.
Downloading and Building Source
Building Ethereal is a bit more involved, but not too much. The following build instructions are based on a stock GNOME Workstation install of a Red Hat 6.2 box.
Don't forget that you'll need to install libpcap before you can build Ethereal. You can do this either with RPMs or by building it from source. Building from source isn't too hard, but you'll need to deal with a couple gotchas when building libpcap on Red Hat 6.2. First you'll need to make the /usr/local/include and /usr/local/include/net directories. You also must remember to do a make install-incl as well as the make install. The proper installation of libpcap is shown in Listing 2.
Listing 2 Installing libpcap
[root@phred src] tar xzvf libpcap-0.5.2.tar.gz [root@phred src] cd libpcap-0.5 [root@phred libpcap-0.5] ./configure [root@phred libpcap-0.5] make [root@phred libpcap-0.5] make install [root@phred libpcap-0.5] mkdir -p /usr/local/lib/net [root@phred libpcap-0.5] make install-incl
After libpcap is built, you've got smooth sailing in front of you. Ethereal is a three-step build. Building Ethereal is shown in Listing 3.
Listing 3 Building Ethereal
[root@phred src] tar xzvf ethereal-0.8.14.tar.gz [root@phred src] cd ethereal-0.8.14 [root@phred ethereal-0.8.14] ./configure [root@phred ethereal-0.8.14] make [root@phred ethereal-0.8.14] make install
Using Ethereal to Capture Packets
Because the primary use of a protocol analyzer is to capture packets, that's just what we'll do. I'll start off with a simple example, move to some startup options for Ethereal and Tethereal, and wrap up with a more advanced example.
A Simple Example
Using Ethereal can be quite simple; typing Ethereal at the command line (as someone with permission to set the NIC into promiscuous mode) will start the GUI. When the GUI has started, you can select Capture, Start, which brings up the Capture Preferences window. This should have valid defaults set, but I like to click the Update List of Packets in Real Time and Automatic Scrolling in Live Capture buttons. Now press the Start button and watch your capture run.
While the capture is running, it displays the total number of packets captured in the Ethereal: Capture/Playback window. It also updates the main Ethereal window with each new packet that it grabs. After you've captured what you needed, you can stop the capture by hitting the Stop button in the Ethereal: Capture/Playback window. While the capture is running, you should see something similar to the display shown in Figure 2.
){kind=link}
Figure 2 Ethereal capturing packets.
Starting Ethereal
A number of command-line options exist to help make starting Ethereal more pleasant. Table 1 shows some of the more likely candidates.
Table 1 Command Line Options for Ethereal
|
Option |
Meaning |
|
-i <interface> |
This option sets the interface from which Ethereal will capture. |
|
-k |
This option causes Ethereal to begin capturing packets immediately upon startup. It must be used with the xs-i option. |
|
-S |
This option causes Ethereal to display packets as they are captured. |
|
-c <count> |
This option causes Ethereal to capture only count packets before stopping. It is useful only with the -k option. |
|
-D |
This option causes Ethereal to treat the TOS field of IP as the original TOS, not like Differentiated Services. |
|
-f <capture filter> |
This option enables you to set a libpcap-style capture filter. libpcap filter syntax is covered in the "ngrep" section of my previous article, "Troubleshooting Tools." |
|
-n |
This option disables name resolution; all packets will be displayed with numeric IP addresses, TCP ports, and UDP ports. |
|
-r <infile> |
This option causes Ethereal to read packets from a saved file instead of an interface. Using previous captures is covered in the upcoming section "Viewing Saved Captures." |
|
-R <read filter> |
This option enables you to set a read filter. Read filters are discussed in the upcoming section "Filtering Packets to Be Displayed." |
|
-t <time stamp format> |
This option changes the format of the packet timestamps. The three possible formats are as follows: r—Relative to the first packet (the default) a—Actual date and time of the packet d—Relative to the previous packet |
|
-w <savefile> |
This option sets the name of the file to which the capture will be saved. Working with saved captures is covered in the upcoming section "Viewing Saved Captures." |
A useful startup command for Ethereal might look like this:
[root@cherry /root]# ethereal -i eth0 -c 100 -D -t a -k -S &
This starts Ethereal, begins capturing from eth0 immediately, displays packets as they're captured using the original IPv4 TOS meaning for the TOS field, displays actual times for each packet, and stops capturing after 100 packets have been captured.
Starting Tethereal
Tethereal can be run in instances in which you have no good way to display the GUI for Ethereal or you don't need its extra weight to accomplish the task at hand (for example, you're just doing a file capture). Tethereal can be run like the session shown in Listing 4.
Listing 4 Starting Tethereal
[root@cherry /root]# tethereal Kernel filter, protocol ALL, raw packet socket Capturing on eth0 skull.eventloop.com -> 192.168.1.10 IRC Response 192.168.1.10 -> resolver1.level3.net DNS Standard query PTR
Like Ethereal, however, Tethereal is often better used with the command-line options listed in Table 1. Some of the options either make no sense in the context of the Tethereal interface (for instance, -t because there is no time display in Tethereal2) or are not allowed (for instance, -S). A good example of a more useful Tethereal command might be this:
[root@cherry /root]# tethereal -i eth0 -c 10 -n -w quickcapture
This command captures the next 10 packets received on eth0 in the file quickcapture without doing a name resolution.
Viewing Packets with Ethereal
The main window for Ethereal is divided into three sections, called panes. The top pane is the packet list pane, which shows a summary of each packet captured. The middle pane is the tree view pane, which shows a more detailed view of any packet selected in the packet list pane. The bottom pane is the data view pane, which shows a hex breakout and ASCII representation of any packet selected in the packet list pane. There are also menu options of interest when viewing packets; we'll look at these in more detail in the following sections.
A Simple Session Revisited
The simple Ethereal session described previously results in the final capture shown in Figure 3.
){kind=link}
Figure 3 A simple Ethereal capture.
After the data is captured, you can look at it several ways, with a variety of tools.3 One way to look at the data is to review the Ethereal summary data, as shown in Figure 4.
){kind=link}
Figure 4 Ethereal summary data.
This summary shows the following:
Information about the file (which we'll ignore)
Information about the data (which we'll cover shortly)
Information about the capture (which we'll cover right after the information about the data)
You can bring up the summary window by selecting Tools, Summary. The information about the data provides some good information about the traffic in the capture. It tells us how long it took for the traffic to be sent, how many packets were sent, how much data was sent, how much data per packet (average), and how much data per second (average). This information can be made much more useful when combined with filters (see the upcoming section "Filtering Packets with Ethereal" for more information about writing filters). For example, if you want to determine the load that connecting to an IRC server will put on your network, you can capture a 15-minute IRC session while filtering for just IRC traffic. Then you can see the average amount of data that IRC transferred over those 15 minutes.4 Bear in mind that you probably will want to check this at several points during the day, just to get a more realistic picture of the traffic load.
The capture information provides the context needed to make sense of the capture. It shows what interface the capture is from, what capture filter was used, and what display filter is in use. In the IRC example described in the previous paragraph, the data would be misleading if it also contained HTTP traffic. Looking at the capture information can help ensure that we're looking at just the data we want.
Another way of looking at the packets is to look at only those packets matching certain criteria. To be really effective at this, you'll need to write a display filter, but Ethereal provides a quick mechanism to create a simple filter for you. If you select a field in tree view pane, for example, selecting an Ethernet II Type field containing ARP, then clicking Display, Match Selected creates a display filter matching all packets with an Ethernet II type of ARP. This is shown in Figures 5 and 6.
){kind=link}
){kind=link}
Figure 5 Selecting content to match.
Figure 6 Ethereal matching selected packets.
Because captured traffic is spread over several packets, it can be difficult to see just what traffic is being pushed around the network. Ethereal provides a way to do this, following a TCP stream. In Figure 7, you can see a TCP stream containing an HTTP session. You can follow a TCP session by selecting a TCP packet in the packet list pane and then clicking Tools, Follow TCP Stream.
){kind=link}
Figure 7 A TCP stream.
In this example, the first block of data is an HTTP request sent by the client. The second block of data is an HTTP error message returned by the server.
Saving a Capture File
Having captured a pile of network traffic, you'll probably want to look at it again later. Ethereal enables you to save your capture to a file. This can be done from the command line (the only way to do it with Tethereal), from the Capture Preferences screen, or after you've stopped a capture by selecting File, Save (which is also accessible from the keyboard shortcut Ctrl+S). This brings up the Save Capture File As window.
This window enables you to save your capture in a number of formats; it also enables you to save only the currently displayed packets (using the Save Only Packets Currently Being Displayed button).
Viewing Saved Captures
Sometimes you'll want to look at traffic that's no longer moving on the network (either for diagnostics or to review or learn more about a protocol). For these cases, Ethereal provides a convenient method for saving and viewing captured files. In fact, Ethereal even provides the capability to view captures saved from other applications.
To view a saved capture, select File, Open, which brings up the Open Capture File interface. This window presents a common file selection tool with which you should select the name of the capture file that you want to view. You can also select the file on startup, using ethereal -r capturefile.
Filtering Packets with Ethereal
Even a small network can have a lot of data running over it. Filters help you cut through the chaff to see just the data you are interested in. Two kinds of filters exist for Ethereal, capture filters and display filters. Capture filters are applied as the data is being read from the network. If traffic doesn't match the filter, it isn't read into Ethereal. Display filters are applied against traffic that Ethereal has already captured. Both styles of filters, with some pros and cons, are covered in the next two sections.
Filtering Packets to Be Captured
Capture filters are written in the libpcap syntax, which is covered in more detail in the section "ngrep" in my previous article, "Troubleshooting Tools." A quick overview is provided here as well. Capture filters are nice because they are very fast and because they operate on the raw traffic as it is being captured. This can be a huge benefit on a busy LAN; you'll get only the traffic you're interested in, not the other 8MB of traffic that you'd otherwise have to wade through. Capture filters are not a panacea, though; they may get you only 50% of the way to your goal. That's where display filters come in.
libpcap-style filters use the <not>[type]<direction>[id] (such as host src 192.168.1.10). These filters can be combined with the conjunctions and and or. If you want to see all traffic between 192.168.1.1 and 192.168.1.10, you can use a filter such as host 192.168.1.1 and host 192.168.1.10. To look at traffic going from 192.168.1.1 to host 192.168.1.10 and not the return traffic, you can do host src 192.168.1.1 and host dst 192.168.1.10.
Filtering Packets to Be Displayed
The display filter syntax is much more expressive (and capable) than the capture filters described previously. Although capture filters are entered at the start of the capture (either on the command line or in the Capture Preferences window), display filters are entered after the capture is complete. With a capture buffer loaded, you can define a display filter in the filter section of the status bar at the bottom of the Main window. You can clear your active display filter by clicking the Reset button.
Display filters have an expressive syntax but can be quite basic. A simple filter to look at all the traffic from 192.168.1.1 to 192.168.1.10 would look like ip.src == 192.168.1.1 && ip.dst == 192.168.1.10.
A much cooler example would be to look at all traffic from 192.168.1.20 or 192.168.1.21 that has the TCP SYN bit set; this would be written as (ip.src==192.168.1.21 or 192.168.1.20) and tcp.flags.syn. If you want to extend the previous section to exclude HTTPS traffic, you could write ((ip.src==192.168.1.21 or 192.168.1.20) and tcp.flags.syn) ! tcp.port==443.
Ethereal provides additional filter comparison operators as well. ==, !=, >, <, >=, and <= are all available in this C-style format or with English-style names. Beyond this, you can use a substring operator to match fields within a value. For example, you might want to match on the first three octets of an Ethernet source address; you could do that with eth.src [0:3] == 00:a0:d2.
Reporting Bugs
If you happen to find a bug in Ethereal, please report it. If you're a C hacker and think you know how to fix it, don't hesitate to send in a patch as well. (Your patch might not be used, but it will likely help the developers see where things are going wrong.)
Bug reports can be directed to the ethereal-dev mailing list (you can subscribe through http://ethereal.zing.org/; click the Mailing Lists link on the left side). Your bug report should include the following three things (at a minimum):
The version of Ethereal that you are using and the versions of software that it is linked against. This can be grabbed from ethereal -v, like so:
[pate@cherry sgml]$ ethereal -v ethereal 0.8.7, with GTK+1.2.7, with libpcap 0.4,
A traceback of Ethereal, if it crashed. To get a core file, look for a core file in your current working directory, run file core against it to ensure that it is the Ethereal core file (you also might want to verify the date of the core file, just to be safe), and then run the following commands:
[pate@cherry pate]$ gdb /usr/bin/ethereal core >
This will create a file called backtrace.txt, which you can mail in with your bug report.
A description of what you were doing when Ethereal exhibited the bug. The more detail you can add here, the better.
Creating a good bug report is an art form, but it's something that should be taken seriously. The developers of Ethereal can't help fix problems if they don't know what is broken.