
Chapter 3. Using Ethereal

Saving captured packets

You can save captured packets simply by using the Save As... menu item from the File menu under Ethereal. You can choose to save all packets that were captured or only the packets currently being displayed.

The Save Capture File As dialog box

The Ethereal Save Capture File As dialog box allows you to save the current capture to a file. Figure 3-15 shows an example of this dialog box.

Figure 3-15. The Ethereal Save Capture File As dialog box

With this dialog box, you can perform the following actions:

1. Create directories with the Create Dir button.

2. Delete files with the Delete File button.

3. Rename files with the Rename File button.

4. Select files and directories with the directories and files list boxes and the file system hierarchy drop-down box.

5. Save only the packets currently being displayed (as opposed to all the packets captured) by clicking on the "Save only packets currently being displayed" radio button.


6. Save only the marked packets (as opposed to all the packets captured) by clicking on the "Save only marked packets" radio button. More on marking packets can be found in the section called The Ethereal Edit menu.

7. Specify the format of the saved capture file by clicking on the File type drop-down box. You can choose from among the following types:

a. libpcap (tcpdump, Ethereal, etc.)

b. modified libpcap (tcpdump)

c. RedHat Linux libpcap (tcpdump)

d. Network Associates Sniffer (DOS based)

e. Sun Snoop

f. Microsoft Network Monitor 1.x

g. Network Associates Sniffer (Windows based) 1.1

Note!: Some capture formats may not be available, depending on the frame types captured.

Note!: You can convert capture files from one format to another by reading in a capture file and writing it out using a different format.

8. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.

9. Click on OK to accept your selected file and save to it. If Ethereal has a problem saving the captured packets to the file you specified, it will display an error dialog box. After clicking OK, you can try another file.

10. Click on Cancel to go back to Ethereal and not save the captured packets.

Reading capture files

Ethereal can read in previously saved capture files, and in addition, because it is built with a subroutine library called libwiretap, it can read capture files from a number of other packet capture programs as well. The following is the list of capture formats it understands:

tcpdump and Ethereal

snoop (including Shomiti) and atmsnoop

LanAlyzer

Sniffer (compressed or uncompressed)


Microsoft Network Monitor

AIX’s iptrace

NetXray

Sniffer Pro

RADCOM’s WAN/LAN analyzer

Lucent/Ascend router debug output

HP-UX’s nettl

the dump output from Toshiba’s ISDN routers

i4btrace from the ISDN4BSD project

You only need to get these files onto your system and Ethereal can read them. To read them, simply select the Open menu item from the File menu. Ethereal will then pop up the File Open dialog box, which is discussed in more detail in the section called The File Open dialog box.
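The libpcap (tcpdump) format listed first in the Save dialog, the "save only packets currently being displayed" option, and the note that a capture can be converted simply by reading it in and writing it out all come down to the same small on-disk layout. The following is an added example, not code from the Ethereal project or from this guide: a minimal reader and writer for the classic libpcap file format (24-byte global header, 16-byte record header per packet), with a filter predicate that plays the role of a display filter when re-saving. The two sample Ethernet frames are constructed, not real traffic; the function names, the `is_ipv4` predicate and the `save_displayed` helper are this example's own choices. The reader treats the file as untrusted input and bounds-checks every length field before using it, which is the check a practitioner wants when opening captures of unknown origin.

```python
"""Minimal libpcap capture file reader/writer (added example, not Ethereal code)."""
import struct
from typing import Callable, Iterable, Iterator, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
LINKTYPE_ETHERNET = 1

GLOBAL_HDR = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_frac, incl_len (bytes stored), orig_len (bytes on the wire)

Packet = Tuple[float, bytes]   # (timestamp in seconds, captured frame bytes)


def write_pcap(packets: Iterable[Packet], snaplen: int = 65535,
               linktype: int = LINKTYPE_ETHERNET, endian: str = "<") -> bytes:
    """Serialise (timestamp, frame) pairs as a microsecond-resolution pcap file."""
    out = [struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, frame in packets:
        orig_len = len(frame)
        stored = frame[:snaplen]            # a capture tool truncates at the snapshot length
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack(endian + RECORD_HDR, sec, usec, len(stored), orig_len))
        out.append(stored)
    return b"".join(out)


def read_pcap(blob: bytes) -> Iterator[Packet]:
    """Parse a pcap file of either byte order; reject malformed input instead of guessing."""
    if len(blob) < 24:
        raise ValueError("too short to hold a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap capture file (unknown magic)")
    _, major, minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack(endian + GLOBAL_HDR, blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    frac_divisor = 1_000_000_000 if magic == PCAP_MAGIC_NSEC else 1_000_000
    offset = 24
    while offset < len(blob):
        if len(blob) - offset < 16:
            raise ValueError(f"truncated record header at offset {offset}")
        sec, frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, blob[offset:offset + 16])
        offset += 16
        # Bounds-check the length field before trusting it: a corrupt or hostile file can
        # claim more bytes than the snapshot length or than actually remain in the file.
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(blob) - offset:
            raise ValueError(f"bad incl_len {incl_len} at offset {offset - 16}")
        frame = blob[offset:offset + incl_len]
        offset += incl_len
        yield (sec + frac / frac_divisor, frame)


def save_displayed(blob: bytes, keep: Callable[[Packet], bool]) -> bytes:
    """Read a capture and write it back keeping only packets that satisfy `keep`,
    i.e. the "save only packets currently being displayed" behaviour as a function."""
    return write_pcap(p for p in read_pcap(blob) if keep(p))


def is_ipv4(packet: Packet) -> bool:
    """Display-filter stand-in: Ethernet II frames whose EtherType is 0x0800."""
    frame = packet[1]
    return len(frame) >= 14 and frame[12:14] == b"\x08\x00"


# Constructed sample frames (not real traffic): 14-byte Ethernet header plus dummy payload.
# EtherType 0x0800 marks IPv4, 0x0806 marks ARP.
_DST = bytes.fromhex("ffffffffffff")
_SRC = bytes.fromhex("020000000001")
SAMPLE_PACKETS: List[Packet] = [
    (1.000250, _DST + _SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19),   # IPv4, 34 bytes
    (1.000500, _DST + _SRC + b"\x08\x06" + b"\x00" * 28),             # ARP, 42 bytes
]


def demo() -> dict:
    """Write all sample packets, then re-save only the 'displayed' (IPv4) ones."""
    full = write_pcap(SAMPLE_PACKETS)
    displayed = save_displayed(full, is_ipv4)
    return {
        "packets_in_full": len(list(read_pcap(full))),
        "packets_in_displayed": len(list(read_pcap(displayed))),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module writes a two-packet capture and re-saves it through the `is_ipv4` predicate, leaving one packet; passing `endian=">"` to `write_pcap` produces a big-endian file that `read_pcap` still detects from the magic number, which is why a converter built on this pair can read a capture produced on one architecture and write it for another.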

The File Open dialog box

The Ethereal File Open dialog box allows you to search for a capture file containing previously captured packets for display in Ethereal. Figure 3-16 shows an example of the Ethereal Open File Dialog box.


Figure 3-16. The Ethereal Open File Dialog box

With this dialog box, you can perform the following actions:

1. Create directories with the Create Dir button.

2. Delete files with the Delete File button.

3. Rename files with the Rename File button.

4. Select files and directories with the directories and files list boxes and the file system hierarchy drop-down box.

5. Specify a display filter with the Filter button and filter field. Clicking on the Filter button causes Ethereal to pop up the Filters dialog box (which is discussed further in the section called Filtering packets while viewing).

6. Specify that MAC name resolution is to be performed for all MAC addresses in packets by clicking on the "Enable MAC name resolution" check button.

7. Specify that DNS name resolution is to be performed for all IP addresses in packets by clicking on the "Enable network name resolution" check button.

Note: Enabling network name resolution when your DNS server is unavailable may significantly slow Ethereal while it waits for all of the DNS requests to time out.
