Chapter 3. Using Ethereal
8.Specify that transport name resolution is to be performed for all transport (TCP/UDP port) addresses in packets by clicking on the "Enable transport name resolution" check button.
9.Type in the name of the capture file you wish to open, as a standard file name in your file system.
10.Click on OK to accept your selected file and open it. If Ethereal recognizes the capture format, it will display the packets read from the capture file in the packet list pane. If it does not recognize the capture format, it will display an error dialog box. After clicking OK, you can try another file.
11.Click on Cancel to go back to Ethereal and not load a capture file.
Filtering packets while viewing
Ethereal has two filtering languages: One used when capturing packets, and one used when displaying packets. In this section we explore that second type of filters: Display filters. The first one has already been dealt with in the section called Filtering while capturing.
Display filters allow you to concentrate on the packets you are interested in. They allow you to select packets by:
•Protocol
•The presence of a field
•The values of fields
•A comparison between fields
To select packets based on protocol type, simply type the protocol you are interested in in the Filter: field on the bottom left hand corner of the Ethereal window and press enter to initiate the filter. Figure 3-17 shown an example of what happens when you type smb in the filter field.
Note!: All filter expressions are entered in lowercase. Also, don’t forget to press enter after entering the filter expression.
70
Chapter 3. Using Ethereal
Figure 3-17. Filtering on the SMB protocol
Note!: The packets selected in Figure 3-17 all show up as BROWSER packets but they are carried in SMB packets.
You can filter on any protocol that Ethereal understands. However, you can also filter on any field that a dissector adds to the tree view, but only if the dissector has added an abbreviation for the field. A list of such fields is available in the Ethereal in the Add Expression... dialog box. You can find more information on the Add Expression...
dialog box in the section called The Add Expression Dialog. You may also find a list of the fields in Appendix A
For example, to narrow the packet list pane down to only those packets to or from 10.0.0.5, use ip.addr==10.0.0.5.
Note!: To remove the filter, click on the Reset button to the right of the filter field.
71
Chapter 3. Using Ethereal
Building filter expressions
Ethereal provides a simple display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.
Comparing values
You can build display filters that compare values using a number of different comparison operators. They are shown in Table 3-7.
Table 3-7. Display filter comparison operators
English |
C-like |
Description and example |
eq |
== |
Equal |
|
|
ip.addr==10.0.0.5 |
|
|
|
ne |
!= |
Not equal |
|
|
ip.addr!=10.0.0.5 |
|
|
|
gt |
> |
Greater than |
|
|
frame.pkt_len > 10 |
|
|
|
lt |
< |
Less than |
|
|
frame.pkt_len < 128 |
|
|
|
ge |
>= |
Greater than or equal to |
|
|
frame.pkt_len ge 0x100 |
|
|
|
le |
<= |
Less than or equal to |
|
|
frame.pkt_len <= 0x20 |
|
|
|
In addition, all protocol fields are typed. Table 3-8 provides a list of the types and example of how to express them.
72
Chapter 3. Using Ethereal
Table 3-8. Field Types
Type |
Example |
|
Unsigned integer (8-bit, 16-bit, 24-bit, |
You can express integers in dec- |
|
32-bit) |
imal, octal, or hexadecimal. The |
|
|
following display filters are equiva- |
|
|
lent: |
ip.len le 1500 |
|
ip.len le 02734 |
|
|
ip.len le 0x436 |
|
|
|
|
Signed integer (8-bit, 16-bit, 24-bit, |
|
|
32-bit) |
|
|
Boolean |
A boolean field is present in the |
|
|
protocol decode only if its value is true. |
|
|
For example, tcp.flags.syn is present, |
|
|
and thus true, only if the SYN flag is |
|
|
present in a TCP segment header. |
|
|
Thus the filter expression tcp.flags.syn |
|
|
will select only those packets for which |
|
|
this flag exists, that is, TCP segments |
|
|
where the segment header contains the |
|
|
SYN flag. Similarly, to find source-routed |
|
|
token ring packets, use a filter expression |
|
|
of tr.sr. |
|
|
|
|
Ethernet address (6 bytes) |
|
|
IPv4 address |
|
|
IPv6 address |
|
|
IPX network number |
|
|
String (text) |
|
|
Double-precision floating point number |
|
|
Combining expressions
You can combine filter expressions in Ethereal using the logical operators shown in Table 3-9
Table 3-9. Display Filter Logical Operations
English |
C-like |
Description and example |
73
Chapter 3. Using Ethereal
English |
C-like |
Description and example |
and |
&& |
Logical AND |
ip.addr==10.0.0.5 and tcp.flags.fin
or |
|| |
Logical OR |
ip.addr==10.0.0.5 or ip.addr==192.1.1.1
xor |
^^ |
Logical XOR |
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
not |
! |
Logical NOT |
|
|
not llc |
74
Chapter 3. Using Ethereal
English |
C-like |
Description and example |
|
[...] |
|
Substring Operator |
|
|
|
Ethereal will allow you to |
|
|
|
select subsequences of a |
|
|
|
sequence in rather elab- |
|
|
|
orate ways. After a la- |
|
|
|
bel you can place a pair |
|
|
|
of brackes [] containing a |
|
|
|
comma separated list of |
|
|
|
range specifiers. |
|
|
|
eth.src[0:3] == 00:00:83 |
|
|
|
The example above uses |
|
|
|
the n:m format to specify |
|
|
|
a single range. In this case |
|
|
|
n is the beginning offset |
|
|
|
and m is the length of the |
|
|
|
range being specified. |
|
|
|
eth.src[1-2] == |
00:83 |
|
|
The example above uses |
|
|
|
the n-m format to specify a |
|
|
|
single range. In this case n |
|
|
|
is the beginning offset and |
|
|
|
m is the ending offset. |
|
|
|
eth.src[:4] == 00:00:83:00 |
|
|
|
The example above uses |
|
|
|
the :m format, which takes |
|
|
|
everything from the be- |
|
|
|
ginning of a sequence to |
|
|
|
offset m. It is equivalent to |
|
|
|
0:m |
|
|
|
eth.src[4:] == 20:20 |
|
|
|
The example above uses |
|
|
|
the n: format, which takes |
|
|
|
everything from offset n to |
|
|
|
the end of the sequence. |
|
|
|
eth.src[2] == 83 |
|
|
|
The example above uses |
|
|
|
the n format to specify a |
|
|
|
single range. In this case |
|
|
|
the element in the se- |
|
|
|
quence at offset n is se- |
|
|
|
lected. This is equivalent |
|
|
|
75 |
|
|
|
to n:1. |
|
|
|
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00: |
|
|
|
|
|