Добавил:
Upload
Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз:
Предмет:
Файл:Сети1 и 2 сем 2011 / 1 сем / Ethereal / user-guide.pdf
X
- •Table of Contents
- •Foreword
- •Acknowledgments
- •Chapter 1. Introduction
- •About this manual
- •What is Ethereal?
- •The status of Ethereal
- •Development and maintenance of Ethereal
- •A rose by any other name
- •A brief history of Ethereal
- •Platforms Ethereal runs on
- •Where to get Ethereal
- •Reporting problems and getting help
- •Where to get the latest copy of this document
- •Providing feedback
- •Chapter 2. Building and Installing Ethereal
- •Introduction
- •Obtaining the source and binary distributions
- •Before you build Ethereal
- •Building from Source under UNIX
- •Installing the binaries under UNIX
- •Installing from RPMs under Linux
- •Installing from debs under Debian
- •Building from source under Windows
- •Installing Ethereal under Windows
- •Troubleshooting during the install
- •Chapter 3. Using Ethereal
- •Introduction
- •Starting Ethereal
- •The Ethereal menus
- •The Ethereal File menu
- •The Ethereal Edit menu
- •The Ethereal Capture menu
- •The Ethereal Display menu
- •The Ethereal Tools menu
- •The Ethereal Help menu
- •Capturing packets with Ethereal
- •The Capture Preferences dialog box
- •Filtering while capturing
- •Viewing packets you have captured
- •Display Options
- •Saving captured packets
- •The Save Capture File As dialog box
- •The File Open dialog box
- •Filtering packets while viewing
- •Comparing values
- •Combining expressions
- •Packet colorization
- •Finding frames
- •Following TCP streams
- •The Add Expression Dialog
- •Printing packets
- •Ethereal preferences
- •Files used by Ethereal
- •Chapter 4. Troubleshooting with Ethereal
- •An approach to troubleshooting with Ethereal
- •Capturing in the presence of switches and routers
- •Examples of troubleshooting
- •Chapter 5. Related tools
- •Capturing with tcpdump for viewing with Ethereal
- •Using editcap
- •Converting ASCII hexdumps to network captures with text2pcap
- •What is it?
- •Why do this?
- •TODO
- •Limitations
- •Notes
- •Appendix A. Ethereal Display Filter Fields
- •802.1q Virtual LAN (vlan)
- •802.1x Authentication (eapol)
- •AOL Instant Messenger (aim)
- •ATM LAN Emulation (lane)
- •Address Resolution Protocol (arp)
- •Aggregate Server Access Protocol (asap)
- •Andrew File System (AFS) (afs)
- •Apache JServ Protocol v1.3 (ajp13)
- •AppleTalk Filing Protocol (afp)
- •AppleTalk Session Protocol (asp)
- •AppleTalk Transaction Protocol packet (atp)
- •Appletalk Address Resolution Protocol (aarp)
- •Async data over ISDN (V.120) (v120)
- •Authentication Header (ah)
- •BACnet Virtual Link Control (bvlc)
- •Banyan Vines (vines)
- •Blocks Extensible Exchange Protocol (beep)
- •Boot Parameters (bootparams)
- •Bootstrap Protocol (bootp)
- •Border Gateway Protocol (bgp)
- •Building Automation and Control Network APDU (bacapp)
- •Building Automation and Control Network NPDU (bacnet)
- •Cisco Discovery Protocol (cdp)
- •Cisco Group Management Protocol (cgmp)
- •Cisco HDLC (chdlc)
- •Cisco Hot Standby Router Protocol (hsrp)
- •Cisco ISL (isl)
- •Cisco Interior Gateway Routing Protocol (igrp)
- •Cisco SLARP (slarp)
- •CoSine IPNOS L2 debug output (cosine)
- •Common Open Policy Service (cops)
- •Common Unix Printing System (CUPS) Browsing Protocol (cups)
- •DCE RPC (dcerpc)
- •DCE/RPC Conversation Manager (conv)
- •DCE/RPC Endpoint Mapper (epm)
- •DCE/RPC Remote Management (mgmt)
- •DCOM OXID Resolver (oxid)
- •DCOM Remote Activation (remact)
- •DHCPv6 (dhcpv6)
- •Data (data)
- •Data Link SWitching (dlsw)
- •Data Stream Interface (dsi)
- •Datagram Delivery Protocol (ddp)
- •Diameter Protocol (diameter)
- •Distance Vector Multicast Routing Protocol (dvmrp)
- •Distributed Checksum Clearinghouse Prototocl (dccp)
- •Domain Name Service (dns)
- •Dynamic DNS Tools Protocol (ddtp)
- •Encapsulating Security Payload (esp)
- •Enhanced Interior Gateway Routing Protocol (eigrp)
- •Ethernet (eth)
- •Extensible Authentication Protocol (eap)
- •Fiber Distributed Data Interface (fddi)
- •File Transfer Protocol (FTP) (ftp)
- •Frame (frame)
- •Frame Relay (fr)
- •GARP Multicast Registration Protocol (gmrp)
- •GARP VLAN Registration Protocol (gvrp)
- •GPRS Tunneling Protocol (gtp)
- •GPRS Tunnelling Protocol v0 (gtpv0)
- •GPRS Tunnelling Protocol v1 (gtpv1)
- •Generic Routing Encapsulation (gre)
- •Gnutella Protocol (gnutella)
- •Hummingbird NFS Daemon (hclnfsd)
- •Hypertext Transfer Protocol (http)
- •ICQ Protocol (icq)
- •IEEE 802.11 wireless LAN (wlan)
- •ILMI (ilmi)
- •IP Payload Compression (ipcomp)
- •IPX Message (ipxmsg)
- •IPX Routing Information Protocol (ipxrip)
- •ISDN User Part (isup)
- •ISO 8473 CLNP ConnectionLess Network Protocol (clnp)
- •ISO 8602 CLTP ConnectionLess Transport Protocol (cltp)
- •ISO 9542 ESIS Routeing Information Exchange Protocol (esis)
- •Internet Cache Protocol (icp)
- •Internet Content Adaptation Protocol (icap)
- •Internet Control Message Protocol (icmp)
- •Internet Control Message Protocol v6 (icmpv6)
- •Internet Group Management Protocol (igmp)
- •Internet Message Access Protocol (imap)
- •Internet Printing Protocol (ipp)
- •Internet Protocol (ip)
- •Internet Protocol Version 6 (ipv6)
- •Internet Relay Chat (irc)
- •Internet Security Association and Key Management Protocol (isakmp)
- •Internetwork Packet eXchange (ipx)
- •Java RMI (rmi)
- •Java Serialization (serialization)
- •Kerberos (kerberos)
- •Kernel Lock Manager (klm)
- •Label Distribution Protocol (ldp)
- •Layer 2 Tunneling Protocol (l2tp)
- •Lightweight Directory Access Protocol (ldap)
- •Line Printer Daemon Protocol (lpd)
- •Link Access Procedure Balanced (LAPB) (lapb)
- •Link Access Procedure Balanced Ethernet (LAPBETHER) (lapbether)
- •Link Access Procedure, Channel D (LAPD) (lapd)
- •Link Aggregation Control Protocol (lacp)
- •Link Management Protocol (LMP) (lmp)
- •Local Management Interface (lmi)
- •LocalTalk Link Access Protocol (llap)
- •Lucent/Ascend debug output (ascend)
- •MMS Message Encapsulation (mmse)
- •MS Proxy Protocol (msproxy)
- •MTP 2 Transparent Proxy (m2tp)
- •MTP 2 User Adaptation Layer (m2ua)
- •MTP 3 User Adaptation Layer (m3ua)
- •MTP2 Peer Adaptation Layer (m2pa)
- •Malformed Packet (malformed)
- •Message Transfer Part Level 2 (mtp2)
- •Message Transfer Part Level 3 (mtp3)
- •Microsoft Distributed File System (dfs)
- •Microsoft Exchange MAPI (mapi)
- •Microsoft Local Security Architecture (lsa)
- •Microsoft Registry (winreg)
- •Microsoft Security Account Manager (samr)
- •Microsoft Server Service (srvsvc)
- •Microsoft Spool Subsystem (spoolss)
- •Microsoft Telephony API Service (tapi)
- •Microsoft Windows Browser Protocol (browser)
- •Microsoft Windows Lanman Remote API Protocol (lanman)
- •Microsoft Windows Logon Protocol (netlogon)
- •Microsoft Workstation Service (wkssvc)
- •Mobile IP (mip)
- •Modbus/TCP (mbtcp)
- •Mount Service (mount)
- •MultiProtocol Label Switching Header (mpls)
- •Multicast Router DISCovery protocol (mrdisc)
- •Multicast Source Discovery Protocol (msdp)
- •NFSACL (nfsacl)
- •NFSAUTH (nfsauth)
- •NIS+ (nisplus)
- •NIS+ Callback (nispluscb)
- •NSPI (nspi)
- •NTLM Secure Service Provider (ntlmssp)
- •Name Binding Protocol (nbp)
- •Name Management Protocol over IPX (nmpi)
- •NetBIOS (netbios)
- •NetBIOS Datagram Service (nbdgm)
- •NetBIOS Name Service (nbns)
- •NetBIOS Session Service (nbss)
- •NetBIOS over IPX (nbipx)
- •NetWare Core Protocol (ncp)
- •Network Data Management Protocol (ndmp)
- •Network File System (nfs)
- •Network Lock Manager Protocol (nlm)
- •Network News Transfer Protocol (nntp)
- •Network Status Monitor CallBack Protocol (statnotify)
- •Network Status Monitor Protocol (stat)
- •Network Time Protocol (ntp)
- •Null/Loopback (null)
- •Open Shortest Path First (ospf)
- •PC NFS (pcnfsd)
- •PPP Bandwidth Allocation Control Protocol (bacp)
- •PPP Bandwidth Allocation Protocol (bap)
- •PPP Callback Control Protocol (cbcp)
- •PPP Challenge Handshake Authentication Protocol (chap)
- •PPP Compression Control Protocol (ccp)
- •PPP IP Control Protocol (ipcp)
- •PPP Link Control Protocol (lcp)
- •PPP Multilink Protocol (mp)
- •PPP Multiplexing (pppmux)
- •PPP Password Authentication Protocol (pap)
- •PPP VJ Compression (vj)
- •PPPMux Control Protocol (pppmuxcp)
- •Portmap (portmap)
- •Pragmatic General Multicast (pgm)
- •Prism (prism)
- •Protocol Independent Multicast (pim)
- •Quake II Network Protocol (quake2)
- •Quake III Arena Network Protocol (quake3)
- •Quake Network Protocol (quake)
- •QuakeWorld Network Protocol (quakeworld)
- •RFC 2250 MPEG1 (mpeg1)
- •RIPng (ripng)
- •RSTAT (rstat)
- •RX Protocol (rx)
- •Radio Access Network Application Part (ranap)
- •Radius Protocol (radius)
- •Raw packet data (raw)
- •Real Time Streaming Protocol (rtsp)
- •Remote Procedure Call (rpc)
- •Remote Quota (rquota)
- •Remote Shell (rsh)
- •Remote Wall protocol (rwall)
- •Resource ReserVation Protocol (RSVP) (rsvp)
- •Rlogin Protocol (rlogin)
- •Routing Information Protocol (rip)
- •Routing Table Maintenance Protocol (rtmp)
- •SADMIND (sadmind)
- •SCSI (scsi)
- •SMB (Server Message Block Protocol) (smb)
- •SMB MailSlot Protocol (mailslot)
- •SMB Pipe Protocol (pipe)
- •SNMP Multiplex Protocol (smux)
- •SPRAY (spray)
- •SSCOP (sscop)
- •Secure Socket Layer (ssl)
- •Sequenced Packet eXchange (spx)
- •Service Advertisement Protocol (ipxsap)
- •Service Location Protocol (srvloc)
- •Session Announcement Protocol (sap)
- •Session Description Protocol (sdp)
- •Session Initiation Protocol (sip)
- •Short Frame (short)
- •Short Message Peer to Peer (smpp)
- •Signalling Connection Control Part (sccp)
- •Simple Mail Transfer Protocol (smtp)
- •Simple Network Management Protocol (snmp)
- •Sinec H1 Protocol (h1)
- •Skinny Client Control Protocol (skinny)
- •SliMP3 Communication Protocol (slimp3)
- •Socks Protocol (socks)
- •Spanning Tree Protocol (stp)
- •Stream Control Transmission Protocol (sctp)
- •Syslog message (syslog)
- •Systems Network Architecture (sna)
- •TACACS (tacacs)
- •TACACS+ (tacplus)
- •TPKT (tpkt)
- •Telnet (telnet)
- •Time Protocol (time)
- •Time Synchronization Protocol (tsp)
- •Transmission Control Protocol (tcp)
- •Transparent Network Substrate Protocol (tns)
- •Trivial File Transfer Protocol (tftp)
- •Universal Computer Protocol (ucp)
- •Unreassembled Fragmented Packet (unreassembled)
- •User Datagram Protocol (udp)
- •Virtual Router Redundancy Protocol (vrrp)
- •Virtual Trunking Protocol (vtp)
- •Web Cache Coordination Protocol (wccp)
- •X Display Manager Control Protocol (xdmcp)
- •X.25 over TCP (xot)
- •Xyplex (xyplex)
- •Yahoo Messenger Protocol (yhoo)
- •Yellow Pages Bind (ypbind)
- •Yellow Pages Passwd (yppasswd)
- •Yellow Pages Service (ypserv)
- •Yellow Pages Transfer (ypxfr)
- •Zebra Protocol (zebra)
- •Zone Information Protocol (zip)
- •iSCSI (iscsi)
- •Appendix B. Ethereal Error Messages
- •Appendix C. The GNU Free Document Public Licence
- •Copyright
- •Preamble
- •Verbatim Copying
- •Copying in Quantity
- •Combining Documents
- •Collections of Documents
- •Aggregation with Independent Works
- •Translation
- •Termination
- •Future Revisions of this License
Chapter 4. Troubleshooting with Ethereal
An approach to troubleshooting with Ethereal
Ethereal is a very useful tool for network troubleshooting, since it contains a number of features that allow you to quickly focus on problems in your networkfor several reasons:
•It allows you to focus in on specific packets and protocols, as you can see a large amount of detail associated with various protocols.
•It supports a large number of protocols, and the list of protocols supported is growing as more people contribute dissectors
•By giving you a visual view of traffic in parts of your network, and providing tools to filter and colorize that information, you can get a better feel for your network traffic, and can understand your network better.
The following general approach is suggested:
•Determine that the problem looks like a networking problem. There is no point in capturing packets if the problem is not networking related.
•Figure out where to capture packets. You will have to capture packets from a part of the network where you can actually get network traffic related to the problem. This is especially important in the presence of switches and routers. See the section called Capturing in the presence of switches and routers for more details.
Because Ethereal can read many capture file formats, you can capture using any conventient tool. One useful approach is to use tcpdump to capture on remote systems and then copy the capture file to your system for later analysis. For more details on capturing with tcpdump, see the section called Capturing with tcpdump for viewing with Ethereal in Chapter 5.
•Once you have captured packets that you think relate to the problem, load them into Ethereal and look for your problem. Using Ethereal’s filtering and colorization capabilities, you can quickly narrow down the capture to the area of interest.
•Examine the appropriate fields within the packets where the problem appears to be. These can often help to reveal the problem.
Capturing in the presence of switches and routers
Many vendor’s switches support a feature known as "port spanning" or "port mirroring" in which all of the traffic to and from port A are also sent out port B. An excellent reference on the "port spanning" feature of Cisco switches can be found at Configuring the Catalyst Switched Port Analyzer (SPAN) Feature 1
91
Chapter 4. Troubleshooting with Ethereal
Examples of troubleshooting
Troubleshooting often requires a reasonable knowledge of the protocols in question, however, you can often get a good idea of what might be going wrong simply by looking in the packets being exchanged.
Notes
1. http://www.cisco.com/warp/public/473/41.html
92