If you've ever been a network administrator, the call you dread the most might be the one you receive in the middle of the night from a panicked employee stating that a portion of your critical network has gone down. What troubleshooting options are available to provide answers to your network problem? Besides having a proactive helpdesk that can "read" the mind of your network, an important part of troubleshooting involves using a network protocol analyzer. If you've done your research, you realize that there are many choices on the market today that may satisfy your needs but make a dent in your company's pocketbook. Plus, you have to factor in training your helpdesk on how to use the new tool and whether it will provide some type of return on investment (ROI). After thoroughly researching tools to analyze and troubleshoot a network, we decided to use Ethereal. Other products such as Sniffer® Portable by Network General and Observer® by Network Instruments provided more options but were only available in "demo" versions and didn't provide full functionality. Since we wanted to use Tcpdump as one of the tools in our network troubleshooting arsenal, it made sense to run Ethereal since it supports this type of filter. So, what is Ethereal?
Ethereal is a network analyzer. It has the ability to read packets from a network, decipher them, and then display the results in a very intuitive GUI. According to the book Ethereal Packet Sniffing, "the most important aspects of Ethereal are as follows: that it is open source, actively maintained, and free". Our research also found that Ethereal supports TcpDump-format capture filters, supports over 700 protocols (new ones are added on a regular basis), and can capture data from Ethernet, Token Ring, 802.11 Wireless, etc. For anyone interested in a command line interface (CLI) for Ethereal, you're in luck, since there is a CLI version available called tethereal.
History of Ethereal
Ethereal is a fairly mature networking tool that was developed by Gerald Combs back in 1997, but has only been available to users since 1998. Something unique to this tool is the numerous dissectors that are available. If you're like me, you may ask yourself, what are dissectors? According to Brockmeier, they "are what allow Ethereal to decode individual protocols and present them in readable format". Since the code is open source, you will notice every few months that the list of supported protocols has increased due to individual contributions to Ethereal. As with Linux and other open source software, continued community support will only improve the features and overall usability of the tool.
Using Ethereal in Your Network
According to Brockmeier, network placement is critical for proper analysis and troubleshooting. If you find yourself working at a large corporation, it's inevitable that you will be working in multiple buildings, across campuses, throughout the country, and perhaps overseas. When troubleshooting devices, it's vital to verify that you are on the correct segment of the network. This will save not only time but money, since you can use your resources more efficiently. It makes sense to have a laptop computer (with some type of network analyzer installed) for troubleshooting network-related issues, since not all network-related problems occur on the same subnet of your network. Figure 1 depicts a basic network setup where you could use Ethereal to view protocol activity from router to server, etc.
Figure 1. Compliments of Ethereal Packet Sniffing, 2004
What is TcpDump?
To troubleshoot the network we also used a tool called TcpDump. TcpDump is a network utility that listens to and records traffic on a network. TcpDump helps in solving problems that can be found at the packet or frame level. By default, it puts the network interface into promiscuous mode to capture every packet going across the wire. The user can specify a...
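To make concrete what "recording traffic" and "dissectors" mean in practice, here is an added example (not code from the article, Ethereal or TcpDump) that walks a libpcap capture file of the kind TcpDump writes and Ethereal opens, and runs a minimal Ethernet/IPv4/TCP dissector over each record. The sample capture, its addresses and ports are constructed inline so the example runs offline; it decodes Ethernet link-type captures only and ignores IP options and checksums.

```python
import socket
import struct

# Constructed sample: one Ethernet/IPv4/TCP SYN wrapped in a libpcap file
# (the format tcpdump -w writes and Ethereal opens), built inline so the
# example runs offline.  Checksums are left zero; nothing validates them.
def build_sample_pcap() -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"))
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1_100_000_000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def dissect_ethernet(frame: bytes) -> dict:
    """Minimal dissector: Ethernet -> IPv4 -> TCP/UDP header fields."""
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != 0x0800 or len(frame) < 34:
        return pkt                     # not IPv4, or too short to decode
    ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
    pkt.update(src=socket.inet_ntoa(frame[26:30]),
               dst=socket.inet_ntoa(frame[30:34]), proto=frame[23])
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:     # TCP or UDP ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if pkt["proto"] == 6 and len(l4) >= 14:          # TCP flags byte
        pkt["tcp_flags"] = l4[13]
    return pkt

def read_pcap(data: bytes) -> list:
    """Walk the libpcap file: global header, then (record header, frame) pairs."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a libpcap capture (bad magic number)")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("this example decodes Ethernet (link type 1) only")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:      # truncated last record (e.g. capture killed)
            break
        pkt = dissect_ethernet(frame)
        pkt["ts"] = ts_sec + ts_usec / 1e6
        packets.append(pkt)
        off += 16 + incl_len
    return packets
```

Feeding `read_pcap` a file written with `tcpdump -w` shows the same source, destination and port fields that Ethereal's dissectors display, which is why a capture taken on the right network segment with one tool can be analyzed later in the other.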