Wednesday, January 5, 2011

Sniffers - Tool: Ethereal

Ethereal is a free network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. Interactive browsing of the captured data, viewing summary and detailed information for each packet are part of the basic functionality of the sniffer. Ethereal has several powerful features, including a display filter language and the ability to view the reconstructed stream of a TCP session.

Recent versions of Ethereal have included many enhancements to the interface. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms). Let us take a closer look. We run Ethereal over the LAN (which is not switched) and take a look at the captured data. We sort by the protocol and notice a POP session.
Ethereal lets us follow the entire conversation as shown in the screenshot below.

We are able to reconstruct the client-server conversation as displayed by two different colors. We are able to make out the email service provider, the user name and password from the reconstruction of the sniffed packets. That is not all. We were also able to pick a chat thread from the thousands of packets that passed by in the two minutes.


