Tethereal Utility

Tethereal is part of the Ethereal (Wireshark) distribution. Just like tcpdump, Ethereal is built on the libpcap interface. There are two main versions of Ethereal: a text-based version called “tethereal” and a GUI-based version called “Wireshark”. The text-based version is very similar in syntax to the tcpdump command, again because both use the same underlying libpcap engine.

Tethereal Examples


  • # tethereal -w /tmp/ethereal.out -ni eth1

[screenshot: Tethereal-1]

  • tethereal -r /tmp/ethereal.out

[screenshot: Tethereal-2]

Using Filter Expressions


It may be easy to identify specific traffic streams on small or idle networks. It is much harder on large WANs or saturated networks. The ability to use filter expressions is extremely important in these cases to cut out unwanted “noise” packets and leave only the traffic in question. Fortunately, the libpcap-based utilities and the snoop utility all use the same filter syntax.

There are many ways to filter traffic in all of these utilities; the most common filters are by port, protocol, and host. The following example captures only SMTP traffic to or from host 192.168.1.101:

  • gnutoolbox~]# tethereal -ni eth0 port 25 and host 192.168.1.101

The tethereal utility provides the ability to print the entire Ethernet frame in detail. The following example displays the Ethernet portion of a single packet:

  • tethereal -nVi eth0 -c 1

[screenshot: tethereal-3]

In the following example, the tethereal command captures only broadcast traffic and picks up an SMB-enabled device broadcasting over Ethernet:

# tethereal -nVi eth0 broadcast

[screenshot: tethereal-broadcast]

With -V, tethereal displays the entire header format of the ARP request and reply:

  • # tethereal -V -c 2 -ni eth0 arp

[screenshot: tethereal-arp]

Capturing an ICMP exchange between two hosts using tethereal

  • # ping 192.168.1.220
  • # tethereal -nVi eth0 icmp

[screenshot: tethereal-ping]

The default output of tethereal is less detailed than the tcpdump output. The differences are listed below:

  • Packet numbering – the first column of output shows the packet number relative to the order of the capture
  • Relative time – the time (in seconds) the packet was captured relative to the start of the capture (0.0 seconds)
  • Application summary data – all packets summarized by application type (TLS Application Data, for example)
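The column layout just listed makes the default summary easy to post-process when hunting through a large capture. The script below is an added example, not code from this page or from the Ethereal project: it parses the one-line-per-packet summary (packet number, relative time, source, "->", destination, protocol, application summary) into records and derives per-protocol counts, the gap between consecutive packets, and the host pairs that exchanged a given protocol. The sample output embedded in it is constructed for the example, and the exact column spacing it assumes is an assumption about the default layout rather than something the page shows.

```python
"""Parse tethereal's default one-line-per-packet summary output."""
import re
from collections import Counter

# Constructed sample output (not captured from a real system). The columns
# follow the default summary layout described above, which is assumed here:
# packet number, relative time, source, "->", destination, protocol, summary.
SAMPLE_OUTPUT = """\
  1   0.000000 192.168.1.101 -> 192.168.1.220 ICMP Echo (ping) request
  2   0.000412 192.168.1.220 -> 192.168.1.101 ICMP Echo (ping) reply
  3   0.998731 192.168.1.101 -> 192.168.1.220 ICMP Echo (ping) request
  4   0.999102 192.168.1.220 -> 192.168.1.101 ICMP Echo (ping) reply
  5   1.204455 00:0c:29:aa:bb:cc -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.1?  Tell 192.168.1.101
  6   1.204998 00:50:56:11:22:33 -> 00:0c:29:aa:bb:cc ARP 192.168.1.1 is at 00:50:56:11:22:33
  7   2.310000 192.168.1.101 -> 192.168.1.25 TCP 34567 > 25 [SYN] Seq=0
  8   2.310500 192.168.1.25 -> 192.168.1.101 TCP 25 > 34567 [SYN, ACK] Seq=0 Ack=1
  9   2.311000 192.168.1.101 -> 192.168.1.25 SMTP Command: EHLO gnutoolbox
"""

# One summary line: number, relative seconds, src, "->", dst, protocol, rest.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$"
)


def parse_summary(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "num": int(m["num"]),
            "time": float(m["time"]),
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "info": m["info"].strip(),
        })
    return packets


def protocol_counts(packets):
    """How many packets the capture holds per protocol column value."""
    return Counter(p["proto"] for p in packets)


def interpacket_gaps(packets):
    """Relative time is cumulative since capture start (0.0 s), so the gap
    between consecutive packets is the difference of adjacent timestamps.
    Returns (packet number, seconds since the previous packet) pairs."""
    gaps = []
    for prev, cur in zip(packets, packets[1:]):
        gaps.append((cur["num"], round(cur["time"] - prev["time"], 6)))
    return gaps


def talkers(packets, proto):
    """Distinct (src, dst) pairs seen for one protocol, e.g. who spoke SMTP."""
    return sorted({(p["src"], p["dst"]) for p in packets if p["proto"] == proto})


if __name__ == "__main__":
    pk = parse_summary(SAMPLE_OUTPUT)
    print("packets:", len(pk))
    print("by protocol:", dict(protocol_counts(pk)))
    print("largest gap:", max(interpacket_gaps(pk), key=lambda g: g[1]))
    print("SMTP talkers:", talkers(pk, "SMTP"))
```

Feeding real output is a matter of piping `tethereal -r /tmp/ethereal.out` into the script instead of using the constructed sample; because the parser works on the summary columns only, the same logic applies whether the capture was taken with a port, host, broadcast or icmp filter.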

Useful Links:

Tethereal man page:

Tethereal rpm download: