Ethereal can be used to capture packets from the network and analyze them. The following describes how to use Ethereal on Windows.
Install
1) Install WinPcap: http://netgroup-serv.polito.it/winpcap/install/Default.htm
2) Install Ethereal: http://www.ethereal.com/
Use
It is a Windows program and easy to use.
After starting Ethereal, select Capture > Start. When you want to stop capturing, click Stop; the captured packets are then displayed in the panel and can be analyzed.
Ethereal capture options
Interface: specifies the interface (NIC) on which packets are captured. Usually there is only one NIC, so the default can be used.
Limit each packet: limits how many bytes of each packet are captured; by default packets are not truncated.
Capture packets in promiscuous mode: whether to enable promiscuous mode. If enabled, every packet seen on the wire is captured, not only those addressed to this machine. Usually you only need to monitor the packets received or sent by the local machine, so you should disable this option.
Filter: the capture filter. Only packets matching the filter rules are captured (you can skip this for now).
File: if you want to write the captured packets to a file, enter the file name here.
Use ring buffer: whether to use a ring (circular) buffer. It is not used by default, which means capturing simply continues until you stop it. Note that the ring buffer only takes effect when writing to a file; if you use it, you also need to set the number of files and the file size at which to roll over to the next file.
Leave the other items at their defaults.
Ethereal packet capture filter
The capture filter selects which packets of interest are captured. It uses the libpcap filter language, which the tcpdump manual explains in detail. The basic structure is [not] primitive [and | or [not] primitive ...].
In my opinion, if you want to capture certain packets, you can use either of the following two methods:
1. Define the capture filter before capturing. In this way, only packets of the chosen types are captured;
2. Capture all packets received or sent by the local machine, and then use the display filter described in the next section so that Ethereal only shows the types of packets you want.
Ethereal display filter (key content)
After capturing, use the display filter to find the packets you are interested in. The filter can be based on 1) a protocol, 2) whether a field exists, 3) a field's value, 4) a comparison of field values.
For example, to view only TCP packets, enter tcp in the filter box at the lower left of the Ethereal window and press Enter; only TCP packets are then displayed (as shown in the figure).
Value comparison expressions are built with the following operators; each has an English (natural language) form and a C-like form, and the display filter accepts both. For example:
eq  ==  ip.addr == 10.1.10.20
ne  !=  ip.addr != 10.1.10.20
gt  >   frame.pkt_len > 10
lt  <   frame.pkt_len < 10
ge  >=  frame.pkt_len >= 10
le  <=  frame.pkt_len <= 10
Expressions are combined with the following logical operators, again in English or C-like form. For example:
and  &&  logical AND, e.g. ip.addr == 10.1.10.20 && tcp.flags.fin
or   ||  logical OR, e.g. ip.addr == 10.1.10.20 || ip.addr == 10.1.10.21
xor  ^^  logical XOR, e.g. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
not  !   logical NOT, e.g. !llc
For example:
I want to capture all the HTTP packets received or sent by the host whose IP address is 192.168.2.10. The appropriate filter is:
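The operator tables above, and the earlier point that a capture filter decides what is recorded while a display filter only decides what is shown, can be exercised with the following toy evaluator. It is an added example written for this page, not Ethereal's own filter engine: the packet records are constructed by hand, and the filter `http && ip.addr == 192.168.2.10` that the test runs is my own assumption about the shape of the filter the preceding example refers to (the original filter is not reproduced on this page). The evaluator keeps the Ethereal-era rule that a comparison matches when any occurrence of a field matches, which is why `ip.addr != x` keeps almost every packet and `!(ip.addr == x)` is the form that actually excludes a host; newer Wireshark releases have since changed that behaviour.

```python
"""Toy evaluator for Ethereal-style display filters.  Added illustration, not
Ethereal's own engine: it implements the operators from the tables above
(eq/==, ne/!=, gt/>, lt/<, ge/>=, le/<=, and/&&, or/||, xor/^^, not/!),
parentheses, and bare protocol or field names as presence tests."""
import re

# Constructed sample "packets" (no real capture).  Each dict maps a display
# filter field to its value; a protocol name set to True means that layer is
# present.  ip.addr holds BOTH source and destination, as in Ethereal, which
# is what makes "ip.addr != x" behave unexpectedly (see compare()).
PACKETS = [
    {"frame.pkt_len": 74, "ip": True, "ip.addr": ["10.1.10.20", "10.1.10.30"],
     "tcp": True, "tcp.flags.fin": 0, "http": True},
    {"frame.pkt_len": 60, "ip": True, "ip.addr": ["10.1.10.21", "10.1.10.20"],
     "tcp": True, "tcp.flags.fin": 1},
    {"frame.pkt_len": 8, "ip": True, "ip.addr": ["192.168.2.10", "192.168.2.1"],
     "udp": True},
    {"frame.pkt_len": 42, "llc": True},
    {"frame.pkt_len": 512, "ip": True, "ip.addr": ["192.168.2.1", "192.168.2.10"],
     "tcp": True, "tcp.flags.fin": 0, "http": True},
]

TOKEN = re.compile(r"\s*(==|!=|>=|<=|&&|\|\||\^\^|[()<>!]|[A-Za-z0-9_.]+)")
# English operator names are accepted and mapped onto the C-like forms.
WORDS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
         "and": "&&", "or": "||", "xor": "^^", "not": "!"}
COMPARISONS = ("==", "!=", ">", "<", ">=", "<=")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad filter near %r" % expr[pos:])
        tokens.append(WORDS.get(m.group(1), m.group(1)))
        pos = m.end()
    return tokens

def compare(values, op, literal):
    """A field can occur several times in one packet (ip.addr: src and dst) and
    the comparison matches if ANY occurrence satisfies it (Ethereal-era rule).
    Hence "ip.addr != x" is true whenever the OTHER address is not x, i.e. for
    nearly every packet; write "!(ip.addr == x)" to exclude a host."""
    norm = lambda v: int(v) if isinstance(v, int) or str(v).isdigit() else str(v)
    rhs = norm(literal)
    test = {"==": lambda a: a == rhs, "!=": lambda a: a != rhs,
            ">": lambda a: a > rhs, "<": lambda a: a < rhs,
            ">=": lambda a: a >= rhs, "<=": lambda a: a <= rhs}[op]
    return any(test(norm(v)) for v in (values if isinstance(values, list) else [values]))

class Parser:
    """Recursive descent; precedence, loosest first: || ^^ && ! comparison."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse_or(self, pkt):
        left = self.parse_xor(pkt)
        while self.peek() == "||":
            self.take()
            right = self.parse_xor(pkt)   # parsed unconditionally so tokens are consumed
            left = left or right
        return left

    def parse_xor(self, pkt):
        left = self.parse_and(pkt)
        while self.peek() == "^^":
            self.take()
            left = left != self.parse_and(pkt)
        return left

    def parse_and(self, pkt):
        left = self.parse_not(pkt)
        while self.peek() == "&&":
            self.take()
            right = self.parse_not(pkt)
            left = left and right
        return left

    def parse_not(self, pkt):
        if self.peek() == "!":
            self.take()
            return not self.parse_not(pkt)
        return self.parse_primary(pkt)

    def parse_primary(self, pkt):
        tok = self.take()
        if tok == "(":
            value = self.parse_or(pkt)
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok == ")" or tok in WORDS.values():
            raise ValueError("unexpected token %r" % tok)
        if self.peek() in COMPARISONS:
            op, literal = self.take(), self.take()
            return tok in pkt and compare(pkt[tok], op, literal)
        # Bare name = presence test: "tcp" keeps every TCP packet, and a bare
        # "tcp.flags.fin" keeps every packet that HAS the field, FIN set or not;
        # use "tcp.flags.fin == 1" to require the flag.
        return tok in pkt

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets a display filter would keep."""
    kept = []
    for i, pkt in enumerate(packets):
        parser = Parser(tokenize(expr))
        result = parser.parse_or(pkt)
        if parser.peek() is not None:
            raise ValueError("trailing input: %r" % parser.toks[parser.i:])
        if result:
            kept.append(i)
    return kept
```

Call `apply_filter("ip.addr != 10.1.10.20")` and `apply_filter("!(ip.addr == 10.1.10.20)")` against the constructed packets: the first keeps packets 0 and 1 even though both involve 10.1.10.20, the second drops them. The same distinction is the reason method 2 above (capture everything, narrow with the display filter) is forgiving: a display filter that turns out to be wrong costs nothing, while a capture filter that is wrong has already discarded the packets.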
Using protocol plug-ins in Ethereal
Ethereal supports many protocols, but some can only be decoded after a plug-in is installed, H.323 for example. Taking H.323 as the example: first download the H.323 plug-in for Ethereal from http://www.voice2sniff.org/ and extract the file (h323.dll) into the ethereal/0.9.x directory under the Ethereal installation directory (mine is 0.9.11). Then configure it:
1) Start Ethereal.
2) Choose Edit > Preferences.
3) Click the "+" in front of Protocols to expand the protocol list.
4) Find Q931 and click it.
5) Make sure "Desegment .... TCP segments" is selected (that is, the box is pressed down).
6) Click TCP.
7) Make sure "Allow .... TCP streams" is selected.
8) Make sure "Check .... TCP checksum" and "Use .... sequence numbers" are not selected.
9) Click TPKT.
10) Make sure "Desegment .... TCP segments" is selected.
11) Click Save, then Apply, then OK.
Alternatively, you can install the newer WinPcap and Ethereal releases; then you do not need to add new plug-ins to the old Ethereal version to get support for new protocols. This is also the lazy way.