comparing sniffer tools (tcpdump, ethereal, etherape, ethercap, drifnet)

TW
04-30-2005, 07:30 PM
Hi,

I am relatively new to networking and I was wondering whether anyone
here could compare and contrast TCPDUMP, ETHEREAL, ETHERAPE, ETHERCAP
and DRIFTNET in terms of usage, unique features, etc.

Rather than going through them one by one without really knowing what
their specific capabilities are, I'd rather get some pointers about them
first (not to mention that some, like etherape, do not seem to have any
documentation at all - at least not that I have found anywhere).

Alternatively - are there websites, articles or books which you could
recommend to get more info about these apps (not including Windows/Mac
specific books as I only use GNU/Linux on all my machines).

Thanks,

TW

Jose Maria Lopez Hernandez
05-01-2005, 10:03 AM
TW wrote:
> Rather than going through them one by one without really knowing what
> their specific capabilities are, I'd rather get some pointers about them
> first (not to mention that some, like etherape, do not seem to have any
> documentation at all - at least not that I have found anywhere).


I think tcpdump is very useful to have a look at the traffic in
real time, but the king of sniffers, if you want to study the
traffic deeply is ethereal.

For ethereal information the best place to start is their website:
http://www.ethereal.com
and their Wiki, where you have the latest information about ethereal:
http://wiki.ethereal.com/

> TW


Regards.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
bgSEC Seguridad y Consultoria de Sistemas
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

Dan
05-01-2005, 01:43 PM
On 30 Apr 2005 12:30:57 -0700, TW wrote:

You run tcpdump from the command line, so you don't need a gui. It's
also easy to run on a remote system that you have ssh'ed into. Very
handy if you're looking for certain packets.

Ethereal needs a gui, and it's easier to get more information from it.
It's good if you want to see what data the packet is carrying.

Tcpdump is quick and easy, ethereal is more comprehensive.

Dan

Kunael
05-01-2005, 08:10 PM
> I think tcpdump is very useful to have a look at the traffic in
> real time, but the king of sniffers, if you want to study the
> traffic deeply is ethereal.


Until now, I've used tcpdump and iptraf on my boxes.
Is it possible to run ethereal on a system without X? I hate installing the X
system on server machines.

--
¡Share your knowledge!

Linux user id 332494 # http://counter.li.org/
PGP id 0xC5ABA76A # http://pgp.mit.edu/

James Knott
05-01-2005, 09:34 PM
Kunael wrote:

>> I think tcpdump is very useful to have a look at the traffic in
>> real time, but the king of sniffers, if you want to study the
>> traffic deeply is ethereal.

>
> Until now, I've used tcpdump and iptraf on my boxes.
> Is it possible to run ethereal on a system without X? I hate installing the X
> system on server machines.
>


You can always run it remotely. I've done that here with my firewall, where
I don't have X running. Just ssh -X to the box and go from there.

James Knott
05-01-2005, 09:36 PM
James Knott wrote:

> Kunael wrote:
>
>>> I think tcpdump is very useful to have a look at the traffic in
>>> real time, but the king of sniffers, if you want to study the
>>> traffic deeply is ethereal.
>>
>> Until now, I've used tcpdump and iptraf on my boxes.
>> Is it possible to run ethereal on a system without X? I hate installing the X
>> system on server machines.
>>
>
> You can always run it remotely. I've done that here with my firewall, where
> I don't have X running. Just ssh -X to the box and go from there.


Forgot to mention. If you're doing this, you don't want to monitor the port
you're coming in on. ;-)

prg
05-01-2005, 11:15 PM

Kunael wrote:
> > I think tcpdump is very useful to have a look at the traffic in
> > real time, but the king of sniffers, if you want to study the
> > traffic deeply is ethereal.
>
> Until now, I've used tcpdump and iptraf on my boxes.
> Is it possible to run ethereal on a system without X? I hate installing the X
> system on server machines.


$ man tethereal

Robert Nichols
05-01-2005, 11:53 PM
Kunael wrote:
:> I think tcpdump is very useful to have a look at the traffic in
:> real time, but the king of sniffers, if you want to study the
:> traffic deeply is ethereal.
:
:Until now, I've used tcpdump and iptraf on my boxes.
:Is it possible to run ethereal on a system without X? I hate installing the X
:system on server machines.

You can run tcpdump to do the capture and save the raw data ("-w"
option), and then use ethereal to display the result. Both ethereal and
tcpdump use libpcap to perform the capture, so there's almost no
difference in capability there. The libpcap file format produced by
tcpdump is also ethereal's native file format.

--
Bob Nichols AT comcast.net I am "rnichols42"

Moe Trin
05-02-2005, 12:26 AM
TW wrote:

>I am relatively new to networking and I was wondering whether anyone
>here could compare and contrast TCPDUMP, ETHEREAL, ETHERAPE, ETHERCAP
>and DRIFTNET in terms of usage, unique features, etc.


Depends on what you are trying to do. 'tcpdump' is probably the oldest and
most common tool. 'ethereal' and its text version 'tethereal' have more
bells and whistles. I'm not familiar with etherape, but the version I have
access to (etherape-0.9.0) is rather lacking. 'ethercap' rings a bell,
but I can't remember using it. 'driftnet' is a new one on me, but looking
at it (driftnet-0.1.6) seems to indicate it's for capturing and displaying
JPEG and GIF images and MPEG audio data. You don't mention it, but another
tool is 'sniffit' (./system/security/sniffit-0.3.5.tar.gz at any sunsite
mirror). Another tool is 'ngrep' (not exactly sure where I found that, but
I can see multiple packages on sunsite in several distributions).

>I'd rather get some pointers about them first (not to mention that some,
>like etherape, do not seem to have any documentation at all - at least
>not that I have found anywhere).


At least in the 0.9.0 version I have, there is limited documentation, but
the tool itself is lacking capability. But then, it all boils down to the
question "what are you trying to do". Viewing the JIF files that pass by
your Ethernet adapter is quite different from trying to isolate what
protocol some system with a MAC address of $FOO is spewing on the wire,
and why $BAZ claims it to be full of parity errors.

>Alternatively - are there websites, articles or books which you could
>recommend to get more info about these apps


I've never seen a "Packet Sniffers for Newbies" (or similar) book, and
other than the documentation that comes with the tools, the best source
I've seen is W. Richard Stevens classic book "TCP/IP Illustrated Volume
1" (Addison Wesley, ISBN 0-201-63346-9, 1994, 1996, 576 pgs, US$LOTS)
which used tcpdump as a teaching tool.

Network sniffer tools are most often used in troubleshooting, and less
often for network security analysis. As such, their use pre-supposes at
least some knowledge of the network protocols.

Old guy

Martin Visser
05-02-2005, 01:01 AM

James Knott wrote:
> Forgot to mention. If you're doing this, you don't want to monitor the
> port you're coming in on. ;-)
>


This isn't really a problem - just put "not tcp port 22" in the capture
filter and you won't see any of your SSH traffic.

Also if you don't want to use X just use tethereal - which is basically
tcpdump but with all the filtering and stats capabilities of the GUI
ethereal.
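
A worked illustration of Robert's point about the libpcap file format and Martin's "not tcp port 22" capture filter, added here as an example and not code from anyone in this thread: it writes a small libpcap file in memory (the format tcpdump -w produces and ethereal reads natively), parses it back while honouring the byte order the magic number announces, and drops the SSH frames after the fact, which is what the capture filter does at capture time. The frames are constructed samples, and build_pcap, read_pcap, tcp_ports, not_tcp_port and tcp_frame are this example's own names.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, written in the capturing host's byte order
LINKTYPE_ETHERNET = 1     # DLT_EN10MB

def build_pcap(packets, end="<"):
    """In-memory libpcap file (what 'tcpdump -w' writes): 24-byte global
    header, then a 16-byte record header in front of each frame."""
    hdr = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack(end + "IIII", ts, 0, len(f), len(f)) + f
                    for ts, f in packets)
    return hdr + recs

def read_pcap(data):
    """Yield (timestamp_seconds, frame) per record, honouring the byte order
    the magic number announces, so captures from either endianness parse."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(end + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def tcp_ports(frame):
    """(src_port, dst_port) of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:      # IP protocol 6 = TCP
        return None
    return struct.unpack_from("!HH", frame, 14 + ihl)

def not_tcp_port(data, port=22):
    """Offline equivalent of the capture filter 'not tcp port 22'."""
    return [(ts, f) for ts, f in read_pcap(data)
            if (p := tcp_ports(f)) is None or port not in p]

def tcp_frame(sport, dport):
    """Constructed sample frame (zero MACs, 10.0.0.1 -> 10.0.0.2), not a real capture."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp
```

Filtering at read time is handy for a file you already have, but it is not the same as excluding the traffic at capture time: the frames still hit the ring buffer and the disk, so on a busy SSH session the capture filter Martin describes is still the right tool.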