Larry Dean Farrell

INLS 187

Software Evaluation


Description:

The program I looked at was Ethereal, an Open Source packet capture program available at http://www.ethereal.com/. The program also requires the following file before it will work: WinPcap_3_0.exe, which can also be downloaded from the Ethereal site. It is an extremely rich program that allows a great deal of granularity in capturing network traffic. The easiest method is to simply go to the capture button, which brings up a new window in which a great many parameters can be set, ranging from which NIC you want to see traffic from to limiting the packet size. It also includes a number of settings for capture size and for how long you want the capture to run, as the number of packets can quickly add up on a busy interface. If you click the OK button the default capture will start, which runs for an unlimited time, capturing every packet that passes through the interface. This brings up another window, which lists a number of protocols, the number of packets of each protocol type, and the percentage of total packets represented by that protocol. If you click the stop button the capture will stop, bringing up yet another window, which is the real meat of the tool.

This window lists each packet individually, providing such information as protocol type, the packet’s source and destination, and the frame type, along with a hexadecimal rendering of the packet and what I took to be a translation of the packet, though this feature provided little real information. Other handy features include being able to specify exactly which packet you want to look at, as well as being able to jump from packet to packet of the same type. The program also allows you to set filters, for example specifying just IPX traffic, thus allowing you to filter out the noise of multiple packet types. It also allows you to save packet captures for later viewing. Finally, the program has analysis features, such as general information on your capture (average packet size and transfer speed, for example). It also aggregates and lists all traffic from one address to another address and vice versa, as well as allowing you to generate graphs and charts based on various variables.
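The per-protocol packet counts with percentages and the address-to-address (and vice versa) aggregation described above, as an added example that is not Ethereal's own code: a small Python reader for the libpcap file format that Ethereal saves captures in, run over a constructed capture. Function names, the sample addresses and the five constructed frames are assumptions made for the example.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8137: "IPX"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def read_pcap(data):
    """Yield raw frames from libpcap bytes: 24-byte global header, then 16-byte record headers."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return (protocol label, source, destination) as the packet list shows them."""
    etype = struct.unpack("!H", frame[12:14])[0]
    name = ETHERTYPES.get(etype, "0x%04x" % etype)
    if name == "IP" and len(frame) >= 34:  # IPv4: protocol byte and addresses
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        return IP_PROTOS.get(frame[23], "IP proto %d" % frame[23]), src, dst
    mac = lambda b: ":".join("%02x" % x for x in b)  # non-IP: fall back to MACs
    return name, mac(frame[6:12]), mac(frame[0:6])

def summarize(data):
    """Per-protocol counts and percentages, plus per-conversation totals (A<->B)."""
    protos, convs = Counter(), Counter()
    for frame in read_pcap(data):
        name, src, dst = classify(frame)
        protos[name] += 1
        convs[tuple(sorted((src, dst)))] += 1  # both directions form one conversation
    total = sum(protos.values())
    pct = {p: round(100.0 * n / total, 1) for p, n in protos.items()}
    return dict(protos), pct, dict(convs)

def build_sample():
    """Constructed capture (not real traffic): three TCP, one UDP and one IPX frame."""
    def ipv4(src, dst, proto):
        eth = b"\x00" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
        ip = b"\x45\x00" + struct.pack("!HHHBBH", 20, 0, 0, 64, proto, 0)
        return eth + ip + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    ipx = b"\x00" * 6 + b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x81\x37" + b"\xff\xff\x00\x1e"
    frames = [ipv4("10.0.0.1", "10.0.0.2", 6), ipv4("10.0.0.2", "10.0.0.1", 6),
              ipv4("10.0.0.1", "10.0.0.3", 17), ipv4("10.0.0.1", "10.0.0.2", 6), ipx]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `summarize(build_sample())` gives TCP 60%, UDP 20% and IPX 20%, with the 10.0.0.1/10.0.0.2 pair counted as one three-packet conversation regardless of direction; `summarize(open("capture.pcap", "rb").read())` does the same for a saved Ethereal capture.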

Analysis:

Ethereal has a great deal of functionality, meaning that its use can be quite complex. For example, it has two different filter languages, used depending on what type of filter you want to set up. That said, the basics of the program are really quite easy to use. You have to do no more than go to the capture button, hit start capture, and then OK when the new window comes up to start a capture. It thus seems as if it could be a very useful program for diagnosing network problems, such as nailing down exactly where the rogue machine that’s flooding your network with IPX traffic might be. It can pick up a dizzying array of packet types, which can be a bit of a problem, as the program often uses rather arcane abbreviations for the packet type; these can be looked up, but it can make a quick analysis difficult if there is a lot of unusual or exotic traffic on your network. Then, as mentioned above, the full functionality of Ethereal can be difficult to master. It would likely take some time and experimentation to fully master the filter languages and set your filters to capture the traffic you desire to see. Finally, some of the analysis functionality seemed rather opaque. The I/O graph, for example, seemed to make little sense. It apparently plots the packets coming through the wire per second, but the graph seemed poorly labeled, having only one listing on the time (X) axis, though the graph seemed to give a listing for every second of the capture.

Recommendations for Use:

Ethereal is a wonderful network tool, but it is not for the casual computer user. The tool would best be utilized by experienced systems administrators or network engineers, as the program presupposes a rather sophisticated knowledge of network protocols and packet construction. Given its Open Source nature, meaning it’s free to download and use, it seems like it could be a useful tool in a production environment in cash-poor organizations such as non-profits and governmental organizations. It is not a tool likely to be useful for the general user, who, even if they could diagnose their problem, would probably not have the ability to correct it, unless it was a problem with their local home network. The only use I could see for non-network professionals would be as a packet scanner on someone else’s network, since such information as IP addresses and port numbers is provided in Ethereal’s output, as well as the full contents of each individual packet, thus allowing a user to read other people’s traffic, as well as allowing the performance of simple traffic analysis if the user isn’t well versed in deciphering hexadecimal notation.


Screen Shots: