Customizing Ethereal
Introduction
Ethereal's default behaviour will usually suit your needs pretty well.
However, as you become more familiar with Ethereal, it can be customized
in various ways to suit your needs even better. In this chapter we explore:
How to start Ethereal with command line parameters
How to colorize the Ethereal display
How to use the various preference settings
Start Ethereal from the command line
You can start Ethereal from the command
line, but it can also be started from most window managers
as well. In this section we will look at starting it from the command
line.
Ethereal supports a large number of
command line parameters. To see what they are, simply enter the
command ethereal -h and the help information
shown in (or something similar) should be
printed.
Help information available from Ethereal
This is GNU ethereal 0.10.5
Compiled with GTK+ 2.4.3, with GLib 2.4.2, with WinPcap (version unknown),
with libz 1.2.1, with libpcre 4.4, with Net-SNMP 5.1, with ADNS.
Running with WinPcap version 3.0 (packet.dll version 3, 1, 0, 20), based
on libpcap version 0.8 on Windows XP Service Pack 1, build 2600.
ethereal [ -vh ] [ -klLnpQS ] [ -a <capture autostop condition> ] ...
[ -b <number of ringbuffer files>[:<duration>] ]
[ -B <byte view height> ] [ -c <count> ] [ -f <capture filter> ]
[ -i <interface> ] [ -m <medium font> ] [ -N <resolving> ]
[ -o <preference setting> ] ... [ -P <packet list height> ]
[ -r <infile> ] [ -R <read filter> ] [ -s <snaplen> ]
[ -t <time stamp format> ] [ -T <tree view height> ]
[ -w <savefile> ] [ -y <link type> ] [ -z <statistics string> ]
[ <infile> ]
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command
ethereal by itself will bring up
Ethereal.
However, you can include as many of the command line parameters as
you like. Their meanings are as follows (in alphabetical order):
XXX - is the alphabetical order a good choice? Maybe better task based?
-a <capture autostop condition>
Specify a criterion that specifies when Ethereal is to stop writing
to a capture file. The criterion is of the form test:value, where test
is one of:
duration
Stop writing to a capture file after value seconds have elapsed.
filesize
Stop writing to a capture file after it reaches a size of value
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
-b <number of ringbuffer files>
If a maximum capture file size was specified, cause Ethereal to run
in "ring buffer" mode, with the specified number of files. In "ring
buffer" mode, Ethereal will write to several capture files. Their
name is based on the number of the file and on the creation date and
time.
When the first capture file fills up, Ethereal will switch to writing
to the next file, until it fills up the last file, at which point
it'll discard the data in the first file (unless 0 is specified, in
which case, the number of files is unlimited) and start writing to
that file and so on.
If the optional duration is specified, Ethereal will also switch to
the next file when the specified number of seconds has elapsed, even
if the current file has not completely filled up.
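The interplay of -a filesize, the -b file count and the optional -b duration is easiest to see by simulating it. The following is an added example, not code from the Ethereal User's Guide or from Ethereal itself: it replays a constructed packet stream through the rotation rules described above (a file is closed once it holds the given number of 1000-byte kilobytes or once the duration has elapsed; with a non-zero file count the oldest file is discarded). The file-name pattern is an assumption that only mirrors the "number plus creation time" description.

```python
from datetime import datetime, timezone

# Constructed packet stream for the simulation: (arrival time as seconds since
# the epoch, frame length in bytes). Ten 500-byte packets, one second apart.
SAMPLE_PACKETS = [(1097000000 + i, 500) for i in range(10)]


def _file_name(index, start_time):
    # Assumption: the name combines the file number and the creation time, as
    # the text says; the exact pattern is illustrative, not Ethereal's own.
    stamp = datetime.fromtimestamp(start_time, tz=timezone.utc).strftime("%Y%m%d%H%M%S")
    return "capture_%05d_%s" % (index, stamp)


def simulate_ring_buffer(packets, num_files, filesize_kb=None, duration=None):
    """Return the capture files left on disk after writing `packets`.

    num_files   -- the -b file count: 0 keeps every file, otherwise only the
                   newest num_files files survive and the oldest is discarded.
    filesize_kb -- the -a filesize:value limit: a file is closed once it holds
                   that many kilobytes, where a kilobyte is 1000 bytes, not 1024.
    duration    -- the optional -b :duration: a file is closed once that many
                   seconds have elapsed since it was created.
    """
    kept = []          # files still on disk, oldest first
    current = None     # file being written: dict(name, start, bytes, packets)
    next_index = 1

    def close_current():
        nonlocal current
        kept.append(current)
        if num_files and len(kept) > num_files:
            kept.pop(0)    # ring is full: the oldest file's data is discarded
        current = None

    for ts, length in packets:
        # The time-based switch is checked before the packet is written.
        if current and duration is not None and ts - current["start"] >= duration:
            close_current()
        if current is None:
            current = {"name": _file_name(next_index, ts), "start": ts,
                       "bytes": 0, "packets": 0}
            next_index += 1
        current["bytes"] += length
        current["packets"] += 1
        # The size-based switch happens as soon as the file reaches the limit.
        if filesize_kb is not None and current["bytes"] >= filesize_kb * 1000:
            close_current()

    if current is not None:
        close_current()
    return kept


def packets_per_file(files):
    """Packet count of each surviving file, oldest first."""
    return [f["packets"] for f in files]


if __name__ == "__main__":
    for f in simulate_ring_buffer(SAMPLE_PACKETS, 3, filesize_kb=1):
        print(f["name"], f["packets"], "packets", f["bytes"], "bytes")
```

With a 1-kilobyte limit two 500-byte packets fill a file, so the ten packets produce five files and a ring of three keeps only files three to five; had the simulation used 1024-byte kilobytes, three packets would have been needed per file, which is exactly why the guide spells out the unit.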
-B <byte view height>
This option sets the initial height of the "Packet Bytes" pane.
This pane is usually the bottom pane in the Ethereal display.
-c <count>
This option specifies the maximum number of packets to capture
when capturing live data. It would be used in conjunction
with the -k option.
-f <capture filter>
This option sets the initial capture filter expression to
be used when capturing packets.
-h
The -h option requests Ethereal to print
its version and usage instructions (as shown above) and exit.
-i <interface>
The -i option allows you to specify,
from the command line, which interface packet capture should
occur on if capturing packets.
An example would be: ethereal -i eth0.
To get a listing of all the interfaces you can capture on,
use the command ifconfig -a or
netstat -i. Unfortunately, some versions of
UNIX do not support ifconfig -a, so you
will have to use netstat -i in these cases.
-k
The -k option specifies that Ethereal
should start capturing packets immediately. This option
requires the use of the -i parameter to
specify the interface that packet capture will occur from.
-l
This option turns on automatic scrolling if the packet
list pane is being updated automatically as packets arrive
during a capture (as specified by the -S
flag).
-L
List the data link types supported by the interface and exit.
-m <medium font>
This option sets the name of the font used for most text
displayed by Ethereal. XXX - add an example!
-n
Disable network object name resolution (such as hostname, TCP and UDP
port names).
-N <resolving>
Turns on name resolving for particular types of addresses
and port numbers; the argument is a string that may contain
the letters m to enable MAC address
resolution, n to enable network address
resolution, and t to enable transport-layer
port number resolution. This overrides -n
if both -N and -n are
present. The letter C enables concurrent (asynchronous) DNS lookups.
-o <preference settings>
Sets a preference value, overriding the default value and
any value read from a preference file. The argument to the
flag is a string of the form prefname:value, where prefname
is the name of the preference (which is the same name that
would appear in the preference file), and value is the value
to which it should be set. Multiple instances of
-o <preference settings> can be
given on a single command line.
An example of setting a single preference would be:
ethereal -o mgcp.display_dissect_tree:TRUE
An example of setting multiple preferences would be:
ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
Tip!
You can get a list of all available preference strings from the
preferences file, see .
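The order of precedence for a preference value (built-in default, then the preferences file, then each -o on the command line) and the prefname:value form are small enough to model directly. The following is an added example, not code from the Ethereal User's Guide or from Ethereal; the default values and the preferences-file excerpt are constructed, and the "name: value" line format of that file is an assumption made for the example.

```python
# Constructed default values for the two preferences the chapter uses as examples.
DEFAULTS = {
    "mgcp.display_dissect_tree": "FALSE",
    "mgcp.udp.callagent_port": "2427",
}

# Constructed preferences-file excerpt. Assumption: one "prefname: value" per
# line, with '#' starting a comment.
SAMPLE_PREFS_FILE = """\
# MGCP settings as saved from the Preferences dialog
mgcp.display_dissect_tree: FALSE
mgcp.udp.callagent_port: 2727
"""


def parse_override(arg):
    """Split a -o argument of the form prefname:value at the first colon.

    Splitting at the first colon only matters when the value itself contains
    colons; the preference name never does.
    """
    name, sep, value = arg.partition(":")
    if not sep or not name.strip():
        raise ValueError("bad -o argument %r: expected prefname:value" % arg)
    return name.strip(), value.strip()


def parse_prefs_file(text):
    """Read the constructed preferences-file format into a dict."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, value = parse_override(line)
        prefs[name] = value
    return prefs


def resolve_preferences(defaults, prefs_file_text, cli_args):
    """Apply the precedence the -o description gives: the preferences file
    overrides the defaults, and every -o argument overrides both. Later -o
    arguments for the same name win, mirroring command-line order."""
    prefs = dict(defaults)
    for name, value in parse_prefs_file(prefs_file_text).items():
        if name in defaults:          # entries for unknown preferences are skipped
            prefs[name] = value
    for arg in cli_args:
        name, value = parse_override(arg)
        if name not in defaults:
            raise KeyError("unknown preference %r" % name)
        prefs[name] = value
    return prefs


if __name__ == "__main__":
    # Equivalent of: ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
    print(resolve_preferences(DEFAULTS, SAMPLE_PREFS_FILE,
                              ["mgcp.display_dissect_tree:TRUE",
                               "mgcp.udp.callagent_port:2627"]))
```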
-p
Don't put the interface into promiscuous mode. Note that
the interface might be in promiscuous mode for some other
reason; hence, -p cannot be used to ensure that the only
traffic that is captured is traffic sent to or from the
machine on which Ethereal is running, broadcast traffic, and
multicast traffic to addresses received by that machine.
-P <packet list height>
This option sets the initial height of the "Packet List" pane,
i.e., the top pane.
-Q
This option forces Ethereal to exit when capturing is
complete. It can be used with the -c option.
It must be used in conjunction with the
-i and -w options.
-r <infile>
This option provides the name of a capture file for Ethereal
to read and display. This capture file can be in one of the
formats Ethereal understands.
-R <read filter>
This option specifies a display filter to be applied when
reading packets from a capture file. The syntax of this
filter is that of the display filters discussed in
. Packets not
matching the filter are discarded.
-s <snaplen>
This option specifies the snapshot length to use when
capturing packets. Ethereal will only capture
<snaplen> bytes of data for each packet.
-S
This option specifies that Ethereal will display packets as
it captures them. This is done by capturing in one process
and displaying them in a separate process. This is the same
as "Update list of packets in real time" in the Capture Options
dialog box.
-t <time stamp format>
This option sets the format of packet timestamps that are
displayed in the packet list window. The format can be one of:
r relative, which specifies timestamps are
displayed relative to the first packet captured.
a absolute, which specifies that actual times
be displayed for all packets.
ad absolute with date, which specifies that
actual dates and times be displayed for all packets.
d delta, which specifies that timestamps
are relative to the previous packet.
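The four timestamp formats are all derived from the same captured arrival times. The following is an added example, not code from the Ethereal User's Guide or from Ethereal: it renders a constructed set of pcap-style (seconds, microseconds) timestamps in each of the r, a, ad and d forms so the differences between them are concrete. Absolute times are shown in UTC here, an assumption made so the output is reproducible; the output layout is illustrative rather than Ethereal's exact column format.

```python
from datetime import datetime, timezone

# Constructed packet arrival times as pcap-style (seconds, microseconds) pairs.
SAMPLE_TIMES = [(1097000000, 0), (1097000000, 250000), (1097000001, 125000)]


def _to_usec(ts):
    sec, usec = ts
    return sec * 1_000_000 + usec


def _fmt_diff(usec):
    """Format a difference in microseconds as seconds.microseconds, sign kept."""
    sign = "-" if usec < 0 else ""
    secs, frac = divmod(abs(usec), 1_000_000)
    return "%s%d.%06d" % (sign, secs, frac)


def format_timestamps(times, fmt):
    """Render packet timestamps the way the -t formats describe them.

    r  -- relative to the first packet captured
    a  -- absolute time of day
    ad -- absolute date and time
    d  -- delta from the previous packet (the first packet shows 0)
    """
    out = []
    for i, ts in enumerate(times):
        if fmt == "r":
            out.append(_fmt_diff(_to_usec(ts) - _to_usec(times[0])))
        elif fmt == "d":
            prev = times[i - 1] if i else ts
            out.append(_fmt_diff(_to_usec(ts) - _to_usec(prev)))
        elif fmt in ("a", "ad"):
            dt = datetime.fromtimestamp(ts[0], tz=timezone.utc)   # assumption: UTC
            pattern = "%Y-%m-%d %H:%M:%S" if fmt == "ad" else "%H:%M:%S"
            out.append(dt.strftime(pattern) + ".%06d" % ts[1])
        else:
            raise ValueError("unknown time stamp format %r (use r, a, ad or d)" % fmt)
    return out


if __name__ == "__main__":
    for fmt in ("r", "a", "ad", "d"):
        print("-t %-2s" % fmt, format_timestamps(SAMPLE_TIMES, fmt))
```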
-T <tree view height>
This option sets the initial height of the "Packet Details" pane.
-v
The -v option requests
Ethereal to print out its version information and exit.
-w <savefile>
This option sets the name of the savefile
to be used when saving a capture file.
-y <link type>
If a capture is started from the command line with -k, set the data
link type to use while capturing packets. The values reported by -L
are the values that can be used.
-z <statistics string>
Get Ethereal to collect various types of statistics and display the
result in a window that updates in semi-real time.
XXX - add more details here!
Packet colorization
A very useful mechanism available in Ethereal is packet colorization.
You can set Ethereal up so that it colorizes packets according to a
filter. This allows you to emphasize the packets you are interested in.
To colorize packets, select the Coloring Rules... menu item from
the View menu, and Ethereal will pop up the "Coloring Rules"
dialog box as shown in .
Once the Coloring Rules dialog box is up, there are a number
of buttons you can use, depending on whether or not you have any
color filters installed already.
Note!
You will need to carefully select the order that rules are listed
(and thus applied) as they are applied in order from top to bottom.
So, more specific rules need to be listed before more general rules.
For example, if you have a color rule for UDP before the one for DNS,
the color rule for DNS will never be applied (as DNS uses UDP, so the
UDP rule will be matching first).
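The first-match, top-to-bottom behaviour described in the note is what makes rule order matter, and it can be checked ahead of time. The following is an added example, not code from the Ethereal User's Guide or from Ethereal: it evaluates a list of coloring rules over constructed sample packets, shows the UDP-before-DNS shadowing from the note, and reports rules that never win for those packets. The filter engine is a stand-in assumption (a filter here is a single protocol name that matches when the packet contains that protocol), far simpler than Ethereal's display-filter language.

```python
# Constructed sample packets, each given as the protocol layers Ethereal
# would dissect for it, outermost first.
SAMPLE_PACKETS = {
    "dns-query": ["eth", "ip", "udp", "dns"],
    "ntp":       ["eth", "ip", "udp", "ntp"],
    "http-get":  ["eth", "ip", "tcp", "http"],
}

# Coloring rules as (rule name, filter string). Assumption for this example:
# the filter is a bare protocol name, as in the "arp" example of this chapter.
GENERAL_FIRST = [("udp", "udp"), ("dns", "dns"), ("tcp", "tcp")]
SPECIFIC_FIRST = [("dns", "dns"), ("udp", "udp"), ("tcp", "tcp")]


def matches(filter_expr, layers):
    """Stand-in for the display-filter engine: true when the protocol named
    by the filter appears anywhere in the packet."""
    return filter_expr in layers


def colorize(rules, layers):
    """Apply the rules top to bottom; the first matching rule colours the packet."""
    for name, filter_expr in rules:
        if matches(filter_expr, layers):
            return name
    return None       # no rule matched: the packet keeps the default colours


def colorize_all(rules, packets):
    """Map each sample packet to the name of the rule that coloured it."""
    return {pkt: colorize(rules, layers) for pkt, layers in packets.items()}


def shadowed_rules(rules, packets):
    """Rules that never colour any of the given packets because an earlier,
    more general rule always matched first. The answer is only as good as the
    sample packets: a rule reported here may still fire on other traffic."""
    winners = set(colorize_all(rules, packets).values())
    return [name for name, _ in rules if name not in winners]


if __name__ == "__main__":
    print("general first: ", colorize_all(GENERAL_FIRST, SAMPLE_PACKETS))
    print("never applied: ", shadowed_rules(GENERAL_FIRST, SAMPLE_PACKETS))
    print("specific first:", colorize_all(SPECIFIC_FIRST, SAMPLE_PACKETS))
```

With the UDP rule listed first the DNS packet is coloured as plain UDP and the DNS rule is reported as never applied; moving the DNS rule above the UDP rule fixes this without touching the filters themselves.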
If this is the first time you have used Coloring Rules, click on the New
button which will bring up the Edit color filter dialog box as shown in
.
In the Edit Color dialog box, simply enter a name for the color filter,
and enter a filter string in the Filter text field.
shows the values
arp and arp, which means that
the name of the color filter is arp and the filter
will select packets of protocol type arp. Once you have
entered these values, you can choose a foreground and background
color for packets that match the filter expression. Click on
Foreground color... or
Background color... to achieve this and
Ethereal will pop up the Choose foreground/background color for
protocol dialog box as shown in
.
Select the color you desire for the selected packets and click on OK.
Note!
You must select a color in the colorbar next to the colorwheel to
load values into the RGB values. Alternatively, you can set the
values to select the color you want.
shows an example of several color
filters being used in Ethereal. You may not like the color choices;
feel free to choose your own.
Control Protocol dissection
There are several ways to let the user control how protocols are
dissected.
Each protocol has its own dissector, so dissecting a packet will
typically involve several dissectors. As Ethereal tries to find the
right dissector for each packet (using static "routes" and heuristics
"guessing"), it might choose the wrong dissector in your specific
case. For example, Ethereal won't know if you use a common protocol
on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
the standard port 80.
There are two ways to control the relations between protocol
dissectors: disable a protocol dissector completely or temporarily
divert the way Ethereal calls the dissectors.
The "Enabled Protocols" dialog box
The Enabled Protocols dialog box lets you enable or
disable specific protocols; all protocols are enabled by default.
When a protocol is disabled, Ethereal stops processing a packet
whenever that protocol is encountered.
Note!
Disabling a protocol will prevent information about higher-layer
protocols from being displayed. For example,
suppose you disabled the IP protocol and selected
a packet containing Ethernet, IP, TCP, and HTTP
information. The Ethernet information would be
displayed, but the IP, TCP and HTTP information
would not - disabling IP would prevent it and
the other protocols from being displayed.
To disable or enable a protocol, simply click on it using the
mouse or press the space bar when the protocol is highlighted.
Warning!
You have to use the Save button to save your settings. The OK or Apply
buttons will not save your changes, so they will be lost when Ethereal
is closed.
You can choose from the following actions:
Enable All Enable all protocols in the list.
Disable All Disable all protocols in the list.
Invert Toggle the state of all protocols in the
list.
OK Apply the changes and close the dialog box.
Apply Apply the changes and keep the dialog box
open.
Save Save the settings to the disabled_protos file, see
for details.
Cancel Cancel the changes and close the dialog box.
User Specified Decodes
The "Decode As" functionality lets you temporarily divert specific
protocol dissections. This might be useful, for example, if you do some
uncommon things on your network.
The content of this dialog box depends on the selected packet when it
was opened.
Warning!
The user specified decodes cannot be saved. If you quit Ethereal,
these settings will be lost.
Decode Decode packets the selected way.
Do not decode Do not decode packets the selected
way.
Link/Network/Transport Specify the way to decode
packets. Which of these pages are available, depends on the content
of the selected packet when this dialog box was opened.
Show Current Open a dialog box showing the
current list of user specified decodes.
OK Apply the currently selected decode and close
the dialog box.
Apply Apply the currently selected decode and keep
the dialog box open.
Cancel Cancel the changes and close the dialog box.
Show User Specified Decodes
This dialog box shows the currently active user specified decodes.
OK Close this dialog box.
Clear Removes all user specified decodes.
Preferences
There are a number of preferences you can set. Simply
select the Preferences... menu item from the Edit menu, and Ethereal
will pop up the Preferences dialog box as shown in
, with the "User Interface" page as
default. On the left side is a tree where you can select the page to be
shown. XXX - add detailed descriptions of all the preferences pages.
Warning!
The OK or Apply button will not save the preference settings;
you'll have to save the settings by clicking the Save button.
The OK button will apply the preferences
settings and close the dialog.
The Apply button will apply the preferences
settings and keep the dialog open.
The Save button will apply the preferences
settings, save the settings on the harddisk and keep the dialog open.
The Cancel button will restore all preferences
settings to the last saved state.
The "User Interface" page
This page allows you to configure various characteristics
of the GUI.
The "User Interface: Layout" page
This page selects the GUI layout of the main window.
The "User Interface: Columns" page
This page allows you to select which columns appear in the
"Packet List" Pane.
Note!
Unlike all other preference changes, you will have to save the
preferences and restart Ethereal in order for column changes to
take effect!
The "User Interface: Font" page
This page allows you to select which font to use.
The "User Interface: Colors" page
This page allows you to select which colors to use.
The "Capture" page
This page allows you to select some defaults for the capture options dialog.
The "Printing" page
This page allows you to select some defaults for the print dialog.
The "Name Resolution" page
This page allows you to select some defaults for the name resolution.
The "Protocols" pages
These pages allow you to select settings for various protocols.