Hi there...
Gilbert Ramirez Jr. just gave me a pointer to ethereal after seeing the
announcement for my packet sniffer (gnusniff) on freshmeat. As ethereal
is light years ahead of where I am with my sniffer, I'm jumping ship.
I'd like to make a few suggestions for changes to ethereal..
1) The UI.
I know you probably all love the ethereal main window dearly, but I'd
like to know what people think of changing the main window to something
akin to that of my (now ex) packet sniffer. You can see a couple of
screenshots of my sniffer at
http://www.ozemail.com.au/~peterhawkins/screen1.png and
http://www.ozemail.com.au/~peterhawkins/screen2.png. (Note this HTTP
server incorrectly reports the MIME type of these images as text/plain,
which means you can't download them properly with netscape. Use wget or
similar. Barring that, download the actual sniffer itself.)
I like my design of having the tree of interfaces down the side, with a
tab control containing things like interface statistics, control of
sniffing, and the data display (which is basically the ethereal main
window at the moment). What do people think?
Possibly change the options dialog box to be like that of netscape? The
'tree down the side' arrangement is IMHO neater than a tabbed dialog.
This a good idea?
2) Additional functionality...
Add a simple progress bar type network load indicator in the sniffing
statistics area. So at any given moment I can tell my network is at X%
load. This should be easy... measuring load is trivial (bytes received
in a time period by sniffer / time), determining the rated maximum load
for a network might be harder. Maybe a configuration item, maybe
automagically to be determined from the interface data.
Support the display of connections/hosts. I want to see easily the
connections which are happening in the data which has been captured, I
want to know which hosts are involved. I want to know how many packets
each host has received, etc. etc...
Support logging/graphs of various stats over time, eg. load, TCP SYN
packets to a certain host, amount of traffic on a certain port of a
certain host, etc.
For the TCP stream analysis, do everything as essentially a list,
listing packet info, direction and contents, etc. so I could view a POP
connection like this:
--+-
->|(SYN)
--+-
<-|(ACK)
|200 Iname mail server v0.20a ready!
--+-
->|USER chalky
--+-
<-|250 User okay, enter password
--+-
->|PASS abcdefgh
--+-
<-|200 User/pass okay. 28 messages waiting.
--+-
->|RECV 1
--+-
<-|From lists.linux.it
|From: somebody@somewhere
|To: crystal@xxxxxxxxxxxxxx
|Subject: New beta 11.45b
|
|Hello there, I released a new beta today, here is the binary:
|A0 45 29 4F 6B 9D 29 D5 43 52 0F 02 34 12 95 DE
etc..
If I could do that, then there would be no need for a special, eg. POP
protocol, the TCP stream decoder would happily handle it by itself.
3) A few minor suggested changes to DNS...
rather than stating RTYPEs and QTYPEs as "A", "NS", "MD", "MF", "CNAME",
how about making the decoded output a bit more verbose, ie. "Host
address", "Authoritative name server", "Mail destination (obsolete)",
"Mail forwarder (obsolete)", "Canonical name for alias", and so on. This
would undoubtedly make it easier for anyone who didn't read RFC 1053 in
the past half hour to understand the decoded output... :-)
BTW, how does ethereal avoid sniffing its own DNS packets from reverse
DNS lookups? I'm interested in how this is done.
4) An issue kind of separate from the actual sniffer proper, but I'd like
context-sensitive help for packet fields. I want to be able to press F1
while the TCP receive window field is selected and to get a nice verbose
description on what the TCP receive window is, what it does, why it
really shouldn't be 0 for a healthy connection, etc. Maybe use the gnome
help browser for this. Maybe use a little popup window. This would allow
Joe average to understand a packet field without having to go digging
through specs and RFCs.
5) BUG: If I don't enter a filename in the 'begin capture' dialog box,
why do I lose my data? (using ethereal 0.5.1.)
I'd be happy to make the (at least the UI) changes to ethereal myself,
I'm just checking that these changes are welcome before I expend the
effort...
:-)
Peter
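The list-style TCP stream view proposed in item 2 of the message above, written out as an added example in Python. This is not ethereal's code and not part of the original message: the `Segment` record, the endpoint addresses and the POP3-style capture are all constructed here for illustration. It walks the segments in capture order, tags each with `->` (client to server) or `<-` (server to client), prints control flags in parentheses, prefixes continuation lines of a multi-line payload with `|` as in the sketch, drops a retransmitted segment so it is not listed twice, and by default masks the argument of a `PASS` command, since a view like this puts cleartext credentials straight on screen and a capture reviewer usually wants them flagged rather than copied into reports. A small per-host counter covers the "which hosts are involved, how many packets each" request from the same item.

```python
"""Render a captured TCP stream as a direction-tagged list (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Segment:
    src: str                 # "ip:port" of the sender (constructed values below)
    dst: str
    seq: int                 # TCP sequence number of the first payload byte
    flags: frozenset         # e.g. frozenset({"SYN"}), frozenset({"PSH", "ACK"})
    payload: bytes = b""


FLAG_ORDER = ("SYN", "FIN", "RST", "PSH", "ACK")
CONTROL_FLAGS = ("SYN", "FIN", "RST")
PASS_RE = re.compile(rb"^(PASS\s+)\S+", re.IGNORECASE)   # masks the PASS argument

# Constructed capture of a POP3-like login followed by one RETR.
CLIENT = "10.0.0.5:4021"
SERVER = "10.0.0.9:110"
CAPTURE = [
    Segment(CLIENT, SERVER, 1000, frozenset({"SYN"})),
    Segment(SERVER, CLIENT, 5000, frozenset({"SYN", "ACK"})),
    Segment(CLIENT, SERVER, 1001, frozenset({"ACK"})),
    Segment(SERVER, CLIENT, 5001, frozenset({"PSH", "ACK"}), b"+OK POP3 server ready\r\n"),
    Segment(CLIENT, SERVER, 1001, frozenset({"PSH", "ACK"}), b"USER chalky\r\n"),
    Segment(SERVER, CLIENT, 5024, frozenset({"PSH", "ACK"}), b"+OK\r\n"),
    Segment(CLIENT, SERVER, 1014, frozenset({"PSH", "ACK"}), b"PASS abcdefgh\r\n"),
    # retransmission of the PASS segment (same direction, same seq): listed once
    Segment(CLIENT, SERVER, 1014, frozenset({"PSH", "ACK"}), b"PASS abcdefgh\r\n"),
    Segment(SERVER, CLIENT, 5029, frozenset({"PSH", "ACK"}), b"+OK 28 messages\r\n"),
    Segment(CLIENT, SERVER, 1029, frozenset({"PSH", "ACK"}), b"RETR 1\r\n"),
    Segment(SERVER, CLIENT, 5046, frozenset({"PSH", "ACK"}),
            b"+OK\r\nFrom: somebody@somewhere\r\nSubject: New beta\r\n"),
]


def render_stream(segments, client, redact_credentials=True):
    """Return the stream as text lines in the ->| / <-| layout from the message.

    Segments are taken in capture order (no seq-based reordering is attempted).
    A payload-carrying segment that repeats an already seen (direction, seq)
    pair is treated as a retransmission and skipped.
    """
    seen = set()
    lines = []
    for seg in segments:
        arrow = "->" if seg.src == client else "<-"
        if seg.payload:
            if (arrow, seg.seq) in seen:
                continue
            seen.add((arrow, seg.seq))
        lines.append("--+-")
        shown_flags = [f for f in FLAG_ORDER if f in seg.flags]
        first = True
        if any(f in seg.flags for f in CONTROL_FLAGS) or not seg.payload:
            # connection control (or a bare ACK): show the flag set on its own line
            lines.append(f"{arrow}|({','.join(shown_flags)})")
            first = False
        for raw in seg.payload.splitlines():
            if redact_credentials:
                raw = PASS_RE.sub(rb"\1********", raw)
            text = raw.decode("ascii", errors="replace")
            lines.append(f"{arrow}|{text}" if first else f"  |{text}")
            first = False
    return lines


def host_summary(segments):
    """Per-host packet and byte counts: which hosts took part and how much each got."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "bytes_received": 0})
    for seg in segments:
        src_host = seg.src.rsplit(":", 1)[0]
        dst_host = seg.dst.rsplit(":", 1)[0]
        stats[src_host]["sent"] += 1
        stats[dst_host]["received"] += 1
        stats[dst_host]["bytes_received"] += len(seg.payload)
    return dict(stats)


if __name__ == "__main__":
    print("\n".join(render_stream(CAPTURE, CLIENT)))
    for host, counts in sorted(host_summary(CAPTURE).items()):
        print(host, counts)
```

Run as a script it prints the POP exchange in the `->|` / `<-|` layout with `PASS ********` in place of the password; pass `redact_credentials=False` to see the raw line. Out-of-order or overlapping segments are not re-sequenced here, which a real stream follower would have to do before rendering.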