Ethereal-users: Re: [Ethereal-users] simple question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 14 Feb 2001 11:54:06 -0800 (PST)
> I'm new to ethereal and so forgive me if I'm asking a question that
> has already been asked before. I have just installed ethereal-0.8.15 and
> am having a little user interface problem.
> 
> What I want to do is very simple. I want to see all the network 
> traffic going between my PC/NT Win 2000 box and my Solaris box when I
> use HTTP to access my webserver on the solaris box. 
> 
> So here are a few questions ...
> 
> 1. In File->Open, I want to capture the information.

"File->Open" isn't for capturing information, it's for reading network
traffic you've *already* captured.  (One could perhaps argue that, in
GUIs, the menu item in question should be called "Read" rather than
"Open" - just as in, say, Microsoft Word, you don't use "File->Open" to
create a new document, you use it to read an existing document, you
don't use "File->Open" to create a new capture in Ethereal, you use it
to read an existing capture; however, at this point, it might well
confuse people more to give it a different name than to give it the
traditional name.)

> Why is it that
> whenever I type in a file name, it complains that it is not in the 
> correct capture file format Ethereal understands ?

Probably because the file whose name you specified isn't in any of the
capture file formats Ethereal understands.

> How do I create
> this file in the first place so that it is in the correct Ethereal
> format ?

Use one of the applications that writes capture file formats in a format
Ethereal can read:

	tcpdump, using the "-w" flag to write a raw capture file rather
	than a textual human-readable dissection of the traffic (that
	description is *not* Ethereal-readable - and doesn't contain all
	the bytes in the packet, and thus can't be made
	Ethereal-readable) - if you want to see HTTP traffic, make sure
	you also use the "-s" flag with a large snapshot length, e.g.
	65535;

	Ethereal itself (see the "Capture->Start" menu, that being what
	you use to make Ethereal capture packets);

	Tethereal, using the "-w" flag to write a raw capture file
	rather than a textual human-readable dissection of the traffic
	(Tethereal defaults to a large snapshot length, so you don't need
	the "-s" flag);

	snoop, using the "-o" flag to write a raw capture file rather
	than a textual human-readable dissection of the traffic (snoop
	defaults to a large snapshot length, so you don't need the "-s"
	flag);

	any of the Sniffer programs from Network Associates;

	Microsoft Network Monitor;

	a number of other packet capture programs for Windows and/or
	UNIX.

> 2. In the Edit->Preferences, I click on Add Expression, and choose HTTP
> as my field name. It lets me choose notification, request or
> response as options. I choose 'request' and it places "http.request" in
> the Filter string field of the Ethernet Filters box. Is that really
> what I should be doing ?

(There is no "Add Expression" under "Edit->Preferences".  Presumably you
meant "Edit->Filters".)

That depends on why you're doing it.  What you've done there is
construct a display filter (which is used when you already have a
capture file, and want to show, in the display, only packets that
match that filter) that shows only HTTP requests.  If that's not what you
wanted, that's not what you should be doing.

> Where do I specify the ip address of my Solaris box then ?

Under "IP".  Select "IP" from the "Add Expression" dialog box, and
select either "Source" (if you only want packets that come *from* your
Solaris box), "Destination" (if you only want packets going *to* your
Solaris box), or "Source or Destination Address" (if you want packets
going to *or* from your Solaris box).

Then select "==" under "Relation", as you want to check whether the
address to or from which the packet is going is that of your Solaris
box, i.e. whether it's equal to the address of your Solaris box ("=="
being the C programming language's operator for comparing for equality)
and, in the "Value" box, type the IP address or host name of your
Solaris box.

> Maybe I should not be using HTTP  for this purpose ?

No, you should not, because the HTTP protocol doesn't specify the source
or destination address of packets - that's part of IP.

> 3. How should I modify Ethereal Preferences so that I am using the
> correct network connection for this scenario ? (As you can see I'm
> a novice at networking as well!)

You can't.  If you're *capturing* packets, you specify the network
interface in the "Capture->Start" dialog box, in the "Interface:" field
of that dialog box.

If your machine has only one network interface, it will, *IF* it can
capture on that network device, put that device in the "Interface:"
field for you.  If it has more than one interface, it'll put the first
interface it can use in that field; the drop-down list will show all
interfaces it can use.

Note that if you're running this on Solaris, then, unless somebody has
changed the device files for the raw networking devices to be readable
and writable by users other than the super-user, Ethereal - like snoop,
and tcpdump - probably will not be able to capture on *any* devices
unless you run them as the super-user, which means that, if you run it
as yourself, the "Interface:" field will be blank and the drop-down list
will be empty.

Note also that, if you want to capture only traffic to or from your
Solaris box, you do *NOT* use a display filter here; instead, you use a
capture filter, in the "Filter:" field of the "Capture->Start" dialog
box.

Capture filters have a different syntax from display filters, and the
"Add Expression" button won't let you construct an expression in a
capture filter.  If your Solaris box is named "foo", the capture filter
to capture traffic to or from "foo" is

	host foo
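As an added illustration (not part of the list thread, and not Ethereal's or tcpdump's own code), the following Python builds a minimal libpcap file of the kind "tcpdump -w" writes, reads it back with the same kind of format check that makes "File->Open" reject a file that isn't a capture, and shows why the snapshot length matters for HTTP: one constructed request is "captured" at a small snapshot length and again at 65535, and an "ip.addr ==" style check picks it out by address. The frame builder, the addresses 192.0.2.10 and 192.0.2.20 and the small snapshot length 54 are constructed for the example.

```python
import socket, struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic: the raw format "tcpdump -w" writes

def write_pcap(packets, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) records; frames longer than snaplen are cut short."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, frame in packets:
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(kept), len(frame)) + kept
    return out

def read_pcap(data):
    """Return (snaplen, [(incl_len, orig_len, frame)]); reject anything that is not libpcap."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not in a capture file format we understand")
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"  # swapped magic: big-endian writer
    snaplen, pos, records = struct.unpack(endian + "IHHiIII", data[:24])[5], 24, []
    while pos < len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)  # struct.error if short
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        records.append((incl_len, orig_len, frame))
        pos += 16 + incl_len
    return snaplen, records

def is_capture_file(data):
    """The check File->Open effectively makes: do these bytes parse as a capture file at all?"""
    try:
        read_pcap(data)
        return True
    except (ValueError, struct.error):
        return False

def ip_addr_matches(frame, addr):
    """The display-filter test 'ip.addr == addr' on an Ethernet/IPv4 frame (source or destination)."""
    return len(frame) >= 34 and frame[12:14] == b"\x08\x00" and socket.inet_aton(addr) in (frame[26:30], frame[30:34])

def http_request_frame(src, dst, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))    # constructed frame; checksum left zero
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)  # PSH+ACK to port 80
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload            # Ethernet II, type IPv4

def demo(snaplen):
    frame = http_request_frame("192.0.2.10", "192.0.2.20", b"GET /index.html HTTP/1.0\r\n\r\n")
    data = write_pcap([(982180446, 0, frame)], snaplen)   # what "tcpdump -w -s <snaplen>" would have written
    incl, orig, got = read_pcap(data)[1][0]
    return {"truncated": incl < orig, "request_seen": b"GET /" in got, "ip_match": ip_addr_matches(got, "192.0.2.20")}
```

demo(54) keeps only the Ethernet/IP/TCP headers, so the address check still matches but the HTTP request is gone; demo(65535) keeps the whole request, which is why the reply above tells you to use a large "-s" with tcpdump.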