The Ethereal Network Analyzer
The Ethereal network analyzer is a free, open source traffic sniffer that runs on many operating systems, including Windows. It understands quite a variety of capture file formats, which in my opinion makes it better than Microsoft Network Monitor (netmon): Ethereal worked for me on a capture file that netmon would not recognize. On the other hand, Network Monitor has better knowledge of Microsoft protocols, such as their implementation of remote procedure calls, which makes netmon the tool of choice for analyzing RPC traffic. In my opinion the two products are most productive when used together, so that you can take advantage of the strengths of both.

The Ethereal display filter language is amazing. However, I had a few problems finding help on it.

Here is the official description of the Ethereal sniffer, which I obtained from http://www.ethereal.com: "Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session."

Normally I capture traffic with Network Monitor and then use it together with Ethereal for analysis. Ethereal may be installed in read-only (non-capture) mode. This is what I have done, and it turned out to work fine for me on Windows 2000 Professional. To install it I needed to download two ZIP archives: the GTK library for Win32 (gtk-libs-20000805.zip, which is a collection of 5 DLLs) and the non-capture version of the sniffer itself (ethereal-0.8.14.1-non-capture.zip). The versions will of course be different by the time you read this. After unpacking the archives and putting the DLLs into the sniffer directory, everything is ready to work. The figure below displays a screenshot.
Frame 18 of the captured LDAP traffic.
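Since the post mentions that help on the display filter language is hard to find, here is a short added set of display filters for narrowing a capture down to traffic like the LDAP frame shown above. These are my own examples, not taken from the Ethereal documentation or the original post; the addresses are constructed placeholders, and the filter expressions follow the Ethereal display filter syntax (protocol and field names, comparison operators, and the `&&`, `||` and `!` logical operators) that Wireshark still uses today.

```text
# Show only packets that the LDAP dissector recognised (constructed examples).
ldap

# Same idea expressed at the transport layer: the standard LDAP port, either direction.
tcp.port == 389

# Restrict to one client talking to one directory server (placeholder addresses).
ip.addr == 192.0.2.10 && ip.addr == 192.0.2.20 && tcp.port == 389

# Only the TCP handshake and teardown for LDAP sessions, useful for spotting
# connection attempts that never carried a request (flags are the standard TCP flag fields).
tcp.port == 389 && (tcp.flags.syn == 1 || tcp.flags.fin == 1)

# Everything on the LDAP port that is NOT from the expected client: a quick
# way to spot unexpected hosts querying the directory.
tcp.port == 389 && !(ip.src == 192.0.2.10)
```

Filters are typed into the filter box in the main window and applied to the packet list; they hide non-matching frames from the view without altering the capture file, so a "read-only" non-capture installation like the one described above can use them freely on captures made with Network Monitor.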