Difference between revisions of "Ethereal"
Line 16: | Line 16: | ||
e.g. After capturing we filtered out all data to machines not on the local network (IP-adress other than 192.168.1.x), using this filter: | e.g. After capturing we filtered out all data to machines not on the local network (IP-adress other than 192.168.1.x), using this filter: | ||
ip.src >= 192.168.1.1 && ip.src <= 192.168.1.255 && ip.dst >= 192.168.1.1 && ip.dst <= 192.168.1.255 | ip.src >= 192.168.1.1 && ip.src <= 192.168.1.255 && ip.dst >= 192.168.1.1 && ip.dst <= 192.168.1.255 | ||
+ | A shorter notation is: | ||
+ | ip.src == 192.168.1.0/24 && ip.dst == 192.168.1.0/24 | ||
Doing this ensures other data like a webpage refreshing, or a mail-client fetching new mail does not contaminate the meassurements. | Doing this ensures other data like a webpage refreshing, or a mail-client fetching new mail does not contaminate the meassurements. | ||
Revision as of 19:52, 30 January 2007
Ethereal is used to analyse the network traffic.
We captured the network data with the following machines:
- 192.168.1.101 - Asterisk #1
- 192.168.1.106 - Asterisk #2
- 192.168.1.3 - Windows machine 1 (also running both VMware's for both Trixboxes)
- 192.168.1.189 - Laptop #1 running only X-lite
Analysis on VoIP-calls
We did also do some Ethereal Analysis on the traffic during several conversations.
Using Ethereal
Ethereal can capture all network data. This captured data must be filtered in order to do some analysis.
e.g. After capturing we filtered out all data to machines not on the local network (IP-adress other than 192.168.1.x), using this filter:
ip.src >= 192.168.1.1 && ip.src <= 192.168.1.255 && ip.dst >= 192.168.1.1 && ip.dst <= 192.168.1.255
A shorter notation is:
ip.src == 192.168.1.0/24 && ip.dst == 192.168.1.0/24
Doing this ensures other data like a webpage refreshing, or a mail-client fetching new mail does not contaminate the meassurements.
When doing further analysis, sometimes the filters should only look at the protocol under investigation, because Windows PC's will also communicate to each other about shared files, etc. Also HTTP- and DHCP-traffic is not uncommon between the VMware- and other local machines.
For more information on Packet Capturing, we have included a simple how-to Ethereal capture filter (source)
Promiscuous mode
When measuring (listening to) all data on the local network, the network adapter has to be set in promiscuous mode. This is only possible with administrator rights (e.g. root in Linux) and not all network devices can operate in such mode. For example most WiFi cards cannot operate in this mode and therefore cannot listen to all traffic it receives.
Another problem when listening to all other traffic is in a switched network. When using switches instead of hubs, you cannot "hear" what other computers are sending to each other. Possible work-arounds are setting the switch in broadcast-mode (not all switches can do this) or forcing the switch to operate like a hub by overloading the MAC-table (forging numerous false MAC-addresses, most system-administrators will not like this). Some (manageble) switches can create one or more Vlans in which sniffing the traffic is possible.