The sniffer is a double-edged sword in the network security field. On the one hand, hackers often use it as a network attack tool, causing security incidents such as stolen passwords and stolen sensitive data; on the other hand, it plays an irreplaceable role in helping network administrators monitor network conditions, diagnose network failures, and eliminate network hazards. Sniffers are an indispensable network management tool. This article takes three common network sniffers on the Linux platform, tcpdump, Ethereal and EtherApe, as examples and describes how to diagnose network failures with a sniffer so that the network runs efficiently and safely.

Introduction

A sniffer, also known as a packet sniffer, is software or hardware used to intercept computer network communication data. Unlike telephone circuits, computer networks are shared communication channels, which means that each computer may receive information transmitted to other computers; capturing the data transmitted in the network is referred to as sniffing.

A sniffer is often an effective way of collecting specific data in the network: it is a tool that uses a computer's network interface to intercept data messages destined for other computers. The sniffer works at the bottom layer of the network environment and can intercept the data transmitted on the network, which makes it a huge threat to network security. By sniffing the network, malicious users can easily steal secret documents and sensitive data, so the sniffer is often a basic means of network attack for hackers.

Every tool has two sides. The sniffer can be used by hackers to obtain data illegally, but at the same time it is important to network administrators. By sniffing, administrators can diagnose a large number of otherwise invisible, obscure problems in the network. These problems typically involve abnormal communication between multiple computers and may involve a variety of communication protocols.
With a sniffer, the administrator can easily determine which traffic belongs to a particular network protocol, which host is the main source of traffic, which host is the main destination, how long messages take, the interval between the messages of each host, and so on. This information is very valuable to administrators when judging network problems and optimizing network performance.

As a relatively mature technology, the sniffer plays an irreplaceable role in monitoring network data transmission and eliminating network failures, and is favored by network administrators. By analyzing network traffic you can identify various problems in the network, such as bottlenecks or declining performance; you can also determine whether a hacker is attacking the network system. If you suspect that the network is under attack, the packets intercepted by the sniffer show what type of packets are being used in the attack and where they come from, so that you can respond promptly or adjust the network to keep it running efficiently and safely.

Network administrators often need certain functions provided by a sniffer when detecting network failures and maintaining normal network communication. A sniffer generally provides the following features:

1. Automatically filter and convert useful information from the network;
2. Convert intercepted packets into an easily recognizable format;
3. Analyze communication failures in the network environment;
4. Detect communication bottlenecks in the network environment;
5. Detect whether a hacker is attacking the network system, in order to prevent intrusion;
6. Record the network communication process.

This article describes how to use a sniffer on the Linux platform to intercept the data transmitted in the network, and thereby detect network bottlenecks and network failures that may exist.
There are many sniffers available on the Linux platform, and their functions and strengths differ. This article takes three sniffers, tcpdump, Ethereal and EtherApe, as examples and explains how to use their respective strengths to analyze and detect the performance and faults of a Linux network.

◆ tcpdump: tcpdump is a command-line network traffic monitoring tool. It appeared early and is the prototype of many graphical sniffers.

◆ Ethereal: Ethereal is a graphical network traffic monitoring tool that is much friendlier than the command-line tcpdump and can show the capture process in real time.
◆ EtherApe: EtherApe is also a graphical network traffic monitoring tool. Unlike Ethereal, EtherApe detects network activity and displays it graphically, which shows the state of the entire network more intuitively.

How a sniffer works

In a local area network based on the TCP/IP protocol, data is passed down from the application layer: it first forms an IP packet at the network layer and then reaches the data link layer, where the IP packet is divided into data frames, given an Ethernet header, and sent to the physical medium. A data frame at the link layer contains the MAC addresses of the local host and the target host. Delivery at this layer relies on the 48-bit MAC address rather than the IP address; the network interface card driver does not care about the destination IP address in the IP packet and needs only the MAC address in the frame.

When the hosts in a local area network are connected by a hub, a shared connection is generally used. This shared connection has one significant feature: physically, data is sent in broadcast mode. When a host sends data to another host, the shared hub forwards all of the received data to every port on the hub. That is, when a host sends a packet addressed by MAC address, the sending host has specified the address of the target host, but this does not mean that other hosts in the network cannot monitor the data transmitted between the sender and the receiver. Therefore, in theory, when a shared connection is used, every host on the same network segment can intercept all the data transmitted in the network.
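The framing described above, as an added example that is not part of the original article: a Python decoder that pulls the MAC addresses, IP addresses and ports out of one raw Ethernet frame, the way a sniffer does after capture. The frame is constructed here; its MAC addresses and ports are the ones in the tcpdump sample later in this article, the IP addresses assigned to the two hosts are assumptions, and checksums are left at zero because the decoder does not verify them.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and TCP/UDP port fields of one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    # Ethernet header: destination MAC, source MAC, EtherType (big-endian).
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src),
            "ethertype": ethertype, "frame_len": len(frame)}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # ARP etc.: link-layer fields only
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4           # IPv4 header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    info.update(src_ip=socket.inet_ntoa(src_ip),
                dst_ip=socket.inet_ntoa(dst_ip),
                ttl=ttl, protocol=PROTO_NAMES.get(proto, str(proto)),
                ip_total_len=total_len,
                padding=len(ip) - total_len)   # bytes added to reach 60
    l4 = ip[ihl:total_len]
    if proto in (6, 17) and len(l4) >= 4:      # TCP and UDP both start with ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def build_sample_frame() -> bytes:
    """Constructed 60-byte frame: TCP ACK from mag port 36579 to tiger port 21."""
    eth = (bytes.fromhex("00d059bfda06")       # destination: tiger's MAC
           + bytes.fromhex("0890b02faf46")     # source: mag's MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("9.185.10.58"),   # assumed address of mag
                     socket.inet_aton("9.185.10.57"))   # assumed address of tiger
    tcp = struct.pack("!HHIIBBHHH", 36579, 21, 0, 25565, 0x50, 0x10, 8970, 0, 0)
    return eth + ip + tcp + b"\x00" * 6        # pad 54 bytes up to 60


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:13} {value}")
```

The NIC only ever looks at the first six bytes (the destination MAC); everything after the EtherType is payload that the sniffer software interprets.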
Under normal circumstances, every NIC on the same network segment of the local area network can access all the data transmitted on the physical medium, but a NIC usually responds only to the following two kinds of data frames:

◆ frames whose target MAC address matches the NIC's own MAC address;
◆ frames whose target MAC address is the broadcast address.

Only when one of these two kinds of frame is received does the NIC raise a hardware interrupt to the CPU; the operating system then handles the interrupt and processes the data contained in the frame further. That is, although all hosts on the network can "listen" to all data, they do not respond to messages that are not their own and simply ignore this data.

However, if a host in the network does not want to ignore the data frames that do not belong to it, it only needs to put its NIC into promiscuous mode. The NIC then raises a hardware interrupt for every frame it receives to notify the operating system, so that after each packet is handed over by the NIC, all the data on the network can be captured. If the network card of a host is configured in promiscuous mode, the host and its related software constitute a sniffer.

The sniffer works at the bottom layer of the network environment, intercepts all data transmitted on the network, and passes it to the corresponding software for processing. The sniffer can analyze the contents of this data in real time, which helps network administrators analyze the status, performance, or faults of the entire network. Because of this, the sniffer is an indispensable and powerful tool for administrators when detecting network failures.

Using tcpdump to filter packets

For network administrators, a sniffer makes it possible to keep track of the actual state of the network at any time; when network performance drops sharply, the sniffer can be used to analyze the situation and find the root cause of the congestion. tcpdump is a network traffic monitoring tool on the Linux platform.
It can intercept the packets received on the NIC and help the network administrator analyze their contents.

A sniffer can intercept the packets of a specified interface or of all interfaces, depending on how it is configured. By default, a sniffer generally displays every packet intercepted from the network, but the sheer amount of data usually leaves the network administrator unable to make sense of it. Sniffers therefore generally provide a mechanism for filtering the intercepted packets so that only the packets meeting specific requirements are displayed.
tcpdump provides a complete set of rules for filtering intercepted packets. Since most graphical sniffers use similar filtering mechanisms, knowing how to use tcpdump to capture the packets of interest is a basic skill that Linux network administrators must master.

tcpdump installation

In some Linux distributions, tcpdump is installed as part of the standard packages, and running the "tcpdump" command shows whether it is already installed. If tcpdump is not installed on the system, you can download the latest tcpdump source package from "http://www.tcpdump.org".

The following uses tcpdump 3.7.1 as an example of how to install tcpdump; the operating system used here is Red Hat 8.0. First download the latest source package and decompress it with the following commands:

# cp tcpdump-3.7.1.tar.gz /usr/local/src/
# cd /usr/local/src/
# tar xzvf tcpdump-3.7.1.tar.gz
Before compiling tcpdump, first make sure that the pcap library (libpcap) has been installed; this library is required for compiling tcpdump. If the library is already installed, run the following commands to compile and install tcpdump:
# cd tcpdump-3.7.1
# ./configure
# make
# make install
tcpdump command-line options

tcpdump is a command-line network sniffer. It uses command options to filter the packets intercepted on the network card; without filtering, the sheer number of packets makes it hard for the network administrator to keep a clear head. The command format of tcpdump is as follows:

tcpdump [-adeflnNOpqRStuvxX] [-c quantity] [-C file size] [-F file name] [-i network interface] [-m file name] [-r file name] [-s length] [-T type] [-w file name] [-E algo:secret] [expression]
Table 1 Common tcpdump command-line options

-a     Convert network addresses and broadcast addresses into easily recognizable names
-d     Output the packet-matching code in a format that is easy for people to understand
-dd    Output the packet-matching code in the format of a C program fragment
-ddd   Output the packet-matching code in decimal format
-e     Output the header information of the data link layer
-f     Output Internet addresses in numeric form
-l     Switch standard output to line-buffered mode
-n     Do not convert network addresses to easily recognizable host names; list them in numeric form (such as IP addresses), which avoids DNS queries
-t     Do not output the timestamp
-v     Output more detailed information, such as the TTL and type-of-service information of IP packets
-vv    Output detailed message information
-c     Stop after capturing the specified number of packets
-F     Read the filter rules from the specified file and ignore other filter rules given on the command line
-i     Specify the network interface to listen on
-r     Read packets from the specified file (this file is typically generated with the -w option)
-w     Write the intercepted packets directly to the specified file without analyzing and printing them
-T     Interpret the intercepted packets directly as messages of the specified type; the currently supported types are cnfp, rpc, rtp, snmp, vat, and wb
Table 1 lists some commonly used tcpdump command-line options; with these options it is easy to filter out the packets that are really of interest. For example, you can enter the "tcpdump arp" command to filter out all communication data except ARP requests and responses, so that only ARP request and response information is intercepted. In the output of tcpdump, a request appears as an entry such as "arp who-has" and a response as an entry such as "arp reply", as shown in Figure 1.

Figure 1 ARP filtering
If you want to go further, for example to intercept 5 ARP packets from a specified network interface without converting network addresses to host names, you can use the command "tcpdump arp -i eth0 -c 5 -n".

tcpdump filter expressions

A tcpdump filter expression is a regular expression whose conditions tcpdump uses to filter packets. If a packet meets the conditions of the expression, it is captured; if no expression is given, all packets between any two hosts on the network are intercepted. The purpose of the filter expression is to make tcpdump output only the data the network administrator needs, such as the IP packets between a specified network interface and a particular host.

tcpdump filter expressions generally use the following kinds of keywords:

◆ Type keywords
These keywords specify a host, network, or port and include host, net, and port. For example, "host 9.185.0.0.0" indicates the host to monitor; "net 9.185.0.0" indicates the network to monitor; "port 23" indicates the port to monitor. If no type is given in the expression, the default type is host.

◆ Direction keywords
These keywords specify the direction of interception and include the four keywords dst, src, dst or src, and dst and src. For example, "src 9.185.10.57" specifies the source host address of the packets to intercept; "dst net 9.185.0.0" specifies the target network address of the packets to intercept. If no direction is given in the expression, the default direction is "dst or src", that is, packets in both directions are captured. For data link layer protocols (such as SLIP and PPP), inbound and outbound are used to define the direction.

◆ Protocol keywords
These keywords specify the protocol of the packets to intercept and include keywords such as ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp, and udp.
The keyword fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks. In fact it is an alias of ether: FDDI and Ethernet have similar source and destination addresses, so FDDI protocol packets can be analyzed and processed in the same way. The other keywords simply indicate the protocol of the packets to intercept. If no protocol is given in the expression, tcpdump intercepts the packets of all protocols.

In addition to the three kinds of keywords above, tcpdump has some other important keywords, including gateway, broadcast, multicast, less, and greater. These keywords are very helpful when dealing with broadcast and multicast traffic in the network. For more information on these keywords, refer to the tcpdump man page.

In a tcpdump filter expression, keywords of all kinds can be joined with Boolean operators into a combined expression to meet practical needs. The Boolean operators are the negation operator (not or !), the AND operator (and or &&), and the OR operator (or or ||). Combining expressions with Boolean operators produces powerful conditions that refine tcpdump's filtering further.

The following are several examples of using tcpdump to filter packets. The filter expressions provided by the sniffer are very important for administrators monitoring network health:

1. If you want to intercept all packets received and sent by host "9.185.10.57", you can use the following command:

# tcpdump host 9.185.10.57
2. If you want to intercept the packets passed between host "9.185.10.57" and host "9.185.10.58" or "9.185.10.59", you can use the following command:

# tcpdump host 9.185.10.57 and \
> \(9.185.10.58 or 9.185.10.59\)
It should be noted that when Boolean operators are used to build a combined expression, parentheses are sometimes necessary to express complex logical relationships. To use parentheses on the command line, you must escape them with the escape character ("\"); otherwise the command-line interpreter reports a syntax error.

3. If you want to intercept the IP packets between host "9.185.10.57" and all other hosts except host "9.185.10.58", you can use the following command:

# tcpdump ip host 9.185.10.57 and ! 9.185.10.58
4. If you want to intercept the TCP port 21 packets received or sent by host "9.185.10.57", you can use the following command:

# tcpdump tcp port 21 and host 9.185.10.57
5. If a denial-of-service (DoS) attack is suspected, the network administrator can intercept all ICMP packets sent to this machine to determine whether a large number of ping requests are flowing to the server. In this case, you can use the following command:

# tcpdump icmp -n -i eth0
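How the keyword defaults and Boolean operators above combine, as an added example (not from the original article and not libpcap's code): a small Python model of the filter syntax covering protocol, src/dst, host and port keywords plus and/or/not and parentheses, run over constructed packets. net, host names and the compound direction keywords are left out; precedence follows the tcpdump manual (negation binds tightest, and/or have equal precedence and group left to right), and the packet names are hypothetical.

```python
import ipaddress
import re

PROTOS = {"ip", "tcp", "udp", "icmp", "arp"}
DIRS, TYPES = {"src", "dst"}, {"host", "port"}
AND, OR, NOT = {"and", "&&"}, {"or", "||"}, {"not", "!"}


def proto_ok(pkt, proto):
    if proto == "ip":                    # in this model "ip" means any IPv4 packet
        return pkt["proto"] in {"tcp", "udp", "icmp"}
    return pkt["proto"] == proto


def field_ok(pkt, direction, kind, value):
    src_key, dst_key = ("src", "dst") if kind == "host" else ("sport", "dport")
    # No direction keyword means "dst or src": either side may match.
    keys = {"src": [src_key], "dst": [dst_key]}.get(direction, [src_key, dst_key])
    return any(pkt.get(key) == value for key in keys)


def both(a, b):
    return lambda pkt: a(pkt) and b(pkt)


def either(a, b):
    return lambda pkt: a(pkt) or b(pkt)


def compile_filter(expression):
    """Turn a filter expression (subset of the syntax) into pkt -> bool."""
    toks = re.findall(r"[()!]|[^\s()!]+", expression.lower())
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of expression")
        pos += 1
        return toks[pos - 1]

    def primitive(tok):
        proto, direction, kind = None, None, "host"   # default type is host
        if tok in PROTOS:
            proto = tok
            if peek() not in DIRS | TYPES:            # bare protocol, e.g. "icmp"
                return lambda pkt: proto_ok(pkt, proto)
            tok = take()
        if tok in DIRS:
            direction, tok = tok, take()
        if tok in TYPES:
            kind, tok = tok, take()
        # int() and ip_address() raise ValueError for keywords or garbage.
        value = int(tok) if kind == "port" else str(ipaddress.ip_address(tok))
        return lambda pkt: ((proto is None or proto_ok(pkt, proto))
                            and field_ok(pkt, direction, kind, value))

    def term():
        tok = take()
        if tok in NOT:
            inner = term()
            return lambda pkt: not inner(pkt)
        if tok == "(":
            inner = parse()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        return primitive(tok)

    def parse():
        left = term()
        while peek() in AND | OR:        # equal precedence, left to right
            op, right = take(), term()
            left = (both if op in AND else either)(left, right)
        return left

    predicate = parse()
    if pos != len(toks):                 # primitives must be joined explicitly
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return predicate


# Constructed sample traffic; the addresses reuse this article's example hosts.
PACKETS = {
    "ftp":  {"proto": "tcp", "src": "9.185.10.57", "sport": 1025,
             "dst": "9.185.10.58", "dport": 21},
    "web":  {"proto": "tcp", "src": "9.185.10.59", "sport": 3000,
             "dst": "9.185.10.57", "dport": 80},
    "ping": {"proto": "icmp", "src": "9.185.10.60", "dst": "9.185.10.57"},
    "arp":  {"proto": "arp", "src": "9.185.10.58", "dst": "9.185.10.59"},
    "dns":  {"proto": "udp", "src": "9.185.10.57", "sport": 1026,
             "dst": "9.185.10.61", "dport": 53},
}


def select(expression, packets=PACKETS):
    """Names of the sample packets that the expression would capture."""
    match = compile_filter(expression)
    return [name for name, pkt in packets.items() if match(pkt)]
```

Without the parentheses, "host 9.185.10.57 and 9.185.10.58 or 9.185.10.59" groups as "(57 and 58) or 59" and also captures traffic to 9.185.10.59 that never touches 9.185.10.57, which is why example 2 escapes them for the shell.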
The output of tcpdump

After filtering the packets on the network, tcpdump prints output that contains network status information for the network administrator. Since tcpdump is only a command-line sniffer, its output is not very intuitive. The following uses some typical output as examples of how to analyze tcpdump's results.

1. Data link layer header information

The "tcpdump -e host tiger" command intercepts the packets of the host "tiger" and includes the header information of the data link layer in the output. "tiger" is a host running Linux, and its MAC address is 00:d0:59:bf:da:06; "mag" is a workstation running SCO UNIX, and its MAC address is 08:90:b0:2f:af:46. The output of the above command is as follows:

20:15:20.735429 eth0 < 08:90:b0:2f:af:46 00:d0:59:bf:da:06 ip 60: mag.36579 > tiger.ftp 0:0(0) ack 25565 win 8970 (DF)

In this output, "20:15:20" is the time at which the packet was intercepted and "735429" is the number of milliseconds; "eth0 <" means that the packet was received on network interface eth0 (with "eth0 >", the packet was sent from network interface eth0). "08:90:b0:2f:af:46" is the MAC address of host mag, showing that the source host of the packet is "mag"; "00:d0:59:bf:da:06" is the MAC address of host tiger, showing that the target host of the packet is "tiger". "ip" indicates that the packet is an IP packet, "60" is the length of the packet, and "mag.36579 > tiger.ftp" shows that the packet is sent from port 36579 of host "mag" to the FTP (21) port of host "tiger". "ack 25565" indicates that the packet with sequence number 25565 is acknowledged, and "win 8970" indicates that the send window is 8760.

2. ARP packet output

When the "tcpdump arp -c 2" command is used to intercept ARP packets, the output may be:
20:42:22.713502 eth0 > arp who-has mag tell tiger (00:d0:59:bf:da:06)
20:42:22.713907 eth0 < arp reply mag is-at 08:90:b0:2f:af:46 (00:d0:59:bf:da:06)

In this output, "20:42:22" is the time at which the packets were intercepted; "713502" and "713907" are milliseconds; "eth0 >" indicates that the packet is sent from the host; "eth0 <" indicates that the packet is received by the host. "arp" indicates that the packet is an ARP request, "who-has mag tell tiger" indicates that host "tiger" requests the MAC address of host "mag", and "00:d0:59:bf:da:06" is the MAC address of host "tiger". "reply mag is-at" indicates that host "mag" responds to the ARP request from "tiger", and "08:90:b0:2f:af:46" is the MAC address of host "mag".

3. TCP packet output

The general output format of a TCP packet intercepted with tcpdump is as follows:

src > dst: flags data-seqno ack window urgent options

"src > dst:" indicates the source address and the destination address; flags is the flag information in the TCP packet, including the S (SYN) flag, the F (FIN) flag, the P (PUSH) flag, the R (RST) flag and "." (no flag); data-seqno is the sequence number of the data in the packet; ack is the sequence number expected next; window is the window size of the receive buffer; urgent indicates whether there is an urgent pointer in the packet; options are the option values, if any.

4. UDP packet output

The general output format of a UDP packet intercepted with tcpdump is as follows:

src.port1 > dst.port2: udp length

The information contained in a UDP packet is simple. The output above indicates that a UDP packet is sent from port "port1" of host "src" to port "port2" of host "dst". The type of the packet is UDP, and its length is "length".

From the above introduction, you can see that tcpdump is a command-line sniffer. It can display all packets passing through a network interface as needed, so that the network administrator can examine the network. However, because it works on the command line, analyzing these packets can be difficult.
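One way to take some of that difficulty out of reading the output, as an added example that is not part of the original article: a Python parser for lines in the layout shown above (link-level header lines and ARP lines) that totals bytes per host pair and lists ARP requests that never received a reply. Three of the sample lines are the ones quoted in this article; the remaining lines and the host name lion are constructed, and only lines whose endpoints end in a port are handled.

```python
import re
from collections import Counter

HEAD = r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
ARP_RE = re.compile(
    HEAD + r"arp (?:who-has (?P<target>\S+) tell (?P<asker>\S+)"
    rf"|reply (?P<host>\S+) is-at (?P<mac>{MAC}))")
FRAME_RE = re.compile(
    HEAD + rf"(?P<src_mac>{MAC}) (?P<dst_mac>{MAC}) "
    r"(?P<proto>\w+) (?P<length>\d+): "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+):?(?: (?P<rest>.*))?$")

# Lines 2, 4 and 5 are the article's samples; the rest are constructed.
SAMPLE = """\
tcpdump: listening on eth0
20:15:20.735429 eth0 < 08:90:b0:2f:af:46 00:d0:59:bf:da:06 ip 60: mag.36579 > tiger.ftp 0:0(0) ack 25565 win 8970 (DF)
20:15:20.801112 eth0 > 00:d0:59:bf:da:06 08:90:b0:2f:af:46 ip 74: tiger.ftp > mag.36579 1:21(20) ack 1 win 5840 (DF)
20:42:22.713502 eth0 > arp who-has mag tell tiger (00:d0:59:bf:da:06)
20:42:22.713907 eth0 < arp reply mag is-at 08:90:b0:2f:af:46 (00:d0:59:bf:da:06)
20:42:25.100000 eth0 > arp who-has lion tell tiger (00:d0:59:bf:da:06)
20:42:26.100000 eth0 > arp who-has lion tell tiger (00:d0:59:bf:da:06)
"""


def split_endpoint(text):
    """'mag.36579' -> ('mag', '36579'); the port is whatever follows the last dot."""
    host, dot, port = text.rpartition(".")
    return (host, port) if dot else (text, None)


def parse_line(line):
    """Return a dict for an ARP or link-level line, or None if it is neither."""
    m = ARP_RE.match(line)
    if m:
        rec = {k: v for k, v in m.groupdict().items() if v is not None}
        rec["kind"] = "arp-reply" if "mac" in rec else "arp-request"
        return rec
    m = FRAME_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "frame"
        rec["length"] = int(rec["length"])
        rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
        return rec
    return None


def summarize(lines):
    """Bytes per (source, destination) pair plus ARP bookkeeping."""
    traffic, arp_table, pending, skipped = Counter(), {}, Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1                       # banner or unsupported layout
        elif rec["kind"] == "frame":
            traffic[(rec["src_host"], rec["dst_host"])] += rec["length"]
        elif rec["kind"] == "arp-request":
            pending[rec["target"]] += 1        # waiting for an is-at reply
        else:
            arp_table[rec["host"]] = rec["mac"]
            pending.pop(rec["host"], None)     # request answered
    return {"traffic": dict(traffic), "arp_table": arp_table,
            "unanswered": dict(pending), "skipped": skipped}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(key, value)
```

Repeated who-has requests with no reply, as for the constructed host lion, are a quick sign that a host is down or unreachable on the segment.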
With the filter expressions that tcpdump provides, useful information can be extracted from the large number of intercepted packets, so that the network can be monitored in a targeted way. Since the principles of all network sniffers are largely similar, the basic knowledge of tcpdump applies to almost all sniffers.

tcpdump is a command-line sniffer and its output is difficult to analyze, so many network administrators use graphical sniffers to detect network failures and handle security issues that may exist. Two graphical network sniffers, Ethereal and EtherApe, will be introduced next time. Compared with tcpdump, analysis with these two sniffers is much simpler.

The basic principle of the sniffer was introduced above, along with how to intercept packets on the network with tcpdump. However, tcpdump is only a command-line network sniffer; although it is powerful, it is not very convenient for analyzing packets. Fortunately, there are sniffers with a good GUI, and Ethereal and EtherApe are the leaders among them. With a foundation in tcpdump, these two sniffers are very easy to use.

Analyzing protocol packets with Ethereal

Ethereal is a network sniffer with a graphical user interface (GUI) that provides the same features as tcpdump with a much friendlier interface. Ethereal and tcpdump both depend on the pcap library (libpcap), so they are very similar in many ways (for example, they share the same filtering rules and keywords). Ethereal uses the same interface style as other graphical network sniffers, so if you can use Ethereal, you can basically operate other GUI sniffers as well.

Ethereal installation

The latest Ethereal source package can be downloaded from the http://www.ethereal.com website.
The following uses Ethereal 0.9.9 as an example of how to install Ethereal; the operating system used here is Red Hat 8.0. First download the latest source package and decompress it:

# cp ethereal-0.9.9.tar.bz2 /usr/local/src/
# cd /usr/local/src/
# bzip2 -d ethereal-0.9.9.tar.bz2
# tar xvf ethereal-0.9.9.tar

As with tcpdump, the pcap library (libpcap) must be installed before compiling Ethereal, because it is required when compiling Ethereal. If the library is already installed, run the following commands to compile and install Ethereal:

# cd ethereal-0.9.9
# ./configure
# make
# make install

Setting Ethereal filtering rules

After compiling and installing Ethereal, run the "ethereal" command to start it. Before using Ethereal to intercept packets, set the appropriate filtering rules so that only the packets of interest are captured. Ethereal uses filtering rules similar to tcpdump's and can conveniently store the rules that have already been set. To configure filter rules for Ethereal, first click the "Edit" menu, then select the "Capture Filters..." menu item to open the "Edit Capture Filter List" dialog (as shown in Figure 1). Because no filtering rules have been added yet, the list box on the right side of the dialog is empty.

Figure 1 Ethereal filter configuration dialog

When adding a filter in Ethereal, you need to specify a name and a rule for the filter. For example, to create a filter for the traffic between host 10.1.197.162 and www.sohu.com, enter the filter name "SOHU" in the "Filter name" edit box, enter the filter rule "host 10.1.197.162 and www.sohu.com" in the "Filter string" edit box, then click the "New" button, as shown in Figure 2.

Figure 2 Adding a filter in Ethereal

The filter rules used in Ethereal are almost entirely consistent with those of tcpdump, because both are based on the pcap library. Ethereal can maintain many filters at the same time.
Network administrators can choose different filters according to actual needs, which is very useful in many cases. For example, one filter may be used to intercept the packets between two hosts, and another to intercept ICMP packets to diagnose network failures. When all required filters have been created, click the "Save" button to save them, and then click the "Close" button to close the "Edit Capture Filter List" dialog.

To apply a filter to a sniffing session, specify the filter before or after intercepting the packets. To specify a filter before starting to intercept packets, click the "Capture" menu, select the "Start..." option to open the "Capture Options" dialog, click the "Filter:" button in the dialog, and then select the filter to use, as shown in Figure 3.

Figure 3 Specifying a filter in Ethereal

Note that the "Update list of packets in real time" checkbox is selected in the "Capture Options" dialog. This causes each packet to be displayed in real time as it is intercepted, rather than all intercepted packets being shown after the sniffing process ends.

After selecting the required filter, click the "OK" button and the sniffing process begins. Ethereal displays the intercepted packets in real time, which helps network administrators understand the health of the network promptly and grasp network performance and traffic fairly accurately.

Ethereal and other graphical sniffers use a similar interface in which the entire window is divided into three parts: the top is the packet list, which shows summary information for each intercepted packet; the middle is the protocol tree, which shows the protocol information of the selected packet; the bottom is the packet content in hexadecimal form, which shows the final form of the packet at the physical layer.
The intercepted packets can be easily analyzed with Ethereal, including the source address, destination address, and protocol of each packet. Figure 4 shows an HTTP packet being analyzed in Ethereal. The packet list at the top of Figure 3 shows the basic information of the intercepted packets. As can be seen from the figure, the source address of the currently selected packet is 10.1.197.162, the destination address is 61.135.150.65, and the protocol to which the packet belongs is Hypertext Transfer Protocol (HTTP). The more detailed information shows that the packet contains an HTTP GET command that downloads the Starrtlog.js file to the client's web browser.

Figure 4 Analyzing packet contents with Ethereal

The protocol tree in the middle of Figure 4 shows the information of the protocols to which the packet belongs, such as the hosts' MAC addresses, the Internet Protocol information, the TCP port numbers, and the specific content of the HTTP protocol (Hypertext Transfer Protocol). By expanding the corresponding nodes in the protocol tree, you can obtain more detailed information carried in the packet.

The lower part of Figure 4 shows the packet in hexadecimal, which is the final form of the intercepted packet as transmitted on the physical medium. When a line is selected in the protocol tree, the corresponding hexadecimal code is also selected, so that packets of various protocols can be analyzed easily.

The graphical user interface provided by Ethereal is very friendly. The administrator can easily inspect the details of each packet, and the protocol tree and its corresponding hexadecimal representation are very helpful for analyzing the purpose of each packet. Together, Ethereal and tcpdump basically meet all the sniffing needs of network administrators on Linux systems.

Using EtherApe to view network traffic

EtherApe is also a graphical network sniffer.
Unlike Ethereal, EtherApe shows the current state of the network graphically by examining the links between hosts. EtherApe uses lines of different colors to represent the connections between different hosts, and the thickness of a line indicates the amount of data traffic between the hosts. This information is real-time, so it can help the administrator see changes in traffic in each part of the network at any time.

EtherApe installation

EtherApe supports multiple network types such as Ethernet, FDDI, and Token Ring, and can read network traffic in real time from the network or from a file. In addition, it can save network traffic information so that it can be replayed later. The latest EtherApe source package can be downloaded from http://www.sourceforge.net/projects/etherape/. The following uses EtherApe 0.8.2 as an example of how to install EtherApe (the operating system used is Red Hat 8.0). First download the latest source package and decompress it with the following commands:

# cp etherape-0.8.2.tar.gz /usr/local/src/
# cd /usr/local/src/
# tar xzvf etherape-0.8.2.tar.gz

EtherApe uses the GNOME graphical user interface library. Like Ethereal and tcpdump, it also uses the pcap library (libpcap) to intercept and filter the packets transmitted on the network. Before compiling EtherApe, first make sure that the required libraries have been installed, because they are necessary for compiling EtherApe. If these libraries are already installed, run the following commands to compile and install EtherApe:

# cd etherape-0.8.2
# ./configure
# make
# make install

Analyzing network traffic with EtherApe

After compiling and installing EtherApe, run the "etherape" command to start it. Before using EtherApe to intercept the packets transmitted on the network, you also need to specify a filtering rule for it; otherwise EtherApe captures all packets in the network. Click the "Pref." button on the toolbar to open the "Preferences" dialog; on the "Capture" property page of the dialog you will find the "Capture filter" drop-down box for setting the filtering rule. Since all three tools use the pcap library, EtherApe filtering rules are set in the same way as for tcpdump and Ethereal.

After setting the filtering rule, click the "Start" button on the toolbar to start sniffing the packets of interest in the network. EtherApe shows network traffic graphically; Figure 5 is a network traffic diagram with EtherApe in Ethernet mode.

Figure 5 Ethernet traffic monitored by EtherApe

EtherApe provides five listening modes: Token Ring, FDDI, Ethernet, IP, and TCP. In Ethernet mode, EtherApe intercepts the Ethernet packets that match the filtering rules, but sometimes network administrators may be interested only in IP packets, in which case EtherApe can be switched to IP mode. Click the "Capture" menu, select the "Mode" menu item, and then select the corresponding mode to switch between modes. Figure 6 is a network traffic diagram with EtherApe in IP mode.

Figure 6 IP traffic monitored by EtherApe

EtherApe displays network traffic graphically. What the user sees is a very intuitive diagram of the traffic between the hosts on the network rather than individual packets, which makes it easier to grasp the operation of the entire network as a whole and, correspondingly, easier to locate network failures.