How to find or filter information in Ethereal
(Last modified: 15Sep2003)
This document (10084747) is provided subject to the disclaimer at the end of this document.
goal
How to find or filter information in Ethereal
fact
Ethereal 0.9.13
Ethereal 0.9.15
symptom
Can't filter in Ethereal
How do I search packets in Ethereal?
How do I find specific information in Ethereal?
fix
Ethereal can search or filter on just about any field in a packet trace. Most people find the filter syntax complicated at first, but after a little practice the filtering capabilities give you far more control over the data you are looking at.
There are several aspects to finding data within Ethereal. The first thing to learn is how Ethereal represents the data within a packet.
Ethereal's main window has three panes. The top pane is the summary window, which displays as much useful information as possible so that you can quickly browse through the packet trace. In some cases this is enough to determine what is happening in the trace. One of the key functional properties of Ethereal is the ability to sort on any of the columns. For example, if this is supposed to be a packet trace of a workstation login via NCP, we can click on the column header "Protocol" and the trace will be resorted by protocol type.
The packets are now grouped by protocol, in alphabetical order. Clicking the column header "Protocol" a second time reverses the sort. Notice also that within each protocol section the packet numbers are still sequential. This is not always the case: each sort keeps the order produced by the previous sort for rows with equal values. Since the original order was by packet number, the subsequent sort by protocol keeps the packet numbers in order within each protocol. But if you sort on the column "Info" and then resort by "Protocol", the packet numbers will no longer be in order.
Even though the sort is by protocol, the secondary order is now by the Info column. This is sometimes useful, but generally you want to sort on the No. column first and then on Protocol, so that request and reply packets stay together. Sorting gives you a quick way to find a specific activity within the packet trace.
There are other ways to find specific information but first lets look at the decode window.
Almost every item that Ethereal decodes can be identified by an element name. For example the Internet Protocol header has the element name ip. Ethereal displays the element name in the lower right-hand corner of the window when you click on a label in the decode window.
So when we highlight the Internet Protocol header in the decode window, Ethereal highlights the IP header bytes in the hex data window (the bottom pane) and displays the element name ip next to the Apply button. This is the starting element for any data contained within the IP header. If we select another header instead, the element name changes accordingly: selecting the NetWare Core Protocol header shows the element name ncp.
So why is this important? To find or filter on information in Ethereal you must know what you are looking for. For example, to select only a specific type of packet you first need the element name that identifies it. Equally important is the data type that the element contains.
Data Types
Within Ethereal each element contains some type of data, formatted as one of the following types:
Integers - numerical values
Strings - character-based strings or literal text
Boolean - logical values, TRUE or FALSE
Bytes - a sequence of byte values, written as pairs of hex digits where every 2 digits are separated by a colon, dash, or period
MAC addresses - a 12-digit hex value where every 2 digits are separated by a colon, dash, or period
IP address - four decimal octets separated by periods
IPX address - a 12-digit hex value where every 2 digits are separated by a colon, dash, or period
When defining or searching on integers you can enter either hex or decimal values. Precede a hex number with 0x. For example (ncp.func==1) or (ncp.func==0x1). Note that the comparison operator is == (or eq), not a single =.
When defining or searching on a string, enclose the string in double quotes. For example (ncp.path=="SYS:") or (ncp.path>="SYS").
When defining or searching on a Boolean value, just give the element name to test for TRUE, or precede the element name with a ! (bang, or exclamation point) to test for FALSE. For example (ncp) selects packets that contain NCP and (!ncp) selects packets that do not.
When defining or searching on a byte string, enter the word "frame" followed by the offset and length within brackets (frame[36:5] means the 5 bytes starting at offset 36), and then the value with every 2 hex digits separated by a colon, dash, or period. For example (frame[36:5] == 20:30:40:50:60) or (frame[36:5] == 20-30-40-50-60) or (frame[36:5] == 20.30.40.50.60)
Typically, you can look at the display in Ethereal to determine the actual data type. If the value is displayed as a text string then most likely you can search or filter on it as a string. If you cannot determine the correct format for a value, review the Ethereal documentation on their website, or use the filter wizard, which displays the correct value type when you add the value data. It is important to note that some strings are Unicode values and will be difficult to locate with a string search. Non-Unicode values are easily found with string searches. For Unicode data you might have to search for the data as a byte string and convert the character values to their ASCII equivalents to find it.
Non-Unicode values are single-byte format. For example the word "TEST" in non-Unicode is 0x54:0x45:0x53:0x54 in hex, 84:69:83:84 in decimal, or TEST in ASCII.
Unicode values are double-byte format, low byte first. For example the word "TEST" in Unicode is 0x54:0x00:0x45:0x00:0x53:0x00:0x54:0x00 in hex or 84:00:69:00:83:00:84:00 in decimal.
It would be difficult for Ethereal to perform a string search for the word TEST when the actual data is not the ASCII value of TEST but really "T"0x00"E"0x00"S"0x00"T"0x00.
Note that some dissectors within Ethereal will automatically convert the Unicode values to non-Unicode. Look at the decode window and determine if the text is displayed as normal ASCII text. If so, you most likely can search by the non-Unicode string.
Now let's say we click on a subcomponent of a field within the NCP header.
We can see that the label Function has the element name ncp.func. Almost every label has an element name. To find or filter on a packet trace you will need to know the element name for the field that makes the packet unique. Now that we understand how Ethereal identifies each component of the packet trace, let's look at how to filter the trace down to something manageable. Let's say that we have a packet trace taken at a router with lots of hosts and we need to filter down to the communications between two specific hosts. There are a couple of ways we can do this.
1. Creating a filter by using the Follow TCP Stream.
If the communication is TCP-based we can quickly filter on the session. We do this by highlighting one of its packets, right-clicking anywhere on the Ethereal main window, and selecting Follow TCP Stream.
Follow TCP Stream creates a filter for the two IP addresses and the two TCP port numbers. The first thing displayed is a window that lets you view the data contained within this stream.
There is a lot of useful information within the Follow TCP Stream window, but for this example we are only concerned with the filter. At this point we can do one of two things. If we do not want to see this conversation in our default view in Ethereal we can click on the Filter out this stream button. Otherwise click on the Close button to return to the main Ethereal window.
In this case I clicked the Close button. Ethereal returns to the main screen and only the packets in this conversation are displayed. In the lower left of the main window, next to the Filter button, is the filter text field. This field displays the current filter that is being applied to the original packet trace. In this case the filter is
(ip.addr eq 137.65.84.25 and ip.addr eq 137.65.87.212) and (tcp.port eq 1043 and tcp.port eq 524)
So what does this mean?
First what is ip.addr?
If we highlight the address fields under the IP header we see there is a source and a destination address. Their element names are ip.src and ip.dst. The element name ip.addr stands for both: it is true if either the src or the dst element matches. This is one case where Ethereal allows you to test both fields with one element name. If this wasn't possible then you would have to write the filter as (ip.src eq 137.65.84.25) or (ip.dst eq 137.65.84.25). In other words, ip.addr means ip.src or ip.dst.
Now what does eq mean?
Well it means equals. You can also use the symbols "==" to mean the same thing. For example I could enter
ip.addr == 137.65.84.25
Ok, now we know what the first part means what about the rest?
Well Ethereal has the ability to string expressions together to perform complex operations. By using logical operators we can string lots of conditions together to filter down to just the packets we want to see.
In our filter string we are saying we want to see all packets that are between (IP hosts 137.65.84.25 and 137.65.87.212) and are communicating on (TCP ports 1043 and 524). No other packets will be displayed.
But what if you want to see all the packets between these two hosts not just the ones on TCP ports 1043 and 524?
Well this is easy, just edit the filter string.
Just highlight the part of the filter that specifies the port and delete it. This was the text "and (tcp.port eq 1043 and tcp.port eq 524)". After you have deleted this text then just click on the Apply button to have Ethereal filter the original file with the new filter. The main window will now reflect the results of the new filter.
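The filter semantics described above (ip.addr standing for ip.src or ip.dst, tcp.port for either port, eq as a synonym for ==, the literal formats listed under Data Types, and editing the generated filter down to just the two hosts) can be checked against a small model. The following Python script is an added example written for this page, not Ethereal's own filter engine: it tokenizes a subset of the display-filter syntax and compiles it into a predicate over packets represented as plain dicts, run against a constructed three-packet trace modelled on the Follow TCP Stream example. The field names, alias table and sample packets are assumptions for illustration; Ethereal's real dissectors define many more fields and types. It also implements the contains operator that the 0.9.15 update at the end of this document describes, so the same model shows why a Unicode copy of a string is not matched.

```python
"""Toy evaluator for a subset of Ethereal's display-filter syntax: an added example,
not Ethereal code.  A packet is a dict of element names to decoded values plus the raw
bytes under "frame"; each literal is coerced to the type of the field it is compared with."""
import operator
import re

# An alias such as ip.addr stands for several fields, and a comparison on it is true if
# it holds for ANY of them: "ip.addr eq A and ip.addr eq B" keeps both directions of the
# A<->B conversation, whereas "ip.src eq A and ip.src eq B" can never match a packet.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "eth.addr": ("eth.src", "eth.dst")}
KEYWORDS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=", "contains": "contains"}
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le, "contains": lambda hay, sub: sub in hay}
# parens | operators | "quoted string" | element name with optional [offset:length] slice |
# unquoted literal: 0x-hex, hex pairs joined by : - or . (bytes, MACs), decimal or dotted IP
TOKEN = re.compile(r"""\s*(?:(?P<paren>[()])|(?P<op>&&|\|\||==|!=|>=|<=|>|<|!)|"(?P<str>[^"]*)"
    |(?P<word>(?![0-9A-Fa-f]{2}[:.\-])[A-Za-z_][\w.]*(?:\[\d+:\d+\])?)|(?P<num>(?:0x[0-9A-Fa-f]+
    |[0-9A-Fa-f]{2}(?:[:.\-][0-9A-Fa-f]{2})+|\d+(?:\.\d+)*)(?![\w.])))""", re.VERBOSE)

def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        value = m.group(kind)
        if kind == "word" and value.lower() in KEYWORDS:   # eq, and, or, not, contains
            kind, value = "op", KEYWORDS[value.lower()]
        toks.append((kind, value))
    return toks

def field_values(packet, name):
    """Every value an element name denotes in this packet; [] when it is absent."""
    base, off, length = re.fullmatch(r"([\w.]+)(?:\[(\d+):(\d+)\])?", name).groups()
    if off is not None:                                   # byte slice such as frame[36:5]
        raw = packet.get(base, b"")
        return [raw[int(off):int(off) + int(length)]] if raw else []
    values = [packet[n] for n in ALIASES.get(base, (base,)) if n in packet]
    if not values and any(k.startswith(base + ".") for k in packet):
        values = [True]                                   # protocol present via its child fields
    return values

def coerce(kind, literal, sample):
    """Convert a literal token to the type of the field value it is compared with."""
    if isinstance(sample, int) and not isinstance(sample, bool):
        return int(literal, 16) if literal.lower().startswith("0x") else int(literal)
    if isinstance(sample, bytes):                         # quoted text vs raw bytes: 1 byte/char
        return literal.encode("ascii") if kind == "str" else bytes.fromhex(re.sub(r"[:.-]", "", literal))
    return literal                                        # strings and dotted IPs compare as text

def compile_filter(text):
    """Recursive descent straight to a packet predicate; precedence is ! over && over ||."""
    toks, pos = tokenize(text) + [("end", None)], 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def chain(symbol, combine, operand):                  # left-associative run of one operator
        pred = operand()
        while toks[pos] == ("op", symbol):
            take()
            pred = combine(pred, operand())
        return pred
    def expr():
        return chain("||", lambda a, b: lambda p: a(p) or b(p),
                     lambda: chain("&&", lambda a, b: lambda p: a(p) and b(p), unary))
    def unary():
        kind, value = take()
        if (kind, value) == ("op", "!"):
            inner = unary()
            return lambda p: not inner(p)
        if (kind, value) == ("paren", "("):
            inner = expr()
            if take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return inner
        if kind != "word":
            raise ValueError(f"expected an element name, got {value!r}")
        if toks[pos][0] == "op" and toks[pos][1] in CMP:
            cmp, (lit_kind, literal) = take()[1], take()
            if lit_kind not in ("num", "str"):
                raise ValueError(f"expected a value after {cmp!r}")
            return lambda p: any(CMP[cmp](v, coerce(lit_kind, literal, v)) for v in field_values(p, value))
        return lambda p: bool(field_values(p, value))    # bare name: Boolean "present in packet"
    pred = expr()
    if toks[pos] != ("end", None):
        raise ValueError(f"unexpected {toks[pos][1]!r}")
    return pred

def apply_filter(text, packets):
    """1-based numbers of the packets the filter keeps, i.e. what Tools > Summary counts."""
    keep = compile_filter(text)
    return [i for i, pkt in enumerate(packets, 1) if keep(pkt)]

# Constructed three-packet trace modelled on the Follow TCP Stream example (not real data).
WS, SRV, OTHER = "137.65.84.25", "137.65.87.212", "137.65.215.129"
MAC_WS, MAC_SRV = bytes.fromhex("00d0243ad072"), bytes.fromhex("0000000a0b0c")
def packet(src_mac, dst_mac, src_ip, dst_ip, sport, dport, frame, **decoded):
    return {"eth.src": src_mac, "eth.dst": dst_mac, "ip.src": src_ip, "ip.dst": dst_ip,
            "tcp.srcport": sport, "tcp.dstport": dport, "frame": frame, **decoded}
NDS = {"ncp.func": 104, "ncp.ndsverb": 59}                 # decoded fields of an NDS verb 59 packet
TRACE = [
    packet(MAC_WS, MAC_SRV, WS, SRV, 1043, 524, bytes(36) + bytes.fromhex("2030405060") + b"SYS:PUBLIC", **NDS),
    packet(MAC_SRV, MAC_WS, SRV, WS, 524, 1043, "SYS:PUBLIC".encode("utf-16-le"), **NDS),  # reply, Unicode text
    packet(MAC_WS, MAC_SRV, WS, OTHER, 1044, 524, bytes(60)),    # another host, nothing decoded as NCP
]
```

Running apply_filter with the generated stream filter keeps packets 1 and 2; with the port clause deleted it still keeps packets 1 and 2, because packet 3 involves a different second host; and the ip.src version of the same filter matches nothing, which is the trap ip.addr exists to avoid. A single = is rejected as a parse error, and frame contains "PUBLIC" keeps only packet 1 because packet 2 carries the string as Unicode.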
If you need to know how many packets are being displayed by the filter click on the menu option Tools and then select Summary.
The summary window tells you how many packets were in the original trace file and how many are in the current filtered view. It also tells you what your Display filter is currently set for.
So now we know how to use the follow TCP stream to quickly create a display filter. But there are several other ways to create a filter quickly.
Note: if you do not want the filter anymore you can click on the Reset button to clear the display filter and Ethereal will redisplay the complete trace file.
2. Create a filter by using the prepare and match selected functions
First highlight the part of the decode window you would like to filter on. Then right-click, select the option Match, and then Selected. For our example we want to filter on all NDS packets, so we select Match Selected on NCP Function equals 104.
Ethereal now filters on any packet that meets the filter criteria. Our filter string is now set to ncp.func==0x68.
Now we want to narrow the search further, down to only NDS packets that contain NDS verb 59 (Begin Authentication). So we highlight the subcomponent NDS Verb, right-click, select Match, and then And Selected.
Ethereal now displays the filter text as (ncp.func == 0x68) && (ncp.ndsverb == 0x3b), and only 2 packets are displayed that match this filter criteria.
Note: If you were to type this in manually you could replace the symbol "==" with the word eq and the symbol && with the word "and". Also you can replace the hex data values with decimal. For example:
(ncp.func eq 104) and (ncp.ndsverb eq 59)
So what if I cannot find the exact packet type I need in order to use Match Selected? Then we can use Prepare Selected. We do this the same way as Match Selected, but with Prepare Selected Ethereal does not apply the filter. It just builds the filter text in the filter field in the lower left corner.
In this example you can see that the filter has not been applied, since the summary window still displays all of the packets. But down in the filter field we see the text of our filter. The main reason for this is that we can build a complex filter, edit it manually, and then apply it.
OK, so I didn't really want to filter on NCP function 23, but I do want to filter on all of the NDS packets. So I just edit the filter text and change the value to 104. Then click on the Apply button to perform the filter.
Now if I wanted to add to the filter I could again use the prepare or the match options to extend my filter to more specific information.
3. Filter button
The filter button in the lower left corner of Ethereal's main window allows you to use saved filters or to save the current filter that you have defined. For our example if we would have wanted to save the filter for ncp function 104 then we could have clicked on the Filter button to save the information. For this new example let's clear out the current filter by pressing the Reset button and then create a new filter from the Filter wizard.
The filter wizard allows you to enter your filter by browsing the defined elements for each protocol contained within Ethereal. It also allows you to save filters so that you can use them again the next time you launch Ethereal. If you want to save a filter, give it a name, click on the New button, and then click on the Save button. The filter will not be saved unless you click the New button. You should see the name of your filter appear in the list directly above the filter name field.
You can use the Add Expression button to build your filter string. Note that the value is identified as an unsigned, 1-byte value. This means that it is a value between 0x00 and 0xff in hex, or 0 and 255 in decimal. Character strings will carry a value description of String. Byte strings will be described as Bytes, and Boolean values will be identified as Boolean.
So you browse to specific information you want to filter on and then enter the value data. For our example we scrolled down to NCP, then down to the element Function, clicked the == operator, and finally entered 104 for the value. By clicking the Accept button Ethereal will take you back to the Display filter window with the filter string you selected.
Enter the name for your new filter, click on the New button, and then Save to save it to your preference files.
Now if I click the OK button this filter will be applied to the current trace file. By creating saved filters you can quickly apply your most common filters.
The last method of filtering is to type in your filter string directly into the filter field. Then all you have to do is click the apply button. This will take a little practice before you get good at it. The most common thing I do is to type in
eth.addr==xx:xx:xx:xx:xx:xx (To quickly filter on a specific mac address)
eth.addr==00:d0:24:3a:d0:72
or
ip.addr==xxx.xxx.xxx.xxx (To quickly filter on a specific host address)
ip.addr==137.65.215.129
Saving the filtered packets.
Once you have the desired view of the current trace file via a display filter you may choose to save the trace so that you can easily load it again in the future. To save the packets that are currently displayed under your filter just click on the menu option File, then Save as.
Make sure you select the option to Save only packets currently being displayed.
Note: Ethereal will not let you overwrite the current trace file. Make sure you enter a new name to save your filtered view.
The last thing to cover under this topic is how to find information rather than filter on it. Ethereal does not currently contain a way to search the hex data of the source packet. Instead you must find data based upon one of the decoded elements. For example, I can find any packet with the NCP function of 104 by performing a find for ncp.func==104. This is the same syntax that you use for filtering, so it should be clear how to find data. You initiate a find by selecting the menu option Edit and then selecting Find Frame. **UPDATE** As of the release of version 0.9.15 there are many additional options in the Find Frame window. See the Update section at the end of this solution.
The find frame dialog allows you to enter the find criteria manually or you can click on the Filter button to select an existing display filter or browse and create a new one. For our example we could type in ncp.func eq 104 and then click the OK button. We can also tell Ethereal to search up or down in the current trace file.
After clicking OK Ethereal will go back to the main window and highlight the packet that matched your find criteria. You can now press <Ctl-N> to continue the find to the next packet that matches your find criteria. Once Ethereal reaches the end or the beginning of the trace file depending on whether you were searching forward or backwards, it will wrap to either the beginning or the end and start the find again.
Let's quickly try to find a string. We know the name of a file that we are attempting to open, so let's search the trace and locate the packet that attempts to open the file. If we look at the path field of the NCP protocol we find that there are multiple entries for path, each containing a unique string. You can search any of these strings to locate your information.
So if we enter ncp.path == "NTUSER.DAT" we can search the complete trace for any NCP packet that contains this text as the NCP path.
Find Frame locates the first packet with the information we were looking for. By pressing <Ctl-N> Ethereal will find the next packet that meets this criteria.
UPDATE:
Version 0.9.15 adds many more search/find capabilities. You can now search for data in a number of ways.
1. Display Filter - This is the same as previous versions supported.
2. Hex - This gives you the ability to search for data as it appears in the RAW hex data. For example you could search for the hex value of fffffda5. Enter in the hex data only. You do not need to format the hex values.
3. String - You can search for literal strings within three different sources.
a. Frame data - This is the bottom pane in the main Ethereal window. Also known as the hex dump pane. When searching within the Frame data you can currently search for 3 different string types.
a1. ASCII Unicode & Non-Unicode - This option will match strings in the frame data whether they are stored as Unicode or non-Unicode. For example MyString would match both MyString and M.y.S.t.r.i.n.g (the dots are the 0x00 high bytes of the Unicode form, as shown in the hex dump pane).
a2. ASCII Non-Unicode - This option will match strings in the frame data that are not Unicode strings. For example MyString would only match MyString. It would not match M.y.S.t.r.i.n.g
a3. ASCII Unicode - This option will match strings in the frame data that are Unicode strings only. For example MyString would only match M.y.S.t.r.i.n.g. It would not match MyString.
b. Decoded packet - This is the middle pane in the main Ethereal window. Also known as the decode pane.
c. Packet summary - This is the top pane in the main Ethereal window. Also known as the summary pane.
Case Insensitive Search - This option is only available for string searches. With this option selected (the default), Ethereal will match strings regardless of upper/lower case. For example MyString would match mystring, MYSTRING, etc. If you disable this option, the string must match exactly.
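To make the Unicode distinction concrete, the following Python script is an added example written for this page, not Ethereal code. It implements the three Frame data string modes (a1 to a3) and the case-insensitive option over raw frame bytes, including the wrap-around behaviour of Find described earlier, and ties back to the non-Unicode and Unicode byte layouts shown under Data Types. The mode names, function names and the four constructed sample frames are assumptions for illustration.

```python
"""String search over raw frame bytes, modelled on the three "Frame data" string
options of the 0.9.15 Find Frame dialog.  An added example, not Ethereal's code;
the direction and wrap-around behaviour follow the description of Find above."""

# Find Frame option -> byte encodings tried.  Non-Unicode text is one byte per
# character; the Unicode strings in NCP traces are two bytes per character, low
# byte first, so "TEST" is 54 45 53 54 and 54 00 45 00 53 00 54 00 respectively
# (the hex pane shows the latter as T.E.S.T).
MODES = {
    "unicode_and_non_unicode": ("ascii", "utf-16-le"),   # a1
    "non_unicode": ("ascii",),                           # a2
    "unicode": ("utf-16-le",),                           # a3
}


def string_offsets(frame, text, mode="unicode_and_non_unicode", case_insensitive=True):
    """Offsets (and the encoding that matched) at which `text` occurs in `frame`."""
    hits = []
    for encoding in MODES[mode]:
        haystack, needle = frame, text.encode(encoding)
        if case_insensitive:
            # bytes.lower() folds only the ASCII letter values; for ASCII text in
            # UTF-16LE those are exactly the low bytes, so it folds both encodings.
            haystack, needle = haystack.lower(), needle.lower()
        at = haystack.find(needle)
        while at != -1:
            hits.append((at, encoding))
            at = haystack.find(needle, at + 1)
    return hits


def find_frame(frames, text, mode="unicode_and_non_unicode", case_insensitive=True,
               start=1, forward=True):
    """1-based number of the first frame, searching from `start` inclusive in the
    chosen direction and wrapping at either end of the trace, whose bytes contain
    `text`; None if no frame does.  Pass start=current+1 to emulate Ctrl-N."""
    n = len(frames)
    step = 1 if forward else -1
    for k in range(n):
        index = (start - 1 + step * k) % n
        if string_offsets(frames[index], text, mode, case_insensitive):
            return index + 1
    return None


# Constructed sample trace (not real capture data): the same NCP path stored as
# non-Unicode, as Unicode, and lower-cased, plus a frame with no text at all.
PATH = "SYS:PUBLIC\\NTUSER.DAT"
FRAMES = [
    bytes(20) + PATH.encode("ascii"),
    bytes(20) + PATH.encode("utf-16-le"),
    bytes(20) + PATH.lower().encode("ascii"),
    bytes(40),
]
```

string_offsets on the Unicode frame finds NTUSER.DAT only in the unicode or combined mode, which is exactly why a plain non-Unicode search misses it; find_frame wraps from the last frame back to the first when searching forward, and from the first to the last when searching backward, as Ethereal does when it reaches the end of the trace.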
Another new feature included in 0.9.15 is the ability to filter a packet trace based upon whether the packet contains a specific data pattern. For example, I would like to filter the packet trace to show only packets that contain the word PUBLIC. I can now create the filter
frame contains "PUBLIC"
Ethereal will filter the trace down to only the packets that contain the word PUBLIC.
Note: Be aware that many times the actual string is Unicode data. The contains functionality does not currently match frames with Unicode data, so it will not select packets that contain P.U.B.L.I.C.
note
Note: Ethereal is a free open source product. Novell does not provide support for this product. The purpose of this solution is to provide Novell employees and its customers with information regarding the use of this free tool. To download, report issues, or request enhancements, please consult the Ethereal website.
document
Document Title: How to find or filter information in Ethereal
Document ID: 10084747
Solution ID: NOVL90756
Creation Date: 03Jul2003
Modified Date: 15Sep2003
Novell Product Class: Netware Client
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.