Using the Protocol Analyzer Ethereal to Analyze Wireless LAN Protocols

王朝 other · Author: anonymous  2008-05-31

Ethereal: A Network Packet Sniffing Tool

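Ethereal is a free and powerful tool for network debugging and packet protocol analysis. It is broadly similar to tcpdump, but Ethereal also has a well-designed GUI and a wide range of classification and filtering options. With Ethereal, and with the network card set to promiscuous mode, a user can see all traffic sent on the network. At present, the main thing to watch when analyzing a wireless LAN with Ethereal is the configuration used to "capture" the data transmitted on the network card.

Ethereal is used for troubleshooting, analysis, software and protocol development, and education. It has all the standard features users expect of a protocol analyzer, along with features that comparable products lack. Ethereal is open-source licensed software, which allows users to contribute improvements to it. Ethereal runs on all of the currently popular computer systems, including Unix, Linux and Windows.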

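When capturing packets with Ethereal, the system may store the captured data in one of two ways:

"Real" 802.11 data frames: the capture hardware and driver deliver the real wireless LAN protocol data, with complete 802.11 frame headers. Note that these carry a large amount of "radio information", such as signal strength.

"Fake" Ethernet frames: the capture hardware and driver convert the 802.11 frame header into an Ethernet frame header, so the whole packet looks like a normal Ethernet data frame. In this case, however, all 802.11-specific management and control frames are discarded, because they have no counterpart in standard Ethernet.

So when capturing wireless LAN packets with Ethereal, choosing the correct operating mode for the wireless card is critical.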
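Which of the two storage formats a capture uses is recorded in the capture file's link-layer type, so it can be checked before analysis starts. The following added example (not part of the original article) reads a classic pcap header, reports whether 802.11 headers survived, and decodes the Frame Control field into the wlan.fc.* fields from the table; the function names and the sample frames are constructed for illustration.

```python
import struct

# pcap link-layer types (tcpdump.org LINKTYPE_ values): name, 802.11 header kept?
LINKTYPES = {1: ("Ethernet", False), 105: ("IEEE 802.11", True),
             119: ("Prism + 802.11", True), 127: ("Radiotap + 802.11", True),
             163: ("AVS + 802.11", True)}

def pcap_linktype(data):
    """Return (endian, linktype) from the 24-byte classic pcap global header."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    return endian, struct.unpack(endian + "I", data[20:24])[0]

def decode_fc(frame):
    """Split the 16-bit Frame Control field into the wlan.fc.* fields."""
    if len(frame) < 2:
        raise ValueError("truncated 802.11 frame")
    fc = struct.unpack("<H", frame[:2])[0]   # 802.11 fields are little-endian
    out = {"wlan.fc.version": fc & 3, "wlan.fc.type": (fc >> 2) & 3,
           "wlan.fc.subtype": (fc >> 4) & 0xF}
    flags = ["tods", "fromds", "frag", "retry", "pwrmgt", "moredata", "wep", "order"]
    for bit, name in enumerate(flags, start=8):
        out["wlan.fc." + name] = bool(fc >> bit & 1)
    return out

def first_frame_fc(data):
    """Decode Frame Control of the first record; None for "fake" Ethernet captures."""
    endian, linktype = pcap_linktype(data)
    if not LINKTYPES.get(linktype, ("unknown", False))[1]:
        return None                          # no 802.11 header survived the capture
    incl_len = struct.unpack(endian + "I", data[32:36])[0]
    frame = data[40:40 + incl_len]           # 24-byte file header + 16-byte record header
    if linktype == 127:                      # skip radiotap: its length is at bytes 2-3
        frame = frame[struct.unpack("<H", frame[2:4])[0]:]
    elif linktype != 105:
        raise NotImplementedError("Prism/AVS header skipping is not shown here")
    return decode_fc(frame)

def make_pcap(linktype, frame):
    """Build a one-record little-endian pcap (constructed sample, not real traffic)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed frames: a WEP-flagged To-DS data frame header, and an Ethernet frame.
WLAN_DATA = bytes.fromhex("0841" "2c00") + bytes(20)
ETH_FRAME = bytes(12) + b"\x08\x00" + bytes(46)
```

A `None` result from `first_frame_fc` means the card or driver delivered translated Ethernet frames, so management and control frames will not appear in that capture.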

The following table lists the wireless LAN protocol fields that Ethereal supports:

IEEE 802.11 wireless LAN

Protocol field name: wlan

Versions: 0.9.0 to 0.10.12

| Field name | Type | Description | Versions |
|---|---|---|---|
| wlan.addr | 6-byte Hardware (MAC) Address | Source or Destination address | 0.9.0 to 0.10.12 |
| wlan.aid | Unsigned 16-bit integer | Association ID | 0.9.0 to 0.10.12 |
| wlan.bssid | 6-byte Hardware (MAC) Address | BSS Id | 0.9.0 to 0.10.12 |
| wlan.ccmp.extiv | String | CCMP Ext. Initialization Vector | 0.10.5 to 0.10.12 |
| wlan.channel | Unsigned 8-bit integer | Channel | 0.9.4 to 0.10.12 |
| wlan.da | 6-byte Hardware (MAC) Address | Destination address | 0.9.0 to 0.10.12 |
| wlan.data_rate | Unsigned 8-bit integer | Data Rate | 0.9.4 to 0.10.12 |
| wlan.duration | Unsigned 16-bit integer | Duration | 0.9.0 to 0.10.12 |
| wlan.fc | Unsigned 16-bit integer | Frame Control Field | 0.9.0 to 0.10.12 |
| wlan.fc.ds | Unsigned 8-bit integer | DS status | 0.9.0 to 0.10.12 |
| wlan.fc.frag | Boolean | More Fragments | 0.9.0 to 0.10.12 |
| wlan.fc.fromds | Boolean | From DS | 0.9.0 to 0.10.12 |
| wlan.fc.moredata | Boolean | More Data | 0.9.0 to 0.10.12 |
| wlan.fc.order | Boolean | Order flag | 0.9.0 to 0.10.12 |
| wlan.fc.pwrmgt | Boolean | PWR MGT | 0.9.0 to 0.10.12 |
| wlan.fc.retry | Boolean | Retry | 0.9.0 to 0.10.12 |
| wlan.fc.subtype | Unsigned 8-bit integer | Subtype | 0.9.0 to 0.10.12 |
| wlan.fc.tods | Boolean | To DS | 0.9.0 to 0.10.12 |
| wlan.fc.type | Unsigned 8-bit integer | Type | 0.9.0 to 0.10.12 |
| wlan.fc.type_subtype | Unsigned 16-bit integer | Type/Subtype | 0.9.0 to 0.10.12 |
| wlan.fc.version | Unsigned 8-bit integer | Version | 0.9.0 to 0.10.12 |
| wlan.fc.wep | Boolean | WEP flag | 0.9.0 to 0.10.12 |
| wlan.fcs | Unsigned 32-bit integer | Frame check sequence | 0.9.0 to 0.10.12 |
| wlan.flags | Unsigned 8-bit integer | Protocol Flags | 0.9.0 to 0.10.12 |
| wlan.frag | Unsigned 16-bit integer | Fragment number | 0.9.0 to 0.10.12 |
| wlan.fragment | Frame number | 802.11 Fragment | 0.9.4 to 0.10.12 |
| wlan.fragment.error | Frame number | Defragmentation error | 0.9.4 to 0.10.12 |
| wlan.fragment.multipletails | Boolean | Multiple tail fragments found | 0.9.4 to 0.10.12 |
| wlan.fragment.overlap | Boolean | Fragment overlap | 0.9.4 to 0.10.12 |
| wlan.fragment.overlap.conflict | Boolean | Conflicting data in fragment overlap | 0.9.4 to 0.10.12 |
| wlan.fragment.toolongfragment | Boolean | Fragment too long | 0.9.4 to 0.10.12 |
| wlan.fragments | None | 802.11 Fragments | 0.9.4 to 0.10.12 |
| wlan.qos.ack | Unsigned 16-bit integer | Ack Policy | 0.10.5 to 0.10.12 |
| wlan.qos.priority | Unsigned 16-bit integer | Priority | 0.10.5 to 0.10.12 |
| wlan.ra | 6-byte Hardware (MAC) Address | Receiver address | 0.9.0 to 0.10.12 |
| wlan.reassembled_in | Frame number | Reassembled 802.11 in frame | 0.9.12 to 0.10.12 |
| wlan.sa | 6-byte Hardware (MAC) Address | Source address | 0.9.0 to 0.10.12 |
| wlan.seq | Unsigned 16-bit integer | Sequence number | 0.9.0 to 0.10.12 |
| wlan.signal_strength | Unsigned 8-bit integer | Signal Strength | 0.9.4 to 0.10.12 |
| wlan.ta | 6-byte Hardware (MAC) Address | Transmitter address | 0.9.0 to 0.10.12 |
| wlan.tkip.extiv | String | TKIP Ext. Initialization Vector | 0.10.5 to 0.10.12 |
| wlan.wep.crc | Unsigned 32-bit integer | WEP CRC (not verified) | 0.9.0 to 0.9.5 |
| wlan.wep.icv | Unsigned 32-bit integer | WEP ICV | 0.9.5 to 0.10.12 |
| wlan.wep.iv | Unsigned 24-bit integer | Initialization Vector | 0.9.0 to 0.10.12 |
| wlan.wep.key | Unsigned 8-bit integer | Key | 0.9.0 to 0.10.12 |
| wlan.wep.weakiv | Boolean | Weak IV | 0.10.9 to 0.10.12 |

Appendix: Ethereal supports a very large number of protocols (reportedly more than 700)

3COMXNS, 3GPP2 A11, 802.11 MGT, 802.11 Radiotap, 802.3 Slow protocols, 9P, AAL1, AAL3/4, AARP, ACAP, ACN, ACSE, ACtrace, ADP, AFP, AFS (RX), AH, AIM, AIM Administration, AIM Advertisements, AIM BOS, AIM Buddylist, AIM Chat, AIM ChatNav, AIM Directory, AIM Email, AIM Generic, AIM ICQ, AIM Invitation, AIM Location, AIM Messaging, AIM OFT, AIM Popup, AIM SSI, AIM SST, AIM Signon, AIM Stats, AIM Translate, AIM User Lookup, AJP13, ALC, ALCAP, AMR, ANS, ANSI BSMAP, ANSI DTAP, ANSI IS-637-A Teleservice, ANSI IS-637-A Transport, ANSI IS-683-A (OTA (Mobile)), ANSI IS-801 (Location Services (PLD)), ANSI MAP, AODV, AOE, ARCNET, ARP/RARP, ARTNET, ASAP, ASF, ASN1, ASP, ATM, ATM LANE, ATP, ATSVC, AVS WLANCAP, AX4000, AgentX, Armagetronad, Auto-RP, BACapp, BACnet, BEEP, BER, BFD Control, BGP, BICC, BOFL, BOOTP/DHCP, BOOTPARAMS, BOSSVR, BROWSER, BSSAP, BSSGP, BUDB, BUTC, BVLC, BitTorrent, Boardwalk, CAMEL, CAST, CBAPDev, CCSDS, CDP, CDS_CLERK, CFLOW, CGMP, CHDLC, CIP, CLDAP, CLEARCASE, CLNP, CLTP, CMIP, CMP, CMS, CONV, COPS, COSEVENTCOMM, COSNAMING, COTP, CPFI, CPHA, CRMF, CSM_ENCAPS, CUPS, CoSine, DAAP, DCCP, DCERPC, DCE_DFS, DCOM, DDP, DDTP, DEC_DNA, DEC_STP, DFS, DHCPFO, DHCPv6, DIS, DISTCC, DLSw, DLT User A, DLT User B, DLT User C, DLT User D, DNP 3.0, DNS, DNSSERVER, DOCSIS, DOCSIS BPKM-ATTR, DOCSIS BPKM-REQ, DOCSIS BPKM-RSP, DOCSIS DSA-ACK, DOCSIS DSA-REQ, DOCSIS DSA-RSP, DOCSIS DSC-ACK, DOCSIS DSC-REQ, DOCSIS DSC-RSP, DOCSIS DSD-REQ, DOCSIS DSD-RSP, DOCSIS INT-RNG-REQ, DOCSIS MAC MGMT, DOCSIS MAP, DOCSIS REG-ACK, DOCSIS REG-REQ, DOCSIS REG-RSP, DOCSIS RNG-REQ, DOCSIS RNG-RSP, DOCSIS TLVs, DOCSIS UCC-REQ, DOCSIS UCC-RSP, DOCSIS UCD, DOCSIS VSIF, DOCSIS type29ucd, DRSUAPI, DSI, DSSETUP, DTP, DTSPROVIDER, DTSSTIME_REQ, DUA, DVMRP, Data, Diameter, E.164, EAP, EAPOL, ECHO, EDONKEY, EFS, EIGRP, ENC, ENIP, ENRP, ENTTEC, EPM, EPMv4, ESIS, ESP, ESS, ETHERIC, ETHERIP, EVENTLOG, Ethernet, FC, FC ELS, FC FZS, FC-FCS, FC-SB3, FC-SP, FC-SWILS, FC-dNS, FCIP, FCP, FC_CT, FDDI, FIX, FLDB, 
FR, FRSAPI, FRSRPC, FTAM, FTP, FTP-DATA, FTSERVER, FW-1, Frame, G.723, GIF image, GIOP, GMRP, GNUTELLA, GPRS NS, GPRS-LLC, GRE, GSM BSSMAP, GSM DTAP, GSM RP, GSM SMS, GSM SMS UD, GSM_MAP, GSS-API, GTP, GVRP, Gryphon, H.261, H.263, H1, H225, H235, H248, HCLNFSD, HPEXT, HPSW, HSRP, HTTP, HyperSCSI, IAP, IAPP, IAX2, IB, ICAP, ICBAAccoCB, ICBAAccoCB2, ICBAAccoMgt, ICBAAccoMgt2, ICBAAccoServ, ICBAAccoServ2, ICBAAccoServSRT, ICBAAccoSync, ICBABrowse, ICBABrowse2, ICBAGErr, ICBAGErrEvent, ICBALDev, ICBALDev2, ICBAPDev, ICBAPDev2, ICBAPDevPC, ICBAPDevPCEvent, ICBAPersist, ICBAPersist2, ICBARTAuto, ICBARTAuto2, ICBAState, ICBAStateEvent, ICBASysProp, ICBATime, ICEP, ICL_RPC, ICMP, ICMPv6, ICP, ICQ, IDP, IDispatch, IEEE 802.11, IEEE802a, IGAP, IGMP, IGRP, ILMI, IMAP, INAP, INITSHUTDOWN, IOXIDResolver, IP, IP/IEEE1394, IPComp, IPDC, IPFC, IPMI, IPP, IPVS, IPX, IPX MSG, IPX RIP, IPX SAP, IPX WAN, IPv6, IRC, IRemUnknown, IRemUnknown2, ISAKMP, ISDN, ISIS, ISL, ISMP, ISUP, ISystemActivator, IUA, IrCOMM, IrLAP, IrLMP, JFIF (JPEG) image, JXTA, JXTA Framing, JXTA Message, JXTA UDP, JXTA Welcome, Jabber, Juniper, K12xx, KADM5, KINK, KLM, KRB4, KRB5, KRB5RPC, Kpasswd, L2TP, LANMAN, LAPB, LAPBETHER, LAPD, LDAP, LDP, LLAP, LLC, LMI, LMP, LOOP, LPD, LSA, LWAPP, LWAPP-CNTL, LWAPP-L3, LWRES, Laplink, Line-based text data, Log, LogotypeCertExtn, Lucent/Ascend, M2PA, M2TP, M2UA, M3UA, MACC, MAPI, MAP_DialoguePDU, MATE, MDS Header, MEGACO, MGCP, MGMT, MIME multipart, MIPv6, MMS, MMSE, MOUNT, MPEG1, MPLS, MPLS Echo, MQ, MQ PCF, MRDISC, MS Proxy, MSDP, MSMMS, MSNIP, MSNMS, MSRP, MTP2, MTP3, MTP3MG, Manolito, Media, Messenger, Mobile IP, Modbus/TCP, mysql, NBDS, NBIPX, NBNS, NBP, NBSS, NCP, NDMP, NDPS, NFS, NFSACL, NFSAUTH, NIS+, NIS+ CB, NLM, NLSP, NMAS, NMPI, NNTP, NORM, NSIP, NSPI, NS_CERT_EXTS, NTLMSSP, NTP, NW_SERIAL, NetBIOS, Netsync, Null, OAM AAL, OCSP, OLSR, OPSI, OSPF, PAGP, PARLAY, PCLI, PCNFSD, PER, PFLOG, PFLOG-OLD, PGM, PGSQL, PIM, PKCS-1, PKIX Certificate, PKIX1EXPLICIT, 
PKIX1IMPLICIT, PKIXPROXY, PKIXQUALIFIED, PKIXTSP, PKInit, PKTC, PN-DCP, PN-RT, PNIO, PNP, POP, PPP, PPP BACP, PPP BAP, PPP CBCP, PPP CCP, PPP CDPCP, PPP CHAP, PPP Comp, PPP IPCP, PPP IPV6CP, PPP LCP, PPP MP, PPP MPLSCP, PPP OSICP, PPP PAP, PPP PPPMux, PPP PPPMuxCP, PPP VJ, PPP-HDLC, PPPoED, PPPoES, PPTP, PRES, PTP, Portmap, Prism, Q.2931, Q.931, Q.933, QLLC, QUAKE, QUAKE2, QUAKE3, QUAKEWORLD, R-STP, RADIUS, RANAP, RDM, RDT, REMACT, REP_PROC, RIP, RIPng, RLM, RMCP, RMI, RMP, RPC, RPC_BROWSER, RPC_NETLOGON, RPL, RQUOTA, RRAS, RSH, RSTAT, RSVP, RSYNC, RS_ACCT, RS_ATTR, RS_BIND, RS_PGO, RS_PLCY, RS_REPADM, RS_REPLIST, RS_UNIX, RTCP, RTMP, RTP, RTP Event, RTPS, RTSP, RTcfg, RTmac, RUDP, RWALL, RX, Raw, Raw_SIP, Raw_SigComp, Redback, Rlogin, SADMIND, SAMR, SAP, SCCP, SCCPMG, SCSI, SCTP, SDLC, SDP, SEBEK, SECIDMAP, SES, SGI MOUNT, SIGCOMP, SIP, SIPFRAG, SIR, SKINNY, SLARP, SLL, SM, SMB, SMB Mailslot, SMB Pipe, SMB_NETLOGON, SMPP, SMRSE, SMTP, SMUX, SNA, SNA XID, SNAETH, SNDCP, SNMP, SONMP, SPNEGO-KRB5, SPOOLSS, SPP, SPRAY, SPX, SRVLOC, SRVSVC, SSCF-NNI, SSCOP, SSH, SSL, STAT, STAT-CB, STP, STUN, SUA, SVCCTL, Serialization, Slimp3, Socks, SoulSeek, Spnego, Symantec, Synergy, Syslog, T.38, TACACS, TACACS+, TALI, TANGO, TAPI, TCAP, TCP, TDMA, TDS, TEI_MANAGEMENT, TELNET, TFTP, TIME, TKN4Int, TNS, TPCP, TPKT, TR MAC, TRKSVR, TSP, TTP, TUXEDO, TZSP, Teredo, Token-Ring, UBIKDISK, UBIKVOTE, UCP, UDP, UDPENCAP, UMA, V.120, V5UA, VLAN, VNC, VRRP, VTP, Vines ARP, Vines Echo, Vines FRP, Vines ICP, Vines IP, Vines IPC, Vines LLC, Vines RTP, Vines SPP, WAP SIR, WBXML, WCCP, WCP, WHDLC, WHO, WINREG, WKSSVC, WLANCERTEXTN, WSP, WTLS, WTP, X.25, X.29, X11, X509AF, X509CE, X509IF, X509SAT, XDMCP, XML, XOT, XYPLEX, YHOO, YMSG, YPBIND, YPPASSWD, YPSERV, YPXFR, ZEBRA, ZIP, cds_solicit, cprpc_server, dce_update, dicom, giFT, h221nonstd, h245, h450, iFCP, iSCSI, iSNS, isup_thin, llb, message/http, nettl, rdaclif, roverride, rpriv, rs_attr_schema, rs_misc, rs_prop_acct, rs_prop_acl, 
rs_prop_attr, rs_prop_pgo, rs_prop_plcy, rs_pwd_mgmt, rs_repmgr, rsec_login, sFlow,

 
 
 