Ethereal-users: Re: [ethereal-users] how to use ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 13 Jun 2000 22:10:04 -0700
On Tue, Jun 13, 2000 at 05:35:46PM -0400, Kiran Sirupa wrote:
> I have finally been able to install Ethereal successfully. Now I want to
> test it. I wrote an echo server and client which communicate on the
> same machine; I want to see the data in the packets through
> Ethereal. How can it be done? I tried to open a file; it says it is
> not a valid capture file.
> I want live capture only.

I.e., you want to see what's on the network right now, rather than
seeing a capture that you or somebody else has made with tcpdump or
Ethereal or some other sniffer?

If so, then, first of all, you need to be running with an account with
sufficient privilege to be able to capture packets, which, on UNIX
systems (including Linux distributions), usually means "root".  You
don't need to be logged in to such an account, but you'll at least have
to use "su" or "sudo" or some program such as that to run Ethereal under
such an account's user ID.

Once you're running Ethereal in that fashion, you select the "Capture"
item from the menu bar, and then select "Start" from the menu.  It'll
pop up a dialog box.

The "Interface:" field in the dialog box is the network interface on
which the capture should be done.  If the server and client are running
on the same machine, you'll probably want to capture on a loopback
interface; the interface will probably have a name such as "lo" or "lo0"
or something starting with "lo".  The "Interface:" field is a combo box,
so the triangular widget to the right of the text field can be selected
with the mouse, and should drop down a list of interfaces; select the
first one that begins with "lo".

The "Count:" field can be used to cause Ethereal to stop capturing after
a certain number of packets have been seen; you probably want to leave
it as "0 (Infinite)", meaning it'll keep capturing until you tell it to
stop.

The "Filter:" field lets you specify a filter that limits which packets
will be seen by Ethereal; however, due to a botch in the current version
of the libpcap library on most (if not all) distributions of Linux, that
doesn't work on loopback devices, so just leave it blank.

The "File:" field lets you specify the file to which the capture should
initially be written; if left blank, that being the default, it writes
the capture to a temporary file - but you can later save it to another
file.

The "Capture length" field specifies how many bytes of the packet should
be seen by Ethereal; in some cases, you may only be interested in, for
example, IP and TCP headers, in which case you can reduce the CPU
overhead of the capture by specifying a smaller capture length than the
default of 65535, which means "see all of the packet".

The "Update list of packets in real time" button lets you control
whether the display will be updated as packets arrive, or whether
Ethereal will just display a count of the packets of various types it's
seen.  The real time update is convenient, but can impose a greater CPU
burden - you probably don't want to use it if you're watching a very
busy network, but if you're just looking at light traffic from an echo
client talking to a server on the same machine, it's probably OK.

The "Automatic scrolling in live capture" button controls whether, if
you've specified that the list of packets should be updated in real
time, the list should always be scrolled so that the most recently
received packets are displayed, i.e. always scrolled to the end.  That
lets you see a display of summaries of packets as they arrive, but means
that the display could scroll out from under you as you're watching it
or trying to select a packet in it.

The "Enable name resolution" button controls whether Ethereal will try
to interpret Ethernet addresses, IP addresses, and so on and display the
host names corresponding to them, or whether it just displays the
address numerically.  The names may be more meaningful, but, especially
if you're capturing traffic to hosts far away, Ethereal may hang for a
while when trying to find the name corresponding to an IP address, if,
for example, a DNS server that's used to find that name is not
responding.

When you've selected the options you want, click the "OK" button;
Ethereal will, if it can, start capturing.  (If it can't, it should pop
up a message box explaining why it can't; if that happens, and you ask
"ethereal-users" about it, please include the full text of the message.)

While the capture is in progress, there will be a window displayed that
shows counts of the total number of packets that have been seen by
Ethereal and counts of the packets of various types seen by Ethereal.
To stop the capture, click the "Stop" button in that window; the display
should be updated to show the capture.
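As an added example (not part of Guy's message or of the Ethereal project's own code), the following Python script illustrates the trade-off behind the "Capture length" field described above. It builds a constructed Ethernet/IPv4/TCP frame of the kind an echo client would send over a Linux "lo" interface (libpcap presents that interface with an Ethernet-style header; that framing, the 127.0.0.1 addresses, the ports and the payload are all assumptions made for the example), computes the smallest capture length that still keeps every header, options included, and shows that truncating to that length preserves the headers while dropping the echo payload, which is exactly what a reduced capture length costs you.

```python
import struct

ETH_HDR_LEN = 14
IPV4_ETHERTYPE = b"\x08\x00"
DEFAULT_SNAPLEN = 65535  # dialog default on the page: "see all of the packet"


def build_frame(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame on 127.0.0.1 -> 127.0.0.1:7 (not a real capture)."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("IP and TCP options must be padded to 32-bit words")
    ihl = 5 + len(ip_options) // 4            # IPv4 header length in 32-bit words
    data_off = 5 + len(tcp_options) // 4      # TCP data offset in 32-bit words
    # src port, dst port (7 = echo), seq, ack, data offset byte, flags (PSH|ACK), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 7, 1, 1, data_off << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + payload
    total_len = ihl * 4 + len(tcp)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    ip += ip_options
    eth = b"\x00" * 12 + IPV4_ETHERTYPE    # loopback frames carry all-zero MAC addresses
    return eth + ip + tcp


def header_snaplen(frame: bytes) -> int:
    """Smallest capture length that keeps Ethernet + IPv4 (+ TCP) headers, options included."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    if frame[12:14] != IPV4_ETHERTYPE:
        raise ValueError("example only handles IPv4 frames")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    proto = frame[ETH_HDR_LEN + 9]
    if proto != 6:                          # not TCP: keep Ethernet + IPv4 only
        return ETH_HDR_LEN + ihl
    tcp_start = ETH_HDR_LEN + ihl
    if len(frame) < tcp_start + 13:
        raise ValueError("frame truncated inside the TCP header")
    data_off = (frame[tcp_start + 12] >> 4) * 4
    if data_off < 20:
        raise ValueError("bad TCP data offset")
    return tcp_start + data_off


def recommended_snaplen(frames) -> int:
    """Capture length that keeps the headers of every sampled frame (what you'd type in the dialog)."""
    return max(header_snaplen(f) for f in frames)


def truncate(frame: bytes, snaplen: int) -> bytes:
    """What libpcap hands to Ethereal when the capture length is snaplen."""
    return frame[:snaplen]


def payload_after_truncation(frame: bytes, snaplen: int) -> bytes:
    """Payload bytes still visible after the frame was captured with the given length."""
    return truncate(frame, snaplen)[header_snaplen(frame):]


if __name__ == "__main__":
    plain = build_frame(b"hello echo")
    with_opts = build_frame(b"hello echo", tcp_options=b"\x02\x04\x05\xb4")  # MSS option
    snap = recommended_snaplen([plain, with_opts])
    print("headers-only capture length for these frames:", snap)
    print("payload at default length:", payload_after_truncation(plain, DEFAULT_SNAPLEN))
    print("payload at reduced length:", payload_after_truncation(plain, snap))
```

Run it as-is to see the full payload survive at the default 65535 and vanish at the header-only length; use a larger value than `recommended_snaplen` returns if you still want the first few bytes of each echo message.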