The real power of ethereal's display filters comes when you realize that you don't really need to understand the syntax of display filters to start using them. You can select a field from the center pane
and then select Display → Match Selected, and ethereal will construct and apply the filter for you. Of
course, not every field is useful, but it doesn't take much practice to see what works and what doesn't.
The primary limitation of this approach comes in constructing compound filters. If you want to capture all the traffic to or from a computer, you won't be able to match a single field. But you should
be able to discover the syntax for each of the pieces. Once you know that
ip.src==205.153.63.30
matches all IP traffic with 205.153.63.30 as its source and that
ip.dst==205.153.63.30
matches all IP traffic to 205.153.63.30, it isn't difficult to come up with the filter you need:
ip.src==205.153.63.30 or ip.dst==205.153.63.30
Display filters are really very intuitive, so you should have little trouble learning how to use them.
Perhaps more than any other tool described in this book, ethereal is constantly being changed and improved. While this book was being written, new versions were appearing at the rate of about once a
month. So you should not be surprised if ethereal looks a little different from what is described here. Fortunately, ethereal is a well-developed program that is very intuitive to use. You should have little
trouble going on from here.
5.7 Dark Side of Packet Capture
What you can do, others can do. Pretty much anything you can discover through packet capture can be discovered by anyone else using packet capture in a similar manner. Moreover, some technologies that
were once thought to be immune to packet capture, such as switches, are not as safe as once believed.
5.7.1 Switch Security
Switches are often cited as a way to protect traffic from sniffing. And they really do provide some degree of protection from casual sniffing. Unfortunately, there are several ways to defeat the
protection that switches provide.
First, many switches will operate as hubs, forwarding traffic out on every port, whenever their address tables are full. When first initialized, this is the default behavior until the address table is built.
Unfortunately, tools like macof, part of the dsniff suite of tools, will flood switches with MAC addresses, overflowing a switch's address table. If your switch is susceptible, all you need to do to
circumvent security is run the program.
Second, if two machines have the same MAC address, some switches will forward traffic to both machines. So if you want copies of traffic sent to a particular machine on your switch, you can change
the MAC address on your interface to match the target device's MAC address. This is easily done on many Unix computers with the ifconfig command.
A third approach, sometimes called ARP poisoning, is to send a forged ARP packet to the source device. This can be done with a tool like arpredirect, also part of dsniff. The idea is to substitute the
packet capture device's MAC address for the destination's MAC address. Traffic will be sent to the packet capture device, which can then forward the traffic to its destination. Of course, the forged ARP
packets can be sent to any number of devices on the switch.
The result, with any of these three techniques, is that traffic will be copied to a device that can capture it. Not all switches are susceptible to all of these attacks. Some switches provide various types of port
security, including static ARP assignments. You can also use tools like arpwatch to watch for suspicious activities on your network. arpwatch is described in Chapter 6. If sniffing is a concern,
you may want to investigate what options you have with your switches.
While these techniques could be used to routinely capture traffic as part of normal management, the
techniques previously suggested are preferable. Flooding the address table can significantly degrade network performance. Duplicating a MAC address will allow you to watch traffic only to a single host.
ARP poisoning is a lot of work when monitoring more than one host and can introduce traffic delays. Consequently, these aren't really techniques that you'll want to use if you have a choice.
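As an added example (not from the book or from arpwatch), the following script shows the core of the monitoring that arpwatch does: it keeps a table of which MAC address each IP claimed in ARP replies and reports a change, which is what ARP poisoning or a duplicated MAC address looks like from the wire, and it counts distinct source MACs per second to spot the address-table flooding done by macof. The ARP records and frames are constructed in the script; a real monitor would read them from a capture library.

```python
# Added example, not the book's or arpwatch's code: a minimal arpwatch-style
# monitor for the switch attacks described above. Input data is constructed.
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender_ip, sender_mac).
SAMPLE_ARP = [
    (0.0, "205.153.63.30", "00:00:0c:11:22:33"),
    (1.0, "205.153.63.1",  "00:00:0c:aa:bb:cc"),
    (2.0, "205.153.63.30", "00:00:0c:11:22:33"),   # same mapping, nothing to report
    (3.0, "205.153.63.30", "00:e0:29:de:ad:01"),   # IP now claims a new MAC: suspicious
]

def watch_arp(records):
    """Return (timestamp, ip, old_mac, new_mac) for every IP whose MAC changes."""
    seen = {}
    alerts = []
    for ts, ip, mac in records:
        old = seen.get(ip)
        if old is not None and old != mac:
            alerts.append((ts, ip, old, mac))
        seen[ip] = mac          # remember the latest claim, as arpwatch does
    return alerts

def detect_mac_flood(frames, window=1.0, threshold=50):
    """Flag each `window`-second bucket with more than `threshold` distinct
    source MACs. `frames` is an iterable of (timestamp, source_mac).
    Returns a list of (bucket_start_seconds, distinct_mac_count)."""
    buckets = defaultdict(set)
    for ts, mac in frames:
        buckets[int(ts // window)].add(mac)
    return [(b * window, len(macs))
            for b, macs in sorted(buckets.items()) if len(macs) > threshold]

# Constructed frame stream: two normal frames, then 60 distinct locally
# administered MACs inside one second, the signature of a table-flooding tool.
SAMPLE_FRAMES = [(0.2, "00:00:0c:11:22:33"), (0.8, "00:00:0c:aa:bb:cc")]
SAMPLE_FRAMES += [(1.0 + i / 100, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
                  for i in range(60)]

if __name__ == "__main__":
    for ts, ip, old, new in watch_arp(SAMPLE_ARP):
        print(f"{ts}s: {ip} changed from {old} to {new}")
    for start, n in detect_mac_flood(SAMPLE_FRAMES):
        print(f"{start}s: {n} distinct source MACs in one second")
```

The threshold of 50 new source addresses per second is an assumed value; on a quiet segment a few dozen new MACs in a second is already far outside normal behaviour, but tune it to your own network.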
5.7.2 Protecting Yourself