How to use Ethereal to capture a packet trace

  • 10070788
  • NOVL79116
  • 08-May-2002
  • 12-Apr-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Goal

How to use Ethereal to capture a packet trace.

Fact

Ethereal 0.9.13

Fix

Go to http://www.ethereal.com/download.html and download the binary for the OS you're going to run Ethereal from.  Most people will download the "Microsoft:
Windows (Intel, 32-bit)" binary.  When you launch the install program by default all product components are selected.  

For the Windows platform you also need to follow the links to download and install the WinPcap driver so you can capture packets. 

The link to get the WinPcap driver is:  http://winpcap.mirror.ethereal.com/install/default.htm.  Download version WinPcap 3.0. (Do not use beta versions of WinPcap). 

After installing Ethereal and the WinPcap drivers do the following:

1.  Launch ethereal.exe from C:\Program Files\Ethereal

2.  Go to Capture | Start



3. Now the Capture window is displayed.

4.  In the Interface field, select your NIC from the drop down list. Note: If the Interface field is blank then you most likely have not installed the WinPcap drivers. We have also seen the beta version of the WinPcap drivers display only a : in this field. Also you must reboot the workstation after installing WinPcap for the driver to load into memory. There are also issues with multi-processor machines and the WinPcap driver. Pleaser refer to their site for support.

5. If you want to configure capture filters please refer to solution NOVL90720  

6. Other capture options

a. Limit each packet to: (Do not use this option. Novell support will always want to see full frames.)

b. Capture packet in promiscuous mode: (This option allows the adapter to capture all traffic not just traffic destined for this workstation. Make sure it is enabled)

c. Capture file(s): (This allows you to specify a file to be used for the packet capture. By default Ethereal will use temporary files and memory to capture traffic. Specify a file for fault tolerance.)

d. Use ring buffer: (For instances where you need to let Ethereal run and capture data for a long period of time. You can set the number of files for Ethereal to spool data to. When a file fills up it will wrap to the next file. The file name should be  specified if you want to use the ring buffer.)

e. Update list of packets in real time: (Ethereal will become the active window and display packets as they are captured. If you are duplicating a problem on the same machine you will find that Ethereal keeps poping up as the active window each time a packet is captured. Leave disabled if you are duplicating the issue on the same workstation.)

f. Automatic scrolling in live capture: (Ethereal will scroll the window so that the most current packet is displayed.)

g. Stop capture after xxx packet(s) captured: (Novell Technical Support would most likely never use this option. Leave disabled.)

h. Stop capture after xxx kilobyte(s) captured: (Novell Technical Support would most likely never use this option. Leave disabled.)

i. Stop capture after xxx second(s): (Novell Technical Support would most likely never use this option. Leave disabled.)
 
j. Enable MAC name resolution: (Ethereal contains a table to resolve MAC addresses to vendors. Leave enabled.)
 
k. Enable network name resolution: (Ethereal will issue DNS queries to resolve IP host names. Also will attempt to resolve network network names for other protocols. Leave disabled.)
 
l. Enable transport name resolution: (Ethereal will attempt to resolve transport names. Leave disabled.)

7. Now click the OK button to start the capture.

8.  Recreate the problem.    The capture dialog should show the number of packets increasing.  If not, then stop the capture.  Restart the capture and look at the interface drop down box and pick the one that is not WANIP or WANIP.   It will probably be a long alpha-numeric string.  Try that.  If you're still not getting packets, try removing any filters that you might have defined. 

9.  Once you have finished reproducing what we're trying to capture.  Click on Stop.  It might take a few seconds for Ethereal to display the packets captured. If the destination address is always displayed as FFFFFFFF (IPX) or always ends in .255 (IP) then all you have captured is broadcast packets.  This is a useless trace.

If you are running Ethereal on the target machine, then do not enter a filter at all.  If you are tracing another machine (to start the trace while the target is off and capture the bootup process), you will need to mirror the ports on the switch, or plug the workstations into a dumb hub and plug the hub into the switch.   If the hub has intelligence to prevent the workstations from seeing each other's packets, then we will not be able to get a good trace.

The Ethereal website has a good FAQ on this subject. Please refer to http://www.ethereal.com/faq.html#q5.1

10.  Save the packet trace in any supported format. Just click on the File menu option and select Save As.

11. By default Ethereal will save the packet trace in libpcap format. This is a filename without any extension. It can be read by any other user with Ethereal or another libpcap utility. By clicking on the File type: button you can save the trace in many other different formats.



12.  You can email the trace to support@novell.com with your incident number in the subject line. (We do not analyze packet traces without an open incident).  If it is larger than about 5 mg, we prefer that you upload the trace to our ftp server.  Zip the traces and a readme.txt with a description of what you traced, using  <incident number>.zip as a naming convention, i.e. 2345678.zip.  Upload the file to ftp.novell.com/incoming. Once the file has been uploaded please notify your technician that it is there by updating the incident on the web at https://secure-support.novell.com/elecinc/eiLogin.jsp or send an email to support@novell.com

13.  Create a trace_info.txt file with the IP and MAC addresses of the machines that are being traced as well as any additional information listed below. 

NOTES:

What is the problem?  (when did it start? steps to reproduce? any other pertinent information)

What steps were traced? 

Give names of the servers & files being accessed.

If you or another coworker has attempted to analyze the trace then please feel free to provide us with this information.   

Example:  Packets 1-30 are boot.  Packets 31-500 are login.  Packets 501 to 1,000 is my application loading.   Packet 1,001 to 1,500 is me saving my file.    The error occurred at approximately packet 1,480.

Give the MAC addresses of hardware involved?  (Workstation, servers, printers ...)
 
What is the workstation OS and configuration? 
   
What version of the client is running?  

If it works with one version of the client (or a particular server patch), then get a trace of it working, and a trace of it not working. 

Are there any client patches loaded?  

What version of NetWare (and other relevant products i.e. ZEN or NDPS) are running on the server? 

What patches have been applied?

What is the configuration of the network?  Are there routers involved?  If so, what kind of routers? 

A common procedure for taking a trace would be to try to get two traces, one of a workstation that works and one of a workstation failing.    When doing this, it is important that the exact same steps are followed in each trace so they can be accurately compared.   The following steps are useful in this case:

1.  Follow the steps above to set up the trace of a failing workstation. 

2.  Start the trace, then turn on the target workstation.  Once you have completed logging in and the operating system has finished loading, then write down the packet number.  (Shows on the LANalzyer dashboard, or the Ethereal screen).

3.  As you recreate the error, between each step pause and make a note of the packet number once that step has completed.  For instance, load the application -write down packet number, open a file -write down packet number etc. etc.

4.   Once the issue that you are trying to capture has been completed, you can stop the trace, save it and send the trace in to Novell for analysis.  Then repeat the EXACT SAME steps for the workstation that works.  Include a note indicating the steps that were followed and the packet number at the end of each step for each trace.


TID 10011012 has information on getting a trace with LANalyzer.

 

.

Note

Note: Ethereal is a free open source product. Novell does not provide support for this product. The purpose of this solution is to provide Novell employees and it's customers with information regarding the use of this free tool. To download, report issues, or to request for any enhancements, please consult the Ethereal website at http://www.ethereal.com.