Ethereal Packet Sniffing

This is the first book in my Open Source Security Series; I took an editorial role on it rather than authoring content. Angela Orebaugh did a great job on this, along with Greg Morris, Ed Warnickle, and Ethereal's own Gilbert Ramirez.

Read the reviews from Amazon here. Richard Bejtlich gave it a great review, saying: "Ethereal Packet Sniffing is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. Ethereal is full of helpful tips and clear discussions that benefit newbies and wizards alike. I've been using Ethereal for around five years, and this book still taught me a few new tricks."

The most important question I expected on this book was, of course, "why a whole book for this one small tool?" As I wrote in the Foreword to answer this question, reading this book should teach you about a number of network forensics and IDS tools and techniques. For instance, Chapter 8 takes you through real-world packet captures, demonstrating how you can use Ethereal to dissect and understand attacks. It takes you through a detailed hands-on analysis of the SQL Slammer and Ramen worms, though my favorite was definitely Code Red. Chapter 6 teaches you about less-famous but very useful tools that come with Ethereal, like mergecap, which merges packet data from multiple sources and multiple formats together, and text2pcap, which recreates packets from the text-based hex dumps we're all used to seeing in our logs or training materials. Finally, Chapter 9 brings one of the unique parts of the whole series to this book: it teaches you how to develop Ethereal!

Ethereal Foreword

by Jay Beale

When Syngress proposed Ethereal as the first book in my Open Source Security series, my first thought was, "A whole book on Ethereal? Isn't it just a sniffer?" At the time, I didn't realize the scope of this program.

However, as we began developing the chapters, I saw exactly why Ethereal warranted an entire book. It has a tremendous number of useful features and included tools that most people never explore because it is so simple to use for day-to-day sniffing. Along these lines, Chapter 6 (Other Programs Packaged with Ethereal) brings up less-often highlighted tools like mergecap, which many an IDS analyst or network forensics expert has used to read in packet data from multiple sources and write that data out in the format of their choice. I recently spoke to an IDS expert who hadn't ever used text2pcap (another tool covered by Chapter 6), which he and I both found immediately useful in creating pcap packet captures from text-based hex dumps. Chapter 7 (Integrating Ethereal with Other Sniffers) offers an excellent treatment of how to interoperate Ethereal with a multitude of other free and commercial sniffers. Chapter 9's (Developing Ethereal) coverage of how to expand and build on Ethereal will prove useful for anyone who manages to find a protocol for which it doesn't yet have specific decoding functionality. I loved that Chapter 5 (Filters) describes an undocumented feature in Ethereal so effectively and completely.
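Both the description above and the earlier summary mention text2pcap (hex dump to pcap) and mergecap (combining captures from several sources). The following is an added example, not code from the book or from the Ethereal project, that shows in miniature what those two tools do: it parses an offset-prefixed hex dump of the kind text2pcap reads, writes the packets out as a classic little-endian pcap file, reads pcap back, and merges several captures in timestamp order the way mergecap does by default. The sample hex dump is constructed for the example; the function names are my own and the pcap field layout follows the classic libpcap file format.

```python
"""Toy text2pcap/mergecap equivalents (added example, not Ethereal's code)."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1        # DLT_EN10MB
SNAPLEN = 65535

# Constructed sample: one Ethernet/IPv4/UDP frame in the "offset bytes..."
# style that text2pcap accepts (hex offsets, space-separated hex bytes).
SAMPLE_DUMP = """\
0000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
0010 00 1c 00 01 00 00 40 11 7c ce c0 a8 01 02 c0 a8
0020 01 01 04 d2 00 35 00 08 b2 3a
"""

# offset (4+ hex digits), separator, then one or more hex byte pairs
HEX_LINE = re.compile(
    r'^\s*([0-9A-Fa-f]{4,})[: ]\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})')


def parse_hexdump(text):
    """Return a list of packets (bytes) from an offset-prefixed hex dump.

    Like text2pcap, a line whose offset is 0 starts a new packet, and the
    offset on each line must match the number of bytes already collected.
    Lines that do not look like hex dump lines are ignored.
    """
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(
                f"offset {offset:#06x} does not match {len(current)} bytes read")
        current.extend(bytes.fromhex(m.group(2)))
    if current:
        packets.append(bytes(current))
    return packets


def _pcap_header():
    # magic, major=2, minor=4, thiszone=0, sigfigs=0, snaplen, linktype
    return struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN,
                       LINKTYPE_ETHERNET)


def _pcap_record(sec, usec, pkt):
    # ts_sec, ts_usec, incl_len, orig_len, then the packet bytes
    return struct.pack('<IIII', sec, usec, len(pkt), len(pkt)) + pkt


def build_pcap(packets, start_ts=0.0):
    """Serialize packets as classic pcap bytes, one microsecond apart."""
    out = bytearray(_pcap_header())
    base_usec = int(round(start_ts * 1_000_000))
    for i, pkt in enumerate(packets):
        sec, usec = divmod(base_usec + i, 1_000_000)
        out += _pcap_record(sec, usec, pkt)
    return bytes(out)


def read_pcap(data):
    """Parse classic little-endian pcap bytes into (sec, usec, packet) tuples."""
    if struct.unpack('<I', data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    records, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _orig = struct.unpack('<IIII', data[pos:pos + 16])
        pos += 16
        records.append((sec, usec, data[pos:pos + caplen]))
        pos += caplen
    return records


def merge_pcaps(*captures):
    """Merge pcap byte strings chronologically (mergecap's default mode)."""
    records = [r for cap in captures for r in read_pcap(cap)]
    records.sort(key=lambda r: (r[0], r[1]))
    out = bytearray(_pcap_header())
    for sec, usec, pkt in records:
        out += _pcap_record(sec, usec, pkt)
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    cap_a = build_pcap(pkts, start_ts=10.0)
    cap_b = build_pcap(pkts, start_ts=5.0)
    merged = merge_pcaps(cap_a, cap_b)
    with open("merged_example.pcap", "wb") as f:
        f.write(merged)
    print(f"{len(pkts)} packet(s) parsed; merged capture holds "
          f"{len(read_pcap(merged))} records in time order")
```

The output file opens in Ethereal/Wireshark or tcpdump like any other capture, which is a convenient way to check that a hand-transcribed hex dump decodes the way you expected before relying on it in an analysis.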

Most of all, though, I found Chapter 8 (Real World Packet Captures) the most exciting. It demonstrates how to use Ethereal to dissect and understand attacks, allowing you to follow along by using Ethereal yourself on the packet captures on the included CD-ROM. While the SQL Slammer and Ramen worm hands-on material was very interesting, I especially enjoyed following the Code Red analysis hands-on.

What comes out of reading these chapters is the realization that Ethereal is no run-of-the-mill freeware network sniffer. Ethereal offers more protocol decoding and reassembly than any free sniffer out there and ranks pretty well among the commercial tools. We've all used tools like tcpdump or windump to examine individual packets (and always will), but Ethereal makes it easier to make sense of a stream of ongoing network communications. Ethereal not only makes network troubleshooting work far easier, but also aids greatly in network forensics, the art of finding and examining an attack, by giving a better big-picture view. Finally, when you're trying to find, isolate and understand anomalous traffic, its expandable-tree view of your network traffic is invaluable. I hope that you'll find this book just as invaluable. Ethereal has the ability to be a simple, single-purpose tool that you use without thinking when you need to look at packets, or it can be the backbone of your security toolkit. This book gives you the information you need to take Ethereal to whatever level of performance you want.