1 <!-- EUG Chapter Advanced -->
5 <chapter id="ChapterAdvanced">
6 <title>Advanced Features</title>
8 <section id="ChAdvIntroduction"><title>Introduction</title>
10 In this chapter some advanced features of Ethereal will be described.
14 <section id="ChAdvFollowTCPSection"><title>Following TCP streams</title>
16 There will be occasions when you would like to see the data from a TCP
17 session in the order that the application layer sees it. Perhaps
18 you are looking for passwords in a Telnet stream, or you are
19 trying to make sense of a data stream. If so, Ethereal's ability to
20 follow a TCP stream will be useful to you.
23 Simply select a TCP packet in the stream/connection you are interested
24 in and then select the Follow TCP Stream menu item from the Ethereal
25 Tools menu. Ethereal will pop up a separate window with all the data
26 from the TCP stream laid out in order, as shown in
27 <xref linkend="ChAdvFollowStream"/>.
29 <section><title>The "Follow TCP stream" dialog box </title>
30 <figure id="ChAdvFollowStream">
31 <title>The "Follow TCP Stream" dialog box</title>
32 <graphic entityref="EtherealFollowStream" format="PNG"/>
35 You can choose from the following actions:
39 <command>Save As</command> Save the stream data in the currently
45 <command>Print</command> Print the stream data in the currently
51 <command>Direction</command> Choose the stream direction to be
52 displayed ("Entire conversation", "data from A to B only" or "data
58 <command>Filter out this stream</command> Apply a display filter
59 removing the current TCP stream data from the display.
64 <command>Close</command> Close this dialog box.
70 You can then choose to view the data in one of four formats:
74 <command>ASCII</command>. In this view you see the data from
75 each end in ASCII, but alternating according to when each
76 end sent data. Unfortunately, non-printing characters do not
82 <command>EBCDIC</command>. For the big-iron freaks out there.
87 <command>HEX Dump</command>. This allows you to see all the
88 data, but you lose the ability to read it in ASCII.
93 <command>C Arrays</command>. This allows you to import the stream data
94 into your own C program.
102 It is worthwhile noting that Follow TCP Stream installs a filter
103 to select all the packets in the TCP stream you have selected.
109 <section id="ChAdvReassemblySection"><title>Packet Reassembling/Desegmenting</title>
111 XXX - rework this chapter, as it's still a bit confusing.
113 <section><title>What is it?</title>
115 Often network protocols needs to transport large chunks of data, which are
116 complete in itself, e.g. when transferring a file. The underlying
117 protocol might not be able to handle that chunk size (e.g. limitation of
118 the network packet size), or is stream-based like TCP, which doesn't know
122 In that case the network protocol has to handle that chunks itself and
123 (if required) spreading the data over multiple packets. It also needs a
124 mechanism to find back the chunk boundaries on the receiving side.
126 <note><title>Reassembling vs. Desegmenting!</title>
128 Desegmenting is a slightly different mechanism compared to reassembling,
129 but doing the same thing. Both mechanisms combine traffic back together,
130 in this chapter only the term reassembling will be used.
134 <section><title>How Ethereal handles it</title>
136 For some of the network protocols Ethereal knows of, a mechanism is
137 implemented to find, decode and display this chunks of data.
138 Ethereal will try to find the corresponding packets of this chunk,
139 and will show the combined data as additional pages in the
140 "Packet Bytes" pane, see <xref linkend="ChUsePacketBytesPaneSection"/>.
142 <note><title>Note!</title>
144 Reassembling might take place in several protocol layers, so it's possible
145 that multiple tabs in the "Packet Bytes" pane appear.
148 <note><title>Note!</title>
150 You will find the reassembled data in the last packet of the chunk.
158 In a <command>HTTP</command> GET response, the requested data (e.g. a
159 HTML page) is returned. Ethereal will show the hex dump of the data in
160 a new tab "Uncompressed entity body" in the "Packet Bytes" pane.
165 A <command>DCE-RPC</command> (Remote Procedure Call) client send a
166 request to the server and expects a response back from it. Both the
167 request and the response is a complete chunk of data and will be
168 shown as a new tab "Reassembled DCE/RPC" in the "Packet Bytes" pane.
175 <section><title>Reassembling is disabled!</title>
177 Reassembling is usually disabled in the preferences by default, as it
178 slows down packet processing a bit.
181 Enabling reassembling of a protocol typically requires two things:
185 the lower level protocol (e.g., TCP) must support
186 reassembly. Often this reassembly can be enabled or disabled at will
187 via the protocol preferences.
192 the higher level protocol (e.g., HTTP) must use the
193 reassembly mechanism to reassemble fragmented protocol data. This too
194 can often be enabled or disabled via the protocol preferences.
200 As a result, if reassembly of protocol Y on top of protocol X
201 must be enabled, it is wise to take a look at the protocol preferences for
202 both protocols. Check whether protocol X allows subdissectors to
203 reassemble, and check whether protocol Y supports reassembly
207 For example: if you have HTTP on top of TCP, you have to enable the TCP
208 preference "Allow subdissectors to reassemble" and enable the HTTP
209 preference "Reassemble".
214 <section id="ChAdvNameResolutionSection"><title>Name Resolution</title>
216 Name resolution tries to resolve some of the address values to human
217 readable names. This conversion might fail. For example, the name might be
218 unknown. Some of the lookups are done with data from your local
219 machine, while others asking network services such as DNS.
222 XXX - add ipxnets name resolution explanation.
224 <note><title>Note!</title>
226 You might see packets to/from your machine in your capture file, which are
227 caused by name resolution network services (e.g. DNS packets).
230 <note><title>Note!</title>
232 The resolved names are not stored in the capture file or somewhere else,
233 so the resolved names might not be available if you open the capture file
234 later or on another machine.
238 The name resolution feature can be en-/disabled separately for the
239 following protocol layers:
241 <section><title>MAC Layer</title>
242 <para><command>ARP name resolution</command>
243 Convert an ethernet address to the corresponding IP address
244 (e.g. 00:09:5b:01:02:03 -> 192.168.0.1).
246 <para><command>Ethernet manufacturer codes</command>
247 If the ARP name resolution failed, Ethereal tries to convert the first 3
248 bytes of an ethernet address to an abbreviated manufacturer name, which
249 has been assigned by the IETF (e.g. 00:09:5b:01:02:03 -> Netgear_01:02:03).
252 <section><title>Network Layer</title>
253 <para><command>DNS name resolution</command>
254 Convert an IP address to the hostname associated with it
255 (e.g. 65.208.228.223 -> www.ethereal.com).
258 <title>Warning!</title>
260 Enabling network name resolution when your name server is
261 unavailable may significantly slow Ethereal while it waits
262 for all of the name server requests to time out. Use ADNS in that
267 <section><title>Transport Layer</title>
268 <para><command>TCP/UDP port conversion</command>
269 Convert a TCP or UDP port to its well known name (e.g. 80 -> http).
272 <section><title>ADNS</title>
274 As noted, DNS lookups can significantly slow down Ethereal and make it
275 appear frozen, which can be very annoying. To solve this, Ethereal can use
276 the ADNS library, which handles DNS calls asynchronously.
282 <!-- End of EUG Chapter Advanced -->