Using Ethereal

Technical Paper

Presented by:

Ben Graham


Abstract

This paper shows how to use Ethereal.

Contacts

support@citect.com

What is Ethereal?

  • An open source network protocol analyser
  • Supports hundreds of protocols, including many industrial protocols
  • See http://www.ethereal.com/ for more information

When should I use Ethereal?

  • Areas where the internal CitectSCADA logging does not give us any clues
  • Driver logging helps you see what is happening in the driver – Ethereal can help you see what is happening on the wire
  • Trying to diagnose connection initialisation problems
  • Trying to evaluate network performance and bottlenecks
  • Problems with networks, firewalls and routing in web-based systems

How do I capture packets?

  • This is the first screen you see; select Capture → Interfaces…

  • A capture that has worked will give you a screen full of data something like the following…

  • To save the trace, select File → Save As…

Sample Capture Filters

  • Capture only traffic to or from IP address 172.18.5.4:
    • host 172.18.5.4
  • Capture only DNS (port 53) traffic:
    • port 53
  • Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
  • Capture everything except ARP and DNS traffic:
    • port not 53 and not arp
  • Capture only Ethernet type EAPOL:
    • ether proto 0x888e
  • Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:
    • ip
  • Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
    • not broadcast and not multicast

How do I filter and display packets?

  • Display Filter
    • Select which packets to display
    • Complex rules based on protocol information
  • Packet Selector
    • Sort by packet order, time, source, dest. etc…
  • Protocol Dissector
    • Tree view of protocol dissection
    • Lower layer protocols are towards the top
  • Packet Buffer
    • Shows the raw buffer data of the element selected in the protocol dissector

Sample Display Filters

  • Show only SMTP (port 25) and ICMP traffic:
    • tcp.port eq 25 or icmp
  • TCP buffer full – the source is instructing the destination to stop sending data:
    • tcp.window_size == 0 && tcp.flags.reset != 1
  • Filter on Windows – filter out noise while watching Windows client – DC exchanges:
    • smb || nbns || dcerpc || nbss || dns
  • Sasser worm – what Sasser really did:
    • ls_ads.opnum==0x09
  • Match packets containing the (arbitrary) 3-byte sequence 0x81, 0x60, 0x03 at the beginning of the UDP payload, skipping the 8-byte UDP header. Note that the values in the byte sequence are implicitly hexadecimal. (Useful for matching homegrown packet protocols.)
    • udp[8:3]==81:60:03

Common Port Numbers for CitectSCADA

  • CitectSCADA Remote CTAPI – TCP 2073
  • CitectSCADA Remote Cicode Debugger – TCP 2074
  • CitectSCADA Report Server – TCP 2075
  • CitectSCADA Alarm Server – TCP 2076
  • CitectSCADA Trend Server – TCP 2077
  • CitectSCADA I/O Server – TCP 2078
  • CitectSCADA IDC Server – TCP 2079
  • HTTP – TCP 80
  • FTP – TCP 20, 21
  • Modbus/TCP (MODNET) – TCP 502
  • Ethernet/IP (ControlLogix / ABCLX) – TCP 44818
  • DNP3 (DNPR) – TCP or UDP 20000
  • ISO-on-TCP (some Siemens devices) – TCP 102
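As an added example (not from the paper or from Ethereal itself), the following Python script applies three of the filters above to constructed frames: the zero-window display filter, the udp[8:3] byte-offset match, and a lookup against the CitectSCADA port table. The frame builder, the dict field names and the two sample IP addresses are my own assumptions, chosen to mirror Ethereal's field naming so the filter logic reads the same way.

```python
import struct
# Port table taken from the paper's "Common Port Numbers for CitectSCADA" list.
SERVICE_PORTS = {2073: "CitectSCADA Remote CTAPI", 2074: "CitectSCADA Remote Cicode Debugger",
                 2075: "CitectSCADA Report Server", 2076: "CitectSCADA Alarm Server",
                 2077: "CitectSCADA Trend Server", 2078: "CitectSCADA I/O Server",
                 2079: "CitectSCADA IDC Server", 502: "Modbus/TCP", 44818: "Ethernet/IP",
                 20000: "DNP3", 102: "ISO-on-TCP"}

def build_frame(proto, sport, dport, payload=b"", window=8192, rst=False):
    """Construct a minimal Ethernet II / IPv4 / TCP-or-UDP frame (constructed test input only)."""
    if proto == 6:   # TCP: data offset 5 words, ACK set, RST optional (bit 2 of the flags)
        flags = 0x10 | (0x04 if rst else 0)
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, window, 0, 0)
    else:            # UDP: length covers the 8-byte header plus payload, checksum left 0
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([172, 18, 5, 4]), bytes([172, 18, 5, 9]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload   # dst MAC, src MAC, EtherType IPv4

def dissect(frame):
    """Parse Ethernet/IPv4/TCP/UDP headers into a dict keyed by Ethereal-style field names."""
    if frame[12:14] != b"\x08\x00":
        return None                            # not IPv4 (ARP, STP, ...): the 'ip' filter drops it
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IP header length in bytes (20 without options)
    l4 = ip[ihl:]
    pkt = {"ip.proto": ip[9]}
    if ip[9] == 6:
        sport, dport, _, _, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.window_size": win,
                    "tcp.flags.reset": (off_flags >> 2) & 1})
    elif ip[9] == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp": l4})
    return pkt

def is_zero_window(pkt):
    """Same test as the display filter: tcp.window_size == 0 && tcp.flags.reset != 1"""
    return pkt.get("tcp.window_size") == 0 and pkt.get("tcp.flags.reset") != 1

def udp_payload_starts_with(pkt, prefix):
    """Same test as udp[8:3] == 81:60:03; offset 8 skips the UDP header."""
    return "udp" in pkt and pkt["udp"][8:8 + len(prefix)] == prefix

def service_name(pkt):
    """Name the service on either end of a TCP/UDP packet using the port table above."""
    ports = (pkt.get("tcp.srcport"), pkt.get("tcp.dstport"),
             pkt.get("udp.srcport"), pkt.get("udp.dstport"))
    return next((SERVICE_PORTS[p] for p in ports if p in SERVICE_PORTS), "unknown")
```

A zero-window packet from an I/O Server port (2078) that is not a reset is flagged, while the same packet with RST set is not, which is exactly the distinction the display filter makes.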

Disclaimer

Disclaimer of All Warranties 
SCHNEIDER ELECTRIC (AUSTRALIA) PTY LTD DISCLAIMS ANY AND ALL WARRANTIES WITH RESPECT TO SCHNEIDER ELECTRIC (AUSTRALIA) PTY LTD PRODUCTS AND THE RELATED DOCUMENTATION, WHETHER EXPRESS OR IMPLIED, INCLUDING SPECIFICALLY THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A GENERAL OR PARTICULAR PURPOSE. CITECTSCADA AND THE RELATED DOCUMENTATION ARE PROVIDED "AS IS," AND YOUR COMPANY UNDERSTANDS THAT IT ASSUMES ALL RISKS OF THEIR USE, QUALITY, AND PERFORMANCE.

Disclaimer of Liability 
YOUR COMPANY AGREES AND ACKNOWLEDGES THAT SCHNEIDER ELECTRIC (AUSTRALIA) PTY LTD SHALL HAVE NO LIABILITY WHATSOEVER TO YOUR COMPANY FOR ANY PROBLEMS IN OR CAUSED BY SCHNEIDER ELECTRIC (AUSTRALIA) PTY LTD PRODUCTS OR THE RELATED DOCUMENTATION, WHETHER DIRECT, INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL (INCLUDING LOSS OF PROFITS).
