Ethereal-users: [Ethereal-users] Re: Question on Ethereal capabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 24 Jun 2005 16:25:36 -0400
Ethereal does not yet have an explicit "Expert" mode.

Ethereal still supports many real "Expert" features which many other
products do not support though:

http://wiki.ethereal.com/TCP_20Analyze_20Sequence_20Numbers
plus
http://wiki.ethereal.com/TCP_20Retransmissions_20ColorFilter

will keep tracking the TCP sliding windows and mark all TCP segments
that are retransmissions in RED.

http://wiki.ethereal.com/TcpPduTime
which keeps track of start/stop TCP sequence numbers for many upper
layer protocols and tells you how long it took to transfer a specific
PDU across the network.

http://www.ethereal.com/docs/user-guide/ChStatSRT.html
ServiceResponseTime:
Let Ethereal measure the Max/Min and Average response time for various
protocols.
Note that by combining this with filters, you can create things such as:
"Show me the average service response time for when client:X is
accessing the specific file:Y on the NFS server."

As for using Ethereal as an IDS, I think that is a bad idea.
Ethereal is very stateful to allow it to do really advanced things
such as ServiceResponseTimes etc. above.
This also means that it will continuously allocate memory to maintain
state while capturing.
==> Ethereal is the wrong choice if you want something that will just
run and run and run.
On 6/24/05, Woeltje, Donald <dwoeltje@xxxxxxxxxxx> wrote:
> I have limited exposure to Ethereal (which I'm attempting to correct). I
> have some rudimentary questions.
>
> 1. Does Ethereal have an "expert mode" analysis capability... or
> is the user the "expert mode"?
>
> 2. Is Ethereal a protocol analyzer only? I've been told that it can also
> operate as an IDS. But I don't see how that's possible... unless you
> just have it capture everything and then you spend hours analyzing the
> traffic for potential security events.
>
> Don Woeltje
> Senior Information Security Analyst
> CISSP, MCSE, CNE, CCNA, CNX, DCVE, 3Com 3Wizard
> Location 2G-420, Carlson Technology Center
> 1405 Xenium, Minneapolis, MN
> Work Ph# 1-763-212-2684
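The two analyses Ronnie points at, tracking TCP sequence numbers to flag retransmitted segments and measuring service response time over request/reply pairs with a filter such as "client X accessing file Y", are small enough to show in code. The block below is an added illustration written for this archive page; it is not Ethereal's code and does not read capture files. The segment and RPC records, the `Segment`/`RpcMessage` types, the relative (non-wrapping) sequence numbers and the NFS-style `xid` matching are all constructed assumptions.

```python
"""Constructed illustration of two stateful analyses a protocol analyzer
performs: flagging TCP retransmissions from per-direction sequence state,
and computing service response time statistics under a filter.
All sample data here is constructed, not taken from a real capture."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Segment:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    seq: int         # relative sequence number of the first payload byte
    length: int      # payload bytes (0 for a pure ACK)


def classify_segments(segments: List[Segment]) -> List[Tuple[Segment, str]]:
    """Label each segment 'ok' or 'retransmission'.

    The state kept per (src, dst) direction is the highest seq+len seen so
    far. A data-carrying segment whose whole byte range lies at or below
    that mark was already captured once, so it is a retransmission (the
    case a retransmission colour filter would paint red). Sequence number
    wraparound is ignored: relative numbers are assumed.
    """
    highest_end: Dict[Tuple[str, str], int] = {}
    labelled: List[Tuple[Segment, str]] = []
    for s in segments:
        key = (s.src, s.dst)
        end = s.seq + s.length
        seen_up_to = highest_end.get(key)
        if s.length > 0 and seen_up_to is not None and end <= seen_up_to:
            labelled.append((s, "retransmission"))
            continue
        if seen_up_to is None or end > seen_up_to:
            highest_end[key] = end
        labelled.append((s, "ok"))
    return labelled


@dataclass
class RpcMessage:
    ts: float
    client: str
    xid: int                     # transaction id linking request and reply
    is_reply: bool
    path: Optional[str] = None   # file named in the request; None on replies


def service_response_times(
    messages: List[RpcMessage],
    keep: Callable[[RpcMessage], bool] = lambda req: True,
) -> Optional[Dict[str, float]]:
    """Min/max/average reply latency over pairs matched by (client, xid).

    `keep` is evaluated on the request, which is how a display filter
    narrows the statistic to one client or one file. A retried request
    keeps its first timestamp; unanswered requests are dropped.
    """
    pending: Dict[Tuple[str, int], RpcMessage] = {}
    rtts: List[float] = []
    for m in sorted(messages, key=lambda m: m.ts):
        key = (m.client, m.xid)
        if not m.is_reply:
            pending.setdefault(key, m)
            continue
        req = pending.pop(key, None)
        if req is not None and keep(req):
            rtts.append(m.ts - req.ts)
    if not rtts:
        return None
    return {"count": len(rtts), "min": min(rtts), "max": max(rtts),
            "avg": sum(rtts) / len(rtts)}


def client_file_filter(client: str, path: str) -> Callable[[RpcMessage], bool]:
    """Build the 'client X accessing file Y' predicate for the SRT statistic."""
    return lambda req: req.client == client and req.path == path


# Constructed one-directional data stream with two resent segments.
SEGMENTS = [
    Segment(0.000, "10.0.0.1", "10.0.0.2", seq=1, length=100),
    Segment(0.010, "10.0.0.1", "10.0.0.2", seq=101, length=100),
    Segment(0.020, "10.0.0.1", "10.0.0.2", seq=201, length=100),
    Segment(0.230, "10.0.0.1", "10.0.0.2", seq=101, length=100),  # resent
    Segment(0.240, "10.0.0.1", "10.0.0.2", seq=301, length=50),
    Segment(0.250, "10.0.0.2", "10.0.0.1", seq=1, length=0),      # pure ACK
    Segment(0.260, "10.0.0.1", "10.0.0.2", seq=301, length=50),   # resent
]

# Constructed NFS-style request/reply records; xid 8 is never answered.
RPC = [
    RpcMessage(1.000, "clientA", 1, False, "/export/db.img"),
    RpcMessage(1.004, "clientA", 1, True),
    RpcMessage(1.010, "clientB", 7, False, "/export/db.img"),
    RpcMessage(1.020, "clientB", 7, True),
    RpcMessage(1.030, "clientA", 2, False, "/export/logs/app.log"),
    RpcMessage(1.050, "clientA", 2, True),
    RpcMessage(1.060, "clientA", 3, False, "/export/db.img"),
    RpcMessage(1.068, "clientA", 3, True),
    RpcMessage(1.070, "clientB", 8, False, "/export/db.img"),
]

if __name__ == "__main__":
    for seg, label in classify_segments(SEGMENTS):
        print(f"{seg.ts:.3f} {seg.src}->{seg.dst} seq={seg.seq} len={seg.length} {label}")
    print("all requests:", service_response_times(RPC))
    print("clientA on /export/db.img:",
          service_response_times(RPC, client_file_filter("clientA", "/export/db.img")))
```

Both functions illustrate Ronnie's point about memory: `highest_end` and `pending` grow with the number of streams and outstanding transactions and are never expired, which is exactly the behaviour that makes a tool like this unsuitable for running indefinitely as a sensor.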