Ethereal 1.0 Looms

Thanks to Anthony Spina for pointing out that Ethereal 0.99 was released yesterday. Jumping from 0.10.14 in late December to 0.99 now indicates to me that 1.0 will finally appear any day now.

The release notes mention a new tool -- dumpcap. Dumpcap is a pure packet capture application, unlike Tcpdump or Tethereal. Those two programs are also protocol analyzers, and at least in the case of Tethereal that means larger memory footprints. I tried the Windows version of Dumpcap.

First, let's see the options Dumpcap offers, and start it.



Notice that Dumpcap is a simple capture application, but it also supports the ring buffer support I love in Tethereal. Nice work.

Here is Dumpcap's memory allocation on Windows during the preceeding capture.



Here are Tethereal's options.



I start Tethereal using syntax similar to Dumpcap. Note Tethereal supports disabling name resolution with -n, while Dumpcap offers no name resolution options.

tethereal -n -i 3 -c 10 -w d:\tmp\tethereal1.lpc

Here is Tethereal's memory allocation on Windows during the preceeding capture.



As you can see, Tethereal's memory footprint is five times that of Dumpcap.

I look forward to trying Dumpcap on FreeBSD.

Comments

Anonymous said…
Does this mean that dumpcap does name resolution and you can't disable it, or that it just doesn't do it in the first place? I'd rather it be the second, as to me name resolution is a post-capture processing step anyway.

I've read elsewhere that this version fixes 28 vulnerabilities in Ethereal and it's dissectors, which include code execution.

- Chris
Hi Chris,

It seems Dumpcap does not resolve IPs. There is really no need for it to, since that information isn't needed anywhere.
Anonymous said…
Does dumpcap do privsep? This was the main reason ethereal/tethereal was removed from the OpenBSD ports tree. Running daemons as root is 'old school'.
I doubt it, but I haven't run it on Unix yet.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4