This should process the data captured and parse out only those packets that include
the Quake protocol. If nothing appears in the screen, or no packets are detected, Quake is
not being
used on the network. After you are finished with this filter, click the Reset button and
Ethereal will return all the captured data to the program windows.
3.2.4.4 The Follow TCP Stream Option
Ethereal comes with one outstanding feature that puts it at the top of our
recommended list of sniffer programs. Besides the fact that it is free, Ethereal will also
reconstruct TCP streams from the jumbled collection of data. To illustrate how useful this
function is, we are going to perform a short capture while using AIM. Thus we start
Ethereal and set it to listen to the network. To facilitate this example, we simply sent
messages to our own chat client. After a few sentences, we stop the capture and let
Ethereal load the data into the packet display windows. At this point, we have a great deal
of commingled data. How can we sort through this data to find our chat session?
We could set up a filter; however, this would still leave us with numerous packets
that we would have to piece together. Because of this, we are going to use the TCP
stream-following feature incorporated into Ethereal. This feature alone distinguishes
Ethereal from the many others available; in addition, Ethereal is free. To use this, we
need to find a packet using the AIM protocol and right-click on it. This will bring up a
menu, which contains Follow TCP Stream as the first option. We click on this, and after a
few seconds (or minutes, depending on the computer speed and the amount of data) we
get a window similar to Figure 9.6. Now we have our complete chat session available to
read through. If a hacker or network administrator were using this program while you
were chatting with a friend, she too would be able to see the entire conversation.
