User's guide

(C) 2003 Airscanner Corp. http://www.airscanner.com
In this example, we will create a filter for AIM and Quake. Quake is a multiplayer game whose
mastery is an essential prerequisite for any competent security professional. However, if you are
a network administrator, you might desire a way to periodically monitor your network for Quake
packets to make sure no one has set up a rogue Quake server. To do this, perform the following
steps:
1. Click the Filter button.
2. Type Quake in the Filter Name textbox.
3. Click the Add Expression button.
4. Scroll through the list of options and select Quake in the Field Name column
and "is present" in the Relation column (see Figure 9.5).
5. Click Accept.
6. Click the New button to add the filter to the save list.
7. Click Save to store this filter permanently.
8. Click OK to use the filter.
This should process the captured data and display only those packets that include the
Quake protocol. If nothing appears on the screen, or no packets are detected, Quake is not being
used on the network. After you are finished with this filter, click the Reset button and Ethereal
will return all the captured data to the program windows.
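The same periodic check can be scripted against a saved capture file. The following is an added example, not part of the original guide or of Ethereal. It assumes Quake's default UDP port 26000 as the match criterion (the guide does not say how Ethereal recognizes Quake); the helper names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter
QUAKE_PORT = 26000  # assumption: Quake's default UDP server port

def build_pcap(packets):
    """Build a constructed classic-pcap capture (Ethernet/IPv4) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, proto, sport, dport in packets:
        if proto == 17:  # UDP header: ports, length, checksum
            l4 = struct.pack("!HHHH", sport, dport, 8, 0)
        else:            # bare 20-byte TCP SYN header
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 2, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, bytes(src), bytes(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def quake_servers(pcap):
    """Count UDP packets per host that owns the Quake port in the capture."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 4:
            continue  # not UDP, or ports cut off by the snap length
        if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
            continue  # later IP fragment: carries no UDP header
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if QUAKE_PORT in (sport, dport):
            server = frame[26:30] if sport == QUAKE_PORT else frame[30:34]
            hits[".".join(map(str, server))] += 1
    return hits

SAMPLE = build_pcap([  # constructed traffic, not a real capture
    ((10, 0, 0, 5), (10, 0, 0, 9), 17, 40000, 26000),  # client to Quake port
    ((10, 0, 0, 9), (10, 0, 0, 5), 17, 26000, 40000),  # server reply
    ((10, 0, 0, 5), (10, 0, 0, 1), 17, 40001, 53),     # DNS query, ignored
    ((10, 0, 0, 7), (10, 0, 0, 9), 6, 40002, 26000),   # TCP, ignored
])
if __name__ == "__main__":
    for host, count in quake_servers(SAMPLE).items():
        print(f"possible Quake server {host}: {count} packets")
```

A server moved to a non-default port will not match, so an empty result only rules out Quake on port 26000.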
3.2.4.4 The Follow TCP Stream Option
Ethereal comes with one outstanding feature that puts it at the top of our recommended list
of sniffer programs. Besides the fact that it is free, Ethereal will also reconstruct TCP streams
from the jumbled collection of data. To illustrate how useful this function is, we are going to
perform a short capture while using AIM. Thus we start Ethereal and set it to listen to the