BaurHome Software

• Home
• Eavesdrop
  • New Version
  • Release Notes
  • Screenshots
  • Documentation
    • Getting Started
    • Conversations
    • Global Graphs
    • External Captures
  • FAQ
• TiVo Butler
• Tool Kit Browser
• Index Dice
• Downloads

Staring a capture

When staring a packet (or network) capture, the place that the program listens for traffic is called the interface. For most people, all the traffic on their computer will use the same interface, but there are still multiple interfaces that Mac OS X keeps track of. Here are some typical examples:

• en0 - ethernet interface
• en1 - airport interface

Eavesdrop can only use the interfaces that start with "en" at this time.

Promiscuous mode can be used to capture packets from other machines on your local network. On many modern networks this does not work too well. Although hubs replicate traffic to all nodes, switches are more intelligent than that and will prevent traffic from being visible. The end result is that only traffic bound to and headed from your local computer will be visible.

If the interface is setup right, you can just click on "Start Capture", authenticate with an admin password, and then start seeing data. Once a capture is started, open up a network application (a web browser, for instance) to see what gets populated. Data will show up in near-realtime in Eavesdrop's window with some summary information about the conversation between the two computers.

Watching a capture

As the computers talk, new "conversations" may show up to represent a new connection. Web browsers, for example, will often connect to the same site more than once to allow for multiple things to be downloaded at the same time. As things show you, you may notice the flags changing, here is a quick summary of the meanings (using a telephone metaphor):

Flag	Abbr.	Name	Explaination
S	SYN	synchronize	this is "calling" the other side (or answering)
A	ACK	acknowledge	telling the other machine that you received the message(s)
P	PSH	push	more data is being sent over
F	FIN	finish	one side is done and wishes to hang up
R	RST	reset	one side slams the phone down without saying goodbye

Combinations of the above flags will appear, especially ACK with other things. There are a few other flags, but they appear very infrequently.

Different views
There are three main view available: Data, Divided and Unified. The only difference between them is the columns that appear in the capture window, they will not affect what gets captured. The arrows on the flags show which direction the last packet was sent.

At the bottom of the capture window are some overall statistics about the capture.

Changing settings

Some settings can be changed during the capture, others require the capture be restarted. The ones that take effect immediately are:

• Require SYN flag
• Remove after...
• Capture packet data
• Hide after...
• Select inserted items
• Table update...