Packet Analyzers


Packet analyzers are software or hardware devices that capture and analyze the data flowing through a network. They are also called sniffers, protocol analyzers, and network analyzers; the term sniffer became popular after the release of the commercial product Sniffer Pro. Most packet analyzers can filter, store, and analyze the captured data, and most network intrusion detection systems (NIDS) are packet analyzers at heart, watching for traffic patterns that are characteristic of network attacks. A packet analyzer captures whole frames at Layer 2 of the OSI model and then decodes the headers and payloads of the higher-layer protocols carried inside them. This gives networking professionals a cross-sectional view of the data flowing through the network in real time. The ability to slice and view the raw data on the wire is invaluable when troubleshooting, helps in learning how protocols and applications actually behave, and provides clear proof that the network and its components are operational.

Network auditing using packet analyzers is a two-step process, as follows:

Step 1.

Preparing the network for using packet analyzers

Step 2.

Using packet analyzers for network auditing

Preparing the Network

Packet analyzers function by capturing and analyzing all the data flowing through the wire. On a switched network this needs help: a switch forwards unicast frames only to the port that owns the destination MAC address, so a NIC in promiscuous mode on an ordinary access port sees just its own traffic plus broadcasts and floods. A packet analyzer therefore obtains a copy of the traffic through one of the following techniques:

  • Using a hardware wiretap. Hardware taps are expensive and require rewiring of the network segment to insert the tap inline.

  • Using port mirroring. A software-based tap uses the port-mirroring function built into Ethernet switches and, as such, requires no physical rewiring of the segment. Consequently, this method is less expensive, more flexible, and generally preferred over hardware taps.

Cisco Catalyst switches offer the port-mirroring function, which copies all traffic flowing through a source port to a mirror (destination) port. The process is transparent to the devices connected to the source port, while the mirror port receives an exact copy of the frames passing through the source port. By connecting the packet analyzer to the mirror port, every packet flowing through the source port becomes available for sniffing.

Port mirroring, also called port monitoring, is referred to as Switched Port Analyzer (SPAN) by Cisco. In addition to the ability to mirror a single source port, Cisco SPAN also allows mirroring of groups of ports or even an entire VLAN. For more information on the limitations and additional SPAN features available on a particular model of Catalyst switch, refer to the product documentation section of the Cisco website (cisco.com).

To configure SPAN on a Cisco Catalyst switch, you specify the source (a port, a group of ports, or a VLAN), the destination port, and whether to mirror traffic received on the source (rx), transmitted from it (tx), or both. You then physically connect the packet analyzer to the destination SPAN port so that it receives the mirrored traffic. Three caveats apply. First, by default the destination port does not forward frames it receives from the analyzer (shown as Incoming Packets: disabled in the CatOS output below, and controlled by the inpkts and ingress keywords), so the analyzer is receive-only unless you enable that deliberately; for a sniffer this is the safer configuration. Second, mirroring both directions of a busy full-duplex link onto a destination port of the same speed can exceed that port's capacity, and the switch silently drops the excess, so a SPAN capture is not guaranteed to be complete. Third, whoever plugs into the destination port sees every mirrored conversation, so treat SPAN ports as sensitive and remove the session when the audit is finished.

The following two sections cover the details involved in configuring SPAN ports on both CatOS- and IOS-based Cisco Catalyst switches.

SPAN for CatOS Switches

To configure a SPAN port on CatOS-based switches, use the privileged-mode commands listed in Table 7-3.

Table 7-3. SPAN Configuration CatOS

Configure the SPAN source and destination ports:
    set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]

Verify the SPAN configuration:
    show span

Disable SPAN:
    set span disable [dest_mod/dest_port | all]


Example 7-10 shows how to configure SPAN so that both transmit traffic and receive traffic from port 1/1 (the SPAN source) are mirrored on port 2/1 (the SPAN destination).

Example 7-10. SPAN Configuration CatOS
 Console> (enable) set span 1/1 2/1
 Destination     : Port 2/1
 Admin Source    : Port 1/1
 Oper Source     : Port 1/1
 Direction       : transmit/receive
 Incoming Packets: disabled
 Learning        : enabled
 Multicast       : enabled
 Filter          : -

SPAN for IOS Switches

To configure a local SPAN session for IOS-based Catalyst switches, use the global-configuration-mode commands listed in Table 7-4.

Table 7-4. SPAN Configuration IOS

Associate the local SPAN session number with the source:
    Router(config)# monitor session local_span_session_number source {{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]}

Associate the local SPAN session number with the destination ports:
    Router(config)# monitor session local_span_session_number destination {single_interface | interface_list | interface_range | mixed_interface_list}

Disable the SPAN configuration:
    Router(config)# no monitor session {session_number | all | local | range session_range [[,session_range],...]}

Display the SPAN information:
    Router# show monitor [session session_number]


Example 7-11 shows how to configure SPAN session 1 so that both transmit traffic and receive traffic from port 5/1 (the SPAN source) are mirrored on port 5/48 (the SPAN destination).

Example 7-11. SPAN Configuration IOS
 Router(config)# monitor session 1 source interface fastethernet 5/1
 Router(config)# monitor session 1 destination interface fastethernet 5/48

Using Packet Analyzers

The open source community enjoys a rich choice of versatile packet analyzers that range from general-purpose network analyzers, such as Tcpdump, to specialized password sniffers, like Dsniff. Table 7-5 provides a list of popular packet analyzers and their functions.

Table 7-5. Popular Packet Analyzers

Tcpdump
    Command-line based; provides an array of options for customizing filters and displays.
    Included with live CDs: Knoppix, Knoppix-STD, NST, F.I.R.E., Trinux

Ethereal
    GUI based; excellent array of filters for protocols; more than 680 protocols supported.
    Included with live CDs: Knoppix, Knoppix-STD, NST, F.I.R.E., Trinux

EtherApe
    Graphical network monitoring tool with a visual display of network nodes and traffic.
    Included with live CDs: Knoppix-STD, NST, F.I.R.E.

Ntop
    Web-based display of the current list of hosts and network usage by protocol, including TCP, UDP, ICMP, ARP, FTP, HTTP, DNS, Telnet, SMTP, POP, IMAP, and SNMP; excellent tool for creating web-based network reports complete with pie charts. Although Ntop is beyond the scope of this chapter, Netadmins are encouraged to try this tool.
    Included with live CDs: Knoppix-STD, NST, Trinux


Both Tcpdump and Ethereal are powerful tools capable of sniffing and analyzing network traffic. Both packet analyzers are under active development and enjoy communitywide support. The following sections cover these tools in more detail.

Tcpdump

Tcpdump is a general-purpose network analyzer capable of capturing and displaying network packets. Tcpdump prints the headers of packets seen on a network interface, provided that the packet matches the filter expression. Tcpdump needs root privileges (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities) to open the interface and put it into promiscuous mode. In promiscuous mode, the network interface card (NIC) accepts every frame it sees on the wire, even frames destined for other addresses. The syntax for running Tcpdump is as follows:

   tcpdump [options] [filter] 

Tcpdump is command-line based, making it ideal for remote use. Netadmins can quickly analyze network anomalies by looking at the raw data captured and filtered by Tcpdump. Tcpdump's greatest strength, its powerful command-line interface, also makes it difficult to work with. The online manual (which can be opened by using the man tcpdump command in Linux) is well written, but it can be overwhelming for new users. However, when mastered, Tcpdump is a great asset in a Netadmin's tool kit. Tcpdump options can be classified into the following three categories:

  • Input options

  • Display options

  • Filters

Table 7-6 provides a list of common options for controlling the input behavior of Tcpdump.

Table 7-6. Tcpdump Input Options

-c packet-count
    Stop after capturing the specified number of packets.

-F filename
    Read the filter expression from the named text file; an expression given on the command line is then ignored.

-i interface
    Listen on interface. If unspecified, Tcpdump picks the lowest-numbered configured interface that is up, excluding loopback.

-r filename
    Read packets from a file created with the -w option instead of from an interface.

-w filename
    Write the raw packets to a file (libpcap format) instead of decoding them; read the file later with the -r option.

-n
    Don't resolve IP addresses to host names (or port numbers to service names).

By default, Tcpdump output is displayed on the console. Even in a small network the output can be large and thus difficult to read on the screen. Table 7-7 provides a list of options for controlling Tcpdump output.

Table 7-7. Tcpdump Display Options

-e
    Display the Layer 2 header information (MAC addresses and EtherType) on each output line.

-S
    Display absolute rather than relative TCP sequence numbers.

-s packet-length
    Capture only the first packet-length bytes of each packet (the snapshot length). Older releases defaulted to 68 bytes (96 bytes in the release that produced Example 7-12), which is enough for the IP, ICMP, TCP, and UDP headers but truncates DNS or NFS payloads; tcpdump 4.0 and later default to capturing whole packets. Set the length explicitly when you need full payloads from an older release.

-t
    Don't display a timestamp on each dump line.

-tttt
    Display the date along with the timestamp.

-q
    Quick output: display less protocol information.

-v
    Display detailed information; specify -vv or -vvv for more details.

-x
    Display the packet in hexadecimal (HEX) format.

-X
    Display the packet in hexadecimal and ASCII formats; useful for analyzing new protocols.


The real strength of Tcpdump lies in its highly flexible filters, written in the Berkeley Packet Filter expression syntax documented in the tcpdump manual page (pcap-filter in newer releases); Ethereal uses the same syntax for its capture filters. A filter is given on the command line or read from a text file with the -F option; the file holds a single expression, which may be spread across several lines. Table 7-8 lists common keywords for Tcpdump filters.

Table 7-8. Tcpdump Filter Keywords

host hostname-or-ip-address
    Match packets from or to the specified host.

net address/length
net address mask mask
    Match packets from or to the specified network.

port port-number-or-name
    Match packets whose source or destination port equals the specified number (or service name, such as ssh).

src
    Restrict host, net, or port to the source side, for example src host 192.168.0.10.

dst
    Restrict host, net, or port to the destination side, for example dst port 80.

ether
    Match on the Ethernet (MAC) address, for example ether host or ether src.

ip
    Match IP packets.

arp
    Match ARP packets.

rarp
    Match RARP packets.

tcp
    Match TCP packets.

udp
    Match UDP packets.

not expression
    Negation; can also be written as !.

expression and expression
    Conjunction; can also be written as &&.

expression or expression
    Alternation; can also be written as ||.


Understanding Tcpdump Output

Because it is a CLI-based tool, Tcpdump lacks the advantage of easy-to-read GUI-based output. Nonetheless, Tcpdump developers have done a great job simplifying the display output. Example 7-12 shows the Tcpdump output. Without the -c option, Tcpdump continues to capture packets until the user presses Ctrl-C. After stopping, Tcpdump displays a summary of the packets captured, filtered, and dropped by the kernel.

Example 7-12. tcpdump Output
 root@ttyp1[knoppix]# tcpdump
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
 . . . # output suppressed for clarity
 09:40:31.114308 IP 192.168.0.10.www > 192.168.0.101.55411: S 2675891891:2675891891(0) ack 1652868034 win 4128 <mss 1460>
 09:40:31.114362 IP 192.168.0.101.55411 > 192.168.0.10.www: . ack 1 win 5840
 09:40:31.114464 IP 192.168.0.101.55411 > 192.168.0.10.www: P 1:426(425) ack 1 win 5840
 09:40:31.221797 IP 192.168.0.10.www > 192.168.0.101.55411: . 1:561(560) ack 426 win 3703

 55 packets captured
 55 packets received by filter
 0 packets dropped by kernel

Consider the first packet shown in Example 7-12, the server's SYN-ACK (flag S together with an ack field). Figure 7-9 explains each field. Comparing that line with the subsequent lines reveals an interesting property of Tcpdump: on packets carrying the SYN flag it prints the full 32-bit sequence and acknowledgment numbers, and once the connection is established it prints sequence and acknowledgment numbers relative to each side's initial sequence number, which makes the TCP conversation much easier to follow. The -S option restores absolute numbers throughout.

Figure 7-9. Explanation of Tcpdump Output Fields


Tcpdump Examples

Table 7-9 shows a list of common examples that illustrate the use of Tcpdump.

Table 7-9. Common tcpdump Examples

tcpdump host 192.168.0.10
    Display all packets with a source or destination IP address of 192.168.0.10.

tcpdump -i eth0
    Display all packets captured through the eth0 interface.

tcpdump not host 192.168.0.20
    Display all traffic except that with a source or destination address of 192.168.0.20.

tcpdump ip host 192.168.0.20 and not 192.168.0.1
    Display all IP packets between 192.168.0.20 and any host except 192.168.0.1.

tcpdump not port ssh
    Display all traffic except SSH traffic; useful when connected to the remote machine through SSH for monitoring, because otherwise the SSH session carrying the output would itself generate more output.

tcpdump udp
    Display UDP packets only.

tcpdump -c 5
    Display and capture the first 5 packets only.

tcpdump icmp
    Display all ICMP traffic.

tcpdump -w datacapture.txt
    Capture all the traffic and save it in raw (binary libpcap) format in the file datacapture.txt; useful for saving the output for later analysis. Despite the .txt name the file is binary, not readable text.

tcpdump -r datacapture.txt
    Display the traffic from the datacapture.txt file. You can add filters or options to control the output, for example, tcpdump -r datacapture.txt not host 192.168.0.10.

tcpdump ether src host 00:50:73:21:d0:67
    Display all the traffic with a source MAC address of 00:50:73:21:D0:67.

tcpdump -e net 192.168.22.0 mask 255.255.255.0
    Display the Layer 2 information for all packets in the 192.168.22.0/24 network.

tcpdump -n -q -c 25 -i eth0 port 80
    Display IP addresses instead of host names, show less detail, and capture the first 25 packets through interface eth0 with source or destination port 80.

tcpdump -q -i eth0 arp
    Display all ARP packets (requests and replies) captured through eth0; the -q option produces less detail.


Tcpdump can be used for the following tasks:

  • Scanning network activity caused by Trojan horses, viruses, and worms

  • Troubleshooting firewall, routing, and switching issues

  • Analyzing the existing network for capacity-planning purposes
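The first of these tasks, spotting worm or scanner activity, comes down to a pattern that is easy to recognize in Tcpdump output: one source sending bare SYNs (SYN without ACK) to many different destinations on the same port. The following Python script is an added example, not part of the book: it parses Tcpdump summary lines, in both the classic format used in this chapter and the Flags [S] format of tcpdump 4.x, and reports sources whose SYNs fanned out to at least a threshold number of hosts. The log lines in the script are constructed, not captured, and the script name syn_sweep.py used in the usage note is an assumption.

```python
"""Added example (not from the book): read tcpdump text output and flag hosts
whose bare SYNs fan out to many destinations, the trace a scanning worm or a
port scanner leaves behind.  SAMPLE_LINES are constructed, not captured."""
import re
from collections import defaultdict

# Classic format (this chapter):  "... > dst.port: S seq:seq(0) win N"
# tcpdump 4.x format:             "... > dst.port: Flags [S], seq N, win N, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\w.-]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): "
    r"(?:Flags \[(?P<nflags>[^\]]*)\]|(?P<cflags>[SFRP.]+))(?P<rest>.*)$")


def parse_line(line):
    """Return the endpoints and whether the line is a bare SYN; None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None                              # ICMP, ARP and other non-TCP lines
    flags = m.group("nflags") if m.group("nflags") is not None else m.group("cflags")
    # A SYN-ACK shows "ack" in the classic output and Flags [S.] in the new output,
    # so "S" with no " ack " in the remainder is a bare SYN.
    syn_only = flags == "S" and " ack " not in m.group("rest")
    return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "dport": m.group("dport"), "syn_only": syn_only}


def find_scanners(lines, min_targets=5):
    """Return {src: {"targets": distinct hosts, "ports": {dport: syn count}}} for every
    source whose bare SYNs reached at least min_targets distinct destination hosts."""
    targets = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(int))
    for line in lines:
        p = parse_line(line)
        if p and p["syn_only"]:
            targets[p["src"]].add(p["dst"])
            ports[p["src"]][p["dport"]] += 1
    return {src: {"targets": len(hosts), "ports": dict(ports[src])}
            for src, hosts in sorted(targets.items()) if len(hosts) >= min_targets}


SAMPLE_LINES = [
    # one legitimate web connection: client SYN, server SYN-ACK, client ACK (constructed)
    "09:40:31.114200 IP 192.168.0.101.55411 > 192.168.0.10.80: S 1652868033:1652868033(0) win 5840 <mss 1460>",
    "09:40:31.114308 IP 192.168.0.10.80 > 192.168.0.101.55411: S 2675891891:2675891891(0) ack 1652868034 win 4128 <mss 1460>",
    "09:40:31.114362 IP 192.168.0.101.55411 > 192.168.0.10.80: . ack 1 win 5840",
    # a line that is not TCP at all and must be ignored
    "09:40:32.000100 IP 192.168.0.77 > 192.168.0.9: ICMP echo request, id 1, seq 1, length 64",
] + [
    # one host sweeping the subnet on port 445, classic format (constructed)
    "09:40:33.%06d IP 192.168.0.77.%d > 192.168.0.%d.445: S %d:%d(0) win 16384 <mss 1460>"
    % (i * 1500, 1025 + i, i, 900000 + i, 900000 + i) for i in range(1, 7)
] + [
    # the same sweep continuing, as tcpdump 4.x prints it (constructed)
    "09:40:33.%06d IP 192.168.0.77.%d > 192.168.0.%d.445: Flags [S], seq %d, win 16384, length 0"
    % (i * 1500, 1025 + i, i, 900000 + i) for i in range(7, 9)
]


if __name__ == "__main__":
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin   # pipe tcpdump output in
    for src, info in find_scanners(source).items():
        print("%s: bare SYNs to %d hosts, ports %s" % (src, info["targets"], info["ports"]))
```

To run it against live traffic, pipe line-buffered Tcpdump into it and let the kernel do the first cut by filtering to bare SYNs: tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 syn_sweep.py. Adjust min_targets to the size of the network; a busy client that opens many connections to one server is not flagged, because the count is of distinct destination hosts rather than of connections.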

Tip

Cisco PIX Firewall version 6.2 and higher offers a packet capture feature similar to Tcpdump. Although limited in functionality, this feature can be handy when troubleshooting firewall issues.


Ethereal

Ethereal is a commercial-grade network analyzer with built-in support for more than 680 protocols. Ethereal is similar to Tcpdump but provides the following advantages:

  • Has an intuitive graphical user interface that eliminates the need to learn command-line options.

  • Can read and save capture files in the formats used by other packet analyzers, including Tcpdump (libpcap), Network Associates Sniffer Pro, Microsoft Network Monitor, and Novell LANalyzer.

  • Features an easy-to-read output format with split windows that offer drill-down options to slice through packet headers at various layers of the OSI model.

  • Has a GUI for easily creating filters, with the ability to mark and color-code certain packets.

  • Offers a Follow TCP Stream feature that re-creates the higher-layer data from raw packets by reassembling the entire TCP conversation. For unencrypted sessions such as FTP, SMTP, HTTP, and Telnet this yields the application data, credentials included, in readable ASCII.

  • Provides the ability to view captured packets and traffic I/O graphs in real time.

  • Offers multiple options to analyze the captured traffic and create statistical reports by protocol or by host.

  • Is also available for the Windows OS.

Ethereal should be started with root privileges to enable the network interface in promiscuous mode. To start Ethereal with root privileges in Knoppix CD, click K Menu > Internet > Ethereal (as root).

As shown in Figure 7-10, the Ethereal window is split into three panes. The top pane lists all the packets, and the middle pane provides the details of the packet selected in the upper pane. The bottom pane displays the byte-level data contained in the selected packet.

Figure 7-10. Ethereal Window


Note

When starting some applications, including Ethereal, the Knoppix CD might prompt you for a root password. As a security measure, Knoppix does not distribute the preset password for root and instead provides a manual way to reset the password. To set the root password in Knoppix, follow these steps:

1.

Open the root shell by clicking K-menu > KNOPPIX > Root Shell.

2.

In the root shell, set the root password using the following command:

 root@ttyp0[knoppix] passwd 


The steps involved in using Ethereal are as follows:

1.

Starting a capture session to collect packets

2.

Viewing the captured packets

3.

Filtering the output

4.

Saving the captured files

Starting a Capture Session to Collect Packets

To start capturing packets, choose Capture > Start from the Ethereal toolbar.

The Capture Options window (see Figure 7-11) provides various options that are largely self-explanatory. The Capture Filter field takes an expression in the same syntax as Tcpdump's filters and discards non-matching packets before they enter the capture buffer, unlike a display filter, which only hides packets that have already been captured. The Stop Capture section provides a means to limit the number of packets captured by count, size, or time. To begin capturing data, click the OK button in the Capture Options window. The Capture window, which shows a summary of captured packets, is displayed.

Figure 7-11. Ethereal Capture Options Window


Viewing the Captured Packets

Unless an option is selected in the Stop Capture section, Ethereal continues to capture packets while displaying a summary through the Capture window (see Figure 7-12). To view the captured packets, you must stop the capturing process by clicking the Stop button in the Capture window. After stopping the capturing process, Ethereal automatically displays all the captured packets.

Figure 7-12. Ethereal Capture Window


Note

Ethereal can display the packets in real time, as they are captured. To view packets in real time, you must choose the Update list of packets in real time option along with the Automatic scrolling in live capture option. Both of these options can be selected in the Display Options section of the Capture Options window.


Filtering the Output

As shown in Figure 7-13, Ethereal captures a large number of packets. In the upper pane, packet number 265 is highlighted. Ethereal has correctly identified the packet as a CDP packet. The middle pane shows the drilled-down packet details, such as the Device ID string contained in the CDP packet. The third pane shows the HEX and ASCII details; the string Router-Dallas is highlighted in both HEX and ASCII formats. This also illustrates why CDP is commonly disabled on user-facing ports: it advertises the device name, platform, and addressing in clear text to anyone sniffing the segment.

Figure 7-13. Ethereal Packet Details


Ethereal also provides a GUI based filter tool for viewing selective packets. To launch the filter GUI, click on the Expression button on the toolbar. Figure 7-14 shows the Filter GUI. This example illustrates a filter for selecting packets destined for IP address 192.168.0.20.

Figure 7-14. Ethereal Filter Expression


The resulting output is shown in Figure 7-15.

Figure 7-15. Ethereal Filtered Output


Saving the Captured Files

The captured files can be saved for future use in various formats. To save the files, choose File > Save As and choose the desired format from the File type drop-down menu.

Reassembling TCP Packets

TCP-based applications transfer data by breaking it into segments. The receiving host reassembles the segments in the correct order to re-create the original data. Ethereal can watch a TCP conversation and reassemble the data for display in ASCII format. This feature is useful for troubleshooting mail, web, or Telnet applications.

To re-create the TCP conversation, select and right-click one of the TCP packets in the upper pane. Select the Follow TCP Stream option (see Figure 7-16) to view the reassembled conversation. Figure 7-17 shows the reassembled Telnet session to the host 192.168.0.20. Because Telnet carries everything in clear text, the reassembled stream includes the login name and password exactly as the user typed them; anyone with access to a SPAN port or tap can recover them the same way, which is the practical argument for replacing Telnet with SSH.

Figure 7-16. Ethereal Follow TCP Stream


Figure 7-17. Ethereal Reassembled Packet


Note

Nmap, Ethereal, and Tcpdump are also available for the MS-Windows OS; the Windows port of Tcpdump is known as Windump. The URL for downloading each of the tools is listed in Table 7-10. The installation procedure is simple, and the usage is similar to the Linux counterpart, so Netadmins can use these versatile tools without leaving the familiarity of the Windows environment.


Table 7-10. Network Security Tools

Knoppix
    Function: Although it is not a security-specific tool, Knoppix is one of the best Debian-based live CD-ROMs with the largest collection of applications; it has excellent hardware-detection capabilities; it is under active development with frequently updated releases.
    Supported OS: Linux
    Home page: http://www.knoppix.net

Knoppix-STD (Security Tools Distribution)
    Function: Customized Knoppix CD-ROM with security and network-management tools.
    Supported OS: Linux
    Home page: http://www.knoppix-std.org/

Network Security Toolkit (NST)
    Function: Red Hat/Fedora-based live CD-ROM that contains the majority of the "Top 75 Security Tools" surveyed at http://www.insecure.org.
    Supported OS: Linux
    Home page: http://www.networksecuritytoolkit.org/

Trinux
    Function: Slackware-based live CD-ROM; small enough to run from a floppy disk; older and limited collection of tools; no GUI.
    Supported OS: Linux
    Home page: http://trinux.sourceforge.net/

F.I.R.E.
    Function: Good collection of tools; older and limited hardware detection compared to Knoppix and NST.
    Supported OS: Linux
    Home page: http://fire.dmzs.com

Nmap
    Function: Network scanner.
    Supported OS: Linux, Windows
    Home page: http://www.nmap.org

Netcat
    Function: Port scanner with the additional capability to read and write data across the network using any TCP/UDP port.
    Supported OS: Linux
    Home page: http://netcat.sourceforge.net/

Nessus
    Function: Powerful and popular vulnerability scanner.
    Supported OS: Linux
    Home page: http://www.nessus.org/

SARA
    Function: Vulnerability scanner based on the SATAN project.
    Supported OS: Linux, Windows
    Home page: http://www-arc.com/sara/

Tcpdump
    Function: CLI-based packet analyzer.
    Supported OS: Linux, Windows (Windows version is called Windump)
    Home page: http://www.tcpdump.org/ and http://windump.polito.it/

Ethereal
    Function: GUI-based packet analyzer.
    Supported OS: Linux, Windows
    Home page: http://www.ethereal.com/

EtherApe
    Function: Graphical network-monitoring tool with a visual display of network nodes and traffic; included with the Knoppix-STD, NST, and F.I.R.E. live Linux CD-ROMs.
    Supported OS: Linux
    Home page: http://etherape.sourceforge.net/

Ntop
    Function: Web-based tool for displaying the current list of hosts and network usage by protocol; included with the Knoppix-STD, NST, and Trinux live Linux CD-ROMs; excellent set of built-in reports for detailed statistical analysis of network traffic.
    Supported OS: Linux, Windows
    Home page: http://www.ntop.org




Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006
Pages: 106