Ethereal Integration

 < Day Day Up > 



The rest of this chapter outlines the procedures that you use to import and export files between Ethereal and various compatible products. We have included a variety of examples from open source programs, a few operating systems utilities, and two commercial packages. Specifically, this section covers Tethereal, TCPDump, WinDump, Snort, Snoop, Microsoft Network Monitor, EtherPeek, NAI’s Netasyst, and HP-UX’s nettl.

Tethereal

Tethereal (also discussed in chapters 5 and 6) is the command line version of Ethereal. It can be used to capture live packets from the wire or to read saved capture files. Tethereal and Ethereal both use the same capture library, libpcap, as well as most of the same code, and so exchanging files between the two is the simplest method of integration.

Tethereal will display packets on the screen in summary line form by default. These are the same lines that are displayed in the Ethereal summary pane. However, it does not print the frame number field when capturing and displaying in real time. The –V option can be used to print detailed information about the packets instead of just a summary. Tethereal can also read saved data capture files, and print the information in either summary (default) or detailed form (–V). This method will display the frame numbers with the saved packets. Finally, the –x command will cause Tethereal to print a hexadecimal and ASCII dump of the packet data with either the summary line or detailed protocol tree. Tethereal has a very strong filter language, called a display filter, and can also use the TCPDump capture filter syntax as well. These can be used to narrow down the type of traffic that you are looking to capture.

When using Tethereal to write a capture to a file, the file will be written in libpcap format by default. It will write all of the packets and all of the detail about the packets to the output file, thus the –V and the –x options aren’t necessary. Since Tethereal and Ethereal are compatible with many other sniffers, you can write the output in several different formats. The –F option can be used to specify a format to write the file to.

The following information is the usage output for the Tethereal application. Notice the various formats that the capture can be saved as with the –F option:

[root@localhost ethereal-0.10.0a]# tethereal -h This is GNU tethereal 0.10.0a Compiled with GLib 2.2.1, with libpcap 0.7.2, with libz 1.1.4, with libpcre 4.5,with Net-SNMP 5.0.9, with ADNS. Running with libpcap (version unknown) on Linux 2.4.20-6 tethereal [ -vh ] [ -DlLnpqSVx ] [ -a <capture autostop condition> ] ...         [ -b <number of ring buffer files>[:<duration>] ] [ -c <count> ]         [ -d <layer_type>==<selector>,<decode_as_protocol> ] ...         [ -f <capture filter> ] [ -F <output file type> ] [ -i <interface> ]         [ -N <resolving> ] [ -o <preference setting> ] ... [ -r <infile> ]         [ -R <read filter> ] [ -s <snaplen> ] [ -t <time stamp format> ]         [ -T pdml|ps|text ] [ -w <savefile> ] [ -y <link type> ]         [ -z <statistics string> ] Valid file type arguments to the "-F" flag:         libpcap - libpcap (tcpdump, Ethereal, etc.)         rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)         suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)         modlibpcap - modified libpcap (tcpdump)         nokialibpcap - Nokia libpcap (tcpdump)         lanalyzer - Novell LANalyzer         ngsniffer - Network Associates Sniffer (DOS-based)         snoop - Sun snoop         netmon1 - Microsoft Network Monitor 1.x         netmon2 - Microsoft Network Monitor 2.x         ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1         ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x         visual - Visual Networks traffic capture         5views - Accellent 5Views capture         niobserverv9 - Network Instruments Observer version 9         default is libpcap

Tethereal is covered in more detail in Chapter 6; however, the following command line options are used in our examples:

  • –a test:value This option is used when capturing to a file, to specify to Tethereal when to stop writing to the file. The criterion is in the form of test:value, where test is either duration or filesize. Duration will stop writing to a file when the value of seconds have elapsed, and filesize will stop writing to a file after a size of value kilobytes have been reached.

  • –F type This option is used to set the format of the output of the capture file.

  • i interface This option will specify the interface that you want to use to capture data. The –D option can be used to find out what your network interfaces are.

  • q This option allows you to turn off the packet count when capturing network packets to a file. The count will still be displayed at the end of the capture.

  • –r file This option will read and process a saved capture file.

  • R filter This option causes a read filter to be applied before displaying or writing the packets to a file.

  • S This option will still decode and display the packets even when writing to a file.

  • –w file This option will write the packet to the file name specified following the option.

Capturing and Saving Data With Tethereal

The following examples show you how to capture and save traffic with Tethereal using various options and filter. The output can then be opened and analyzed with Ethereal.

This example captures packets on interface 1 and logs all HyperText Transfer Protocol (HTTP) packets to a file called capture_http. Notice the counter counts 46 packets before exiting with Ctrl + C.

[root@localhost root]# tethereal –i 1 -w capture_http -R http Capturing on eth0 46

This example captures packets and logs all packets except those going to Internet Protocol (IP) destination address 192.168.129.201 to a file called capture_filter.

[root@localhost root]# tethereal -w capture_filter -R "ip.dst ne 192.168.129.201" Capturing on eth0 14 

The next example captures all packets for a duration of 60 seconds and logs the output to a file called capture_duration. It also uses the –q option to keep the packet count from displaying on the screen while the capture is taking place, however, the total count is displayed once the capture is complete.

[root@localhost root]# tethereal -q -w capture_duration -a duration:60 Capturing on eth0 17 packets captured

Finally, we wanted to show an example of how Tethereal can capture packets and output them to a file of a different format. We used the –F option to output the capture to Snoop format. The Snoop capture utility will be described in detail later in this chapter. We also used the –S option to display the packets on the screen while the capture is also being written to a file.

[root@localhost root]# tethereal -S -w capture_snoop -F snoop Capturing on eth0   0.000000  192.168.1.1 -> 192.168.1.2  ICMP Echo (ping) request   0.000246  192.168.1.2 -> 192.168.1.1  ICMP Echo (ping) reply   0.994147  192.168.1.1 -> 192.168.1.2  ICMP Echo (ping) request   1.003309  192.168.1.2 -> 192.168.1.1  ICMP Echo (ping) reply   2.004822  192.168.1.1 -> 192.168.1.2  ICMP Echo (ping) request   2.005064  192.168.1.2 -> 192.168.1.1  ICMP Echo (ping) reply   3.003506  192.168.1.1 -> 192.168.1.2  ICMP Echo (ping) request   3.003758  192.168.1.2 -> 192.168.1.1  ICMP Echo (ping) reply   4.993195  192.168.1.2 -> Intel_8b:e6:e2 ARP Who has 192.168.1.1?  Tell 192.168.1.2   4.993688  192.168.1.1 -> 192.168.1.2  ARP 192.168.1.1 is at 00:03:47:8b:e6:e2

Now that we have the output saved to capture files, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read the Snoop format file that we saved! Figure 7.4 shows the Ethereal output of the tethereal capture_snoop file.

click to expand
Figure 7.4: Ethereal Display of Tethereal Capture

Reading Ethereal Files With Tethereal

Tethereal can read and process all of the same types of files that Ethereal reads. This means you can capture files with Ethereal or another supported network analyzers, and then read them with Tethereal. Let’s provide an example of saving captured data with Ethereal and reading it with Tethereal. Once you have captured your data with Ethereal, access the File | Save As menu item. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to libpcap (tcpdump, Ethereal, etc.). Type in a file name under Selection and click OK. If preferred, you could choose any of the file types listed, as Tethereal will automatically read and process them all!

The following example uses Tethereal to read a file that we saved with Ethereal, called ethereal_capture. The file will be processed and the output will be displayed on the screen in summary line form. You can also use the –V option for more detailed information.

C:\Program Files\Ethereal>tethereal -r ethereal_capture   1   0.000000 192.168.100.132 -> 192.168.129.201 TCP 1673 > 4243 [SYN] Seq=3548821018 Ack=0 Win=16384 Len=0   2   0.000261 192.168.100.132 -> 192.168.129.201 TCP 1673 > 4243 [SYN] Seq=3548821018 Ack=0 Win=16384 Len=0   3   2.058006 192.168.100.132 -> 192.168.129.201 TCP 1674 > 4243 [SYN] Seq=3551633783 Ack=0 Win=16384 Len=0   4   2.058269 192.168.100.132 -> 192.168.129.201 TCP 1674 > 4243 [SYN] Seq=3551633783 Ack=0 Win=16384 Len=0

TCPDump

TCPDump is the oldest and most commonly used network sniffer. It is command line-based and runs on UNIX-based systems. It was developed by the Network Research Group (NRG) of the Information and Computing Sciences Division (ICSD) at Lawrence Berkeley National Laboratory (LBNL) and is now being actively developed and maintained at www.tcpdump.org.

TCPDump can be used to read live packets from the wire, or to read previously saved packet captures. Ethereal uses the same packet capture library as TCPDump, libpcap. It also uses a very extensive filter language. Ethereal uses this same filter language for its capture filters. When it is finished capturing data it will display the packets received and packets dropped. The detail and length of the TCPDump output can be controlled by various options including –q, –v, –vv, –vvv, and –X. When capturing to a file, however, all of the packet detail is logged.

Note 

To run TCPDump you must have root privileges or it must be installed setuid to root.

The following information is the usage output for the TCPDump program:

[root@localhost root]# tcpdump -h tcpdump version 3.7.2 libpcap version 0.7.2 Usage: tcpdump [-adeflnNOpqRStuvxX] [ -c count ] [ -C file_size ]                 [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ]                 [ -T type ] [ -U user ] [ -w file ] [ -E algo:secret ]                  [ expression ] 

Particularly interesting command line options include the following:

  • –C file_size This option is used when writing output to a file. It will create a new file when the associated parameter file_size (in MB) is reached.

  • –i interface This option lets you choose which interface to use to capture packets.

  • –n This option stops Domain Name System (DNS) lookups. This can make the sniffer more efficient and stealthy.

  • –q This option makes the output shorter by printing less protocol information.

  • –r file This option will allow you to process a previously saved libpcap capture file.

  • –s snaplen This option is the snaplen, the number of bytes of data from each packet that will be captured. The default is 68, so you will want to set this to something larger to get the whole packet, either 65535 or 0, which means capture the whole packet.

  • –v This option prints more verbose output.

  • –vv This option prints even more verbose output.

  • –vvv This option prints the most verbose output.

  • –w file This option writes packets to a file instead of the displaying them on the screen.

  • –X This option will print the packet hexadecimal and ASCII data.

Capturing and Saving Data With TCPDump

The following examples show you how to capture and save traffic with TCPDump using various options and filters; the output can then be opened and analyzed with Ethereal.

This example captures all packets in their entirety by using the snaplen=0 option and logs the output to a file called capture_all.

[root@localhost root]# tcpdump -s 0 -w capture_all tcpdump: listening on eth0 16 packets received by filter 0 packets dropped by kernel 

This example captures all Internet Control Message Protocol (ICMP) packets in their entirety and logs the output to a file called icmp_capture. Notice that the icmp parameter has to be escaped with either the “\” or the “\\” because it is also considered a reserved keyword. In the capture filter language, if you use icmp as a value for “proto”, it must be escaped with a slash. If you are typing such a filter on the UNIX command line, the backslash is special for UNIX shells, so the backslash must be escaped with another backslash.

[root@localhost root]# tcpdump -s 0 -w icmp_capture ip proto \\icmp tcpdump: listening on eth0 8 packets received by filter 0 packets dropped by kernel

This example captures all packets in their entirety for destination IP 192.168.1.1 going to and from Transmission Control Protocol (TCP) port 21 and logs the output to a file called ftp_capture. When you are using more than one parameter for comparison they need to be enclosed in single or double quotes. This is because the && and || parameters also have meaning in the UNIX shell. If you just type tcpdump –s 0 –w ftp_capture dst host 192.168.1.1 && tcp port 21 the UNIX shell will interpret the && for its own purposes and run only tcpdump –s 0 –w ftp_capture dst host 192.168.1.1. Then if the tcpdump process exits with a zero return value (successful), the UNIX shell will attempt to run tcp port 21, but there is no “tcp” program, so it will fail. Using quotes keeps the UNIX shell from interpreting the && and || for its own purposes.

[root@localhost root]# tcpdump -s 0 -w ftp_capture 'dst host 192.168.1.1 && tcp port 21' tcpdump: listening on eth0 15 packets received by filter 0 packets dropped by kernel

This example specifies the capture filter via a different type of format. It is using the byte-offset method and compares the byte to a value. This example is capturing all packets in their entirety where the 9th-byte offset is equal to 6 and logging the output to a file called tcp_capture. This means it is capturing all TCP packets, because the 9th-byte offset represents the protocol and 6 is the decimal value for TCP.

[root@localhost root]# tcpdump -vvv -X -s 0 -w tcp_capture ip[9]=6 tcpdump: listening on eth0 3207 packets received by filter 284 packets dropped by kernel

Now that we have our output saved to capture files, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it! Figure 7.5 shows the Ethereal output of the TCPDump tcp_capture file. This is a port scanning attempt; notice the scanner is using a static source port of 58173.

Reading Ethereal Files With TCPDump

TCPDump can also read and process libpcap-formatted capture files. This means you can capture files with Ethereal and then read them with TCPDump. Let’s provide an example of saving captured data with Ethereal and reading it with TCPDump. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to libpcap (tcpdump, Ethereal, etc.). Type in a file name under Selection and click OK.

The following example uses TCPDump to read a file that we saved with Ethereal, called ethereal_capture. The file will be processed and the output will be displayed on screen. You can use the other options discussed earlier to make the output more verbose.

click to expand
Figure 7.5: Ethereal Display of TCPDump Capture

 [root@localhost root]# tcpdump -r ethereal_capture 20:49:45.461642 192.168.1.1 > 192.168.1.2: icmp: echo request 20:49:45.461833 192.168.1.2 > 192.168.1.1: icmp: echo reply 20:49:46.461055 192.168.1.1 > 192.168.1.2: icmp: echo request 20:49:46.461289 192.168.1.2 > 192.168.1.1: icmp: echo reply 20:49:47.461110 192.168.1.1 > 192.168.1.2: icmp: echo request 20:49:47.461346 192.168.1.2 > 192.168.1.1: icmp: echo reply 20:49:48.461224 192.168.1.1 > 192.168.1.2: icmp: echo request 20:49:48.461455 192.168.1.2 > 192.168.1.1: icmp: echo reply

WinDump

WinDump is the Windows version of TCPDump. It uses the WinPcap library, which is the Windows version of libpcap. It is actively maintained at http://windump.polito.it. WinDump can be used to read live packets from the wire, or to read previously saved packet captures. It has all of the same features and capabilities as TCPDump. It also uses the same extensive filter language as TCPDump. For the examples in this section we are using WinDump version 3.8 Alpha, which is the most recent version at the time of this writing. We are also using WinPcap version 3.0 alpha.

The following information is the usage output for the WinDump program:

C:\>windump -h windump version current-cvs.tcpdump.org, based on tcpdump version current-cvs.tcpdump.org WinPcap version 3.0 alpha, based on libpcap version current-cvs.tcpdump.org Usage: windump [-aAdDeflnNOpqRStuvxX] [-B size] [-c count] [ -C file_size ]                 [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ]                 [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]

The only options that are different from the TCPDump options are the following two additions:

  • –B size This option sets the driver’s buffer size in Kilobytes. This will help reduce packet loss and increase performance.

  • –D This option will display a list of available interface cards on the system.

Capturing and Saving Data With WinDump

The examples provided in the TCPDump section can also be applied here. The following examples show you how to capture and save traffic with WinDump using various options and filters. The output can then be opened and analyzed with Ethereal.

This example shows the use and output of the –D option for you to see the different network cards available on your computer:

C:\>windump -D 1.\Device\NPF_NdisWanIp (NDISWANIP NdisWan Adapter) 2.\Device\NPF_NdisWanIpx (NdisWan Adapter) 3.\Device\NPF_NdisWanBh (NdisWan Adapter) 4.\Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F} (PRISM10 D-LINK Air WIRELESS ADAPTER) 5.\Device\NPF_{13698EE2-3DC8-45B1-A300-1B70CEADBE62} (Intel(R) PRO Adapter)

This example captures all packets in their entirety by using the snaplen=0 option and logs the output to a file called capture1.

C:\>windump -i 4 –s 0 -w capture1 windump: listening on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F} 28 packets received by filter 0 packets dropped by kernel

This example captures all packets that have only the TCP SYN flag set and logs the output to a file called capture2. It uses the byte-offset method and compares it to a value. The value of 2 in the 13th-byte offset means that the SYN flag is set. If you want to capture packets that have their SYN flag and another flag set, you would need to use tcp[13] & 2 == 2.

C:\>windump -i 4 –s 0 -w capture2 tcp[13]==2 windump: listening on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F} 58 packets received by filter 0 packets dropped by kernel

Now that we have our output saved to a capture file, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open.

Browse to the location of the capture file and select it, then click OK. Figure 7.6 displays the Ethereal output of the WinDump capture2 file. Notice that the source port is steadily increasing, but the destination port stays the same. This is actually personal digital assistant (PDA) software searching for a PDA device.

click to expand
Figure 7.6: Ethereal Display of WinDump Capture

Reading Ethereal Files With WinDump

WinDump can also read and process libpcap formatted capture files. This means you can capture files with Ethereal and then read them with WinDump. Let’s provide an example of saving captured data with Ethereal and reading it with WinDump. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to libpcap (tcpdump, Ethereal, etc.). Type in a file name under Selection and click OK.

The following example uses WinDump to read a file that we saved with Ethereal, called ethereal_capture. The file will be processed and the output will be displayed on the screen. You can use the other options discussed earlier to make the output more verbose.

C:\>windump -r ethereal_capture 10:31:50.084831 arp who-has 192.168.1.2 tell 192.168.1.1 10:31:50.085184 arp reply 192.168.1.2 is-at 0:2:b3:6:5f:5a 10:31:50.085195 IP 192.168.1.1 > 192.168.1.2: icmp 40: echo request seq 256 10:31:50.087034 IP 192.168.1.2 > 192.168.1.1: icmp 40: echo reply seq 256 10:31:51.077790 IP 192.168.1.1 > 192.168.1.2: icmp 40: echo request seq 512 10:31:51.078193 IP 192.168.1.2 > 192.168.1.1: icmp 40: echo reply seq 512 10:31:52.079235 IP 192.168.1.1 > 192.168.1.2: icmp 40: echo request seq 768 10:31:52.079438 IP 192.168.1.2 > 192.168.1.1: icmp 40: echo reply seq 768 10:31:53.080678 IP 192.168.1.1 > 192.168.1.2: icmp 40: echo request seq 1024 10:31:53.080841 IP 192.168.1.2 > 192.168.1.1: icmp 40: echo reply seq 1024 10:31:55.085369 arp who-has 192.168.1.1 tell 192.168.1.2 10:31:55.085397 arp reply 192.168.1.1 is-at 0:3:47:8b:e6:e2

Snort

Snort is a free, open-source network intrusion detection system (NIDS). It will compare observed network traffic to a predefined set of rules and make a decision about what to do, such as alerting, when a rule is matched. Snort has the capability of running in one of three main modes: sniffer, packet logger, and network intrusion detection engine. Sniffer mode reads the packets from the network and displays them to the screen or logs them to a single file. Packet logger mode logs the packets in a categorized system to the disk. The NIDS mode matches traffic against the rule set and performs an action based upon what it sees. When Snort operates in sniffer mode and logs the capture data to a single file, this file is in binary format. It uses the same libpcap format as TCPDump. This makes packet collection much faster because Snort doesn’t need to translate the data to human-readable format.

We will be looking at some of the packet sniffer options of Snort; however, only two options are needed to log capture data to a file: the log file option -L and the binary option -b. You will specify the name of the log file to create, and Snort appends a timestamp to the end of the specified filename. Since Snort uses libpcap, it can also use all of the filtering syntax of TCPDump. Therefore the filter examples we gave for TCPDump and WinDump can be applied here as well.

The following information is the usage output for the Snort program:

C:\Snort\bin>snort -*> Snort! <*- Version 2.0.2-ODBC-MySQL-WIN32 (Build 92) By Martin Roesch (roesch@sourcefire.com, www.snort.org) 1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike) 1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com) USAGE: snort [-options] <filter options>        snort /SERVICE /INSTALL [-options] <filter options>        snort /SERVICE /UNINSTALL        snort /SERVICE /SHOW Options:         -A          Set alert mode: fast, full, console, or none  (alert file alerts only)         -b         Log packets in tcpdump format (much faster!)         -c <rules> Use Rules File <rules>         -C         Print out payloads with character data only (no hex)         -d         Dump the Application Layer         -e         Display the second layer header info         -E         Log alert messages to NT Eventlog. (Win32 only)         -f         Turn off fflush() calls after binary log writes         -F <bpf>   Read BPF filters from file <bpf>         -h <hn>    Home network = <hn>         -i <if>    Listen on interface <if>         -I         Add Interface name to alert output         -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)         -l <ld>    Log to directory <ld>         -L <file>  Log to this tcpdump file         -n <cnt>   Exit after receiving <cnt> packets         -N         Turn off logging (alerts still work)         -o         Change the rule testing order to Pass|Alert|Log         -O         Obfuscate the logged IP addresses         -p         Disable promiscuous mode sniffing         -P <snap>  Set explicit snaplen of packet (default: 1514)         -q         Quiet. Don't show banner and status report         -r <tf>    Read and process tcpdump file <tf>         -R <id>    Include 'id' in snort_intf<id>.pid file name         -s         Log alert messages to syslog         -S <n=v>   Set rules file variable n equal to value v         -T         Test and report on the current Snort configuration         -U         Use UTC for timestamps         -v         Be verbose         -V         Show version number         -W         Lists available interfaces. (Win32 only)         -w         Dump 802.11 management and control frames         -X         Dump the raw packet data starting at the link layer         -y         Include year in timestamp in the alert and log files         -z         Set assurance mode, match on established sesions (for                     TCP)         -?         Show this information <Filter Options> are standard BPF options, as seen in TCPDump

Particularly interesting command line options include the following:

  • –b This option will allow you to log the packets in TCPDump binary format.

  • –d This option will dump the application layer traffic.

  • –e This option will display the data link header information.

  • –i interface This option allows you to specify which interface to use to capture data.

  • –L file This option allows you to specify a name to call the output TCPDump log file.

  • –r file This option allows you to read and process a TCPDump formatted capture file.

  • –v This option specifies verbose output. It is a required option for the packet-sniffing mode.

Capturing and Saving Data With Snort

The following examples show how to capture and save traffic with Snort using various options and filters. Once captured and saved, the output can then be opened and analyzed with Ethereal.

This example demonstrates how to use Snort as a simple real-time network analyzer. This will display the packets along with all of the application and data link layer information. Packets will continue to scroll on the screen until you press Ctrl + C. When the capture is complete it will display some capture statistics as shown:

C:\Snort\bin>snort -dve -i 4 Running in packet dump mode Log directory = log Initializing Network Interface \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F }         --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F }         --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.2-ODBC-MySQL-WIN32 (Build 92) By Martin Roesch (roesch@sourcefire.com, www.snort.org) 1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike) 1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com) 11/03-23:37:10.146209 0:5:5D:EE:7E:53 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x4A 192.168.100.132 -> 192.168.100.5 ICMP TTL:128 TOS:0x0 ID:35224 IpLen:20 DgmLen:6 0 Type:8  Code:0  ID:1024   Seq:3328  ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [output removed] =========================================================================== Snort analyzed 19 out of 19 packets, dropping 0(0.000%) packets Breakdown by protocol:                Action Stats:     TCP: 0          (0.000%)          ALERTS: 0     UDP: 6          (31.579%)         LOGGED: 0    ICMP: 12         (63.158%)         PASSED: 0     ARP: 1          (5.263%)   EAPOL: 0          (0.000%)    IPv6: 0          (0.000%)     IPX: 0          (0.000%)   OTHER: 0          (0.000%) DISCARD: 0          (0.000%) =========================================================================== Wireless Stats: Breakdown by type:     Management Packets: 0          (0.000%)     Control Packets:    0          (0.000%)     Data Packets:       0          (0.000%) =========================================================================== Fragmentation Stats: Fragmented IP Packets: 0          (0.000%)     Fragment Trackers: 0    Rebuilt IP Packets: 0    Frag elements used: 0 Discarded(incomplete): 0    Discarded(timeout): 0   Frag2 memory faults: 0 =========================================================================== TCP Stream Reassembly Stats:         TCP Packets Used: 0          (0.000%)          Stream Trackers: 0           Stream flushes: 0            Segments used: 0    Stream4 Memory Faults: 0 =========================================================================== pcap_loop: read error: PacketReceivePacket failed Run time for packet processing was 10.315000 seconds

This example captures raw packets and logs the output to a binary file called test.log. Don’t forget that Snort will append a timestamp to the end of that filename. It will continue capturing until you press Ctrl + C, at which time it will display the statistics information.

C:\Snort\bin>snort -i 4 -b -L test.log 

If you want to see what is going on while also logging to a file, you can combine the options as follows:

C:\Snort\bin>snort -dve -i 4 -b -L test.log

This example captures raw packets and logs them to a binary file called http.log, but also uses a filter syntax. It is capturing all traffic on port 80.

C:\Snort\bin>snort -i 4 -b -L http.log port 80

Now that we have our output saved to capture files, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Figure 7.7 shows the Ethereal output of the Snort http.log file.

click to expand
Figure 7.7: Ethereal Display of Snort Capture

Reading Ethereal Files With Snort

Snort can also read and process TCPDump libpcap formatted capture files. This means you can capture files with Ethereal and then read them with Snort. This would be great to use in running captured data through some rules files! Once you have captured your data with Ethereal, select File | Save As menu item. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to libpcap (tcpdump, Ethereal, etc.). Type in a file name under Selection and click OK.

The following example uses Snort to read a file that we saved with Ethereal, called libpcap_capture. The file will be processed and the output will be displayed on the screen.

C:\Snort\bin>snort -r libpcap_capture No run mode specified, defaulting to verbose mode Running in packet dump mode Log directory = log TCPDUMP file reading mode. Reading network traffic from "libpcap_capture" file. snaplen = 65535 [output removed] 

Snoop

Snoop is a command line network analyzer that is built into the Solaris operating system. Captured packets can be displayed on the screen or saved to a file for later inspection. Snoop uses a different format for storing captures to a file, as documented in Request for Comment (RFC) 1761. However, Ethereal has the ability to interpret this format and open the saved capture file for inspection.

Snoop can display packets in the default single-line summary form, a verbose multiple summary line form, or a very detailed form. When it displays packets in summary form, only the highest protocol layer data is displayed. For example, a File Transfer Protocol (FTP) packet will have the FTP information displayed, but not the underlying IP, TCP, and Ethernet frame information. Verbose options can be used to display summary lines for each protocol in the packet or all of the packet information.

Snoop also has efficient filtering capabilities for capturing a subset of packets from the network. Some are implemented at the kernel level, and others at the snoop packet filter level. The snoop man (or manual) page provides detail for using the filtering syntax. The man page for snoop also warns that snoop may drop packets when processing real-time packets due to higher overhead. Using the –D option will display the number of dropped packets during the capture. Using the –o option to output raw packets to a file for later offline analysis, offers a more reliable capture. When using the –o option the –V, –v, and –x options won’t make any difference because all of the packet information is logged in detail.

Warning 

Snoop does not reassemble IP fragments. When an IP packet is fragmented, interpretation of higher level protocols stop at the end of the first fragment.

The following information is the usage output for the snoop program:

Usage:  snoop         [ -a ]                  # Listen to packets on audio         [ -d device ]           # settable to le?, ie?, bf?, tr?         [ -s snaplen ]          # Truncate packets         [ -c count ]            # Quit after count packets         [ -P ]                  # Turn OFF promiscuous mode         [ -D ]                  # Report dropped packets         [ -S ]                  # Report packet size         [ -i file ]             # Read previously captured packets         [ -o file ]             # Capture packets in file         [ -n file ]             # Load addr-to-name table from file         [ -N ]                  # Create addr-to-name table         [ -t  r|a|d ]           # Time: Relative, Absolute or Delta         [ -v ]                  # Verbose packet display         [ -V ]                  # Show all summary lines         [ -p first[,last] ]     # Select packet(s) to display         [ -x offset[,length] ]  # Hex dump from offset for length         [ -C ]                  # Print packet filter code         [ -q ]                  # Suppress printing packet count         [ -r ]                  # Do not resolve address to name         [ filter expression ] Example:         snoop -o saved  host fred         snoop -i saved -tr -v -p19 

Particularly interesting command line options include the following:

  • –d device This option allows you to specify which network interface device to use to capture packets, for example lo0 or hme0. To see what interfaces you currently have you can use ifconfig –a or netstat –i.

  • –i file This option allows you to read in a previously captured snoop file.

  • –o filename This is the option that you would use to output the captured packets to a file specified by filename. During the capture, a number count of packets saved in the file is displayed on the screen.

  • –q This option allows you to turn off the packet count when capturing network packets to a file. This may improve the performance of your capture by lessening the processing while capturing packets.

  • –r This option disables the resolving of IP addresses to names. This will prevent snoop from generating network traffic when capturing packets, and may improve the performance of your capture by lessening the processing while capturing packets.

  • –s snaplen By default the whole packet is captured with snoop. This option allows you to truncate each packet to a desired length. This will also help with performance because snoop won’t be capturing and interpreting as much information.

  • –V Using the upper-case V option will display output in verbose summary mode. This mode displays a summary line for each protocol layer in the packet. This is a little more information than the default summary line mode. Instead of just printing the FTP summary information, it will also include the IP, TCP, and Ethernet summary information.

  • –v Using the lower-case v option will display output with the most detail.

  • -x offset [ , length] This option will allow you to display the data in hexadecimal and ASCII format. The offset and length values select a portion of the packet to display, however using an offset of 0 will display the whole packet. If a length value is not provided, the rest of the packet will be displayed.

    Note 

    Snoop can only be run by the root user. A regular non-root user will receive the following:
    $ snoop
    snoop: /dev/hme: Permission denied

Capturing and Saving Data With Snoop

The following examples show you how to capture and save traffic with Snoop using various options and filters. The output can then be opened and analyzed with Ethereal.

This example captures all packets to and from 192.168.100.122 and logs the output to a file called capture_snoop. Notice the counter counts ten packets before exiting with Ctrl + C.

 # snoop -o capture_snoop host 192.168.100.122 Using device /dev/hme (promiscuous mode) 10 ^C

This example captures all packets to or from port 23 and logs the output to a file called telnet_capture_snoop.

# snoop -o telnet_capture_snoop port 23 Using device /dev/hme (promiscuous mode) 76 ^C

This example captures all packets between 192.168.100.122 and 192.168.100.132 that are TCP packets on port 21 and logs the output to a file called ftp_capture_snoop. Notice that the –q option suppresses the packet count.

# snoop –q -o ftp_capture_snoop 192.168.100.122 192.168.100.132 and port 21 and tcp Using device /dev/hme (promiscuous mode) ^C

Now that we have our output saved to capture files, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it! Figure 7.8 shows the Ethereal output of the snoop telnet_capture_snoop file. Notice that all 76 of the packets that the snoop counter listed are there. Tethereal can also read the data saved in the snoop capture by using the command tethereal -r telnet_capture_snoop. You may have to use the full path name to the telnet_capture_snoop file. The –V option can be used to display the output in detail format.

click to expand
Figure 7.8: Ethereal Display of Snoop Capture

Reading Ethereal Files With Snoop

Snoop can also read and process properly formatted capture files. This means you can capture files with Ethereal and then read them with Snoop, as long as you save them in the Snoop format. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to Sun snoop. Type in a file name under Selection and click OK.

The following example uses Snoop to read a file that we saved with Ethereal, called ethereal_capture. The file will be processed and the output will be displayed on the screen in summary line mode. You can use the other options discussed to create more detailed output. Look how easy it is to read this Telnet user name and password!

# snoop -i ethereal_capture   1   0.00000 192.168.100.132 -> unknown      TELNET C port=1948   2   0.00009      unknown -> 192.168.100.132 TELNET R port=1948   3   0.00268 192.168.100.132 -> unknown      TELNET C port=1948   4   0.04485       unknown -> 192.168.100.5 DNS C 132.100.168.192.in-addr.arpa.Internet PTR ?   5   1.31293 192.168.100.5 -> BROADCAST    DHCP/BOOTP DHCPACK   6   3.69467       unknown -> 192.168.100.5 DNS C 132.100.168.192.in-addr.arpa.Internet PTR ?   7   3.98945      ? -> (broadcast)  ETHER Type=6000 (DEC unass,_                  experimental), size = 114 bytes   8   1.02158      unknown -> 192.168.100.132 TELNET R port=1948   9   0.00383 192.168.100.132 -> unknown      TELNET C port=1948  10   0.00006      unknown -> 192.168.100.132 TELNET R port=1948  11   0.00285 192.168.100.132 -> unknown      TELNET C port=1948  12   0.00006      unknown -> 192.168.100.132 TELNET R port=1948  13   0.00042      unknown -> 192.168.100.132 TELNET R port=1948  14   0.00365 192.168.100.132 -> unknown      TELNET C port=1948  15   0.04792      unknown -> 192.168.100.132 TELNET R port=1948  16   0.00300 192.168.100.132 -> unknown      TELNET C port=1948  17   0.00174      unknown -> 192.168.100.132 TELNET R port=1948  18   0.12602 192.168.100.132 -> unknown      TELNET C port=1948  19   0.00011      unknown -> 192.168.100.132 TELNET R port=1948  20   0.00313 192.168.100.132 -> unknown      TELNET C port=1948  21   0.04600      unknown -> 192.168.100.132 TELNET R port=1948  22   0.00306 192.168.100.132 -> unknown      TELNET C port=1948  23   0.00056      unknown -> 192.168.100.132 TELNET R port=1948  24   0.00323 192.168.100.132 -> unknown      TELNET C port=1948  25   0.04312      unknown -> 192.168.100.132 TELNET R port=1948  26   1.12780 192.168.100.132 -> unknown      TELNET C port=1948 r  27   0.00033      unknown -> 192.168.100.132 TELNET R port=1948 r  28   0.17501 192.168.100.132 -> unknown      TELNET C port=1948  29   0.11204 192.168.100.132 -> unknown      TELNET C port=1948 o  30   0.00032      unknown -> 192.168.100.132 TELNET R port=1948 o  31   0.10154 192.168.100.132 -> unknown      TELNET C port=1948 o  32   0.00026      unknown -> 192.168.100.132 TELNET R port=1948 o 33   0.09330 192.168.100.132 -> unknown      TELNET C port=1948 t  34   0.00024      unknown -> 192.168.100.132 TELNET R port=1948 t  35   0.16460 192.168.100.132 -> unknown      TELNET C port=1948  36   0.00029      unknown -> 192.168.100.132 TELNET R port=1948  37   0.12786 192.168.100.132 -> unknown      TELNET C port=1948  38   0.00007      unknown -> 192.168.100.132 TELNET R port=1948 Password:  39   0.20041 192.168.100.132 -> unknown      TELNET C port=1948  40   0.29647      unknown -> 192.168.100.5 DHCP/BOOTP DHCPREQUEST  41   0.00320 192.168.100.5 -> BROADCAST    DHCP/BOOTP DHCPACK  42   0.10855 192.168.100.132 -> unknown      TELNET C port=1948 p  43   0.04762      unknown -> 192.168.100.132 TELNET R port=1948  44   0.18569 192.168.100.132 -> unknown      TELNET C port=1948 a  45   0.04430      unknown -> 192.168.100.132 TELNET R port=1948  46   0.19398 192.168.100.132 -> unknown      TELNET C port=1948 s  47   0.04604      unknown -> 192.168.100.132 TELNET R port=1948  48   0.11211 192.168.100.132 -> unknown      TELNET C port=1948 s  49   0.03763 192.168.100.5 -> BROADCAST    DHCP/BOOTP DHCPACK  50   0.01023      unknown -> 192.168.100.132 TELNET R port=1948  51   0.15034 192.168.100.132 -> unknown      TELNET C port=1948 w  52   0.04966      unknown -> 192.168.100.132 TELNET R port=1948  53   0.13519 192.168.100.132 -> unknown      TELNET C port=1948 o  54   0.04491      unknown -> 192.168.100.132 TELNET R port=1948  55   0.03270 192.168.100.132 -> unknown      TELNET C port=1948 r  56   0.04717      unknown -> 192.168.100.132 TELNET R port=1948  57   0.14906 192.168.100.132 -> unknown      TELNET C port=1948 d  58   0.04094      unknown -> 192.168.100.132 TELNET R port=1948  59   0.13336 192.168.100.132 -> unknown      TELNET C port=1948  60   0.00081      unknown -> 192.168.100.132 TELNET R port=1948  61   0.13279 192.168.100.132 -> unknown      TELNET C port=1948  62   0.00011       unknown -> 192.168.100.132 TELNET R port=1948 Last login: Tue Nov  63   0.20013 192.168.100.132 -> unknown      TELNET C port=1948  64   1.64003 192.168.100.132 -> unknown      TELNET C port=1948 e  65   0.00033      unknown -> 192.168.100.132 TELNET R port=1948 e  66   0.16253 192.168.100.132 -> unknown      TELNET C port=1948  67   0.09867 192.168.100.132 -> unknown      TELNET C port=1948 x 68   0.00028      unknown -> 192.168.100.132 TELNET R port=1948 x  69   0.20159 192.168.100.132 -> unknown      TELNET C port=1948  70   0.15897 192.168.100.132 -> unknown      TELNET C port=1948 i  71   0.00039      unknown -> 192.168.100.132 TELNET R port=1948 i  72   0.07751 192.168.100.132 -> unknown      TELNET C port=1948 t  73   0.00025      unknown -> 192.168.100.132 TELNET R port=1948 t  74   0.16339 192.168.100.132 -> unknown      TELNET C port=1948

Microsoft Network Monitor

Microsoft Network Monitor is a tool that comes with Windows 2000 Server . It is used to detect and troubleshoot network problems, including identifying network traffic patterns and statistics. It is not installed by default, but it can be added by selecting Management and Monitoring Tools | Network Monitor Tools during installation or later using Add/Remove Programs. Network Monitor can capture packets directly from the network and display, filter, save and print captured packets. It can also open previously saved capture files that are in the proper format. For our example we are using the Network Monitor 2.0 Lite version that is included with Windows 2000Server .

The Network Monitor main window includes four window panes, as shown in Figure 7.9. The top left pane is the Graph pane, and is a graphical representation of current network activity. The middle left pane is the Session Statistics pane, and displays statistics about current individual network data. The bottom pane is the Station Statistics pane, and it displays statistics about session sent to and from the computer that is running Network Monitor. Finally, the top right pane is the Total Statistics pane, and it displays summary statistics about network activity detected since the capture process began.

click to expand
Figure 7.9: Microsoft Network Monitor Window

Note 

The Windows 2000 Network Monitor does not capture packets in promiscuous mode. To do that you need to use the version of Network Monitor included with Systems Management Server version 2.0.

Capturing and Saving Data With Network Monitor

To begin a capture, select Capture | Start. You will notice the statistics begin changing, connections appear, and the time elapsed increasing. Once you have captured data, you can display it by selecting Capture | Stop and View. The Frame View window will open a listing of the captured data in a summary line view. If you double-click on one of the lines, the window will change to a three-pane view. This view has a summary top pane, a detailed protocol tree middle pane, and a hexadecimal data dump bottom pane. Figure 7.10 shows the Frame View window.

click to expand
Figure 7.10: Microsoft Network Monitor Frame View Window

Once you have captured and viewed your data, you can save the capture to a file by selecting File | Save As. You can choose the location that you would like to save the file, give it a filename, and click Save. Now that we have our output saved to a capture file, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it! Figure 7.11 shows the Ethereal output of the Network Monitor netmon_capture.cap file.

click to expand
Figure 7.11: Ethereal Display of Network Monitor Capture

Reading Ethereal Files With Network Monitor

Network Monitor can also read and process properly formatted capture files. This means you can capture files with Ethereal and then read them with Network Monitor, as long as you save them in the Network Monitor format. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to Microsoft Network Monitor 2.x. Type in a file name under Selection, make sure to give it a .cap extension, and click OK. Network Monitor will open the file even without the extension, but this makes finding it easier.

You can now open up the Ethereal capture file in Network Monitor by selecting File | Open. Browse to the location of the saved file, select it and click Open. You will now see the packets displayed in the Frame View window.

WildPackets EtherPeek

EtherPeek by WildPackets, is a commercial graphical network analyzer that works on 10/100/1000 Mbps Ethernet networks. It runs on Windows XP and 2000, and there is even a version for Macs! Other network analyzers by WildPackets include TokenPeek, AiroPeek, and GigaPeek.

EtherPeek can capture traffic from more than one network adapter at a time so that you can correlate various network occurrences. EtherPeek offers two distinct ways of looking at the network: the monitor statistics view and the packet capture view. The monitor statistics view lets you looks at various data including network, protocol, and node statistics. It’s important to note that you will not be able to save packets with this function—you will only be able to view them. The packet capture view allows you to view packet decodes of a capture, view saved captures, or save your current capture to a file. For our example we will be focusing on the packet capture view. We are using EtherPeek version 5.1, and a demo version can be downloaded from www.wildpackets.com. However, the demo version doesn’t include the ability to save capture files. You will need to speak to a sale representative if you would like to try additional features.

Capturing and Saving Data With EtherPeek

To begin a capture with EtherPeek, click on the Capture menu and select Start Capture to open a new capture window. The first time you do this you will see the Capture Options dialog box. This dialog box allows you to choose parameters such as which network adapter to use, the name of the capture, size of the capture buffer, and much more. If you do not want this dialog box to appear each time you start a capture you can uncheck the Show this dialog when creating a new capture window option. Once you have selected the appropriate settings, click OK. Next, you will see the main capture window. Click the Start Capture button in the upper right-hand corner to start the capture. The button will change to Stop Capture, and the status bar in the bottom left will change from Idle to Capturing. You will also see packets start appearing in the packet list. Once you have captured enough data, you can stop the capture by clicking on the Stop Capture button in the upper right-hand corner. You can click on any one of the packets in the packet list to display the protocol tree view and hex view. You can also do this while you are still capturing packets. Figure 7.12 shows an example of the Packet Decode view of the Capture Window.

click to expand
Figure 7.12: The Packet Decode of the Capture Window

Note 

To see all three panes in the Capture Window, make sure you have enabled the toggle buttons on the menu bar for Show Packet List, Show Decode View, and Show Hex View.

Once you have captured and viewed your data, you can save the capture to a file by selecting File | Save All Packets. You can choose the location that you would like to save the file and select the file type. If you want Ethereal to read the capture file you will need to save it as either EtherPeek Classic Packet File or Networks Associate’s Sniffer DOS file. Next, enter a filename and click Save. Now that we have our output saved to a capture file, all we need to do it open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it. Figure 7.13 shows the Ethereal output of the EtherPeek etherpeek.pkt file.

Reading Ethereal Files With EtherPeek

EtherPeek can also read and process properly formatted capture files. This means you can capture files with Ethereal and then read them with EtherPeek, as long as you save them in the proper format. Ethereal doesn’t offer EtherPeek as a format to save files, unless you are already reading an Etherpeek file; however, there are still methods that you can use to transfer files from Ethereal to EtherPeek. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to libpcap (tcpdump, Ethereal, etc.). Type in a filename under Selection, make sure to give it a .dmp extension, and click OK.

click to expand
Figure 7.13: Ethereal Display of EtherPeek Capture

You can now open up the Ethereal capture file in EtherPeek by selecting File | Open. Browse to the location of the saved file, select it and click Open. You will now see the packets displayed in the Capture Window!

We also tested several other methods of transferring files between Ethereal and EtherPeek and these are some that worked:

  • Save as file type Novell LANalyzer and give the file name a .tr1 extension.

  • Save as file type Network Associates Sniffer (DOS-based) and give the file name a .enc extension.

  • Save as file type Network Associates Sniffer (Windows-based) 1.1 and give the file name a .cap extension.

  • Save as file type Network Associates Sniffer (Windows-based) 2.00x and give the file name a .cap extension.

Network Associates’ Sniffer Technologies Netasyst

The Netasyst Network Analyzer is a commercial graphical network analyzer for 10/100 Mbps Ethernet networks that runs on Windows XP and 2000. There are several different versions of the Netasyst product offering support for one or more of the following: LAN support, wireless support, the Expert analysis engine, and some offer combinations of the three.

Netasyst can monitor network traffic in real time and display various statistics through its monitor applications such as the Dashboard. The monitor applications display data on network load and errors, protocol usage, node usage, and many other useful statistics. Netasyst also has a capture function that stores and decodes network packets. You can view current network packets, view saved packet captures, or save your capture to a file. For our example we will be focusing on the packet capture feature; however Netasyst has many other features and enhancements. We are using Netasyst WLX version 1.0.003 for our example. You can download a time-limited free trial at www.nai.com.

Capturing and Saving Data With Netasyst

To begin a capture with Netasyst, click on the Capture menu and select Start. This will open up the real-time Expert window and a capture gauge that shows the number of packets captured and the percentage of used buffer space. Once you have captured enough data, you can stop the capture by clicking on the Capture menu and selecting Stop and Display. This will open the Packet Display window. You can click on the Decode tab at the bottom of the window to bring up a three-pane view of the packets, as shown in Figure 7.14.

click to expand
Figure 7.14: The Packet Display Window

Once you have captured and viewed your data, you can save the capture to a file by selecting File | Save As. You can choose the location that you would like to save the file and the file type. We will be using the default Sniffer Files file type. Next, enter a filename and click Save. Now that we have our output saved to a capture file, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it. Figure 7.15 shows the Ethereal output of the Netasyst Snif1.cap file.

click to expand
Figure 7.15: Ethereal Display of Netasyst Capture

Note 

Ethereal can also open Netasyst files that are saved in a compressed format.

Reading Ethereal Files With Netasyst

Netasyst can also read and process properly formatted capture files. This means you can capture files with Ethereal and then read them with Netasyst, as long as you save them in the proper format. Ethereal doesn’t offer Netasyst as a format to save files, but, there are still methods that you can use to transfer files from Ethereal to Netasyst. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to Network Associates Sniffer (Windows-based) 2.00x. Type in a file name under Selection, make sure to give it a .cap extension, and click OK.

You can now open up the Ethereal capture file in Netasyst by selecting File | Open. Browse to the location of the saved file, select it and click Open. You will now see the packets displayed in the Packet Display Window.

We also tested several other methods of transferring files between Ethereal and Netasyst and these are some that worked:

  • Save as file type Novell LANalyzer and give the filename a .tr1 extension.

  • Save as file type Network Associates Sniffer (DOS-based) and give the filename a .enc extension.

  • Save as file type Network Associates Sniffer (Windows-based) 1.1 and give the filename a .cap extension.

HP-UX’s nettl

The HP-UX operating system has a built-in command, nettl, to perform packet capturing and network monitoring. Nettl stands for NETwork Tracing and Logging and is used to control the network tracing and logging facility. Tracing is used to capture incoming and outgoing network packets. Logging is used to capture network activities such as state changes, errors, and connection establishment.

start sidebar
Notes from the Underground…
What happened to Sniffer Pro?

You have probably noticed that a lot of the Ethereal documentation, as well as this book, make reference to Network Associate’s Sniffer and Sniffer Pro products when talking about interoperability. If you don’t already own a copy of Sniffer Pro, you probably visited the NAI website to get more information. However, there isn’t any product listed called Sniffer Pro.

Network Associates launched a new product line called Netasyst Network Analyzer, which replaces some of the older Sniffer products, specifically Sniffer Basic, Sniffer Pro, and Sniffer Investigator. This new product line is targeted to small to medium sized customers and businesses. You will notice that the Netasyst products are “Powered by Sniffer Technologies”. This is the division of Network Associates that also made Sniffer Pro. Netasyst is compatible with Ethereal using the same capture file format as the previous NAI Sniffer versions.

end sidebar

The netfmt command can be used to format binary trace and log data gathered from the tracing and logging facility. It is used to read binary trace information from previously saved capture files. Netfmt filters are out of the scope of this book, so we won’t be covering them here, however they are documented in the netfmt man page.

Note 

To run nettl you must have a user ID of 0, meaning root privileges. The only exception to this is the nettl –status option.

The following information is the usage output for the nettl program:

      /etc/nettl -start       /etc/nettl -stop       /etc/nettl -status [info]       /etc/nettl -traceon kind [kind...] -entity subsystem [subsystem...]                              _      [-       file name] [-card dev_name] [-size limit] [-tracemax maxsize] [-m       bytes]       /etc/nettl -traceoff -entity subsystem [subsystem...]       /etc/nettl -log class -entity subsystem [subsystem...]       /etc/nettl -firmlog 0|1|2 -card dev_name

Particularly interesting command line options include the following:

  • –start (-st) This option is used to initialize the tracing and logging facility. It is used alone with no other options.

  • –stop (-sp) This option is used to terminate the tracing and logging facility. It is used alone with no other options.

  • –status (-ss) This option is used to report the status of the tracing and logging facility. It is used alone with no other options.

  • –traceon (-tn) kind This option is used to start tracing on a specified subsystem. It must be used after the –start option. Kind specifies the trace masks to be used for capturing, for example: pduin 0x20000000, pduout 0x10000000, and loopback 0x00800000. Multiple kinds can be specified separately or combined into a single number. For example, both pduin and pduout can be specified with 0x30000000.

  • –entity (-e) subsystem This option is used to specify the protocol layers or software modules. The keyword all can be used to specify all subsystems. The nettl –ss command can be used to get a listing of all supported subsystems. Examples include network, transport, ns_ls_nfs, ns_ls_ip, ns_ls_tcp, and ns_ls_udp.

  • –file (-f) name This option is used to save the captured data to a file. It is used with the first use of the –traceon command. It automatically appends the .TRC0 extension to the filename. If you would like to start saving to a file with a different name, you will have to turn tracing off and turn it back on with the new name. If tracing is started and the trace file with name.TRC0 already exists, the new data will be appended to the end of the file. If a trace file fills up, nettl will automatically create a new file of name.TRC1. Currently only two generations of trace files can exist with the same filename.

  • –tracemax (-tm) maxsize This option is used to specify the maximum size for both trace files, .TRC0 and .TRC1, combined. The default is 1 MB.

  • –size (-s) limit This option is used to set the trace buffer size, up to 512 Kilobytes, that is used to hold trace file messages until they are written to the file. The default is 32 KB. This value may need to be increased if nettl is dropping packets.

  • –traceoff (-tf) This option is used to stop tracing on a specified subsystem. It can be specified with the all keyword to stop all traces. The trace file can then be viewed with the netfmt command.

    Note 

    When saving your trace to a file, the filename must not exceed 8 characters in length. Longer names will be truncated and you will have to use the nettl –status command to view the actual name of the trace file.

Capturing and Saving Data with nettl

The following examples show you how to capture and save traffic with nettl to be opened and analyzed with Ethereal.

This example shows how to capture all incoming and out going IP traffic and log it to the file nettl.TRC0.

# nettl -tn pduin pudout -e ns_ls_ip -f nettl or # nettl -tn 0x30000000 -e ns_ls_ip -f nettl

If you would like to verify the capture before sending it to Ethereal, you can use the netfmt command. The following example shows the use and the output of the netfmt command:

# netfmt -f nettl.TRC0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ARPA/9000 NETWORKING^^^^^^^^^^^^^^^^^^^^^^^^^^@#%   Timestamp            : Sun Nov 09 MST 2003 10:42:30.708797   Process ID           : [ICS]              Subsystem        : NS_LS_IP   User ID ( UID )      : -1                 Trace Kind       : PDU IN TRACE   Device ID            : -1                 Path ID          : 0   Connection ID        : 0   Location             : 00123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Received 48 bytes via IP  Sun Nov 09 10:42:30.070879 MST 2003   pid=[ICS]    0: 45 00 00 30 8c 96 40 00 80 06 ea a9 c0 a8 01 0b  E..0..@.........   16: c0 a8 01 2c 08 82 00 17 1a 7d fb 7e 00 00 00 00  ...,.....}.~....   32: 70 02 40 00 a1 02 00 00 02 04 05 b4 01 01 04 02  p.@............. vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvARPA/9000 NETWORKINGvvvvvvvvvvvvvvvvvvvvvvvvvv@#%   Timestamp            : Sun Nov 09 MST 2003 10:42:30.708878   Process ID           : [ICS]              Subsystem        : NS_LS_IP   User ID ( UID )      : -1                 Trace Kind       : PDU OUT TRACE   Device ID            : -1                 Path ID          : 0   Connection ID        : 0   Location             : 00123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Transmitted 44 bytes via IP  Sun Nov 09 10:42:30.070887 MST 2003   pid=[ICS]    0: 45 00 00 2c 84 06 00 00 40 06 73 3e c0 a8 01 2c  E..,....@.s>...,   16: c0 a8 01 0b 00 17 08 82 09 cd a2 d6 1a 7d fb 7f  .............}..   32: 60 12 80 00 c9 54 00 00 02 04 05 b4 -- -- -- --  `....T..........  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ARPA/9000 NETWORKING^^^^^^^^^^^^^^^^^^^^^^^^^^@#%   Timestamp            : Sun Nov 09 MST 2003 10:42:30.709065   Process ID           : [ICS]              Subsystem        : NS_LS_IP   User ID ( UID )      : -1                 Trace Kind       : PDU IN TRACE   Device ID            : -1                 Path ID          : 0   Connection ID        : 0   Location             : 00123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Received 46 bytes via IP  Sun Nov 09 10:42:30.070906 MST 2003   pid=[ICS]    0: 45 00 00 28 8c 97 40 00 80 06 ea b0 c0 a8 01 0b  E..(..@.........   16: c0 a8 01 2c 08 82 00 17 1a 7d fb 7f 09 cd a2 d7  ...,.....}......   32: 50 10 44 70 1c a2 00 00 20 20 20 20 20 20 -- --  P.Dp....      .. vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvARPA/9000 NETWORKINGvvvvvvvvvvvvvvvvvvvvvvvvvv@#%   Timestamp            : Sun Nov 09 MST 2003 10:42:30.724471   Process ID           : 1227               Subsystem        : NS_LS_IP   User ID ( UID )      : 0                  Trace Kind       : PDU OUT TRACE   Device ID            : -1                 Path ID          : 0   Connection ID        : 0   Location             : 00123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Transmitted 71 bytes via IP  Sun Nov 09 10:42:30.072447 MST 2003   pid=1227    0: 45 00 00 47 97 ca 00 00 40 11 00 00 7f 00 00 01  E..G....@.......   16: 7f 00 00 01 d1 00 00 35 00 33 00 33 00 01 01 00  .......5.3.3....   32: 00 01 00 00 00 00 00 00 02 31 31 01 31 03 31 36  .........11.1.16   48: 38 03 31 39 32 07 69 6e 2d 61 64 64 72 04 61 72  8.192.in-addr.ar   64: 70 61 00 00 0c 00 01 -- -- -- -- -- -- -- -- --  pa.............. [output removed] 

Now that we have our output saved to capture files, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it. Figure 7.16 shows the Ethereal output of the nettl.TRC0 capture file.

click to expand
Figure 7.16: Ethereal Display of nettl Capture

Reading Ethereal Files with nettl

Currently Ethereal does not have the ability to save capture files into the HP-UX nettl format. If you are reading a nettl formatted file, you can re-save into that format, but you can’t convert a native Ethereal capture, or any of the other supported formats, into the HP-UX nettl format. Future wiretap enhancements could someday add this ability.

start sidebar
Notes from the Underground…
Zethereal

Zethereal is a free GNU General Public licensed version of Ethereal written by Philippe Biondi for the Sharp Zaurus. It is a Qt-embedded interface for the Ethereal program. Zethereal is currently at version 1.0.0 and can be downloaded in both binary and source code format from www.cartel-info.fr/pbiondi/zaurus. You may need to install the provided libraries, libpcap and libglib for binary installation. The following installation notes are from the Zethereal README file:

  • you must first download ethereal sources (works with 0.9.5, maybe with others)

  • compile it (./configure [—disable-ethereal] && make)

  • untar zetheral tarball into the ethereal sources root directory

  • cd qtopia

  • ./mklibzethereal

  • have your qpe developing environment set up ok (http://docs.zaurus.com/index.php?id=linux_compiler_setup_howto)

  • tmake zethereal.pro -o Makefile

  • make

    Figure 7.17 shows the interface for Zethereal. It differs from the regular version of Ethereal due to the limited screen space for a handheld device.


    Figure 7.17: Zethereal User Interface

    The Zethereal website also contains extensive notes for cross-compiling source code on the Sharp Zaurus. Since Zethereal uses libpcap and is based on the original Ethereal source code, Zethereal capture files are easily readable by Ethereal.

end sidebar



 < Day Day Up > 



Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
EAN: 2147483647
Year: 2004
Pages: 105
Authors: Syngress

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net