Guest on 14th September 2021 09:14:34 PM

Sniffers have exploded in popularity over the past several years, from
Network General's Netxray and Microsoft's Network Monitor, to public
domain tools such as Etherman and Curry Sniffer. These tools are used
for various reasons, including network troubleshooting, traffic
analysis, node discovery, etc. We will be covering one of the most
common, yet effective sniffers, snoop. Of all the sniffers, this is one
standby you always have access to with Solaris. The purpose of this
article is to demonstrate how to leverage snoop, with examples focusing
on network security.

What is snoop?

Snoop is an executable binary that puts your system's interface(s) in
promiscuous mode. By being in promiscuous mode, snoop captures all
packets on your network, in either real time or capture file format.
What makes snoop so powerful is the detail of information it provides
and the flexibility of the tool.

In the first half of this article we will focus on snoop commands and
how to get the information we want. In the second half we will focus on
analyzing network traffic with real world examples, focusing on
security. The examples will be IP, but snoop can be used to capture and
analyze other network packets, such as DECnet and AppleTalk. For packet
analysis, I will be using the standard 7 layer OSI model (see Figure 1
for a refresher).

How to Use Snoop

The first thing you have to decide is whether you want real-time data
or want to capture packets to a snoop capture file. Most of the time,
you will capture the data to a file. In real-time mode the data flies
across your screen too fast to read. Its only real benefit is to give
you a quick feel of what traffic is moving on your network. To do some
serious analysis, you will want to capture your network traffic to a
file so you can take your time.

To capture data to a file, the command is

# snoop -o filename

This saves all the data in binary format to filename. To see data in
real time, omit the "-o filename" option. Otherwise, all command syntax
is the same for snoop.

The first thing we need to do is determine how many packets to capture.
If no number is given, snoop will continue to gather packets until you
press Ctrl-C or run out of resources. To set the number, use the
command

# snoop -o filename -c 1000

Snoop will capture 1000 packets in about 60 seconds on a standard
10Mbps network.

Next, we want to determine what level of detail we need. Snoop comes in
three flavors: summary (default), verbose summary (-V), and verbose
mode (-v). Summary gives us the least information, only the highest
protocol level (layer 5, 6 or 7) and packet source/destination. Below
is a single packet in summary mode. This is the 27th packet captured;
it shows a Telnet connection between squirrel and my school account.
0.01743 is the time between packet 26 and 27.

27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330

Verbose summary (-V) gives us all the layers of the OSI model (layers
2, 3, 4, and 5, 6 or 7) but in summarized fashion, one line for each
layer. Below we see an example, packet 27 again. Notice it gives us
layer 2 (ETHER), layer 3 (IP), layer 4 (TCP), and layer 7 (Telnet).
Note how it also gives Syn and Seq (sequence number). There is no Ack
(Acknowledge number) so this is the first packet for this Telnet
session.

27 0.01743 squirrel -> ICARUS.CC.UIC.EDU ETHER Type=0800 (IP), size = 58 bytes
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU IP D= S= LEN=44, ID=6082
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TCP D=23 S=45330 Syn Seq=678057692 Len=0 Win=8760
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330

Verbose gives us all the gory details of each packet, all the way to
the bit level on the OSI model. Below is packet 27 in verbose mode.
Here we see detailed information for each layer: the layer 2
(Ethernet), layer 3 (IP), and layer 4 (TCP) headers. See RFC 894
(Ether), 791 (IP), and 793 (TCP) for specific header information.

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 27 arrived at 10:40:36.07
ETHER: Packet size = 58 bytes
ETHER: Destination = 8:0:20:8d:fc:d2, Sun
ETHER: Source = 8:0:20:c:df:aa, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 6082
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 7005
IP: Source address =, squirrel
IP: Destination address =, ICARUS.CC.UIC.EDU
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 45330
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 678057692
TCP: Acknowledgement number = 0
TCP: Data offset = 24 bytes
TCP: Flags = 0x02
TCP: ..0. .... = No urgent pointer
TCP: ...0 .... = No acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..1. = Syn
TCP: .... ...0 = No Fin
TCP: Window = 8760
TCP: Checksum = 0x517a
TCP: Urgent pointer = 0
TCP: Options: (4 bytes)
TCP: - Maximum segment size = 1460 bytes
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:

No one level of detail is "better" than the other. It depends on what
type of information you are looking for. Keep in mind however that
snoop can be resource intensive. In verbose mode, snoop may overwhelm
the system, forcing it to drop packets depending on your network
traffic. In some cases, you may have to use a dedicated server for
snoop, depending on your verbose level and number of packets gathered.
To capture 1000 packets in verbose summary mode:

# snoop -V -o filename -c 1000

To read a capture file, use -i filename. If you captured packets in
verbose mode, you can read a capture file in summary, verbose summary,
or verbose mode. I recommend you scan through the capture file in
summary mode, identify what packets are interesting, then view specific
packets in verbose mode. To look at a specific packet, use -ppacket#.
Below is an example of looking at packets 10-32 and packet 56 in
verbose mode.

snoop -i filename -v -p10-32,56

Now let's leverage the true power of snoop. Snoop has a variety of
filtering tools, allowing us to focus on the type of packets we
capture, be it source, destination, protocol layer, etc. Here we will
cover some of the most commonly used options. However, for complete
information, be sure to read the snoop(1) man page.

First, we can select which systems will be snooped, by either MAC
address (layer 2) or IP address or host name (layer 3). This limits
what packets are captured at the interface. If you have just one node
you want to snoop, include its IP address. If there are several, use
the expression "and" or "or" between the nodes. You can focus the
expression even more with the qualifier "from" or "to", which match the
source or destination address. The "!" or "not" performs a logical NOT
operation. Last, the expression "net" captures all packets that belong
to a specific network. The command below captures all packets coming
from zeus, going to 8:0:20:f1:b3:51, or packets belonging to the network,
except Note, the host name zeus must be resolvable, be it
/etc/hosts or DNS.

snoop -o filename from zeus or to 8:0:20:f1:b3:51 or net not

Just as we can qualify specific hosts or networks at layer 2 or 3, we
can limit packets captured at layers 4, 5, 6, and 7. At layer 4, we can
qualify "tcp", "udp", or "icmp" (actually RFC 792 states icmp is a
layer 3 protocol, but I have placed it here to reflect snoop's man
page). For layers 5, 6 and 7 use the qualifiers "port" and "rpc" (based
on the /etc/services and /etc/rpc files). The command below captures
all DNS or NFS packets

snoop -o filename -V port domain or rpc nfs

Snoop and Security

Now that we have covered the flexibility of snoop, let's apply it to
your network security. With snoop, you silently sit on the network and
capture data. Unlike active measures, such as network discovery using
ICMP, snoop does not alert anyone to its presence. This allows you to
analyze the security of your network, without notifying anyone. Also,
snoop can run over a long period of time, compared to active measures
that run at a single point in time. If a server is down for several
minutes while you are pinging the network, you will miss it. Snoop will
pick up these servers, as long as they eventually send or receive
traffic.

Snoop does two critical things for security: it tells you who is on
your network, and what they are doing. You need to first identify what
your security concern is, then configure snoop to find that
information.

Often, a security concern is having a node or gateway on your network
that you do not know about. This node could be an innocent dial-up
server, or a gateway a hacker set up. I know of a company where an
unknown Internet connection was recently identified with a sniffer.
Active measures will tell you who is on the network, only if the
machine is on. But what if a node is on only at night, or has been
configured not to ICMP_REPLY, then what? Using the qualifiers we
covered above, snoop could capture information on your network. With a
perl or shell script, you could parse this information, identifying
unknown nodes on your network.

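One way to do the parsing described above, as an added example that is
not part of the original article: it reads snoop summary output and
lists every source or destination missing from an inventory file. The
function names, the inventory format (one host name or address per
line) and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report hosts seen by snoop that are not in an inventory.
# Assumed inventory format: one approved host name or address per line.
# Usage: snoop -i filename | unknown_nodes inventory.txt

unknown_nodes() {
    awk -v inventory="$1" '
        BEGIN {
            # Load the inventory, ignoring "#" comments and blank lines.
            while ((getline line < inventory) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") known[tolower(line)] = 1
            }
        }
        {
            # Source and destination sit on either side of "->". Searching
            # for it works with or without the packet number/time columns.
            for (i = 2; i < NF; i++)
                if ($i == "->") {
                    count[tolower($(i - 1))]++
                    count[tolower($(i + 1))]++
                    break
                }
        }
        END {
            # Names in parentheses, e.g. (broadcast), are not real hosts.
            for (h in count)
                if (!(h in known) && h !~ /^\(/)
                    printf "%s %d\n", h, count[h]
        }
    ' | sort
}

# Constructed sample, modelled on the packet 27 summary line above.
sample_summary() {
    cat <<'EOF'
 26   0.00210 ICARUS.CC.UIC.EDU -> squirrel TELNET R port=45330
 27   0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330
 28   0.10412 192.0.2.77 -> squirrel TELNET C port=1042
 29   0.00031 squirrel -> (broadcast) ARP C Who is 192.0.2.77 ?
EOF
}

# Demo: sample_summary | unknown_nodes inventory.txt
```

Each output line is a host followed by the number of packets it appeared
in; with squirrel and icarus.cc.uic.edu in the inventory, only
192.0.2.77 is reported for the sample.
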
Another security issue is what is going on on your network. You may be
concerned about specific websites or downloads. Perhaps you are
concerned that users are downloading the latest hacker attacks. You can
snoop your network, looking for FTP downloads from known websites. I
know of a recent incident where an employee was identified doing this
during a routine network analysis.

Perhaps you have several critical servers that have been hit with
denial of service attacks, such as land.c or ping of death. You can
qualify snoop to look for land.c by capturing packets with source and
destination the same. For ping of death, look for icmp packets with
extremely large lengths.

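The two checks described above, as an added example that is not code
from the original article: it scans verbose summary (-V) output read
from a capture file, flags IP lines whose D= and S= values match, and
flags ICMP packets whose IP LEN exceeds a threshold. The function
names, the 1000-byte default and the sample lines (documentation
addresses) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: scan `snoop -V -i filename` output for the two indicators
# named above. Assumes the packet number is the first column (capture-file
# output) and that 1000 bytes is "extremely large" for ICMP on this network.
# Usage: snoop -V -i filename | dos_indicators [max_icmp_len]

dos_indicators() {
    awk -v max="${1:-1000}" '
        {
            # The protocol name is the second field after "->".
            for (i = 2; i < NF - 1; i++) if ($i == "->") break
            if ($i != "->") next
            pkt = $1; proto = $(i + 2)
        }
        proto == "IP" {
            src = dst = tot = ""
            for (j = i + 3; j <= NF; j++) {
                if ($j ~ /^D=/) dst = substr($j, 3)
                if ($j ~ /^S=/) src = substr($j, 3)
                if ($j ~ /^LEN=/) { tot = substr($j, 5); sub(/,.*/, "", tot) }
            }
            iplen[pkt] = tot + 0          # remembered for the ICMP line
            if (src != "" && src == dst)  # land.c: source equals destination
                print "LAND packet " pkt " addr " src
        }
        proto == "ICMP" && iplen[pkt] > max {
            print "BIG_ICMP packet " pkt " len " iplen[pkt]
        }
    '
}

# Constructed sample; only the packet 27 layout comes from the article.
sample_verbose_summary() {
    cat <<'EOF'
 27   0.01743 squirrel -> ICARUS.CC.UIC.EDU IP D=192.0.2.10 S=192.0.2.20 LEN=44, ID=6082
 27   0.01743 squirrel -> ICARUS.CC.UIC.EDU TCP D=23 S=45330 Syn Seq=678057692 Len=0 Win=8760
 31   0.00200 192.0.2.10 -> 192.0.2.10 IP D=192.0.2.10 S=192.0.2.10 LEN=40, ID=3868
 31   0.00200 192.0.2.10 -> 192.0.2.10 TCP D=139 S=139 Syn Seq=3868 Len=0 Win=2048
 40   0.00310 192.0.2.66 -> squirrel IP D=192.0.2.20 S=192.0.2.66 LEN=1500, ID=9001
 40   0.00310 192.0.2.66 -> squirrel ICMP Echo request
 41   0.00012 squirrel -> 192.0.2.66 IP D=192.0.2.66 S=192.0.2.20 LEN=84, ID=6100
 41   0.00012 squirrel -> 192.0.2.66 ICMP Echo reply
EOF
}
```

An oversized ping arrives as IP fragments no larger than the link MTU,
so the threshold has to sit below the MTU rather than near 65535.
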
So far we have discussed what snoop can do; now we will cover what
snoop cannot do. Unlike active measures, snoop, like most sniffers,
cannot operate in a switched environment. Snoop only records packets
that cross the designated interface. Switches block and forward IP
packets based on their MAC (layer 2) address. If you have a switch,
snoop will capture only the packets in its collision domain.

Where you snoop is just as important as what you snoop. If you want to
monitor all the traffic on your network, place your sniffer on the
Internet router segment. This way you are capturing all Internet
traffic and are not limited to specific collision domains.

This limitation of snoop can also be used to your advantage. A common
tactic of hackers is to compromise a system and implement a sniffer.
Once compromised, the sniffer picks up user names and passwords. Several
months ago, the SANS Institute was compromised by this same method. A
prime target for this are systems on your DMZ, or the network segment
between your Internet router and firewall. Often companies place
unsecured systems outside the firewall, such as webservers. However,
once compromised, these systems make excellent platforms for capturing
user names and passwords. To protect your network, place these systems
behind a switch. If compromised, they are still isolated in their
collision domain, thus protecting you from sniffing (note, if possible,
you may want to hardcode the MAC address on the switch to specific
ports).

Snoop is an extremely powerful and flexible tool. Its uses are as
varied as its qualifiers. The ideas and concepts covered in this
article are only an i