Tuesday, July 14, 2009

Snoop Notes

1. Packet capturing facilities (ALL levels of OSI model, minus physical)
2. Packet playback/replay facility
3. Sniffs on first detected, non-loopback interface - output to STDOUT
4. MUST be executed as root

Note: Capture to a file rather than to STDOUT for performance reasons (to minimize packet loss)

snoop -o snoop1.out - redirects captured traffic to a file named 'snoop1.out'
and prints a running packet count to STDOUT

Note: If connected to a switched environment, MIRROR the traffic to the Sun box in order for traffic to be available to snoop

snoop -i snoop1.out - reads the captured file
Note: snoop captures packets until killed with CTRL-C or the disk runs out of space

snoop -i snoop1.out -p 11573,11577 - extracts packets 11573 through 11577
snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7)
snoop -V -i snoop1.out - VERBOSE SUMMARY (one line per layer, returning the interesting part of each packet)

Note: snoop supports Boolean primitives (host, tcp, udp, ip) & Boolean operators (AND, OR, NOT)

snoop -i snoop1.out tcp port 80

Note: snoop -o output_file - captures layers 2-7

snoop -o snoop1.out udp

snoop -o snoop1.out

###FTP Traffic Snoop###
snoop -o snoop_ftp_traffic.out host linuxcbtsun1 and tcp and port 21


Packet Capturing - captures packets from network interfaces

Note: 2 major utilities supporting TCPDump's format include:
1. Ethereal - GUI protocol analyzer/Sniffer
2. Snort NIDS - Sniffer/Logger/NIDS

TCPDump supports 3 qualifiers to assist in creating expressions:
1. Type - host|net|port e.g. host
2. Direction - src|dst|src or dst|src and dst
3. Protocol - tcp|udp|ip

Syntax: tcpdump [options] [expression]

tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to specific interface
tcpdump -q - suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance
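An added example (not from the original notes) in POSIX sh: it assembles a filter from the three qualifiers listed above, builds the file-output capture command for either snoop or tcpdump, and summarises a read-back capture. The hosts and addresses in the sample are constructed, and the summary function assumes the one-line format of `tcpdump -n -r file`.

```sh
#!/bin/sh
# Added example, not from the original notes. Assumes POSIX sh with awk and sort;
# every host name and address below is constructed.

# Assemble a filter from the three qualifiers in the notes:
# type (host|net|port) + value, optional direction (src|dst), optional protocol (tcp|udp|ip).
build_filter() {
    type=$1 value=$2 dir=$3 proto=$4
    case "$type" in host|net|port) ;; *) echo "bad type: $type" >&2; return 1 ;; esac
    case "$dir" in ''|src|dst) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
    case "$proto" in ''|tcp|udp|ip) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    filter="${dir:+$dir }$type $value"
    [ -n "$proto" ] && filter="$filter and $proto"
    printf '%s\n' "$filter"
}

# The capture command itself, following the notes: file output (snoop -o / tcpdump -w)
# instead of STDOUT, no name resolution (snoop -r / tcpdump -n), and a packet cap (-c)
# so the capture ends on its own instead of waiting for CTRL-C. Run as root.
capture_cmd() {
    tool=$1 outfile=$2 count=$3 filter=$4
    case "$tool" in
        snoop)   printf 'snoop -r -c %s -o %s %s\n' "$count" "$outfile" "$filter" ;;
        tcpdump) printf 'tcpdump -n -c %s -w %s %s\n' "$count" "$outfile" "$filter" ;;
        *) echo "unknown tool: $tool" >&2; return 1 ;;
    esac
}

# Read a capture played back as text (tcpdump -n -r file) on stdin and count, per
# source host, the TCP SYNs sent to port 21: who opened FTP control connections in
# the captured window. Output lines are "<count> <source host>", busiest first.
ftp_syn_sources() {
    awk '$2 == "IP" && $5 ~ /\.21:$/ && $6 == "Flags" && $7 == "[S]," {
             split($3, a, "."); src = a[1] "." a[2] "." a[3] "." a[4]; n[src]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample in tcpdump -n summary format (documentation addresses only).
SAMPLE='12:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.5.21: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 198.51.100.5.21 > 192.0.2.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000003 IP 192.0.2.10.40002 > 198.51.100.5.21: Flags [S], seq 3, win 64240, length 0
12:00:03.000004 IP 192.0.2.77.51000 > 198.51.100.5.21: Flags [S], seq 4, win 64240, length 0
12:00:04.000005 IP 192.0.2.77.51001 > 198.51.100.5.80: Flags [S], seq 5, win 64240, length 0'

# Print the FTP-traffic capture commands (the notes' example, for both tools), then the summary.
capture_cmd snoop snoop_ftp_traffic.out 200 "$(build_filter host linuxcbtsun1 '' tcp) and port 21"
capture_cmd tcpdump ftp_traffic.pcap 200 "$(build_filter host linuxcbtsun1 '' tcp) and port 21"
printf '%s\n' "$SAMPLE" | ftp_syn_sources
```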
