Velocity Reviews - Computer Hardware Reviews

Sniffer

 
 
John
 
      11-20-2003
Hi,
Can anyone recommend a good sniffer book?


 
 
 
 
 
Hansang Bae
 
      11-20-2003
In article <puUub.744$(E-Mail Removed)>, (E-Mail Removed) says...
> Hi,
> Can anyone recommend a good sniffer book?


Not really. Protocol analysis is still more "art" than science. But
"Troubleshooting TCP/IP" by Mark Miller is a pretty good place to
start.

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
*******************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
*******************************************************************
 
 
 
 
 
dmcknigh
 
      11-20-2003
Hansang Bae <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> In article <puUub.744$(E-Mail Removed)>, (E-Mail Removed)
> says...
> > Hi,
> > Can anyone recommend a good sniffer book?

>
> Not really. Protocol analysis is still more "art" than science. But
> "Troubleshooting TCP/IP" by Mark Miller is a pretty good place to
> start.


Unfortunately, AFAIK, there aren't any good third-party books
specifically on using Sniffer software. I'd be happy to answer
questions about "how-to"s if you'd like. I've been using Sniffer for a
long time.

There are cheaper analyzers, but Sniffer has a lot of capabilities
that are useful in troubleshooting a large network (if you're willing to
pop for the Distributed Sniffer), and it's the capture format most
likely to be usable in the event that you have to send traces to a
vendor for troubleshooting purposes. It can also be used in a *very*
limited way as an "Internet Worm Detector" and for monitoring/alerting
on intrusion attempts.

The aforementioned Net X-ray no longer exists (it was acquired by NAI and
the product became the basis of Sniffer PRO), but I understand that
Network Observer is a pretty strong product at a good price. As
mentioned, earlier versions of Sniffer PRO were somewhat limited (it was
really just Net X-ray with a few feature additions), but it's pretty
solid now, having 99% of the DOS features plus some added under the
Windows platform.
You might want to compare NAI's Netasyst Network Analyzer with some
others. You can download a free eval. copy at
http://www.networkassociates.com/us/...ls/default.asp

IMHO, "Network/Protocol Analysis is more of an art form than a
science" is certainly true. Remember that the analyzer is just a tool
and that an "Expert Analysis" feature is never going to be as powerful
as an experienced, focused mind.

-dmcknigh-
 
 
Hansang Bae
 
      11-21-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
[snip]
> product became basis of Sniffer PRO) but I understand that Network
> Observer is
> a pretty strong product at a good price. As mentioned, earlier
> versions of Sniffer PRO were somewhat limited (it was really just Net
> X-ray with a few feature add.s), but it's pretty solid now, having 99%
> of the DOS features plus some added under Win platform.


It was amazing that the Windows version lacked the ease of filtering
available on the DOS version.

Ethereal is pretty slick as well. It has one killer function that NAI's
product lacks: "Follow TCP Stream" will stitch HTTP packets back
together to show you the actual HTML code. Quite nice.

The command-line filtering is also quite nice.

--

hsb
 
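To show what "Follow TCP Stream" actually has to do before it can hand you the HTML, here is an added example (not from the thread, and not Ethereal's code): a minimal one-direction TCP stream reassembler in Python. The segments, the HTTP response, the ISN and the function names are all constructed for this example; segments are fed in out of order, with one retransmission, and with sequence numbers that wrap past 2^32 mid-stream.

```python
"""Added example: one-direction TCP stream reassembly by sequence number,
the core of an analyzer's "Follow TCP Stream". Pure stdlib; all input is
constructed below, not taken from a real capture."""
import random

MASK32 = 0xFFFFFFFF


def reassemble(isn, segments):
    """Reassemble one direction of a TCP stream from (seq, payload) pairs.

    isn is the initial sequence number from that side's SYN; the first data
    byte is at isn+1. Segments may arrive out of order or more than once, and
    sequence arithmetic is mod 2^32 so wraparound is handled.

    Returns (data, missing_offset). missing_offset is None when the stream is
    contiguous; otherwise it is the stream offset of the first byte we do not
    have. Reassembly stops at a hole rather than splicing across it, so a
    capture that dropped packets (common on a busy SPAN/monitor port) does not
    silently yield a stream with bytes missing from the middle.
    """
    base = (isn + 1) & MASK32
    # Stream offset of each segment, computed modulo 2^32 so a wrapped
    # sequence number still sorts into the right place.
    ordered = sorted(((seq - base) & MASK32, payload) for seq, payload in segments)
    out = bytearray()
    for offset, payload in ordered:
        if offset > len(out):
            return bytes(out), len(out)        # hole: segment lost or not captured
        if offset + len(payload) <= len(out):
            continue                            # pure retransmission, already have it
        out += payload[len(out) - offset:]      # keep only the new tail of an overlap
    return bytes(out), None


def http_split(stream):
    """Split a reassembled HTTP message into (head, body) at the blank line."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    return (head, body) if sep else (head, b"")


# Constructed server->client response, cut into 16-byte segments. The ISN is
# chosen so the sequence numbers wrap past 2^32 within the stream.
RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>hello</body></html>")
ISN = 0xFFFFFFF0
_segments = [((ISN + 1 + i) & MASK32, RESPONSE[i:i + 16])
             for i in range(0, len(RESPONSE), 16)]
random.Random(7).shuffle(_segments)            # arrive out of order
SEGMENTS = _segments + [_segments[0]]           # plus one retransmission
SEGMENTS_WITH_HOLE = [s for s in SEGMENTS if s[1] != RESPONSE[16:32]]

if __name__ == "__main__":
    data, hole = reassemble(ISN, SEGMENTS)
    print("stream complete" if hole is None else f"hole at offset {hole}")
    print(http_split(data)[1].decode())
```

A real analyzer keys streams by the (src, dst, sport, dport) 4-tuple, reassembles both directions and pairs them up by acknowledgement numbers; the part worth copying from the toy is the hole handling, since an analyzer that quietly concatenates across a gap shows you HTML that was never on the wire in that form.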
 
Pete Mainwaring
 
      11-21-2003
(E-Mail Removed) (dmcknigh) wrote in message news:<(E-Mail Removed).com>...
> Hansang Bae <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> > In article <puUub.744$(E-Mail Removed)>, (E-Mail Removed)
> > says...
> > > Hi,
> > > Can anyone recommend a good sniffer book?

> >
> > Not really. Protocol analysis is still more "art" than science. But
> > "Troubleshooting TCP/IP" by Mark Miller is a pretty good place to
> > start.
> >
> > --
> >
> > hsb
> >


SNIP ....

> Unfortunately, AFAIK, there aren't any good third party books
> specifically on using Sniffer software. I'd be happy to answer
> questions about "how-to"s if you'd like. I've been using Sniffer for a
> long time.
> ...
> ...
> ...
> IMHO, "Network/Protocol Analysis is more of an art form than a
> science" is certainly true. Remember that the analyzer is just a tool
> and that an "Expert Analysis" feature is never going to be as powerful
> as an experienced, focused mind.
>
> -dmcknigh-


This is probably somewhat "off-group", but I was attached to a
2950G-48 using a monitor port (there - will that do?).

I've also been using sniffer (and similar products) for many years,
but came across something the other day that I couldn't work out how
to do.

We were suffering from W32.HLLW.Raleka attacks on our internal network
and I set up our sniffer to monitor for virus activity, to establish
which IP addresses were involved. Characteristics of this virus were
that it tried to connect on ports 135 and 6667, so that was easy to
trap. However, it also tried to use a random port above port 32767,
but do you think I could find a way to trap a destination port
Greater-Than a value?

Any thoughts?

TIA

Pete
 
 
M.C. van den Bovenkamp
 
      11-21-2003
Pete Mainwaring wrote:

> but do you think I could find a way to trap a destination port
> Greater-Than a value?
>
> Any thoughts?


Tcpdump can do it: 'tcp[2:2] > 32767'. And so can Ethereal, because it
uses libpcap/tcpdump filters as capture filters. An Ethereal display
filter to do the same would be 'tcp.dstport gt 32767'.

Replace with 'udp' where appropriate.

Regards,

Marco.

 
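To make the byte-offset filter concrete, here is an added Python example (not part of the thread, and not tcpdump's or Ethereal's code) that evaluates the equivalent of `tcp dst port 135 or tcp dst port 6667 or tcp[2:2] > 32767` over constructed Ethernet/IPv4 frames and tallies matches per source IP, which is what Pete wanted out of the trace. The frame builder, function names and sample addresses are all mine. Two details of how the real filter behaves are reproduced on purpose: libpcap computes the TCP header offset from the IP header length field, so IP options do not shift `tcp[2:2]`, and only the first fragment of a fragmented datagram carries the port numbers, so later fragments never match.

```python
"""Added example: evaluate the capture filter from the post
('tcp[2:2] > 32767', i.e. TCP destination port above 32767, plus the two fixed
ports) over constructed frames and tally hits per source IP. Pure stdlib; the
frames are built inline, not taken from a real capture."""
import struct
from collections import Counter

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
WORM_PORTS = {135, 6667}


def build_frame(src_ip, dst_ip, dport, proto=IPPROTO_TCP, ip_options=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame. Checksums are left
    zero; a capture filter never verifies them. ip_options exercises the
    IHL-dependent header offset that 'tcp[2:2]' depends on."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)   # sport, dport, len, csum
    total_len = ihl * 4 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_IP)
    return eth + ip + ip_options + l4


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, dst_port) for an IPv4 TCP/UDP frame,
    else None. Mirrors what libpcap does for 'tcp[2:2]': the transport header
    offset comes from the IHL nibble, and non-first fragments are rejected
    because they carry no transport header at all."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None                                   # filter is IPv4-only
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or frag_off != 0:
        return None
    l4 = ip[ihl:]
    if len(l4) < 4:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    dport = struct.unpack("!H", l4[2:4])[0]           # this is 'tcp[2:2]' / 'udp[2:2]'
    return src, dst, proto, dport


def matches_worm_filter(frame):
    """'tcp dst port 135 or tcp dst port 6667 or tcp[2:2] > 32767'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    _, _, proto, dport = parsed
    return proto == IPPROTO_TCP and (dport in WORM_PORTS or dport > 32767)


def suspect_sources(frames):
    """Count matching frames per source IP: the hosts to go and clean."""
    hits = Counter()
    for f in frames:
        if matches_worm_filter(f):
            hits[parse_frame(f)[0]] += 1
    return hits


# Constructed traffic (addresses are made up)
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 135),
    build_frame("10.0.0.5", "10.0.0.10", 6667),
    build_frame("10.0.0.5", "10.0.0.11", 40123),
    build_frame("10.0.0.7", "10.0.0.11", 32768, ip_options=b"\x01\x01\x01\x01"),  # IHL=6
    build_frame("10.0.0.8", "10.0.0.11", 32767),                       # not > 32767
    build_frame("10.0.0.8", "10.0.0.11", 40000, proto=IPPROTO_UDP),    # udp, not tcp
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,  # ARP
]

if __name__ == "__main__":
    for ip, n in suspect_sources(SAMPLE_FRAMES).most_common():
        print(f"{ip}\t{n} suspicious connection attempt(s)")
```

Current tcpdump/libpcap also accept `tcp dst portrange 32768-65535`, which reads more clearly than the byte-offset form and does the same job; the `tcp[2:2]` form is what was available in 2003 and still works. Either way, a "port above N" filter on its own is a coarse net (plenty of legitimate clients pick ephemeral ports in that range), so the per-source tally is only a starting list of hosts to check, not proof of infection.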
 
Andre Beck
 
      11-21-2003
Hansang Bae <(E-Mail Removed)> writes:
>
> Ethereal is pretty slick as well. It has one killer function that NAI's
> product lacks. "Follow the TCP Stream" will stitch HTTP packets back
> together to show you the actual html code. Quite nice.


There's also a new "port" of Ethereal to Windows that looks better than
the original and seems to be more capable, too. It's called Packetizer
(IIRC) and it's of course GPL.

--
The _S_anta _C_laus _O_peration
or "how to turn a complete illusion into a neverending money source"

-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
 
 
Hansang Bae
 
      11-22-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> There's also a new "port" of Ethereal to Windows that looks better than
> the original and seems to be more capable, too. It's called Packetizer
> (IIRC) and it's of course GPL.


Let me know if you can find a link... Google didn't turn anything up.

thanks!
--

hsb
 
 
Hansang Bae
 
      11-22-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> We were suffering from W32.HLLW.Raleka attacks on our internal network
> and I set up our sniffer to monitor for virus activity, to establish
> which IP addresses were involved. Characteristics of this virus were
> that it tried to connect on ports 135 and 6667, so that was easy to
> trap. However, it also tried to use a random port above port 32767,
> but do you think I could find a way to trap a destination port
> Greater-Than a value?


Ethereal can do it, but I don't think NAI's product can do it (easily).
What might be easier is to capture on the signature of the Raleka
attacks (if one is known).


--

hsb
 
 
M.C. van den Bovenkamp
 
      11-22-2003
Hansang Bae wrote:

>>There's also a new "port" of Ethereal to Windows that looks better than
>>the original and seems to be more capable, too. It's called Packetizer
>>(IIRC) and it's of course GPL.

>
> Let me know if you can find a link....google didn't turn anything up.


That's because it's called 'Packetyzer':

http://www.networkchemistry.com/products/packetyzer/

Regards,

Marco.

 