Sniffer

Discussion in 'Cisco' started by John, Nov 20, 2003.

  1. John

    John Guest

    Hi,
    Can anyone recommend a good sniffer book.
    John, Nov 20, 2003
    #1

  2. John

    Hansang Bae Guest

    In article <puUub.744$>,
    says...
    > Hi,
    > Can anyone recommened a good sniffer book.


    Not really. Protocol analysis is still more "art" than science. But
    the "Troubleshooting TCP/IP" by Mark Miller is pretty good place to
    start.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Nov 20, 2003
    #2

  3. John

    dmcknigh Guest

    Hansang Bae <> wrote in message news:<>...
    > In article <puUub.744$>,
    > says...
    > > Hi,
    > > Can anyone recommened a good sniffer book.

    >
    > Not really. Protocol analysis is still more "art" then science. But
    > the "Troubleshooting TCP/IP" by Mark Miller is pretty good place to
    > start.
    >
    > --
    >
    > hsb
    >
    > "Somehow I imagined this experience would be more rewarding" Calvin
    > *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    > ********************************************************************
    > Due to the volume of email that I receive, I may not not be able to
    > reply to emails sent to my account. Please post a followup instead.
    > ********************************************************************


    Unfortunately, AFAIK, there aren't any good third party books
    specifically on using Sniffer software. I'd be happy to answer
    questions about "how-to"s if you'd like. I've been using Sniffer for a
    long time.

    There are cheaper analyzers, but Sniffer has a lot of capabilities
    that are useful in troubleshooting a large network (if you're willing to
    pop for the Distributed Sniffer) and it's the capture format most
    likely to be usable in the event that you have to send traces to a
    vendor for troubleshooting purposes. It can also be used in *very*
    limited way as an "Internet Worm Detector" and for monitoring/alerting
    on intrusion attempts.

    The aforementioned Net X-ray no longer exists (acquired by NAI and
    product became basis of Sniffer PRO) but I understand that Network
    Observer is a pretty strong product at a good price. As mentioned, earlier
    versions of Sniffer PRO were somewhat limited (it was really just Net
    X-ray with a few feature add.s), but it's pretty solid now, having 99%
    of the DOS features plus some added under Win platform.
    You might want to compare NAI's Netasyst Network Analyzer with some
    others. You can download a free eval. copy at
    http://www.networkassociates.com/us/downloads/evals/default.asp

    IMHO, "Network/Protocol Analysis is more of an art form than a
    science" is certainly true. Remember that the analyzer is just a tool
    and that an "Expert Analysis" feature is never going to be as powerful
    as an experienced, focused mind.

    -dmcknigh-
    dmcknigh, Nov 20, 2003
    #3
  4. John

    Hansang Bae Guest

    In article <>,
    says...
    [snip]
    > product became basis of Sniffer PRO) but I understand that Network
    > Observer is
    > a pretty strong product at a good price. As mentioned, earlier
    > versions of Sniffer PRO were somewhat limited (it was really just Net
    > X-ray with a few feature add.s), but it's pretty solid now, having 99%
    > of the DOS features plus some added under Win platform.


    It was amazing that the Windows version lacked the ease of filtering
    available on the DOS version.

    Ethereal is pretty slick as well. It has one killer function that NAI's
    product lacks. "Follow the TCP Stream" will stitch HTTP packets back
    together to show you the actual html code. Quite nice.

    The command line filtering is also quite nice.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Nov 21, 2003
    #4
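The "Follow the TCP Stream" feature praised in the post above works by putting one direction's segments back in sequence-number order, dropping retransmitted bytes and noting holes, before the bytes are shown as text. The following is an added example (written for this page, not code from Ethereal or NAI) of that reassembly step in Python, followed by a split of the stitched HTTP response into status line, headers and HTML body. The segment list and the starting sequence number are constructed here; `first_seq` is assumed to be the sequence number of the first payload byte (ISN + 1 when the SYN was captured).

```python
# Added example: a minimal "follow the TCP stream" reassembler for one
# direction of a connection, plus a helper that splits the reassembled
# HTTP message into status line, headers and body.

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


def reassemble_direction(segments, first_seq):
    """Stitch one direction of a TCP conversation back together.

    segments  : iterable of (seq, payload) for that direction, in capture
                order, possibly reordered, retransmitted or overlapping.
    first_seq : sequence number of the first payload byte (assumed to be
                ISN + 1 when the SYN was captured).
    Returns (data, gaps); gaps lists (start, end) relative offsets that no
    captured segment covered.
    """
    # Work in offsets relative to first_seq so 32-bit wraparound is harmless.
    ordered = sorted(((seq - first_seq) & MASK32, payload)
                     for seq, payload in segments if payload)
    out = bytearray()
    gaps = []
    expected = 0  # next relative offset we still need data for
    for rel, payload in ordered:
        if rel > expected:
            # Missing segment(s): record the hole and continue after it.
            gaps.append((expected, rel))
            expected = rel
        elif rel < expected:
            # Retransmission or partial overlap: keep only the new bytes.
            payload = payload[expected - rel:]
            if not payload:
                continue
        out += payload
        expected += len(payload)
    return bytes(out), gaps


def split_http_message(data):
    """Split a reassembled HTTP message into (start_line, header_lines, body)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


# Constructed sample: one HTTP response that was sent as three segments,
# captured out of order with the middle one retransmitted.
SAMPLE_FIRST_SEQ = 0xFFFFFFF0  # chosen so the stream crosses the 32-bit wrap
SAMPLE_PARTS = [
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n",
    b"<html><body>",
    b"Hello</body></html>",
]


def sample_segments():
    """Return the sample parts as (seq, payload) in a scrambled capture order."""
    seq = SAMPLE_FIRST_SEQ
    segs = []
    for part in SAMPLE_PARTS:
        segs.append((seq & MASK32, part))
        seq += len(part)
    # Delivered as 3rd, 1st, 2nd, 2nd again: reordering plus a retransmit.
    return [segs[2], segs[0], segs[1], segs[1]]


if __name__ == "__main__":
    data, gaps = reassemble_direction(sample_segments(), SAMPLE_FIRST_SEQ)
    start, headers, body = split_http_message(data)
    print(start.decode(), headers, body.decode(), "gaps:", gaps)
```

Run both directions separately (client to server, then server to client) and you have the two halves that the analyzer displays in alternating colours; a non-empty `gaps` list is the practical reason a captured stream sometimes shows truncated HTML, since the capture itself dropped a segment.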
  5. (dmcknigh) wrote in message news:<>...
    > Hansang Bae <> wrote in message news:<>...
    > > In article <puUub.744$>,
    > > says...
    > > > Hi,
    > > > Can anyone recommened a good sniffer book.

    > >
    > > Not really. Protocol analysis is still more "art" then science. But
    > > the "Troubleshooting TCP/IP" by Mark Miller is pretty good place to
    > > start.
    > >
    > > --
    > >
    > > hsb
    > >


    SNIP ....

    > Unfortunately, AFAIK, there aren't any good third party books
    > specifically on using Sniffer software. I'd be happy to answer
    > questions about "how-to"s if you'd like. I've been using Sniffer for a
    > long time.
    > ...
    > ...
    > ...
    > IMHO, "Network/Protocol Analysis is more of an art form than a
    > science" is certainly true. Remember that the analyzer is just a tool
    > and that an "Expert Analysis" feature is never going to be as powerful
    > as an experienced, focused mind.
    >
    > -dmcknigh-


    This is probably somewhat "off-group", but I was attached to a
    2950G-48 using a monitor port (there - will that do?).

    I've also been using sniffer (and similar products) for many years,
    but came across something the other day that I couldn't work out how
    to do.

    We were suffering from W32.HLLW.Raleka attacks on our internal network
    and I set up our sniffer to monitor for virus activity, to establish
    which IP addresses were involved. Characteristics of this virus were
    that it tried to connect on ports 135 and 6667, so that was easy to
    trap. However, it also tried to use a random port above port 32767,
    but do you think I could find a way to trap a destination port
    Greater-Than a value?

    Any thoughts?

    TIA

    Pete
    Pete Mainwaring, Nov 21, 2003
    #5
  6. Pete Mainwaring wrote:

    > but do you think I could find a way to trap a destination port
    > Greater-Than a value?
    >
    > Any thoughts?


    Tcpdump can do it: 'tcp[2:2] > 32767'. And so can Ethereal, because it
    uses libpcap/tcpdump filters as capture filters. An Ethereal display
    filter to do the same would be 'tcp.dstport gt 32767'.

    Replace with 'udp' where appropriate.

    Regards,

    Marco.
    M.C. van den Bovenkamp, Nov 21, 2003
    #6
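Marco's filter 'tcp[2:2] > 32767' works because bytes 2 and 3 of the TCP header are the destination port, and libpcap locates that header after whatever IP options are present. As an added example (written for this page, not code from tcpdump, Ethereal or Sniffer), the Python below applies the same logic to raw Ethernet/IPv4 frames and combines it with the fixed-port triggers (135 and 6667) from Pete's post #5, returning the source addresses involved, which was the original goal. The frames are constructed in the code, so it runs offline; `build_frame` and `flag_suspect_frames` are names chosen here.

```python
import struct

# Added example: apply the thread's capture-filter logic
# ('tcp[2:2] > 32767', i.e. destination port above a threshold, plus the
# fixed destination ports 135 and 6667) to raw Ethernet/IPv4 frames.

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_frame(dst_port, proto=PROTO_TCP, src_ip="10.0.0.1", src_port=1025,
                ip_options=b"", frag_offset=0):
    """Constructed test frame: Ethernet + IPv4 (+options) + TCP/UDP header.
    Checksums and most other fields are zeroed; enough for the filter."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:  # 20-byte TCP header with SYN set, data offset 5
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4), 0,
                     frag_offset & 0x1FFF, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 2]))
    eth = b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + ip_options + l4


def parse_ipv4_transport(frame):
    """Return (src_ip, proto, dst_port), or None when the frame is not IPv4
    TCP/UDP with a transport header present. Non-first fragments carry no
    transport header, which is also why tcpdump's tcp[2:2] only tests the
    first fragment of a datagram."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # honour IP options, as libpcap does
    proto = ip[9]
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None                    # fragment offset != 0
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    l4 = ip[ihl:]
    if len(l4) < 4:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_port = struct.unpack("!H", l4[2:4])[0]   # the bytes tcp[2:2] / udp[2:2] read
    return src_ip, proto, dst_port


def flag_suspect_frames(frames, threshold=32767, fixed_ports=(135, 6667),
                        protos=(PROTO_TCP,)):
    """Equivalent of 'tcp dst port 135 or tcp dst port 6667 or tcp[2:2] > 32767'.
    Returns (src_ip, dst_port) per matching frame so the talkers can be listed.
    Pass protos=(PROTO_TCP, PROTO_UDP) to apply the same test to UDP."""
    hits = []
    for frame in frames:
        parsed = parse_ipv4_transport(frame)
        if parsed is None:
            continue
        src_ip, proto, dst_port = parsed
        if proto in protos and (dst_port > threshold or dst_port in fixed_ports):
            hits.append((src_ip, dst_port))
    return hits


SAMPLE_FRAMES = [  # constructed for this example, not from a real capture
    build_frame(40000, src_ip="10.0.0.5"),
    build_frame(135, src_ip="10.0.0.6"),
    build_frame(80, src_ip="10.0.0.7"),
    build_frame(32767, src_ip="10.0.0.8"),   # boundary: not greater than
    build_frame(40000, proto=PROTO_UDP, src_ip="10.0.0.9"),
]

if __name__ == "__main__":
    for src, port in flag_suspect_frames(SAMPLE_FRAMES):
        print(f"{src} -> dst port {port}")
```

The boundary case matters: 32767 itself is not "greater than", and the UDP frame is ignored unless UDP is listed, which is what Marco's "replace with 'udp' where appropriate" amounts to in practice.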
  7. John

    Andre Beck Guest

    Hansang Bae <> writes:
    >
    > Ethereal is pretty slick as well. It has one killer function that NAI's
    > product lacks. "Follow the TCP Stream" will stitch HTTP packets back
    > together to show you the actual html code. Quite nice.


    There's also a new "port" of Ethereal to Windows that looks better than
    the original and seems to be more capable, too. It's called Packetizer
    (IIRC) and it's of course GPL.

    --
    The _S_anta _C_laus _O_peration
    or "how to turn a complete illusion into a neverending money source"

    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Nov 21, 2003
    #7
  8. John

    Hansang Bae Guest

    In article <>, says...
    > There's also a new "port" of Ethereal to Windows that looks better than
    > the original and seems to be more capable, too. It's called Packetizer
    > (IIRC) and it's of course GPL.


    Let me know if you can find a link....google didn't turn anything up.

    thanks!
    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Nov 22, 2003
    #8
  9. John

    Hansang Bae Guest

    In article <>,
    says...
    > We were suffering from W32.HLLW.Raleka attacks on our internal network
    > and I set up our sniffer to monitor for virus activity, to establish
    > which IP addresses were involved. Characteristics of this virus were
    > that it tried to connect on ports 135 and 6667, so that was easy to
    > trap. However, it also tried to use a random port above port 32767,
    > but do you think I could find a way to trap a destination port
    > Greater-Than a value?


    Ethereal can do it...but I don't think NAI's product can do it (easily).
    What might be easier is to capture on the signature of the Raleka
    attacks (if one is known).


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Nov 22, 2003
    #9
  10. Hansang Bae wrote:

    >>There's also a new "port" of Ethereal to Windows that looks better than
    >>the original and seems to be more capable, too. It's called Packetizer
    >>(IIRC) and it's of course GPL.

    >
    > Let me know if you can find a link....google didn't turn anything up.


    That's because it's called 'Packetyzer':

    http://www.networkchemistry.com/products/packetyzer/

    Regards,

    Marco.
    M.C. van den Bovenkamp, Nov 22, 2003
    #10
  11. John

    Hansang Bae Guest

    In article <3fbeaf5b$0$50802$4all.nl>,
    says...
    > That's because it's called 'Packetyzer':
    > http://www.networkchemistry.com/products/packetyzer/



    Thanks. Someone else posted:
    http://www.stearns.org/doc/pcap-apps.html

    And grabbed it from there!

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Nov 22, 2003
    #11
  12. Hansang Bae <> wrote in message news:<>...
    > Let me know if you can find a link....google didn't turn anything up.
    >
    > thanks!
    > --
    >
    > hsb




    http://www.ethereal.com

    -RFH
    Ramon F Herrera, Nov 23, 2003
    #12
  13. Hansang Bae <> wrote in message news:<>...
    > In article <>,
    > says...
    > > We were suffering from W32.HLLW.Raleka attacks on our internal network
    > > and I set up our sniffer to monitor for virus activity, to establish
    > > which IP addresses were involved. Characteristics of this virus were
    > > that it tried to connect on ports 135 and 6667, so that was easy to
    > > trap. However, it also tried to use a random port above port 32767,
    > > but do you think I could find a way to trap a destination port
    > > Greater-Than a value?

    >
    > Ethereal can do it..but I don't think NAI's product can do it (easily).
    > What might be easier is to capture on the signature of the releka
    > attacks (if one is known)
    >
    >
    > --
    >
    > hsb
    >
    > "Somehow I imagined this experience would be more rewarding" Calvin
    > *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    > ********************************************************************
    > Due to the volume of email that I receive, I may not not be able to
    > reply to emails sent to my account. Please post a followup instead.
    > ********************************************************************


    Thanks for the replies - they confirmed what I thought - that NAI
    can't do it (not very good for such an expensive product, don't you
    think?).

    We use Ethereal as well, but that was monitoring the Token Ring part
    of the network (yes - we still have Token Ring, and quite a lot of
    it). We also use TCPDUMP, but didn't have it set up on any of the
    affected VLANs at the time.

    We managed to find all of the infected PCs using the port 135 and 6667
    triggers, so we are all clean again.

    Thanks again,

    Pete
    Pete Mainwaring, Nov 24, 2003
    #13
  14. Pete Mainwaring wrote:
    [...]
    > We managed to find all of the infected PCs using the port 135 and 6667
    > triggers, so we are all clean again.


    Am I the only one worried by this statement? It suggests that no A/V
    software is installed.


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
    Bob { Goddard }, Nov 24, 2003
    #14
  15. Bob { Goddard } <> wrote in message news:<bptaar$1rr705$-berlin.de>...
    > Pete Mainwaring wrote:
    > [...]
    > > We managed to find all of the infected PCs using the port 135 and 6667
    > > triggers, so we are all clean again.

    >
    > Am I the only one worried by this statement? It suggests that no A/V
    > software is installed.
    >
    >
    > B


    That last statement of mine does make it sound like that was the case
    doesn't it? We do have AV S/W installed, but the first report came
    from one of our offices in Europe (we are in the UK) who noticed
    virus-like activity (ping sweeps etc.) before any of our users were
    in. We started getting calls from our users as soon as they started
    using their PCs.

    The sniffer monitoring was set up to preempt further problems, or at
    least reduce their impact. It meant we could find the infected PCs
    quickly and apply the Windows O/S fixes asap. As you probably know,
    the Windows vulnerabilities that existed meant that even PCs with the
    AV software running could still be infected.

    Pete
    Pete Mainwaring, Nov 25, 2003
    #15
  16. John

    Guest


    > As you probably know,
    >the Windows vulnerabilities that existed meant that even PCs with the
    >AV software running could still be infected.


    Infected isn't quite the right word. Without the OS patches, they
    could still be attacked, but the actual virus file could not be
    transferred onto the machine.

    -Chris
    , Nov 28, 2003
    #16