Sniffer

Discussion in 'Cisco' started by John, Nov 20, 2003.

  1. John

    John Guest

    Hi,
Can anyone recommend a good sniffer book.
     
    John, Nov 20, 2003
    #1

  2. Hansang Bae Guest

    Not really. Protocol analysis is still more "art" than science. But
    "Troubleshooting TCP/IP" by Mark Miller is a pretty good place to
    start.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Nov 20, 2003
    #2

  3. dmcknigh Guest

    Unfortunately, AFAIK, there aren't any good third party books
    specifically on using Sniffer software. I'd be happy to answer
    questions about "how-to"s if you'd like. I've been using Sniffer for a
    long time.

    There are cheaper analyzers, but Sniffer has a lot of capabilities
    that are useful in troubleshooting a large network (if you're willing to
    pop for the Distributed Sniffer) and it's the capture format most
    likely to be useable in the event that you have to send traces to a
    vendor for troubleshooting purposes. It can also be used in *very*
    limited way as an "Internet Worm Detector" and for monitoring/alerting
    on intrusion attempts.

    The aforementioned Net X-ray no longer exists (acquired by NAI and the
    product became the basis of Sniffer PRO), but I understand that Network
    Observer is a pretty strong product at a good price. As mentioned, earlier
    versions of Sniffer PRO were somewhat limited (it was really just Net
    X-ray with a few feature adds), but it's pretty solid now, having 99%
    of the DOS features plus some added under the Win platform.
    You might want to compare NAI's Netasyst Network Analyzer with some
    others. You can download a free eval. copy at
    http://www.networkassociates.com/us/downloads/evals/default.asp

    IMHO, "Network/Protocol Analysis is more of an art form than a
    science" is certainly true. Remember that the analyzer is just a tool
    and that an "Expert Analysis" feature is never going to be as powerful
    as an experienced, focused mind.

    -dmcknigh-
     
    dmcknigh, Nov 20, 2003
    #3
  4. Hansang Bae Guest

    [snip]
    It was amazing that the Windows version lacked the ease of filtering
    available on the DOS version.

    Ethereal is pretty slick as well. It has one killer function that NAI's
    product lacks. "Follow the TCP Stream" will stitch HTTP packets back
    together to show you the actual html code. Quite nice.

    The command line filtering is also quite nice.

    --

    hsb

     
    Hansang Bae, Nov 21, 2003
    #4
  5. SNIP ....
    This is probably somewhat "off-group", but I was attached to a
    2950G-48 using a monitor port (there - will that do?).

    I've also been using sniffer (and similar products) for many years,
    but came across something the other day that I couldn't work out how
    to do.

    We were suffering from W32.HLLW.Raleka attacks on our internal network
    and I set up our sniffer to monitor for virus activity, to establish
    which IP addresses were involved. Characteristics of this virus were
    that it tried to connect on ports 135 and 6667, so that was easy to
    trap. However, it also tried to use a random port above port 32767,
    but do you think I could find a way to trap a destination port
    Greater-Than a value?

    Any thoughts?

    TIA

    Pete
     
    Pete Mainwaring, Nov 21, 2003
    #5
  6. Tcpdump can do it: 'tcp[2:2] > 32767'. And so can Ethereal, because it
    uses libpcap/tcpdump filters as capture filters. An Ethereal display
    filter to do the same would be 'tcp.dstport gt 32767'.

    Replace with 'udp' where appropriate.

    Regards,

    Marco.
     
    M.C. van den Bovenkamp, Nov 21, 2003
    #6
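    The two filters Marco gives above (tcpdump's 'tcp[2:2] > 32767' and Ethereal's 'tcp.dstport gt 32767'), combined with the port 135/6667 triggers from Pete's question, as an added Python example that is not from the thread: it builds constructed IPv4/TCP packets, reads the destination port the way libpcap's byte-offset filter does (relative to the TCP header, so IP options must be skipped via IHL), and applies the combined filter to list the source addresses that hit it. The packet builder, trigger port set and threshold constant are assumptions for the demo.

```python
import struct

# Assumed for the demo: the fixed ports from the thread plus the
# "destination port greater than 32767" condition from the question.
TRIGGER_PORTS = {135, 6667}
HIGH_PORT_THRESHOLD = 32767


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, ip_options=b""):
    """Constructed sample packet: IPv4 header (+ optional options padded
    to 4 bytes) followed by a 20-byte TCP SYN. Checksums are left zero."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                          8192, 0, 0)
    return ip_hdr + ip_options + tcp_hdr


def tcp_dst_port(pkt):
    """Equivalent of BPF 'tcp[2:2]': the 16-bit field at offset 2 of the
    TCP header. libpcap finds the TCP header via the IP header length
    (IHL), so a 20-byte IP header must not be assumed."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or pkt[9] != 6:
        return None                       # not IPv4 carrying TCP
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return None                       # truncated capture
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def matches_worm_filter(pkt):
    """'tcp[2:2] > 32767' OR destination port in the fixed trigger set."""
    dport = tcp_dst_port(pkt)
    if dport is None:
        return False
    return dport in TRIGGER_PORTS or dport > HIGH_PORT_THRESHOLD


def suspect_sources(packets):
    """Sorted list of source IPs whose traffic matched the filter."""
    hits = set()
    for pkt in packets:
        if matches_worm_filter(pkt):
            hits.add(".".join(str(b) for b in pkt[12:16]))
    return sorted(hits)
```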
  7. Andre Beck Guest

    There's also a new "port" of Ethereal to Windows that looks better than
    the original and seems to be more capable, too. It's called Packetizer
    (IIRC) and it's of course GPL.
     
    Andre Beck, Nov 21, 2003
    #7
  8. Hansang Bae Guest

    Let me know if you can find a link....google didn't turn anything up.

    thanks!
    --

    hsb

     
    Hansang Bae, Nov 22, 2003
    #8
  9. Hansang Bae Guest

    Ethereal can do it, but I don't think NAI's product can do it (easily).
    What might be easier is to capture on the signature of the Raleka
    attacks (if one is known).


    --

    hsb

     
    Hansang Bae, Nov 22, 2003
    #9
  10. M.C. van den Bovenkamp, Nov 22, 2003
    #10
  11. Hansang Bae Guest

    Thanks. Someone else posted:
    http://www.stearns.org/doc/pcap-apps.html

    And grabbed it from there!

    --

    hsb

     
    Hansang Bae, Nov 22, 2003
    #11
  12. http://www.ethereal.com

    -RFH
     
    Ramon F Herrera, Nov 23, 2003
    #12
  13. Thanks for the replies - they confirmed what I thought - that NAI
    can't do it (not very good for such an expensive product, don't you
    think?).

    We use Ethereal as well, but that was monitoring the Token Ring part
    of the network (yes - we still have Token Ring, and quite a lot of
    it). We also use TCPDUMP, but didn't have it set up on any of the
    affected VLANs at the time.

    We managed to find all of the infected PCs using the port 135 and 6667
    triggers, so we are all clean again.

    Thanks again,

    Pete
     
    Pete Mainwaring, Nov 24, 2003
    #13
  14. Pete Mainwaring wrote:
    [...]
    Am I the only one worried by this statement? It suggests that no A/V
    software is installed.


    B
     
    Bob { Goddard }, Nov 24, 2003
    #14
  15. That last statement of mine does make it sound like that was the case,
    doesn't it? We do have AV S/W installed, but the first report came
    from one of our offices in Europe (we are in the UK) who noticed
    virus-like activity (ping sweeps etc.) before any of our users were
    in. We started getting calls from our users as soon as they started
    using their PCs.

    The sniffer monitoring was set up to preempt further problems, or at
    least reduce their impact. It meant we could find the infected PCs
    quickly and apply the Windows O/S fixes asap. As you probably know,
    the Windows vulnerabilities that existed meant that even PCs with the
    AV software running could still be infected.

    Pete
     
    Pete Mainwaring, Nov 25, 2003
    #15
  16. chris Guest

    Infected isn't quite the right word. Without the OS patches, they
    could still be attacked, but the actual virus file could not be
    transferred onto the machine.

    -Chris
     
    chris, Nov 28, 2003
    #16
