Features:
1. Packet capture at every OSI layer except the physical layer (data link and up)
2. Packet playback/replay facility (read a saved capture back with -i)
3. By default sniffs on the first non-loopback interface found and writes decoded summaries to STDOUT
4. MUST be executed as root
Note: Capture to a file (-o) rather than decoding to STDOUT; real-time decoding costs CPU and increases the chance of dropped packets
snoop
snoop -o snoop1.out - writes the raw captured packets to the file 'snoop1.out' and prints a running packet count to STDOUT
Note: On a switched network only traffic to/from the Sun box (plus broadcast/multicast) reaches its port; MIRROR (SPAN) the traffic of interest to that port or snoop will not see it
snoop -i snoop1.out - reads packets back from the capture file instead of the network
Note: snoop captures until killed with CTRL-C or the disk fills up
snoop -i snoop1.out -p 11573,11577 - extracts only packets 11573 through 11577 (packet numbers as shown by snoop -i)
snoop -v -i snoop1.out - VERBOSE (full decode of every protocol layer, 2-7, in each packet)
snoop -V -i snoop1.out - VERBOSE SUMMARY (one summary line per protocol layer in each packet; halfway between the default summary and -v)
Note: snoop filter expressions are built from primitives (host, tcp, udp, ip, port, ...) combined with the Boolean operators and, or, not
snoop -i snoop1.out tcp port 80
Note: snoop -o output_file - stores the complete frames (layers 2-7), so any layer can be decoded later with -v
snoop -o snoop1.out udp - captures only UDP traffic
snoop -o snoop1.out 192.168.1.50 192.168.1.102 - captures only traffic between these two hosts
###FTP Traffic Snoop###
snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21
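The file that snoop -o writes and snoop -i reads is the RFC 1761 snoop format: an 8-byte "snoop" magic, a version (2) and datalink type, then one 24-byte record header per packet followed by the frame padded to 4 bytes. The following is an added example (not part of the original notes): a small Python reader that parses that format, reproduces the -p first,last range selection, and applies an AND of the host/tcp/udp/port primitives used above. The capture it reads is constructed inside the script (addresses, ports and MACs are made-up sample data), so it runs offline; a truncated final record, as happens when the disk fills mid-write, is dropped instead of aborting the read.

```python
"""Read snoop capture files (RFC 1761) and reproduce `snoop -i file -p first,last expr`."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"      # 8-byte file identification
SNOOP_VERSION = 2                       # version field defined by RFC 1761
DLT_ETHERNET = 4                        # datalink type code for Ethernet
RECORD_HDR = struct.Struct("!IIIIII")   # orig len, incl len, record len, drops, sec, usec


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def make_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a zero-filled TCP (6) or UDP (17) header."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    l4_len = 20 if proto == 6 else 8
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (l4_len - 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + l4


def build_snoop_file(frames, first_ts=1247500000):
    """Serialize raw frames into a snoop file, one record per frame, one second apart."""
    out = bytearray(SNOOP_MAGIC + struct.pack("!II", SNOOP_VERSION, DLT_ETHERNET))
    for i, frame in enumerate(frames):
        pad = (-len(frame)) % 4                     # records are padded to a 4-byte boundary
        rec_len = RECORD_HDR.size + len(frame) + pad
        out += RECORD_HDR.pack(len(frame), len(frame), rec_len, 0, first_ts + i, 0)
        out += frame + b"\x00" * pad
    return bytes(out)


def read_snoop_file(data):
    """Return [(packet_no, timestamp, frame)], numbered from 1 as snoop -i does."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, dlt = struct.unpack("!II", data[8:16])
    if version != SNOOP_VERSION or dlt != DLT_ETHERNET:
        raise ValueError(f"unsupported snoop version {version} / datalink {dlt}")
    packets, off, number = [], 16, 1
    while off + RECORD_HDR.size <= len(data):
        _orig, incl, rec_len, _drops, sec, usec = RECORD_HDR.unpack_from(data, off)
        if rec_len < RECORD_HDR.size + incl:
            raise ValueError(f"corrupt record length at offset {off}")
        start = off + RECORD_HDR.size
        if start + incl > len(data):
            break                                   # truncated tail (disk filled / interrupted write)
        packets.append((number, sec + usec / 1e6, bytes(data[start:start + incl])))
        off += rec_len
        number += 1
    return packets


def decode(frame):
    """Pull addresses, protocol and ports out of an Ethernet/IPv4 frame (None if not IPv4)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP and UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def matches(frame, host=None, proto=None, port=None):
    """AND of the snoop-style primitives supplied: host X, tcp/udp, port N."""
    d = decode(frame)
    if d is None:
        return False
    if host is not None and host not in (d["src"], d["dst"]):
        return False
    if proto == "tcp" and d["proto"] != 6:
        return False
    if proto == "udp" and d["proto"] != 17:
        return False
    if port is not None and port not in (d["sport"], d["dport"]):
        return False
    return True


def select_packets(data, first=None, last=None, host=None, proto=None, port=None):
    """Equivalent of `snoop -i data -p first,last <expression>`: range first, then filter."""
    selected = []
    for number, ts, frame in read_snoop_file(data):
        if (first is not None and number < first) or (last is not None and number > last):
            continue
        if matches(frame, host, proto, port):
            selected.append((number, ts, frame))
    return selected


# Constructed sample capture: an FTP control exchange, a DNS query and an HTTP request.
SAMPLE_CAPTURE = build_snoop_file([
    make_frame("192.168.1.50", "192.168.1.102", 6, 40000, 21),   # FTP control, client -> server
    make_frame("192.168.1.102", "192.168.1.50", 6, 21, 40000),   # FTP control, server -> client
    make_frame("192.168.1.50", "192.168.1.1", 17, 5353, 53),     # DNS query
    make_frame("192.168.1.77", "192.168.1.102", 6, 40001, 80),   # HTTP to the same server
])

if __name__ == "__main__":
    # Same selection as: snoop -i capture host 192.168.1.102 and tcp and port 21
    for number, ts, frame in select_packets(SAMPLE_CAPTURE, host="192.168.1.102", proto="tcp", port=21):
        d = decode(frame)
        print(f"{number:4d} {ts:.3f} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} len={len(frame)}")
```

The range is applied by packet number before the filter, which is how -p behaves in snoop: -p 2,3 selects the second and third packets of the file, not the second and third matches.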
###TCPDump###
www.tcpdump.org
Packet Capturing - command-line capture and decode of packets from network interfaces; writes and reads the libpcap capture format
Note: 2 major utilities that read/write TCPDump's (libpcap) capture format include:
1. Ethereal (now Wireshark) - GUI protocol analyzer/sniffer
2. Snort NIDS - sniffer/packet logger/NIDS
TCPDump filter expressions are built from primitives, each carrying up to 3 qualifiers:
1. Type - host|net|port, e.g. host 192.168.1.102 (what kind of thing the value names)
2. Direction - src|dst|src or dst|src and dst (defaults to src or dst when omitted)
3. Protocol - tcp|udp|ip (among others; when omitted, all protocols consistent with the type are matched)
Syntax:
tcpdump options expression
tcpdump
tcpdump -D - lists the available interfaces
tcpdump -i interface_name - binds to a specific interface
tcpdump -q - quick/quiet output: prints less protocol information per line
tcpdump -n - no name resolution of addresses and ports; improves performance and avoids the capturing host generating DNS queries of its own
Tuesday, July 14, 2009
Snoop Notes
Labels:
UNIX