Teldat Router. Sniffer Feature

Transcription

1 Teldat Router Sniffer Feature Doc. DM778-I Ver February, 2007

2 INDEX Chapter 1 Teldat Router Sniffer Feature Introduction Sniffer Feature: General Overview Capture File Capture Modes Capture Device... 5 Chapter 2 Configuring the Sniffer Feature Configuring the Sniffer Feature ? (HELP) CAPTURE... 9 a) Capture <interface>... 9 b) Capture any EXIT Commands Summary ii -

3 Chapter 1 Teldat Router Sniffer Feature

4 1. Introduction In the majority of the networks, due to the shared nature of the transmission environment, a message sent to a determined device can be intercepted by any other one. Although in practice, devices ignore messages sent to other devices, it is possible they decide not to ignore them and consequently obtain access to all the information traveling over their network. A Sniffer is specifically a program that allows you to intercept and log traffic in a network or part of a network. Once a packet has been captured, it can decode it and analyze it according to the appropriate RFC or other specification. This monitoring of the network permits you to detect bottlenecks or other network problems. In Ethernet environments for example, each device has a physical address, uniquely identifying it in the network, known as a MAC address (Media Access Control). The link layer inserts the device MAC address for the device in transmission and checks it at reception. If the packet destination MAC address coincides with its MAC, the frame is accepted and sent to the higher layers to be processed. In order to capture all the packets, the Sniffer sets the network card in a mode known as promiscuous where it is capable of capturing all the frames being transmitted over the media, even if the destination address does not coincides with its address. In this way, it can sniff information from any device connected to the same network. Figure 1. Traditional Ethernet Network. In Figure 1, packets whose source or destination address is device A are received by all the devices connected to the same broadcast domain, in this case B and C. Under normal conditions, both B and C drop the packets if the destination does not coincide with their MAC addresses. However, either one of them can intercept all the traffic from station A by simply setting the network card to promiscuous mode. TELDAT ROUTER Sniffer Feature Introduction I - 2

5 2. Sniffer Feature: General Overview The Teldat Router Sniffer feature allows you to intercept network traffic on the network the device is connected to, storing all the collected information in a file with.cap extension. This file can be extracted from the device memory and are later used to analyze the network behavior. The following sections describe the Sniffer feature operations Capture File By default, the file where the captured traffic information is stored is CAPTURE.CAP, although the user can assign a different name. SNIFFER config>filename prueba SNIFFER config> In our example, we have assigned prueba.cap as the capture file name. It is important to remember that it s necessary to save the configuration and restart the device so the association becomes effective. The.CAP file is stored in the device s memory /mem directory and can be accessed through an FTP connection. Figure 2.1. FTP Connection and extraction of capture file. In the above example (Figure 2.1), once logged in an FTP connection has been established with the device that executed the capture and a list of the contents has been obtained from the /mem directory and the CAPTURE.CAP file has been extracted using the get command. The file content can be displayed by using a protocol analyzer as shown in Figure 2.2. TELDAT ROUTER Sniffer Feature Introduction I - 3

6 Figure 2.2 Displaying the CAPTURE.CAP file through a protocol analyzer. The analyzer used divides the screen into three sub-windows. The first sub-window displays the different intercepted packets which are numerated; in the second the packet marked in the first window has been analyzed, identifying the different involved protocols; the last displays the selected packet at byte level. The packet flow corresponds to a ping process between device and device , firstly showing the initial exchange of ARP messages and subsequently the ICMP Request and ICMP Replay packet sequence Capture Modes The devices connected to a network are constantly listening to the media while waiting to receive data, checking to see if the packet destination address coincides with its address, in which case it is accepted and processed. On the basis of this operating principle, the Sniffer feature offers two packet capture modes: single-host: The device stores all packets, whose source or destination address coincides with its own, in the capture file. promiscuous: In this mode, the device intercepts and stores every one of the packets circulating over the network it is connected to. TELDAT ROUTER Sniffer Feature Introduction I - 4

7 2.3. Capture Device There are two alternatives to execute a capture: to specify a specific interface through which traffic is sniffed, e.g. ethernet0/0; or select an any device capture which permits you to capture traffic from the different interfaces which are active in the device. Capture execution is only possible in the P 5 process, as this must be carried out over an interface that is operative in the device. *p 5 Config$ feature sniffer capture ethernet0/0 100 promiscuous Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory. capture bri0/0 10 single-host pcap_open_live failed: Chosen device not supported CLI Error: Command error In the first example, a capture of 100 packets has been carried out in the ethernet0/0 interface using the network card in promiscuous mode; and in the second an interface where the Sniffer feature has not been enabled has been selected and the console displays the following error message: pcap_open_live failed: Chosen device not supported. In the any device captures, the packets are directly obtained from the kernel and encapsulated in a pseudo-protocol known as SLL, where the fictitious layer two header is added to them. capture any 100 single-host Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory. In this example, an any device capture for 100 packets has been executed in single-host mode with the aim of monitoring the same Ping process shown in Figure 2.2. Figure 2.3 shows a sequence of intercepted packets. In contrary to the first capture, the selected packet is not analyzed by identifying the different protocols it is composed of. Instead, we have a payload of 102 bytes encapsulated in SLL protocol. The packet corresponding with an ICMP Echo Request and an analysis of the data field permits you to identify the Ethernet, IP ICMP headers and finally the real data of the user. TELDAT ROUTER Sniffer Feature Introduction I - 5

8 Figure 2.3 Displaying an any device capture in Figure 2.2 ping process. capture any 100 promiscuous Warning: Promiscuous mode not supported on the "any" device Warning: Switching capture to single host... Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory. This last example gives information on the fact that the promiscuous mode is incompatible with the any device captures. If you try and force this combination, the device displays a warning message indicating that the capture mode has internally changed to single-host. TELDAT ROUTER Sniffer Feature Introduction I - 6

9 Chapter 2 Configuring the Sniffer Feature

10 1. Configuring the Sniffer Feature The following example shows you how to access the Sniffer feature configuration menu. *p 4 Config>feature sniffer SNIFFER config> The available commands are as follows: Command Function? (HELP) Displays the available commands or their options. FILENAME Permits you to specify the file name where the intercepted packets are saved. EXIT Returns to the configuration prompt (Config>). If you access the configuration menu from the RUNNING_CONFIG (P5), the available commands are as follows: Command Function? (HELP) Displays the available commands or their options. CAPTURE Starts packet capture. FILENAME Permits you to specify the file name where the intercepted packets are saved. EXIT Returns to the configuration prompt (Config>). *p 5 Config$feature sniffer? capture Start capturing packets filename Choose default file name exit Exit to parent menu The discrepancy in the Sniffer feature menu between the CONFIG and RUNNING-CONFIG is due to the fact that captures have to be carried out over the interfaces that are operating in the device, which limits P 5 to using the capture command. 1.1.? (HELP) Displays the list of available commands. TELDAT ROUTER Sniffer FeatureConfiguring II - 8

11 From P 4: Syntax: SNIFFER config>? SNIFFER config>? filename Choose default file name exit Exit to parent menu SNIFFER config> From P 5: Syntax:?? capture Start capturing packets filename Choose default file name exit Exit to parent menu 1.2. CAPTURE By executing this command, you initiate packet capture in the selected interface. You also need to specify the number of packets to be captured and the operating mode. The capture command is only available in the P 5 process in the Sniffer feature menu. Syntax: capture? <interface> Interface name any Any device a) Capture <interface> Permits you to specify a specific interface where packet capture is carried out. If the selected interface is not permitted to capture traffic, the console displays an error message. Syntax: capture <interface> <No. of packets( )> <mode> capture ethernet0/0 200 promiscuous Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory. TELDAT ROUTER Sniffer FeatureConfiguring II - 9

12 capture ethernet0/0 100 single-host Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory. In the first example, a capture of 200 packets in promiscuous mode has been carried out, and in the second, a capture of 100 packets in single-host mode. In the first case, you have all the packets which arrived at the Ethernet network card and in the second case, only packets whose source or destination address coincides with the device s network card have been captured. The user can abort the capture process by simply pressing any key. The file.cap collects the packets captured up until this point. b) Capture any Executes an any device capture. I.e. the packets which enter or exit the device encapsulated in a fictional layer 2 frame are available. The data field is made up of a layer 3 real packet and, if possible, the real header from the link layer. Syntax: capture any <No. of packets( )> <mode> capture any 10 single-host Capturing traffic (Press any key to abort)... Capture finished CAP file is available, by means of FTP connection, in /mem directory EXIT Exits the Sniffer feature configuration environment and returns to the previous configuration prompt. Syntax: SNIFFER config>exit SNIFFER config>exit Config> TELDAT ROUTER Sniffer FeatureConfiguring II - 10

13 2. Commands Summary CAPTURE < interface any > <No. of packets ( )> <promiscuous single-host> FILENAME <File_name(1..8 chars)> EXIT TELDAT ROUTER Sniffer FeatureConfiguring II - 11