Teldat Router. Sniffer Feature


Teldat Router Sniffer Feature Doc. DM778-I Ver. 10.60 February, 2007

INDEX

Chapter 1  Teldat Router Sniffer Feature
  1. Introduction
  2. Sniffer Feature: General Overview
    2.1. Capture File
    2.2. Capture Modes
    2.3. Capture Device

Chapter 2  Configuring the Sniffer Feature
  1. Configuring the Sniffer Feature
    1.1. ? (HELP)
    1.2. CAPTURE
      a) Capture <interface>
      b) Capture any
    1.3. EXIT
  2. Commands Summary

Chapter 1 Teldat Router Sniffer Feature

1. Introduction

In the majority of networks, due to the shared nature of the transmission medium, a message sent to a given device can be intercepted by any other one. Although in practice devices ignore messages sent to other devices, they can decide not to ignore them and consequently obtain access to all the information traveling over their network.

A Sniffer is specifically a program that allows you to intercept and log traffic in a network or part of a network. Once a packet has been captured, it can be decoded and analyzed according to the appropriate RFC or other specification. This monitoring of the network permits you to detect bottlenecks or other network problems.

In Ethernet environments, for example, each device has a physical address that uniquely identifies it in the network, known as a MAC address (Media Access Control). The link layer inserts the device's MAC address on transmission and checks it on reception. If the packet's destination MAC address coincides with the device's MAC, the frame is accepted and sent to the higher layers to be processed. In order to capture all the packets, the Sniffer sets the network card in a mode known as promiscuous, in which it is capable of capturing all the frames being transmitted over the media, even if the destination address does not coincide with its own address. In this way, it can sniff information from any device connected to the same network.

Figure 1. Traditional Ethernet Network.

In Figure 1, packets whose source or destination address is device A are received by all the devices connected to the same broadcast domain, in this case B and C. Under normal conditions, both B and C drop the packets if the destination does not coincide with their MAC addresses. However, either one of them can intercept all the traffic from station A by simply setting the network card to promiscuous mode.

TELDAT ROUTER Sniffer Feature Introduction I - 2

2. Sniffer Feature: General Overview

The Teldat Router Sniffer feature allows you to intercept network traffic on the network the device is connected to, storing all the collected information in a file with a .cap extension. This file can be extracted from the device memory and later used to analyze the network behavior. The following sections describe the Sniffer feature operations.

2.1. Capture File

By default, the file where the captured traffic information is stored is CAPTURE.CAP, although the user can assign a different name.

    SNIFFER config>filename prueba
    SNIFFER config>

In our example, we have assigned prueba.cap as the capture file name. It is important to remember that it is necessary to save the configuration and restart the device so the association becomes effective.

The .CAP file is stored in the device's memory, in the /mem directory, and can be accessed through an FTP connection.

Figure 2.1. FTP Connection and extraction of capture file.

In the above example (Figure 2.1), an FTP connection has been established with the device that executed the capture; once logged in, a list of the contents of the /mem directory has been obtained and the CAPTURE.CAP file has been extracted using the get command. The file content can be displayed by using a protocol analyzer, as shown in Figure 2.2.

Figure 2.2. Displaying the CAPTURE.CAP file through a protocol analyzer.

The analyzer used divides the screen into three sub-windows. The first sub-window displays the different intercepted packets, which are numbered; in the second, the packet marked in the first window has been analyzed, identifying the different protocols involved; the last displays the selected packet at byte level. The packet flow corresponds to a ping process between device 172.24.79.56 and device 172.24.79.55, first showing the initial exchange of ARP messages and subsequently the ICMP Request and ICMP Reply packet sequence.

2.2. Capture Modes

The devices connected to a network are constantly listening to the media while waiting to receive data, checking whether the packet destination address coincides with their own address, in which case the packet is accepted and processed. On the basis of this operating principle, the Sniffer feature offers two packet capture modes:

single-host: The device stores in the capture file all packets whose source or destination address coincides with its own.

promiscuous: In this mode, the device intercepts and stores every one of the packets circulating over the network it is connected to.
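The two modes of section 2.2, as an added example that is not part of the manual or of Teldat's code: a few constructed Ethernet frames are run through a filter that applies the single-host and promiscuous rules literally, together with the packet-count cut-off that the capture command's "No. of packets" argument imposes. The MAC addresses, the frame contents and the helper names (mac, frame, keep, run_capture, third_party_frames) are assumptions made for this example.

```python
import struct

def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype=0x0800, payload=b""):
    """Minimal Ethernet II frame: dst(6) src(6) type(2) payload (constructed)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def keep(mode, own_mac, frm):
    """Would the card hand this frame to the sniffer in the given capture mode?"""
    dst, src = frm[:6], frm[6:12]
    if mode == "promiscuous":
        return True                         # every frame on the segment is stored
    if mode == "single-host":
        return mac(own_mac) in (src, dst)   # the manual's rule, taken literally
    raise ValueError("mode must be promiscuous or single-host")

def run_capture(mode, own_mac, frames, max_packets):
    """Frames that would end up in the .cap file: filtered by mode and
    cut off after max_packets, as the capture command's packet count does."""
    captured = []
    for frm in frames:
        if keep(mode, own_mac, frm):
            captured.append(frm)
            if len(captured) == max_packets:
                break
    return captured

OWN_MAC = "00:11:22:33:44:55"   # the capturing device's card (constructed)
SEGMENT = [                     # constructed traffic seen on a shared segment
    frame("00:11:22:33:44:55", "00:11:22:33:44:56"),          # addressed to us
    frame("00:11:22:33:44:56", "00:11:22:33:44:57"),          # between two other hosts
    frame("00:11:22:33:44:57", "00:11:22:33:44:55"),          # sent by us
    frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:56", 0x0806),  # broadcast ARP request
]

def third_party_frames(mode, own_mac=OWN_MAC, frames=SEGMENT):
    """Frames a capture in `mode` records although neither end is the device:
    empty for single-host, the eavesdropping surplus for promiscuous."""
    own = mac(own_mac)
    return [f for f in run_capture(mode, own_mac, frames, 1000)
            if own not in (f[:6], f[6:12])]
```

The difference that matters operationally is third_party_frames: in single-host mode it is empty, in promiscuous mode it holds the conversation between the two other hosts and the broadcast ARP request. The manual states the single-host rule only in terms of the device's own address and this example applies it literally; a real Ethernet card also accepts broadcast frames, so the ARP request at the end of SEGMENT is the case to check when comparing against a capture taken on the device.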

2.3. Capture Device

There are two alternatives to execute a capture: specify a specific interface through which traffic is sniffed, e.g. ethernet0/0; or select an "any" device capture, which permits you to capture traffic from the different interfaces that are active in the device. Capture execution is only possible in the P 5 process, as it must be carried out over an interface that is operative in the device.

    *p 5
    Config$ feature sniffer
    capture ethernet0/0 100 promiscuous
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.
    capture bri0/0 10 single-host
    pcap_open_live failed: Chosen device not supported
    CLI Error: Command error

In the first example, a capture of 100 packets has been carried out on the ethernet0/0 interface using the network card in promiscuous mode; in the second, an interface where the Sniffer feature has not been enabled has been selected, and the console displays the following error message: pcap_open_live failed: Chosen device not supported.

In "any" device captures, the packets are obtained directly from the kernel and encapsulated in a pseudo-protocol known as SLL, where a fictitious layer two header is added to them.

    capture any 100 single-host
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.

In this example, an "any" device capture of 100 packets has been executed in single-host mode with the aim of monitoring the same ping process shown in Figure 2.2. Figure 2.3 shows a sequence of intercepted packets. In contrast to the first capture, the selected packet is not analyzed by identifying the different protocols it is composed of. Instead, we have a payload of 102 bytes encapsulated in the SLL protocol. The packet corresponds to an ICMP Echo Request, and an analysis of the data field permits you to identify the Ethernet, IP and ICMP headers and finally the real user data.

Figure 2.3. Displaying an "any" device capture of the Figure 2.2 ping process.

    capture any 100 promiscuous
    Warning: Promiscuous mode not supported on the "any" device
    Warning: Switching capture to single host...
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.

This last example shows that promiscuous mode is incompatible with "any" device captures. If you try to force this combination, the device displays a warning message indicating that the capture mode has internally changed to single-host.
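The .cap file of section 2.1 and the SLL pseudo-header of section 2.3, as an added example that is not Teldat's code: a minimal libpcap reader that decodes both an <interface> capture (Ethernet link type) and an "any" capture (Linux SLL link type) into the ARP and ICMP summary lines the analyzer shows for the Figure 2.2 ping. It assumes the .cap file is standard libpcap format and that the "any" capture uses libpcap's Linux SLL header layout (the pcap_open_live message in the manual points to libpcap), builds its own sample ping exchange between 172.24.79.56 and 172.24.79.55 with constructed MAC addresses, and, because the manual says the "any" data field may also carry the real Ethernet header, handles that layout with a heuristic. All function names and helpers are assumptions made for this example.

```python
import struct

LINKTYPE_ETHERNET = 1      # libpcap DLT_EN10MB: what a "capture <interface>" file uses
LINKTYPE_LINUX_SLL = 113   # libpcap DLT_LINUX_SLL: the "any" device pseudo-header
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806

def parse_pcap(data):
    """Yield (linktype, packet_bytes) for every record of a pcap byte string."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]   # last global header field
    off = 24                                  # global header is 24 bytes
    while off + 16 <= len(data):              # each record has a 16-byte header
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def looks_like(ethertype, payload):
    """Cheap sanity check that payload really starts with the announced protocol."""
    if ethertype == ETHERTYPE_IPV4:
        return len(payload) >= 20 and payload[0] >> 4 == 4
    if ethertype == ETHERTYPE_ARP:
        return len(payload) >= 28 and payload[:2] == b"\x00\x01"   # hardware type 1
    return True

def strip_link_header(linktype, pkt):
    """Return (ethertype, layer-3 payload) with the layer-2 header removed."""
    if linktype == LINKTYPE_ETHERNET:
        return struct.unpack_from("!H", pkt, 12)[0], pkt[14:]
    if linktype == LINKTYPE_LINUX_SLL:
        # SLL: pkttype(2) arphrd(2) addrlen(2) addr(8) protocol(2) = 16 bytes
        proto, payload = struct.unpack_from("!H", pkt, 14)[0], pkt[16:]
        # The manual says the data field may also carry the real Ethernet header;
        # heuristic: its type field repeats the SLL protocol and the bytes before it
        # do not parse as that protocol. Skip those 14 bytes as well.
        if (len(payload) >= 14 and struct.unpack_from("!H", payload, 12)[0] == proto
                and not looks_like(proto, payload)):
            payload = payload[14:]
        return proto, payload
    raise ValueError("unsupported link type %d" % linktype)

def describe(ethertype, payload):
    """One-line summary in the style of the analyzer's packet list."""
    ip = lambda b: ".".join(str(x) for x in b)
    if ethertype == ETHERTYPE_ARP:   # opcode at offset 6, sender IP at 14, target IP at 24
        op = struct.unpack_from("!H", payload, 6)[0]
        return "ARP %s %s -> %s" % ("request" if op == 1 else "reply", ip(payload[14:18]), ip(payload[24:28]))
    if ethertype == ETHERTYPE_IPV4 and payload[9] == 1:   # IP protocol 1 = ICMP
        icmp_type = payload[(payload[0] & 0x0F) * 4]      # first byte after the IP header
        kind = {8: "echo request", 0: "echo reply"}.get(icmp_type, "type %d" % icmp_type)
        return "ICMP %s %s -> %s" % (kind, ip(payload[12:16]), ip(payload[16:20]))
    return "ethertype 0x%04x, %d bytes" % (ethertype, len(payload))

def summarize(data):
    """Summaries of all packets in a capture, whichever link type it uses."""
    return [describe(*strip_link_header(lt, pkt)) for lt, pkt in parse_pcap(data)]

# --- constructed sample: the ARP + ICMP ping exchange of Figure 2.2 (not real traffic)
def checksum(b):
    """RFC 1071 one's-complement sum, used for the IP and ICMP headers."""
    s = sum(struct.unpack("!%dH" % ((len(b) + 1) // 2), b + b"\x00" * (len(b) % 2)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op, sha, spa, tha, tpa)

def build_icmp_echo(icmp_type, src, dst, seq):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + icmp

MAC_A, MAC_B, BCAST = b"\x00\xa0\x26\x00\x00\x56", b"\x00\xa0\x26\x00\x00\x55", b"\xff" * 6
IP_A, IP_B = bytes([172, 24, 79, 56]), bytes([172, 24, 79, 55])   # the two hosts of Figure 2.2
PING_FLOW = [  # (ethertype, source MAC, destination MAC, layer-3 packet)
    (ETHERTYPE_ARP, MAC_A, BCAST, build_arp(1, MAC_A, IP_A, b"\x00" * 6, IP_B)),
    (ETHERTYPE_ARP, MAC_B, MAC_A, build_arp(2, MAC_B, IP_B, MAC_A, IP_A)),
    (ETHERTYPE_IPV4, MAC_A, MAC_B, build_icmp_echo(8, IP_A, IP_B, 1)),
    (ETHERTYPE_IPV4, MAC_B, MAC_A, build_icmp_echo(0, IP_B, IP_A, 1)),
]

def build_pcap(linktype, packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):   # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1170000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def sample_capture(linktype, embed_ethernet=False):
    """The ping exchange as a "capture ethernet0/0" file (plain Ethernet frames) or as a
    "capture any" file (SLL header, optionally followed by the real Ethernet header)."""
    frames = []
    for et, src, dst, p in PING_FLOW:
        eth = dst + src + struct.pack("!H", et) + p
        if linktype == LINKTYPE_ETHERNET:
            frames.append(eth)
        else:   # pkttype 0 (to us), ARPHRD_ETHER = 1, 6-byte address padded to 8, protocol
            frames.append(struct.pack("!HHH8sH", 0, 1, 6, src, et) + (eth if embed_ethernet else p))
    return build_pcap(linktype, frames)
```

The same summarize() call works on both captures because strip_link_header decides per record how much layer-2 header to remove; sample_capture(LINKTYPE_LINUX_SLL, embed_ethernet=True) reproduces the Figure 2.3 layout, in which the Ethernet, IP and ICMP headers all sit inside the SLL data field, and the four summary lines come out identical to those of the ethernet0/0 capture.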

Chapter 2 Configuring the Sniffer Feature

1. Configuring the Sniffer Feature

The following example shows you how to access the Sniffer feature configuration menu.

    *p 4
    Config>feature sniffer
    SNIFFER config>

The available commands are as follows:

    Command     Function
    ? (HELP)    Displays the available commands or their options.
    FILENAME    Permits you to specify the file name where the intercepted packets are saved.
    EXIT        Returns to the configuration prompt (Config>).

If you access the configuration menu from the RUNNING-CONFIG (P 5), the available commands are as follows:

    Command     Function
    ? (HELP)    Displays the available commands or their options.
    CAPTURE     Starts packet capture.
    FILENAME    Permits you to specify the file name where the intercepted packets are saved.
    EXIT        Returns to the configuration prompt (Config>).

    *p 5
    Config$feature sniffer
    ?
    capture     Start capturing packets
    filename    Choose default file name
    exit        Exit to parent menu

The discrepancy between the CONFIG and RUNNING-CONFIG Sniffer feature menus is due to the fact that captures have to be carried out over the interfaces that are operating in the device, which restricts the capture command to P 5.

1.1. ? (HELP)

Displays the list of available commands.

From P 4:

Syntax:
    SNIFFER config>?

    SNIFFER config>?
    filename    Choose default file name
    exit        Exit to parent menu
    SNIFFER config>

From P 5:

Syntax:
    ?

    ?
    capture     Start capturing packets
    filename    Choose default file name
    exit        Exit to parent menu

1.2. CAPTURE

By executing this command, you initiate packet capture on the selected interface. You also need to specify the number of packets to be captured and the operating mode. The capture command is only available in the P 5 process in the Sniffer feature menu.

Syntax:
    capture ?
    <interface>    Interface name
    any            Any device

a) Capture <interface>

Permits you to specify a specific interface where packet capture is carried out. If the selected interface is not permitted to capture traffic, the console displays an error message.

Syntax:
    capture <interface> <No. of packets(0..1000)> <mode>

    capture ethernet0/0 200 promiscuous
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.

    capture ethernet0/0 100 single-host
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.

In the first example, a capture of 200 packets in promiscuous mode has been carried out, and in the second, a capture of 100 packets in single-host mode. In the first case, you have all the packets that arrived at the Ethernet network card; in the second case, only packets whose source or destination address coincides with the device's network card have been captured.

The user can abort the capture process by simply pressing any key. The .cap file then holds the packets captured up to that point.

b) Capture any

Executes an "any" device capture, i.e. the packets that enter or exit the device are made available encapsulated in a fictitious layer 2 frame. The data field is made up of the real layer 3 packet and, if possible, the real header from the link layer.

Syntax:
    capture any <No. of packets(0..1000)> <mode>

    capture any 10 single-host
    Capturing traffic (Press any key to abort)...
    Capture finished
    CAP file is available, by means of FTP connection, in /mem directory.

1.3. EXIT

Exits the Sniffer feature configuration environment and returns to the previous configuration prompt.

Syntax:
    SNIFFER config>exit

    SNIFFER config>exit
    Config>

2. Commands Summary

    CAPTURE   <interface | any> <No. of packets (1..1000)> <promiscuous | single-host>
    FILENAME  <File_name(1..8 chars)>
    EXIT