

Protocol Analyzer
Protocol analyzers (also called sniffers) are versatile tools for a variety of tasks:

Debugging network problems

Verifying proper operation of cryptographic protocols

Diagnosing flawed protocol implementations

Identifying unwanted traffic

Replaying stored traffic for testing purposes

Reverse-engineering protocol implementations

Performing security checks

Identifying network background noise (broadcast protocols, NetBIOS, AppleTalk)

If you ever find yourself confronted with learning or reverse-engineering an unknown or unfamiliar protocol, equip yourself with a sniffer, a hex editor, test gear, and any RFCs or standards documents you can find, and start investigating the behavior of the protocol, the types of headers involved, the state transitions, and so on. This is really the best way of understanding the internals of a protocol, and probably the most efficient as well. If available, you can also compare your observations with open source implementations and derive additional clues from the sources. When debugging a real-life problem, it is always a good approach to start at the bottom of the stack and work your way up in a structured manner: confirm the frame, then the IP header, then the transport header, and only then the application payload.

Most UNIX systems come with tcpdump installed, the standard text-based protocol analyzer; several graphical front ends and ancillary tools exist for it. Solaris ships its own sniffer, snoop. Most people's tool of choice is the Ethereal graphical protocol analyzer, which also comes with a text-only version called tethereal (see Figure 6-7). (Ethereal has since been renamed Wireshark, and tethereal is now tshark.) The ngrep tool applies the functionality of the well-known UNIX grep utility to network traffic and is a practical tool as well. Keep in mind that capturing requires root privileges (or the CAP_NET_RAW capability on Linux) and that on a switched network a sniffer sees only traffic to and from its own host plus broadcasts, unless it is fed from a mirror (SPAN) port or a tap.
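The header-by-header investigation described above, as an added example that is not part of the original page or of any of the tools it mentions: a minimal Ethernet II / IPv4 / TCP dissector of the kind you write alongside a sniffer and hex editor, verifying the IPv4 and TCP checksums so that a garbled or tampered frame is spotted at the layer where it breaks. The frame it parses is constructed by build_frame (addresses, sequence numbers and MAC addresses are made up), not a real capture.

```python
# Added example (not from the original page): a minimal Ethernet/IPv4/TCP dissector
# of the kind you write while reverse-engineering a protocol with a sniffer and a
# hex editor.  The frame it parses is constructed below, not a real capture.
import struct
from typing import Any, Dict


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over `data` (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: 192.168.14.1:22 -> 192.168.14.2:33424, TCP PSH/ACK."""
    src_ip, dst_ip = bytes([192, 168, 14, 1]), bytes([192, 168, 14, 2])
    seg_len = 20 + len(payload)
    # TCP header with checksum 0, then patch in the checksum over pseudo-header + segment.
    tcp = struct.pack("!HHIIBBHHH", 22, 33424, 1000, 2000, 5 << 4, 0x18, 5840, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header (IHL 5, DF set, TTL 64, protocol 6) with its own checksum patched in.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + seg_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("005056c00008") + bytes.fromhex("000c293e1a22") + b"\x08\x00"  # made-up MACs
    return eth + ip + tcp


TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def dissect(frame: bytes) -> Dict[str, Any]:
    """Walk Ethernet II -> IPv4 -> TCP, verifying both checksums; stop at the first layer not handled."""
    out: Dict[str, Any] = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                  # not IPv4: report what we saw and stop
        return out
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    out["ip"] = {
        "version": vihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
        "dont_fragment": bool(flags_frag & 0x4000),
        # a valid header sums to 0xFFFF, whose complement is 0
        "checksum_ok": internet_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:                           # only TCP is dissected here
        return out
    seg = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off_res >> 4) * 4
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(seg))
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": {name for name, bit in TCP_FLAGS if flags & bit},
        "checksum_ok": internet_checksum(pseudo + seg) == 0,
        "payload": seg[doff:],
    }
    return out


if __name__ == "__main__":
    for layer, fields in dissect(build_frame(b"SSH-2.0-OpenSSH_3.4\n")).items():
        print(layer, fields)
```

Flipping a single bit in the IPv4 TTL makes the header checksum fail while the TCP checksum still verifies, which is exactly the bottom-up localisation the text recommends; a real capture file would be fed to dissect one frame at a time after stripping the pcap record headers.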
Statistical Tools
ntop, designed by Dr. Luca Deri, is an advanced graphical tool that dissects network traffic, derives statistics, and produces traffic distributions (see Figure 6-8). It can also operate as a NetFlow collector/probe and presents its reports through an embedded web server. You can download it from http://www.ntop.org.
Port Scanners
Modern port scanners can probe in stealthy, patient, and subtle ways, in combination with operating system fingerprinting, which refers to the art of guessing the operating system from stack peculiarities and additional hints derived from intelligent probing. Two of the most popular tools are the nmap and strobe programs. Example 6-1 shows both tools in action. The /etc/services file on UNIX systems provides a mapping between TCP/UDP port numbers and their textual names; this is where the Service column of nmap and the descriptions printed by strobe come from. The list is maintained by the Internet Assigned Numbers Authority (IANA, http://www.iana.org/assignments/port-numbers) and consists of three port groups:

Well-known ports (0–1023)

Registered ports (1024–49151)

Dynamic ports (49152–65535)

Example 6-1. nmap and strobe Port-Scan Examples

[root@castor:~#] nmap -p 1-4000 localhost

Starting nmap V. 2.54BETA34 ( www.insecure.org/nmap/ )
Interesting ports on localhost.nerdzone.org (127.0.0.1):
(The 3994 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
1899/tcp   open        unknown
2070/tcp   open        unknown
2410/tcp   open        unknown
2560/tcp   open        unknown
3046/tcp   open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

[root@ganymed:~#] strobe -b 1 -e 4000 localhost
strobe 1.05 (c) 1995-1999 Julian Assange.
localhost 22 ssh Secure Shell - RSA encrypted rsh
-> SSH-2.0-OpenSSH_3.4\n
localhost 80 http www www-http World Wide Web HTTP
www World Wide Web HTTP [TXL]
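What nmap and strobe do in Example 6-1, reduced to its simplest form, as an added example that is not code from the original page or from either tool: a TCP connect scan that classifies each port as open or closed, looks the port up in /etc/services the way nmap fills its Service column, and grabs whatever banner the service volunteers, as strobe did for port 22 above. So that it runs offline, the script starts a constructed loopback listener that answers with a fake SSH banner; the banner text and the port range are assumptions, not data from the page.

```python
# Added example (not from the original page): a TCP connect scan with banner grabbing,
# the behaviour strobe shows for port 22 in Example 6-1.  It starts a constructed
# loopback listener that speaks a fake SSH banner so the scan can run offline.
import socket
import threading
from typing import Dict, Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_3.4\n"      # constructed; mimics the banner strobe printed above


def start_banner_server(banner: bytes = FAKE_BANNER) -> int:
    """Listen on an ephemeral 127.0.0.1 port, send `banner` to every client; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Bind and immediately release an ephemeral port, so it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Connect scan of one port: None if closed/filtered, b"" if open but silent,
    otherwise the first bytes the service volunteers (its banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:          # open, but the service waits for the client (e.g. HTTP)
                return b""
    except OSError:                          # ECONNREFUSED (closed) or connect timeout (filtered)
        return None


def service_name(port: int, proto: str = "tcp") -> str:
    """/etc/services lookup, the source of nmap's Service column; 'unknown' if unmapped."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def connect_scan(host: str, first: int, last: int) -> Dict[int, Dict[str, str]]:
    """Scan ports first..last inclusive and return only the open ones."""
    found: Dict[int, Dict[str, str]] = {}
    for port in range(first, last + 1):
        banner = probe(host, port)
        if banner is None:
            continue
        found[port] = {"service": service_name(port),
                       "banner": banner.decode("ascii", "replace").strip()}
    return found


if __name__ == "__main__":
    listener = start_banner_server()
    for port, info in sorted(connect_scan("127.0.0.1", listener - 2, listener + 2).items()):
        print(f"{port}/tcp open {info['service']:<12} {info['banner']}")
```

A connect scan completes the three-way handshake, so every probe shows up in the target's logs; nmap's default SYN scan avoids that by sending raw packets, which is why it needs root. Services that speak first (SSH, SMTP, FTP) hand you a banner for free, while HTTP and most others stay silent until the client sends a request, which is why probe distinguishes "open and silent" from "closed".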

socklist and netstat
socklist(8) is a useful tool for displaying open TCP/UDP sockets in a compact overview, together with the inode, uid, pid, file descriptor and process name behind each socket (see Example 6-2).

Example 6-2. socklist Output

[root@callisto:~#] socklist
type  port   inode  uid  pid   fd  name
tcp   32768    986   29   681   6  rpc.statd
tcp   32769   1058    0   754   4  rpc.mountd
tcp     929   1042    0   749   4  rpc.rquotad
tcp   32770   1632    0  1157   6  xinetd
tcp     963   1631    0  1157   5  xinetd
tcp     139   1183    0   844   9  smbd
tcp     111    913    0   653   4  portmap
tcp    6000   1986    0  1449   1  X
tcp   10000   1924    0  1385   4  miniserv.pl
tcp      21   1636    0  1157   9  xinetd
tcp      22   1520    0  1066   3  sshd
tcp     505   2968    0  1343   4  rcd
tcp   33424  28161  500  3704  47  mozilla-bin
tcp      22  27806    0  3776   4  sshd
udp   32768    983   29   681   4  rpc.statd
udp    2049   1082    0     0   0
udp   32769   1055    0   754   3  rpc.mountd
udp   32770   1088    0     0   0
udp     137   3257    0   849  15  nmbd
udp     137   1194    0   849  10  nmbd
udp     137   1192    0   849   8  nmbd
udp     137   1189    0   849   6  nmbd
udp     138   3258    0   849  16  nmbd
udp     138   1195    0   849  11  nmbd
udp     138   1193    0   849   9  nmbd
udp     138   1190    0   849   7  nmbd
udp   10000   1925    0  1385   5  miniserv.pl
udp     926   1037    0   749   3  rpc.rquotad
udp      69   1635    0  1157   8  xinetd
udp     111    910    0   653   3  portmap
udp     500   1515    0   939  10  pluto
udp     123   1704    0  1175   7  ntpd
udp     123   1703    0  1175   6  ntpd
udp     123   1702    0  1175   5  ntpd
udp     123   1701    0  1175   4  ntpd

netstat(8) provides additional details about the UNIX network subsystem, such as network connections, routing tables, interface statistics, and multicast memberships (see Example 6-3).

Example 6-3. netstat Output

[root@callisto:~#] netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0       0      0      0      0     439      0      0      0 BMRU
eth1   1500   0   10098      0      0      0    8208      0      0      0 BMRU
eth1:  1500   0     - no statistics available -                           BMRU
ipsec 16260   0       0      0      0      0    7096      0    129      0 ORU
lo    16436   0      64      0      0      0      64      0      0      0 LRU


[root@callisto:~#] netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address   State
tcp        0      0 *:32768                  *:*               LISTEN
tcp        0      0 *:32769                  *:*               LISTEN
tcp        0      0 *:929                    *:*               LISTEN
tcp        0      0 localhost:32770          *:*               LISTEN
tcp        0      0 *:pkcipe                 *:*               LISTEN
tcp        0      0 *:netbios-ssn            *:*               LISTEN
tcp        0      0 *:sunrpc                 *:*               LISTEN
tcp        0      0 *:x11                    *:*               LISTEN
tcp        0      0 callisto:10000           *:*               LISTEN
tcp        0      0 *:ftp                    *:*               LISTEN
tcp        0      0 *:ssh                    *:*               LISTEN
tcp        0      0 *:505                    *:*               LISTEN
udp        0      0 *:32768                  *:*
udp        0      0 *:nfs                    *:*
udp        0      0 *:32769                  *:*
udp        0      0 *:32770                  *:*
udp        0      0 192.168.45.2:netbios-ns  *:*
udp        0      0 192.168.14.1:netbios-ns  *:*
udp        0      0 callisto:netbios-ns      *:*
udp        0      0 *:netbios-ns             *:*
udp        0      0 192.168.45.:netbios-dgm  *:*
udp        0      0 192.168.14.:netbios-dgm  *:*
udp        0      0 callisto:netbios-dgm     *:*
udp        0      0 *:netbios-dgm            *:*
udp        0      0 *:10000                  *:*
udp        0      0 *:926                    *:*
udp        0      0 *:tftp                   *:*
udp        0      0 *:sunrpc                 *:*
udp        0      0 callisto:isakmp          *:*
udp        0      0 callisto:ntp             *:*
udp        0      0 192.168.14.1:ntp         *:*
udp        0      0 localhost:ntp            *:*
udp        0      0 *:ntp                    *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2969   /var/run/rcd/rcd
unix  2      [ ACC ]     STREAM     LISTENING     2564   /tmp/ksocket-gschmied/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     2569   /tmp/.ICE-unix/dcop1571-1062316048
unix  2      [ ACC ]     STREAM     LISTENING     2704   /tmp/.ICE-unix/1598
unix  2      [ ACC ]     STREAM     LISTENING     2592   /tmp/ksocket-gschmied/klauncherKIy0fa.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     1404   /var/run/pluto.ctl
unix  2      [ ACC ]     STREAM     LISTENING     2675   /tmp/mcop-gschmied/callisto-0631-3f51a81c
unix  2      [ ACC ]     STREAM     LISTENING     1987   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     1712   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     1766   /tmp/.font-unix/fs7100


[root@callisto:~#] netstat -s
Ip:
    11160 total packets received
    0 forwarded
    0 incoming packets discarded
    11143 incoming packets delivered
    10339 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP messages failed.
    ICMP input histogram:
    4 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 4
Tcp:
    703 active connections openings
    2 passive connection openings
    0 failed connection attempts
    2 connection resets received
    2 connections established
    10272 segments received
    9535 segments sent out
    37 segments retransmitted
    0 bad segments received.
    2 resets sent
Udp:
    875 packets received
    4 packets to unknown port received.
    0 packet receive errors
    800 packets sent
TcpExt:
    ArpFilter: 0
    21 TCP sockets finished time wait in fast timer
    597 delayed acks sent
    2 delayed acks further delayed because of locked socket
    Quick ack mode was activated 30 times
    3 packets directly queued to recvmsg prequeue.
    1 packets directly received from prequeue
    4825 packets header predicted
    TCPPureAcks: 1549
    TCPHPAcks: 2674
    TCPRenoRecovery: 0
    TCPSackRecovery: 0
    TCPSACKReneging: 0
    TCPFACKReorder: 0
    TCPSACKReorder: 0
    TCPRenoReorder: 0
    TCPTSReorder: 0
    TCPFullUndo: 0
    TCPPartialUndo: 0
    TCPDSACKUndo: 0
    TCPLossUndo: 9
    TCPLoss: 0
    TCPLostRetransmit: 0
    TCPRenoFailures: 0
    TCPSackFailures: 0
    TCPLossFailures: 0
    TCPFastRetrans: 0
    TCPForwardRetrans: 0
    TCPSlowStartRetrans: 0
    TCPTimeouts: 22
    TCPRenoRecoveryFail: 0
    TCPSackRecoveryFail: 0
    TCPSchedulerFailed: 0
    TCPRcvCollapsed: 0
    TCPDSACKOldSent: 10
    TCPDSACKOfoSent: 0
    TCPDSACKRecv: 1
    TCPDSACKOfoRecv: 0
    TCPAbortOnSyn: 0
    TCPAbortOnData: 0
    TCPAbortOnClose: 1
    TCPAbortOnMemory: 0
    TCPAbortOnTimeout: 0
    TCPAbortOnLinger: 0
    TCPAbortFailed: 0
    TCPMemoryPressures: 0


The Linux netstat -M command additionally displays masqueraded connections. netstat options can be combined with the -ev switch for extended and even more verbose output (type netstat -ev). We will rely extensively on netstat -rn (the routing table) and netstat -i. netstat -i presents interface counter statistics such as transmitted and received frames, frame errors, and dropped frames. The netstat -g multicast command is discussed in detail in Chapter 14, "Multicast Architectures." From a hardening standpoint, the lines to look at first in Example 6-3 are the wildcard-bound listeners (Local Address of the form *:service): each of them, tftp, sunrpc, nfs, ftp, and netbios-ssn among them here, accepts traffic on every interface of the host unless a packet filter intervenes, whereas a socket bound to localhost or to a single interface address is reachable only there.
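The same socket inventory socklist (Example 6-2) and netstat -l (Example 6-3) produce, rebuilt from the kernel tables they read on Linux, as an added example that is not code from the original page or from either tool: it parses /proc/net/tcp and /proc/net/udp, keeps only listening TCP and bound UDP sockets, converts the little-endian hex addresses to dotted quads, maps a socket inode to its owning process the way socklist's pid column does, and flags wildcard-bound listeners. The embedded table excerpts are constructed (loosely modelled on the ports in Examples 6-2 and 6-3) so that the parsing runs anywhere; pass --live to read the real files, and the little-endian address layout is an assumption that holds on x86 hosts.

```python
# Added example (not from the original page): enumerate listening sockets from
# /proc/net/tcp and /proc/net/udp, the kernel tables socklist(8) and netstat -l read
# on Linux, and flag the wildcard-bound ones.  A constructed excerpt is embedded so
# the parsing runs anywhere; pass --live to read the real files (root is needed to
# map other users' sockets to their pids).
import os
import socket
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

TCP_LISTEN = 0x0A   # `st` column value for LISTEN in /proc/net/tcp
UDP_BOUND = 0x07    # an unconnected, bound UDP socket reports state 07

# Constructed excerpts; assumption: little-endian host byte order (x86) for the hex addresses.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1520 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8002 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1632 1 0000000000000000 100 0 0 10 0
   2: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1183 1 0000000000000000 100 0 0 10 0
   3: 010EA8C0:8290 010EA8C0:0016 01 00000000:00000000 00:00000000 00000000   500        0 28161 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0045 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1635 2 0000000000000000 0
   1: 0100007F:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1703 2 0000000000000000 0
"""


@dataclass
class Sock:
    proto: str
    laddr: str
    lport: int
    uid: int
    inode: int

    def wildcard(self) -> bool:
        """True when bound to 0.0.0.0, i.e. reachable on every interface (netstat's *:port)."""
        return self.laddr == "0.0.0.0"


def parse_proc_net(text: str, proto: str) -> List[Sock]:
    """Return the listening (tcp) or bound (udp) sockets in a /proc/net/{tcp,udp} table."""
    want = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    socks: List[Sock] = []
    for line in text.splitlines()[1:]:                       # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != want:
            continue
        addr_hex, port_hex = f[1].split(":")
        laddr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))   # host order -> dotted quad
        socks.append(Sock(proto, laddr, int(port_hex, 16), uid=int(f[7]), inode=int(f[9])))
    return socks


def inode_to_pid(inode: int) -> Optional[int]:
    """Live only: find the process holding socket:[inode] (socklist's pid column)."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:                                      # process gone, or not ours and not root
            continue
    return None


def report(socks: List[Sock], live: bool) -> List[str]:
    """One line per socket, with the service name from /etc/services where it is known."""
    lines = []
    for s in socks:
        try:
            name = socket.getservbyport(s.lport, s.proto)
        except OSError:
            name = str(s.lport)
        pid = inode_to_pid(s.inode) if live else None
        exposure = "ALL-INTERFACES" if s.wildcard() else "local"
        lines.append(f"{s.proto:<4} {s.laddr}:{name:<12} uid={s.uid:<5} inode={s.inode:<7} pid={pid} {exposure}")
    return lines


if __name__ == "__main__":
    live = "--live" in sys.argv
    if live:
        tcp = parse_proc_net(open("/proc/net/tcp").read(), "tcp")
        udp = parse_proc_net(open("/proc/net/udp").read(), "udp")
    else:
        tcp, udp = parse_proc_net(SAMPLE_TCP, "tcp"), parse_proc_net(SAMPLE_UDP, "udp")
    print("\n".join(report(tcp + udp, live)))
```

The state filter is what separates netstat -l from the full netstat output: the ESTABLISHED row in the sample (state 01, the browser connection to port 22) is dropped, exactly as netstat -l omits the second sshd socket that socklist still lists in Example 6-2. IPv6 listeners live in /proc/net/tcp6 and /proc/net/udp6 with 32-hex-digit addresses and are not covered here.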

Note that netstat displays various types of sockets:

TCP

UDP

Raw

UNIX domain sockets
