Protocol analyzers (also called sniffers) are versatile tools for a variety of tasks:
Debugging network problems
Verifying proper operation of cryptographic protocols
Diagnosing flawed protocol implementations
Identifying unwanted traffic
Replaying stored traffic for testing purposes
Reverse-engineering protocol implementations
Performing security checks
Identifying network background noise (broadcast protocols, NetBIOS, AppleTalk)
If you ever find yourself confronted with learning or reverse-engineering an unknown or unfamiliar protocol, equip yourself with a sniffer, a hex editor, test gear, and any RFCs or standard documents you can find and start investigating the behavior of the protocol, the types of headers involved, the state transitions, and so on. This is really the best way of understanding the internals of protocols, and probably the most efficient as well. If available, you can also compare your observations with open source implementations and derive additional clues from the sources. When debugging a real-life problem, it is always a good approach to start from the bottom and work your way to the top of the stack in a structured manner.
Most UNIX systems come with tcpdump installed, which is the standard text-based protocol analyzer. Several graphical front ends and ancillary tools exist for tcpdump. Solaris, by the way, provides the snoop utility for sniffing. Most people's tool of choice is the ethereal graphical protocol analyzer, which also provides a text-only version called tethereal (see Figure 6-7). The ngrep tool enables you to apply the functionality of the well-known UNIX grep utility to the network layer, and it is a practical tool as well.
Statistical Tools
ntop, designed by Dr. Luca Deri, is an advanced graphical tool to dissect network traffic, derive statistics, and produce traffic distributions (see Figure 6-8). It is also capable of operating as a NetFlow collector/probe and runs on an embedded web server. You can download it from http://www.ntop.org.
Port Scanners
Modern port scanners can probe in stealthy, patient, and subtle ways, in combination with operating system fingerprinting, which refers to the art of guessing the operating system from stack peculiarities and additional hints derived from intelligent probing. Two of the most popular tools are the nmap and strobe programs. Example 6-1 provides two examples of these tools in action. The /etc/services file on UNIX systems provides a mapping between TCP/UDP port numbers and their textual names. This list is maintained by the Internet Assigned Numbers Authority (IANA, http://www.iana.org/assignments/port-numbers) and consists of three port groups:
Well-known ports (0–1023)
Registered ports (1024–49151)
Dynamic ports (49152–65535)
Example 6-1. nmap and strobe Port-Scan Examples
[root@castor:~#] nmap -p 1-4000 localhost
Starting nmap V. 2.54BETA34 ( www.insecure.org/nmap/ )
Interesting ports on localhost.nerdzone.org (127.0.0.1):
(The 3994 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
1899/tcp open unknown
2070/tcp open unknown
2410/tcp open unknown
2560/tcp open unknown
3046/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds
[root@ganymed:~#] strobe -b 1 -e 4000 localhost
strobe 1.05 (c) 1995-1999 Julian Assange
localhost 22 ssh Secure Shell - RSA encrypted rsh
-> SSH-2.0-OpenSSH_3.4\n
localhost 80 http www www-http World Wide Web HTTP
www World Wide Web HTTP [TXL]
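The following script is an added example, not code from the book or from the nmap or strobe projects. It parses a constructed excerpt in /etc/services format, classifies port numbers into the three IANA groups quoted above, and annotates the nmap listing from Example 6-1 with the name the local services table knows for each port and the group the port falls into. The regular expression assumes the "port/proto state service" line layout that nmap 2.54 prints in Example 6-1; the services excerpt is a hand-built subset and stands in for the real file.

```python
"""Classify ports into IANA groups and resolve names from an /etc/services-style
table. Added example (not from the book); SERVICES_TEXT is a constructed subset
of /etc/services and NMAP_OUTPUT is copied from Example 6-1."""
import re

# Constructed /etc/services-style excerpt: name port/proto [aliases] [# comment]
SERVICES_TEXT = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www www-http    # WorldWideWeb HTTP
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
ntp             123/udp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
isakmp          500/udp
nfs             2049/udp
x11             6000/tcp
"""

# Port lines of 'nmap -p 1-4000 localhost' as shown in Example 6-1
NMAP_OUTPUT = """\
Port State Service
22/tcp open ssh
1899/tcp open unknown
2070/tcp open unknown
2410/tcp open unknown
2560/tcp open unknown
3046/tcp open unknown
"""


def port_group(port):
    """Return the IANA group of a port number using the ranges quoted in the text."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_services(text):
    """Parse /etc/services lines into {(port, proto): (name, [aliases])}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        fields = line.split()
        name, portproto = fields[0], fields[1]
        port_s, proto = portproto.split("/")
        table[(int(port_s), proto)] = (name, fields[2:])
    return table


# Matches the "22/tcp open ssh" lines of the nmap output format in Example 6-1
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def annotate_nmap(output, services):
    """Return (port, proto, state, nmap_name, services_name, group) per port line.

    A port that neither nmap nor the local services table can name, sitting in
    the registered or dynamic range, is the kind of listener worth tracing back
    to its process with socklist or netstat."""
    rows = []
    for line in output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if not m:
            continue  # header line or anything else that is not a port entry
        port, proto = int(m.group(1)), m.group(2)
        state, nmap_name = m.group(3), m.group(4)
        svc_name = services.get((port, proto), ("unknown", []))[0]
        rows.append((port, proto, state, nmap_name, svc_name, port_group(port)))
    return rows


if __name__ == "__main__":
    for row in annotate_nmap(NMAP_OUTPUT, parse_services(SERVICES_TEXT)):
        print("%5d/%s %-5s nmap=%-8s services=%-8s group=%s" % row)
```

Running the script prints one annotated line per open port; on a real host you would read the table with `parse_services(open("/etc/services").read())` instead of the constructed excerpt.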
socklist and netstat
socklist(8) is a useful tool for displaying open TCP/UDP sockets in an overview fashion (see Example 6-2).
Example 6-2. socklist Output
[root@callisto:~#] socklist
type port inode uid pid fd name
tcp 32768 986 29 681 6 rpc.statd
tcp 32769 1058 0 754 4 rpc.mountd
tcp 929 1042 0 749 4 rpc.rquotad
tcp 32770 1632 0 1157 6 xinetd
tcp 963 1631 0 1157 5 xinetd
tcp 139 1183 0 844 9 smbd
tcp 111 913 0 653 4 portmap
tcp 6000 1986 0 1449 1 X
tcp 10000 1924 0 1385 4 miniserv.pl
tcp 21 1636 0 1157 9 xinetd
tcp 22 1520 0 1066 3 sshd
tcp 505 2968 0 1343 4 rcd
tcp 33424 28161 500 3704 47 mozilla-bin
tcp 22 27806 0 3776 4 sshd
udp 32768 983 29 681 4 rpc.statd
udp 2049 1082 0 0 0
udp 32769 1055 0 754 3 rpc.mountd
udp 32770 1088 0 0 0
udp 137 3257 0 849 15 nmbd
udp 137 1194 0 849 10 nmbd
udp 137 1192 0 849 8 nmbd
udp 137 1189 0 849 6 nmbd
udp 138 3258 0 849 16 nmbd
udp 138 1195 0 849 11 nmbd
udp 138 1193 0 849 9 nmbd
udp 138 1190 0 849 7 nmbd
udp 10000 1925 0 1385 5 miniserv.pl
udp 926 1037 0 749 3 rpc.rquotad
udp 69 1635 0 1157 8 xinetd
udp 111 910 0 653 3 portmap
udp 500 1515 0 939 10 pluto
udp 123 1704 0 1175 7 ntpd
udp 123 1703 0 1175 6 ntpd
udp 123 1702 0 1175 5 ntpd
udp 123 1701 0 1175 4 ntpd
netstat(8) provides additional details about the UNIX network subsystem, such as network connections, routing tables, interface statistics, and multicast memberships (see Example 6-3).
Example 6-3. netstat Output
[root@callisto:~#] netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 439 0 0 0 BMRU
eth1 1500 0 10098 0 0 0 8208 0 0 0 BMRU
eth1: 1500 0 - no statistics available - BMRU
ipsec 16260 0 0 0 0 0 7096 0 129 0 ORU
lo 16436 0 64 0 0 0 64 0 0 0 LRU
[root@callisto:~#] netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:929 *:* LISTEN
tcp 0 0 localhost:32770 *:* LISTEN
tcp 0 0 *:pkcipe *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 callisto:10000 *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:505 *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:nfs *:*
udp 0 0 *:32769 *:*
udp 0 0 *:32770 *:*
udp 0 0 192.168.45.2:netbios-ns *:*
udp 0 0 192.168.14.1:netbios-ns *:*
udp 0 0 callisto:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 192.168.45.:netbios-dgm *:*
udp 0 0 192.168.14.:netbios-dgm *:*
udp 0 0 callisto:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:10000 *:*
udp 0 0 *:926 *:*
udp 0 0 *:tftp *:*
udp 0 0 *:sunrpc *:*
udp 0 0 callisto:isakmp *:*
udp 0 0 callisto:ntp *:*
udp 0 0 192.168.14.1:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2969 /var/run/rcd/rcd
unix 2 [ ACC ] STREAM LISTENING 2564 /tmp/ksocket-gschmied/kdeinit-:0
unix 2 [ ACC ] STREAM LISTENING 2569 /tmp/.ICE-unix/dcop1571-1062316048
unix 2 [ ACC ] STREAM LISTENING 2704 /tmp/.ICE-unix/1598
unix 2 [ ACC ] STREAM LISTENING 2592 /tmp/ksocket-gschmied
/klauncherKIy0fa.slave-socket
unix 2 [ ACC ] STREAM LISTENING 1404 /var/run/pluto.ctl
unix 2 [ ACC ] STREAM LISTENING 2675 /tmp/mcop-gschmied
/callisto-0631-3f51a81c
unix 2 [ ACC ] STREAM LISTENING 1987 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 1712 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 1766 /tmp/.font-unix/fs7100
[root@callisto:~#] netstat -s
Ip:
11160 total packets received
0 forwarded
0 incoming packets discarded
11143 incoming packets delivered
10339 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP messages failed.
ICMP input histogram:
4 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 4
Tcp:
703 active connections openings
2 passive connection openings
0 failed connection attempts
2 connection resets received
2 connections established
10272 segments received
9535 segments sent out
37 segments retransmitted
0 bad segments received.
2 resets sent
Udp:
875 packets received
4 packets to unknown port received.
0 packet receive errors
800 packets sent
TcpExt:
ArpFilter: 0
21 TCP sockets finished time wait in fast timer
597 delayed acks sent
2 delayed acks further delayed because of locked socket
Quick ack mode was activated 30 times
3 packets directly queued to recvmsg prequeue.
1 packets directly received from prequeue
4825 packets header predicted
TCPPureAcks: 1549
TCPHPAcks: 2674
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 9
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 22
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 0
TCPDSACKOldSent: 10
TCPDSACKOfoSent: 0
TCPDSACKRecv: 1
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 0
TCPAbortOnClose: 1
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 0
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
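socklist tells you which process owns a port and netstat -l tells you which address each listener is bound to; combining the two gives the inventory a security check needs: every service reachable on all interfaces, with the process behind it. The script below is an added example, not code from the book or from the socklist or netstat projects. The sample lines are copied from Examples 6-2 and 6-3 (a subset, to keep the block short), and the name-to-port map is a constructed subset of /etc/services used to turn the symbolic names netstat prints back into numbers. Lines bound to localhost or to one specific address are reported as such and left out of the exposed-services list.

```python
"""Audit listening sockets: join 'netstat -l' (bind address per listener) with
'socklist' (owning process per port) and list the services bound to every
interface. Added example, not from the book. NETSTAT_L and SOCKLIST are subsets
of Examples 6-3 and 6-2; SERVICE_PORTS is a constructed /etc/services subset."""

# Constructed name -> port map for the symbolic names netstat prints
SERVICE_PORTS = {
    "ftp": 21, "ssh": 22, "tftp": 69, "sunrpc": 111, "ntp": 123,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "isakmp": 500, "nfs": 2049, "x11": 6000,
}

NETSTAT_L = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 localhost:32770 *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 callisto:10000 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
udp 0 0 *:nfs *:*
udp 0 0 192.168.45.2:netbios-ns *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:tftp *:*
Active UNIX domain sockets (only servers)
"""

SOCKLIST = """\
type port inode uid pid fd name
tcp 32768 986 29 681 6 rpc.statd
tcp 32770 1632 0 1157 6 xinetd
tcp 139 1183 0 844 9 smbd
tcp 111 913 0 653 4 portmap
tcp 6000 1986 0 1449 1 X
tcp 10000 1924 0 1385 4 miniserv.pl
tcp 22 1520 0 1066 3 sshd
udp 2049 1082 0 0 0
udp 137 3257 0 849 15 nmbd
udp 69 1635 0 1157 8 xinetd
udp 123 1703 0 1175 6 ntpd
"""


def parse_netstat_listeners(text):
    """Return (proto, port, scope, host) for each Internet-socket listener.

    scope is 'any' for a wildcard bind (*), 'loopback' for localhost, and
    'specific' for a single address or host name."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp"):
            continue  # section headers, column headers, UNIX domain sockets
        host, _, port_s = fields[3].rpartition(":")
        port = int(port_s) if port_s.isdigit() else SERVICE_PORTS[port_s]
        if host == "*":
            scope = "any"
        elif host in ("localhost", "127.0.0.1"):
            scope = "loopback"
        else:
            scope = "specific"
        listeners.append((fields[0], port, scope, host))
    return listeners


def parse_socklist(text):
    """Map (proto, port) -> (pid, process name) from socklist output.

    socklist also lists connected sockets, so a port can appear more than once
    (see the two sshd lines on port 22 in Example 6-2); the first entry is kept.
    A kernel-owned socket such as nfs has no name column, hence '(kernel)'."""
    owners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        name = f[6] if len(f) > 6 else "(kernel)"
        owners.setdefault((f[0], int(f[1])), (int(f[4]), name))
    return owners


def exposed_services(netstat_text, socklist_text):
    """Listeners bound to every interface, each with its owning process,
    as sorted (proto, port, name, pid) tuples."""
    owners = parse_socklist(socklist_text)
    report = []
    for proto, port, scope, host in parse_netstat_listeners(netstat_text):
        if scope != "any":
            continue
        pid, name = owners.get((proto, port), (None, "?"))
        report.append((proto, port, name, pid))
    return sorted(report)


if __name__ == "__main__":
    for proto, port, name, pid in exposed_services(NETSTAT_L, SOCKLIST):
        print("%s/%-5d bound to all interfaces by %s (pid %s)" % (proto, port, name, pid))
```

Against the sample data the report lists sshd, portmap, smbd, X, rpc.statd, xinetd (tftp) and the kernel nfs socket as reachable from every interface, while the xinetd listener on localhost:32770 and the miniserv.pl listener on callisto:10000 are excluded because they are bound to one address only. On a live system, feed the script the output of `netstat -l` and `socklist` captured with the same commands shown in the examples.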
The Linux netstat -M command sequence additionally displays masqueraded connections. netstat options can be combined with the -ev switch for extended and even more verbose output (type netstat -ev). We will extensively rely on netstat -rn (the routing table) and netstat -i. netstat -i presents interface counter statistics such as transmitted and received frames, frame errors, and dropped frames. The netstat -g multicast command sequence is discussed in detail in Chapter 14, "Multicast Architectures."
Note that netstat displays various types of sockets:
TCP
UDP
Raw
UNIX domain sockets