A Small Tour through the Use of Snoop.

Ordinary users can't run snoop (it has to open the network device and put it into promiscuous mode, which needs root privilege), so I have furnished you with this script of some tests I did with snoop. Please read this and think about the "thought provocations."

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
We capture 25 network packets that are using the Internet Control Message Protocol (ICMP). The trailing word "icmp" on the command line is the capture filter, so only ICMP packets count toward the "-c 25" limit and only those are written out. The "-o" option saves the captured packets (the whole frames, not just the headers) into a file named snoop.icmp; the displays further down show header information only because that is what we ask snoop to print when we read the file back.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

john@castor: sudo snoop -c 25 -o snoop.icmp icmp
Using device /dev/hme (promiscuous mode)
25
snoop: 25 packets captured

john@castor: ls
./  ../  snoop.gateway  snoop.icmp  snoop.out

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Next we use snoop with some different options to extract the header information from the file. The "-i" option makes snoop read the saved file instead of the live interface; no sudo is needed for that, so anyone who can read a capture file can replay everything in it (treat such files as sensitive). We use the "-V" option in order to get output that is somewhat verbose -- it prints one summary line for each protocol layer in the packet (here ETHER, IP and ICMP). The lower-case "-v" option would instead dump every field of every header, which is far more than we need here.

In the display below, the first column contains a sequence number. The second column is the elapsed time, in seconds, between the previous packet's arrival and the current packet's arrival. The next column shows the source and destination addresses (in domain name form, if available, else the IP address).
The rest of the information is either self explanatory or too arcane to be worried about at the moment (take your pick :-). One check that is worth making, though: the "size" on each ETHER line is always 14 bytes more than the LEN on the matching IP line (62 = 14 + 48, 98 = 14 + 84), and 14 bytes is the Ethernet header. So the file really does hold whole frames; "-V" merely chooses to print one summary line per layer.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

john@castor: snoop -V -i snoop.icmp
________________________________
  1   0.00000 130.17.20.51 -> 130.17.2.7         ETHER Type=0800 (IP), size = 62 bytes
  1   0.00000 130.17.20.51 -> 130.17.2.7         IP  D=130.17.2.7 S=130.17.20.51 LEN=48, ID=59398
  1   0.00000 130.17.20.51 -> 130.17.2.7         ICMP Echo request
________________________________
  2  19.14865 130.17.20.51 -> 130.17.4.67        ETHER Type=0800 (IP), size = 62 bytes
  2  19.14865 130.17.20.51 -> 130.17.4.67        IP  D=130.17.4.67 S=130.17.20.51 LEN=48, ID=13012
  2  19.14865 130.17.20.51 -> 130.17.4.67        ICMP Echo request
________________________________
  3  22.22285 130.17.20.51 -> 130.17.6.94        ETHER Type=0800 (IP), size = 62 bytes
  3  22.22285 130.17.20.51 -> 130.17.6.94        IP  D=130.17.6.94 S=130.17.20.51 LEN=48, ID=35302
  3  22.22285 130.17.20.51 -> 130.17.6.94        ICMP Echo request
________________________________
  4  10.03097 130.17.20.51 -> 130.17.2.169       ETHER Type=0800 (IP), size = 62 bytes
  4  10.03097 130.17.20.51 -> 130.17.2.169       IP  D=130.17.2.169 S=130.17.20.51 LEN=48, ID=44352
  4  10.03097 130.17.20.51 -> 130.17.2.169       ICMP Echo request
________________________________
  5  11.09061 130.17.20.51 -> 130.17.2.5         ETHER Type=0800 (IP), size = 62 bytes
  5  11.09061 130.17.20.51 -> 130.17.2.5         IP  D=130.17.2.5 S=130.17.20.51 LEN=48, ID=55442
  5  11.09061 130.17.20.51 -> 130.17.2.5         ICMP Echo request
________________________________
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43002
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22907
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43006
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22908
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 10   0.73664 130.17.20.51 -> hexe.csustan.edu   ETHER Type=0800 (IP), size = 62 bytes
 10   0.73664 130.17.20.51 -> hexe.csustan.edu   IP  D=130.17.1.40 S=130.17.20.51 LEN=48, ID=9136
 10   0.73664 130.17.20.51 -> hexe.csustan.edu   ICMP Echo request
________________________________
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43008
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22909
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43010
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22910
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 15   4.76062 130.17.20.51 -> 130.17.14.69       ETHER Type=0800 (IP), size = 62 bytes
 15   4.76062 130.17.20.51 -> 130.17.14.69       IP  D=130.17.14.69 S=130.17.20.51 LEN=48, ID=15196
 15   4.76062 130.17.20.51 -> 130.17.14.69       ICMP Echo request
________________________________
 16   7.05082 130.17.20.51 -> 130.17.4.88        ETHER Type=0800 (IP), size = 62 bytes
 16   7.05082 130.17.20.51 -> 130.17.4.88        IP  D=130.17.4.88 S=130.17.20.51 LEN=48, ID=22256
 16   7.05082 130.17.20.51 -> 130.17.4.88        ICMP Echo request
________________________________
 17  24.21246 130.17.20.51 -> 130.17.13.56       ETHER Type=0800 (IP), size = 62 bytes
 17  24.21246 130.17.20.51 -> 130.17.13.56       IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46396
 17  24.21246 130.17.20.51 -> 130.17.13.56       ICMP Echo request
________________________________
 18   2.02017 130.17.20.51 -> 130.17.13.46       ETHER Type=0800 (IP), size = 62 bytes
 18   2.02017 130.17.20.51 -> 130.17.13.46       IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48516
 18   2.02017 130.17.20.51 -> 130.17.13.46       ICMP Echo request
________________________________
 19   0.98959 130.17.20.51 -> 130.17.13.56       ETHER Type=0800 (IP), size = 62 bytes
 19   0.98959 130.17.20.51 -> 130.17.13.56       IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46397
 19   0.98959 130.17.20.51 -> 130.17.13.56       ICMP Echo request
________________________________
 20   2.02025 130.17.20.51 -> 130.17.13.46       ETHER Type=0800 (IP), size = 62 bytes
 20   2.02025 130.17.20.51 -> 130.17.13.46       IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48517
 20   2.02025 130.17.20.51 -> 130.17.13.46       ICMP Echo request
________________________________
 21   0.00043 130.17.20.51 -> fuji.csustan.edu   ETHER Type=0800 (IP), size = 62 bytes
 21   0.00043 130.17.20.51 -> fuji.csustan.edu   IP  D=130.17.2.3 S=130.17.20.51 LEN=48, ID=51536
 21   0.00043 130.17.20.51 -> fuji.csustan.edu   ICMP Echo request
________________________________
 22   0.98968 130.17.20.51 -> 130.17.13.56       ETHER Type=0800 (IP), size = 62 bytes
 22   0.98968 130.17.20.51 -> 130.17.13.56       IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46398
 22   0.98968 130.17.20.51 -> 130.17.13.56       ICMP Echo request
________________________________
 23   0.02041 130.17.20.51 -> 130.17.2.184       ETHER Type=0800 (IP), size = 62 bytes
 23   0.02041 130.17.20.51 -> 130.17.2.184       IP  D=130.17.2.184 S=130.17.20.51 LEN=48, ID=52546
 23   0.02041 130.17.20.51 -> 130.17.2.184       ICMP Echo request
________________________________
 24   1.99998 130.17.20.51 -> 130.17.13.46       ETHER Type=0800 (IP), size = 62 bytes
 24   1.99998 130.17.20.51 -> 130.17.13.46       IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48518
 24   1.99998 130.17.20.51 -> 130.17.13.46       ICMP Echo request
________________________________
 25   6.07091 130.17.20.51 -> 130.17.2.180       ETHER Type=0800 (IP), size = 62 bytes
 25   6.07091 130.17.20.51 -> 130.17.2.180       IP  D=130.17.2.180 S=130.17.20.51 LEN=48, ID=60626
 25   6.07091 130.17.20.51 -> 130.17.2.180       ICMP Echo request

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Thought Provocation: What do you suppose is the reason for the existence of the "Echo requests?"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Next we capture 50 network packets that are coming from or going to the host "gateway", which is the gateway from the campus LAN into the Internet. The expression "host gateway" is again a capture filter: a packet is kept only if gateway is its source or its destination (the name is looked up when snoop starts, which is why it appears as gateway.csustan.edu in the playback). The packets are placed into a file named snoop.gateway.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

john@castor: sudo snoop -c 50 -o snoop.gateway host gateway
Using device /dev/hme (promiscuous mode)
50
snoop: 50 packets captured

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
We execute ifconfig -a to show that "hme" refers to the ethernet interface on castor.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

john@castor: ifconfig -a
lo0: flags=849 mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863 mtu 1500
        inet 130.17.1.54 netmask ffff0000 broadcast 130.17.255.255

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Two things to take from this. First, castor is 130.17.1.54 with netmask ffff0000, so the campus network is a single /16 and every 130.17.x.y address in these traces is on castor's own network. (The hex flag word 863 on hme0 decodes to UP, BROADCAST, NOTRAILERS, RUNNING and MULTICAST.) Second, look back at the ICMP capture: most of its packets (1 through 5, for instance) have castor as neither source nor destination. snoop put hme0 into promiscuous mode, so it receives every frame that reaches castor's segment, not just the frames addressed to castor. That is exactly why the ability to run snoop is reserved to root.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Finally we "play back" the file snoop.gateway to see the header information on the 50 packets. Without "-V" this is snoop's default display: one line per packet, describing only the highest protocol layer snoop recognises in it. "ARP C" lines are ARP requests (a reply would print as "ARP R"), and "RIP R (1 destinations)" is a RIP routing response carrying one route.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

john@castor: snoop -i snoop.gateway
  1   0.00000 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
  2   0.38200 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  3   2.30444 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  4   2.41780 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  5   2.41519 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  6   2.03181 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  7   1.33411 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
  8   0.92151 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  9   1.25853 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 10   0.93555 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 11   2.14228 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 12   2.63607 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 13   2.03084 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 14   1.84747 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.164.115, 130.17.164.115 ?
 15   0.62431 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 16   2.36503 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 17   0.46838 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 18   0.96590 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.166.176, 130.17.166.176 ?
 19   0.35060 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
 20   0.62714 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 21   0.23584 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 22   2.01666 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 23   3.40633 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 24   2.36060 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 25   2.85561 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 26   0.48642 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.14.250, 130.17.14.250 ?
 27   1.98372 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 28   0.11110 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 29   0.90410 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.14.250, 130.17.14.250 ?
 30   1.11467 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 31   0.67126 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 32   1.51204 gateway.csustan.edu -> *            ARP C Who is 130.17.16.40, 130.17.16.40 ?
 33   1.18029 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 34   2.74488 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 35   2.74643 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 36   2.74574 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 37   1.55007 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 38   0.33808 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
 39   0.52874 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 40   1.33413 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 41   0.75142 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 42   2.14213 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 43   2.58212 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 44   2.47015 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 45   2.47173 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 46   2.71147 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 47   0.09273 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 48   2.10706 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 49   0.30658 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 50   2.58324 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Thought Provocation: Can you make any sense out of the display above? Can you explain what is happening? If so, can you explain why?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
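Reading traces by eye is fine for 25 or 50 packets; for a real capture you want a script that tallies them. The following is an added example (my own code, not part of the original handout and not a snoop feature): it parses either form of snoop summary output shown above, the one-line-per-layer "-V" form and the default one-line-per-packet form, groups lines by sequence number, and then answers two questions that both captures raise: for the ICMP file, how many distinct hosts each source sent Echo requests to and how many of them replied; for the gateway file, how many ARP requests were sent for each address and whether any "ARP R" reply for it appears. The sample text embedded in the script is a handful of lines copied from the two captures above (not a new capture); the function names, the regular expressions and the "sweep" threshold are my own choices.

```python
"""Tally snoop summary output: both `snoop -i file` (one line per packet)
and `snoop -V -i file` (one line per protocol layer).  Added example for
the snoop handout; the samples below are excerpts of its two captures."""
import re
from collections import Counter, defaultdict

# Both output forms begin:  seq  delta-seconds  src -> dst  <layer summary>
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(.*?)\s*$")

# Packets 1-3, 6 and 7 of the handout's `snoop -V -i snoop.icmp` display.
ICMP_SAMPLE = """\
________________________________
  1   0.00000 130.17.20.51 -> 130.17.2.7   ETHER Type=0800 (IP), size = 62 bytes
  1   0.00000 130.17.20.51 -> 130.17.2.7   IP  D=130.17.2.7 S=130.17.20.51 LEN=48, ID=59398
  1   0.00000 130.17.20.51 -> 130.17.2.7   ICMP Echo request
________________________________
  2  19.14865 130.17.20.51 -> 130.17.4.67  ETHER Type=0800 (IP), size = 62 bytes
  2  19.14865 130.17.20.51 -> 130.17.4.67  IP  D=130.17.4.67 S=130.17.20.51 LEN=48, ID=13012
  2  19.14865 130.17.20.51 -> 130.17.4.67  ICMP Echo request
________________________________
  3  22.22285 130.17.20.51 -> 130.17.6.94  ETHER Type=0800 (IP), size = 62 bytes
  3  22.22285 130.17.20.51 -> 130.17.6.94  IP  D=130.17.6.94 S=130.17.20.51 LEN=48, ID=35302
  3  22.22285 130.17.20.51 -> 130.17.6.94  ICMP Echo request
________________________________
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43002
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22907
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
"""

# Packets 1, 2, 3, 7 and 14 of the handout's `snoop -i snoop.gateway` display.
ARP_SAMPLE = """\
  1   0.00000 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
  2   0.38200 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  3   2.30444 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  7   1.33411 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 14   1.84747 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.164.115, 130.17.164.115 ?
"""


def parse_snoop(text):
    """Group snoop lines by sequence number.  Each packet is a dict with seq,
    delta, src, dst and the list of layer summaries printed for it (one entry
    in default mode, one per protocol layer in -V mode)."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "____" separators, blank lines
            continue
        seq = int(m.group(1))
        pkt = packets.setdefault(seq, {"seq": seq, "delta": float(m.group(2)),
                                       "src": m.group(3), "dst": m.group(4),
                                       "layers": []})
        pkt["layers"].append(m.group(5))
    return [packets[s] for s in sorted(packets)]


def icmp_sweep_report(packets, min_targets=5):
    """Per Echo-request source: distinct destinations, how many of them sent an
    Echo reply back, and a 'sweep' flag for one source probing many hosts with
    no answer at all.  min_targets is an arbitrary threshold for this example."""
    targets = defaultdict(set)
    replies = set()                   # (host that replied, host it replied to)
    for p in packets:
        for layer in p["layers"]:
            if layer.startswith("ICMP Echo request"):
                targets[p["src"]].add(p["dst"])
            elif layer.startswith("ICMP Echo reply"):
                replies.add((p["src"], p["dst"]))
    report = {}
    for src, dsts in targets.items():
        answered = sum(1 for d in dsts if (d, src) in replies)
        report[src] = {"targets": len(dsts), "answered": answered,
                       "sweep": len(dsts) >= min_targets and answered == 0}
    return report


def arp_report(packets):
    """ARP requests per asked-for address, plus whether an 'ARP R' reply for
    that address ("ARP R <ip>, <name> is <mac>") appears anywhere."""
    asked = Counter()
    answered = set()
    for p in packets:
        for layer in p["layers"]:
            m = re.match(r"ARP C Who is (\S+),", layer)
            if m:
                asked[m.group(1)] += 1
            m = re.match(r"ARP R (\S+),", layer)
            if m:
                answered.add(m.group(1))
    return {ip: {"requests": n, "answered": ip in answered} for ip, n in asked.items()}


if __name__ == "__main__":
    for src, r in icmp_sweep_report(parse_snoop(ICMP_SAMPLE), min_targets=3).items():
        print(f"{src}: {r['targets']} target(s), {r['answered']} answered, sweep={r['sweep']}")
    for ip, r in sorted(arp_report(parse_snoop(ARP_SAMPLE)).items()):
        print(f"ARP for {ip}: {r['requests']} request(s), answered={r['answered']}")
```

Run it against the full text of either display (for example `parse_snoop(open("icmp.txt").read())`) and the numbers for all 25 and all 50 packets fall out; on the excerpt alone, 130.17.20.51 shows three targets with no replies while ishi's single target answers, and 130.17.1.99 is asked for twice with no reply seen. Note that the reply matching uses the names snoop printed, so it only works when source and destination are rendered the same way in both directions, as they are here.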