How to Eavesdrop on Network Communications
CS 3000 -- Lab Assignment #4
A Small Tour through the Use of Snoop.
Ordinary users can't run snoop, so I have furnished you with
this script of some tests I did with snoop. Please read this
and think about the "thought provocations."
We capture 25 network packets that are using the Internet
Control Message Protocol (ICMP). The packet information
(header info only) is placed into a file named snoop.icmp.
john@castor: sudo snoop -c 25 -o snoop.icmp icmp
Using device /dev/hme (promiscuous mode)
25 snoop: 25 packets captured
john@castor: ls
./ ../ snoop.gateway snoop.icmp snoop.out
Next we use snoop with some different options to extract the
header information from the file. We use the -V option in
order to get output that is somewhat verbose -- it shows header
info for all the protocol layers in the packet.
In the display below, the first column contains a sequence
number. The second column is the elapsed time between the
previous packet's arrival and the current packet's arrival.
The next column shows the source and destination addresses (in
domain name form, if available, else the IP address). The rest
of the information is either self explanatory or too arcane to
be worried about at the moment (take your pick :-)
john@castor: snoop -V -i snoop.icmp
________________________________
1 0.00000 130.17.20.51 -> 130.17.2.7 ETHER Type=0800 (IP), size = 62 bytes
1 0.00000 130.17.20.51 -> 130.17.2.7 IP D=130.17.2.7 S=130.17.20.51 LEN=48, ID=59398
1 0.00000 130.17.20.51 -> 130.17.2.7 ICMP Echo request
________________________________
2 19.14865 130.17.20.51 -> 130.17.4.67 ETHER Type=0800 (IP), size = 62 bytes
2 19.14865 130.17.20.51 -> 130.17.4.67 IP D=130.17.4.67 S=130.17.20.51 LEN=48, ID=13012
2 19.14865 130.17.20.51 -> 130.17.4.67 ICMP Echo request
________________________________
3 22.22285 130.17.20.51 -> 130.17.6.94 ETHER Type=0800 (IP), size = 62 bytes
3 22.22285 130.17.20.51 -> 130.17.6.94 IP D=130.17.6.94 S=130.17.20.51 LEN=48, ID=35302
3 22.22285 130.17.20.51 -> 130.17.6.94 ICMP Echo request
________________________________
4 10.03097 130.17.20.51 -> 130.17.2.169 ETHER Type=0800 (IP), size = 62 bytes
4 10.03097 130.17.20.51 -> 130.17.2.169 IP D=130.17.2.169 S=130.17.20.51 LEN=48, ID=44352
4 10.03097 130.17.20.51 -> 130.17.2.169 ICMP Echo request
________________________________
5 11.09061 130.17.20.51 -> 130.17.2.5 ETHER Type=0800 (IP), size = 62 bytes
5 11.09061 130.17.20.51 -> 130.17.2.5 IP D=130.17.2.5 S=130.17.20.51 LEN=48, ID=55442
5 11.09061 130.17.20.51 -> 130.17.2.5 ICMP Echo request
________________________________
6 16.45332 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
6 16.45332 ishi.csustan.edu -> castor.csustan.edu IP D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43002
6 16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
7 0.00108 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
7 0.00108 castor.csustan.edu -> ishi.csustan.edu IP D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22907
7 0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
8 1.03174 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
8 1.03174 ishi.csustan.edu -> castor.csustan.edu IP D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43006
8 1.03174 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
9 0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
9 0.00002 castor.csustan.edu -> ishi.csustan.edu IP D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22908
9 0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
10 0.73664 130.17.20.51 -> hexe.csustan.edu ETHER Type=0800 (IP), size = 62 bytes
10 0.73664 130.17.20.51 -> hexe.csustan.edu IP D=130.17.1.40 S=130.17.20.51 LEN=48, ID=9136
10 0.73664 130.17.20.51 -> hexe.csustan.edu ICMP Echo request
________________________________
11 0.29625 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
11 0.29625 ishi.csustan.edu -> castor.csustan.edu IP D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43008
11 0.29625 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
12 0.00003 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
12 0.00003 castor.csustan.edu -> ishi.csustan.edu IP D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22909
12 0.00003 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
13 1.03288 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
13 1.03288 ishi.csustan.edu -> castor.csustan.edu IP D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43010
13 1.03288 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
14 0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
14 0.00002 castor.csustan.edu -> ishi.csustan.edu IP D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22910
14 0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
15 4.76062 130.17.20.51 -> 130.17.14.69 ETHER Type=0800 (IP), size = 62 bytes
15 4.76062 130.17.20.51 -> 130.17.14.69 IP D=130.17.14.69 S=130.17.20.51 LEN=48, ID=15196
15 4.76062 130.17.20.51 -> 130.17.14.69 ICMP Echo request
________________________________
16 7.05082 130.17.20.51 -> 130.17.4.88 ETHER Type=0800 (IP), size = 62 bytes
16 7.05082 130.17.20.51 -> 130.17.4.88 IP D=130.17.4.88 S=130.17.20.51 LEN=48, ID=22256
16 7.05082 130.17.20.51 -> 130.17.4.88 ICMP Echo request
________________________________
17 24.21246 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
17 24.21246 130.17.20.51 -> 130.17.13.56 IP D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46396
17 24.21246 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
18 2.02017 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
18 2.02017 130.17.20.51 -> 130.17.13.46 IP D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48516
18 2.02017 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
19 0.98959 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
19 0.98959 130.17.20.51 -> 130.17.13.56 IP D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46397
19 0.98959 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
20 2.02025 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
20 2.02025 130.17.20.51 -> 130.17.13.46 IP D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48517
20 2.02025 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
21 0.00043 130.17.20.51 -> fuji.csustan.edu ETHER Type=0800 (IP), size = 62 bytes
21 0.00043 130.17.20.51 -> fuji.csustan.edu IP D=130.17.2.3 S=130.17.20.51 LEN=48, ID=51536
21 0.00043 130.17.20.51 -> fuji.csustan.edu ICMP Echo request
________________________________
22 0.98968 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
22 0.98968 130.17.20.51 -> 130.17.13.56 IP D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46398
22 0.98968 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
23 0.02041 130.17.20.51 -> 130.17.2.184 ETHER Type=0800 (IP), size = 62 bytes
23 0.02041 130.17.20.51 -> 130.17.2.184 IP D=130.17.2.184 S=130.17.20.51 LEN=48, ID=52546
23 0.02041 130.17.20.51 -> 130.17.2.184 ICMP Echo request
________________________________
24 1.99998 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
24 1.99998 130.17.20.51 -> 130.17.13.46 IP D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48518
24 1.99998 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
25 6.07091 130.17.20.51 -> 130.17.2.180 ETHER Type=0800 (IP), size = 62 bytes
25 6.07091 130.17.20.51 -> 130.17.2.180 IP D=130.17.2.180 S=130.17.20.51 LEN=48, ID=60626
25 6.07091 130.17.20.51 -> 130.17.2.180 ICMP Echo request
Thought Provocation: What do you suppose is the reason for the
existence of the "Echo requests?"
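As an added illustration (not part of the lab handout, and not snoop's own code), the following Python script reads the three-lines-per-packet form of snoop -V output described above, regroups the ETHER/IP/ICMP lines by sequence number, and then summarises the ICMP traffic per source: how many echo requests each host sent, to how many distinct destinations, and how many echo replies came back to it. A network monitor looks at exactly this fan-out when deciding whether a burst of echo requests is ordinary reachability testing or something worth reviewing. The sample input is a handful of lines copied from the capture above; the min_targets threshold is a constructed value, not something the handout specifies.

```python
import re
from collections import defaultdict

# Every snoop summary line (plain or -V) starts with the same fields:
#   <seq> <elapsed-since-previous> <src> -> <dst> <PROTO> <rest of line>
# In -V output the same seq appears once per protocol layer.
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>ETHER|IP|ICMP)\s+(?P<rest>.*)$"
)

# Constructed sample: packets 1, 2, 6 and 7 copied from the handout's
# `snoop -V -i snoop.icmp` listing (two requests from 130.17.20.51 and
# one request/reply pair between ishi and castor).
SAMPLE_V_OUTPUT = """\
________________________________
1 0.00000 130.17.20.51 -> 130.17.2.7 ETHER Type=0800 (IP), size = 62 bytes
1 0.00000 130.17.20.51 -> 130.17.2.7 IP D=130.17.2.7 S=130.17.20.51 LEN=48, ID=59398
1 0.00000 130.17.20.51 -> 130.17.2.7 ICMP Echo request
________________________________
2 19.14865 130.17.20.51 -> 130.17.4.67 ETHER Type=0800 (IP), size = 62 bytes
2 19.14865 130.17.20.51 -> 130.17.4.67 IP D=130.17.4.67 S=130.17.20.51 LEN=48, ID=13012
2 19.14865 130.17.20.51 -> 130.17.4.67 ICMP Echo request
________________________________
6 16.45332 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
6 16.45332 ishi.csustan.edu -> castor.csustan.edu IP D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43002
6 16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
7 0.00108 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
7 0.00108 castor.csustan.edu -> ishi.csustan.edu IP D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22907
7 0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
"""


def parse_snoop_v(text):
    """Regroup `snoop -V` lines into one record per packet.

    Returns a list (in sequence-number order) of dicts with the source,
    destination, elapsed time and a {layer: detail} map. The underscore
    separator lines do not match the regex and are skipped.
    """
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq = int(m.group("seq"))
        pkt = packets.setdefault(seq, {
            "seq": seq,
            "delta": float(m.group("delta")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "layers": {},
        })
        pkt["layers"][m.group("proto")] = m.group("rest").strip()
    return [packets[k] for k in sorted(packets)]


def icmp_summary(packets):
    """Per-source ICMP summary: echo requests sent, distinct destinations,
    and echo replies received back (a reply is credited to its destination)."""
    summary = defaultdict(lambda: {"requests": 0, "targets": set(), "replies": 0})
    for pkt in packets:
        icmp = pkt["layers"].get("ICMP", "")
        if icmp == "Echo request":
            summary[pkt["src"]]["requests"] += 1
            summary[pkt["src"]]["targets"].add(pkt["dst"])
        elif icmp == "Echo reply":
            summary[pkt["dst"]]["replies"] += 1
    return dict(summary)


def fan_out_sources(summary, min_targets=2):
    """Sources whose echo requests went to at least `min_targets` distinct
    hosts; the threshold is a constructed value for this example."""
    return sorted(src for src, s in summary.items() if len(s["targets"]) >= min_targets)


if __name__ == "__main__":
    pkts = parse_snoop_v(SAMPLE_V_OUTPUT)
    stats = icmp_summary(pkts)
    for src, s in stats.items():
        print(f"{src}: {s['requests']} echo requests to {len(s['targets'])} host(s), "
              f"{s['replies']} replies received")
    print("fan-out sources:", fan_out_sources(stats))
```

Run against the full 25-packet listing, the same functions show the contrast the capture contains: one pair of hosts exchanging request and reply within a millisecond or so, and one address sending requests to many different hosts with no replies in the capture at all.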
Next we capture 50 network packets that are coming from or
going to the host "gateway", which is the gateway from the
campus LAN into the Internet. The packet information is placed
into a file named snoop.gateway.
john@castor: sudo snoop -c 50 -o snoop.gateway host gateway
Using device /dev/hme (promiscuous mode)
50 snoop: 50 packets captured
We execute ifconfig -a to show that "hme" refers to the
Ethernet interface on castor: hme0 carries castor's own address,
130.17.1.54, the address that appeared as castor.csustan.edu in
the ICMP capture above.
john@castor: ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 130.17.1.54 netmask ffff0000 broadcast 130.17.255.255
Finally we "play back" the file snoop.gateway to see the header
information on the 50 packets.
john@castor: snoop -i snoop.gateway
1 0.00000 gateway.csustan.edu -> BROADCAST RIP R (1 destinations)
2 0.38200 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
3 2.30444 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
4 2.41780 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
5 2.41519 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
6 2.03181 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
7 1.33411 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
8 0.92151 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
9 1.25853 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
10 0.93555 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
11 2.14228 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
12 2.63607 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
13 2.03084 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
14 1.84747 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.164.115, 130.17.164.115 ?
15 0.62431 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
16 2.36503 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
17 0.46838 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
18 0.96590 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.166.176, 130.17.166.176 ?
19 0.35060 gateway.csustan.edu -> BROADCAST RIP R (1 destinations)
20 0.62714 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
21 0.23584 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
22 2.01666 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
23 3.40633 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
24 2.36060 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
25 2.85561 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
26 0.48642 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.14.250, 130.17.14.250 ?
27 1.98372 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
28 0.11110 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
29 0.90410 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.14.250, 130.17.14.250 ?
30 1.11467 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
31 0.67126 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
32 1.51204 gateway.csustan.edu -> * ARP C Who is 130.17.16.40, 130.17.16.40 ?
33 1.18029 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
34 2.74488 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
35 2.74643 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
36 2.74574 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
37 1.55007 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
38 0.33808 gateway.csustan.edu -> BROADCAST RIP R (1 destinations)
39 0.52874 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
40 1.33413 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
41 0.75142 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
42 2.14213 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
43 2.58212 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
44 2.47015 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
45 2.47173 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
46 2.71147 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
47 0.09273 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
48 2.10706 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
49 0.30658 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
50 2.58324 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
Thought Provocation: Can you make any sense out of the display
above? Can you explain what is happening? If so, can you
explain why?
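As a second added illustration (again my own example, not code from the handout or from snoop), this Python script reads the one-line-per-packet form shown in the gateway capture above and summarises the ARP traffic: for each address that is asked about, how many requests were broadcast, who asked, the gap between consecutive requests (reconstructed from snoop's elapsed-time column), and whether any ARP reply for that address appears in the capture. Counting requests that never get a reply is the kind of check an operator runs to spot an address that nobody on the segment is answering for. The sample input is a subset of the listing above plus one constructed ARP reply line (hostname example-host.csustan.edu and MAC 0:0:0:0:0:1 are placeholders); the reply line layout "ARP R <ip>, <name> is <mac>" is assumed, since the handout's capture contains no replies.

```python
import re
from collections import defaultdict

# Common prefix of every one-line snoop summary:
#   <seq> <elapsed-since-previous> <src> -> <dst> <PROTO> <rest of line>
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*)$"
)
# ARP request as snoop prints it: "C Who is <ip>, <name> ?"
ARP_REQ_RE = re.compile(r"^C\s+Who is (?P<ip>[\d.]+),")
# ARP reply, assumed layout for this example: "R <ip>, <name> is <mac>"
ARP_REP_RE = re.compile(r"^R\s+(?P<ip>[\d.]+),")

# Constructed sample: packets 1, 2, 3, 7, 8, 9 and 32 copied from the
# handout's `snoop -i snoop.gateway` listing, plus one constructed reply
# (seq 10) so that request/reply matching is exercised.
SAMPLE_GATEWAY_OUTPUT = """\
1 0.00000 gateway.csustan.edu -> BROADCAST RIP R (1 destinations)
2 0.38200 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
3 2.30444 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
7 1.33411 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
8 0.92151 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.1.99, wagener.csustan.edu ?
9 1.25853 gateway.csustan.edu -> (broadcast) ARP C Who is 130.17.32.53, 130.17.32.53 ?
10 0.00500 example-host.csustan.edu -> gateway.csustan.edu ARP R 130.17.32.53, example-host.csustan.edu is 0:0:0:0:0:1
32 1.51204 gateway.csustan.edu -> * ARP C Who is 130.17.16.40, 130.17.16.40 ?
"""


def parse_snoop_summary(text):
    """One dict per line: seq, delta (seconds since previous packet),
    src, dst, proto and the protocol-specific remainder."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["seq"] = int(row["seq"])
            row["delta"] = float(row["delta"])
            rows.append(row)
    return rows


def protocol_counts(rows):
    """How many packets of each protocol the capture holds."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["proto"]] += 1
    return dict(counts)


def arp_report(rows):
    """Per queried IP: request count, set of askers, gaps between consecutive
    requests, and whether a reply for that IP was seen anywhere in the capture."""
    report = defaultdict(lambda: {"requests": 0, "askers": set(),
                                  "gaps": [], "answered": False})
    last_request_at = {}
    clock = 0.0
    for r in rows:
        clock += r["delta"]  # rebuild a running timeline from the deltas
        if r["proto"] != "ARP":
            continue
        m = ARP_REQ_RE.match(r["rest"])
        if m:
            ip = m.group("ip")
            entry = report[ip]
            entry["requests"] += 1
            entry["askers"].add(r["src"])
            if ip in last_request_at:
                entry["gaps"].append(round(clock - last_request_at[ip], 5))
            last_request_at[ip] = clock
            continue
        m = ARP_REP_RE.match(r["rest"])
        if m:
            report[m.group("ip")]["answered"] = True
    return dict(report)


def unanswered(report, min_requests=2):
    """IPs asked about at least `min_requests` times with no reply seen
    (threshold is a constructed value for this example)."""
    return sorted(ip for ip, e in report.items()
                  if e["requests"] >= min_requests and not e["answered"])


if __name__ == "__main__":
    rows = parse_snoop_summary(SAMPLE_GATEWAY_OUTPUT)
    print("protocols:", protocol_counts(rows))
    rep = arp_report(rows)
    for ip, e in rep.items():
        print(f"{ip}: {e['requests']} request(s) from {sorted(e['askers'])}, "
              f"gaps={e['gaps']}, answered={e['answered']}")
    print("repeatedly asked, never answered:", unanswered(rep))
```

Feeding the whole 50-packet listing through arp_report gives one row per address the gateway asked about, with the request timing laid out next to it; that table is a good starting point for the thought provocation above.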