How to Eavesdrop on Network Communications

CS 3000 -- Lab Assignment #4

A Small Tour through the Use of Snoop.

Ordinary users can't run snoop, so I have furnished you with this script of some tests I did with snoop. Please read this and think about the "thought provocations."


We capture 25 network packets that are using the Internet Control Message Protocol (ICMP). The packet information (header info only) is placed into a file named snoop.icmp.
john@castor: sudo snoop -c 25 -o snoop.icmp icmp
Using device /dev/hme (promiscuous mode)
25 snoop: 25 packets captured
john@castor: ls
./              ../             snoop.gateway   snoop.icmp      snoop.out

Next we use snoop with some different options to extract the header information from the file. We use the -V option in order to get output that is somewhat verbose -- it shows header info for all the protocol layers in the packet.

In the display below, the first column contains a sequence number. The second column is the elapsed time between the previous packet's arrival and the current packet's arrival. The next column shows the source and destination addresses (in domain name form, if available, else the IP address). The rest of the information is either self-explanatory or too arcane to be worried about at the moment (take your pick :-)
john@castor: snoop -V -i snoop.icmp
________________________________
  1   0.00000 130.17.20.51 -> 130.17.2.7   ETHER Type=0800 (IP), size = 62 bytes
  1   0.00000 130.17.20.51 -> 130.17.2.7   IP  D=130.17.2.7 S=130.17.20.51 LEN=48, ID=59398
  1   0.00000 130.17.20.51 -> 130.17.2.7   ICMP Echo request
________________________________
  2  19.14865 130.17.20.51 -> 130.17.4.67  ETHER Type=0800 (IP), size = 62 bytes
  2  19.14865 130.17.20.51 -> 130.17.4.67  IP  D=130.17.4.67 S=130.17.20.51 LEN=48, ID=13012
  2  19.14865 130.17.20.51 -> 130.17.4.67  ICMP Echo request
________________________________
  3  22.22285 130.17.20.51 -> 130.17.6.94  ETHER Type=0800 (IP), size = 62 bytes
  3  22.22285 130.17.20.51 -> 130.17.6.94  IP  D=130.17.6.94 S=130.17.20.51 LEN=48, ID=35302
  3  22.22285 130.17.20.51 -> 130.17.6.94  ICMP Echo request
________________________________
  4  10.03097 130.17.20.51 -> 130.17.2.169 ETHER Type=0800 (IP), size = 62 bytes
  4  10.03097 130.17.20.51 -> 130.17.2.169 IP  D=130.17.2.169 S=130.17.20.51 LEN=48, ID=44352
  4  10.03097 130.17.20.51 -> 130.17.2.169 ICMP Echo request
________________________________
  5  11.09061 130.17.20.51 -> 130.17.2.5   ETHER Type=0800 (IP), size = 62 bytes
  5  11.09061 130.17.20.51 -> 130.17.2.5   IP  D=130.17.2.5 S=130.17.20.51 LEN=48, ID=55442
  5  11.09061 130.17.20.51 -> 130.17.2.5   ICMP Echo request
________________________________
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43002
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22907
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43006
  8   1.03174 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22908
  9   0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 10   0.73664 130.17.20.51 -> hexe.csustan.edu ETHER Type=0800 (IP), size = 62 bytes
 10   0.73664 130.17.20.51 -> hexe.csustan.edu IP  D=130.17.1.40 S=130.17.20.51 LEN=48, ID=9136
 10   0.73664 130.17.20.51 -> hexe.csustan.edu ICMP Echo request
________________________________
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43008
 11   0.29625 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22909
 12   0.00003 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu IP  D=130.17.1.54 S=130.17.1.71 LEN=84, ID=43010
 13   1.03288 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
________________________________
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu ETHER Type=0800 (IP), size = 98 bytes
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu IP  D=130.17.1.71 S=130.17.1.54 LEN=84, ID=22910
 14   0.00002 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
________________________________
 15   4.76062 130.17.20.51 -> 130.17.14.69 ETHER Type=0800 (IP), size = 62 bytes
 15   4.76062 130.17.20.51 -> 130.17.14.69 IP  D=130.17.14.69 S=130.17.20.51 LEN=48, ID=15196
 15   4.76062 130.17.20.51 -> 130.17.14.69 ICMP Echo request
________________________________
 16   7.05082 130.17.20.51 -> 130.17.4.88  ETHER Type=0800 (IP), size = 62 bytes
 16   7.05082 130.17.20.51 -> 130.17.4.88  IP  D=130.17.4.88 S=130.17.20.51 LEN=48, ID=22256
 16   7.05082 130.17.20.51 -> 130.17.4.88  ICMP Echo request
________________________________
 17  24.21246 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
 17  24.21246 130.17.20.51 -> 130.17.13.56 IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46396
 17  24.21246 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
 18   2.02017 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
 18   2.02017 130.17.20.51 -> 130.17.13.46 IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48516
 18   2.02017 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
 19   0.98959 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
 19   0.98959 130.17.20.51 -> 130.17.13.56 IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46397
 19   0.98959 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
 20   2.02025 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
 20   2.02025 130.17.20.51 -> 130.17.13.46 IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48517
 20   2.02025 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
 21   0.00043 130.17.20.51 -> fuji.csustan.edu ETHER Type=0800 (IP), size = 62 bytes
 21   0.00043 130.17.20.51 -> fuji.csustan.edu IP  D=130.17.2.3 S=130.17.20.51 LEN=48, ID=51536
 21   0.00043 130.17.20.51 -> fuji.csustan.edu ICMP Echo request
________________________________
 22   0.98968 130.17.20.51 -> 130.17.13.56 ETHER Type=0800 (IP), size = 62 bytes
 22   0.98968 130.17.20.51 -> 130.17.13.56 IP  D=130.17.13.56 S=130.17.20.51 LEN=48, ID=46398
 22   0.98968 130.17.20.51 -> 130.17.13.56 ICMP Echo request
________________________________
 23   0.02041 130.17.20.51 -> 130.17.2.184 ETHER Type=0800 (IP), size = 62 bytes
 23   0.02041 130.17.20.51 -> 130.17.2.184 IP  D=130.17.2.184 S=130.17.20.51 LEN=48, ID=52546
 23   0.02041 130.17.20.51 -> 130.17.2.184 ICMP Echo request
________________________________
 24   1.99998 130.17.20.51 -> 130.17.13.46 ETHER Type=0800 (IP), size = 62 bytes
 24   1.99998 130.17.20.51 -> 130.17.13.46 IP  D=130.17.13.46 S=130.17.20.51 LEN=48, ID=48518
 24   1.99998 130.17.20.51 -> 130.17.13.46 ICMP Echo request
________________________________
 25   6.07091 130.17.20.51 -> 130.17.2.180 ETHER Type=0800 (IP), size = 62 bytes
 25   6.07091 130.17.20.51 -> 130.17.2.180 IP  D=130.17.2.180 S=130.17.20.51 LEN=48, ID=60626
 25   6.07091 130.17.20.51 -> 130.17.2.180 ICMP Echo request

Thought Provocation: What do you suppose is the reason for the existence of the "Echo requests"?

Next we capture 50 network packets that are coming from or going to the host "gateway", which is the gateway from the campus LAN into the Internet. The packet information is placed into a file named snoop.gateway.
john@castor: sudo snoop -c 50 -o snoop.gateway host gateway
Using device /dev/hme (promiscuous mode)
50 snoop: 50 packets captured

We execute ifconfig -a to show that "hme" refers to the Ethernet interface on castor.
john@castor: ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000 
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 130.17.1.54 netmask ffff0000 broadcast 130.17.255.255

Finally we "play back" the file snoop.gateway to see the header information on the 50 packets.
john@castor: snoop -i snoop.gateway
  1   0.00000 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
  2   0.38200 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  3   2.30444 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  4   2.41780 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  5   2.41519 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  6   2.03181 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  7   1.33411 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
  8   0.92151 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  9   1.25853 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 10   0.93555 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 11   2.14228 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 12   2.63607 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 13   2.03084 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 14   1.84747 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.164.115, 130.17.164.115 ?
 15   0.62431 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 16   2.36503 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 17   0.46838 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 18   0.96590 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.166.176, 130.17.166.176 ?
 19   0.35060 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
 20   0.62714 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 21   0.23584 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 22   2.01666 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 23   3.40633 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 24   2.36060 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 25   2.85561 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 26   0.48642 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.14.250, 130.17.14.250 ?
 27   1.98372 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 28   0.11110 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 29   0.90410 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.14.250, 130.17.14.250 ?
 30   1.11467 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 31   0.67126 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 32   1.51204 gateway.csustan.edu -> *            ARP C Who is 130.17.16.40, 130.17.16.40 ?
 33   1.18029 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 34   2.74488 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 35   2.74643 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 36   2.74574 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 37   1.55007 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 38   0.33808 gateway.csustan.edu -> BROADCAST    RIP R (1 destinations)
 39   0.52874 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 40   1.33413 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 41   0.75142 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 42   2.14213 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 43   2.58212 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 44   2.47015 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 45   2.47173 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 46   2.71147 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 47   0.09273 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 48   2.10706 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
 49   0.30658 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
 50   2.58324 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?

Thought Provocation: Can you make any sense out of the display above? Can you explain what is happening? If so, can you explain why?
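One way to work through both displays above (the -V ICMP capture and the gateway capture), as an added example that is not part of the lab handout: a small Python parser for snoop's summary columns (sequence number, elapsed time, source -> destination, protocol, remainder of the line) plus the two tallies an analyst would want before answering the thought provocations. The sample lines are constructed in the same format as the displays, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the displays above; the -V display
# repeats the sequence number once per protocol layer (packet 1 here).
SAMPLE = """\
  1   0.00000 130.17.20.51 -> 130.17.2.7   ETHER Type=0800 (IP), size = 62 bytes
  1   0.00000 130.17.20.51 -> 130.17.2.7   ICMP Echo request
________________________________
  2  19.14865 130.17.20.51 -> 130.17.4.67  ICMP Echo request
  6  16.45332 ishi.csustan.edu -> castor.csustan.edu ICMP Echo request
  7   0.00108 castor.csustan.edu -> ishi.csustan.edu ICMP Echo reply
 10   0.73664 130.17.20.51 -> hexe.csustan.edu ICMP Echo request
  2   0.38200 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.1.99, wagener.csustan.edu ?
  7   1.33411 gateway.csustan.edu -> (broadcast)  ARP C Who is 130.17.32.53, 130.17.32.53 ?
"""

# seq, elapsed seconds since previous packet, source, destination, protocol, rest
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+) -> (\S+)\s+(\S+)\s*(.*)$")

def parse_line(line):
    """One summary line -> dict of its columns; None for separators/blank lines."""
    m = LINE.match(line)
    if not m:
        return None
    seq, delta, src, dst, proto, info = m.groups()
    return {"seq": int(seq), "delta": float(delta), "src": src,
            "dst": dst, "proto": proto, "info": info.strip()}

def echo_request_targets(text):
    """Distinct hosts each source sent ICMP Echo requests to (sorted)."""
    targets = defaultdict(set)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["proto"] == "ICMP" and rec["info"] == "Echo request":
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items()}

def sweep_suspects(text, min_targets):
    """Sources pinging >= min_targets distinct hosts: the shape a monitor flags as a sweep."""
    return sorted(s for s, d in echo_request_targets(text).items() if len(d) >= min_targets)

def arp_request_counts(text):
    """How often each address was asked for in an 'ARP C Who is' request; many
    repeats with no matching reply in the capture point to an absent host."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["proto"] == "ARP" and rec["info"].startswith("C Who is "):
            counts[rec["info"].split("Who is ")[1].split(",")[0]] += 1
    return dict(counts)
```

Feed it the full displays (snoop -i file | python3 script.py, with a few lines of sys.stdin reading added) and the per-source target counts and the ARP repeat counts give you the numbers behind both thought provocations.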