( Latest revision 03/30/2007 )

How to Eavesdrop on Network Communications
Using the snoop Command




Read the first couple of pages of the manual page for the snoop command by executing:

man snoop



In order to protect private information, computer administrators don't give "ordinary" users permission to eavesdrop on the LAN. snoop has to open the network interface (here /dev/hme) in promiscuous mode, and only root (or, on Solaris 10 and later, a user who has been granted the net_rawaccess privilege) is allowed to do that. An ordinary user may execute snoop and may read a saved capture file, but s/he won't be able to use it to read packets from the network interface. That is why the capture commands below are run through sudo while the playback commands are not.



What follows is basically an annotated script of some tests I did with snoop. Please read the material and spend some time trying to answer the questions you find in the "thought provocation" sections.

We capture 10 network packets that use the User Datagram Protocol (UDP). The packets are saved to a file named snoop.udp. Note that by default snoop -o saves each packet in full (the -s option truncates packets to a snap length), so the file holds whatever payload crossed the wire and should be protected like any other sensitive data; the header-only view shown later comes from the display options, not from the capture.


john@centauri: sudo snoop -c 10 -o snoop.udp udp
Password:
Using device /dev/hme (promiscuous mode)
10 10 packets captured


Next we use snoop with some different options to read the saved file back. We use the -V option in order to get output that is somewhat verbose -- it prints one summary line for each protocol layer in the packet. (The lower-case -v option instead dumps every field of every header and produces far more output.)

In the display below, the first column contains a sequence number. The second column is the elapsed time between the previous packet's arrival and the current packet's arrival. The next column shows the source and destination addresses of the packet (in domain name form, if available, else the IP address). Keep in mind that snoop looks those names up in DNS while it displays, so reading a file can itself generate traffic, and the name shown is whatever the PTR record says; the -r option displays the raw IP addresses instead. Much (but probably not all :-) of the rest of the information is self-explanatory.


john@centauri: snoop -V -i snoop.udp
________________________________
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu ETHER Type=0800 (IP), size = 182 bytes
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu IP  D=130.17.70.2 S=130.17.70.10 LEN=168, ID=38702, TOS=0x0, TTL=255
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu UDP D=33767 S=39007 LEN=148
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu RPC C XID=1107014792 PROG=100300 (NIS+) VERS=3 PROC=5
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu NIS+ C IBlist "passwd.org_dir.csustan.edu." [name = "ccastane"]
________________________________
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 410 bytes
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.2 LEN=396, ID=45614, TOS=0x0, TTL=255
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu UDP D=39007 S=33767 LEN=376
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu RPC R (#1) XID=1107014792 Success
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu NIS+ R IBlist [Success] and 1 object
________________________________
  3  10.25216 rodan.csustan.edu -> 130.17.71.255 ETHER Type=0800 (IP), size = 243 bytes
  3  10.25216 rodan.csustan.edu -> 130.17.71.255 IP  D=130.17.71.255 S=130.17.70.108 LEN=229, ID=12710, TOS=0x0, TTL=128
  3  10.25216 rodan.csustan.edu -> 130.17.71.255 UDP D=138 S=138 LEN=209
  3  10.25216 rodan.csustan.edu -> 130.17.71.255 NBT Datagram Service Type=17 Source=RODAN[20]
________________________________
  4   0.86467 battera.csustan.edu -> BROADCAST    ETHER Type=0800 (IP), size = 80 bytes
  4   0.86467 battera.csustan.edu -> BROADCAST    IP  D=255.255.255.255 S=130.17.70.91 LEN=66, ID=22321, TOS=0x0, TTL=128
  4   0.86467 battera.csustan.edu -> BROADCAST    UDP D=1971 S=1971 LEN=46
________________________________
  5   1.03235 centauri.csustan.edu -> www.cs.csustan.edu ETHER Type=0800 (IP), size = 85 bytes
  5   1.03235 centauri.csustan.edu -> www.cs.csustan.edu IP  D=130.17.70.35 S=130.17.70.10 LEN=71, ID=23764, TOS=0x0, TTL=255
  5   1.03235 centauri.csustan.edu -> www.cs.csustan.edu UDP D=53 S=40704 LEN=51
  5   1.03235 centauri.csustan.edu -> www.cs.csustan.edu DNS C 97.84.116.68.in-addr.arpa. Internet PTR ?
________________________________
  6   0.00042 www.cs.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 249 bytes
  6   0.00042 www.cs.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.35 LEN=235, ID=38693, TOS=0x0, TTL=64
  6   0.00042 www.cs.csustan.edu -> centauri.csustan.edu UDP D=40704 S=53 LEN=215
  6   0.00042 www.cs.csustan.edu -> centauri.csustan.edu DNS R 97.84.116.68.in-addr.arpa. Internet PTR 68-116-84-97.ca.charter.com.
________________________________
  7   0.00064 centauri.csustan.edu -> www.cs.csustan.edu ETHER Type=0800 (IP), size = 87 bytes
  7   0.00064 centauri.csustan.edu -> www.cs.csustan.edu IP  D=130.17.70.35 S=130.17.70.10 LEN=73, ID=23765, TOS=0x0, TTL=255
  7   0.00064 centauri.csustan.edu -> www.cs.csustan.edu UDP D=53 S=40705 LEN=53
  7   0.00064 centauri.csustan.edu -> www.cs.csustan.edu DNS C 68-116-84-97.ca.charter.com. Internet Addr ?
________________________________
  8   0.00027 www.cs.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 226 bytes
  8   0.00027 www.cs.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.35 LEN=212, ID=38694, TOS=0x0, TTL=64
  8   0.00027 www.cs.csustan.edu -> centauri.csustan.edu UDP D=40705 S=53 LEN=192
  8   0.00027 www.cs.csustan.edu -> centauri.csustan.edu DNS R 68-116-84-97.ca.charter.com. Internet Addr 68.116.84.97
________________________________
  9   7.97021 CompSci-160-071.csustan.edu -> 130.17.71.255 ETHER Type=0800 (IP), size = 92 bytes
  9   7.97021 CompSci-160-071.csustan.edu -> 130.17.71.255 IP  D=130.17.71.255 S=130.17.71.160 LEN=78, ID=60979, TOS=0x0, TTL=128
  9   7.97021 CompSci-160-071.csustan.edu -> 130.17.71.255 UDP D=137 S=137 LEN=58
  9   7.97021 CompSci-160-071.csustan.edu -> 130.17.71.255 NBT NS Query Request for CSUS2100[1b], Success
________________________________
 10   0.74999 CompSci-160-071.csustan.edu -> 130.17.71.255 ETHER Type=0800 (IP), size = 92 bytes
 10   0.74999 CompSci-160-071.csustan.edu -> 130.17.71.255 IP  D=130.17.71.255 S=130.17.71.160 LEN=78, ID=60980, TOS=0x0, TTL=128
 10   0.74999 CompSci-160-071.csustan.edu -> 130.17.71.255 UDP D=137 S=137 LEN=58
 10   0.74999 CompSci-160-071.csustan.edu -> 130.17.71.255 NBT NS Query Request for CSUS2100[1b], Success


Thought Provocation: What can you guess or discover about the purpose of each of the 10 packets documented above? Hint: Look on the right side of the bottom line corresponding to each packet. You can use a search engine to look up generic parts of the information - like the string "NBT NS Query Request." You can find out quite a lot if you sift through the results of searches appropriately.



Next we capture 10 network packets that are coming from or going to the host "ra", which is the fileserver for the CS lab Sun Ultras. The filter expression "host ra" matches packets with ra as either source or destination. The packets are saved to a file named snoop.ra.



john@centauri: sudo snoop -c 10 -o snoop.ra host ra
Password:
Using device /dev/hme (promiscuous mode)
10 10 packets captured


Now we "play back" the file snoop.ra to see the header information from each layer of each packet:


john@centauri: snoop -V -i snoop.ra
________________________________
  1   0.00000 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 54 bytes
  1   0.00000 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=40, ID=13929, TOS=0x0, TTL=64
  1   0.00000 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Ack=2300760921 Seq=2007437271 Len=0 Win=49640
________________________________
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 206 bytes
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=192, ID=13930, TOS=0x0, TTL=64
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Push Ack=2300760921 Seq=2007437271 Len=152 Win=49640
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu RPC C XID=3950768159 PROG=100003 (NFS) VERS=3 PROC=1
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu NFS C GETATTR3 FH=05DA
________________________________
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 170 bytes
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.30 LEN=156, ID=40942, TOS=0x0, TTL=64
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu TCP D=636 S=2049 Push Ack=2007437423 Seq=2300760921 Len=116 Win=49640
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu RPC R (#2) XID=3950768159 Success
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu NFS R GETATTR3 OK
________________________________
  4   0.00031 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 206 bytes
  4   0.00031 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=192, ID=13931, TOS=0x0, TTL=64
  4   0.00031 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Push Ack=2300761037 Seq=2007437423 Len=152 Win=49640
  4   0.00031 centauri.csustan.edu -> ra.csustan.edu RPC C XID=3950768160 PROG=100003 (NFS) VERS=3 PROC=1
  4   0.00031 centauri.csustan.edu -> ra.csustan.edu NFS C GETATTR3 FH=05DA
________________________________
  5   0.00023 ra.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 170 bytes
  5   0.00023 ra.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.30 LEN=156, ID=40943, TOS=0x0, TTL=64
  5   0.00023 ra.csustan.edu -> centauri.csustan.edu TCP D=636 S=2049 Push Ack=2007437575 Seq=2300761037 Len=116 Win=49640
  5   0.00023 ra.csustan.edu -> centauri.csustan.edu RPC R (#4) XID=3950768160 Success
  5   0.00023 ra.csustan.edu -> centauri.csustan.edu NFS R GETATTR3 OK
________________________________
  6   0.04031 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 54 bytes
  6   0.04031 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=40, ID=13932, TOS=0x0, TTL=64
  6   0.04031 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Ack=2300761153 Seq=2007437575 Len=0 Win=49640
________________________________
  7   1.85616 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 206 bytes
  7   1.85616 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=192, ID=13933, TOS=0x0, TTL=64
  7   1.85616 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Push Ack=2300761153 Seq=2007437575 Len=152 Win=49640
  7   1.85616 centauri.csustan.edu -> ra.csustan.edu RPC C XID=3950768161 PROG=100003 (NFS) VERS=3 PROC=1
  7   1.85616 centauri.csustan.edu -> ra.csustan.edu NFS C GETATTR3 FH=05DA
________________________________
  8   0.00026 ra.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 170 bytes
  8   0.00026 ra.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.30 LEN=156, ID=40944, TOS=0x0, TTL=64
  8   0.00026 ra.csustan.edu -> centauri.csustan.edu TCP D=636 S=2049 Push Ack=2007437727 Seq=2300761153 Len=116 Win=49640
  8   0.00026 ra.csustan.edu -> centauri.csustan.edu RPC R (#7) XID=3950768161 Success
  8   0.00026 ra.csustan.edu -> centauri.csustan.edu NFS R GETATTR3 OK
________________________________
  9   0.00030 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 206 bytes
  9   0.00030 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=192, ID=13934, TOS=0x0, TTL=64
  9   0.00030 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Push Ack=2300761269 Seq=2007437727 Len=152 Win=49640
  9   0.00030 centauri.csustan.edu -> ra.csustan.edu RPC C XID=3950768162 PROG=100003 (NFS) VERS=3 PROC=1
  9   0.00030 centauri.csustan.edu -> ra.csustan.edu NFS C GETATTR3 FH=05DA
________________________________
 10   0.00023 ra.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 170 bytes
 10   0.00023 ra.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.30 LEN=156, ID=40945, TOS=0x0, TTL=64
 10   0.00023 ra.csustan.edu -> centauri.csustan.edu TCP D=636 S=2049 Push Ack=2007437879 Seq=2300761269 Len=116 Win=49640
 10   0.00023 ra.csustan.edu -> centauri.csustan.edu RPC R (#9) XID=3950768162 Success
 10   0.00023 ra.csustan.edu -> centauri.csustan.edu NFS R GETATTR3 OK


Thought Provocation: What does the structure of the display above tell you about how the file service is implemented?
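Both thought-provocation questions can be answered from the -V output alone, and it is worth being able to do that by program rather than by eye. The following Python is an added example; it is not part of the original lab page and is not part of snoop. It parses the one-line-per-layer format into packets, reports each packet's innermost decoded layer (which is what the hint above points at), maps every RPC program seen to the transport and server port its calls use, and matches RPC calls to replies by XID to get round-trip times. The sample text is constructed by copying a few packets from the two captures above; the class and function names are my own.

```python
"""Parse `snoop -V` summary output: what is each packet for, and how do RPC
calls pair with replies?  Added example, not part of the original lab page;
the sample text is constructed from packets shown in the page's captures."""
import re
from dataclasses import dataclass, field

# seq, gap since previous packet, src, dst, protocol token, rest of the line
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")

SAMPLE_UDP = """\
________________________________
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu ETHER Type=0800 (IP), size = 182 bytes
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu IP  D=130.17.70.2 S=130.17.70.10 LEN=168, ID=38702, TOS=0x0, TTL=255
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu UDP D=33767 S=39007 LEN=148
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu RPC C XID=1107014792 PROG=100300 (NIS+) VERS=3 PROC=5
  1   0.00000 centauri.csustan.edu -> eos.csustan.edu NIS+ C IBlist "passwd.org_dir.csustan.edu." [name = "ccastane"]
________________________________
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 410 bytes
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.2 LEN=396, ID=45614, TOS=0x0, TTL=255
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu UDP D=39007 S=33767 LEN=376
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu RPC R (#1) XID=1107014792 Success
  2   0.00122 eos.csustan.edu -> centauri.csustan.edu NIS+ R IBlist [Success] and 1 object
________________________________
  4   0.86467 battera.csustan.edu -> BROADCAST    ETHER Type=0800 (IP), size = 80 bytes
  4   0.86467 battera.csustan.edu -> BROADCAST    IP  D=255.255.255.255 S=130.17.70.91 LEN=66, ID=22321, TOS=0x0, TTL=128
  4   0.86467 battera.csustan.edu -> BROADCAST    UDP D=1971 S=1971 LEN=46
"""

SAMPLE_NFS = """\
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu ETHER Type=0800 (IP), size = 206 bytes
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu IP  D=130.17.70.30 S=130.17.70.10 LEN=192, ID=13930, TOS=0x0, TTL=64
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu TCP D=2049 S=636 Push Ack=2300760921 Seq=2007437271 Len=152 Win=49640
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu RPC C XID=3950768159 PROG=100003 (NFS) VERS=3 PROC=1
  2   1.15883 centauri.csustan.edu -> ra.csustan.edu NFS C GETATTR3 FH=05DA
________________________________
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu ETHER Type=0800 (IP), size = 170 bytes
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu IP  D=130.17.70.10 S=130.17.70.30 LEN=156, ID=40942, TOS=0x0, TTL=64
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu TCP D=636 S=2049 Push Ack=2007437423 Seq=2300760921 Len=116 Win=49640
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu RPC R (#2) XID=3950768159 Success
  3   0.00033 ra.csustan.edu -> centauri.csustan.edu NFS R GETATTR3 OK
"""


@dataclass
class Packet:
    seq: int
    delta: float          # seconds since the previous captured packet
    src: str
    dst: str
    layers: list = field(default_factory=list)   # (proto, detail), outermost first


def parse_snoop_v(text):
    """Group the one-line-per-layer output into one Packet per sequence number."""
    packets = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("____"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a snoop -V line: {line!r}")
        seq, delta, src, dst, proto, detail = m.groups()
        pkt = packets.setdefault(int(seq), Packet(int(seq), float(delta), src, dst))
        pkt.layers.append((proto, detail.strip()))
    return [packets[k] for k in sorted(packets)]


def deepest(pkt):
    """The innermost decoded layer is snoop's best statement of a packet's purpose."""
    return pkt.layers[-1]


def summarize(packets):
    return [f"{p.seq:3d} {p.src} -> {p.dst}: {' '.join(deepest(p))}" for p in packets]


def rpc_services(packets):
    """Map each RPC program seen in a call to (transport, server port), e.g.
    NFS -> ('TCP', 2049).  Assumes one occurrence of each protocol per packet."""
    out = {}
    for p in packets:
        layers = dict(p.layers)
        rpc = layers.get("RPC", "")
        if not rpc.startswith("C "):
            continue
        prog = re.search(r"\((\S+)\)", rpc).group(1)
        for transport in ("TCP", "UDP"):
            if transport in layers:
                port = int(re.search(r"D=(\d+)", layers[transport]).group(1))
                out[prog] = (transport, port)
    return out


def pair_rpc(packets):
    """Match RPC calls to replies by XID.  The second column is the gap since
    the previous packet, so the round trip is the sum of the gaps of every
    packet after the call up to and including the reply."""
    pending, pairs = {}, {}
    for p in packets:
        for proto, detail in p.layers:
            if proto != "RPC":
                continue
            xid = re.search(r"XID=(\d+)", detail).group(1)
            if detail.startswith("C "):
                pending[xid] = p.seq
            elif detail.startswith("R ") and xid in pending:
                call_seq = pending.pop(xid)
                rtt = sum(q.delta for q in packets if call_seq < q.seq <= p.seq)
                pairs[xid] = (call_seq, p.seq, rtt)
    return pairs


if __name__ == "__main__":
    for text in (SAMPLE_UDP, SAMPLE_NFS):
        pkts = parse_snoop_v(text)
        print("\n".join(summarize(pkts)))
        print("RPC services:", rpc_services(pkts), " call/reply pairs:", pair_rpc(pkts))
```

To apply it to a real capture, feed it the text of snoop -V -i snoop.ra in place of the embedded samples; the same regular expression also matches the raw-address output of snoop -r -V, which is the safer way to read a file whose hosts you do not control. Run on the samples, rpc_services reports NIS+ over UDP and NFS over TCP port 2049, and pair_rpc shows that every GETATTR3 call in the ra capture is answered on the same TCP connection within a millisecond, which is the shape of the display the question above is asking about.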