A passive approach to your network security
The Secrets of Snoop
Lance Spitzner

Sniffers have exploded in popularity over the past several years, from Network General’s Netxray and Microsoft’s Network Monitor, to public domain tools such as Etherman and Curry Sniffer. These tools are used for various reasons, including network troubleshooting, traffic analysis, node discovery, etc. We will be covering one of the most common, yet effective sniffers, snoop. Of all the sniffers, this is one standby you always have access to with Solaris. The purpose of this article is to demonstrate how to leverage snoop, with examples focusing on network security.
 

What is snoop?

Snoop is an executable binary that puts your system’s interface(s) in promiscuous mode. By being in promiscuous mode, snoop captures all packets on you network, in either real time or capture file format. What makes snoop so powerful is the detail of information it provides and the flexibility of the tool.

In the first half of this article we will focus on snoop commands, how to get the information we want. The second half of this article we will focus on analyzing network traffic with real world examples, focusing on security. The examples will be IP, but snoop can be used to capture and analyze other network packets, such as DECnet and AppleTalk. For packet analysis, I will be using the standard 7 layer OSI model (see Figure 1 for a refresher).
 

How to Use Snoop

The first thing you have to decide is do you want real time data, or capture packets to a snoop capture file? Most of the time, you will capture the data to a file. In real-time mode the data flies across you screen to fast to read. Its only real benefit is to give you a quick feel of what traffic is moving on your network. To do some serious analysis, you will want to capture your network traffic to a file so you can take your time.

To capture data to a file, the command is
#snoop –o filename

This saves all the data in binary format to filename. To see data real-time, exclude the command "-o filename". Otherwise, all command syntax is the same for snoop.

The first thing we need to do is determine how many packets to capture. If no number is determined, snoop will continue to gather packets until you CRTL-C or run out of resources. To set the number, use the command.

#snoop –o filename –c 1000 .

Snoop will capture 1000 packets in about 60 seconds on a standard 10Mbps network.

Next, we want to determine what level of detail we need. Snoop comes in three flavors, summary (default), verbose summary (-V), and verbose mode (-v). Summary gives us the least information, only the highest protocol level, layer 5,6 or 7 , and packet source/destination. Below is a single packet in summary mode. This is the 27th packet captured, it shows a Telnet connection between squirrel and my school account. 0.01743 is the time between packet 26 and 27.

27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330

Verbose summary (-V) gives us all the layers of the OSI model, (layers 2,3,4, and 5, 6 or 7) but in summarized fashion, one line for each layer. Below we see an example, packet 27 again. Notice it gives us layer 2 (ETHER), layer 3 (IP), layer 4 (TCP), and layer 7 (Telnet). Note how it also gives Syn and Seq (sequence number). There is no Ack (Acknowledge number) so this is the first packet for this Telnet session.

27 0.01743 squirrel -> ICARUS.CC.UIC.EDU ETHER Type=0800 (IP), size = 58 bytes
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU IP D=128.248.121.53 S=208.194.41.20 LEN=44, ID=6082
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TCP D=23 S=45330 Syn Seq=678057692 Len=0 Win=8760
27 0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330

Verbose gives us all the gory details of each packet, all the way to the bit level on the OSI model. Below is a packet 27 in verbose mode. Here we see detailed information of each layer, layer 2 (Ethernet), layer 3 (IP), and layer 4 (TCP) header. See RFC 894 (Ether), 791 (IP), and 793 (TCP) for specific header information.

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 27 arrived at 10:40:36.07
ETHER: Packet size = 58 bytes
ETHER: Destination = 8:0:20:8d:fc:d2, Sun
ETHER: Source = 8:0:20:c:df:aa, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 6082
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 7005
IP: Source address = 208.194.41.20, squirrel
IP: Destination address = 128.248.121.53, ICARUS.CC.UIC.EDU
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 45330
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 678057692
TCP: Acknowledgement number = 0
TCP: Data offset = 24 bytes
TCP: Flags = 0x02
TCP: ..0. .... = No urgent pointer
TCP: ...0 .... = No acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..1. = Syn
TCP: .... ...0 = No Fin
TCP: Window = 8760
TCP: Checksum = 0x517a
TCP: Urgent pointer = 0
TCP: Options: (4 bytes)
TCP: - Maximum segment size = 1460 bytes
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:

No one level of detail is "better" then the other. It depends on what type of information you are looking for. Keep in mind however that snoop can be resource intensive. In verbose mode, snoop may overwhelm the system, forcing it to drop packets depending on your network traffic. In some cases, you may have to use a dedicated server for snoop, depending on your verbose level and number of packets gathered. To capture 1000 packets in verbose summary mode:

#snoop –V –o filename –c 1000

To read a capture file, use –i filename. If you captured packets in verbose mode, you can read a capture file in summary, verbose summary, or verbose mode. I recommend you scan through the capture file in summary mode, identify what packets are interesting, then view specific packets in verbose mode. To look at a specific packet, use –ppacket#. Below is an example of looking at packets 10-32 and packet 56 in verbose mode.

snoop –i filename –v –p10-32,56

Now lets leverage the true power of snoop. Snoop has a variety of filtering tools, allowing us to focus on the type of packets we capture, be it source, destination, protocol layer, etc. Here we will cover some of the most commonly used options. However, for complete information, be sure to do a man on snoop(1).

First, we can select what systems, by either MAC (layer 2) or IP or host name, (layer 3) will be snooped. This limits what packets are captured at the interface. If you have just one node you want to snoop, include its IP address. If there are several, use the expression "and" or "or" between the nodes. You can focus the expression even more with the qualifier "from" or "to" which match the source or destination address. The "!" or "not" performs a logical NOT operation. Last, the expression "net" captures all packets that belong to a specific network. The command below captures all packets coming from zeus, going to 8:0:20:f1:b3:51, or packets belonging to the network 192.168.3.0, except 192.168.3.58. Note, the host name zeus must be resolvable, be it /etc/hosts or DNS.

snoop –o filename from zeus or to 8:0:20:f1:b3:51or net 192.168.3.0 not 192.168.3.58

Just as we can qualify specific hosts or networks at layer 2 or 3, we can limit packets captured at layers 4, 5, 6, and 7. At layer 4, we can qualify "tcp", "udp", or "icmp" (actually RFC 792 states icmp is a layer 3 protocol, but I have placed it here to reflect snoop’s man page). For layers 5,6 and 7 use the qualifiers "port" and "rpc" (based on the /etc/services and /etc/rpc files). The command below captures all DNS or NFS packets

snoop –o filename –V port domain or rpc nfs

Snoop and Security

Now that we have covered the flexibility of snoop, lets apply it to your network security. With snoop, you silently sit on the network and capture data. Unlike active measures, such as network discovery using ICMP, snoop does not alert anyone to its presence. This allows you to analyze the security of your network, without notifying anyone. Also, snoop can run over a long period of time, compared to active measures that run in a single point of time. If a server is down for several minutes while you are pinging the network, you will miss it. Snoop will pick up these servers, as long as they eventually send or receive traffic.

Snoop does two critical things for security, it tells you who is on your network, and what they are doing. You need to first identify what your security concern is, then configure snoop to find that information.

Often, a security concern is having a node or gateway on your network that you do not know about. This node could be an innocent dial-up server, or a gateway a hacker set-up. I know of a company where an unknown Internet connection was recently identified with a sniffer. Active measures will tell you who is on the network, only if the machine is on. But what if a node is on only at night, or has been configured not to ICMP_REPLY, then what? Using the qualifiers we covered above, snoop could capture information on your network. With a perl or shell script, you could parse this information, identifying unknown nodes on your network.

Another security issue is what is going on your network. You may be concerned about specific websites or downloads. Perhaps you are concerned that users are downloading the latest hacker attacks. You can snoop your network, looking for FTP downloads from known websites. I know of a recent incident where an employee was identified of this during a routine network analysis.

Perhaps you have several critical servers that have been hit with denial of service attacks, such as land.c or ping of death. You can qualify snoop to look for land.c by capturing packets with source and destination the same. For ping of death, look for icmp packets with extremely large lengths.

So far we have discussed what snoop can do, now we will cover what snoop cannot do. Unlike active measures, snoop, like most sniffers, cannot operate in a switched environment. Snoop only records packets that cross the designated interface. Switches block and forward IP packets based on their MAC , layer 2, address. If you have a switch, snoop will capture only the packets in its collision domain.

Where you snoop is just as important as what you snoop. If you want to monitor all the traffic on your network, place your sniffer on the Internet router segment. This way your are capturing all Internet traffic, you are no limited to specific collision domains.

This limitation of snoop can also be used to your advantage. A common tactic of hackers is to compromise a system and implement. Once compromised, the sniffer picks up user names and passwords. Several months ago, the SANS Institute was compromised by this same method. A prime target for this are systems on your DMZ, or the network segment between your Internet router and Firewall. Often companies place unsecured systems outside the firewall, such as webservers. However, once compromised, these systems make excellent platforms for capturing user names and passwords. To protect your network, place these systems behind a switch. If compromised, they are still isolated in their collision domain, thus protecting you from sniffing (note, if possible, you may want to hardcode the MAC address on the switch to specific ports).

Snoop is an extremely powerful and flexible tool. Its uses are as varied as its qualifiers. The ideas and concepts covered in this article are only an introduction to its capabilities.

Figure A
OSI 7 Layer Model
The OSI model (Open Systems Interconnection model) was developed in 1974 by the International Standards Organization) The seven layer model is an international standard that allows systems to communicate with each other as if they were the same system. Each layer has a specific purpose independent of each other. A packet starts at the applications layer, works it way down the stack, and is then sent to the other system. The other system receives the packet at the first layer, then sends it back up the stack. Not all layers, specifically 5 and 6, may be utilized.

Layer 7 Application (SMTP, TELNET)
Defines the network applications.

Layer 6 Presentation (Encryption)
Data translation (format of the data)

Layer 5 Session
Establishes, maintains, and disconnects a communications link between two stations on a network

Layer 4 Transport (TCP, UDP)
Provides for end-to-end transmission of data

Layer 3 Network (IP, IPX, AppleTalk)
Controls forwarding of packets between stations.

Layer 2 Data Link (Ethernet, Token Ring)
Physical layer addressing , synchronizes transmission and handles frame-level error control and recovery

Layer 1 Physical (UTP, Fiber)
Method used to transmit data (media, voltage, etc)
 

Author’s bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net .
 
 
 

Whitepapers / Publications