To preserve the data for later analysis, we record the network exchange with host tmp into the file test.
root@bca # snoop -o test tmp
At the same time, on server tmp we open an FTP session to server bca.
alexs@tmp:~$ ftp bca
Connected to bca.
220 bca FTP server ready.
Name (bca:alexs): alexs
331 Password required for alexs.
Password:
230 User alexs logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
2003Reburn_1.1.zip
Desktop
Documents
Dt
Mail
apache
auto_home
auto_master
dt
new
passwd
profile-EIS
statf
suexec.disabled
unrar
226 Transfer complete.
234 bytes received in 0.0013 seconds (182.59 Kbytes/s)
ftp> quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 656 bytes in 1 transfers.
221-Thank you for using the FTP service on bca.
221 Goodbye.
alexs@tmp:~$
After that, on server bca we stop snoop by pressing Ctrl+C.
root@bca # snoop -o test tmp
Using device /dev/dmfe0 (promiscuous mode)
43 ^C
We see that 43 packets were captured in this session. Now we have the binary file test and can work with it. Let's view its contents.
root@bca# snoop -i test -t r
1 0.00000 tmp -> bca FTP C port=33806
2 0.00036 bca -> tmp FTP R port=33806
3 0.00056 tmp -> bca FTP C port=33806
4 0.06950 bca -> tmp FTP R port=33806 220 bca FTP
5 0.06975 tmp -> bca FTP C port=33806
6 2.49241 tmp -> bca FTP C port=33806 USER alexs\r\n
7 2.49275 bca -> tmp FTP R port=33806
8 2.49502 bca -> tmp FTP R port=33806 331 Password require
9 2.49515 tmp -> bca FTP C port=33806
10 7.17183 tmp -> bca FTP C port=33806 PASS if8iln51\r\n
11 7.17220 bca -> tmp FTP R port=33806
12 7.23622 bca -> tmp FTP R port=33806 230 User alexs logge
13 7.23644 tmp -> bca FTP C port=33806 SYST\r\n
14 7.23734 bca -> tmp FTP R port=33806 215 UNIX Type: L8 Ve
15 7.23745 tmp -> bca FTP C port=33806 TYPE I\r\n
16 7.23776 bca -> tmp FTP R port=33806 200 Type set to I.\r\n
17 7.28712 tmp -> bca FTP C port=33806
18 9.15480 tmp -> bca FTP C port=33806 PORT 192,168,168,254
19 9.15545 bca -> tmp FTP R port=33806 200 PORT command suc
20 9.15569 tmp -> bca FTP C port=33806 TYPE A\r\n
21 9.15596 bca -> tmp FTP R port=33806 200 Type set to A.\r\n
22 9.15608 tmp -> bca FTP C port=33806 NLST\r\n
23 9.15729 bca -> tmp FTP-DATA R port=33807
24 9.15739 tmp -> bca FTP-DATA C port=33807
25 9.15760 bca -> tmp FTP-DATA R port=33807
26 9.15800 bca -> tmp FTP R port=33806 150 Opening ASCII mo
27 9.15913 bca -> tmp FTP-DATA R port=33807 2003Reburn_1.1.zip\r\n
28 9.15925 tmp -> bca FTP-DATA C port=33807
29 9.15941 bca -> tmp FTP-DATA R port=33807
30 9.15950 tmp -> bca FTP-DATA C port=33807
31 9.15958 tmp -> bca FTP-DATA C port=33807
32 9.15988 bca -> tmp FTP-DATA R port=33807
33 9.20690 tmp -> bca FTP C port=33806
34 9.20711 bca -> tmp FTP R port=33806 226 Transfer complet
35 9.20741 tmp -> bca FTP C port=33806 TYPE I\r\n
36 9.20769 bca -> tmp FTP R port=33806 200 Type set to I.\r\n
37 9.26687 tmp -> bca FTP C port=33806
38 12.23664 tmp -> bca FTP C port=33806 QUIT\r\n
39 12.23722 bca -> tmp FTP R port=33806 221-You have transfe
40 12.24622 bca -> tmp FTP R port=33806 221-Total traffic fo
41 12.24634 tmp -> bca FTP C port=33806
42 12.24654 tmp -> bca FTP C port=33806
43 12.24674 bca -> tmp FTP R port=33806
A lot of useful information can be gleaned from this listing. For example, the user's password is visible in cleartext (packet no. 10), because FTP sends its entire control channel, credentials included, without encryption. This is one of the ways other people's passwords get discovered.
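As an added example that is not part of the original article, the following Python script parses snoop summary lines in the format printed by snoop -i test -t r above and flags FTP logins whose credentials crossed the wire in cleartext. It is the kind of check an administrator would run over an existing capture to find accounts that still authenticate over plain FTP and move them to an encrypted alternative. The sample lines are constructed to mirror the listing (same hosts tmp and bca, same ports); the password in them is made up, and the script reports only the password's length, never its value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of `snoop -i <file> -t r` summary output:
# packet number, relative time, src -> dst, protocol, C/R direction, port,
# and the beginning of the payload (snoop prints CRLF as the literal text \r\n).
# The password below is invented for this example.
SAMPLE_SNOOP_SUMMARY = r"""
  1   0.00000      tmp -> bca          FTP C port=33806
  6   2.49241      tmp -> bca          FTP C port=33806 USER alexs\r\n
  8   2.49502      bca -> tmp          FTP R port=33806 331 Password require
 10   7.17183      tmp -> bca          FTP C port=33806 PASS s3cret-example\r\n
 12   7.23622      bca -> tmp          FTP R port=33806 230 User alexs logge
 13   7.23644      tmp -> bca          FTP C port=33806 SYST\r\n
 27   9.15913      bca -> tmp          FTP-DATA R port=33807 2003Reburn_1.1.zip\r\n
"""

SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+([CR])\s+port=(\d+)(?:\s+(.*))?$"
)


@dataclass
class SummaryLine:
    number: int
    rel_time: float
    src: str
    dst: str
    proto: str      # "FTP" (control channel) or "FTP-DATA"
    direction: str  # "C" = client -> server, "R" = server -> client
    port: int
    payload: str


@dataclass
class CleartextAuthFinding:
    packet: int
    client: str
    server: str
    user: Optional[str]
    password_length: int
    login_succeeded: bool  # True once the server answered 230 to this PASS


def parse_summary(text: str) -> List[SummaryLine]:
    """Parse snoop summary lines; anything that is not a packet line is skipped."""
    lines: List[SummaryLine] = []
    for raw in text.splitlines():
        m = SUMMARY_RE.match(raw)
        if not m:
            continue
        payload = (m.group(8) or "").strip()
        if payload.endswith(r"\r\n"):  # drop snoop's literal CRLF marker
            payload = payload[:-4]
        lines.append(SummaryLine(int(m.group(1)), float(m.group(2)), m.group(3),
                                 m.group(4), m.group(5), m.group(6),
                                 int(m.group(7)), payload))
    return lines


def find_cleartext_ftp_auth(lines: List[SummaryLine]) -> List[CleartextAuthFinding]:
    """Flag every PASS command on an FTP control channel and note whether it was accepted."""
    FlowKey = Tuple[str, str, int]  # (client, server, client port)
    pending_user: Dict[FlowKey, str] = {}
    awaiting_reply: Dict[FlowKey, CleartextAuthFinding] = {}
    findings: List[CleartextAuthFinding] = []
    for ln in lines:
        if ln.proto != "FTP":  # only the control channel carries USER/PASS
            continue
        if ln.direction == "C":
            key = (ln.src, ln.dst, ln.port)
            cmd, _, arg = ln.payload.partition(" ")
            if cmd.upper() == "USER":
                pending_user[key] = arg
            elif cmd.upper() == "PASS":
                finding = CleartextAuthFinding(ln.number, ln.src, ln.dst,
                                               pending_user.get(key), len(arg), False)
                findings.append(finding)
                awaiting_reply[key] = finding
        else:
            key = (ln.dst, ln.src, ln.port)  # reply: view the flow from the client's side
            finding = awaiting_reply.get(key)
            if finding is not None and ln.payload.startswith("230"):
                finding.login_succeeded = True
                del awaiting_reply[key]
    return findings


def report(findings: List[CleartextAuthFinding]) -> List[str]:
    """Human-readable lines; the password value itself is deliberately withheld."""
    out = []
    for f in findings:
        status = "accepted by server (230)" if f.login_succeeded else "outcome unknown"
        out.append(f"packet {f.packet}: {f.client} -> {f.server} cleartext FTP PASS for user "
                   f"{f.user or '?'} ({f.password_length} chars, value withheld); {status}")
    return out


if __name__ == "__main__":
    for line in report(find_cleartext_ftp_auth(parse_summary(SAMPLE_SNOOP_SUMMARY))):
        print(line)
```

On a real capture the input would be the output of snoop -i test -t r piped into the script; the same parser handles FTP-DATA lines (they are read but ignored), and a 230 reply is matched to the PASS on the same client port so that an exposed credential that the server actually accepted is reported separately from a failed attempt.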
More detailed information about a single packet can be obtained as follows:
root@bca# snoop -i test -v -p10
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 10 arrived at 12:16:47.33218
ETHER: Packet size = 81 bytes
ETHER: Destination = 0:3:ba:5b:a1:79,
ETHER: Source = 0:e0:81:58:ef:ae,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 67 bytes
IP: Identification = 44806
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = b892
IP: Source address = 192.168.168.254, tmp
IP: Destination address = 192.168.168.204, bca
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 33806
TCP: Destination port = 21 (FTP)
TCP: Sequence number = 595556607
TCP: Acknowledgement number = 3554824532
TCP: Data offset = 32 bytes
TCP: Flags = 0x18
TCP: 0... .... = No ECN congestion window reduced
TCP: .0.. .... = No ECN echo
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 1... = Push
TCP: .... .0.. = No reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 50137
TCP: Checksum = 0x821b
TCP: Urgent pointer = 0
TCP: Options: (12 bytes)
TCP: - No operation
TCP: - No operation
TCP: - TS Val = 173201036, TS Echo = 319476353
TCP:
FTP: ----- FTP: -----
FTP:
FTP: "PASS if8iln51\r\n"
FTP:
snoop is a useful utility, analogous to tcpdump on Linux. For example, there is an interesting option for viewing packets that travel through a tunnel:
#snoop -v ip-in-ip
Additional information (switches and options) is available via man -s 1M snoop.
To be continued.