174 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications Your next stop viewing this decode within the Details pane is to now mini- mize the IP header so we can examine the TCP header. In Figure 4.12, we have expanded the TCP header the same way that we expanded the IP header before. We also minimized the IP header so it is now out of sight. The TCP header is broken down into a series of fields that we can examine with Sniffer Pro.You can now view the very inner details of the TCP header. In TCP, you use port numbers to identify and create socket connections with upper- layer protocols. Since HTTP is used, the source port is 80.This header will be broken down just like the IP header. Let’s take a look at the details of Figure 4.12: ■ Source port The source port is port 80, which is used for HTTP. www.syngress.com Figure 4.11 Viewing the IP Header IHLVersion Type of Service Total Length Identification Flags Fragment Offset Time To Live Protocol Header Checksum Source Address Destination Address Options + Padding Data Figure 4.12 Viewing the TCP Header 219_sniffer_04.qxd 6/28/02 11:51 AM Page 174 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 175 ■ Destination port The port used for the destination is 3689 (above the well-known range). ■ Sequence number The sequence number (and the next expected sequence number) are used for sequencing control. ■ Acknowledgment number Since the ACK bit is set (as shown a few fields lower, where acknowledgment is set to 1), the acknowledgment number field holds the number of the next sequence number that the sender of this data is expecting to receive. ■ Offset The data offset is set at 20 bytes, which helps indicate where data begins. ■ Flags The flags equal 10. ■ U The urgent pointer (URG) is set to 0, or No. ■ A The acknowledgment (ACK) is set to 1, or Yes. ■ P The push function (PSH) is set to 0, or No. ■ R The reset for the connection (RST) is set to 0, or No. ■ S The synchronize sequence numbers (SYN) is set to 0, or No. ■ F The no more data from the sender (FIN) setting is set to 0, or No. ■ Window The windows are equal to 7425. ■ Checksum The checksum is equal to 94Feh and is correct. ■ Options + Padding There are currently no options set. ■ Data There are 1436 bytes of data. This just keeps getting more interesting as we go deeper, and we haven’t even gotten to the full payload yet. Sniffer Pro is a priceless tool that you can use to dig into the details of data, as we are doing here. Remember, we are still looking at only a single frame of data! Even if you don’t understand everything you are looking at (the amount of information about protocol decodes is immense), you can at least get the capture, and you can then research information online or in RFCs so that you can find out more about the specific protocols you are decoding.As you can see, until now we have merely been showing you how to use the Sniffer Pro Analysis Decide panes (Summary, Details, and Hex) to read the data you capture.You will continue to use this skill through the rest of this book and for the rest of your career as a SCP analyzing networks and protocols. www.syngress.com 219_sniffer_04.qxd 6/28/02 11:51 AM Page 175 176 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications Let’s continue with the Details pane and finish analyzing the HTTP frame we’ve captured and analyzed. In Figure 4.13, you can see that I have minimized the DLC, IP, and TCP headers, so we can look at the HTTP portion of the capture. You can see that the HTTP portion of the capture is showing the Web page we accessed and what the Web server returned to our workstation.Within the capture, you can see that HTML tags and URLs have been returned to the requester.As we mentioned from the beginning when we looked in the IP header, the source was the Web server and the destination was the workstation requesting the Web page to view within a browser. Now the reason that you see HTML in the capture should make sense. The Hex Pane The Hex pane is by far the most revealing, but at the same time, it is a hard-to- read pane.The Hex pane looks like an information dump of pure hexadecimal code. It is that, but here we examine a better way for you to understand what you are looking at so you can make sense of what you see for analysis purposes. We know data in transmission is based on the Base 2 system of binary.We also know that we can translate binary into hexadecimal as well as decimal and octal formats.When you see data in the Hex pane, you are seeing the raw data www.syngress.com Figure 4.13 Viewing the HTTP Protocol in the Details Pane 219_sniffer_04.qxd 6/28/02 11:51 AM Page 176 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 177 that is in transit. In Figure 4.14, as you look on the right side of the pane, you will see the raw data, in the form of URLs, HTML, and whatever else was caught in transit. NOTE By default, the Hex pane shows you data in ASCII format. You can change this form to EBCDIC (IBM) encoding if you desire by simply right- clicking within the Hex pane and changing the option to EBCDIC. You have now run a capture, took a single frame, and analyzed it within the Sniffer Pro Decode tab using the Summary, Details, and Hex panes. From here throughout the rest of the book, we will of course look at more protocols and issues, but you should now know the fundamentals of using Sniffer Pro to run a basic capture and analysis. Let’s look at where you would best leverage your Sniffer Pro to capture this data. Sniffer Pro Analyzer Placement The Sniffer Pro application running on your laptop or PC needs to be in a posi- tion to capture data. Running it arbitrarily anywhere on a segment is a hit-or-miss method. In other words, if you run it just anywhere, you are allowing Sniffer Pro to promiscuously grab packets from a segment, but if you are nowhere near a client-to-server communication, for example, you could miss sought-after com- munications altogether.The point here is that you might have wanted to intercept the traffic from that client to that specific server, as you can see in Figure 4.15. www.syngress.com Figure 4.14 Viewing an HTTP Capture in the Hex Pane 219_sniffer_04.qxd 6/28/02 11:51 AM Page 177 178 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications It should be obvious to you from looking at the diagram that you need to place Sniffer Pro in a position where it can intercept that specific conversation between the hosts.We also discuss in this chapter how to span ports on a switch, but for now, just look at the placement factor. If the client 10.0.0.120 wants to communicate with server 10.0.0.10, it’s obvious that the Sniffer Pro application will most likely have nothing to do with capturing that conversation. www.syngress.com Figure 4.15 Incorrect Placement of Sniffer Pro to Capture Specific Communications Sniffer Pro Switch 1 Switch 2 Switch 3 Client 10.0.0.120 Server 10.0.0.10 Positioning the Sniffer Pro for Capture Before you place the Sniffer Pro analyzer on your network, you have a great deal to think about and plan. You need to read this entire book to fully understand all the elements involved. You must thoroughly under- stand that using the Sniffer Pro product correctly takes a great deal of networking technologies and protocol analysis understanding. Designing & Planning… 219_sniffer_04.qxd 6/28/02 11:51 AM Page 178 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 179 In Figure 4.16, note that we have “hubbed out” on the switch to capture the communications from the client to the server.We have yet to learn how to build a filter (the topic of Chapter 8), but you can run a general capture (as you did in the first section of this chapter) to at least get the data. There are also ways to span or mirror a port on a switch to capture traffic, which we discuss later in this chapter. Spanning is the simplest way to capture data in a hurry. In Chapter 2, we discussed creating a technicians toolkit, which contained a small hub for just this purpose. Sniffer Pro Advanced Configuration Now that you have learned about positioning, let’s look at a scenario in which you might be in a position to span a group of ports over to a single port for anal- ysis.You previously learned how to perform a capture, and now you know where to put Sniffer Pro, but what about if your analysis requires plugging into a switch? A switch is not like a hub; an active hub regenerates and broadcasts all data received out all available ports. A switch, however, functions on Layer 2 of the OSI (the hub on Layer 1), and the switch uses memory to build a table to www.syngress.com Figure 4.16 Correct Placement of Sniffer Pro to Capture Specific Communications Sniffer Pro Switch 1 Switch 2 Switch 3 Client 10.0.0.120 Server 10.0.0.10 HUB 219_sniffer_04.qxd 6/28/02 11:51 AM Page 179 180 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications memorize the MAC addresses associated with the ports on the switch.This eliminates the need to broadcast every port as the hub did to find its intended recipient. When you want to use port spanning (or mirroring, as it’s called in Nortel or Bay equipment), all you need to do is follow the guidelines in this section.The whole reason for port spanning is that with a switch, the destination is most likely a single port. How are you going to capture traffic on a switch with traffic not duplicated to another port to which you attach Sniffer Pro? You can hub out, as shown in Figure 4.16, but if you use the spanning method, you need to know how to configure the switch.Why not just hub out all the time? If you have your devices (servers, ports) hardcoded at 100Mbps and full duplex, plugging them into a 10BaseT hub is simply not going to work.To span ports, you need to con- figure the switch to duplicate the traffic from a port you want to monitor to a port you are connected to with Sniffer Pro. Switched Port Analyzer A switched port analyzer (span) session is a configuration of a destination port with a grouping of source ports, configured with parameters that specify the monitored network traffic. In this section, we show you the fundamentals of con- figuring a span session with a SET-based IOS on a Catalyst 4000 series switch. You can use Cisco’s Web site to learn how to configure for spanning any other switch in Cisco’s huge inventory.We discuss this topic here so that you get an idea and an understanding of how to apply this methodology to just about any switch, with the correct documentation. In addition, note that you can span a VLAN. NOTE Spanning sessions do not interfere with the normal operation of switches, but you always want to check the documentation of the exact switch you are configuring as well as periodically check the device’s logs. You won’t affect the switch, but you will increase the amount of traffic on a specific destination port, so make sure your properly configured Sniffer Pro workstation is the destination port. You learned how to prop- erly configure Sniffer Pro for basic operation in Chapter 2. www.syngress.com 219_sniffer_04.qxd 6/28/02 11:51 AM Page 180 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 181 How to Set Port Spanning To configure spanning, you need to first properly place your Sniffer Pro worksta- tion or laptop. Plug into a free switch port and make sure you write down the number of the port you are plugged into. For Cisco, you need to know the blade module and the port number, so if you are plugged into the second modules of Fast Ethernet ports and you are in the tenth port, you are in the 2/10 port. Furthermore, note the traffic you want to span. Let’s say it’s a server located on the third blade module and it’s plugged into the second port.The server is located in the 3/2 port. Now do the following: 1. Connect to and log into the switch you want to configure. 2. Type enable (you must be in enable mode to configure spanning) and log in.You will now be at the Switch1 (enable) prompt. 3. You can now type Switch1 (enable) set span 3/2 2/10.This enables spanning so that traffic from the server goes to the port where Sniffer Pro is located.The switch, in turn, confirms the span with a message: “Overwrote Port 2/10 to monitor transmit/receive traffic of Port 3/2— Incoming Packets disabled. Learning enabled.” 4. To obtain statistics, you can now type the following at the switch prompt: Switch1 (enable) show span. You are now port spanning. It’s that easy. Remember, though, this is the Details pane for a single switch and there are slight differences as you move up in code levels as well as differences among operating systems (IOS) on the Cisco line of switches. Now let’s look at the VLAN configuration. How to Set Port Spanning for a VLAN To span a VLAN, you can do the following. If you do not know which VLANs you have and what ports are associated with them, you need to find out the VLANs on the switch before you do anything. Find this information using com- mands such as show VLAN. Once you have the VLAN information you need (we use VLAN 100 for this exercise with the same switch port for Sniffer Pro) and you have read the documentation specific to your version of switch IOS code, you can do the following: 1. Connect to and log into the switch you want to configure. 2. Type enable (you must be in enable mode to configure spanning) and log in.You will now be at the Switch1 (enable) prompt. www.syngress.com 219_sniffer_04.qxd 6/28/02 11:51 AM Page 181 182 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications 3. You can now type Switch1 (enable) set span 100 2/10.This enables spanning so that traffic from the VLAN goes to the port where Sniffer Pro is located.The switch, in turn, confirms the span with a message: “Overwrote Port 2/10 to monitor transmit/receive traffic of VLAN 100—Incoming Packets disabled. Learning enabled.” 4. To get statistics, you can now type the following at the switch prompt: Switch1 (enable) show span. W ARNING Be extremely careful not to create STP loops on the network when con- figuring the span destination port on a VLAN. The span destination port might not participate in that VLAN, so make sure that you carefully read the documentation on the switch you are configuring when you work with and span VLANs. In sum, port spanning is fairly simple if you have some Cisco skill.We recom- mend that you never work on a switch if you’re not authorized to do so, and be very careful, because most of these switch changes write to memory immediately without the need to save the changes to the configuration.This warning should be enough to give you an idea that although you now understand the theory and the commands are simple, a mistake made on a core switch will have very ugly results. Exercise great caution if you don’t know what to do. www.syngress.com Port Mirroring on a Nortel/Bay Switch Cisco spanning is the same theory for Nortel/Bay mirroring. It’s the same idea, just with two different names. At times, you might find yourself in a position where you need to mirror ports on a Nortel/Bay switch. If that’s the case, it’s as easy as configuring it on the Cisco switch. If you need to mirror a set of ports on a Nortel or Bay switch, you need to know the version of code and the model of switch you are working with. Configuring & Implementing… Continued 219_sniffer_04.qxd 6/28/02 11:51 AM Page 182 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 183 Timestamping Procedures The Sniffer Pro Analyzer “timestamps” each packet that it captures in its buffer. Three basic timestamps are used in analysis: ■ Relative ■ Delta (also known as interpacket) ■ Absolute All three timestamps are useful to help find problems on your network. In some instances, using timestamps is critical to resolving network issues such as slow response times from a host to another host. Timestamp Columns and Timestamping We covered timestamps in Chapter 3, giving you a brief overview of what the Sniffer Pro can do. In this chapter, we look at why you really need to look at those timestamps for troubleshooting.The material in Chapter 3 might have been www.syngress.com Here we show you the configuration for the most common series of Baystack switch-based operating systems and hardware: the Baystack 450-24T. Log into the switch, if prompted, and you should be at the main menu. From the main menu, select the Switch Configuration menu option. Halfway down on the next menu, you will see a menu option called Port Mirroring Configuration. When you select that menu option, a new configuration page opens. Look at the bottom of the page; you will see that Monitoring Mode is disabled. Once you configure it, this mode will be enabled. Your first section to configure is the pattern. In the first field, you can set (using the Spacebar) any variation of mirroring with the options provided. Select an option that suits your needs, such as any address to a specific port. Then you can continue down to configure the ports and addresses you specifically want to be source and destination. The pro- cess is completely menu driven, so it’s pretty simple to implement. Press Enter, and you will be asked if you are done. You can reply Yes to finish your configuration. Be aware that if you are not going to Telnet into the switch, you need to console into the switch. Nortel/Bay switches use console cables that are proprietary to the switch and model; a Cisco con- sole cable will not work. 219_sniffer_04.qxd 6/28/02 11:51 AM Page 183 [...]... the Sniffer Pro console.To open ART, go to the toolbar on top of the Sniffer Pro Analyzer and select the ART icon, or open the Monitor menu and select Application Response Time Either action opens a new dialog box, as shown in Figure 4. 42 Figure 4. 42 Viewing Application Response Time www .syngress. com 205 219 _sniffer_ 04. qxd 206 6/28/02 11:51 AM Page 206 Chapter 4 • Configuring Sniffer Pro to Monitor Network. ..219 _sniffer_ 04. qxd 1 84 6/28/02 11:51 AM Page 1 84 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications enough to aid you in becoming an SCP, but this chapter gives you more substance to use in production.The term used for Sniffer Pro placing a timestamp on a packet is called timestamping A view of timestamps in the Summary pane appears in Figure 4. 17 Figure 4. 17 Viewing the... www .syngress. com 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 207 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 If you select protocols to view other than HTTP, you can select them on both the TCP and UDP ranges, as shown in Figure 4. 43, within the Display Protocols tab If you select new protocols to monitor, Sniffer Pro forces you to close ART and the program reopens it automatically.You... open, as shown in Figure 4. 44 Figure 4. 44 Viewing ART with More Protocols Selected for Monitoring Figure 4. 44 shows that we have used the Telnet protocol to attach to a device Since attaching to the device involved using an application protocol set such as Telnet, ART picked it up and gave me a general reading on how well it performed.You can use this same method for any of the protocols listed in the... chart, as shown in Figure 4. 45 By clicking the corresponding toolbar icon, you can set your view in bar chart-based mode Figure 4. 45 Viewing the Server Response Time Bar Chart www .syngress. com 207 219 _sniffer_ 04. qxd 208 6/28/02 11:51 AM Page 208 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications Adding Custom Protocols to ART At times you might want to add more protocols for ART to monitor... Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 The RIP Options Tab RIP is a distance vector protocol that the Sniffer Pro Expert monitors and analyzes for you.The RIP Options tab, shown in Figure 4. 40, is actually fairly easy to configure On the bottom of the dialog box, you see an autodetect option Use this option so you don’t need to hardcode anything into the Sniffer Pro Expert The Sniffer. .. Table 4. 1, you can see the mappings to memorize Table 4. 1 OSI to Sniffer Pro Expert System Mappings Expert System Layers OSI Model Layers Service Application Session Connection Application and presentation Application and presentation Session Transport Continued www .syngress. com 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 187 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 Table 4. 1 Continued... the Properties button, you open the ART options, as shown in Figure 4. 43 When you select the Properties button, you open the ART Options dialog box In this dialog box, you can choose from among four tabs to customize the ART capture window.The most important tab is the Display Protocols tab shown in Figure 4. 43 Figure 4. 43 Viewing the ART Options via the Properties Button www .syngress. com 219 _sniffer_ 04. qxd... Protocols tab, shown in Figure 4. 46 You can now add the protocol and port set you would like ART to monitor for you (TCP and UDP) Figure 4. 46 Adding a Protocol to the Protocols TCP Tab 4 Close the application and reopen it (as Sniffer Pro instructs you to do) 5 When you reopen ART, choose the Properties button to open ART options.You will not find Chargen on the Display Protocols tab for either TCP and... Table 4. 2 Table 4. 2 Expert Option Severity Levels Severity Level Severity Rating Critical Major Minor Warning Informational Disabled Most severe Not as severe as Critical, but problematic Where most options are set To be warned of problems Least severe Disables the option www .syngress. com 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 201 Configuring Sniffer Pro to Monitor Network Applications • Chapter 4 NOTE . superseded.The www .syngress. com Figure 4. 24 Viewing DLC Layer Statistics with the Sniffer Pro Expert 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 191 192 Chapter 4 • Configuring Sniffer Pro to Monitor Network. in Figure 4. 15. www .syngress. com Figure 4. 14 Viewing an HTTP Capture in the Hex Pane 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 177 178 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications It. your career as a SCP analyzing networks and protocols. www .syngress. com 219 _sniffer_ 04. qxd 6/28/02 11:51 AM Page 175 176 Chapter 4 • Configuring Sniffer Pro to Monitor Network Applications Let’s continue