10-08-2009
Analyze packets with snoop
Is there anywhere we can get details about what we should expect to see and not to see in some packets captured with "snoop" during troubleshooting a problem? I know we can capture packes for a failed transaction and compare them with packets for a successful trasaction.Is that the only way to pinpoint a problem?
It's one thing to be able to capture the data. But, how can we really analyze and pinpoint what the problem is, using the data captured?
Any help will be really appreciated.
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
How do I use snoop command to capture multicast packets in the network? (1 Reply)
Discussion started by: caden312
1 Replies
2. UNIX for Dummies Questions & Answers
is there a snoop equivalent in other flavors of unix? HPUX, SCO or linux.
TIA
Peter (2 Replies)
Discussion started by: pbonilla
2 Replies
3. Solaris
Hello! It is my first post in this forum :).
I`m facing a strange issue. I am using a Solaris 8 as OS, and using the ipnat (ipf) to NAT an incoming port to another, as following:
Host SUN with Solaris 8/NAT WEB Page
(A.B.C.D:80) ---> |A.B.C.D:80 ->... (0 Replies)
Discussion started by: mf_lattanzi
0 Replies
4. Shell Programming and Scripting
I have a file which contains records in the format of
2006-08-25 12:06:13|ABC|93
2006-08-25 12:45:55|ABC|203
2006-08-25 01:48:19|DEF|156
2006-08-25 01:49:09|ABC|12798
2006-08-25 02:49:59|GHL|4109
2006-08-25 03:50:50|DEF|234
where the format is "arrive time"|"message type"|"processing... (3 Replies)
Discussion started by: mpang_
3 Replies
5. Solaris
Hi.
I'm trying to capture traffic with the snoop command using the net expression but I fail when a I've to specify a subnet
ex: 10.201.64/18
Did you know the correct syntax?
I've tried with
snoop -ta -x0 net 10.201.64.0 255.255.192.0
but doesn't match.
Thnx (4 Replies)
Discussion started by: kurtolo
4 Replies
6. Shell Programming and Scripting
Hi,
I want to write a script that checks an interface with the snoop command, if there is no traffic in 10 minutes on port 123 from the ip add 10.*.*.* it should send a e-mail.but i don't know how to start writing this script does anybody have an idea or an sample script that i can modifi.
... (2 Replies)
Discussion started by: tafil
2 Replies
7. UNIX for Advanced & Expert Users
Hi,
Can anyone please tell me a ftp site where I can download the solaris snoop package? I need to download the package so I can use the command in a Linux environment instead of using tcpdump. Need practice with snoop.
Thanks for your help. (3 Replies)
Discussion started by: Pouchie1
3 Replies
8. Cybersecurity
A series on The H about analyzing potentially malicious code flying around on the net. Pretty well written, and a nice read for those interested in how exploits work:
CSI:Internet - Alarm at the pizza service
CSI:Internet - The image of death
CSI:Internet - PDF timebomb
CSI:Internet -... (0 Replies)
Discussion started by: pludi
0 Replies
9. UNIX for Dummies Questions & Answers
What command should I use to analyze file hashing of fixed flat files.
How much work does it take for multiple flat files. (3 Replies)
Discussion started by: jbjoat
3 Replies
10. Solaris
Hi,
Is there any tool is available for analyzing Oracle X86 snapshot output.
Thanks in advance. (1 Reply)
Discussion started by: sunnybee
1 Replies
LEARN ABOUT FREEBSD
ipresend
IPRESEND(1) General Commands Manual IPRESEND(1)
NAME
ipresend - resend IP packets out to network
SYNOPSIS
ipresend [ -EHPRSTX ] [ -d <device> ] [ -g <gateway> ] [ -m <MTU> ] [ -r <filename> ]
DESCRIPTION
ipresend was designed to allow packets to be resent, once captured, back out onto the network for use in testing. ipresend supports a num-
ber of different file formats as input, including saved snoop/tcpdump binary data.
OPTIONS
-d <interface>
Set the interface name to be the name supplied. This is useful with the -P, -S, -T and -E options, where it is not otherwise possi-
ble to associate a packet with an interface. Normal "text packets" can override this setting.
-g <gateway>
Specify the hostname of the gateway through which to route packets. This is required whenever the destination host isn't directly
attached to the same network as the host from which you're sending.
-m <MTU>
Specify the MTU to be used when sending out packets. This option allows you to set a fake MTU, allowing the simulation of network
interfaces with small MTU's without setting them so.
-r <filename>
Specify the filename from which to take input. Default is stdin.
-E The input file is to be text output from etherfind. The text formats which are currently supported are those which result from the
following etherfind option combinations:
etherfind -n
etherfind -n -t
-H The input file is to be hex digits, representing the binary makeup of the packet. No length correction is made, if an incorrect
length is put in the IP header.
-P The input file specified by -i is a binary file produced using libpcap (i.e., tcpdump version 3). Packets are read from this file
as being input (for rule purposes).
-R When sending packets out, send them out "raw" (the way they came in). The only real significance here is that it will expect the
link layer (i.e. ethernet) headers to be prepended to the IP packet being output.
-S The input file is to be in "snoop" format (see RFC 1761). Packets are read from this file and used as input from any interface.
This is perhaps the most useful input type, currently.
-T The input file is to be text output from tcpdump. The text formats which are currently supported are those which result from the
following tcpdump option combinations:
tcpdump -n
tcpdump -nq
tcpdump -nqt
tcpdump -nqtt
tcpdump -nqte
-X The input file is composed of text descriptions of IP packets.
SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
DIAGNOSTICS
Needs to be run as root.
BUGS
Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing.
If you find any, please send email to me at darrenr@pobox.com
IPRESEND(1)