SNOOP: The Executable

ABSTRACT

Computer networks are becoming more and more a necessity as demands for world-wide transmission of data increase. Exploiting the use of network interfaces supported by packet drivers allows data to be transmitted from one side of the world to the other almost instantaneously. By placing data inside a wrapping of source and destination addresses, type specifications, and other delimiters, packets are formed. It is this encapsulation of data into packets that allows such fast, reliable transmission to occur.

Due to this increase in network load, network and system administrators must optimize their networks to possibly reduce traffic on particular routes. Network administrators may also be interested in the type of traffic (TCP packets as opposed to UDP or ICMP packets or Telnet as opposed to FTP) traveling over a particular network segment. To assist an administrator, a software package capable of recognizing and stripping away these layer encapsulating datagrams is often used. Based around a packet driver, these "packet sniffers", as they are often called, can be highly configurable in terms of filtering information, timestamping, and more. It is the focus of this MS-DOS executable, SNOOP.EXE, to assist the administrator in discovering information about the types of data sent via their networks.

TABLE OF CONTENTS

1. ABSTRACT
2. TABLE OF CONTENTS
3. USING SNOOP.EXE
   • INTRODUCTION
   • COMMAND LINE OPTIONS
   • COMMAND SCRIPTS
4. UNDERSTANDING THE OUTPUT
5. BACKGROUND
   • ETHERNET HEADER
   • IP HEADER
   • TCP HEADER
6. REFERENCES
7. NOTES
8. THE CODE

USING SNOOP.EXE

The following contains information regarding the use of SNOOP.EXE.

INTRODUCTION

Executing SNOOP.EXE begins by verifying that you have a packet driver properly installed on your IBM compatible personal computer. Next, either execute this program on the floppy by typing:
a:SNOOP.EXE

if your floppy drive is drive a (or b: if it is drive b). Or, you may copy SNOOP.EXE to your harddrive (generally drive c):

copy a:snoop.exe c:

There is no copy protection scheme with this program, and it may be copied and freely distributed as you wish. Change directories to the location where you have copied the executable file. At the command prompt, simply type:

SNOOP

If there is any network traffic, decoded packets will scroll by on the screen. The program ends when the escape key is pressed.

There are many command line arguments and options that can also be used. Type:

SNOOP -h

and the entire list of options will appear; or, you can read the next section of this user's guide for a more in-depth explanation of these arguments.

COMMAND LINE OPTIONS

In general, SNOOP's command line format is as follows:
SNOOP {option(s)} {filename(s)}

As of this release, only filtering on the ethernet address or type, the IP address or type, and the TCP type is allowed. All options begin with either a "-" or a "/" character. Valid options are:

-c (Telnet character output mode)

-eb={ethernet both (source(alias),destination(alias))}
-ed={ethernet destination address(alias)}
-ee={ethernet either address(alias)}
-eh={ethernet host table entry(alias)}
-es={ethernet source address(alias)}
-et={ethernet type}

-h (help)
-? (help)

-ib={IP both (source(alias),destination(alias))}
-id={IP destination address(alias)}
-ie={IP either address(alias)}
-ih={IP host table entry(alias)}
-is={IP source address(alias)}
-it={IP type}

-l={log file}

-tt={TCP type}

-v (verbose script output)

TELNET ASCII CHARACTERS
The "-c" option looks at the ASCII character in position 20 of the TCP datagram. Unfortunately, not all ASCII characters are supported with this option. In particular, only digits and letters are displayed. This option should be used in conjunction with the "-tt=TELNET" option in order to filter out all inappropriate packets. This may be extended in the future to also support characters in FTP or other TCP packets.

ETHERNET FILTERING
The ethernet options all begin with "-e". The ethernet addresses must be 6 hexadecimal digits (00-FF, case insensitive), separated by colons, ":". Ethernet types are case insensitive words. Currently supported for filtering are IP, ARP, and RARP.

The "-eb" option specifies both the source and destination ethernet addresses (plus corresponding aliases), comma separated, and filters all packets except those with matching addresses. Example:

-eb=00:00:0f:0a:80:cc(alias1),00:00:0e:90:ac:ff(alias2)

This will filter all packets except those originating from 00:00:0f:0a:80:cc and destined for 00:00:0e:90:ac:ff. It will also replace the ethernet addresses with their corresponding alias in the output.

The "-ed" option specifies the destination address (plus alias). Example:

-ed=00:00:0e:90:ac:ff(alias2)

All packets will be filtered except those destined for 00:00:0e:90:ac:ff and the ethernet address will be replaced with alias2 in the output.

The "-ee" option specifies an ethernet address (plus alias) and includes it as either the source or the destination address. Example:

-ee=00:00:0f:0a:80:cc(alias1)

All packets will be filtered out except those originating from or destined to the address 00:00:0f:0a:80:cc, and the ethernet address will be replaced by alias1 in the output.

The "-eh" option specifies an ethernet address and alias. It replaces any occurrence of the address with the alias in the output. This has no effect on filtering. Example:

-eh=00:00:0f:0a:80:cc(alias1)

The output will display alias1 where the address would appear in the output.

The "-es" option specifies a source address (plus alias) to include. Example:

-es=00:00:0f:0a:80:cc(alias1)

All packets will be filtered out except those originating from the address 00:00:0f:0a:80:cc, and again, alias1 will replace the ethernet address.

The "-et" option specifies the type of packet determined at the ethernet level. The type is logically "AND"ed with any addresses also specified. If the type is the only command line argument, it will filter out every packet except those containing the correct type. Example:

-et=IP

All packets will be filtered out except those with ethernet type equal to IP.

HELP

The "-h" option (also denoted by "-?") is the help command. It displays all these options in an on-line quick reference.

INTERNET PROTOCOL
The IP options are similar to the ethernet options and can also select filtering on address or type. All IP options begin with "-i". The addresses must be 4 decimal values (0-255) separated by periods, ".". In addition, IP addresses can have wildcards in them, "*". The wildcards are good only for individual classes, A, B, C, or D, and must be the only symbol replacing a decimal value. A class A filter is based on the first decimal value in the address. For instance, 128.* finds 128.123.34.5 and 128.154.45.2. A class B filter is specified by two decimal values; 128.123.*.* finds 128.123.34.5 and 128.123.3.58. Class C filters using three decimal values to specify network: 128.123.34.* finds 128.123.34.5 and 128.123.34.3. Class D is an individual machine and consequently has no wildcard with it. Execution of the program with no IP filtering is equivalent to putting a wildcard for all four values (-is=*), and therefore, -is=* is not supported. If you have chosen class A filtering, "128.*", this can also be written as 128.*.*.* or 128.*.*. However, note that filtering on 128.*.34.5 yields the same result as filtering on 128.*. Because asterisks must be between dot boundaries, 128.12*.*.* will result in an error.

As with ethernet filtering output, aliases are supported, but only with fully specified machines (class D). In other words, using wildcards with aliases for a single address is not allowed.

IP types are case-insensitive words. Currently supported are ICMP, UDP, TCP, and MUX.

The "-ib" option specifies both the source and destination IP addresses (plus corresponding alias if no wildcards), comma separated, and filters out all packets except those with matching source and destination addresses. Example:

-ib=128.123.34.5(alias3),165.123.114.7(alias4)

This will filter all packets except those originating from 128.123.34.5 and destined for 165.123.114.7. It will also replace their IP address with the corresponding alias in the output. Example 2:

-ib=128.123.*.*,165.*

This will filter out all packets except those originating from the class B network 128.123.0.0 and those packets destined for the class A network 165.0.0.0.

The "-id" option specifies the destination IP addresses (plus corresponding alias if no wildcards) and filters all packets except those with matching addresses. Example:

-id=165.123.114.7(alias4)

This will filter out all packets except those destined for 165.123.114.7 and replace them with alias4 in the output.

The "-ie" option specifies either the source or destination IP addresses (plus corresponding alias if no wildcards) and filters all packets except those with matching addresses. Example:

-ie=128.123.34.5(alias3)

This will accept all packets originating from or destined for 128.123.34.5 and replace them with alias3 in the output.

The "-ih" option takes in an IP address plus corresponding alias (no wildcards allowed) and replaces all addresses in the output with the corresponding alias. This is commonly used in conjunction with wildcard specified addresses to result in more easily readable output. Example:

-ih=165.123.114.7(alias4)

This will replace all 165.123.114.7 addresses with alias4 in the output.

The "-is" option specifies a source IP address (plus corresponding alias if no wildcards) as the input. Example:

-is=128.123.34.5(alias3)

This will filter out all packets except those coming from the address 128.123.34.5 and will replace the address with alias3 in the output.

The "-it" option specifies the IP type as the input. Like the ethernet type, if the IP type is the only command line option, it will filter out all packets except those containing the correct type. If it is specified with an address, then the type will be logically "AND"ed with the addresses. Example:

-it=TCP

This will filter out all packets except those containing the type TCP. Example 2:

-it=TCP -is=128.123.34.5

This will filter out all packets except those containing both 128.123.34.5 in the source address and TCP as the type.

LOG FILES

In addition to viewing the packets on the screen, the packets may instead be saved to a file. Using the "-l" option will save all the output to the filename specified. Example:

-l=output.log

The file, output.log, will contain all the output obtained.

TCP
One of the layers below IP is TCP. The "-tt" option specifies the particular type contained within the TCP field. This type may either be a case insensitive name, such as Telnet or FTP, or it can be the port number, such as 23 for Telnet or 25 for mail. Example:
-tt=Telnet
-tt=23

This will find all Telnet packets that go by. The following types are supported by this option: ECHO, NETSTAT, CHARGEN, FTP_DATA, FTP, SSH, TELNET, SMTP, TIME, NAMESERVER, WHOIS ,BOOTPS, BOOTPC, GOPHER, FINGER, WWW, KERBEROS, RTELNET, POP_2, POP_3, SUNRPC, NNTP, NTP, NETBIOS_NS, NETBIOS_DGM, NETBIOS_SSN, XDMCP, NEXTSTEP, IRC, IPX, EXEC, LOGIN, SHELL, PRINTER, UUCP, KLOGIN, LSHELL, KERBEROS_ADM, KERBEROS4, KERBEROS_MASTER, KRB_PROP, KRBUPDATE, KPASSWD, KPOP, KNETD, EKLOGIN, CFINGER.

VERBOSE

Verbose mode echoes all commands and comments in script files. The "-v" option must come before the script file. Example:

SNOOP -v script.opt

This file, script.opt, will have all its comments and commands echoed to the screen (or log file if the -l option is also implemented). Note: this only works for script files. If a -v is put inside a script file, it will only echo the commands from any script file(s) contained within. It will not display command line arguments nor commands within the script file from which it is being called.

COMMAND SCRIPTS

As shown above, SNOOP.EXE can be executed in the following manner:
SNOOP {option(s)} {filename(s)}

The filename(s) are script files that can contain all the option(s). The script files can be called from the command line with or without other commands; or, they can be called from within other script files. If the file is listed without an extension, ".opt" will be added. If an extension is included, it be used instead.

Inside a script file, every line, including the first and the last, can be used for commands. There is no special header of footer required. However, two important points to note are:

1. only one command can be placed per line; and,
2. there can be no blank lines in the file.

These commands appear exactly like the options already discussed above.

The script file also contains two different kinds of comments. The number sign, "#", denotes verbose comments while the semi-colon, ";", signifies mute comments. The verbose comments are echoed to the screen as well as, if specified, the log file; however, they must appear on their own line in the file. The silent comments are only echoed with use of the "-v" option.

An example script file, called script.opt is:

	# script.opt: Filters out all but verdi.nmsu.edu
	; just look for telnet packets going to verdi.nmsu.edu
	-id=128.123.34.5			; tells IP destination
	-et=IP					; Telnet is of type IP
	-it=TCP					; Telnet is of type TCP
	-tt=TELNET				; Type Telnet
	-v
	host					; opens host.opt

In addition to this file, the host.opt must also be created:

	# host.opt: contains labels for IP addresses
	-ih=128.123.34.5(verdi.nmsu.edu)	; sets label for verdi
	-ih=128.123.34.3(dante.nmsu.edu)	; Sets label for dante
	-ih=128.123.3.58(www.polylith.com)		; Sets label for acca

To make use of this command script, simply type:
snoop script

The script.opt file will be executed, which will, in turn, call the host.opt file.

UNDERSTANDING THE OUTPUT

Output from SNOOP.EXE tends to appear in the following format. Below is a log file taken during ICMP (ping) traffic as well as a Telnet session between two machines.

First is a description of the packet driver installed in the machine in use, including name, functionality (extended is required in order for snoop to function properly), and interrupt vector. Following this section are the important sections of the received and unfiltered headers. This makes up the majority of the output, which continues until the escape key is depressed.

Execution initiated 08:10:13.80 on 12/13/1996.

Packet driver:	         Name -  3c509
		Functionality -  basic extended 
		      Version -  10		 Class -  1
		       Number -  0		  Type -  94
		    Interrupt -  0x60

Receiving packets...
At 08:10:14.35 on 12/13/1996 packet received:
  Ether: len   98  src 00:00:0F:00:E4:CC  dst 00:00:6E:31:E8:4B  type IP
  IP:    len   84  src  10.  0.  0.  4    dst  10. 12. 34.  3    type ICMP

At 08:10:14.35 on 12/13/1996 packet received:
  Ether: len   98  src 00:00:6E:31:E8:4B  dst 00:00:0F:00:E4:CC  type IP
  IP:    len   84  src  10. 12. 34.  3    dst  10.  0.  0.  4    type ICMP

At 08:10:16.44 on 12/13/1996 packet received:
  Ether: len   98  src 00:00:6E:31:E8:4B  dst 00:00:0F:00:E4:CC  type IP
  IP:    len   84  src  10. 12. 34.  3    dst  10.  0.  0.  4    type ICMP

At 08:10:16.83 on 12/13/1996 packet received:
  Ether: len   60  src 00:00:0F:00:E4:CC  dst 00:00:6E:31:E8:4B  type IP
  IP:    len   42  src  10.  0.  0.  4    dst  10. 12. 34.  3    type TCP
  TCP:             src 2598               dst TELNET           

At 08:10:16.88 on 12/13/1996 packet received:
  Ether: len   60  src 00:00:6E:31:E8:4B  dst 00:00:0F:00:E4:CC  type IP
  IP:    len   44  src  10. 12. 34.  3    dst  10.  0.  0.  4    type TCP
  TCP:             src TELNET             dst 2598             

At 08:10:17.43 on 12/13/1996 packet received:
  Ether: len   98  src 00:00:0F:00:E4:CC  dst 00:00:6E:31:E8:4B  type IP
  IP:    len   84  src  10.  0.  0.  4    dst  10. 12. 34.  3    type ICMP

At 08:10:17.48 on 12/13/1996 packet received:
  Ether: len   98  src 00:00:6E:31:E8:4B  dst 00:00:0F:00:E4:CC  type IP
  IP:    len   84  src  10. 12. 34.  3    dst  10.  0.  0.  4    type ICMP

Releasing receiver handle (578).

Packet statistics:  Reported -           7                 Lost -           0
        Discarded (filtered) -           0     Received (total) -           7

Note that each layer capable of decoding (ethernet, then, if possible, IP, and again, if possible, TCP) appears in the output. Since Telnet is supported, all three layers mentioned appear along with the appropriate type and source and destination ports, whereas the ICMP (ping) packets are not fully expanded upon.

After the escape key is pressed, packet statistics appear. The number of reported packets along with the number of discarded, lost, and total (received and lost) packets are displayed. Packets may be lost during long periods of activity during which SNOOP cannot keep up with. Discarded packets are those that are not displayed because they are not of the filter specification. This two line statistic panel is updated in real-time during logging to a file to allow the user to observe the bursts of traffic (and amount of logging) taking place.

BACKGROUND

The TCP/IP computer networking standard is implemented on a "stack" through which data may travel up or down. For instance, at the top of the stack may be an application, such as Telnet. When a user types data at the keyboard during a telnet session, Telnet takes this data, puts it in an instruction or command form "datagram" and passes it on to the network stack layer below it. In the case of Telnet, TCP (Transmission Control Protocol) is most commonly the "transport" layer, responsible for ensuring delivery and getting the datagrams (keystrokes) that the user types to their destination in the right order. TCP then hands off the new datagram, now prefixed by a header containing various pieces of information, to the "network" layer, usually IP (Internet Protocol - hence, the TCP/IP standard). IP prefixes this TCP datagram with addressing and other information. Of importance are source and destination IP addresses. IP hands off this even larger datagram to the data link/physical layer of the stack, commonly implemented by an ethernet card and ethernet cable. An ethernet header is added, and the new datagram is sent serially over the ethernet. In the case of 10-base2 (thin RG series coax), this is a bus protocol which can be shared by multiple computers.

If another machine notices that its ethernet address appears in the very first part of the datagram, it temporarily stores the entire datagram, then strips off the header placed at the beginning of the datagram by the source computer. It then sends the datagram back up the protocol stack, each stack layer stripping off its respective header placed there by the source. Finally, the datagram reaches the application layer (in this case, Telnet), which does as it pleases with the incoming data.

The entire premise for this project is to demonstrate and utilize the reverse-encoding (or decoding) done by a protocol stack while placing the ethernet card (the data link/physical layer) in a "permiscuous" mode, in which it accepts all passerby packets and allows that they be decoded. Because 10-base2 is a 10Mbit standard, during full saturation of the network, packets will likely be lost, even with the fastest of computers, simply due to the amount of time required to display, filter, or otherwise massage the incoming data.

The packet standard utilized in this project comes directly from Internet RFCs (Request For Comment) papers. The header information from each of the major layers (ethernet, IP, TCP) are shown below and can be found in the appropriate include file (ether.h, ip.h, tcp.h) within the project source.

ETHERNET HEADER

The header for an ethernet packet is as follows:

IP HEADER
The header for an IP packet is as follows:

This layer, like the ethernet layer, also has a source and destination address, a checksum, a length, and the data contained within.

TCP HEADER
The header for a TCP packet is as follows:

The port numbers are based on standard internet services and may be decoded accordingly.

REFERENCES

1. PC/TCP Packet Driver Specifications, Revision 1.09, FTP Software, Inc. September 14, 1989.

NOTES

• Although the assembly code specifications were all derived from [1], updates have been made to network cards since 1989. There might be better ways to gain access to the cards. Trying searching through FTP Software's Search Engine for update/enhancement documents.

• Packet Drivers may be downloaded from: ftp://oak.oakland.edu/pub/simtelnet/msdos/pktdrvr/

• This code was built/compiled using Borland Turbo Assembler version 2.0 and Borland C version 2.0.

THE CODE

• The executable: snoop.exe

• The source code:
  • snoop.zip
  • snoop.tar.gz