Date: Wed, 11 Dec 1996 01:14:52 -0800
From: obrien@NUXI.com (David E. O'Brien)
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Cc: security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
Message-ID: <Mutt.19961211011452.obrien@relay.nuxi.com>
In-Reply-To: <199612110634.RAA22676@genesis.atrad.adelaide.edu.au>; from Michael Smith on Dec 11, 1996 17:04:36 +1030
References: <199612110627.XAA00240@obie.softweyr.com> <199612110634.RAA22676@genesis.atrad.adelaide.edu.au>
[-- Attachment #1 --]
Except for Solaris's snoop. The output is *SO* much nicer than tcpdump's.
If you ever get a chance, try snoop -v or snoop -V.
--
-- David (obrien@cs.ucdavis.edu)
[-- Attachment #2 --]
Script started on Wed Dec 11 00:39:32 1996
bash# snoop -V
Using device /dev/le (promiscuous mode)
________________________________
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu IP D=128.120.56.192 S=128.120.56.61 LEN=40, ID=51149
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu TCP D=39134 S=6000 Ack=2798708427 Seq=31948436 Len=0 Win=16384
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu XWIN R port=39134
________________________________
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu IP D=128.120.56.192 S=128.120.56.38 LEN=40, ID=16356
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu TCP D=513 S=1023 Ack=1393951994 Seq=1295258267 Len=0 Win=17520
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu RLOGIN C port=1023
________________________________
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu IP D=128.120.56.38 S=128.120.253.120 LEN=40, ID=1096
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TCP D=23 S=63512 Ack=1260057294 Seq=2501769323 Len=0 Win=1671
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TELNET C port=63512
________________________________
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu ETHER Type=0800 (IP), size = 138 bytes
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu IP D=128.120.56.73 S=128.120.56.3 LEN=124, ID=16397
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu UDP D=1022 S=2049 LEN=104
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu RPC R (#9) XID=2205151569 Success
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu NFS R GETATTR2 OK
________________________________
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu ETHER Type=0800 (IP), size = 98 bytes
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu IP D=128.120.56.217 S=128.120.56.3 LEN=84, ID=14040
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu UDP D=111 S=743 LEN=64
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu RPC C XID=849579017 PROG=100000 (PMAP) VERS=2 PROC=3
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu PORTMAP C GETPORT prog=100024 (STATMON2) vers=1 proto=TCP
________________________________
? -> (multicast) ETHER Type=002D (LLC/802.3), size = 68 bytes
________________________________
bash#
bash# exit
script done on Wed Dec 11 00:40:17 1996
[-- Attachment #3 --]
Script started on Wed Dec 11 00:38:23 1996
bash# snoop -v
Using device /dev/le (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 0:38:26.67
ETHER: Packet size = 60 bytes
ETHER: Destination = 8:0:20:7b:25:a3, Sun
ETHER: Source = 0:0:c0:0:82:8, Western Digital
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x10
IP: xxx. .... = 0 (precedence)
IP: ...1 .... = low delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 15960
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 8a91
IP: Source address = 128.120.56.38, nuxi.cs.ucdavis.edu
IP: Destination address = 128.120.56.192, kongur.cs.ucdavis.edu
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 1023
TCP: Destination port = 513 (RLOGIN)
TCP: Sequence number = 1295258215
TCP: Acknowledgement number = 1393851764
TCP: Data offset = 20 bytes
TCP: Flags = 0x10
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 17520
TCP: Checksum = 0xc369
TCP: Urgent pointer = 0
TCP: No options
TCP:
RLOGIN: ----- RLOGIN: -----
RLOGIN:
RLOGIN: ""
RLOGIN:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 0:38:26.84
ETHER: Packet size = 60 bytes
ETHER: Destination = 0:0:c0:0:82:8, Western Digital
ETHER: Source = 0:0:c:4:8e:3a, Cisco
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 840
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 252 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 84f8
IP: Source address = 128.120.253.120, request-e.ucdavis.edu
IP: Destination address = 128.120.56.38, nuxi.cs.ucdavis.edu
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 63512
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 2501769266
TCP: Acknowledgement number = 1259957050
TCP: Data offset = 20 bytes
TCP: Flags = 0x10
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 1950
TCP: Checksum = 0x35d3
TCP: Urgent pointer = 0
TCP: No options
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 7 arrived at 0:38:27.26
ETHER: Packet size = 60 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:0:c:4:8e:3a, Cisco
ETHER: Ethertype = 0806 (ARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 1 (ARP Request)
ARP: Sender's hardware address = 0:0:c:4:8e:3a
ARP: Sender's protocol address = 128.120.66.254, 128.120.66.254
ARP: Target hardware address = ?
ARP: Target protocol address = 128.120.56.119, rags.cs.ucdavis.edu
ARP:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 8 arrived at 0:38:27.32
ETHER: Packet size = 154 bytes
ETHER: Destination = 8:0:20:9:23:fb, Sun
ETHER: Source = 8:0:20:7b:25:a3, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 140 bytes
IP: Identification = 36159
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 7bb4
IP: Source address = 128.120.56.192, kongur.cs.ucdavis.edu
IP: Destination address = 128.120.56.188, toadflax.cs.ucdavis.edu
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 1022
UDP: Destination port = 2049 (Sun RPC)
UDP: Length = 120
UDP: Checksum = 22F3
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 1228459687
RPC: Type = 0 (Call)
RPC: RPC version = 2
RPC: Program = 100003 (NFS), version = 2, procedure = 1
RPC: Credentials: Flavor = 1 (Unix), len = 40 bytes
RPC: Time = 11-Dec-96 08:38:26
RPC: Hostname = kongur
RPC: Uid = 1765, Gid = 10
RPC: Groups = 10 1 14
RPC: Verifier : Flavor = 0 (None), len = 0 bytes
RPC:
NFS: ----- Sun NFS -----
NFS:
NFS: Proc = 1 (Get file attributes)
NFS: File handle = 0000030000000001000A000000000002
NFS: 6B24F4BF000A0000000000026B24F4BF
NFS:
^C
bash# exit
script done on Wed Dec 11 00:39:22 1996
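The snoop -v dissection of "Packet 1" above prints every header field, including both checksums, and those values can be checked rather than taken on trust. The following is an added example, not code from the original message or from snoop itself: it rebuilds that frame byte for byte from the printed field values (the six bytes of Ethernet padding, which snoop does not print, are assumed to be zero), dissects it the way snoop -v does, and recomputes the IP header checksum and the TCP checksum over the pseudo-header. Both come out as 8a91 and c369, exactly as snoop reported, which confirms the printout is self-consistent. The function and variable names are the example's own.

```python
import struct

# Constructed input: the Ethernet frame rebuilt from the field values snoop -v
# printed for "Packet 1" in the capture above (nuxi -> kongur, rlogin ACK).
# snoop does not print the Ethernet padding, so those 6 bytes are assumed zero.
def build_packet1():
    eth = (bytes.fromhex("0800207b25a3")        # dst 8:0:20:7b:25:a3 (Sun, kongur)
           + bytes.fromhex("0000c0008208")      # src 0:0:c0:0:82:8 (Western Digital, nuxi)
           + b"\x08\x00")                       # Ethertype 0800 (IP)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0x10,                # IPv4, IHL 5 words; TOS 0x10 (low delay)
                     40, 15960, 0x4000,         # total length, identification, DF set
                     64, 6, 0x8a91,             # TTL, protocol TCP, checksum as printed
                     bytes([128, 120, 56, 38]), bytes([128, 120, 56, 192]))
    tcp = struct.pack("!HHIIBBHHH",
                      1023, 513,                # rlogin client port -> 513 (RLOGIN)
                      1295258215, 1393851764,   # sequence, acknowledgement
                      0x50, 0x10,               # data offset 20 bytes, flags 0x10 (ACK)
                      17520, 0xc369, 0)         # window, checksum as printed, urgent ptr
    frame = eth + ip + tcp
    return frame + b"\x00" * (60 - len(frame))  # pad to the 60-byte size snoop reported

def inet_checksum(data):
    """RFC 1071 one's-complement sum. Over data that already carries a correct
    checksum field the result is 0; over data with that field zeroed it is the
    value the field should hold."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def flag_names(flags):
    return [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)]

def mac(b):
    return ":".join("%02x" % x for x in b)

def decode(frame):
    """Dissect Ethernet/IPv4/TCP as snoop -v does and verify both checksums."""
    etype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": mac(frame[:6]), "eth_src": mac(frame[6:12]), "ethertype": etype}
    if etype != 0x0800:
        return out
    ip = frame[14:]
    (ver_ihl, tos, tot_len, ident, flags_frag, ttl, proto,
     hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0f) * 4
    out.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)),
               ip_ttl=ttl, ip_proto=proto, ip_id=ident, ip_len=tot_len,
               ip_df=bool(flags_frag & 0x4000), ip_hcsum=hcsum,
               ip_hcsum_ok=inet_checksum(ip[:ihl]) == 0)
    if proto != 6:
        return out
    seg = ip[ihl:tot_len]   # stop at the IP total length: link-layer padding is not covered
    sport, dport, seq, ack, doff, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))   # TCP pseudo-header
    out.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
               tcp_flags=flag_names(flags), tcp_win=win, tcp_csum=csum,
               tcp_csum_ok=inet_checksum(pseudo + seg) == 0,
               tcp_payload=seg[(doff >> 4) * 4:])
    return out

if __name__ == "__main__":
    for k, v in decode(build_packet1()).items():
        print("%-12s %s" % (k, "0x%04x" % v if k.endswith("csum") else v))
```

The one detail worth noticing is the slice `ip[ihl:tot_len]`: the frame is 60 bytes but the datagram is 40, and if the padding were fed into the TCP checksum the verification would fail even though the packet is intact.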
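The snoop -V summary in the second attachment is also the form a sniffer's operator would triage: each packet is a block of one line per decoded layer, terminated by a line of underscores, and the last line names the application protocol. The following is an added example, not code from the original message: it parses that summary format and flags the conversations a sniffer in promiscuous mode can harvest credentials from, the rlogin and telnet sessions (whose logins cross the wire in the clear) and the NFS/portmap traffic (whose AUTH_UNIX credentials, as the -v capture shows with Uid = 1765, are uid/gid values asserted by the client and never verified). The sample input is a few packet summaries copied from the capture above; the protocol sets and function names are the example's own.

```python
import re

# Sample input: packet summaries copied from the snoop -V capture above.
SNOOP_V_SAMPLE = """\
Using device /dev/le (promiscuous mode)
________________________________
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu IP D=128.120.56.192 S=128.120.56.38 LEN=40, ID=16356
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu TCP D=513 S=1023 Ack=1393951994 Seq=1295258267 Len=0 Win=17520
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu RLOGIN C port=1023
________________________________
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu IP D=128.120.56.38 S=128.120.253.120 LEN=40, ID=1096
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TCP D=23 S=63512 Ack=1260057294 Seq=2501769323 Len=0 Win=1671
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TELNET C port=63512
________________________________
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu ETHER Type=0800 (IP), size = 138 bytes
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu IP D=128.120.56.73 S=128.120.56.3 LEN=124, ID=16397
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu UDP D=1022 S=2049 LEN=104
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu RPC R (#9) XID=2205151569 Success
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu NFS R GETATTR2 OK
________________________________
? -> (multicast) ETHER Type=002D (LLC/802.3), size = 68 bytes
________________________________
"""

# "<src> -> <dst> <LAYER> <rest of line>"; the "Using device" banner does not match.
LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+)\s*(?P<rest>.*)$")
PORT_RE = re.compile(r"D=(\d+) S=(\d+)")

# Protocols whose logins cross the wire in the clear (example's own lists).
CLEARTEXT_LOGIN = {"RLOGIN", "TELNET", "RSH", "FTP"}
# Sun RPC services normally run with AUTH_UNIX: uid/gid are client assertions.
RPC_AUTH_UNIX = {"NFS", "PORTMAP", "MOUNT", "RPC"}

def _packet(layers):
    pkt = {"src": layers[0]["src"], "dst": layers[0]["dst"],
           "layers": [l["proto"] for l in layers], "app": layers[-1]["proto"],
           "transport": None, "sport": None, "dport": None}
    for l in layers:
        if l["proto"] in ("TCP", "UDP"):
            m = PORT_RE.search(l["rest"])
            pkt["transport"] = l["proto"]
            pkt["dport"], pkt["sport"] = int(m.group(1)), int(m.group(2))
    return pkt

def parse_snoop_summary(text):
    """Split snoop -V output into one record per packet (underscore-delimited blocks)."""
    packets, current = [], []
    for line in text.splitlines():
        if line.startswith("____"):
            if current:
                packets.append(_packet(current))
                current = []
            continue
        m = LINE_RE.match(line)
        if m:
            current.append(m.groupdict())
    if current:
        packets.append(_packet(current))
    return packets

def triage(packets):
    """Return (app, src, dst, reason) for every packet worth an incident responder's attention."""
    findings = []
    for p in packets:
        if p["app"] in CLEARTEXT_LOGIN:
            findings.append((p["app"], p["src"], p["dst"],
                             "cleartext login protocol: password and session keystrokes are sniffable"))
        elif p["app"] in RPC_AUTH_UNIX:
            findings.append((p["app"], p["src"], p["dst"],
                             "Sun RPC: AUTH_UNIX uid/gid are unauthenticated client assertions"))
    return findings

def exposed_hosts(packets):
    """Hosts that took part in at least one cleartext login session."""
    hosts = set()
    for p in packets:
        if p["app"] in CLEARTEXT_LOGIN:
            hosts.update((p["src"], p["dst"]))
    return sorted(hosts)

if __name__ == "__main__":
    pkts = parse_snoop_summary(SNOOP_V_SAMPLE)
    for f in triage(pkts):
        print("%-8s %s -> %s: %s" % f)
    print("hosts exposed to credential sniffing:", ", ".join(exposed_hosts(pkts)))
```

On a real capture the per-host list is the useful output: it is the set of accounts whose passwords must be changed once a sniffer has been found on the segment, which is the question the thread's subject line is asking.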
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Mutt.19961211011452.obrien>
