From owner-freebsd-security Wed Dec 11 01:14:42 1996
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA28220 for security-outgoing; Wed, 11 Dec 1996 01:14:42 -0800 (PST)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA28215 for ; Wed, 11 Dec 1996 01:14:38 -0800 (PST)
Received: (from obrien@localhost) by relay.nuxi.com (8.7.5/8.6.12) id BAA07878; Wed, 11 Dec 1996 01:14:53 -0800 (PST)
Message-ID: 
Date: Wed, 11 Dec 1996 01:14:52 -0800
From: obrien@NUXI.com (David E. O'Brien)
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Cc: security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
References: <199612110627.XAA00240@obie.softweyr.com> <199612110634.RAA22676@genesis.atrad.adelaide.edu.au>
X-Mailer: Mutt 0.53
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=m0nHx4uhPaACIWKo
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
In-Reply-To: <199612110634.RAA22676@genesis.atrad.adelaide.edu.au>; from Michael Smith on Dec 11, 1996 17:04:36 +1030
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

--m0nHx4uhPaACIWKo

> Tcpdump does all this and lots more; the filter language is pretty powerful.
>
> The fact that it knows how to interpret lots of protocols and that you
> can extend it (courtesy of the source and an easy internal interface)
> puts it over anything else I've seen yet.

Except for Solaris's snoop.  The output is *SO* much nicer than tcpdump's.
If you ever get a chance try snoop -v or snoop -V.
-- 
-- David  (obrien@cs.ucdavis.edu)

--m0nHx4uhPaACIWKo
Content-Description: snoop -V
Content-Disposition: attachment; filename=V

Script started on Wed Dec 11 00:39:32 1996
bash# snoop -V
Using device /dev/le (promiscuous mode)
________________________________
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu IP D=128.120.56.192 S=128.120.56.61 LEN=40, ID=51149
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu TCP D=39134 S=6000 Ack=2798708427 Seq=31948436 Len=0 Win=16384
aphrodite.cs.ucdavis.edu -> kongur.cs.ucdavis.edu XWIN R port=39134
________________________________
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu IP D=128.120.56.192 S=128.120.56.38 LEN=40, ID=16356
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu TCP D=513 S=1023 Ack=1393951994 Seq=1295258267 Len=0 Win=17520
nuxi.cs.ucdavis.edu -> kongur.cs.ucdavis.edu RLOGIN C port=1023
________________________________
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu ETHER Type=0800 (IP), size = 60 bytes
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu IP D=128.120.56.38 S=128.120.253.120 LEN=40, ID=1096
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TCP D=23 S=63512 Ack=1260057294 Seq=2501769323 Len=0 Win=1671
request-e.ucdavis.edu -> nuxi.cs.ucdavis.edu TELNET C port=63512
________________________________
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu ETHER Type=0800 (IP), size = 138 bytes
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu IP D=128.120.56.73 S=128.120.56.3 LEN=124, ID=16397
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu UDP D=1022 S=2049 LEN=104
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu RPC R (#9) XID=2205151569 Success
keep3.cs.ucdavis.edu -> kanab.cs.ucdavis.edu NFS R GETATTR2 OK
________________________________
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu ETHER Type=0800 (IP), size = 98 bytes
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu IP D=128.120.56.217 S=128.120.56.3 LEN=84, ID=14040
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu UDP D=111 S=743 LEN=64
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu RPC C XID=849579017 PROG=100000 (PMAP) VERS=2 PROC=3
keep3.cs.ucdavis.edu -> lhotse.cs.ucdavis.edu PORTMAP C GETPORT prog=100024 (STATMON2) vers=1 proto=TCP
________________________________
       ? -> (multicast) ETHER Type=002D (LLC/802.3), size = 68 bytes
________________________________
bash# 
bash# exit

script done on Wed Dec 11 00:40:17 1996

--m0nHx4uhPaACIWKo
Content-Description: snoop -v
Content-Disposition: attachment; filename=v

Script started on Wed Dec 11 00:38:23 1996
bash# snoop -v
Using device /dev/le (promiscuous mode)
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 0:38:26.67
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:7b:25:a3, Sun
ETHER:  Source      = 0:0:c0:0:82:8, Western Digital
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x10
IP:         xxx. .... = 0 (precedence)
IP:         ...1 .... = low delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 15960
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 64 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 8a91
IP:   Source address = 128.120.56.38, nuxi.cs.ucdavis.edu
IP:   Destination address = 128.120.56.192, kongur.cs.ucdavis.edu
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 1023
TCP:  Destination port = 513 (RLOGIN)
TCP:  Sequence number = 1295258215
TCP:  Acknowledgement number = 1393851764
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 17520
TCP:  Checksum = 0xc369
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
RLOGIN:  ----- RLOGIN:   -----
RLOGIN:
RLOGIN:  ""
RLOGIN:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 3 arrived at 0:38:26.84
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 0:0:c0:0:82:8, Western Digital
ETHER:  Source      = 0:0:c:4:8e:3a, Cisco
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 840
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 252 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 84f8
IP:   Source address = 128.120.253.120, request-e.ucdavis.edu
IP:   Destination address = 128.120.56.38, nuxi.cs.ucdavis.edu
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 63512
TCP:  Destination port = 23 (TELNET)
TCP:  Sequence number = 2501769266
TCP:  Acknowledgement number = 1259957050
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 1950
TCP:  Checksum = 0x35d3
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
TELNET:  ----- TELNET:   -----
TELNET:
TELNET:  ""
TELNET:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 7 arrived at 0:38:27.26
ETHER:  Packet size = 60 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = 0:0:c:4:8e:3a, Cisco
ETHER:  Ethertype = 0806 (ARP)
ETHER:
ARP:  ----- ARP/RARP Frame -----
ARP:
ARP:  Hardware type = 1
ARP:  Protocol type = 0800 (IP)
ARP:  Length of hardware address = 6 bytes
ARP:  Length of protocol address = 4 bytes
ARP:  Opcode 1 (ARP Request)
ARP:  Sender's hardware address = 0:0:c:4:8e:3a
ARP:  Sender's protocol address = 128.120.66.254, 128.120.66.254
ARP:  Target hardware address = ?
ARP:  Target protocol address = 128.120.56.119, rags.cs.ucdavis.edu
ARP:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 8 arrived at 0:38:27.32
ETHER:  Packet size = 154 bytes
ETHER:  Destination = 8:0:20:9:23:fb, Sun
ETHER:  Source      = 8:0:20:7b:25:a3, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 140 bytes
IP:   Identification = 36159
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 7bb4
IP:   Source address = 128.120.56.192, kongur.cs.ucdavis.edu
IP:   Destination address = 128.120.56.188, toadflax.cs.ucdavis.edu
IP:   No options
IP:
UDP:  ----- UDP Header -----
UDP:
UDP:  Source port = 1022
UDP:  Destination port = 2049 (Sun RPC)
UDP:  Length = 120
UDP:  Checksum = 22F3
UDP:
RPC:  ----- SUN RPC Header -----
RPC:
RPC:  Transaction id = 1228459687
RPC:  Type = 0 (Call)
RPC:  RPC version = 2
RPC:  Program = 100003 (NFS), version = 2, procedure = 1
RPC:  Credentials: Flavor = 1 (Unix), len = 40 bytes
RPC:     Time = 11-Dec-96 08:38:26
RPC:     Hostname = kongur
RPC:     Uid = 1765, Gid = 10
RPC:     Groups = 10 1 14
RPC:  Verifier  : Flavor = 0 (None), len = 0 bytes
RPC:
NFS:  ----- Sun NFS -----
NFS:
NFS:  Proc = 1 (Get file attributes)
NFS:  File handle = 0000030000000001000A000000000002
NFS:                6B24F4BF000A0000000000026B24F4BF
NFS:
^C
bash# exit

script done on Wed Dec 11 00:39:22 1996

--m0nHx4uhPaACIWKo--
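The snoop -v capture attached above decodes the Ethernet, IP and TCP headers field by field, and the snoop -V capture shows how a 40-byte IP datagram still appears as a 60-byte frame because Ethernet pads short frames. As an added example (written for this archive, not snoop or tcpdump code, and not part of the original mail), the Python below rebuilds Packet 1 of the snoop -v capture from the printed field values, parses it back into the same fields, and verifies the IP and TCP checksums against the 8a91 and 0xc369 that snoop printed; the function names (`inet_checksum`, `decode_frame`, `snoop_v_lines`, `build_sample_frame`) are this example's own. Cutting the TCP segment at the IP total length rather than the frame length is what keeps the 6 bytes of Ethernet padding out of the TCP checksum.

```python
"""snoop -v style decoder for an Ethernet/IPv4/TCP frame, with checksum checks.
Added example for the freebsd-security mail above; this is not snoop's own code.
The sample frame is constructed from the values snoop printed for Packet 1."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IP = 0x0800
PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words.
    Over a header that already contains its checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    """snoop prints MAC octets without leading zeros, e.g. 8:0:20:7b:25:a3."""
    return ":".join("%x" % b for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Parse the Ether, IP and TCP headers. Ethernet pads short frames to 60 bytes,
    so the TCP segment boundary comes from the IP total length, not the frame length."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"ether": {"dst": mac_str(dst), "src": mac_str(src),
                     "type": ethertype, "size": len(frame)}}
    if ethertype != ETHERTYPE_IP:
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IP header")
    vihl, tos, tlen, ident, frag, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or tlen < ihl or len(ip) < tlen:
        raise ValueError("malformed IP header")
    out["ip"] = {
        "version": vihl >> 4, "header_len": ihl, "tos": tos, "total_len": tlen,
        "id": ident, "flags": frag >> 13, "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000), "frag_offset": (frag & 0x1FFF) * 8,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src": str(IPv4Address(s)), "dst": str(IPv4Address(d)),
    }
    if proto != PROTO_TCP:
        return out
    seg = ip[ihl:tlen]                       # bytes after tlen are Ethernet padding, not TCP
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, tsum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    pseudo = s + d + struct.pack("!BBH", 0, proto, len(seg))   # TCP pseudo-header
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
        "window": win, "checksum": tsum, "urgent": urg,
        "checksum_ok": inet_checksum(pseudo + seg) == 0,
    }
    return out


def snoop_v_lines(d: dict) -> list:
    """Render the decoded fields one per line, in the layout snoop -v uses."""
    e = d["ether"]
    lines = ["ETHER:  ----- Ether Header -----",
             "ETHER:  Packet size = %d bytes" % e["size"],
             "ETHER:  Destination = %s" % e["dst"],
             "ETHER:  Source      = %s" % e["src"],
             "ETHER:  Ethertype = %04x" % e["type"]]
    if "ip" in d:
        ip = d["ip"]
        lines += ["IP:   ----- IP Header -----",
                  "IP:   Total length = %d bytes" % ip["total_len"],
                  "IP:   Identification = %d" % ip["id"],
                  "IP:   Time to live = %d seconds/hops" % ip["ttl"],
                  "IP:   Protocol = %d" % ip["proto"],
                  "IP:   Header checksum = %04x (%s)" % (ip["checksum"], "ok" if ip["checksum_ok"] else "BAD"),
                  "IP:   Source address = %s" % ip["src"],
                  "IP:   Destination address = %s" % ip["dst"]]
    if "tcp" in d:
        t = d["tcp"]
        lines += ["TCP:  ----- TCP Header -----",
                  "TCP:  Source port = %d" % t["sport"],
                  "TCP:  Destination port = %d" % t["dport"],
                  "TCP:  Sequence number = %d" % t["seq"],
                  "TCP:  Acknowledgement number = %d" % t["ack"],
                  "TCP:  Flags = 0x%02x" % t["flags"],
                  "TCP:  Window = %d" % t["window"],
                  "TCP:  Checksum = 0x%04x (%s)" % (t["checksum"], "ok" if t["checksum_ok"] else "BAD")]
    return lines


def build_sample_frame() -> bytes:
    """Packet 1 of the capture: nuxi -> kongur, TCP 1023 -> 513 (rlogin), ACK only.
    Constructed here from the values snoop printed, including both checksums."""
    ether = struct.pack("!6s6sH", bytes.fromhex("0800207b25a3"),
                        bytes.fromhex("0000c0008208"), ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40, 15960, 0x4000, 64, PROTO_TCP, 0x8A91,
                     IPv4Address("128.120.56.38").packed, IPv4Address("128.120.56.192").packed)
    tcp = struct.pack("!HHIIHHHH", 1023, 513, 1295258215, 1393851764, 0x5010, 17520, 0xC369, 0)
    frame = ether + ip + tcp                      # 54 bytes of headers ...
    return frame + b"\x00" * (60 - len(frame))    # ... padded to the 60-byte Ethernet minimum


if __name__ == "__main__":
    print("\n".join(snoop_v_lines(decode_frame(build_sample_frame()))))
```

Both checksums verify against the captured values, which is a useful sanity check on a hand-built decoder. The capture itself illustrates the thread's concern: rlogin (513) and telnet (23) sessions carry no encryption, so any host with a promiscuous-mode interface on the segment, whether /dev/le here or bpf0 on FreeBSD, can decode them exactly as this does.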