[doHTML]
Network Administration and Mac os X - Packet Sniffing
Why Sniff a Network?
There are lots of reasons to sniff a network (both good and bad). Among the good reasons are finding out about what's going on. Looking at why things slow down and who is doing what and when. As well as more often than not and using the most bandwith (yep the isp bill is up $475 bucks this month what the heck is happening to the bandwith use?).
Only last week we were looking at a new printer but the driver for this thing was making a lot of noise on the network. With that knowledge we decided only to install that driver on an as need basis instead of installing it on every machine in the company.(thus avoiding a lot of unneeded network traffic)
In addition to the above it’s just good to know and have some bench mark of what your network is doing. If you are asked to be an administrator it’s good to have some basic benchmark of something simple like how many packets a second flow thru different parts of the network on average.
For example the network I administer has 1 section that will have hundreds of packets a second flowing thru it most of the time 9 to 5. The link from our local network to the net will have maybe 100 - 400 packets a second or more and sometimes only a few. And any machine that’s just sitting on the end of our Cisco switch will be picking up about 15-60 packets a minute often less. Just that knowledge alone is a valuable trouble shooting tool.
Also knowing what the make up of protocols on your network is also a good thing. By observing your network environment you can be aware of change and act accordingly. It is also invaluable if you ever get to a level of developing your own network applications or if your having trouble with servers communicating with each other (running mysql comes to mind hear)
What you should already know and what you will need.
You should be familiar with the command line level of mac os X (ie working with the terminal). If you don’t know what I’m talking about have a look at
“Learning the Terminal in Jaguar”
Also
http://www.macdevcenter.com/ a great place to start learning about the command line and a great source of free information (and I can recommend a number of the books that they flog as well!). You should also know a little about TCP/IP and it will help a lot if you have an adsl or cable connection to the internet (some of the things you are going to down load are large). Most of this information applies to mac os X .3 up
You will need 2 computers or a simple network if you and a buddy are interested in this stuff it could be a good excuse to hang out and geek out with some of the things discussed.
Simple Types of Network for sniffing
The most basic network is 2 computers connected with an ethernet cable or an ethernet crossover cable (it’s good to have both!). Depending on how old your mac is you can probably get by with an ethernet cable, if you are using something pre imac (or heavens forbid a pc!) you will probably need the cross over cable. These can be brought for a few bucks from any good computer and or electronic shop.
The next level up is using a simple or dumb hub with 2 or more machines attached. If you are purchasing a hub just for networking experiments, make sure it is a dumb hub. Many modern network devices are in fact switches (or sometimes routing switches) which won’t give you all the network information. A 4 to 8 port dumb hub should not cost any more than about $100 Australian (I got mine 4 years ago for about $75)
Network Topology & where to sniff
See this separate page for some information about building
href="http://www.appletalk.com.au/articles/packetsniffing/hubsrouters.php">a basic network for sniffing.
Some Mac os X Packet sniffers
Because Mac os X at it’s core runs on Unix (which was the source and development platform for much of the internet) there are now a large number of good quality packet sniffer’s for mac os X both command line and GUI (graphical user interface) and web based.
FrameSeer
If you want to get started sniffing packets and want a gui a good place to start is FrameSeer that you can down load from
http://www.lgosys.com/ Frameseer is a GUI front end to tcpdump and it also has a very informative help section (well worth the down load just for that alone) and the included help can also be of use if you want to later work directly with tcpdump.
The limitations on this are that it’s a demo and only lets you capture a few packets at a time, and with the full version it will eventualy bging your machine to a crawl if you try to do a large captures.
Packet header information in FrameSeer
FrameSeer traffic via protocle / network usage
tcpdump
Tcpdump is a comand line packet sniffer which is part of the bsd install of mac osX and is probably installed already on your mac os X machine!
If you are connected via ethernet to some sort of a network, try the following command in the terminal.
[/doHTML]
- sudo tcpdump -vvv
- Enter your password
- Do something that will cause network use (ie surf the web or ping an ip address) congratulations you are now sniffing the network!
[doHTML]
Tcpdump has an interesting filter system for example try "
sudo tcpdump port 80".
This will sniff only for traffic on tcp/ip port 80 (Typically web traffic).
When you have finished sniffing either quit the terminal application or hit the control and c key to exit the tcpdump process.
If your comfortable working with the terminal and want to know more about tcpdump check out
http://www.tcpdump.org/
ntop
style="font-weight: bold;">
ntop is a great product it’s free ware but unfortunately it’s a difficult thing to install. It has a web and command line interface and can produce a very good picture of what’s going on and thru your network (it looks at traffic flows and machine info and turns this information into graphs) and this information can be viewed via any web browser!
My experience with Ntop is that ...
the ntop version 2.1.1 dmg installs fine and runs no trouble at all.
ntop version 2.2 dmg also installs but will not run on mac os X.3.4 But! if you install version 2.1.1 and upgrade it will work! (sort of buggy though) If anyone has an easy way to get ntop version 3 running please drop me a line!
The following are just a sample of the sort of information ntop can generate.
click for bigger image
Henwen / Snort
Snort is a network attack detection program based around a packet sniffer it is command line based but Henwen is a mac os X GUI front end for it that makes config and tuning a lot easier.
You can down load Henwen from
http://seiryu.home.comcast.net/
Drag and drop install is great but on a noisy network it can be a sensitive thing to set up But it is an effective, useful and powerful tool if you want to put the time in to configure it.
If you want to get down to the command line level with Henwen - snort engine check out
http://www.snort.org/
ethereal
style="font-weight: bold;">
Ethereal is probably the best GUI interfaced packet sniffer available and it’s free industrial strength and very powerful but it is a bit of a task to get up and running. (we will cover it’s install in some detail)
Installing ethereal
To install Ethereal you will need to install Apples Developer Software , apple’s X11 and FINK and the excellent Fink Commander.
Apples Developer Software
This may have come with your panther install, if not you can down load it from the apple developer site. You will have to sign up for a developer membership but there is a free version of this that lets you down load the tools.
see http://developer.apple.com/
Apples X11 Software
To find out what this is see http://www.apple.com/macosx/features/x11/ again it is part of disk 3 of your panther installer cd’s.
Fink
To quote directly from the Fink web site
“The Fink project wants to bring the full world of Unix Open Source software to Darwin and Mac OS X. We modify Unix software so that it compiles and runs on Mac OS X ("port" it) and make it available for download as a coherent distribution.”
A good place to learn more about fink is http://homepage.mac.com/sao1/fink/index.html
http://fink.sourceforge.net/
FinkComander
http://fink.sourceforge.net/download...php?phpLang=en
The process is as follows
Install Apples Developer Software this is about a 300 Mg down load or you can use the CD that may have com with your mac. The reason to install this is that the developer CD contains compilers that Fink will use on occasion.
Install apples X11 - available free from apples web site or it may have been included in your system disk’s (usually disk 3 with Panther)
Install Fink
http://fink.sourceforge.net/
The installer for Fink comes with an amazing application called Fink Commander.
This configuration now gives you access to about 1500 different applications and librays that extend mac os X via X 11
Once you have Fink commander installed open fink commander and do a search on ethereal
You can install vai binary or install from source (this will take considerably longer as it has to compile as well) the process will take a while but it’s wellworth the wait when the process has completed
Try the following
[/doHTML]- Launch x11
- open an x11 terminal
- Then type: sudo /sw/bin/./ethereal
- Type your user password
[doHTML]
All your trouble should now be rewarded with the following:
Ethereal after instal and packet capture (click to enlarge)
My next article will cover the use of ethereal
Nevets_Anderson
