strange ethereal question

Frank Wiles frank at wiles.org
Thu Jun 12 16:15:52 CDT 2003


 .------[ Gerald Combs wrote (2003/06/10 at 17:05:56) ]------
 | 
 |  On Tue, 10 Jun 2003, Frank Wiles wrote:
 |  
 |  >     I have a bit of a strange situation.  I have a Cisco router that is
 |  >     sending me a complete copy of a certain MAC addresses' IP traffic. 
 |  >     The traffic is encapsulated in a UDP packet and sent to a specific
 |  >     port on one of my servers. 
 |  
 |  Could you be a bit more specific about how and what type of data is being
 |  delivered from the router to your machine?  E.g. is it ACL logging info
 |  (and therefore Syslog)?  Is it NetFlow?  RMON?  One of the many forms of
 |  tunneling?  Some other feature or protocol I'm missing?
 |  
 |  Also, is the encapsulated data in its original binary form (and if so, are
 |  any layers stripped off?), or is it some sort of hexadecimal or text
 |  representation?

    As it turns out it is the raw TCP/IP packet encapsulated in a UDP
    packet with 4 bytes of some type of tracking info on the front of
    it. 

 |  >     My ultimate goal is to be able to isolate the HTTP traffic and pull
 |  >     out all sites and URLs visited by this host. I was told that
 |  >     ethereal was probably my best bet at not having to write code to
 |  >     decode the HTTP packets. 
 |  > 
 |  >     The problem is, ethereal only sees it as a bunch of UDP packets. I
 |  >     tried redirecting the raw stream to ethereal's STDIN, but it only
 |  >     wants libpcap formatted files via pipes or files. 
 |  > 
 |  >     I keep running into the fact that my little Perl UDP server running
 |  >     on port 3000 isn't a real network device. 
 |  > 
 |  >     Any ideas on how I can fake ethereal into taking the raw stream,
 |  >     fake the stream into a device, or output the stream in libpcap
 |  >     format? 
 |  
 |  It depends.  If data being delivered to port 3000 contains raw, binary
 |  encapsulated data you could strip off the header up to the encapsulated
 |  data and dump it out to libpcap format using the Net::Pcap module.  You
 |  could also dump it out to hex-formatted text and use Ethereal's text2pcap
 |  utility to convert it.  If you're daring you could add support for the
 |  encapsulation to Ethereal.  Instructions are in doc/README.developer in
 |  the source distribution.
 |  
 |  If the data contains hexadecimal-formatted data you would need to parse it
 |  and use one of the above methods to dump the data.
 |  
 |  If it's NetFlow data, you can have Ethereal recognize it by going to
 |  Edit->Preferences->Protocols->CFLOW and entering port 3000.  You're out of
 |  luck on URL parsing, however, since NetFlow data doesn't deliver the
 |  contents of TCP packets, just bits of header data.

    I looked into using Net::Pcap, but it appeared to only take input
    from a network device and didn't appear to allow me to just hand it
    a packet for encoding into pcap format. I'll look into saving it out
    as hex formatted text. 

    Thanks for your help on this. 

 ---------------------------------
   Frank Wiles <frank at wiles.org>
   http://frank.wiles.org
 ---------------------------------
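The approach Gerald suggests (strip the encapsulation header, write the inner packet out as libpcap records so Ethereal can dissect the HTTP) as an added example, not code from this thread, in Python rather than the Perl server Frank mentions. It assumes the 4 bytes of tracking info are immediately followed by an IPv4 header (so pcap link type 101, raw IP, is used rather than Ethernet), and the sample packet is constructed for the demo.

```python
import socket
import struct

PREFIX_LEN = 4       # assumed: 4 bytes of router tracking info before the IP packet
LINKTYPE_RAW = 101   # pcap link type for packets that begin at the IP header (no Ethernet)

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_RAW):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype (little-endian file)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(packet, ts):
    # per-packet header: seconds, microseconds, captured length, original length
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet

def strip_prefix(datagram):
    """Return the inner IPv4 packet, or None if the datagram does not look like one."""
    if len(datagram) < PREFIX_LEN + 20:           # prefix + minimum IPv4 header
        return None
    inner = datagram[PREFIX_LEN:]
    if inner[0] >> 4 != 4:                        # IPv4 version nibble
        return None
    total_len = struct.unpack("!H", inner[2:4])[0]
    if total_len < 20 or total_len > len(inner):  # truncated or bogus length field
        return None
    return inner[:total_len]                      # drop any trailer beyond the IP length

def datagrams_to_pcap(datagrams, start_ts=0.0):
    # Turn a list of received UDP payloads into pcap file bytes; returns (bytes, kept)
    out = bytearray(pcap_global_header())
    kept = 0
    for i, dg in enumerate(datagrams):
        pkt = strip_prefix(dg)
        if pkt is not None:                       # skip malformed datagrams instead of corrupting the file
            out += pcap_record(pkt, start_ts + i)
            kept += 1
    return bytes(out), kept

def make_ipv4_tcp(payload, src="10.0.0.5", dst="192.0.2.80", dport=80):
    # constructed IPv4/TCP packet for demonstration only (checksums left zero)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

if __name__ == "__main__":
    sample = b"\x00\x00\x00\x01" + make_ipv4_tcp(b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    data, kept = datagrams_to_pcap([sample, b"\x00\x00\x00\x02junk"])
    with open("captured.pcap", "wb") as f:        # open this file in Ethereal / Wireshark
        f.write(data)
```

In the real server, each datagram read from the UDP socket on port 3000 would be passed through strip_prefix and appended with pcap_record to an open file; if the prefix turns out to include an Ethernet header, change LINKTYPE_RAW to 1 and skip the IPv4 check.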
