strange ethereal question

Gerald Combs gerald at ethereal.com
Tue Jun 10 22:06:07 CDT 2003


On Tue, 10 Jun 2003, Frank Wiles wrote:

>     I have a bit of a strange situation.  I have a Cisco router that is
>     sending me a complete copy of a certain MAC address's IP traffic. 
>     The traffic is encapsulated in a UDP packet and sent to a specific
>     port on one of my servers. 

Could you be a bit more specific about how and what type of data is being
delivered from the router to your machine?  E.g. is it ACL logging info
(and therefore Syslog)?  Is it NetFlow?  RMON?  One of the many forms of
tunneling?  Some other feature or protocol I'm missing?

Also, is the encapsulated data in its original binary form (and if so, are
any layers stripped off?), or is it some sort of hexadecimal or text
representation?

>     My ultimate goal is to be able to isolate the HTTP traffic and pull
>     out all sites and URLs visited by this host. I was told that
>     ethereal was probably my best bet at not having to write code to
>     decode the HTTP packets. 
> 
>     The problem is, ethereal only sees it as a bunch of UDP packets. I
>     tried redirecting the raw stream to ethereal's STDIN, but it only
>     wants libpcap formatted files via pipes or files. 
> 
>     I keep running into the fact that my little Perl UDP server running
>     on port 3000 isn't a real network device. 
> 
>     Any ideas on how I can fake ethereal into taking the raw stream,
>     fake the stream into a device, or output the stream in libpcap
>     format? 

It depends.  If data being delivered to port 3000 contains raw, binary
encapsulated data you could strip off the header up to the encapsulated
data and dump it out to libpcap format using the Net::Pcap module.  You
could also dump it out to hex-formatted text and use Ethereal's text2pcap
utility to convert it.  If you're daring you could add support for the
encapsulation to Ethereal.  Instructions are in doc/README.developer in
the source distribution.

If the data contains hexadecimal-formatted data you would need to parse it
and use one of the above methods to dump the data.

If it's NetFlow data, you can have Ethereal recognize it by going to
Edit->Preferences->Protocols->CFLOW and entering port 3000.  You're out of
luck on URL parsing, however, since NetFlow data doesn't deliver the
contents of TCP packets, just bits of header data.

>     Any help would be appreciated. 
> 
>     P.S. In case you are wondering, this is not a malicious exercise. 
>          I'm sniffing my own server's traffic, not someone else's. 

Lots of different products do this sort of thing.  No reason you shouldn't
be able to.
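The two "strip the header and dump it" routes described in the reply above, as an added example in Python that is not code from this thread or from the Ethereal project: it writes the inner frames straight into libpcap file format and, alternatively, into the offset/hex layout text2pcap reads. It assumes a hypothetical fixed 8-byte encapsulation header (the real one is unknown here) and that the inner data is a complete Ethernet frame; the sample datagram is constructed.

```python
import socket
import struct
import time

# Assumed, hypothetical fixed-size header the router prepends to each copied
# frame; the thread never says what the real encapsulation looks like.
ENCAP_HEADER_LEN = 8
LINKTYPE_ETHERNET = 1  # inner data assumed to be a complete Ethernet frame

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """libpcap file header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts):
    """One libpcap record: ts_sec, ts_usec, incl_len, orig_len, then the frame bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def strip_encap(datagram):
    """Drop the router's encapsulation header and return the inner frame."""
    if len(datagram) <= ENCAP_HEADER_LEN:
        raise ValueError("datagram too short to hold an encapsulated frame")
    return datagram[ENCAP_HEADER_LEN:]

def datagrams_to_pcap(datagrams, first_ts=0.0):
    """Build a complete pcap file image from UDP payloads (one inner frame each)."""
    out = bytearray(pcap_global_header())
    for i, dgram in enumerate(datagrams):
        out += pcap_record(strip_encap(dgram), first_ts + i)
    return bytes(out)

def text2pcap_dump(frame):
    """Hex dump in the 'offset  bytes' layout text2pcap reads; an offset-only line ends the packet."""
    lines = [f"{off:06x}  " + " ".join(f"{b:02x}" for b in frame[off:off + 16])
             for off in range(0, len(frame), 16)]
    lines.append(f"{len(frame):06x}")
    return "\n".join(lines) + "\n"

# Constructed sample: 8 dummy header bytes, then a 14-byte Ethernet header
# (broadcast dst, ethertype IPv4) and the first 10 bytes of an IPv4 header.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0800 45000028000100004006")
SAMPLE_DATAGRAM = b"\x00" * ENCAP_HEADER_LEN + SAMPLE_FRAME

if __name__ == "__main__":
    # Listen on UDP 3000 (the port from the thread), collect 100 datagrams,
    # and write a file Ethereal can open directly.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 3000))
    collected = [sock.recv(65535) for _ in range(100)]
    with open("capture.pcap", "wb") as f:
        f.write(datagrams_to_pcap(collected, time.time()))
```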




More information about the Kclug mailing list