How to use NetXRay (sniffer utility)

Source: Internet
Author: User

NetXRay is a powerful tool developed by Cinco Networks for advanced packet inspection.

  Main functions: Monitor network status and provide data for optimizing network performance: capture over a long period and analyze network performance from the statistics.

Capture and decode packets on the network for fault analysis: set capture rules as precisely as possible to facilitate accurate analysis.

NetXRay is a commonly used sniffer and a powerful piece of software; it has the usual sniffing functions and is easy to use. Now let's take a look at its specific usage and steps:

  1, Overall layout

NetXRay's interface is in English only, which is a headache for readers who dislike English, so it is worth understanding the general layout first. The NetXRay main interface:

The menu bar has six options: File, Capture, Packet, Tools, Window, and Help.

Most of the features are gathered in the toolbar: Open, Save, Print, Abort Printing, go back to the first packet, previous packet (Previous), next packet (Next), go to the last packet, Dashboard, Capture Panel, Packet Generator, display the host table (Host Table), and so on.

Most of the NetXRay features can be implemented with buttons in the toolbar.

  2, Set the target

In the Capture menu, click Capture Filter Setting, click Profiles, and select New. In the dialog that opens (Figure 2), enter "a" in New Profile Name, keep Default as the template, click OK, and then choose Done.

Set the filter to match all packets whose destination IP is xxx.xxx.xxx.xxx: for the address that Any points to, enter xxx.xxx.xxx.xxx. Now you can start capturing. Use IE to connect to the IP you just entered, and you will see the pointer in the NetXRay window move. Wait until it reports that matching packets have been captured, then stop capturing.

Select a packet whose destination IP is xxx.xxx.xxx.xxx, choose Packet → Edit Display Filter in the menu bar, select "Data Pattern", select "Add Pattern", go to the TCP layer and select the destination port 8080, click "Set Data", and enter "TCP" in Name. Click OK, then OK again, and select "Apply Display Filter" in the Packet menu. With this proxy rule applied, the display shows only packets whose destination IP is xxx.xxx.xxx.xxx and whose destination port is 8080.

  3, Set conditions (port)

With the target set, the next step is to set the sniffing conditions. Select Filter Setting → Data Pattern. For example, to filter IP packets for a BBS (port 2323): first select the first line and use Toggle AND/OR to change it to OR, as in Figure 3. Select Edit Pattern and, in the dialog that pops up, set Packet 2 Hex (hexadecimal) and fill in 09 13 from the start (decimal 2323 corresponds to hexadecimal 0x0913, and IP packets use network byte order, with the high byte at the low address). Name it Beginbbs and click OK. Select Edit Pattern again, set Packet 2 Hex, fill in 09 13 from the start, name it Endbbs, and click OK. The outermost OR now has two leaves below it, one for each pattern.

  4, Practical use

NetXRay's so-called advanced protocol filtering is really just port filtering. Using the method described above to filter on a source port or destination port of 0x00 0x17 (23) has the same effect as selecting the Telnet filter. Because the Telnet filter means port 23, you must specify the port filter yourself if you want to capture Telnet traffic on a nonstandard port.

If you are analyzing the Telnet protocol and reconstructing the screen display, you only need to capture the echoed data from server to client. Because the password is not echoed, that filtering rule cannot capture the plaintext password. Use NetXRay to capture the packets from client to server and specify a filter on the PASS keyword.

Set it up as follows. Specify the IP filtering rule under Capture → Capture Filter Setting... and set it to any <--> any to capture as many passwords as possible. Then add a data pattern, Packet 4 Hex 0x50 41 53 53, and then add another, Packet 4 Hex 0x70 61 73 73. The two are combined with OR because this keyword is not case-sensitive in network transmissions. The rest is waiting for the password.

Note that you do not have to select a specific advanced protocol filter; selecting the IP protocol family directly is enough. This way FTP/POP3 passwords are clearly visible.
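The data-pattern rules from sections 3 and 4, modelled as an added example (not part of the original article and not NetXRay code) to show where fixed-offset matching silently misses traffic, which matters when such a filter is used to audit a network for cleartext logins. The frame builder, the function names and the offsets 34, 36 and 54 are assumptions: the offsets are derived from a 14-byte Ethernet II header followed by option-free 20-byte IPv4 and TCP headers and do not come from the page.

```python
import struct

ETH = 14  # Ethernet II header length; assumes no VLAN tag

def build_frame(sport, dport, payload=b"", ip_opts=b""):
    """Constructed sample frame: Ethernet II + IPv4 + 20-byte TCP header."""
    ihl = 5 + len(ip_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20 + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + ip_opts + tcp + payload

def fixed_match(frame, rule):
    """Data-pattern semantics from the text: OR over byte strings at fixed offsets."""
    return any(frame[off:off + len(pat)] == pat for off, pat in rule)

def parse_tcp(frame):
    """Header-aware alternative: honour the IPv4 IHL and TCP data-offset fields."""
    if frame[12:14] != b"\x08\x00" or frame[ETH + 9] != 6:
        return None  # not IPv4/TCP
    tcp = ETH + (frame[ETH] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return sport, dport, frame[tcp + (frame[tcp + 12] >> 4) * 4:]

BBS = struct.pack("!H", 2323)               # b"\x09\x13": high byte first
# Offsets assume 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP (not from the page).
PORT_RULE = [(34, BBS), (36, BBS)]          # source port OR destination port
PASS_RULE = [(54, bytes.fromhex("50415353")), (54, bytes.fromhex("70617373"))]

def compare():
    """Run both matchers over constructed frames and report where they disagree."""
    plain = build_frame(40000, 2323)
    opts = build_frame(40000, 2323, ip_opts=b"\x01" * 4)   # four IPv4 NOP options
    login = build_frame(40000, 21, b"PASS example\r\n")
    mixed = build_frame(40000, 21, b"Pass example\r\n")
    return {
        "plain_fixed": fixed_match(plain, PORT_RULE),
        "opts_fixed": fixed_match(opts, PORT_RULE),
        "opts_parsed": 2323 in parse_tcp(opts)[:2],
        "login_fixed": fixed_match(login, PASS_RULE),
        "mixed_fixed": fixed_match(mixed, PASS_RULE),
        "mixed_parsed": parse_tcp(mixed)[2][:4].upper() == b"PASS",
    }

if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:13} {hit}")
```

The fixed-offset rule misses the frame that carries IPv4 options and the mixed-case keyword, while the header-aware parser catches both.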
