Basic use and instance of Sniffer Pro

Source: Internet
Author: User

Running Environment and Installation
Sniffer Pro can run on any machine on the LAN. For practice it is best to connect the machines through a hub within a single subnet; that way the packets transmitted to every machine on the hub can be captured.
Installation is simple: accept the defaults all the way through. On the first run you must select your NIC.
It runs best on Win2000; on Win2003 the network flow statistics (dashboard) have a problem.
Common functions
1. Dashboard (network flow statistics)
Click icon ① in Figure 1. Three gauges are displayed: the first shows network usage (utilization), the second the number of packets per second passing through the network (packets), and the third the network error rate per second (errors). Network usage can be read intuitively from these three gauges; the red part marks the upper limit set according to network requirements.
Select the option marked ② in Figure 1 to display a more detailed graph of network-related data, shown in Figure 2. The meaning of each sub-item does not need repeating. The following explains several common units used when measuring network speed.
In TCP/IP, data is divided into packets for transmission. The packet size depends on the operating system and network bandwidth and is usually 64, 128, 256, 512, 1024 or 1460; the unit is bytes.
Many beginners confuse kbps, KB, Mbps and similar units. B and b stand for bytes and bits respectively: 1 bit is a 0 or a 1, and 1 byte = 8 bits.
1 Mbps (megabits per second) is 1 x 1024 / 8 = 128 KB/s (kilobytes per second). The "512k" of a common ADSL downlink refers to kilobits per second (Kb), that is 512 / 8 = 64 kilobytes per second (KB).

Figure 1
Figure 2
2. Host table (host list)
Click icon ① in Figure 3 to display the interface shown there. Select the IP option ② and the interface lists the addresses of all online hosts and of the Internet servers they are connected to. To see the Internet activity of 192.168.113.88, click the address marked ③; Figure 4 appears.
Figure 3

Figure 4 clearly shows the addresses this machine is connected to. Click the other icons in the left column to display further data about the machine's connection state.
Figure 4
3. Detail (protocol list)
Click the "detail" icon shown in Figure 5. The view shows the protocol distribution across the whole network, so you can clearly see which machine runs which protocols. Note: click it from the Figure 3 view; if you click it from the Figure 4 view, only the selected machine is displayed.
Figure 5
4. Bar (traffic list)
Click the bar icon shown in Figure 6. The view shows the top 10 servers in the network as a bar chart. Figure 7 shows the same content as Figure 6 as a pie chart.
Figure 6
Figure 7
5. Matrix (network connections)
Click the icon pointed to by the arrow in Figure 8. All connections across the network are displayed: a green line indicates a connection in progress, a blue line a past connection. Place the cursor on a line to inspect that connection. Right-click for the shortcut menu and select zoom.
Figure 8
Packet Capture instance
1. Capture all data packets of one machine
In this example all data packets of the machine 192.168.113.208 are to be captured. In Figure 9, select this machine at ① and click the icon marked ② to display the Figure 10 interface. When the telescope icon indicated by the arrow in Figure 10 turns red, data has been captured. Click this icon to display the Figure 11 interface, then select the decode option indicated by the arrow to view all captured packets.
Figure 9
Figure 10
Figure 11
2. Capture the Telnet Password
In this example, Telnet from 192.168.113.208 to 192.168.113.50 and use Sniffer Pro to capture the user name and password.
Step 1: set rules
As shown in Figure 12, select Define Filter in the Capture menu. On the page shown in Figure 13, select the Address item and enter the IP addresses of the two machines in Station 1 and Station 2 respectively. In Figure 14, select the Advanced option, select IP/TCP/Telnet, set Packet Size to "equal 55", and Packet Type to Normal.
Figure 12
Figure 13
Figure 14
Step 2: capture packets
Press F10 to go to the Figure 15 page and start packet capture.
Figure 15
Step 3: run the Telnet command
In this example, telnet to a Linux machine with the telnet service enabled.
Telnet 192.168.113.50
Login: Test
Password:
Step 4: view the result
When the telescope icon pointed to by the arrow in Figure 16 turns red, data has been captured. Click this icon to display the Figure 17 interface and select the decode option pointed to by the arrow to see all captured packets. We can clearly see that the user name is "test" and the password is 123456.
Figure 16
Figure 17
Explanation:
Although the password is captured, you may not understand why the packet size was set to 55. Data sent over the network is divided into packets, and the size of a packet varies with the protocol. As shown in Figure 18, when the client telnets to the server, only one byte of data is transferred at a time. Because the header lengths of the protocols are fixed, the Telnet packet size = DLC (14 bytes) + IP (20 bytes) + TCP (20 bytes) + data (1 byte) = 55 bytes. Setting Packet Size to 55 therefore captures exactly the user name and password keystrokes; otherwise you would get many irrelevant packets.

Figure 18
3. Capture the FTP Password
In this example, FTP from 192.168.113.208 to 192.168.113.50 and use Sniffer Pro to capture the user name and password.
Step 1: set rules
As in Figure 12, select Define Filter in the Capture menu. On the page shown in Figure 19, select the Address item, enter the IP addresses of the two machines in Station 1 and Station 2, then select Advanced, select IP/TCP/FTP, set Packet Size to between 63 and 71, and Packet Type to Normal. In Figure 20, select the Data Pattern item and click the Add Pattern button pointed to by the arrow. The page in Figure 21 is displayed: set the offset to 2f as shown, and enter 18 in the value box; the name is arbitrary. After confirming, click "Add NOT" in Figure 22, then click "Add Pattern" to add the second rule. Set that rule as shown in Figure 23; after confirmation it looks like Figure 24.
Figure 19
Figure 20
Figure 21
Figure 22
Figure 23
Figure 24
Step 2: capture packets
Press F10 to go to the Figure 15 page and start packet capture.
Step 3: run the FTP command
In this example, FTP to a Linux machine with the FTP service enabled.
D:/> FTP 192.168.113.50
Connected to 192.168.113.50.
220 test1 FTP Server (version wu-2.6.1 (1) Wed Aug 9 05:54:50 EDT 2000) ready.
User (192.168.113.50:(none)): Test
331 Password required for test.
Password:
Step 4: view the result
When the telescope icon pointed to by the arrow in Figure 16 turns red, data has been captured. Click this icon to display the Figure 25 interface and select the decode option pointed to by the arrow to see all captured packets. We can clearly see that the user name is "test" and the password is 123456789.
Figure 25
Explanation:
Although the password is captured, you may not understand the filter settings. In Figure 19 the packet size is set to 63-71 based on the size of the user name and password packets; Figure 25 shows that the packet carrying the password is 70 bytes long. The protocol headers total 14 + 20 + 20 = 54 bytes, the same as for Telnet. The FTP data length is 16: the keyword "pass" occupies 4 bytes, the space 1 byte, the password 9 bytes, and the 0d 0a (carriage return, line feed) 2 bytes, so the packet length = 54 + 16 = 70. If the user name and password are longer, the packet size value must increase accordingly.
The Data Pattern settings are based on specific characteristics of the user name and password packets. To illustrate this, with the Figure 15 window open, select Define Filter in the Capture menu, select the Data Pattern item in Figure 20, and click the Add Pattern button pointed to by the arrow; the page shown in Figure 26 appears. Select the packet at 1 in the figure and click Set Data at 2; the offset, value and name are filled in with the corresponding values.
The same holds for Figure 27.
These rules are derived from the characteristics of the packets you want to capture, which requires a thorough understanding of TCP/IP. From Figure 28 we can see that everything transmitted on the network is a bit stream: the operating system turns the bit stream into binary data, software such as Sniffer presents that binary data as hexadecimal, and meaning is then assigned to those numbers. The 18 in the figure indicates that the TCP flags byte is 18. The offset is the position within the packet, and the value at that position is what you enter in the value box.
Figure 26
Figure 27
Figure 28
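The header arithmetic in the two explanations above (DLC 14 + IP 20 + TCP 20 + data) and the data pattern "offset 2f, value 18" can be checked with a few lines of code. The following Python is an added example, not from the original article and not part of Sniffer Pro: it constructs an Ethernet II / IPv4 / TCP frame with a given payload, verifies the frame length formula, reads the byte at offset 0x2f (which is the TCP flags byte, 14 + 20 + 13 = 47 = 0x2f; the value 0x18 is PSH + ACK), and includes the check a defender would run over a capture to confirm that an FTP credential crossed the wire in cleartext, without reporting the secret itself. All MAC addresses, ports, sequence numbers and payloads are constructed sample values.

```python
import struct

# Fixed header sizes used in the article's arithmetic (no IP or TCP options).
ETH_HDR_LEN = 14   # DLC (Ethernet II) header
IP_HDR_LEN = 20    # IPv4 header
TCP_HDR_LEN = 20   # TCP header
# The TCP flags byte is byte 13 of the TCP header: 14 + 20 + 13 = 47 = 0x2f,
# which is the offset the article's data pattern uses.
TCP_FLAGS_OFFSET = ETH_HDR_LEN + IP_HDR_LEN + 13
PSH_ACK = 0x18     # the "18" in the data pattern: PSH (0x08) | ACK (0x10)


def build_frame(payload: bytes, src_port: int, dst_port: int, flags: int = PSH_ACK) -> bytes:
    """Construct a minimal Ethernet II / IPv4 / TCP frame carrying payload.

    Constructed sample data: MACs are zero, checksums are left at 0, and the
    IP addresses are the two hosts used in the article's examples.
    """
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)  # dst MAC, src MAC, EtherType IPv4
    ip_total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                         # version 4, IHL 5 (20 bytes)
        0, ip_total_len, 0, 0x4000,   # TOS, total length, ID, flags/fragment (DF)
        64, 6, 0,                     # TTL, protocol TCP, header checksum (unset)
        bytes([192, 168, 113, 208]),  # source address (constructed)
        bytes([192, 168, 113, 50]),   # destination address (constructed)
    )
    data_offset = (TCP_HDR_LEN // 4) << 4   # 0x50: 5 words, no options
    tcp = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1, 1,                         # sequence and acknowledgement numbers (constructed)
        data_offset, flags,
        8192, 0, 0,                   # window, checksum (unset), urgent pointer
    )
    return eth + ip + tcp + payload


def expected_frame_length(payload_len: int) -> int:
    """The article's formula: DLC (14) + IP (20) + TCP (20) + data."""
    return ETH_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN + payload_len


def tcp_flags(frame: bytes) -> int:
    """Read the TCP flags byte at the data pattern's offset 0x2f."""
    return frame[TCP_FLAGS_OFFSET]


def _tcp_start(frame: bytes) -> int:
    """Start of the TCP header, honouring the IHL field rather than assuming 20."""
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    return ETH_HDR_LEN + ihl


def tcp_payload(frame: bytes) -> bytes:
    """Walk the headers using IHL and the TCP data offset and return the payload."""
    tcp_start = _tcp_start(frame)
    doff = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + doff:]


def cleartext_ftp_pass(frame: bytes) -> bool:
    """Defender's check: does this frame carry an FTP PASS command in the clear?

    Reports only that a cleartext credential was sent to port 21; the secret
    itself is never returned or logged.
    """
    tcp_start = _tcp_start(frame)
    dst_port = struct.unpack("!H", frame[tcp_start + 2:tcp_start + 4])[0]
    return dst_port == 21 and tcp_payload(frame).upper().startswith(b"PASS ")


if __name__ == "__main__":
    telnet = build_frame(b"t", 1025, 23)                 # Telnet: one keystroke per packet
    ftp = build_frame(b"PASS 123456789\r\n", 1026, 21)   # "pass" + space + 9 chars + CR LF
    print(len(telnet), hex(tcp_flags(telnet)))           # 55 0x18
    print(len(ftp), cleartext_ftp_pass(ftp))             # 70 True
```

Running the block prints 55 and 0x18 for the one-byte Telnet frame and 70 and True for the FTP PASS frame, matching the packet sizes in Figures 18 and 25. The same length and flags checks are what the Sniffer Pro filter evaluates; expressing them in code makes clear that the filter is selecting "small PSH+ACK segments to port 21 or 23", which is also the signature a monitoring rule would use to alert that cleartext logins are still in use on the network.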
4. Capture the HTTP Password
Step 1: set rules
Set the rules as shown in Figures 29 and 30. The method is the same as above.
Figure 29
Figure 30
Step 2: capture packets
Press F10 to start packet capture.
Step 3: access the website www.ccidnet.com
Step 4: view the result
When the telescope icon indicated by the arrow in Figure 16 turns red, data has been captured. Click this icon to display the Figure 31 interface and select the decode option pointed to by the arrow to see all captured packets. Find the packet whose summary contains the POST keyword; you can clearly see that the user name is qiangkn997 and the password is ?. This is my real password! Of course I cannot tell you, but you are welcome to write to me.
Figure 31
Postscript
The examples in this article are experiments inside our own network. To capture the data of every machine on the network, set the stations in Figure 13 to Any <-> Any, for study purposes only. Do not do anything bad! To make good use of Sniffer Pro you need solid basic network knowledge, especially of the TCP/IP protocols. In fact, Sniffer Pro itself is a good tool for learning this knowledge.

From http://www.ittopic.com/Article/wl/assist/200610/20061027000806.html
