Sniffer (Part 1): Tracing data in the 0s and 1s of packets

Source: Internet
Author: User
Tags: snmp
I have recently been studying SNMP programming for more effective network management, and lately the focus has been on the five basic SNMP operations (see RFC 1157: get-request, get-next-request, get-response, set-request and trap). Reading only the description in a book is not intuitive; it is better to see the actual operation on the wire, and sniffer software gives us exactly that. Below I introduce the five basic SNMP operations in combination with the Sniffer Pro software.

You have probably heard of Sniffer Pro, for example for diagnosing network faults or, less legitimately, for stealing user data, but I believe you will also have found that Sniffer Pro is not as easy to use as it looks. Why? Because we are still not familiar with the network protocols themselves, and so interest in Sniffer Pro gradually fades. As I learned more recently, my mindset gradually changed: Sniffer Pro should be a tool for learning about network protocols, and by learning to use Sniffer Pro we can learn and familiarize ourselves with the protocols. The following is my learning experience over the past few years.

I. Network topology: the network management learning environment

The devices required for this setup are a CISCO3550 switch and a PC. The switch supports the SNMP protocol, and the PC runs the Sniffer Pro and MIB browser programs. The topology is as follows:

Device               IP address
CISCO3550 switch     10.66.0.1
PC                   10.66.1.118

The software settings are as follows:

(1) Switch settings

snmp-server community public RO
- enables the SNMP protocol, but with the read-only attribute only

snmp-server packetsize 484
- the size of a response PDU cannot exceed 484 bytes

snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart warmstart
- send the 5 standard-defined traps

snmp-server host 10.66.1.188 public
- destination host to which the traps are sent

(2) Programs on the PC

For the sniffer program I chose Sniffer Pro, and for the MIB browser program I chose MG-SOFT MIB Browser; both are classic programs.

II. Initial settings of Sniffer Pro

Sniffer Pro captures packets, but it captures far too much information. How do we filter while capturing? Set the following parameters: "Capture" - "Define Filter" - "Address" - "Address type", then enter "10.66.1.188" in "Location 1" and "10.66.0.1" in "Location 2" and click "OK", as shown in Figure 1.

Figure 1

This is much simpler. With the filter defined, we can use the Sniffer Pro software freely.

III. Using the MIB Browser: capturing the internal content of packets

Open the MIB Browser program and enter 10.66.0.1 in "Remote SNMP agent". In the MIB tree go to iso-org-dod-internet-mgmt-mib-2-system, which contains sysDescr, sysObjectID, sysUpTime and so on. Then open the Sniffer program and start a capture, go back to the MIB Browser, select sysDescr, right-click and choose "Get". On the right of the interface the following appears: "1: sysDescr.0 (octet string) cisco Internetwork Operating System Software IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1 (14) EA1a, release software (fc1) Copyright (c) 1986-2003 by cisco Systems, Inc. compiled Tue 02-Sep-03 by antonino", as shown in Figure 2.

Figure 2

Then switch to the Sniffer program and click "Capture" - "Stop and Display".

The decoded result is shown in Figure 3:

Figure 3

The raw bytes of the packet are:

30 82 01 0a 02 01 00 04 06 70 75 62 6c 69 63 a2 81 fc 02 02 01 dd 02 01 00 01 00 30 81 ef 30 81 ec 06 08 2b 06 01 02 01 01 01 00 04 81 df 43 69 73 63 6f 20 49 6e 74 65 72 6e 65 74 77 6f 72 6b 20 4f 70 65 72 61 74 69 6e 67 20 53 79 73 74 65 6d 20 53 6f 66 74 61 72 65 20 0d 0a 49 4f 53 20 28 74 6d 29 20 43 33 35 30 20 20 53 6f 66 74 77 61 72 65 20 28 33 35 35 30 2d 49 35 51 33 4c 32 2d 4d 29 2c 20 56 65 72 73 69 6f 6e 20 31 32 2e 31 28 31 34 29 45 41 31 61 2c 20 52 45 4c 45 41 53 45 20 53 4f 46 54 57 41 52 45 20 28 66 63 31 29 0d 0a 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 31 39 38 36 2d 32 30 30 33 20 62 79 20 63 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49 6e 63 2e 0d 0a 43 6f 6d 70 69 6c 65 64 20 54 75 65 20 30 32 2d 53 65 70 2d 30 33 20 30 34 3a 30 38 20 62 79 20 61 6e 74 6f 6e 69 6e 6f

The whole message is an ASN.1 SEQUENCE structure. Following the TLV encoding of the transmitted data (Tag, Length, Value), it breaks down as follows:

30: tag of the Message (a SEQUENCE)

82 01 0a: the number of bytes of data that follow. The leading 82 says the length is in long form and occupies the next two bytes; 01 0a is 266 in decimal. Counting the following bytes by hand is inconvenient; in practice you only need to select all the subsequent bytes and use Word's word-count function to count them.

02 01 00: version, the 1st component of the Message; the BER (Basic Encoding Rules) encoding of the integer 0

04 06 70 75 62 6c 69 63: community, the 2nd component of the Message; the BER encoding of the string value "public". A table makes this structure clearer:

Hexadecimal (ASCII code)    Character value
70                          p
75                          u
62                          b
6c                          l
69                          i
63                          c

IV. Reading the read-only password out of the 0s and 1s

Here we come a step closer to understanding the network protocol: those combinations of 0s and 1s really can give us real information. Here they tell us that the read-only community (that is, the read-only password) is public.

All the remaining bytes are the BER encoding of the PDU, the 3rd component of the Message (a GetResponse-PDU).

a2: tag of the GetResponse-PDU sequence structure

81 fc: length of the data, 252 in decimal (counted with Word again, and it is not bad at all)

02 02 01 dd: request-id, the 1st component of the GetResponse-PDU; the BER encoding of the integer 0x01dd (477 in decimal)

02 01 00: error-status, the 2nd component of the GetResponse-PDU; the BER encoding of the integer 0

02 01 00: error-index, the 3rd component of the GetResponse-PDU; the BER encoding of the integer 0

All the remaining bytes are the BER encoding of variable-bindings, the 4th component of the GetResponse-PDU.

30: tag of the sequence type (VarBindList)

81 ef: data length, 239 in decimal

06 08 2b 06 01 02 01 01 01 00: name, the 1st component of the VarBind; the BER encoding of the object identifier 1.3.6.1.2.1.1.1.0

The following long string:

04 81 df 43 69 73 63 6f 20 49 6e 74 65 72 6e 65 74 77 6f 72 6b 20 4f 70 72 61 74 69 6e 67 20 53 79 73 74 65 6d 20 53 6f 66 74 77 61 72 65 20 0d 0a 49 4f 53 20 28 74 6d 29 20 43 33 35 30 20 53 6f 66 74 77 61 72 65 20 28 43 33 35 35 30 2d 49 35 51 33 4c 32 2d 4d 29 2c 20 56 65 72 73 69 6f 6e 20 31 32 2e 31 28 31 34 29 45 41 31 61 2c 20 52 45 4c 45 41 53 45 20 53 4f 46 54 57 41 52 20 28 66 63 31 29 0d 0a 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 31 39 38 36 2d 32 30 33 20 62 79 20 63 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49 6e 63 2e 0d 0a 43 6f 6d 70 69 6c 65 64 20 54 75 65 20 30 32 2d 53 65 70 2d 30 33 20 30 34 3a 30 38 20 62 79 20 61 6e 74 6f 6e 69 6e 6f

is the BER encoding of value, the 2nd component of the VarBind (04 marks an OCTET STRING and 81 df a long-form length of 223 bytes): the character encoding of "Cisco Internetwork Operating System Software IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1 (14) EA1a, release software (fc1) copyright (c) 1986-2003 by cisco Systems, Inc. compiled Tue 02-Sep-03 by antonino".
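The decoding walked through above, as an added example that is not part of the original post: a small BER/TLV reader that parses a message laid out exactly like this GetResponse (Message, version, community, a2 PDU, request-id, error-status, error-index, VarBindList) and handles the 81/82 long-form lengths. The sample message is constructed in the code with tlv() rather than taken from the capture.

```python
# Added example, not the post's own code: a BER/TLV reader for an SNMPv1 message laid out
# like the capture above (SEQUENCE { version, community, GetResponse-PDU a2 { request-id,
# error-status, error-index, VarBindList } }). SAMPLE is constructed here, not the captured packet.

def tlv(tag, payload):                    # BER length: short form < 128, else 81 xx / 82 xx xx
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def read_tlv(buf, pos):                   # -> (tag, value, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # low 7 bits = how many length bytes follow (81 -> 1, 82 -> 2)
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(buf):                        # split a constructed value into its (tag, value) pairs
    out, p = [], 0
    while p < len(buf):
        tag, val, p = read_tlv(buf, p)
        out.append((tag, val))
    return out

def decode_oid(raw):                      # first byte packs arcs 1 and 2; the rest are base-128
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_get_response(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with SEQUENCE (0x30)")
    (_, ver), (_, community), (pdu_tag, pdu) = children(body)     # pdu_tag 0xa2 = GetResponse-PDU
    (_, rid), (_, status), (_, index), (_, vblist) = children(pdu)
    binds = []
    for _, vb in children(vblist):        # VarBind ::= SEQUENCE { name OID, value }
        (_, oid), (_, val) = children(vb)
        binds.append((decode_oid(oid), val.decode(errors="replace")))
    return {"version": ver[0], "community": community.decode(), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": status[0], "error_index": index[0], "varbinds": binds}

SYS_DESCR = b"Cisco Internetwork Operating System Software " * 6    # constructed padding, 270 bytes
SAMPLE = tlv(0x30, b"\x02\x01\x00" + tlv(0x04, b"public") + tlv(0xA2,    # version 0, community
         b"\x02\x02\x01\xdd" + b"\x02\x01\x00" + b"\x02\x01\x00" +       # request-id 477, status, index
         tlv(0x30, tlv(0x30, bytes.fromhex("06082b06010201010100") + tlv(0x04, SYS_DESCR)))))
```

Because the sysDescr value is longer than 255 bytes, every enclosing length in SAMPLE ends up in the 82 xx xx form, the same form the captured message uses for its outer SEQUENCE.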

That concludes this introduction. The above is my experience with sniffer software and the SNMP protocol, offered for your reference.
