Snooping a subnetted network
Is it possible to snoop only subnets within a network using the net
option?
I have 4 subnets with 29 bit masks on a class C network. I have the
networks defined in /etc/networks and their masks defined in /etc/
netmasks.
etc/networks
Subnet1 192.168.0.0
Subnet2 192.168.0.8
Subnet3 192.168.0.16
etc/netmasks
192.168.0.0 255.255.255.248
192.168.0.8 255.255.255.248
192.168.0.16 255.255.255.248
If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
network.
If I try "snoop -d qfe1 net Subnet2", I get nothing.
Is this even possible to do?
Re: Snooping a subnetted network
On Wed, 24 Sep 2008 13:19:45 -0700 (PDT),
ejlackey@yahoo.com <ejlackey@yahoo.com> wrote:
> I have 4 subnets with 29 bit masks on a class C network. I have the
> networks defined in /etc/networks and their masks defined in /etc/
> netmasks.
Are these actual networks, or did you just invent new networks out
of whole cloth? I can't tell from this, so you'll have to elaborate.
> If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
> network.
> If I try "snoop -d qfe1 net Subnet2", I get nothing.
>
> Is this even possible to do?
How does the device you execute those commands on get that traffic?
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
Re: Snooping a subnetted network
ejlackey@yahoo.com writes:
> Is it possible to snoop only subnets within a network using the net
> option?
>
> I have 4 subnets with 29 bit masks on a class C network. I have the
> networks defined in /etc/networks and their masks defined in /etc/
> netmasks.
You didn't say, but I'm assuming you're using some flavor of Solaris.
This is an ancient problem in snoop. It respects only the 8-bit
boundaries in the 'networks' database, and doesn't understand CIDR.
You can work around this by using comparisons on the actual words in
the packet:
snoop 'ip[12:4]&0xfffffff8 = 0xc0a80008 or ip[16:4]&0xfffffff8 = 0xc0a80008'
That will work for Subnet2:
> Subnet2 192.168.0.8
The other ways to solve this problem are to file a bug (if you have a
support contract, talk to your local support rep; if not then go to
http://bugs.opensolaris.org/), and/or get involved with OpenSolaris
and fix it yourself. ;-}
--
James Carlson, Solaris Networking <james.d.carlson@sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
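
Added example, not part of the thread or of snoop itself: a small script that builds the same word-comparison filter for any IPv4 subnet, here the three /29 networks from the original post. The function names are hypothetical, and it assumes a POSIX shell with 64-bit arithmetic (ksh93, bash or dash).

```sh
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# ip_to_int A.B.C.D -> address as a decimal 32-bit integer
ip_to_int() {
    case $1 in
        # reject non-digits, empty octets and leading zeros (octal ambiguity)
        *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN -> netmask for prefix length 0..32, as a decimal integer
prefix_mask() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -le 32 ] 2>/dev/null || return 1
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# snoop_cidr_expr NET/LEN -> filter matching IPv4 source (ip[12:4]) or
# destination (ip[16:4]) inside the subnet
snoop_cidr_expr() {
    net=$(ip_to_int "${1%/*}") && mask=$(prefix_mask "${1#*/}") || return 1
    net=$(( net & mask ))   # normalise: 192.168.0.9/29 gives the .8 network
    printf 'ip[12:4]&0x%08x = 0x%08x or ip[16:4]&0x%08x = 0x%08x\n' \
        "$mask" "$net" "$mask" "$net"
}

# in_subnet ADDR NET/LEN -> exit 0 if ADDR passes the same masked comparison
in_subnet() {
    a=$(ip_to_int "$1") && n=$(ip_to_int "${2%/*}") &&
        m=$(prefix_mask "${2#*/}") || return 2
    [ $(( a & m )) -eq $(( n & m )) ]
}

# The three /29 subnets listed in the original post
for s in 192.168.0.0/29 192.168.0.8/29 192.168.0.16/29; do
    printf "snoop -d qfe1 '%s'\n" "$(snoop_cidr_expr "$s")"
done
```

in_subnet applies the masked comparison to a single address, which is a quick way to confirm which hosts a generated filter will and will not capture before running snoop.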
Re: Snooping a subnetted network
On Sep 24, 4:19 pm, ejlac...@yahoo.com wrote:
> Is it possible to snoop only subnets within a network using the net
> option?
>
> I have 4 subnets with 29 bit masks on a class C network. I have the
> networks defined in /etc/networks and their masks defined in /etc/
> netmasks.
>
> etc/networks
> Subnet1 192.168.0.0
> Subnet2 192.168.0.8
> Subnet3 192.168.0.16
>
> etc/netmasks
> 192.168.0.0 255.255.255.248
> 192.168.0.8 255.255.255.248
> 192.168.0.16 255.255.255.248
>
> If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
> network.
> If I try "snoop -d qfe1 net Subnet2", I get nothing.
>
> Is this even possible to do?
Can you give us an ifconfig -a?
I'm assuming you aren't running multiple interfaces (virtual or
physical) with an IP on each of these subnets.
You can only sniff the subnet you have an IP/interface on.
If you set up:
qfe1 on 192.168.0.1
qfe1:1 on 192.168.0.9
qfe1:2 on 192.168.0.17
THEN get the network guy to add the same physical port to all three
VLANs, then you could do it. But I doubt he will want to do that (and
it isn't suggested).
Re: Snooping a subnetted network
These networks exist but are not accessible directly from the Solaris box
network interface. The listening interfaces are just dumb listeners,
and they connect to hubs where the target traffic resides.
I'll try James' method of using comparisons and see where I get.
Thanks for the responses.