Snooping a subnetted network - Unix


  1. Snooping a subnetted network

    Is it possible to snoop only subnets within a network using the net
    option?

    I have 4 subnets with 29 bit masks on a class C network. I have the
    networks defined in /etc/networks and their masks defined in /etc/
    netmasks.

    etc/networks
    Subnet1 192.168.0.0
    Subnet2 192.168.0.8
    Subnet3 192.168.0.16

    etc/netmasks
    192.168.0.0 255.255.255.248
    192.168.0.8 255.255.255.248
    192.168.0.16 255.255.255.248

    If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
    network.
    If I try "snoop -d qfe1 net Subnet2", I get nothing.

    Is this even possible to do?

  2. Re: Snooping a subnetted network

    On Wed, 24 Sep 2008 13:19:45 -0700 (PDT),
    ejlackey@yahoo.com wrote:
    > I have 4 subnets with 29 bit masks on a class C network. I have the
    > networks defined in /etc/networks and their masks defined in /etc/
    > netmasks.


    Are these actual networks, or did you just invent new networks out
    of whole cloth? I can't tell from this, so you'll have to elaborate.


    > If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
    > network.
    > If I try "snoop -d qfe1 net Subnet2", I get nothing.
    >
    > Is this even possible to do?


    How does the device you execute those commands on get that traffic?


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .

  3. Re: Snooping a subnetted network

    ejlackey@yahoo.com writes:
    > Is it possible to snoop only subnets within a network using the net
    > option?
    >
    > I have 4 subnets with 29 bit masks on a class C network. I have the
    > networks defined in /etc/networks and their masks defined in /etc/
    > netmasks.


    You didn't say, but I'm assuming you're using some flavor of Solaris.

    This is an ancient problem in snoop. It respects only the 8-bit
    boundaries in the 'networks' database, and doesn't understand CIDR.

    You can work around this by using comparisons on the actual words in
    the packet:

    snoop 'ip[12:4]&0xfffffff8 = 0xc0a80008 or ip[16:4]&0xfffffff8 = 0xc0a80008'

    That will work for Subnet2:

    > Subnet2 192.168.0.8


    The other ways to solve this problem are to file a bug (if you have a
    support contract, talk to your local support rep; if not then go to
    http://bugs.opensolaris.org/), and/or get involved with OpenSolaris
    and fix it yourself. ;-}

    --
    James Carlson, Solaris Networking
    Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
    MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
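
An added example, not part of the thread and not Sun's code: a POSIX shell helper that builds the header-comparison filter shown in the reply above for any subnet, and rejects a network address with host bits set, since such a filter can never match a packet. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names): build a snoop filter for one
# subnet by comparing the raw source (ip[12:4]) and destination (ip[16:4]) words.

# ip_to_int A.B.C.D -> 32-bit value in decimal; non-zero status if malformed.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# snoop_subnet_filter NETWORK PREFIXLEN -> filter expression on stdout.
snoop_subnet_filter() {
    net=$(ip_to_int "$1") || { echo "bad address: $1" >&2; return 1; }
    case $2 in ''|*[!0-9]*|0*) echo "bad prefix: $2" >&2; return 1 ;; esac
    [ "$2" -le 32 ] || { echo "bad prefix: $2" >&2; return 1; }
    mask=$(( (0xffffffff << (32 - $2)) & 0xffffffff ))
    # Host bits set in NETWORK would make the masked comparison unsatisfiable.
    if [ $(( net & mask )) -ne "$net" ]; then
        echo "$1 is not a /$2 network address" >&2; return 1
    fi
    printf 'ip[12:4]&0x%08x = 0x%08x or ip[16:4]&0x%08x = 0x%08x\n' \
        "$mask" "$net" "$mask" "$net"
}

# The three /29 subnets listed in the original post's netmasks file.
for n in 192.168.0.0 192.168.0.8 192.168.0.16; do
    snoop_subnet_filter "$n" 29
done
```

The output is passed to snoop as a single quoted argument, for example `snoop -d qfe1 "$(snoop_subnet_filter 192.168.0.8 29)"`.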

  4. Re: Snooping a subnetted network

    On Sep 24, 4:19 pm, ejlac...@yahoo.com wrote:
    > Is it possible to snoop only subnets within a network using the net
    > option?
    >
    > I have 4 subnets with 29 bit masks on a class C network. I have the
    > networks defined in /etc/networks and their masks defined in /etc/
    > netmasks.
    >
    > etc/networks
    > Subnet1 192.168.0.0
    > Subnet2 192.168.0.8
    > Subnet3 192.168.0.16
    >
    > etc/netmasks
    > 192.168.0.0 255.255.255.248
    > 192.168.0.8 255.255.255.248
    > 192.168.0.16 255.255.255.248
    >
    > If I try "snoop -d qfe1 net Subnet1", I get all packets in the class C
    > network.
    > If I try "snoop -d qfe1 net Subnet2", I get nothing.
    >
    > Is this even possible to do?


    Can you give us an ifconfig -a?

    I'm assuming you aren't running multiple interfaces (virtual or
    physical) with an IP on each of these subnets.
    You can only sniff the subnet you have an IP/interface on.

    If you set up:
    qfe1 on 192.168.0.1
    qfe1:1 on 192.168.0.9
    qfe1:2 on 192.168.0.17

    THEN get the network guy to add the same physical port to all three
    VLANs, then you could do it. But I doubt he will want to do that (and
    it isn't suggested).

  5. Re: Snooping a subnetted network

    These networks exist but are not accessible directly from the Solaris box
    network interface. The listening interfaces are just dumb listeners,
    and they connect to hubs where the target traffic resides.

    I'll try James' method of using comparisons and see where I get.

    Thanks for the responses.
