[comp.dcom.lans] Trivial Ethernet Analyzer software available

morrison@thucydides.cs.uiuc.edu (06/08/90)

Here is something that I have wanted for a long time, but never found.
Finally I got so fed up, I wrote it myself.  Here is an abridged version
of the software description document.  

At present, it is unavailable via E-mail.  But if someone places it
on an E-mail archive site and lets me know, I will pass that information
on to interested parties.   If this is a MAJOR problem for you, let me
know, and if there is sufficient interest, I will post the software to 
comp.binaries.ibm.pc.  

Vance

--------------------------------------------------------------------------

                    A Trivial Ethernet Analyzer
                           Vance Morrison


    Very often a network administrator has to debug networking problems
given only the raw symptoms of the problem (my program hangs).  Trying
to debug given such sparse information is difficult at best and impossible
at worst.  Often the ability to 'snoop' on the network and watch the 
packet dialog is VERY helpful.  Basically I have written a program
called 'analyzer' that watches packets go by on the network and prints
them out in a human readable form.   At present, this program only 
understands TCP/IP protocols (and not all of them), and for security
reasons analyzer only prints what it understands.  Thus at least at
present, analyzer will not help with DECNET, XNS, ETHERTALK traffic.

WHAT YOU NEED

    In addition to the analyzer.exe executable (available from 
accuvax.nwu.edu (129.105.49.1) in pub/pcroute/analyzer), you will also 
need a PC with a network card, as well as the clarkson packet driver for 
that  card.  The clarkson packet driver is a piece of software that allows
analyzer.exe (as well as other programs) to access the network card in
a device independent way.  A driver exists for most of the common networking
cards, and is available (among other places) from sun.soe.clarkson.edu 
(128.153.12.3) in the directory 'pub/packet-drivers'.  Note that some
packet drivers do not support 'promiscuous' mode (in particular I know the
ni5010 does not).  In that case analyzer.exe will work, but will not be
of much use (since it will only see packets destined for itself and
the broadcast address).  I do know that the wd8003e driver DOES work.

SHORTCOMINGS

Admittedly, analyzer is not a very flexible program.  The philosophy here
is that something is a LOT better than nothing, and once you have the
output as ASCII it can be filtered and beautified to your heart's
content.  For example, if you have a batch editor (like sed), you can
do a global search and substitute to replace ethernet addresses with
more mnemonic ones.   Also, I did NOT want to spend a lot of time on this;
analyzer in its present form is about 3 days work.

SECURITY ISSUES

In an ideal network, it shouldn't matter that a program like analyzer
exists.  However, life is not ideal, and passwords and other sensitive
data are routinely sent in unencrypted form across nets.    I have therefore
gone to a little trouble to make analyzer 'safe'.  It only prints out
parts of packets that should not contain sensitive data.   While this is
not foolproof, I believe it does not open any security loophole any wider
than it already is (which is actually pretty wide).  

EXTENSIONS

Usually I provide the source code to my work so that if anyone wants
to make extensions they can do it themselves (and not bother me).  In
the case of analyzer, this would be particularly nice since analyzer
does not print (in any form) what it does not know, and analyzer is
a pretty ignorant program (:-).  Unfortunately releasing source would
be a security problem, since it would be VERY easy to modify analyzer
to do mischief.  Thus I propose a compromise.  If analyzer does not
print output packets that you want to see, simply write some C code
that takes a pointer to that packet and prints it out.  I have included
the file 'ip.c' in the distribution to give you an example of how to
do it.  If you send this file to me, I will look it over for security
holes, compile it, and send you an executable.  This arrangement is
less than perfect, but it will give you an option if you wish to exercise
it.

COPYRIGHT

Please notice the copyright.  This is shareware.  You are allowed to
use this software on a trial basis for one month.  If after that time
you find analyzer useful and wish to keep using it, send a $10 registration
fee to the address below.    See the analyzer.doc file for details.
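Added example (not part of the original post, and not the ip.c shipped with analyzer): a decoder in the shape the EXTENSIONS section asks for, a C function that takes a pointer to a packet and prints what it understands, written to the rule stated under SECURITY ISSUES: it prints addresses, ports, flags and lengths from the Ethernet, IPv4 and TCP headers and never the payload.  The sample frame is constructed test data (documentation addresses, a made-up telnet login line), not a capture.  The struct and function names are assumptions made here; the original distribution is not available to check against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header fields a "safe" analyzer may print: never payload bytes. */
struct pkt_summary {
    uint8_t  eth_dst[6], eth_src[6];
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint32_t ip_src, ip_dst;        /* host byte order */
    uint16_t tcp_sport, tcp_dport;
    uint32_t tcp_seq, tcp_ack;
    uint8_t  tcp_flags;
    size_t   payload_len;           /* counted, never printed */
};

/* Constructed sample frame: Ethernet/IPv4/TCP carrying a fake password. */
static const uint8_t SAMPLE_FRAME[] = {
    /* Ethernet: dst, src, type 0x0800 (IPv4) */
    0x00,0x00,0xc0,0x11,0x22,0x33, 0x00,0x00,0xc0,0xaa,0xbb,0xcc, 0x08,0x00,
    /* IPv4: ihl 5, total length 59, id 0x1234, DF, ttl 64, proto 6 (TCP),
       checksum left zero, 192.0.2.10 -> 192.0.2.20 */
    0x45,0x00,0x00,0x3b, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x0a, 0xc0,0x00,0x02,0x14,
    /* TCP: port 1025 -> 23, seq 1, ack 1, doff 5, flags PSH|ACK, window 8192 */
    0x04,0x01,0x00,0x17, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,
    /* payload: "Password: hunter2\r\n" (19 bytes), made up for the test */
    'P','a','s','s','w','o','r','d',':',' ','h','u','n','t','e','r','2','\r','\n'
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the frame is not IPv4/TCP or is truncated.
   Every length field taken from the packet is checked against the bytes
   actually received before it is used, so a forged length cannot make the
   decoder read past the buffer. */
int decode_frame(const uint8_t *frame, size_t len, struct pkt_summary *out)
{
    if (len < 14) return -1;
    memcpy(out->eth_dst, frame, 6);
    memcpy(out->eth_src, frame + 6, 6);
    out->ethertype = be16(frame + 12);
    if (out->ethertype != 0x0800) return -1;        /* not IPv4 */

    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    size_t tot = be16(ip + 2);
    if (ihl < 20 || ihl > iplen || tot < ihl || tot > iplen) return -1;
    out->ip_proto = ip[9];
    out->ip_src = be32(ip + 12);
    out->ip_dst = be32(ip + 16);
    if (out->ip_proto != 6) return -1;              /* not TCP */

    const uint8_t *tcp = ip + ihl;
    size_t tcplen = tot - ihl;
    if (tcplen < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4u;
    if (doff < 20 || doff > tcplen) return -1;
    out->tcp_sport = be16(tcp);
    out->tcp_dport = be16(tcp + 2);
    out->tcp_seq = be32(tcp + 4);
    out->tcp_ack = be32(tcp + 8);
    out->tcp_flags = tcp[13] & 0x3f;
    out->payload_len = tcplen - doff;
    return 0;
}

/* Flag letters in tcpdump order: F S R P A U.  buf needs 7 bytes. */
const char *tcp_flag_string(uint8_t flags, char *buf)
{
    const char letters[] = "FSRPAU";
    size_t n = 0;
    for (int i = 0; i < 6; i++)
        if (flags & (1u << i)) buf[n++] = letters[i];
    buf[n] = '\0';
    return buf;
}

static void print_mac(const uint8_t *m)
{
    printf("%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
}

static void print_ip(uint32_t a)
{
    printf("%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
           (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

/* The printer: one line per frame, headers only.  Frames it does not
   understand are reported as skipped rather than dumped. */
void print_frame(const uint8_t *frame, size_t len)
{
    struct pkt_summary s;
    char fl[7];
    if (decode_frame(frame, len, &s) != 0) {
        printf("(%lu bytes, not IPv4/TCP: skipped)\n", (unsigned long)len);
        return;
    }
    print_mac(s.eth_src); printf(" -> "); print_mac(s.eth_dst);
    printf("  IP "); print_ip(s.ip_src); printf(":%u -> ", s.tcp_sport);
    print_ip(s.ip_dst); printf(":%u", s.tcp_dport);
    printf("  TCP seq=%lu ack=%lu flags=%s payload=%lu bytes\n",
           (unsigned long)s.tcp_seq, (unsigned long)s.tcp_ack,
           tcp_flag_string(s.tcp_flags, fl), (unsigned long)s.payload_len);
}

int main(void)
{
    print_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME);
    return 0;
}
```

The line printed for the sample carries the telnet session's endpoints, sequence numbers and a payload length of 19, which is enough to see that a login exchange happened and which side stalled; the password itself stays in the buffer.  A real packet-driver client would call print_frame from the receive upcall with the driver's buffer and length instead of the constructed frame.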