morrison@thucydides.cs.uiuc.edu (06/08/90)
Here is something that I have wanted for a long time, but never found. Finally I got so fed up, I wrote it myself. Here is an abridged version of the software description document. At present, it is unavailable via E-mail. But if someone places it on an E-mail archive site and lets me know, I will pass that information on to interested parties. If this is a MAJOR problem for you, let me know, and if there is sufficient interest, I will post the software to comp.binaries.ibm.pc.

Vance

--------------------------------------------------------------------------

A Trivial Ethernet Analyzer
Vance Morrison

Very often a network administrator has to debug networking problems given only the raw symptoms of the problem (my program hangs). Trying to debug given such sparse information is difficult at best and impossible at worst. Often the ability to 'snoop' on the network and watch the packet dialog is VERY helpful. Basically I have written a program called 'analyzer' that watches packets go by on the network and prints them out in a human readable form. At present, this program only understands TCP/IP protocols (and not all of them), and for security reasons analyzer only prints what it understands. Thus, at least at present, analyzer will not help with DECNET, XNS, or ETHERTALK traffic.

WHAT YOU NEED

In addition to the analyzer.exe executable (available from accuvax.nwu.edu (129.105.49.1) in pub/pcroute/analyzer), you will also need a PC with a network card, as well as the Clarkson packet driver for that card. The Clarkson packet driver is a piece of software that allows analyzer.exe (as well as other programs) to access the network card in a device independent way. A driver exists for most of the common networking cards, and is available (among other places) from sun.soe.clarkson.edu (128.153.12.3) in the directory 'pub/packet-drivers'. Note that some packet drivers do not support 'promiscuous' mode (in particular I know the ni5010 does not). In that case analyzer.exe will work, but will not be of much use (since it will only see packets destined for itself and the broadcast address). I do know that the wd8003e driver DOES work.

SHORTCOMINGS

Admittedly, analyzer is not a very flexible program. The philosophy here is that something is a LOT better than nothing, and once you have the output as ASCII it can be filtered and beautified to your heart's content. For example, if you have a batch editor (like sed), you can do a global search and substitute to replace ethernet addresses with more mnemonic ones. Also, I did NOT want to spend a lot of time on this; analyzer in its present form is about 3 days' work.

SECURITY ISSUES

In an ideal network, it shouldn't matter that a program like analyzer exists. However, life is not ideal, and passwords and other sensitive data are routinely sent in unencrypted form across nets. I have therefore gone to a little trouble to make analyzer 'safe'. It only prints out parts of packets that should not contain sensitive data. While this is not foolproof, I believe it does not open any security loophole any wider than it already is (which is actually pretty wide).

EXTENSIONS

Usually I provide the source code to my work so that if anyone wants to make extensions they can do it themselves (and not bother me). In the case of analyzer, this would be particularly nice since analyzer does not print (in any form) what it does not know, and analyzer is a pretty ignorant program (:-). Unfortunately releasing source would be a security problem, since it would be VERY easy to modify analyzer to do mischief. Thus I propose a compromise. If analyzer does not print output packets that you want to see, simply write some C code that takes a pointer to that packet and prints it out. I have included the file 'ip.c' in the distribution to give you an example of how to do it. If you send this file to me, I will look it over for security holes, compile it, and send you an executable. This arrangement is less than perfect, but it will give you an option if you wish to exercise it.

COPYRIGHT

Please notice the copyright. This is shareware. You are allowed to use this software on a trial basis for one month. If after that time you find analyzer and wish to keep using it, send a $10 registration fee to the address below. See the analyzer.doc file for details.
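As an added illustration of the kind of decoder the EXTENSIONS section asks for (this is not the ip.c shipped with analyzer, and the frame bytes, addresses and function names are all constructed for the example), here is a header-only IPv4 decoder in C: it checks the Ethernet type, validates header lengths against the captured length, and prints only header fields, never the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14
#define ETHERTYPE_IP 0x0800

/* Only header fields are kept: nothing past the IP header is ever read. */
struct ip_summary { int version, hdr_len, total_len, ttl, protocol; uint32_t src, dst; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Offset of the IP header in an Ethernet frame, or -1 if the frame is short
 * or carries another protocol (DECNET, XNS, ...), which is left undecoded. */
int ip_offset(const uint8_t *frame, size_t len) {
    if (len < ETH_HDR_LEN || rd16(frame + 12) != ETHERTYPE_IP) return -1;
    return ETH_HDR_LEN;
}

/* Parse the IPv4 header at pkt. Returns 0 on success, -1 if the capture is
 * truncated or the header is malformed; a bad packet is rejected, not trusted. */
int parse_ip_header(const uint8_t *pkt, size_t len, struct ip_summary *out) {
    if (len < 20) return -1;
    out->version = pkt[0] >> 4;
    out->hdr_len = (pkt[0] & 0x0f) * 4;
    if (out->version != 4 || out->hdr_len < 20 || (size_t)out->hdr_len > len) return -1;
    out->total_len = rd16(pkt + 2);
    out->ttl = pkt[8];
    out->protocol = pkt[9];
    out->src = rd32(pkt + 12);
    out->dst = rd32(pkt + 16);
    return 0;
}

/* One line per packet, header fields only, in the spirit of the post's ip.c. */
void print_ip_summary(const struct ip_summary *s) {
    printf("IP %u.%u.%u.%u -> %u.%u.%u.%u proto=%d ttl=%d len=%d\n",
           s->src >> 24, (s->src >> 16) & 0xff, (s->src >> 8) & 0xff, s->src & 0xff,
           s->dst >> 24, (s->dst >> 16) & 0xff, (s->dst >> 8) & 0xff, s->dst & 0xff,
           s->protocol, s->ttl, s->total_len);
}

/* Constructed sample frame: Ethernet header, 20-byte IPv4 header (TCP, TTL 64,
 * 192.168.1.10 -> 192.168.1.20) and 8 payload bytes that are never decoded. */
const uint8_t sample_frame[] = {
    0x00,0x00,0x0c,0x01,0x02,0x03, 0x00,0x00,0x0c,0x04,0x05,0x06, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    's','e','c','r','e','t','!','!' };
```

Calling ip_offset on a frame, then parse_ip_header and print_ip_summary on the bytes at that offset, yields one line per packet with addresses, protocol, TTL and length; a truncated capture is reported as an error rather than decoded.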