It is easy to intercept data communication in a Linux/Unix environment, since there are so many tools to help us: tcpdump, Wireshark, ettercap, dsniff, and many others. But how do you sniff data flowing through a router? If the router is from the Juniper family, we are lucky, because Juniper has a built-in command that works like tcpdump on a Unix/Linux system. For example, the following commands sniff traffic on the Juniper interface ge-1/0/0.0:
monitor traffic interface ge-1/0/0.0 detail no-resolve
monitor traffic interface ge-1/0/0.0 detail no-resolve print-ascii print-hex
These two commands do on Juniper what the following tcpdump commands do on Linux/Unix:
tcpdump -nev -i ge-1/0/0.0
tcpdump -nev -X -i ge-1/0/0.0
Remember, though, that the interface name ge-1/0/0.0 is not known on Linux/Unix, so there you have to replace it with the name of your Network Interface Card (NIC). But what if the router is not from the Juniper family? Here I will describe my experience sniffing inside a Cisco router, which is known as the most popular router in the world.
Say you want to know what traffic flows through sub-interface fa0/1.513, which is connected to a bank's Automatic Teller Machine (ATM). You must create an access-list that logs all traffic on fa0/1.513.
access-list 110 permit tcp any gt 0 any gt 0 log
access-list 110 permit udp any gt 0 any gt 0 log
access-list 110 permit icmp any any log
access-list 110 permit ip any any log
Apply this access-list to sub-interface fa0/1.513, then watch the log messages the access-list generates.
interface fa0/1.513
ip access-group 110 in
CTRL+Z
terminal monitor
If everything works, you should see output like this:
Jul 11 02:30:45.810 WIB: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 40.168.13.2(4034) -> 46.20.10.1(1124), 37 packets
Jul 11 02:30:45.810 WIB: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 40.168.13.6(1521) -> 46.20.10.1(1124), 37 packets
Jul 11 02:32:45.835 WIB: %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 40.168.13.6 -> 10.44.69.52 (0/0), 1 packet
You may want to know much more about the traffic destined to 46.20.10.1, that is, the information this traffic carries. For that you have to create another access-list:
access-list 111 permit tcp any host 46.20.10.1
access-list 111 permit udp any host 46.20.10.1
access-list 111 permit icmp any host 46.20.10.1
You can then use the 'debug' command with the hidden 'dump' option to print every packet destined to 46.20.10.1, and watch the debug output. Keep the access-list as narrow as possible: debug ip packet hands every matching packet to the CPU and can overload a busy router.
debug ip packet 111 dump
terminal monitor
The result is a hex dump:
Jul 11 09:19:41.854 JAKARTA: IP: tableid=71, s=40.164.1.14 (GigabitEthernet0/1.319), d=46.20.10.1 (GigabitEthernet0/2.33), routed via FIB
Jul 11 09:19:41.854 JAKARTA: IP: s=40.164.1.14 (GigabitEthernet0/1.319), d=46.20.10.1 (GigabitEthernet0/2.33), g=118.98.3.121, len 40, forward
0E002C80: 0012 7FAF2D1B .../-.
0E002C90: 001B2131 6E5C0800 45000028 D71B4000 ..!1n\..E..(W.@.
0E002CA0: 7F06C2ED 28A4010E 2E140A01 06660463 ..Bm($.......f.c
0E002CB0: 2E25CC06 030DE2FF 5010FA95 68760000 .%L...b.P.z.hv..
0E002CC0:
Jul 11 09:19:43.830 JAKARTA: IP: tableid=71, s=40.164.1.14 (GigabitEthernet0/1.319), d=46.20.10.1 (GigabitEthernet0/2.33), routed via FIB
Jul 11 09:19:43.830 JAKARTA: IP: s=40.164.1.14 (GigabitEthernet0/1.319), d=46.20.10.1 (GigabitEthernet0/2.33), g=118.98.3.121, len 154, forward
0E50C5A0: 0012 7FAF2D1B .../-.
0E50C5B0: 001B2131 6E5C0800 4500009A D71C4000 ..!1n\..E...W.@.
0E50C5C0: 7F06C27A 28A4010E 2E140A01 06660463 ..Bz($.......f.c
0E50C5D0: 2E25CC06 030DE2FF 5018FA95 A5220000 .%L...b.P.z.%"..
0E50C5E0: 00703131 1C303030 1C1C1C31 381C3B35 .p11.000...18.;5
0E50C5F0: 32363432 32323336 30323036 3835383D 264222360206858=
0E50C600: 31323130 31323137 31343F1C 1C434220 1210121714?..CB
0E50C610: 20202020 411C3030 30303030 30303030 A.0000000000
0E50C620: 30301C36 3F353E3F 3E3D3B3F 37343E30 00.6?5>?>=;?74>0
0E50C630: 3A32371C 1C1C311C 32363834 33313030 :27...1.26843100
0E50C640: 30303030 30303031 30303030 30303030 00
The raw Cisco dump above can easily be rewritten as plain ASCII hex using this Perl script written by Tassos, or with the small tool dump2pcap (rawpcap). To learn more about converting the hex output of the debug command into a PCAP file, read the "CCIE in 3 months" article. Once the PCAP file has been written, you can open it in Wireshark.
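For readers who want to do the conversion themselves, here is an added example (my own code, not the Perl script or dump2pcap tool linked above) that parses the 'debug ip packet ... dump' output shown in this post and serialises it as a classic PCAP file. It assumes the hex in the dump starts with the 14-byte Ethernet header (as it does above), that the 'len N' in the header line is the IP total length, and that the router clock is UTC; IOS prints no year, so the year is a parameter.

```python
# Added example, not the dump2pcap tool or Perl script from the post. Assumes the dump
# starts at the Ethernet header and that 'len N' on the header line is the IP length.
import calendar, re, struct
from datetime import datetime

HEADER_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \S+: IP: s=.* len (\d+),")
DUMP_RE = re.compile(r"^[0-9A-Fa-f]{8}:\s*(.*)$")          # '<offset>: <hex groups> <ascii>'
HEX_GROUP = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")       # one hex group holds 1-4 bytes

def parse_dump(text, year=2000):
    """Return [((sec, usec), frame_bytes)]; `year` is assumed because IOS omits it."""
    packets, cur, want, ts = [], bytearray(), None, (0, 0)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                   # new packet: flush the previous frame
            if cur: packets.append((ts, bytes(cur)))
            cur, want = bytearray(), int(m.group(2)) + 14      # IP length + Ethernet header
            dt = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            ts = (calendar.timegm(dt.timetuple()), dt.microsecond)   # router clock taken as UTC
            continue
        d = DUMP_RE.match(line)
        if not d or want is None: continue
        got = 0
        for tok in d.group(1).split():
            # stop at the ASCII column (first non-hex token), after the 16 bytes a dump
            # line carries, or once the frame length announced by the header is reached
            if not HEX_GROUP.match(tok) or got >= 16 or len(cur) >= want: break
            cur += bytes.fromhex(tok); got += len(tok) // 2
    if cur: packets.append((ts, bytes(cur)))
    return packets

def to_pcap(packets):
    """Serialise frames as a classic pcap capture (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for (sec, usec), frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed input: the first packet of the debug output shown above (54 bytes).
SAMPLE = r"""
Jul 11 09:19:41.854 JAKARTA: IP: s=40.164.1.14 (GigabitEthernet0/1.319), d=46.20.10.1 (GigabitEthernet0/2.33), g=118.98.3.121, len 40, forward
0E002C80: 0012 7FAF2D1B .../-.
0E002C90: 001B2131 6E5C0800 45000028 D71B4000 ..!1n\..E..(W.@.
0E002CA0: 7F06C2ED 28A4010E 2E140A01 06660463 ..Bm($.......f.c
0E002CB0: 2E25CC06 030DE2FF 5010FA95 68760000 .%L...b.P.z.hv..
0E002CC0:
"""

if __name__ == "__main__":
    open("cisco_debug.pcap", "wb").write(to_pcap(parse_dump(SAMPLE)))
```

Feed it the complete console log (both header lines per packet are fine; only the one carrying 'len N' is used) and open the resulting file in Wireshark.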
IPSECS Admin is