Data Network Resource


DOS Sniffer



Introduction


This is a quick guide to using the DOS Sniffer (version 4.4 is assumed). The product is no longer available or supported by Network Associates; however, if you still have a DOS Sniffer with, say, an FDDI card in it that you need to use in a hurry, this document should be useful.

Menu


When the DOS Sniffer boots up you are normally presented with an opening screen that lists options for the NICs installed, e.g. FDDI or Ethernet analyzer. These options are called suites. When you select one of them, such as FDDI Analyzer, you are shown a screen with your MAC address; press any key and you are taken to a three-pane screen. The first pane is the title pane and the other two display the options and commands that you can issue. The arrow keys move you right into further option screens, depending on which option is highlighted in the previous screen. The second pane initially has the following menu structure on a blue background:

Traffic generator	<-
Capture filters
Trigger
Schedule		<-
Capture			<-
Display			<-
Files
Options
Exit			<-

One of these items will be highlighted in light grey and red text, and a description of each option appears at the bottom of the blue screen. You move around using the arrow keys. The arrow sign on the right indicates which items are executable commands from that pane; pressing Return executes the highlighted command. On the left you will see ticks and crosses against some of the items, indicating which items are selected. Selection and deselection are done with the space bar. To change a value you highlight the item and press Enter. The 'Esc' key takes you back to the previous screen. Along the bottom of the screen you will see boxes numbered from 1 to 10. These describe what each of the function keys does and vary from pane to pane. For instance, initially you have:

  • F1 - Help
  • F10 - New Capture

General Functions


Previously captured files can be loaded from the 'Files' menu. This menu also allows you to save captures, make directories, set the path for saving files and delete files. As well as captured data files, you can save and load Sniffer 'Setups'.

You have the option of saving the files in compressed format, which reduces the file size to about a quarter. DOS Sniffer files can be loaded into the Windows-based Sniffer, but there you cannot set filters to select frames for display, so you need to narrow the capture down to the specific frames of interest before you view it in a Windows-based Sniffer.

The 'Options' pane varies between suites. You can determine the language and whether you want audible clicks. Also, you can determine how you want protocol specific detail to be displayed e.g. for FDDI you can decide whether you want the MAC addresses displayed in LLC format (canonical - LSB first) or MAC format (non-canonical - MSB first). You can also determine whether the sniffer is to be an active participant in SMT on the FDDI ring or not.
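The canonical/non-canonical choice above matters when you carry an address from one tool to another: the same station reads as two different strings, and a capture filter or log search built from the wrong form matches nothing. The following added example (written for this page, not part of the DOS Sniffer) converts a MAC address between the two display forms by reversing the bit order within each octet, and shows that the individual/group bit sits in a different position in each form.

```python
# Added example, not from the DOS Sniffer: converting a MAC address between
# canonical (LLC format, LSB-first bit order, as shown on Ethernet) and
# non-canonical (MAC format, MSB-first bit order, as shown on FDDI/Token Ring).
# The transform reverses the bit order inside every octet and is its own inverse.


def reverse_bits(byte: int) -> int:
    """Reverse the bit order within one octet, e.g. 0x12 (00010010) -> 0x48 (01001000)."""
    return int(f"{byte:08b}"[::-1], 2)


def _octets(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def canonical_to_noncanonical(mac: str) -> str:
    """LLC (canonical) display -> MAC (non-canonical) display."""
    return ":".join(f"{reverse_bits(b):02X}" for b in _octets(mac))


# Reversing each octet twice gives the original, so the same function converts back.
noncanonical_to_canonical = canonical_to_noncanonical


def is_group_address(mac: str, canonical: bool = True) -> bool:
    """The I/G bit is the first bit on the wire: the LSB of the first octet in
    canonical form, the MSB of the first octet in non-canonical form.
    Testing a canonical string with the non-canonical rule (or vice versa)
    silently gives the wrong answer, which is why the display setting matters."""
    first = _octets(mac)[0]
    return bool(first & 0x01) if canonical else bool(first & 0x80)


if __name__ == "__main__":
    sample = "00:00:0C:01:02:03"   # constructed sample address
    print(sample, "->", canonical_to_noncanonical(sample))
```

When comparing a station address seen on the FDDI ring with one recorded from an Ethernet segment, convert one of them first; otherwise the two logs will appear to describe different hosts.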

Generating Traffic


If Traffic generator is highlighted then the next pane gives you the option to set 'Single frame mode' or 'Buffer mode'. The 'Single frame mode' gives the following pane:

To <all stations>	<-
Size = 1000		<-
Delay = 10.00		<-
Frames = INFINITE	<-
Data = 00000000...	<-

When you highlight any of these options, you can change the values by pressing 'Enter'.

Capturing Traffic


The 'Capture filters' option gives the following pane:

Known stns only
Unknown stns only

	Destination class
	Station address
	Protocol
	Pattern match

Good frames
Error frames

The 'Destination class' allows you to determine whether you capture Broadcast frames, Specific frames or both. The 'Station address' is where you determine the stations that you are capturing data from. This gives the following two panes:

Match 1		<- | From <any station><-
Match 2		<- | To   <any station><-
Match 3		<- |
Match 4		<- | Reverse direction
Others             |
                   | >Include these
                   |  Exclude these

The default is to match 'any station' for both destination and source, i.e. capture all traffic. If you press 'Enter' on this you are given a list of all the MAC addresses that the sniffer has seen, and you can select one of these for each match criterion to narrow down your capture. Be aware that this list is generated from the last displayed trace. If you have loaded a new trace, you need to display it before modifying the filter; otherwise you will be trying to use a MAC address from the old list!

The 'Protocol' item gives the following pane:

Void/Claim frames
Other MAC frames
SMT frames
SNAP SAP
BPDU SAP
NetBIOS (IBM) SAP
SNA SAP
RPL SAP
IBMNM SAP
IPX SAP
ISO CLNP SAP
Netware SAP
XNS SAP
IP SAP
LLC (VINES) SAP
X.25 SAP
Other SAP

By default, these Service Access Points are all selected but you can deselect some using the space bar if you wish.

The 'Pattern match' screen gives the following two panes:

                     | >Frame-relative
                     |  Data-relative
                     |
                     | >Match
                     |  Don't match
                     |  Either offset
       Match 1    <- |
      AND            |  Pattern = XXXX... <-
    > OR             |  Offset = 000      <-
       Match 2    <- | >AND
 AND                 |  OR
>OR                  |  Pattern = XXXX... <-
       Match 3    <- |  Offset = 000      <-
      AND            |
    > OR             | >Hexadecimal
       Match 4    <- |  Character
                     |  Binary

This way you can be very specific as to the byte sequences that are captured.
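To make the semantics of the pane above concrete, here is an added example (written for this page, not Network Associates' code) that models the 'Pattern match' filter in Python: up to four entries, each with a hex pattern, an offset that is frame-relative or data-relative, and Match / Don't match polarity, combined pairwise with AND / OR. It assumes that a data-relative offset counts from the first byte after the DLC header and that 'Either offset' accepts the pattern at either base; the Ethernet II frames it filters are constructed inline. The same evaluator serves the 'Pattern trigger' described later, which reuses this screen.

```python
# Added example, not from the DOS Sniffer: a model of the 'Pattern match' filter.
# Assumptions (labelled): data-relative offsets start just after the DLC header,
# and 'Either offset' means the pattern may sit at either base.
from dataclasses import dataclass
from typing import List


@dataclass
class PatternMatch:
    pattern: bytes            # the 'Pattern = XXXX...' field (hex bytes)
    offset: int               # the 'Offset = 000' field
    relative: str = "frame"   # 'frame', 'data' or 'either'
    negate: bool = False      # False = 'Match', True = "Don't match"

    def _at(self, frame: bytes, start: int) -> bool:
        window = frame[start:start + len(self.pattern)]
        return len(window) == len(self.pattern) and window == self.pattern

    def test(self, frame: bytes, data_start: int) -> bool:
        bases = {"frame": [0], "data": [data_start], "either": [0, data_start]}[self.relative]
        hit = any(self._at(frame, base + self.offset) for base in bases)
        return not hit if self.negate else hit


def evaluate(matches: List[PatternMatch], operators: List[str], frame: bytes, data_start: int) -> bool:
    """Combine entries left to right; operators[i] ('AND'/'OR') joins entry i and i+1."""
    if not matches:
        return True
    result = matches[0].test(frame, data_start)
    for op, m in zip(operators, matches[1:]):
        hit = m.test(frame, data_start)
        result = (result and hit) if op == "AND" else (result or hit)
    return result


# --- constructed sample frames (Ethernet II, 14-byte DLC header) ---
ETH_HDR = 14  # data-relative offsets start here


def eth_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + ethertype.to_bytes(2, "big") + payload


def ipv4_tcp(dst_port: int) -> bytes:
    ip = bytearray(20)
    ip[0] = 0x45                 # version 4, IHL 5
    ip[9] = 6                    # protocol field: 6 = TCP
    ip[12:16] = bytes([10, 0, 0, 1])
    ip[16:20] = bytes([10, 0, 0, 2])
    tcp = bytearray(20)
    tcp[0:2] = (40000).to_bytes(2, "big")
    tcp[2:4] = dst_port.to_bytes(2, "big")
    return bytes(ip + tcp)


FRAMES = {
    "telnet": eth_frame("000000000001", "000000000002", 0x0800, ipv4_tcp(23)),
    "https":  eth_frame("000000000001", "000000000002", 0x0800, ipv4_tcp(443)),
    "arp":    eth_frame("ffffffffffff", "000000000002", 0x0806, bytes.fromhex("0001080006040001")),
}

# Capture only cleartext Telnet: EtherType IP AND IP protocol TCP AND TCP dst port 23.
TELNET_FILTER = [
    PatternMatch(b"\x08\x00", 12, "frame"),   # EtherType at frame offset 12
    PatternMatch(b"\x06", 9, "data"),          # IP protocol at data offset 9
    PatternMatch(b"\x00\x17", 22, "data"),     # TCP destination port at data offset 20+2
]
TELNET_OPS = ["AND", "AND"]


def captured(matches, operators, frames=FRAMES, data_start=ETH_HDR):
    """Names of the frames the filter would let into the capture buffer."""
    return sorted(name for name, f in frames.items() if evaluate(matches, operators, f, data_start))


if __name__ == "__main__":
    print(captured(TELNET_FILTER, TELNET_OPS))
```

For an FDDI suite the only thing that changes is `data_start`, since the DLC header (frame control, destination, source and LLC) is a different length; the offsets you type into the pane are otherwise the same.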

The 'Trigger' item gives the following pane:

Oversized frames
Error frames

External trigger
Pattern trigger

Stop capture
Disk snapshot
Trigger position

The 'External trigger' allows you to connect a modem and start a capture remotely by dialling in to the sniffer. The 'Pattern trigger' presents you with the 'Pattern match' screen shown earlier for capturing traffic in the event of observing a specified byte sequence.

Rather than saving at the trigger, you can use 'Stop capture' to halt the capture when the trigger fires. 'Disk snapshot' determines how the capture is saved, i.e. how large the files are, whether to overwrite existing files, whether to compress them, etc. 'Trigger position' determines where the trigger should sit within the captured trace.

The 'Capture' option gives the following panes:

Buffer = 5360K EXP<- |
Frame size           |  32 bytes
                     |  64 bytes
Screen format        |  128 bytes
From <FDDI>       <- |  256 bytes
                     |  512 bytes
                     | >Whole frame

The capture 'Buffer' and the 'Frame size' can be configured here plus the screen format of the display whilst the capture is being performed. Options for the display include whether you want to see frame or byte counts, a linear or log bar scale and packet counts. When you press 'Enter' for Capture you are presented with the capture screen which shows the MAC addresses in two panes and how many of each conversation you have captured, plus you will see the buffer utilisation increase as a percentage and the size of the capture in Kilobytes.

Displaying The Capture


When a trace is loaded, you have many ways in which you can alter the display to suit what it is you are analysing. The 'Display' pane that you are presented with is as follows:

Frame editing
Manage names
Filters

Summary
Detail
Hex
Two viewports
Name width = 15   <-

Print             <-
Protocol forcing

'Frame editing' allows you to edit frames in hex (e.g. to save them for use in traffic generation and testing). You can add, modify and save OUI names using the 'Manage names' option.

Using the 'Filters' option allows you to select which frames you wish to be displayed. The 'Filters' pane looks like the following:

Address level     | DLC
Destination class | IP
Station address   | IPX
Protocol          | ISO
Pattern match     | DRP
Selected frames   | VINES
                  | ATALK
Good frames       | X25_LCN
Error frames      | X25_Call
                  | SNA
                  | XNS

This shows the 'Address level' pane as well and it is here that you can select which protocols to display.

As with the capture filter, you define the 'Station address' and the 'Pattern match' to suit. You can also select which 'Protocol' to view, from a very long list of protocols.

The 'Summary' pane looks like:

All layers
DLC addresses
Two-station format

Flags
Absolute time
Delta time
Relative time
Bytes
Cumulative bytes
NW utilization

Here you can select and deselect the information that is displayed in the Summary view.

When examining a capture you often need to look at more than just the summary. Selecting the 'Detail' and 'Hex' options gives you much more specific information on each packet.

Other miscellaneous options within the 'Display' pane include determining 'Print' options, whether to have two window 'viewports' and 'Protocol forcing'.

When you load a capture, you have an extra function button F3 available for 'Data Display'. Pressing F3 takes you to the display screen where the Summary, Detail and Hex views are displayed if selected. You have some more function keys available and these are as follows:

  • F2 - Set Mark
  • F5 - Menus
  • F6 - Display Options
  • F7 - Previous Frame
  • F8 - Next Frame
  • F9 - Select Frame

To move between the views use the 'Tab' key and an additional function key F4 presents itself which allows you to 'zoom in' and 'zoom out' on that particular view i.e. the view zooms to take up the whole screen rather than just a section.
