Forums » Up and Running » Security » Security » IP Sniffer User Information

Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS

 IP Sniffer User Information

I just downloaded the free IP Sniffer program from this web site - »www.snapfiles.com/get/ipsniffer.html

Right off the bat I knew I was in trouble. I am used to downloading programs that are self-installing EXE files. This was a ZIP file, so I opened it looking for the typical SETUP.EXE file. Not there. There was a README.TXT file but it was no help.

I extracted the contents of the ZIP file and went ahead and ran the most obvious executable file - IPTOOLS.EXE. Poof, the program launched and I started playing around with it, even captured some packets, but I still need help. There is no user guide that I can find using Google.

I need a crash course in IP protocol 101, and/or a good user guide. Has anyone used this program and know where I can find this kind of info?

I'll get into the problem I am trying to troubleshoot later.

Thanks for any help.

Graycode

join:2006-04-17
·net2phone

said by Gary A See Profile :

I need a crash course in IP protocol 101, and/or a good user guide.
Courtesy of NetWatchMan See Profile : »Packet Sniffing 101


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


1 edit
reply to Gary A
said by Gary A See Profile :

I need a crash course in IP protocol 101, and/or a good user guide. Has anyone used this program and know where I can find this kind of info?
I haven't used that program, so can't speak to its particulars. I use Ethereal Wireshark and Packetyzer for my admittedly basic research.

However, in addition to Lawrence Baldwin's tutorial as posted by Graycode See Profile, See

»www.chrissanders.org/?p=47

and

»www.redbooks.ibm.com/redbooks/pd···3376.pdf

All this should get you started as a budding packet rat...
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


whizkid3
Premium,MVM
join:2002-02-21
Queens, NY
·Earthlink Cable Mo..

reply to Graycode
said by Graycode See Profile :

Courtesy of NetWatchMan See Profile : »Packet Sniffing 101
Wow! Six year old post - does that bring back memories. (Read some old posts of mine.)


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS


1 edit
reply to Gary A
Thanks for the replies. I'll start looking through those, probably tomorrow.

Let me ask one basic question. I started this investigation because the security log in my router is logging outbound "Blocked - NAT out failed" errors. The detail says "First packet in connection is not a SYN packet."

First of all, I am having no operational problems with my Verizon FiOS internet connection. Web pages load fine, my tested speed is right on (10/2Mbps), no problems, so this is just a question of my curiosity about these outbound errors. Like, is there a problem application program.

So, I look in the router and see an error. It gives me the timestamp, and the source & destination IP addresses. I was expecting to be able to take this information, go over to the sniffer and find the matching packet with the same or close timestamp and source & destination IP addresses, but there is no matching packet.

Shouldn't I be able to do that? If not, why not? Is there a better product to use than IP Sniffer? I got it because it was free. Maybe I got what I paid for!?!


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

I suggest posting in »/forum/vzdirect

My guess is a flaky router or application ...
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS


1 edit
I already posted it in VZ Direct. After asking me about my virus/spyware program, this is what they said: "I did speak with our Tier II Actiontec Support, and they state if your computers have been scanned for spyware and viruses, and your internet connection is working fine, there is nothing to worry about. They also state that these errors can occur if you try to communicate with a website/server and receive no response back."

I also Googled the exact error and found at least a dozen similar questions on the DSLR and other forums. None had any conclusive answers. So, it's something that seems common with Actiontec routers, but no one has a good reason why or how to fix it or how to determine what hardware/software is causing it.

This is why I am trying the sniffer approach myself.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

Based on that response, I'd guess the Actiontec is erroneously reporting orphaned packets being sent to slow or nonresponsive destinations as new outgoing connection requests.
If this is the case, you'd have to convince Actiontec that something is broken that's worth fixing.

A careful study of your packet captures before and during an incident should help identify the issue.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS

said by EGeezer See Profile :

A careful study of your packet captures before and during an incident should help identify the issue.
This is exactly what I am hoping to accomplish. But obviously, I first need an education in IP packets & protocols as I stated earlier.

I have a couple things I need to do this morning and after that I'll start reading the links provided to help me understand what I am looking at.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
I like your style


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS


1 edit
Wouldn't you know it - I started the IP sniffer program a little after 7:30am and so far, no errors in the router security log!!

It's like having a car with a squeak or rattle. You make an appointment, bring the car in, and TA-DA, it's quiet as a church mouse. Grrrrrrr!!

EDIT: It's now 6:10PM and still no errors. I'm starting to feel stupid!


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
It never fails when you're watching - or logging!


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS


1 edit
I will continue to monitor the router security log and keep the sniffer running, but I did make one change that may have had a bigger impact than I thought.

Back in 2001, when I was still running PCs with Win98 and a dialup ISP, I installed a program called AtomTime98 to keep the PC clock in sync with the atomic clock time server in Boulder, CO. Here is their web site - »www.atomtime.com/

Win98 didn't have the ability to sync clocks like WinXP does. Of course, WinXP defaults to syncing the clock once a week, unless you want to tweak the Registry. With AtomTime, I can select different intervals.

Anyway, as I upgraded to newer PCs, I just kept reinstalling this same program because I had already paid for it.

I noticed that a significant portion of the router security log errors were either to destination port 13 (daytime) and/or to a NIST time server IP address. So, I became suspicious of this program and stopped it for several hours today. No router security log errors.

So, I went to the AtomTime web site and bought (sigh ) 2 licenses for their latest (WinXP & Vista compatible) version. Spent a whole $14.

I installed it on both PCs a few hours ago and still no errors. Of course, I have the sniffer in capture mode, too. I think the router knows when I am monitoring it.

Either I stumbled onto an old application program that may have really had a LAN interface problem that I never saw when I was running dialup, or... the router is just messin' with me.

Stay tuned... the monitoring continues...


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


2 edits
said by Gary A See Profile :

I noticed that a significant portion of the router security log errors were either to destination port 13 (daytime) and/or to a NIST time server IP address. So, I became suspicious of this program and stopped it for several hours today. No router security log errors.
So, I went to the AtomTime web site and bought (sigh ) 2 licenses for their latest (WinXP & Vista compatible) version. Spent a whole $14.


You could also use Robin Kier's Neutron or, if you want more gizmos, Dimension 4, if the application continues to give problems. Both are free donationware.

EDIT - Your discoveries also are consistent with my little guess about orphaned packets. If the time server is unresponsive, slow or off line and the application doesn't switch to the next available server, there'd be some out-of-sequence packets.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )
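The "orphaned packet" guess above, and EGeezer's earlier one about packets to slow or unresponsive destinations being reported as new connection requests, can be shown with a toy stateful tracker. This is an added example, not code from the thread or from Actiontec: the idle timeout, the packet list and the 198.51.100.7 "time server" address are all constructed; the tracker logs the same complaint the router log shows and then tallies the failures by destination port, which is how the port 13 pattern was spotted.

```python
# Added example: a minimal outbound connection tracker (constructed, not the
# Actiontec's real logic) that logs "First packet in connection is not a SYN
# packet" when a non-SYN packet arrives for a flow it no longer remembers.
from collections import Counter

HALF_OPEN_TIMEOUT = 30.0  # assumption: seconds an idle flow entry is kept

# Constructed packets: (time, src_ip, src_port, dst_ip, dst_port, flags).
# 198.51.100.7 stands in for a daytime (port 13) time server that never replies;
# 203.0.113.5 is an ordinary web server whose flow stays active.
SAMPLE_PACKETS = [
    (0.0,  "192.168.1.10", 50001, "198.51.100.7", 13, {"SYN"}),
    (1.0,  "192.168.1.10", 50002, "203.0.113.5",  80, {"SYN"}),
    (1.1,  "192.168.1.10", 50002, "203.0.113.5",  80, {"ACK"}),
    (1.2,  "192.168.1.10", 50002, "203.0.113.5",  80, {"ACK", "PSH"}),
    (3.0,  "192.168.1.10", 50001, "198.51.100.7", 13, {"SYN"}),   # retransmit
    (9.0,  "192.168.1.10", 50001, "198.51.100.7", 13, {"SYN"}),   # retransmit
    (20.0, "192.168.1.10", 50002, "203.0.113.5",  80, {"FIN", "ACK"}),
    (75.0, "192.168.1.10", 50001, "198.51.100.7", 13, {"RST"}),   # app gives up
]

def track_outbound(packets, timeout=HALF_OPEN_TIMEOUT):
    """Return the NAT-out failures the tracker would log for packets in time order."""
    table = {}      # (src_ip, src_port, dst_ip, dst_port) -> last time seen
    failures = []
    for t, sip, sport, dip, dport, flags in packets:
        # Forget flows idle longer than the timeout before looking this one up.
        for key in [k for k, last in table.items() if t - last > timeout]:
            del table[key]
        key = (sip, sport, dip, dport)
        if "SYN" in flags or key in table:
            table[key] = t          # new flow, or traffic on a known flow
        else:
            # Non-SYN packet with no flow entry: the router's complaint.
            failures.append({"time": t, "dst": dip, "dport": dport,
                             "reason": "First packet in connection is not a SYN packet"})
    return failures

def failures_by_port(failures):
    """Tally logged failures by destination port, e.g. {13: 1}."""
    return dict(Counter(f["dport"] for f in failures))

if __name__ == "__main__":
    found = track_outbound(SAMPLE_PACKETS)
    for f in found:
        print(f)
    print(failures_by_port(found))
```

The late RST at t=75 lands after the unanswered SYN entry has aged out, so it is logged even though nothing is wrong with the connection; the web flow, whose packets keep arriving within the timeout, never triggers an entry.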


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS


1 edit
reply to EGeezer
said by EGeezer See Profile :

I haven't used that program, so can't speak to its particulars. I use Ethereal Wireshark and Packetyzer for my admittedly basic research.
What more can you tell me about Wireshark & Packetyzer? In reading some of the links provided, I saw where Wireshark sorta took over where Ethereal left off and that Packetyzer somehow works with Ethereal - does that also mean Packetyzer works with Wireshark?

I'm just looking for a high level understanding of the 2 programs and their interaction with each other. Would they be easier for me to use than IP Sniffer?!? Of course, if you haven't used IP Sniffer, then you wouldn't be able to make a comparison, but what is your opinion of the ease of use for the other 2 programs? IP Sniffer came with zero instructions or help. It obviously assumed the user already had a lot of knowledge.

Thanks!

EDIT: So far, with the "new" AtomTimePro running, still no errors in the router log. Hmmmm?


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

Packetyzer is a nice little application, but hasn't been updated for some time. It appears to be a downlevel version of Ethereal with some additional functions written in.

Wireshark, the "updated" ethereal is what I'm using when I need to do some inspection. It has what I need to do my work.

The Chris Sanders link (see my post above) uses ethereal/wireshark as the representative application for his packet analysis tutorial.

My experience is that some of those packet monitors don't play well when installed together, so I'd uninstall any other apps that use WINPCAP before installing Wireshark or Packetyzer. Also make sure your WINPCAP driver is the level used by the application you're installing. You may have to uninstall and reinstall that.

BTW sounds like you found the offending program.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

mikenolan7
Premium
join:2005-06-07
Torrance, CA

reply to Gary A
Do be careful using wireshark (or any packet analyzer). It's best to not just set it and leave it running forever. You are essentially accepting all packets when you do that. It's a great product, don't get me wrong, but there have been vulnerabilities in the past:

»www.ciac.org/ciac/bulletins/s-103.shtml
»www.securityfocus.com/bid/19690

Be sure to use the latest version. Collect enough data to record issues, then put the human software to work on the data. Nice work discovering your problem. I hope you decide to stay around here and share what you learn.

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS


3 edits
reply to Gary A
Wireshark is Ethereal; it's just a name change.

(The Ethereal developers moved, and found they owned the rights to the code but not the rights to the name).

Wireshark/Ethereal is to a certain extent 'the standard tool', at least in freeware. I don't know that it'll give you a lot of help with understanding the protocols; all these tools tend to assume you already know what you're looking at, and their job is just to capture and interpret.


Gary A

join:2008-03-02
Odessa, FL
·Embarq
·Verizon FIOS

reply to Gary A
Well, it's 2:30PM EDT, and my router security log is still empty of errors. (Note: I've been away from the PC for several hours, so programs have just been idling and I haven't even powered up my wireless laptop).

Actually, I zeroed in on the AtomTime98 application without the need or use of any sniffer. When I took a close look at the errors in the router and saw "port 13" and the destination IP addresses that whois told me belonged to NIST, the light bulb went on.

The information from you guys has been great! Thanks for sharing your experience. I still have a bunch of questions, so I guess I'll dole them out a few at a time.

1. I saw that Wireshark is a renamed Ethereal. What confuses me is its relationship with Packetyzer. On the Paglo web site »www.paglo.com/opensource/packetyzer is a statement that says, "Packetyzer provides a Windows user interface for the Ethereal packet capture and dissection library." The statement (and others on the web site) makes me think that in order to run Packetyzer, I first have to install Ethereal, now known as Wireshark. But reading your replies, it doesn't sound like that is the case. Do I need both programs? Does Packetyzer need Wireshark installed in order to operate? If not, then what does the statement on their web site mean? What are they trying to tell me?

2. Sniffer filters. With Verizon FiOS, I have the triple play - internet/TV/phone. The TV set top boxes (STB) are internet devices and each has an IP address. They show up in the Actiontec router's device list right along with my PCs. If you have FiOS TV, you have to have the Actiontec router. In looking at the IP Sniffer capture, it is cluttered with STB chatter that I don't need to see. So I looked at the filter options and thought, "huh?" I was expecting to find a way to filter OUT the STB chatter. A logic statement like "do not capture any packets either to or from IP address X.X.X.X." But, if I am reading it correctly, it seems to operate as a filter IN (inclusive), not a filter OUT (exclusive). Any help on how the filter works? Any examples you've used that you can offer?

Thanks again!


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


1 edit
Try this - it has samples, etc -

»wiki.wireshark.org/CaptureFilters

EDIT - when I installed Packetyzer, it installed Ethereal and WINPCAP. Don't know if you can break out the downlevel Ethereal program and use with a current version of Wireshark.
Sunday, 06-Dec 07:01:20 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.