Unbrowse scripting guide released

 

We just released the Unbrowse SNMP Scripting Guide and Code Samples.

You can access it here.

Completely free!

The entire scripting interface falls under the “Free Features” category. So, you can develop and run your scripts even after the “Power Features” trial period has expired.

Why script?

While you can do a lot with the Unbrowse SNMP user interface, there are occasions where you want a little extra control. For example, you may want to use the passive trap receiver to write trap data to a MySQL database as traps arrive, to provide fast SNMP OID-to-name lookups to your in-house application, or to import information for hundreds of routers from an external source such as the Cisco Works DCR format. See sample code (VBScript).

Using this interface, you can write simple programs in VBScript or Ruby to twist Unbrowse SNMP to your needs.

Feedback

We have documented only the most important methods and properties of the scripting objects. If you need something you can't find, please contact us via email or our forum.

 


Dealing with SPAN port duplicate packets

Port mirroring, or port spanning, is a technique by which a copy of the packets from one or more switch ports is sent to a network analyzer. Port spanning has become the most common mechanism to capture packets since the death of the Ethernet hub.

The following picture shows packets from ports 1, 2 and 3 being spanned to port 6. We have attached Unsniff Network Analyzer to port 6.

spantheme.jpg

Duplicate packets

You can span packets into or out of a switch port. However, typically you want a copy of both. The problem is that when both the ingress and egress ports are spanned, the network analyzer may see duplicate packets. The timestamps are different but the packet contents are the same. See here and here for more details of why this happens.

Note: You may even see more than two copies when switching broadcast, multicast, or frames with unknown unicast addresses.

Using Unsniff to eliminate duplicate packets

It goes without saying that these duplicates are a major headache. Unsniff has excellent support for culling duplicate packets. Unsniff can not only ignore duplicates but also triplicates or more.

Here is how you use the feature.

  • Select “Tools->Customize->Advanced”
  • Scroll down to the “Advanced Capture” section
  • Set “Filter duplicate frames” to “True” as shown below

dedup.JPG

  • Duplicate filter mode: Controls how far back in time Unsniff checks for a duplicate. It also controls whether only the headers (IP/Ethernet/etc.) or the full packet is used to detect a duplicate. For most cases use “Normal”; for lightly loaded switches use “Quick”; use “Deep” for best results, but it will slow down Unsniff.

Now you can start capturing packets from SPAN ports. Duplicates are automatically culled and life is good again!
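The look-back window and the header-versus-full-packet comparison described above can be sketched as follows. This is an added example, not Unsniff's code: the function names, the 5 ms window, the 16-byte header length and the sample frames are assumptions constructed for illustration.

```python
import hashlib
from collections import deque

def dedup_frames(frames, window=0.005, header_len=None):
    """Yield (ts, frame), dropping copies seen within `window` seconds.

    frames: iterable of (timestamp_seconds, raw_bytes) in capture order.
    header_len: compare only the first N bytes (header-only comparison);
    None compares the full frame.
    """
    recent = deque()  # (first_seen_ts, digest), oldest first
    live = set()      # digests still inside the look-back window
    for ts, frame in frames:
        # Forget digests older than the look-back window.
        while recent and ts - recent[0][0] > window:
            live.discard(recent.popleft()[1])
        key = frame if header_len is None else frame[:header_len]
        digest = hashlib.sha256(key).digest()
        if digest in live:
            continue  # second, third, ... copy: drop it
        recent.append((ts, digest))
        live.add(digest)
        yield ts, frame

def make_frame(ip_id, payload):
    # Constructed stand-in for a frame: 14-byte Ethernet header,
    # a 2-byte packet id, then payload. Not a real capture.
    eth = bytes.fromhex("00112233445566778899aabb0800")
    return eth + ip_id.to_bytes(2, "big") + payload

SAMPLE = [  # constructed (timestamp, frame) pairs
    (0.0000, make_frame(1, b"GET /a")),
    (0.0002, make_frame(1, b"GET /a")),  # SPAN copy of the first frame
    (0.0003, make_frame(1, b"GET /a")),  # third copy (flooded frame)
    (0.0010, make_frame(2, b"GET /b")),
    (0.5000, make_frame(1, b"GET /a")),  # same bytes, outside the window
    (0.5001, make_frame(1, b"GET /c")),  # same headers, new payload
]

if __name__ == "__main__":
    full = [ts for ts, _ in dedup_frames(SAMPLE)]
    hdr = [ts for ts, _ in dedup_frames(SAMPLE, header_len=16)]
    print("full-frame compare keeps:", full)
    # Header-only compare also drops 0.5001, a distinct packet.
    print("header-only compare keeps:", hdr)
```

A wider window catches copies that arrive later but also discards genuine retransmissions, and a header-only comparison can drop distinct packets that share headers, so both settings affect packet counts used for analysis.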


Smart snmpwalk tool

Along with SNMPv3 security features, Unbrowse R 1.5 also includes a new tool for performing SNMP walks. We call it the “Raw SNMP Walker”.

This is a free feature (i.e. it will continue to work after the 30-day trial period). To continue using other Power Features you need to purchase a license.

rawwalk.JPG

 

What it does

  1. Allows you to enter strings and OIDs as part of the subtree index
  2. Allows you to enter partial indexes (e.g., only specify the first index for a table that has two indexes)
  3. Color-codes the output
  4. Remembers the last walked object (a time saver)
  5. Provides full OID-to-name translation
  6. Translates all enumerated values
  7. Handles all the IMPLIED and non-IMPLIED index clauses behind the scenes. You just have to compile in the MIBs or import prebuilt MIB Packages from our site.

To start

  1. Press Ctrl+W (or select Tools->Raw SNMP Walker)
  2. Select an agent from the drop-down
  3. Enter the OID to start walking (enter strings as strings, OIDs as names)
  4. Press Start
  5. Select the output (Ctrl+A), then copy and paste it into Notepad or WordPad (if you want to retain the color-coded output)

 

 

Accepted formats

  1. Full OID: .1.3.6.1.2.1.2.2.1
  2. Name: usmUserTable
  3. Name Index: myObject.7.7.astringindex.anotherstring
  4. OID Index: vacmViewTreeFamilyTable.MyView.usmMIBObjects
  5. Quoted String: myTable.8."mysting.with.dots".status
  6. Quoted OID: myTable.8.".1.3.6.1.4".status

Hope this tool saves time and effort for you. Send us your comments.
