Analyze web traffic traces

One of our favorite tech bloggers, Richard Bejtlich, has put up a new post about web traffic analysis using a new open source tool. This prompted me to write this post about using Unsniff Network Analyzer to perform similar analysis. I hope our users will find this article useful. Also see this article for a detailed overview of HTTP analysis.

Unsniff allows you to:

  • Extract content from HTTP flows. We call this feature “User Objects”. Examples of user objects are images, CSS, Flash, video, etc.
  • Put together separate flows into a web page. This is a powerful feature that allows you to reconstruct web pages completely. This way CSS styles are applied, and inline images and Flash content appear in the reconstructed web pages. See picture below.
  • Script for automating analysis. For example, if you want to automatically extract all images from a lengthy capture into individual JPEG files, you can write a VBScript or Ruby program to do that. The Unsniff Scripting API allows such macro operations. See here for samples.
  • Support for HTTPS. If you are a system admin with access to the server's private key (the certificate alone is not enough), you can perform the same type of analysis for HTTPS. This is quite valuable for debugging website problems at the server. This powerful feature is enabled by Unsniff's support for decrypting SSLv3 and TLS traffic. One caveat: decryption with the server key only works for sessions negotiated with RSA key exchange; a session that used an ephemeral Diffie-Hellman cipher suite cannot be recovered from the private key.

Advantages of correlating flows into a single page.

A single web page is rendered by the browser by putting together several individual HTTP responses (flows). Sometimes these objects come from different hosts. For example, a CSS stylesheet, a Flash SWF file, a set of JPEG files and the master HTML document must all be combined to produce the web page.
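The mechanics behind the two features above (extracting user objects from HTTP flows and correlating them into a page), as an added example that is not Unsniff code, not its scripting API, and not part of the original post: a Ruby script that splits the two sides of one captured keep-alive connection into responses (honouring Content-Length and chunked encoding), pairs each response with its request URL, reports which of a page's embedded resources are present in the capture and which came from another host, and derives a safe file name for each extracted object. The request and response streams, the host names www.example.test and cdn.example.test, and the JPEG-like bytes are all constructed for the example.

```ruby
# Added example (not Unsniff code): split captured HTTP/1.1 streams into user
# objects and correlate them into a page. All sample data below is constructed.
require 'stringio'
require 'uri'
HttpObject = Struct.new(:status, :content_type, :body)

# Header lines up to the blank line -> lowercase-keyed hash.
def read_headers(io)
  headers = {}
  while (line = io.gets("\r\n")) && line != "\r\n"
    k, v = line.split(':', 2)
    headers[k.strip.downcase] = v.to_s.strip
  end
  headers
end

# Chunked transfer-encoding: hex size line, data, CRLF, ..., "0", trailers.
def read_chunked(io)
  out = ''.b
  loop do
    size = (io.gets("\r\n") or raise 'truncated chunked body').split(';').first.to_i(16)
    break if size.zero?
    out << (io.read(size) or raise 'truncated chunk')
    io.gets("\r\n")                          # CRLF that terminates the chunk data
  end
  read_headers(io)                           # discard any trailer headers
  out
end

# Server-to-client side of a keep-alive connection -> responses in order.
def parse_responses(data)
  io, objects = StringIO.new(data.b), []
  until io.eof?
    status = io.gets("\r\n").split(' ')[1].to_i
    h = read_headers(io)
    body = if h['transfer-encoding'].to_s.downcase.include?('chunked') then read_chunked(io)
           elsif h['content-length'] then io.read(h['content-length'].to_i)
           else io.read                      # unframed body: runs to connection close
           end
    objects << HttpObject.new(status, h['content-type'].to_s.split(';').first.to_s.strip, body)
  end
  objects
end

# Client-to-server side -> absolute URLs in order (Host header + request path).
def parse_requests(data)
  io, urls = StringIO.new(data.b), []
  until io.eof?
    _method, path, _version = io.gets("\r\n").split(' ')
    h = read_headers(io)
    io.read(h['content-length'].to_i) if h['content-length']   # skip any request body
    urls << "http://#{h['host']}#{path}".force_encoding(Encoding::UTF_8)
  end
  urls
end

# HTTP/1.1 answers requests in order on a connection, so pairing the two sides
# by position yields url => object (the flow correlation the text describes).
def correlate(client_stream, server_stream)
  urls, objects = parse_requests(client_stream), parse_responses(server_stream)
  raise "#{urls.size} requests but #{objects.size} responses" unless urls.size == objects.size
  urls.zip(objects).to_h
end

# Resources an HTML object embeds (src/href), resolved against the page's host root
# (a simplification of full relative-URL resolution), split into captured and not.
def page_dependencies(page_url, html, objects)
  base = page_url[%r{\Ahttps?://[^/]+}]
  refs = html.scan(/(?:src|href)=["']([^"']+)["']/i).flatten.map do |ref|
    ref.match?(%r{\Ahttps?://}) ? ref : "#{base}/#{ref.sub(%r{\A/}, '')}"
  end
  refs.uniq.partition { |u| objects.key?(u) }
end

EXT = { 'text/html' => 'html', 'text/css' => 'css', 'image/jpeg' => 'jpg', 'image/gif' => 'gif' }.freeze
# File name for an extracted object. The URL is attacker-influenced capture data, so it
# is never used as a path: keep only the last segment, strip everything but [A-Za-z0-9_-],
# and take the extension from the Content-Type rather than from the URL.
def safe_filename(index, url, content_type)
  path = (URI(url).path rescue '')
  stem = path.split('/').last.to_s.sub(/\.[^.]*\z/, '').gsub(/[^A-Za-z0-9_-]/, '')
  format('%03d-%s.%s', index, stem.empty? ? 'object' : stem, EXT.fetch(content_type, 'bin'))
end

# --- constructed sample: one keep-alive connection carrying three objects ---
CLIENT = %w[/ /site.css /logo.jpg].map { |p| "GET #{p} HTTP/1.1\r\nHost: www.example.test\r\n\r\n" }.join
HTML = '<html><head><link rel="stylesheet" href="/site.css"></head>' \
       '<body><img src="logo.jpg"><img src="http://cdn.example.test/ad.gif"></body></html>'
CSS  = 'body { color: #333; }'
JPEG = "\xFF\xD8\xFF\xE0".b + ("\x00" * 12) + "\xFF\xD9".b       # JPEG-like bytes, not a real image
SERVER = [
  "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: #{HTML.bytesize}\r\n\r\n#{HTML}",
  "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nTransfer-Encoding: chunked\r\n\r\n#{CSS.bytesize.to_s(16)}\r\n#{CSS}\r\n0\r\n\r\n",
  "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: #{JPEG.bytesize}\r\n\r\n#{JPEG}"
].join
if __FILE__ == $0
  objects = correlate(CLIENT, SERVER)
  objects.each_with_index { |(url, o), i| puts "#{safe_filename(i, url, o.content_type)}  #{o.status}  #{url}" }
  found, missing = page_dependencies('http://www.example.test/', objects['http://www.example.test/'].body, objects)
  puts "in capture: #{found.inspect}", "not in capture: #{missing.inspect}"
end
```

Run as a script it lists the three objects with their derived file names and reports that ad.gif would have to come from cdn.example.test, which was not carried on this connection. Real captures additionally need TCP reassembly before this parsing step, which Unsniff does for you; the file-name sanitising matters because a URL in a capture is chosen by whoever served the page, and a script that writes "../../" paths straight to disk can be made to drop files outside its output directory.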

The sample web pages below have been reconstructed from a tcpdump capture.

Sample 1: The Technorati website, with embedded images and a complex stylesheet. http://technorati.com

Sample 2: Richard's website, with CSS and embedded images. http://www.bejtlich.net/

Notes about this feature.

  1. Switch to the “User Objects” sheet to see the individual flows.  
  2. Click on the HTML object to view reconstructed web page.
  3. Click on the image to see it rendered.
  4. Right-click an item and select “View Data” to see the raw contents (e.g., HTML text, CSS text, image bytes, Flash, etc.).
  5. Capture live traffic or select “File -> Import -> From TCPDUMP” to select a pre-captured file in libpcap (Ethereal or Wireshark native) format.

– – – – –

Here are solutions to some common problems emailed to us by users of this feature.

Step 1 : Enable HTTP reconstruction

  1. Go to menu “Plugins -> Customize” and enable the “Reconstruct HTTP Session” option.  This is not the default.
  2. Also check if the “Extract User Objects” option is enabled. This is the default.

Step 2 : Windows Firewall Warning

If you are running a personal firewall you may get a warning about a port being opened. That port is used internally by the HTTP reconstruction software. Before allowing it, it is worth confirming (for example with netstat -an) that the listener is bound to the loopback address 127.0.0.1 only, and then allowing just that rather than granting the program unrestricted inbound access.

Any questions ? Please leave a comment here or use our forum.

[tags] tcpdump, sniffer, website analysis, http analysis, unsniff [/tags]

Unbrowse Automation 1 : Adding SNMP Agents

This is the first of a two part article about Unbrowse SNMP scripting.

It is not uncommon for network administrators to deal with hundreds of devices scattered over a large geographical area. The device details are usually stored in a network management system such as HP Openview or CiscoWorks (both trademarks of their respective organizations). This article explains how you can use scripting to import SNMP agents into the Unbrowse database.

Unbrowse SNMP is a MIB browser and trap receiver that is intended to be used as a powerful troubleshooting and all-around utility. Unbrowse keeps track of agents (devices) and stores information such as IP addresses, community strings, timeouts, SNMP versions, v3 user names, auth and priv passwords, and so forth. This allows the administrator to quickly manage devices without having to enter these details each time. (Because that store holds community strings and v3 passwords, treat it as a credential store: restrict access to the Unbrowse files, and keep any inventory files that feed it out of shared locations.) Entering devices by hand works as long as the number of devices is small; when you are dealing with hundreds of devices it is not feasible to enter them manually into a tool like Unbrowse. Don't worry, help is at hand. You can write simple scripts in VBScript or Ruby to add devices automatically into Unbrowse.

Part 1 : The Automation objects

In this section, we will look at the methods and properties of the automation interface.

The Agent Manager object

This object is creatable via the ProgID “UnbrowseSNMP.AgentManager”. To create this object:

VBScript:

    Set Mgr = CreateObject("UnbrowseSNMP.AgentManager")

Ruby:

    require 'win32ole'
    agentMgr = WIN32OLE.new("UnbrowseSNMP.AgentManager")

Name                  Purpose
Init                  Initialize the manager (not necessary to call this)
NewAgent              Create a new agent object; you can then set the properties of this object
AddToRepository       Parameter: an agent object. Adds this agent to the database
RemoveFromRepository  Parameter: an agent object. Removes this agent
FindAgent             Find an agent by name. Returns the agent object, or null if there is none

The SNMP Agent object

The following table shows the supported properties on the object.

Name           Purpose
IPAddress      The IP address of the SNMP agent (can be an IPv6 address)
Name           Name of the agent
SNMPVersion    Version used to communicate (0 = v1, 1 = v2c, 3 = v3)
ReadComm       The community string used for reading from the agent (v1 and v2c only)
WriteComm      The community string used for SET requests (v1 and v2c only)
SecurityName   The v3 USM user name
ContextName    The v3 context name
SecurityLevel  The type of v3 security (0 = noAuthNoPriv, 1 = authNoPriv, 2 = authPriv)
AuthProtocol   v3 authentication protocol (0 = MD5, 1 = SHA)
PrivProtocol   v3 privacy protocol (0 = DES, 1 = AES)
Port           The UDP port to which requests are sent
Timeout        Timeout in milliseconds
Retries        Number of times to retry communication before declaring an error


That's all. You now only have to write scripts that manipulate these two objects. It is really easy. In the next part we will write a script in Ruby to import devices from a CiscoWorks DCR v3 file.
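As an added example (not Unbrowse's own code, and not the CiscoWorks importer of the next part), here is a Ruby script that reads a CSV inventory, validates every row against the encodings in the two tables above before anything is written (a v3 row with authPriv but no privacy settings is rejected, for instance), and adds the agents through the AgentManager object, skipping names that FindAgent already knows so the script can be re-run. Where the COM object cannot be created it falls back to a dry-run manager with the same methods. The CSV rows and their credentials are constructed; the AuthPassword and PrivPassword property names are assumptions, since the table above does not list the password properties.

```ruby
# Added example (not Unbrowse's own code): validate a CSV agent inventory and
# add it through the AgentManager automation object, dry-running without COM.
require 'csv'

# Value encodings from the SNMP Agent object's property table.
SNMP_VERSION = { 'v1' => 0, 'v2c' => 1, 'v3' => 3 }.freeze
SEC_LEVEL    = { 'noAuthNoPriv' => 0, 'authNoPriv' => 1, 'authPriv' => 2 }.freeze
AUTH_PROTO   = { 'MD5' => 0, 'SHA' => 1 }.freeze
PRIV_PROTO   = { 'DES' => 0, 'AES' => 1 }.freeze
class InventoryError < StandardError; end
def need(cond, name, msg); raise InventoryError, "#{name}: #{msg}" unless cond; end

# One CSV row -> { property name => value } for an agent object; inconsistent security
# settings are rejected before anything touches the repository. AuthPassword and
# PrivPassword are ASSUMED property names: the table does not list the password properties.
def row_to_agent(row)
  name, ver = row['name'].to_s.strip, row['version'].to_s.strip
  need(SNMP_VERSION.key?(ver), name, "unknown SNMP version #{ver.inspect}")
  need(!row['ip'].to_s.strip.empty?, name, 'missing IP address')
  props = { 'Name' => name, 'IPAddress' => row['ip'].strip, 'SNMPVersion' => SNMP_VERSION[ver],
            'Port' => (row['port'] || 161).to_i, 'Timeout' => (row['timeout'] || 2000).to_i }
  if ver == 'v3'
    level = row['sec_level'].to_s
    need(!row['sec_name'].to_s.empty?, name, 'v3 needs sec_name')
    need(SEC_LEVEL.key?(level), name, "unknown sec_level #{level.inspect}")
    props.merge!('SecurityName' => row['sec_name'], 'ContextName' => row['context'].to_s, 'SecurityLevel' => SEC_LEVEL[level])
    if SEC_LEVEL[level] >= 1
      need(AUTH_PROTO.key?(row['auth_proto'].to_s) && !row['auth_pass'].to_s.empty?, name, "#{level} needs auth_proto and auth_pass")
      props.merge!('AuthProtocol' => AUTH_PROTO[row['auth_proto']], 'AuthPassword' => row['auth_pass'])
    end
    if SEC_LEVEL[level] == 2
      need(PRIV_PROTO.key?(row['priv_proto'].to_s) && !row['priv_pass'].to_s.empty?, name, 'authPriv needs priv_proto and priv_pass')
      props.merge!('PrivProtocol' => PRIV_PROTO[row['priv_proto']], 'PrivPassword' => row['priv_pass'])
    end
  else
    need(!row['read_comm'].to_s.empty?, name, "#{ver} needs read_comm")
    props.merge!('ReadComm' => row['read_comm'], 'WriteComm' => row['write_comm'].to_s)
  end
  props
end

# Whole inventory -> [agents, error messages]; a bad row is reported, not fatal.
def load_inventory(csv_text)
  agents, errors = [], []
  CSV.parse(csv_text, headers: true).each do |row|
    begin
      agents << row_to_agent(row)
    rescue InventoryError => e
      errors << e.message
    end
  end
  [agents, errors]
end

# Add agents through an AgentManager-like object; names FindAgent already knows are
# skipped, so re-running the script is safe. Returns { added:, skipped: }.
def import_agents(mgr, agents)
  stats = { added: 0, skipped: 0 }
  agents.each do |props|
    if mgr.FindAgent(props['Name']) then stats[:skipped] += 1; next end
    agent = mgr.NewAgent
    props.each { |k, v| agent.setproperty(k, v) }    # WIN32OLE#setproperty
    mgr.AddToRepository(agent)
    stats[:added] += 1
  end
  stats
end

# Stand-in with the same surface as UnbrowseSNMP.AgentManager: previews an import,
# and lets the script run where the COM object is not installed.
class DryRunAgent
  attr_reader :props
  def initialize; @props = {}; end
  def setproperty(k, v); @props[k] = v; end
end
class DryRunManager
  def initialize(existing = []); @repo = existing.map { |n| [n, :preexisting] }.to_h; end
  def NewAgent; DryRunAgent.new; end
  def FindAgent(name); @repo[name]; end
  def AddToRepository(agent); @repo[agent.props['Name']] = agent; end
end
def agent_manager
  require 'win32ole'
  WIN32OLE.new('UnbrowseSNMP.AgentManager')
rescue LoadError, StandardError     # no COM here, or Unbrowse not installed: preview only
  DryRunManager.new
end

# Constructed sample inventory: hypothetical devices and credentials.
INVENTORY_CSV = <<~CSV
  name,ip,version,read_comm,write_comm,sec_name,sec_level,auth_proto,auth_pass,priv_proto,priv_pass,port
  core-sw1,10.0.0.1,v2c,public,,,,,,,,161
  edge-rtr1,10.0.0.2,v1,ro-comm,rw-comm,,,,,,,161
  dc-fw1,10.0.0.3,v3,,,nms,authPriv,SHA,authsecret1,AES,privsecret1,161
  bad-v3,10.0.0.4,v3,,,nms,authPriv,SHA,authsecret1,,,161
CSV
if __FILE__ == $0
  agents, errors = load_inventory(INVENTORY_CSV)
  errors.each { |e| warn "rejected: #{e}" }
  puts import_agents(agent_manager, agents).inspect
end
```

Validating before writing is the point of the structure: a half-configured v3 agent silently falls back to failing requests later, whereas a rejected row shows up in the script's output. On a Windows machine with Unbrowse installed, agent_manager returns the real COM object and the same import_agents call populates the repository; elsewhere the dry-run manager lets you check what would be added.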


[tags] MIB Browser, SNMP Agent, VBScript SNMP, Unbrowse, CiscoWorks, DCRv3 format, Ruby SNMP [/tags]

New MIB Packages released for Unbrowse SNMP

What is a MIB Package?

A MIB browser is only as brainy as the MIBs you have installed in it. Out of the box, Unbrowse SNMP comes with only a few standard MIBs such as RFC1213-MIB, IF-MIB and a dozen others. You then compile in whatever MIBs your particular network element (router, switch, server) requires.

If you don't want to hunt around and compile the MIBs yourself, you can install “MIB Packages”. A MIB Package is a special ZIP file that contains precompiled MIBs along with the corresponding MIB source text files. Unleash Networks creates these MIB packages by tracking the public MIBs of popular vendors.

See this page for more information

We have released the following SNMP MIB packages for popular vendors today (19-Dec-06). Grab them for free!


  • All Cisco MIBs (updated) – A monster MIB package with all the latest public MIBs from Cisco Systems. It contains 998 modules and over 65,000 objects! The best way to get started with Cisco is to download this MIB package and install it in Unbrowse SNMP. Unbrowse will then be able to decode all Cisco traps, browse the MIBs of Cisco switches and routers, and so on. All Cisco equipment, including Altiga, is covered by this collection. The download is about 30 MB, the required disk space is 150 MB, and installation takes about 3-5 minutes. Download here
  • Juniper JunOS MIBs (updated) – Contains all the JUNOS Software Enterprise MIBs for the J-series, M-series and T-series platforms, Release 8.1. These MIBs for Release 8.1 were published on the Juniper Networks website on 6-Nov-06.
  • Juniper ERX MIBs (updated) – Contains all the MIBs for the Juniper Networks ERX E-Series edge router, version 7.3, released on 14-Nov-06.
  • Motorola Canopy Wireless MIBs (new!) – Some of our users are working with the Motorola Canopy wireless platform. This package contains the Canopy Enterprise MIBs for CMM Micro, Subscriber Modules, Access Points and Backhaul Radios, version 7.3.6. Note: we have included two modules named CANOPY-SYS-MIB. Even though they have the same name, one of them is used for the 45 Mbps backhaul links and the other for 300 Mbps backhaul. Choose the one you want by right-clicking the module and selecting “Open SMI”.

We also released a new build of Unbrowse SNMP, available at the downloads page. This release fixes some problems with (a) compiling certain MIBs that contain incorrect SNMPv1 TRAP-TYPE objects, (b) errors with custom UDP ports, and (c) other minor issues.

[tags] Cisco MIBs, Cisco SNMP, Juniper SNMP, Canopy MIBS, Motorola Canopy Wireless, Enterprise MIBs, MIB browser packages [/tags]