Protocols
Unsniff supports over 48 protocols in Release 1.0 Beta. More protocols are continuously being added, and all customers will be able to access new and updated protocols as and when they become available.
Unsniff Network Analyzer's goals for protocol analysis are:
| Goal | Description |
|---|---|
| Complete decode | Accurate decode as per the relevant standards or RFCs |
| Self documenting | Clear bubble help attached to all important fields |
| PDU | Monitor entire PDUs as first class entities for BGP, LDAP, TLS, and other stream based protocols |
| User Objects | Extract "User Objects" of importance: voice from RTP/SIP/IAX2, images/HTML from HTTP, or files from FTP/SMB |
| Filtering | Create powerful display filters using point and click |
| Scripting | Automatically scriptable using Ruby / VBScript |
Protocols supported
802.11, 802.1Q, ARP, BGP, BOOTP, DHCPv6, DNS, Ethernet, FTP, GSSAPI, H.225, H.235, H.245, H.323, HTTP, IAX2, ICMP, ICMPv6, IGMP, IP, IPCP, IPv6, LCP, LDAP, LLC, NetBIOS-DGM, NetBIOS-NS, NetBIOS-SSN, OSPF, PAP, PPP, PPPoE, Q.931, RIP, RTCP, RTP, SDP, SIP, SMB, SNAP, SNMP, SSL, STP, TCP, TELNET, TLS, TPKT, UDP, X.509
Protocol Special Support
H.323 Suite
| Feature | Description |
|---|---|
| Protocol Versions | Support for Q.931, H.225, H.225 RAS, H.235, H.245. Latest versions of all protocols (see ITU-T ASN.1 Database): H.225 version 7 (2003); H.245 version 12 (2005); H.235 version 9 (2005) |
| PDU Analysis | H.225 and H.245 messages are PDU based. Unsniff's innovative PDU analysis allows you to look beyond mere link layer packets and see just the H.323 messages. |
| Descriptions | The PDUs have detailed descriptions attached to them, including important information like user name, signalling channel information, disconnect reasons, etc. |
| Advanced | Features like H.245 tunneling and H.225 FastStart are supported |
| H.235 Security | H.235 ClearTokens / CryptoTokens and other constructs as defined in H.235 are fully supported for all messages. |
| Channel Setup | Automatically track H.245 signalling channels and RTP/RTCP channels for each call |
| Extract Calls | If a call is set up successfully, Unsniff will extract each leg of the call as a user object. You can then save these calls or play them back. |
| Call Naming | The calls are named according to the channel and session numbers for easy identification |
| PER Decoder | The advanced ASN.1 PER (Packed Encoding Rules) decoder is designed to deal with faulty packets effectively without overshooting frame boundaries. It will be available for general use via the Unsniff Developers API pack. |
| One click playback | Right click on a call leg to play back the conversation. This feature is only available for the G.711 a-Law, G.711 mu-Law, GSM, and iLBC codecs |
IAX2
See the article "Analyzing IAX2 (Asterisk) protocol with Unsniff".
| Feature | Description |
|---|---|
| Track Calls | Stateful decode that will track all calls if the NEW message is seen. Unsniff will print the codec used for each voice mini frame. |
| Extract Calls | All call legs are extracted and stored as User Objects. You can then save or play back these user objects. |
| One click playback | Right click on a call leg to play back the conversation. This feature is only available for the G.711 a-Law, G.711 mu-Law, GSM, and iLBC codecs |
Ethernet
| Feature | Description |
|---|---|
| Resolve MAC addresses | Look up MAC addresses using the Unsniff Name Cache. Match either the full MAC address or a partial one. |
| Show Manufacturer name | Resolve the OUI part of the MAC address using the built-in database containing thousands of manufacturers. |
| Supports 802.3 or Ethertype | Both 802.3 format and Ethertypes are supported |
| Ethertype access points | Flexible access points for you to plug in your own protocols |
DNS
| Feature | Description |
|---|---|
| Extract hostnames automatically | Unsniff can automatically extract the names of IP and IPv6 hosts by listening to DNS messages. This allows you to convert addresses to names without sending out inverse DNS requests. |
| Self contained names | After you have resolved addresses to names, the information is stored in the capture file. This way you can open the capture file on another computer and still see the hostnames. |
NetBIOS-NS (Name Service)
| Feature | Description |
|---|---|
| Extract hostnames automatically | Unsniff can automatically extract the NetBIOS names of hosts by listening to NB-NS messages. |
| Self contained names | After you have resolved addresses to names, the information is stored in the capture file. This way you can open the capture file on another computer and still see the hostnames. |
PPP
| Feature | Description |
|---|---|
| Decompress Van Jacobson | Van Jacobson compression is frequently used on low-bandwidth links. Unsniff can decompress VJ and continue to decode the higher layer protocols. |
IP
| Feature | Description |
|---|---|
| Reassemble IP fragments | IP fragmentation happens when a datagram is larger than the MTU supported by the link layer. Unsniff can reassemble IP fragments (even if out of order) and feed the result back into the analysis process. When reassembly is complete, the entire packet is handed over for decoding of the upper layer protocols. |
| Type of Service | Unsniff can show the TOS field in three formats: (1) Plain; (2) Diffserv code point; (3) Precedence + TOS (as per RFC 791) |
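The two IP features above, out-of-order fragment reassembly and the three TOS presentations, as an added example written for this page (not Unsniff's own code). The fragments are constructed inline with a zero checksum; the `FragmentReassembler` class and `decode_tos` helper are this example's own names. It keys fragments by (src, dst, identification, protocol), only declares a datagram complete once the MF=0 fragment has been seen and there is no hole from offset 0 to the end, trims overlapping bytes, and discards state after completion so a late duplicate cannot resurrect the datagram.

```python
"""IPv4 fragment reassembly and TOS decoding (added example, not Unsniff code)."""
import struct
from collections import defaultdict

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options


def parse_ipv4(pkt):
    """Split an IPv4 packet into the header fields reassembly needs plus its payload."""
    ver_ihl, tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "tos": tos,
        "more_fragments": bool(flags_off & 0x2000),   # MF flag
        "frag_offset": (flags_off & 0x1FFF) * 8,       # offset is carried in 8-byte units
        "key": (src, dst, ident, proto),               # identifies one original datagram
        "payload": pkt[ihl:total_len],
    }


def decode_tos(tos):
    """Present the TOS byte in the three formats the page lists."""
    return {
        "plain": f"0x{tos:02x}",
        "dscp": f"DSCP {tos >> 2} (ECN {tos & 0x3})",   # RFC 2474 / RFC 3168 view
        # RFC 791 view: 3-bit precedence, then the delay/throughput/reliability/cost flag bits
        "precedence_tos": f"precedence {tos >> 5}, TOS 0x{(tos >> 1) & 0xF:x}",
    }


class FragmentReassembler:
    """Collects fragments per datagram and returns the full payload once all have arrived."""

    def __init__(self):
        self._frags = defaultdict(dict)   # key -> {byte offset: fragment payload}
        self._total = {}                  # key -> datagram length, known once the MF=0 fragment is seen

    def add(self, pkt):
        h = parse_ipv4(pkt)
        if not h["more_fragments"] and h["frag_offset"] == 0:
            return h["payload"]                                # not fragmented at all
        key = h["key"]
        self._frags[key][h["frag_offset"]] = h["payload"]      # a duplicate fragment just overwrites
        if not h["more_fragments"]:
            self._total[key] = h["frag_offset"] + len(h["payload"])
        return self._try_complete(key)

    def _try_complete(self, key):
        if key not in self._total:
            return None                                        # last fragment not seen yet
        data = bytearray()
        for off in sorted(self._frags[key]):
            if off > len(data):
                return None                                    # hole: a fragment is still missing
            data += self._frags[key][off][len(data) - off:]    # trim any overlap with earlier data
        if len(data) != self._total[key]:
            return None
        del self._frags[key], self._total[key]                 # free state; the datagram is done
        return bytes(data)


def build_fragment(ident, offset, more, payload, tos=0):
    """Constructed test input: an IPv4/UDP fragment with a zero checksum (never sent on a wire)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = IPV4_HDR.pack(0x45, tos, 20 + len(payload), ident, flags_off, 64, 17, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def demo():
    """Deliver three fragments out of order, then a duplicate; only the third call completes."""
    original = b"A" * 16 + b"B" * 16 + b"C" * 8
    a = build_fragment(0x1234, 0, True, original[:16])
    b = build_fragment(0x1234, 16, True, original[16:32])
    c = build_fragment(0x1234, 32, False, original[32:])
    r = FragmentReassembler()
    return [r.add(f) for f in (c, a, b, b)]
```

`demo()` returns `[None, None, <40-byte payload>, None]`: nothing is handed up until the hole at offset 16 is filled, and the repeated fragment after completion finds no datagram to attach to. For a decoder that has to survive hostile input the two checks that matter are the `off > len(data)` hole test and the overlap trim; without them an out-of-order or overlapping fragment would either block reassembly forever or be written twice.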
FTP
| Feature | Description |
|---|---|
| Extract files transferred via FTP | Unsniff can extract files as user objects: single files or multiple files; ASCII and binary; get and put methods |
| Stateful packet decode | Each FTP packet is tagged with the file it is associated with. This is useful in situations where you see a flood of FTP packets but have no idea which file is being transferred. |
SMB
| Feature | Description |
|---|---|
| Reassemble large SMBs | Large SMB messages are reassembled and decoded. |
| Stateful decode of SMBs | All SMBs related to file operations are tagged with the appropriate IDs (filenames, TreeID, FID, etc.). |
| Extract files transferred across network shares | Unsniff extracts transferred files as user objects. |
| Open XML plugin | The XML specification for the SMB protocol is open (see smb.xml in the installation folder). You can use this file as a reference for writing other XML plugins, or modify some of the messages (if you have access to better documentation of the SMB protocol). |
HTTP
See the article "Analyzing HTTP Streams using Unsniff".
| Feature | Description |
|---|---|
| Extract content | Extracts all content transferred via HTTP as user objects. These include HTML, stylesheets, images (all formats), audio, video, and Flash. |
| Reconstruct web pages completely | Reconstructs web pages completely. You can see websites offline just as they appeared while browsing. This takes advantage of the full-featured reassembly support provided by Unsniff. Even web pages transferred with indefinite length, chunked, or compressed encoding are supported. This feature is so powerful that some of our testers are using Unsniff as an "offline web recorder!". |
TCP
| Feature | Description |
|---|---|
| Full Featured Reassembly | The TCP plugin supplied with Unsniff is capable of full featured reassembly. All conditions such as retransmissions, out-of-order packets, and duplicate packets are handled correctly. |
| Streams support for other protocols | A number of protocols that are based on the TCP stream layer can use the reassembly features of the TCP stream. |
| Real time monitoring of multiple streams | You can monitor the TCP states of multiple streams simultaneously in real time. Just switch to the "Streams Sheet" while a capture is in progress. You can also see the last segment that was seen on the stream. |
| Ladder Diagram | A unique ladder diagram is available that tries to capture the latency of the stream. |
| Break into an established connection | Ideally Unsniff would like to see the initial 3-way SYN handshake for the TCP stream monitor. You can also break into an established TCP session and perform reassembly from a suitable point thereon. |
| Flexible stream based monitoring | You can set up Unsniff to call your stream based protocols: when at least one byte of valid data is available in either direction; when a specified number of bytes are available in either direction; or when the stream is closed normally or the capture is stopped |
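What "full featured reassembly" plus the three delivery triggers look like in code, as an added example for this page (not Unsniff's TCP plugin). `TcpStreamDirection` is this example's own class: it reassembles one direction of a stream from the byte after the SYN, trims retransmitted and overlapping bytes, parks out-of-order segments until the gap is filled, ignores exact duplicates, and calls `on_data` once `min_bytes` contiguous bytes are buffered (`min_bytes=1` is the "at least one byte" mode) and `on_close` on a FIN or when `stop()` reports the capture ending. Sequence numbers are plain integers; 32-bit wrap-around is deliberately left out.

```python
"""One direction of a TCP stream reassembled with retransmission, out-of-order and
duplicate handling, plus the delivery triggers the page lists (added example, not Unsniff code)."""


class TcpStreamDirection:
    """Reassembles the bytes one endpoint sends. Sequence numbers are plain ints here;
    32-bit wrap-around is ignored to keep the example short."""

    def __init__(self, isn, min_bytes=1, on_data=None, on_close=None):
        self.next_seq = isn + 1          # the SYN consumes one sequence number
        self.min_bytes = min_bytes       # deliver once this many contiguous bytes are buffered
        self.on_data = on_data or (lambda data: None)
        self.on_close = on_close or (lambda reason: None)
        self.pending = {}                # seq -> data for segments that arrived ahead of a gap
        self.buffer = bytearray()        # contiguous bytes not yet handed to the consumer
        self.fin_seq = None              # sequence number at which the sender's FIN sits
        self.closed = False
        self.stats = {"retransmit": 0, "out_of_order": 0}

    def segment(self, seq, data=b"", fin=False):
        """Feed one segment in capture order."""
        if self.closed:
            return
        if fin:
            self.fin_seq = seq + len(data)
        if seq < self.next_seq:
            # Retransmission or partial overlap: keep only the bytes we have not seen.
            self.stats["retransmit"] += 1
            data, seq = data[self.next_seq - seq:], self.next_seq
        if data:
            if seq == self.next_seq:
                self._accept(data)
            else:
                self.stats["out_of_order"] += 1
                self.pending.setdefault(seq, data)   # exact duplicate of a parked segment is dropped
        self._drain()

    def stop(self):
        """Capture stopped: flush whatever is contiguous and close."""
        self._close("capture_stopped")

    def _accept(self, data):
        self.buffer += data
        self.next_seq += len(data)

    def _drain(self):
        # Pull parked segments that a gap fill has made contiguous (trimming overlaps).
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break
            self._accept(self.pending.pop(seq)[self.next_seq - seq:])
        if self.buffer and len(self.buffer) >= self.min_bytes:
            self._flush()
        if self.fin_seq is not None and self.next_seq >= self.fin_seq:
            self._close("fin")

    def _flush(self):
        self.on_data(bytes(self.buffer))
        self.buffer.clear()

    def _close(self, reason):
        if self.closed:
            return
        self.closed = True
        if self.buffer:
            self._flush()                 # the final partial buffer is delivered on close
        self.on_close(reason)


def demo(min_bytes):
    """Constructed capture: a 16-byte request line sent as three segments, one arriving early
    and one retransmitted with overlap, then a FIN. Returns (deliveries, close reasons, stats)."""
    delivered, closes = [], []
    d = TcpStreamDirection(isn=1000, min_bytes=min_bytes,
                           on_data=delivered.append, on_close=closes.append)
    d.segment(1001, b"GET / HT")        # in order
    d.segment(1012, b"1.1\r\n")         # arrives before the bytes at 1009..1011
    d.segment(1005, b"/ HTTP/")         # overlaps delivered data; its tail fills the gap
    d.segment(1017, fin=True)           # sender closes
    return delivered, closes, d.stats
```

`demo(8)` delivers `b"GET / HT"` and then `b"TP/1.1\r\n"` as soon as eight contiguous bytes exist, while `demo(100)` delivers the whole `b"GET / HTTP/1.1\r\n"` only at close; both count one retransmission and one out-of-order segment. The same structure is what lets a stream-based decoder (HTTP, SMB, TLS) stay in sync when it is only given the bytes the sender actually committed, rather than every segment as captured.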
RTP
| Feature | Description |
|---|---|
| Extract voice conversation | Unsniff will extract the voice in each direction as user objects. For selected codecs (G.711 a-Law, G.711 u-Law, GSM) you can right click on a conversation and play back the conversation from within Unsniff. |
SIP
| Feature | Description |
|---|---|
| Dynamically set up RTP decoding | Listens to the SDP payload of SIP messages and prepares Unsniff to decode the appropriate port numbers as RTP. |
| Dynamic payload types | Dynamic payload type mappings are extracted from SIP messages. This information is used by the RTP plugin to interpret voice packets. |
| Set up conversation names | Uses SIP messages to construct a name for the conversation. This is usually based on the called and calling SIP phone number or URI. |
SSLv3 / TLS
| Feature | Description |
|---|---|
| Stateful decode of SSL/TLS records | TLS records are shown in the PDU sheet as they are seen by the TLS layer. |
| Decryption support | Unsniff can decrypt SSLv3/TLS 1.0 sessions if the correct key material is provided. The cipher suites supported are: RC4_128_WITH_MD5, RC4_128_EXPORT40_WITH_MD5, RSA_WITH_AES_256_CBC_SHA, RSA_EXPORT1024_WITH_RC4_56_SHA, RSA_EXPORT1024_WITH_DES_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA |
| Private Key Manager | You can associate TLS servers (host and port) with the server's private key file in PKCS#8 format. Unsniff manages these keys for you so you do not have to enter them each time you run Unsniff. The keys must be in unencrypted raw or PEM format: a raw PKCS#8 private key encoded in Base64, or a PKCS#8 key in PEM format |
SNMP
Features marked with * require the optional snfplugs plugin.
| Feature | Description |
|---|---|
| Versions | All SNMP versions: v1, v2, v3 |
| MIB compiler built in * | Powerful MIB compiler for reading in your own MIB files |
| OID to name resolution * | Resolve OIDs to easy to read object names |
| MIB database * | Unsniff features a high performance MIB database optimized for rapid lookups. This database ships with the most common standard MIB modules. You can also add other MIB files to this database. |
| Extra support for SNMPv3 | Unsniff can identify common v3 exchanges like engine discovery and error reporting. |
| OID Name Formats | You can resolve OIDs to names in three different formats: last name only with index appended (e.g. sysObjectID.0); last few names with index appended (e.g. mib-2.system.sysObjectID.0); full name (e.g. .iso.org.dod.internet.mgmt.mib-2.system.sysObjectID.0) |
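The three OID name formats, as an added example written for this page (not the snfplugs resolver). `MIB` is a constructed subset of the standard mib-2 tree standing in for a compiled MIB database; `split_oid` and `resolve_oid` are this example's own names. The part that matters is separating the instance index from the named path: arcs after the last node the MIB knows (the `.0` scalar instance, or `.3` for an interface row) are kept numeric and appended in every format.

```python
"""OID to name resolution in the three formats the page lists (added example, not Unsniff code)."""

# Constructed MIB subset: OID prefix -> node name. A real database is produced by a MIB compiler.
MIB = {
    (1,): "iso", (1, 3): "org", (1, 3, 6): "dod", (1, 3, 6, 1): "internet",
    (1, 3, 6, 1, 2): "mgmt", (1, 3, 6, 1, 2, 1): "mib-2", (1, 3, 6, 1, 2, 1, 1): "system",
    (1, 3, 6, 1, 2, 1, 1, 2): "sysObjectID", (1, 3, 6, 1, 2, 1, 1, 5): "sysName",
    (1, 3, 6, 1, 2, 1, 2): "interfaces", (1, 3, 6, 1, 2, 1, 2, 2): "ifTable",
    (1, 3, 6, 1, 2, 1, 2, 2, 1): "ifEntry", (1, 3, 6, 1, 2, 1, 2, 2, 1, 2): "ifDescr",
}


def split_oid(oid):
    """Walk the OID arc by arc; the arcs after the last known node form the instance index."""
    arcs = tuple(int(a) for a in oid.strip(".").split("."))
    names = []
    for i in range(1, len(arcs) + 1):
        name = MIB.get(arcs[:i])
        if name is None:
            break                                   # unknown subtree or instance index starts here
        names.append(name)
    return names, arcs[len(names):]


def resolve_oid(oid, fmt="last", depth=3):
    """fmt: 'last' (last name + index), 'short' (last `depth` names + index), 'full' (dotted path)."""
    names, index = split_oid(oid)
    if not names:
        return oid                                  # nothing known: leave it numeric
    if fmt == "last":
        shown = names[-1:]
    elif fmt == "short":
        shown = names[-depth:]
    elif fmt == "full":
        shown = [""] + names                        # the leading "" yields the leading dot
    else:
        raise ValueError(fmt)
    return ".".join(shown + [str(a) for a in index])


def resolve_all(oid):
    """All three presentations at once, keyed by format name."""
    return {fmt: resolve_oid(oid, fmt) for fmt in ("last", "short", "full")}
```

`resolve_all(".1.3.6.1.2.1.1.2.0")` reproduces the page's three spellings of sysObjectID.0; an OID under an enterprise subtree the MIB does not contain comes back as `internet.4.1...` rather than a bare number, which is usually the more useful failure mode when triaging unknown traffic.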
| Feature | Description |
|---|---|
| Decrypt v3 PDUs | Unsniff can decrypt SNMPv3 PDUs. This is of enormous help to Unsniff users who are using SNMP v3 in their network management applications. (1) Provide the USM user name and privacy passphrase; (2) Unsniff automatically detects encrypted PDUs and decrypts them. Supported ciphers: MD5 auth with CBC-DES; SHA auth with CBC-DES; MD5 auth with CFB-AES128; SHA auth with CFB-AES128 |
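Why a user name and passphrase are enough for the analyzer to decrypt v3 PDUs: the USM derives every key from the passphrase and the authoritative engine ID that is carried in plain text in each message. The derivation below, added for this page and not Unsniff's code, follows RFC 3414 Appendix A.2 (password to key, then key localization) for the MD5 and SHA variants the page lists; `password_to_key`, `auth_param` and `priv_key_material` are this example's own names, and the `demo()` input is the passphrase and engine ID from the RFC's own test vector.

```python
"""SNMPv3 USM key derivation: how the passphrase a user enters becomes the per-engine
authentication and privacy keys (added example, not Unsniff code). Follows RFC 3414 A.2."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576


def password_to_key(password, engine_id, algo="md5"):
    """RFC 3414 A.2: hash 1 MiB of the repeated passphrase (Ku), then localize it to one engine."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()   # Kul, specific to this engine ID


def auth_param(localized_key, whole_msg, algo="md5"):
    """HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 6.3, 7.3): the first 12 bytes of the HMAC."""
    return hmac.new(localized_key, whole_msg, algo).digest()[:12]


def priv_key_material(localized_key, cipher):
    """Which bytes of the localized key each privacy cipher on the page consumes."""
    if cipher == "des":          # RFC 3414 8.1.1.1: 8-byte DES key and 8-byte pre-IV
        return {"key": localized_key[:8], "pre_iv": localized_key[8:16]}
    if cipher == "aes128":       # RFC 3826: the first 128 bits are the AES key
        return {"key": localized_key[:16]}
    raise ValueError(cipher)


def demo():
    """RFC 3414 A.3 test input: passphrase 'maplesyrup', engine ID 00 x 11 followed by 02."""
    engine_id = bytes(11) + b"\x02"
    return {algo: password_to_key(b"maplesyrup", engine_id, algo).hex() for algo in ("md5", "sha1")}
```

Two points follow directly from the code. The localized key differs per engine ID, so a decoder has to read the engine ID out of the captured msgSecurityParameters before it can derive anything; and the derivation is a plain hash with no salt beyond the engine ID, so the passphrase an operator hands to the analyzer is exactly as sensitive as the keys it produces and deserves the same handling.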