Protocols

Unsniff supports over 48 protocols in Release 1.0 Beta. More protocols are added continuously, and all customers get access to new and updated protocols as they become available.

The goals of the Unsniff Network Analyzer for protocol analysis are:

Complete decode: accurate decoding as per the relevant standards or RFCs
Self documenting: clear bubble help attached to all important fields
PDU: monitor entire PDUs as first-class entities for BGP, LDAP, TLS and other stream-based protocols
User objects: extract "User Objects" of importance, such as voice from RTP/SIP/IAX2, images/HTML from HTTP, or files from FTP/SMB
Filtering: create powerful display filters using point and click
Scripting: automatically scriptable using Ruby / VBScript

Protocols supported

802.11, 802.1Q, ARP, BGP, BOOTP, DHCPv6, DNS, Ethernet, FTP, GSSAPI, H.225, H.235, H.245, H.323, HTTP, IAX2, ICMP, ICMPv6, IGMP, IP, IPCP, IPv6, LCP, LDAP, LLC, NetBIOS-DGM, NetBIOS-NS, NetBIOS-SSN, OSPF, PAP, PPP, PPPoE, Q.931, RIP, RTCP, RTP, SDP, SIP, SMB, SNAP, SNMP, SSL, STP, TCP, TELNET, TLS, TPKT, UDP, X.509




Protocol Special Support

H.323 Suite 

Protocol versions: support for Q.931, H.225, H.225 RAS, H.235, H.245
Latest versions of all protocols (see the ITU-T ASN.1 database):
  • H.225 - version 7 (2003)
  • H.245 - version 12 (2005)
  • H.235 - version 9 (2005)
PDU analysis: H.225 and H.245 messages are PDU based. Unsniff's PDU analysis lets you look beyond link-layer packets and see just the H.323 messages.

Descriptions

The PDUs have detailed descriptions attached to them, including important information such as user name, signalling channel information and disconnect reasons.

Advanced: features such as H.245 tunneling and H.225 FastStart are supported
H.235 security: H.235 ClearTokens / CryptoTokens and the other constructs defined in H.235 are fully supported for all messages.
Channel setup: automatically tracks the H.245 signalling channels and the RTP/RTCP channels for each call
Extract calls: if a call is set up successfully, Unsniff extracts each leg of the call as a user object. You can then save these calls or play them back.
Call naming: calls are named according to the channel and session numbers for easy identification
PER decoder: the ASN.1 PER (Packed Encoding Rules) decoder is designed to handle faulty packets without overshooting frame boundaries. It will be made available for general use via the Unsniff Developers API pack.

One click playback

Right-click on a call leg to play back the conversation.

This feature is only available for the G.711 a-Law, G.711 mu-Law, GSM and iLBC codecs.

 

IAX2

See the article "Analyzing IAX2 (Asterisk) protocol with Unsniff".
Track Calls

Stateful decode: all calls are tracked provided the NEW message is seen. Unsniff prints the codec used for each voice mini-frame.

Extract Calls

All call legs are extracted and stored as User Objects. You can then save or play back these user objects.

One click playback

Right-click on a call leg to play back the conversation.

This feature is only available for the G.711 a-Law, G.711 mu-Law, GSM and iLBC codecs.

 

Ethernet


Resolve MAC addresses

Lookup MAC addresses using the Unsniff Name Cache. Match either the full MAC address or partially.

Show Manufacturer name

Resolve the OUI part of the MAC address using the built in database containing thousands of manufacturers.

Supports 802.3 or Ethertype

Both 802.3 format and Ethertypes are supported

Ethertype access points

Flexible access points let you plug in your own protocols.



DNS


Extract hostnames automatically

Unsniff can automatically extract the names of IPv4 and IPv6 hosts by passively listening to the DNS messages in the capture. This lets you convert addresses to names without sending reverse DNS queries of your own, which would generate extra traffic and could be noticed. Note that such a cache trusts whatever answers appeared on the wire: a spoofed response poisons it just as it would poison a client.
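The mechanism described above, as an added example in Python (not Unsniff's own code): a minimal passive resolver that parses captured DNS response messages, follows RFC 1035 name compression, and records A and AAAA answers in an address-to-name cache. The sample response is constructed inline; all function names are ours.

```python
import ipaddress
import struct


def _read_name(msg, off):
    """Read a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:                               # malformed: pointer loop
                raise ValueError("DNS name compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def passive_dns(msg):
    """Learn {address: hostname} from the answer section of one DNS response.
    Only responses (QR=1) with RCODE 0 are used; queries carry no addresses."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not (flags & 0x8000) or (flags & 0x000F) != 0:
        return {}
    off = 12
    for _ in range(qdcount):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    learned = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rclass != 1:                                 # IN only
            continue
        if rtype == 1 and rdlen == 4:                   # A
            learned[str(ipaddress.IPv4Address(rdata))] = name
        elif rtype == 28 and rdlen == 16:               # AAAA
            learned[str(ipaddress.IPv6Address(rdata))] = name
        # CNAME records are passed over here; a full cache would record the alias chain
    return learned


def build_sample_response():
    """Constructed response (not from a real capture): example.test with one A
    and one AAAA answer, both owner names written as pointers to the question."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address("192.0.2.10").packed
    aaaa_rr = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + ipaddress.IPv6Address("2001:db8::1").packed
    return header + question + a_rr + aaaa_rr


def build_sample_query():
    """Constructed query for the same name (QR=0), which must teach the cache nothing."""
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print(passive_dns(build_sample_response()))
```

The resolver deliberately checks the QR bit and RCODE and ignores record classes other than IN, so malformed or NXDOMAIN traffic does not populate the cache; TTLs are ignored because a capture-file cache has no notion of expiry.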

Self contained names

After addresses have been resolved to names, the information is stored in the capture file. This way you can open the capture file on another computer and still see the hostnames.



NetBIOS - NS (Name Service) 

Extract hostnames automatically

Unsniff can automatically extract NetBIOS names of hosts by listening to NB-NS messages.

Self contained names

After addresses have been resolved to names, the information is stored in the capture file. This way you can open the capture file on another computer and still see the hostnames.




PPP


Decompress Van-Jacobson

Van Jacobson TCP/IP header compression (RFC 1144) is frequently used on low-bandwidth links. Unsniff can decompress VJ-compressed headers and continue decoding the higher-layer protocols.


 

IP

Reassemble IP fragments

IP fragmentation occurs when a datagram is larger than the MTU of a link it has to cross. Unsniff can reassemble IP fragments (even when they arrive out of order) and feed the result back into the analysis process: once reassembly is complete, the entire datagram is handed over for decoding of the upper-layer protocols.
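Added example in Python (not Unsniff's implementation) of what out-of-order IPv4 reassembly involves: fragments are keyed on source, destination, protocol and identification, the first fragment supplies the header, the last (MF=0) fragment fixes the total size, and the datagram is released only when every byte from offset 0 to that size is present. Overlapping fragments are rejected rather than merged, because the overlap rules differ between stacks and an analyzer that guesses can be made to see a different packet than the host did. The datagram and fragments are constructed inline.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"
# Constructed sample header (UDP, 10.0.0.1 -> 10.0.0.2, id 0x1234); lengths are filled in per fragment
SAMPLE_HEADER = struct.pack(IP_HDR, 0x45, 0, 0, 0x1234, 0, 64, 17, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def header_checksum(hdr):
    """RFC 791 ones-complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class IPv4Reassembler:
    """Reassembles IPv4 fragments keyed on (src, dst, protocol, identification).
    Any arrival order is accepted; exact duplicates are ignored; overlapping
    fragments raise, since different stacks resolve overlaps differently."""

    def __init__(self):
        self.flows = {}

    def feed(self, packet):
        """Feed one raw IPv4 packet; return the complete datagram when the last
        missing fragment arrives, otherwise None."""
        ver_ihl, _tos, total_len, ident, frag, _ttl, proto, _csum, src, dst = \
            struct.unpack_from(IP_HDR, packet, 0)
        ihl = (ver_ihl & 0x0F) * 4
        more = bool(frag & 0x2000)
        offset = (frag & 0x1FFF) * 8
        payload = packet[ihl:total_len]
        if not more and offset == 0:
            return packet[:total_len]                  # not fragmented at all
        if more and len(payload) % 8:
            raise ValueError("non-final fragment length must be a multiple of 8")
        key = (src, dst, proto, ident)
        flow = self.flows.setdefault(key, {"parts": {}, "total": None, "hdr": None})
        for o, p in flow["parts"].items():
            if offset < o + len(p) and o < offset + len(payload):
                if o == offset and p == payload:
                    return None                        # retransmitted fragment
                raise ValueError("overlapping fragment")
        flow["parts"][offset] = payload
        if offset == 0:
            flow["hdr"] = packet[:ihl]                 # first fragment carries the full header
        if not more:
            flow["total"] = offset + len(payload)
        return self._complete(key, flow)

    def _complete(self, key, flow):
        if flow["total"] is None or flow["hdr"] is None:
            return None
        expected = 0
        for o in sorted(flow["parts"]):
            if o != expected:
                return None                            # a hole remains
            expected += len(flow["parts"][o])
        if expected != flow["total"]:
            return None
        data = b"".join(flow["parts"][o] for o in sorted(flow["parts"]))
        del self.flows[key]
        hdr = bytearray(flow["hdr"])
        struct.pack_into("!H", hdr, 2, len(hdr) + len(data))   # total length
        struct.pack_into("!H", hdr, 6, 0)                      # flags/offset cleared
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, header_checksum(hdr))  # checksum recomputed
        return bytes(hdr) + data


def fragment(header, payload, frag_bytes):
    """Split `payload` into fragments carrying `frag_bytes` each (multiple of 8).
    Only used to construct the sample input."""
    frags = []
    for off in range(0, len(payload), frag_bytes):
        chunk = payload[off:off + frag_bytes]
        more = 0x2000 if off + len(chunk) < len(payload) else 0
        hdr = bytearray(header)
        struct.pack_into("!H", hdr, 2, len(hdr) + len(chunk))
        struct.pack_into("!H", hdr, 6, more | (off // 8))
        frags.append(bytes(hdr) + chunk)
    return frags


def demo():
    """1280-byte datagram in three fragments, delivered last-first with one
    duplicate. Returns (original payload, result of each feed() call)."""
    payload = bytes(range(256)) * 5
    frags = fragment(SAMPLE_HEADER, payload, 512)
    r = IPv4Reassembler()
    return payload, [r.feed(frags[2]), r.feed(frags[1]), r.feed(frags[1]), r.feed(frags[0])]


def overlap_rejected():
    """Second fragment shifted to offset 8 so it overlaps the first; True if refused."""
    frags = fragment(SAMPLE_HEADER, bytes(64), 32)
    bad = bytearray(frags[1])
    struct.pack_into("!H", bad, 6, 0x2000 | 1)
    r = IPv4Reassembler()
    r.feed(frags[0])
    try:
        r.feed(bytes(bad))
        return False
    except ValueError:
        return True
```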

Type of Service

Unsniff can show the TOS field in three formats :

1. Plain

2. Diffserv code point

3. Precedence + TOS (as per RFC 791)



FTP

Extract files transferred via FTP

Unsniff can extract files as user objects.

o Single files or multiple files

o ASCII and Binary

o Get and Put methods

Stateful packet decode

Each FTP packet is tagged with the file it is associated with. This is useful when you see a flood of FTP packets but have no idea which file is being transferred.


SMB


Reassemble large SMBs

Large SMB messages are reassembled and decoded.

Stateful decode of SMBs

All SMBs related to file operations are tagged with the appropriate Ids (filenames, TreeID, FID, etc).

Extract files transferred across network shares

Unsniff extracts files transferred as user objects.

Open XML plugin

The XML specification for the SMB protocol is open (see smb.xml in the installation folder). You can use this file:

o as a reference for writing other XML plugins

o to modify some of the messages (if you have access to better documentation of the SMB protocol)

HTTP

See the article "Analyzing HTTP Streams using Unsniff".

Extract content

Extracts all content transferred via HTTP as user objects. These include:

  • HTML
  • Stylesheets
  • Images (all formats)
  • Audio, Video
  • Flash

Reconstruct web pages completely

HTTP reconstruction: reconstructs web pages completely, so you can view websites offline just as they appeared while browsing. This takes advantage of the full-featured reassembly support provided by Unsniff. Even pages transferred with indefinite length (the body ends when the connection closes), chunked transfer encoding or compressed content encoding are supported.

This feature is so powerful that some of our testers are using Unsniff as an "offline web recorder"!
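Added example in Python (not Unsniff's code) of the layering an extractor has to get right for the three cases just listed: the transfer coding (chunked, Content-Length, or until-close) is removed first, and only then the content coding (gzip or deflate). The response is constructed inline as gzip-compressed HTML sent in three chunks; function names are ours.

```python
import gzip
import zlib


def dechunk(data):
    """Undo Transfer-Encoding: chunked (RFC 7230 section 4.1). Chunk extensions
    are ignored and trailers after the zero-size chunk are not needed for the body."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF


def parse_http_response(raw):
    """Return (status line, headers, body) for one raw HTTP/1.x response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().decode("latin-1").lower()] = v.strip().decode("latin-1")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(rest)
    elif "content-length" in headers:
        body = rest[:int(headers["content-length"])]
    else:
        body = rest                                    # indefinite length: ends with the connection
    coding = headers.get("content-encoding", "").lower()
    if coding == "gzip":
        body = gzip.decompress(body)
    elif coding == "deflate":
        try:
            body = zlib.decompress(body)
        except zlib.error:                             # raw DEFLATE without the zlib wrapper
            body = zlib.decompress(body, -zlib.MAX_WBITS)
    return lines[0].decode("latin-1"), headers, body


SAMPLE_HTML = b"<html><body><h1>Hello from the capture</h1></body></html>"


def build_sample_response():
    """Constructed (not captured) response: gzip-compressed HTML sent as three
    chunks, the case a tool that stops at the chunk layer gets wrong."""
    gz = gzip.compress(SAMPLE_HTML, mtime=0)
    chunks = [gz[:10], gz[10:25], gz[25:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + body)
```

Decompression of attacker-controlled bodies should be bounded in a real tool (a small gzip body can expand to gigabytes); the example omits that limit for brevity.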

TCP

Full Featured Reassembly

The TCP plugin supplied with Unsniff is capable of full-featured reassembly. Conditions such as retransmissions, out-of-order segments and duplicate segments are all handled correctly.

Streams support for other protocols

A number of protocols that are based on the TCP stream layer can use the reassembly features of the TCP stream.

Real time monitoring of multiple streams

You can monitor the TCP state of multiple streams simultaneously in real time. Just switch to the "Streams Sheet" while a capture is in progress. You can also see the last segment that was seen on each stream.

Ladder Diagram

A unique ladder diagram is available that visualizes the latency of the stream.

Break into an established connection

Ideally Unsniff sees the initial three-way SYN handshake of a TCP stream. You can also break into an established TCP session and perform reassembly from a suitable point onward.

Flexible stream based monitoring

You can setup Unsniff to call your stream based protocols -

o When at least one byte of valid data is available in either direction

o When a specified number of bytes are available in either direction

o When the stream is closed normally or capture is stopped
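Added Python example (not the Unsniff TCP plugin) covering the reassembly conditions, the mid-stream entry point and the three delivery thresholds described in this section for one direction of a stream. Segments are reordered by sequence number with 32-bit wraparound, duplicates and stale retransmissions are dropped, partially overlapping segments contribute only their new bytes, and the callback fires when at least `min_bytes` are contiguous or the stream closes. The segment sequence is constructed; names are ours.

```python
MASK = 0xFFFFFFFF


def seq_after(a, b):
    """True if TCP sequence number a comes after b, allowing for 32-bit wraparound."""
    return a != b and ((a - b) & MASK) < 0x80000000


class TCPStream:
    """One direction of a TCP connection. `min_bytes` models the delivery
    thresholds above (1 = as soon as any data is available, N = wait for N);
    the close of the stream always flushes whatever is buffered."""

    def __init__(self, isn, on_data, min_bytes=1):
        self.next_seq = (isn + 1) & MASK     # the SYN consumes one sequence number
        self.pending = {}                     # seq -> payload waiting for the gap before it
        self.buf = bytearray()
        self.fin_seq = None
        self.closed = False
        self.on_data = on_data
        self.min_bytes = max(1, min_bytes)

    @classmethod
    def midstream(cls, first_seq, on_data, min_bytes=1):
        """Break into an established connection: start at the first seen sequence number."""
        s = cls(0, on_data, min_bytes)
        s.next_seq = first_seq & MASK
        return s

    def segment(self, seq, payload, fin=False):
        if self.closed:
            return
        if payload and len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload       # a longer copy at the same seq supersedes a shorter one
        if fin:
            self.fin_seq = (seq + len(payload)) & MASK
        self._drain()

    def _drain(self):
        while True:
            ready = [s for s in self.pending if not seq_after(s, self.next_seq)]
            if not ready:
                break
            s = ready[0]
            data = self.pending.pop(s)
            skip = (self.next_seq - s) & MASK  # bytes of this segment already delivered
            if skip < len(data):               # else: pure retransmission or duplicate
                self.buf += data[skip:]
                self.next_seq = (s + len(data)) & MASK
        if self.fin_seq is not None and self.next_seq == self.fin_seq:
            self.closed = True
        if self.closed or len(self.buf) >= self.min_bytes:
            self.on_data(bytes(self.buf), self.closed)
            self.buf.clear()


def demo(min_bytes=1):
    """Constructed client->server request whose sequence numbers wrap 2**32,
    delivered out of order with a duplicate, a stale retransmission and a
    partially overlapping segment. Returns the list of (bytes, closed) deliveries."""
    parts = [b"GET / HTTP/1.0\r\n", b"Host: example.test\r\n", b"User-Agent: x\r\n"]
    isn = 0xFFFFFFF0
    seqs = [(isn + 1) & MASK]
    for p in parts[:-1]:
        seqs.append((seqs[-1] + len(p)) & MASK)           # 0xFFFFFFF1, 1, 21
    deliveries = []
    s = TCPStream(isn, lambda data, closed: deliveries.append((data, closed)), min_bytes)
    s.segment(seqs[1], parts[1])                         # arrives before its predecessor
    s.segment(seqs[0], parts[0])
    s.segment(seqs[0], parts[0])                         # exact duplicate
    s.segment(seqs[2], parts[2])
    s.segment(seqs[1], parts[1])                         # stale retransmission
    tail = parts[2][9:] + b"\r\n"                        # overlaps 6 old bytes, adds 2 new
    s.segment((seqs[2] + 9) & MASK, tail)
    s.segment((seqs[2] + len(parts[2]) + 2) & MASK, b"", fin=True)
    return deliveries
```

With `min_bytes=1` the request is delivered in three pieces as gaps fill, followed by an empty delivery flagged as closed; with `min_bytes=100` nothing is delivered until the FIN, which flushes the whole request in one call.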

RTP

Extract voice conversation

Unsniff will extract the voice in each direction as user objects. For selected codecs (G.711 a-Law, G.711 mu-Law, GSM) you can right-click on a conversation and play it back from within Unsniff.

SIP

Dynamically setup RTP decoding

Listens to the SDP payload of SIP messages and prepares Unsniff to decode the negotiated port numbers as RTP.

Dynamic payload types

Dynamic payload type mappings (a=rtpmap) are extracted from the SDP carried in SIP messages. This information is used by the RTP plugin to interpret voice packets.

Setup conversation names

Use SIP messages to construct a name for the conversation. This is usually based on the called and calling SIP phone number or URI.
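The three SIP features above in one added Python example (not Unsniff's code): the INVITE offer and the 200 OK answer are parsed, each party's RTP endpoint is taken from its own SDP (c= and m=audio lines), the payload-type map that applies to packets sent to that party is built from the static RTP/AVP table plus its a=rtpmap lines, and a conversation name is derived from the From/To URIs. Both messages are constructed; names are ours.

```python
import re

# Static RTP/AVP payload types (RFC 3551) that can appear on an m= line without an rtpmap
STATIC_PT = {0: ("PCMU", 8000), 3: ("GSM", 8000), 8: ("PCMA", 8000), 9: ("G722", 8000), 18: ("G729", 8000)}
COMPACT = {"f": "from", "t": "to", "i": "call-id", "c": "content-type"}


def parse_sip(msg):
    """Split a SIP message into (start line, {header: value}, body); header names lower-cased."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return (ip, port, {payload type: (encoding, clock rate)}) for the audio stream."""
    ip, port, ptmap = None, None, {}
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            fields = line.split()
            port = int(fields[1])
            for pt in fields[3:]:
                ptmap[int(pt)] = STATIC_PT.get(int(pt), ("unknown", None))
        elif line.startswith("a=rtpmap:"):               # dynamic types (96-127) live here
            pt, _, enc = line[len("a=rtpmap:"):].partition(" ")
            name, _, rate = enc.partition("/")
            ptmap[int(pt)] = (name, int(rate.split("/")[0]))
    return ip, port, ptmap


def _user(header):
    m = re.search(r"sips?:([^@>;]+)@", header)
    return m.group(1) if m else header


def rtp_hints(invite, ok):
    """Decode hints from offer (INVITE) and answer (200 OK): each party's receive
    endpoint with the payload-type map for packets sent to it, plus a call name."""
    _, h, offer = parse_sip(invite)
    _, _, answer = parse_sip(ok)
    a_ip, a_port, a_pts = parse_sdp(offer)
    b_ip, b_port, b_pts = parse_sdp(answer)
    return {"name": f"{_user(h['from'])} -> {_user(h['to'])}", "call_id": h["call-id"],
            "to_caller": ((a_ip, a_port), a_pts), "to_callee": ((b_ip, b_port), b_pts)}


# Constructed messages; addresses are documentation ranges, not a real call
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@198.51.100.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Alice" <sip:alice@192.0.2.10>;tag=1928301774',
    "To: <sip:bob@198.51.100.5>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 96 101",
    "a=rtpmap:96 iLBC/8000",
    "a=rtpmap:101 telephone-event/8000", ""])
SAMPLE_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Alice" <sip:alice@192.0.2.10>;tag=1928301774',
    "To: <sip:bob@198.51.100.5>;tag=a6c85cf",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=bob 2808844564 2808844564 IN IP4 198.51.100.5", "s=-",
    "c=IN IP4 198.51.100.5", "t=0 0",
    "m=audio 3456 RTP/AVP 96 101",
    "a=rtpmap:96 iLBC/8000",
    "a=rtpmap:101 telephone-event/8000", ""])
```

Keeping one payload-type map per direction matters: dynamic numbers such as 96 are only meaningful in the SDP of the party that will receive them, and an analyzer that applies the offer's map to both directions will mislabel codecs whenever the answerer chose different numbers.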

SSLv3 / TLS

See the article: How to analyze SSL/TLS connections with private key material?

Stateful decode of SSL/TLS records

TLS records are shown in the PDU sheet as they are seen by the TLS layer.

Decryption support

Unsniff can decrypt SSLv3/TLS 1.0 sessions if the correct key material is provided. All of the supported cipher suites use RSA key exchange, in which the client encrypts the pre-master secret to the server's RSA public key, so the server's private key is enough to recover the session keys from a capture; sessions negotiated with ephemeral Diffie-Hellman key exchange cannot be decrypted this way. The cipher suites supported are:

  • RC4_128_WITH_MD5
  • RC4_128_EXPORT40_WITH_MD5
  • RSA_WITH_AES_256_CBC_SHA
  • RSA_EXPORT1024_WITH_RC4_56_SHA
  • RSA_EXPORT1024_WITH_DES_CBC_SHA
  • RSA_WITH_RC4_128_MD5
  • RSA_WITH_RC4_128_SHA

Private Key Manager

You can associate TLS servers (host and port) with a private key file in PKCS#8 format. Unsniff manages these keys for you so you do not have to enter them each time you run Unsniff. The keys must be unencrypted, in raw or PEM format:

  • Raw PKCS#8 private key encoded in Base64
  • PKCS#8 key in PEM format

Because the key file is stored unencrypted, anyone who can read it can decrypt every captured session for that server; protect the analyst workstation and the key file accordingly.
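What happens after the private key has decrypted the ClientKeyExchange, as an added Python example (not Unsniff's code): the TLS 1.0 PRF (RFC 2246 section 5) turns the 48-byte pre-master secret and the two handshake randoms into the master secret, and a second PRF expansion yields the MAC keys, cipher keys and IVs for the non-export suites listed above. The export suites need an extra key-derivation step (RFC 2246 section 6.3.1) not shown here, and SSLv3 uses a different, MD5/SHA-1 based derivation. Inputs are constructed; names are ours.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC-based expansion to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()              # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()    # HMAC(secret, A(i) || seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves share one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


# (MAC key length, cipher key length, IV length) for the non-export suites on this page
SUITES = {
    "RSA_WITH_RC4_128_MD5": (16, 16, 0),
    "RSA_WITH_RC4_128_SHA": (20, 16, 0),
    "RSA_WITH_AES_256_CBC_SHA": (20, 32, 16),
}


def derive_keys(pre_master, client_random, server_random, suite):
    """Master secret and the six write keys (RFC 2246 section 6.3) for a connection.
    `pre_master` is the 48-byte value the client encrypted to the server's RSA
    public key; recovering it from a capture needs that server's private key."""
    master = tls10_prf(pre_master, b"master secret", client_random + server_random, 48)
    mac_len, key_len, iv_len = SUITES[suite]
    block = tls10_prf(master, b"key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


def demo(suite="RSA_WITH_AES_256_CBC_SHA"):
    """Constructed inputs (not from a real handshake): the pre-master secret
    starts with the client's offered version 0x0301 as the specification requires."""
    pre_master = b"\x03\x01" + bytes(range(46))
    client_random = bytes(32)
    server_random = bytes(range(32))
    return derive_keys(pre_master, client_random, server_random, suite)
```

The derivation also shows why session resumption matters to an analyst: a resumed session reuses the master secret and needs no ClientKeyExchange, so a capture that starts after the original full handshake has nothing the private key can decrypt.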

SNMP

* Features marked with an asterisk require the optional snfplugs plugin.

Versions

All SNMP versions: v1, v2, v3

MIB compiler built in *

Powerful mib compiler for reading in your own mib files

OID to name resolution *

Resolve OIDs to easy-to-read object names

MIB database *

Unsniff features a high performance MIB database optimized for rapid lookups. This database ships with the most common standard MIB modules. You can also add other MIB files into this database.

Extra support for SNMPv3

Unsniff can identify common v3 exchanges like engine discovery and error reporting.

OID Name Formats    

You can resolve OIDs to Names in three different formats

  • Last name only with index appended (eg. sysObjectID.0 )
  • Last few names with index appended (eg. mib-2.system.sysObjectID.0)
  • Full name (eg. .iso.org.dod.internet.mgmt.mib-2.system.sysObjectID.0)    
Decrypt v3 PDUs

Unsniff can decrypt SNMPv3 PDUs. This is of enormous help to Unsniff users who use SNMPv3 in their network management applications.

1. Provide the USM user name and Privacy Passphrase
2. Unsniff automatically detects encrypted PDUs and decrypts them

Supported ciphers
  • MD5 Auth with CBC-DES
  • SHA Auth with CBC-DES
  • MD5 Auth with CFB-AES128
  • SHA Auth with CFB-AES128
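How a user name and passphrase become the key that decrypts a captured PDU, as an added Python example (not Unsniff's code): RFC 3414 stretches the passphrase to one mebibyte and hashes it (Ku), then localizes it with the authoritative snmpEngineID (Kul), which is why the engine discovery exchange mentioned above is useful to an analyzer. From Kul the example builds the DES key and IV (RFC 3414 section 8.1.1.1) or the AES-128 key and IV (RFC 3826 section 3.1.2.1) for one message; the cipher call itself is left to a crypto library. The engine ID and message fields are constructed; RFC 3414 Appendix A.3 gives vectors for the passphrase "maplesyrup" to check real implementations against.

```python
import hashlib
import struct


def password_to_key(password, hash_name):
    """RFC 3414 A.2: Ku = H(password repeated to fill 1,048,576 bytes).
    The stretching is what makes offline guessing from a capture slower."""
    pw = password.encode()
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku, engine_id, hash_name):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The same passphrase yields a
    different key on every engine, so the engine ID from the capture is required."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def privacy_material(kul_priv, priv_proto, engine_boots, engine_time, salt):
    """Cipher key and IV for one message. `salt` is the 8-byte msgPrivacyParameters
    field of the captured message; boots/time come from its msgAuthoritativeEngine* fields.
    DES    (RFC 3414 8.1.1.1): key = Kul[0:8],  IV = Kul[8:16] XOR salt
    AES128 (RFC 3826 3.1.2.1): key = Kul[0:16], IV = boots || time || salt"""
    if len(salt) != 8:
        raise ValueError("msgPrivacyParameters must be 8 bytes")
    if priv_proto == "DES":
        return kul_priv[:8], bytes(a ^ b for a, b in zip(kul_priv[8:16], salt))
    if priv_proto == "AES128":
        return kul_priv[:16], struct.pack("!II", engine_boots, engine_time) + salt
    raise ValueError("unsupported privacy protocol: " + priv_proto)


def usm_keys(auth_passphrase, priv_passphrase, engine_id, auth_hash):
    """Both localized keys for a USM user. The privacy key is derived with the
    authentication protocol's hash, as RFC 3414 specifies."""
    kul_auth = localize_key(password_to_key(auth_passphrase, auth_hash), engine_id, auth_hash)
    kul_priv = localize_key(password_to_key(priv_passphrase, auth_hash), engine_id, auth_hash)
    return kul_auth, kul_priv


# Constructed engine ID and message fields for the demo, not taken from a real device
SAMPLE_ENGINE_ID = bytes.fromhex("80001f8880010203040506")


def demo():
    """Keys and AES IV for a constructed message from the sample engine."""
    _, kul_priv = usm_keys("authpass123", "privpass456", SAMPLE_ENGINE_ID, "sha1")
    return privacy_material(kul_priv, "AES128", engine_boots=7, engine_time=100, salt=b"\x11" * 8)
```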