========================================================================
                          PktDem, version 2.1
========================================================================

PktDem version 2.1 Copyright (C) 1997 by Pascal Urien, All Rights Reserved.

Other information: http://ourworld.compuserve.com/homepages/UrienP/pktdem.htm
For more information or suggestions, please mail to UrienP@compuserve.com

Contents.
=========

 1 - PktDem Overview.
 2 - Getting Started.
 3 - The help menu.
 4 - PktDem basic modes of operation.
 5 - Receiver modes.
 6 - Showing/Hiding broadcast packets.
 7 - Sending packets.
 8 - Ip mode.
 9 - The dump mode.
10 - The Sort Mode.
11 - Statistics Plot - ("g" option).
12 - Reading statistics - ("s" option).

1 - PktDem.exe overview
=======================

* PktDem is a program running under DOS (v3 to v7); the graphics plots
  work in EGA mode (640x350, 16 colors). It is designed to produce basic
  information about your Ethernet LAN (10baseT, 100baseT, ...). With
  PktDem, see your LAN working!

* PktDem main functions.
  - Statistics graphics plot (load and frames count).
  - Network traffic dump.
  - Network traffic analysis (sorted by IP addresses and TCP/UDP port).
  - Traffic generator (ping or MAC frames).
  - IP mode (Ping - ARP).
  - ARP table.

2 - Getting started.
====================

Command line:  pktdem.exe
           or  pktdem.exe Packet_Vector

PktDem works with a packet driver. The software automatically detects a
resident packet driver. If several drivers are installed it is necessary to
specify a Packet Vector (a hexadecimal number between 0x60 and 0x7F, the
software interrupt the driver is installed on). If a packet driver is
detected, the following information is displayed:

Packet Driver Vector At 0060
Looking for an Ethernet Adapter, number=0, type=65535 [handle= 4288]
Version 0001, Class 1, Type 51, Number 0, Basic 130
Mac Address: 00 80 C7 A1 60 7A
Old receiver mode = 5, Receiver mode has been set to Unicast+Multicast [5]
13508 records available for statistics
Press Any key To Continue

3 - The help menu.
==================

UrienP@compuserve.com
Receiver mode is unicast+multicast
Show Broadcast packets
h -> print this help info
s -> show statistics
d -> dump received packets or D dump packets in dump.txt file
i -> set ip mode
@ -> set my ip address
n -> set ip destination address
a -> send ARP to n, A->auto ARP (in file arp.txt)
p -> send a Ping packet,or P send several ping packet
x -> receive packet unicast or multicast
y -> receive all packets
z -> receive unicast only
o -> receive nothing, stop receiver
c -> Ip statistics, C->Configuration Parameters
l -> List Ip statistics, L save results in the class.txt file
t -> transmit a packet, T-> re-transmit a packet, r->send burst packet
f -> set filter parameters for options d and D
b -> ignore broadcast packet, B-> show broadcast packet
g -> plot ethernet statistics load & frames count
q -> quit

4 - PktDem basic modes of operation.
====================================

PktDem can work in three mutually exclusive modes.

Mode 1: IP mode.
================
An IP address must be defined. The software handles ICMP echo (ping) and
ARP for that address. The user can send ARP and ping packets in this mode.

Mode 2: dump mode.
==================
In this mode incoming frames are displayed or dumped to a file. Frames can
be filtered by IP address and port number. In this mode PktDem is usually
set to receive all packets (promiscuous mode).

Mode 3: sort mode.
==================
In this mode incoming frames are sorted, and the result is either displayed
or recorded in a file. In this mode PktDem is usually set to receive all
packets (promiscuous mode).

5 - Receiver modes.
===================

PktDem can program your Ethernet card in four ways:

- Receive nothing (receiver mode "o"). All incoming packets are discarded.
- Receive unicast MAC frames only, i.e. frames whose destination address
  equals your MAC address (receiver mode "z").
- Receive unicast or multicast frames (frames with a multicast destination
  address, broadcast included), receiver mode "x".
- Receive all frames (promiscuous mode), whatever their destination
  address (receiver mode "y").

Promiscuous mode only shows other stations' traffic on a shared segment
(hub or coax); behind a switch port you see your own frames plus broadcast
and multicast.

6 - Showing/Hiding broadcast packets.
=====================================

Broadcast packets are transmitted with a destination address equal to
FF FF FF FF FF FF. The "b" option hides these packets while running in
dump mode, the "B" option shows broadcast packets in this mode.

7 - Sending packets.
====================

This function is designed for testing purposes only: the frames go out on
the live segment with exactly the addresses and protocol ID you typed, so
use it on a test LAN.
The "t" option is used to format and send one packet.
The "T" option re-sends the packet formatted last.
The "r" option sends a burst of packets.

Example 1: formatting a packet.
===============================

t
Enter Data
MAC DA (6 bytes) example 08 00 45 07 01 78
08 00 45 07 01 78
MAC SA (6 bytes) normal 00 80 C7 A1 60 7A
00 80 C7 A1 60 7A
Protocol ID (example 20 01)
20 01
Number of data bytes
4
Please Enter 4 Bytes (in hexa) example A3
001=>01
002=>02
003=>03
004=>04
Please check your Data
MAC DA 08 00 45 07 01 78
MAC SA 00 80 C7 A1 60 7A
Data 08 00 45 07 01 78 00 80 C7 A1 60 7A 20 01 01 02 03 04
Send this packet (y-n)
Packet has been sent
Done ...

Example 2: Sending a formatted packet.
======================================

T
Please check your Data
MAC DA 08 00 45 07 01 78
MAC SA 00 80 C7 A1 60 7A
Data 08 00 45 07 01 78 00 80 C7 A1 60 7A 20 01 01 02 03 04
Send this packet (y-n)
Packet has been sent
Done ...

Example 3: Sending a packet burst.
==================================

r
MAC DA (6 bytes) example 08 00 45 07 01 78
08 00 45 07 01 78
MAC SA (6 bytes) normal 00 80 C7 A1 60 7A
00 80 C7 A1 60 7A
PID Min (example 20 01)
20 01
PID Max (example 20 01)
20 02
Number of burst packets to send
2
Data size of sent packet
64
Check data
MAC DA 08 00 45 07 01 78
MAC SA 00 80 C7 A1 60 7A
PID Min 2001, PID Max 2002
Number of burst packets to send 2
Data size of burst packet 64
Confirm (y/n)
Press any key to cancel
0000000001
Done ...

8 - Ip mode.
============

This mode is turned on by the "i" key.
An IP address MUST be defined before entering the IP mode; this is done
with the "@" key.

          +---------------------+
          |        ICMP         |
          +----------+----------+
                     |
          +----------+----------+    +-------+
          |          IP         +    |  ARP  |
          +----------+----------+    +-------+
                     |
          +----------+----------+
          |    ETHERNET MAC     |
          +---------------------+

          Mini IP stack used in IP mode.

Entering the IP mode.
=====================
- use "@" to define your IP address.
- use "i" to enter the IP mode.

How to ping.
============
- Define a target IP address - key "n".
- Send an ARP packet to this node - key "a". The ARP reply supplies the
  MAC address the ping frames are then sent to.
- Ping the target node - key "p".
- The "P" option allows the user to send a burst of ping packets:
  P number_of_ping_packets.

ARP table.
==========
The "A" option sends an ARP request to the IP addresses whose last number
is between .1 and .254 (the other hosts of your own class C network). A
table showing the correspondence between MAC addresses and IP addresses is
recorded in the arp.txt file.

129.192.51.3 <=> 02:60:8C:2E:68:9A
129.192.51.4 <=> 08:00:38:42:0C:2B

A part of the arp.txt file.

Example.
========
You must define your Ip Address first
The key @ performs this operation
Your IP Adress is 0:0:0:0, new value (y/n)
Done ...
You must define your Ip Address first
The key @ performs this operation
Your IP Adress is 0:0:0:0, new value (y/n)
Enter your IP address
129.192.51.124
Done ...
Ip mode has been selected...
You must send and ARP before pinging
The key a performs this function
You must define an Ip destination Address first
The key n performs this function
Destination Adress is 0:0:0:0, new value (y/n)
Enter the IP destination address
129.192.51.200
Done ...
Sending ARP to 129.192.51.200
ARP response from Ip 129.192.51.200 <=> Mac 08:00:0B:3D:1C:5F
Pinging 129.192.51.200
Pong from 129.192.51.200
Number of ping frames to send
2
Pinging 129.192.51.200
Press any key to cancel
0000000001
Pong from 129.192.51.200
Pong from 129.192.51.200

9 - The dump mode
=================

Dump mode displays incoming packets or records them in a file named dump.txt.
length= 886 IPseq#8376 129.192.51.241:3383 => 129.192.51.168:6000 TCP seq#= 525776502 ack#= 1941092786 win= 16060 PSH ACK
08 00 5A 01 9C 61 02 60 8C 2C F0 C2 08 00 45 00  ..Z..a.`.,....E.
03 68 20 B8 00 00 3C 06 EF D2 81 C0 33 F1 81 C0  .h....<.....3...
33 A8 0D 37 17 70 1F 56 B6 76 73 B2 B9 B2 50 18  3..7.p.V.vs...P.
3E BC 06 5A 00 00 00 0E 00 0D 00 01 02 A8 00 01

A dumped packet: the first 64 bytes of an 886-byte TCP segment, i.e. the
14-byte Ethernet header, the 20-byte IP header, the 20-byte TCP header and
the start of the data. The "IPseq#" is the IP identification field.

Before entering the dump mode you will typically set the "promiscuous
receiver" option (key "y") and the "ignore broadcast packets" option
(key "b").

Entering the Dump mode
======================
- key "d" selects the display packet option.
- key "D" sets the dump in file option (file name is dump.txt).

Filtering Packets
=================
Dumped packets can be filtered by IP address and by several UDP/TCP port
numbers. In order to reduce the amount of dumped bytes, a dump size can be
specified. This is done by the "f" option:

Ip filter value is 0:0:0:0, new value (y/n)
Enter the IP Filter Address (0.0.0.0==no-filter, 255.255.255.255==All)
=>129.192.0.1
Number of bytes to dump 64, new value (y/n)
new value=>128
Number of port to dump 0 New value (y/n)
Number of port to scan (0 == Every Port)=>2
port01 (decimal value)=>21
port02 (decimal value)=>23
Done ...

10 - The Sort Mode
==================

The sort mode records the number of packets and the byte load, sorted by
IP addresses and TCP/UDP port. Typically 10,000 records are available.
This function is useful to evaluate the Ethernet traffic or to check the
LAN security (which hosts talk to which, on which ports, and which non-IP
protocols are on the wire). It is activated by the "c" key. The receiver
is usually put in promiscuous mode before setting this mode.
PktDem v2.1 (c) Pascal Urien 1997 (10:09:58,33) 350 records FramesCt= 14149 BytesCt= 3265447
* Type* IP Address SA   * IP Address DA   *Ptcol* Port*   Count   *   Bytes   *
 0800  201.192.001.061   129.192.050.150  00006  00000  0000000229  0000016678
 0800  202.192.008.002   202.192.008.255  00017  00125  0000000003  0000000321
 0806  000.000.000.000   000.000.000.000  00000  00000  0000000080  0000004800

PktDem sorting mode. "Type" is the Ethernet protocol ID (0800 = IP,
0806 = ARP) and "Ptcol" the protocol carried by IP (6 = TCP, 17 = UDP);
non-IP frames are counted under their type with zeroed addresses.

Sorting Parameters ("C" option).
================================
The following parameters can be adjusted:
* Packet protocol ID (PID) between 0 and a maximum value.
* Sorting mode:
  - IP packets source address.
  - IP packets destination address.
  - IP SA and DA, in order.
  - IP SA and DA, without order.
  - UDP/TCP port only.
* IP layer encapsulated protocol (between 0 and a maximum value).
* TCP/UDP port between 0 and a maximum value.

Maximum Protocol ID to record from 0h to FFFFh
Actual value is FFFF, new value (y/n)
new value=>FFF0
Recording Mode 0->IP SA, 1->IP DA, 2->SA & DA in order, 3->SA & DA without order 4->port
Actual value is 3, new value (y/n)
new value=>3
Maximum Protocol over IP to record from 0h to FFh
Actual value is FF, new value (y/n)
new value=>6A
Maximum Port to record 0...FFFFh
Actual value is 007F, new value (y/n)
new value=>F567
Done ...

Saving records ("L" option).
============================
Records are saved in the class.txt file with the "L" key.

PktDem v2.1 (c) Pascal Urien 1997 (16:46:59,36) 84 records FramesCt= 1112 BytesCt= 259588
* Type* IP Address SA   * IP Address DA   *Ptcol* Port*   Count   *   Bytes   *
 0000  000.000.000.000   000.000.000.000  00000  00000  0000000048  0000004468
 0800  129.192.001.001   129.192.001.002  00017  00000  0000000001  0000000129

A part of the class.txt file.

Viewing Records ("l" option).
=============================
The "l" option displays the records on screen.

11 - Statistics Plot ("g" option)
=================================

Three statistics are plotted:
* The frames (packets) count per second.
* The cumulative frames count.
* The network load in bytes/s.

The graphical plot is activated by the "g" key.

While plotting, press key
  t, to modify the refresh time
  r, to modify the FrameRate scale
  l, to modify the NetLoad scale
  c, to modify the frame count rate
  ESC, to quit PktPlot
Press Any Key to Continue...

Four parameters can be adjusted, for example the network load full scale:

NetLoad Scale [1.250e+06], change (y-n), default is no : ?1e6

12 - Reading statistics - "s" option
====================================

The "s" key shows the network statistics. The field named "Packets lost by
PC" counts the packets delivered by the packet driver that the PktDem
software could not process in time; the remaining fields are the counters
the packet driver itself keeps. A large "Packets lost by PC" value, as in
the sample below (12830 of 28663 received), means the dump and sort
results cover only part of the traffic.

Packets Lost by PC 12830
Packets Received 28663
Packets Sent 0
Bytes Received 32067071
Bytes Sent 0
Errors In 0
Errors Out 0
Packets Lost 0
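Example: building and bursting raw frames (section 7).
======================================================

The following Python program is an added example, not PktDem's own code. It
builds an Ethernet II frame from the same four inputs the "t" prompt asks
for (MAC DA, MAC SA, protocol ID, data), renders it like the "Please check
your Data" screen, and generates a burst in the manner of the "r" key. The
page does not say how "r" spreads the protocol ID over the PID Min/PID Max
range nor what the burst payload contains; walking the PID from min to max
and filling the payload with a counting pattern are assumptions of this
example. send_frames() uses a Linux AF_PACKET socket and needs CAP_NET_RAW;
the builder functions run anywhere.

```python
"""Raw Ethernet II frame builder and burst generator in the spirit of
PktDem's "t", "T" and "r" keys.  Added example, not PktDem code."""
import socket
import struct


def parse_hex(text: str) -> bytes:
    """Accept the prompt's input style: '08 00 45 07 01 78' or '08:00:45:...'."""
    return bytes.fromhex(text.replace(":", " "))


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02X}" for b in data)


def build_frame(da: bytes, sa: bytes, pid: int, data: bytes) -> bytes:
    """Ethernet II header (6 + 6 + 2 bytes) followed by the raw payload."""
    if len(da) != 6 or len(sa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= pid <= 0xFFFF:
        raise ValueError("protocol ID must fit in 16 bits")
    if len(data) > 1500:
        raise ValueError("payload exceeds the Ethernet MTU")
    return struct.pack("!6s6sH", da, sa, pid) + data


def describe(frame: bytes) -> str:
    """Render a frame the way the 'Please check your Data' prompt does."""
    return "\n".join([f"MAC DA {hexdump(frame[:6])}",
                      f"MAC SA {hexdump(frame[6:12])}",
                      f"Data {hexdump(frame)}"])


def burst_frames(da, sa, pid_min, pid_max, count, data_size):
    """One frame per burst packet.  Assumption: the protocol ID walks from
    pid_min to pid_max and wraps; the payload is a counting pattern."""
    if pid_min > pid_max:
        raise ValueError("PID Min must not exceed PID Max")
    span = pid_max - pid_min + 1
    frames = []
    for i in range(count):
        payload = bytes((i + j) & 0xFF for j in range(data_size))
        frames.append(build_frame(da, sa, pid_min + i % span, payload))
    return frames


def send_frames(frames, iface: str) -> int:
    """Put the frames on the wire through a packet socket (Linux, CAP_NET_RAW).
    Frames shorter than 60 bytes are padded to the Ethernet minimum by the
    NIC or driver, so a 4-byte payload still occupies a minimum-size frame."""
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        for frame in frames:
            sock.send(frame)
            sent += 1
    return sent


if __name__ == "__main__":
    da = parse_hex("08 00 45 07 01 78")          # the page's example addresses
    sa = parse_hex("00 80 C7 A1 60 7A")
    print(describe(build_frame(da, sa, 0x2001, bytes([1, 2, 3, 4]))))
    for f in burst_frames(da, sa, 0x2001, 0x2002, 2, 64):
        print(len(f), "bytes, PID", hexdump(f[12:14]))
```

A protocol ID of 20 01 is above 0x0600, so receivers treat the field as an
Ethernet II type rather than an 802.3 length; nothing on the LAN will
answer it, which is what makes it a harmless load-test frame.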
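Example: ARP and ping as in IP mode (section 8).
================================================

The following Python program is an added example, not PktDem's own code. It
implements the two exchanges of the mini IP stack shown in section 8: the
broadcast ARP request sent by the "a" key and the parsing of the reply that
fills arp.txt, and the ICMP echo request of the "p" key together with the
check that an incoming frame is the matching "Pong". Wire formats follow
RFC 826 (ARP), RFC 791 and 792 (IP, ICMP) and RFC 1071 (checksum); the MAC
and IP addresses are the ones printed in the page's example session. The
ARP reply parser only accepts a reply from the IP address that was asked
for, which keeps a stray or spoofed answer out of the table.

```python
"""Mini IP stack in the spirit of PktDem's IP mode ("@", "n", "a", "A", "p"):
ARP request/reply and ICMP echo over Ethernet II.  Added example, not PktDem
code.  The addresses below are the ones shown on this page."""
import ipaddress
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806
BROADCAST = b"\xff" * 6
MY_MAC = bytes.fromhex("0080C7A1607A")                      # adapter MAC, section 2
MY_IP = ipaddress.IPv4Address("129.192.51.124").packed
TARGET_IP = ipaddress.IPv4Address("129.192.51.200").packed
TARGET_MAC = bytes.fromhex("08000B3D1C5F")                  # its ARP answer on the page


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def arp_packet(oper: int, sha, spa, tha, tpa) -> bytes:
    """oper 1 = request, 2 = reply (HTYPE Ethernet, PTYPE IPv4)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, oper, sha, spa, tha, tpa)


def arp_request(my_mac, my_ip, target_ip) -> bytes:
    """Broadcast 'who has target_ip?', what the "a" key sends."""
    return eth(BROADCAST, my_mac, ETH_ARP, arp_packet(1, my_mac, my_ip, b"\x00" * 6, target_ip))


def arp_reply(my_mac, my_ip, asker_mac, asker_ip) -> bytes:
    """Unicast answer a live host returns (used here to build test input)."""
    return eth(asker_mac, my_mac, ETH_ARP, arp_packet(2, my_mac, my_ip, asker_mac, asker_ip))


def parse_arp_reply(frame: bytes, expected_ip: bytes):
    """(ip, mac) of the sender if frame is an ARP reply from expected_ip, else
    None.  Matching the sender IP against the address we asked for is what
    keeps a stray or spoofed reply out of the arp.txt table."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen, oper) != (1, ETH_IP, 6, 4, 2) or spa != expected_ip:
        return None
    return str(ipaddress.IPv4Address(spa)), ":".join(f"{b:02X}" for b in sha)


def auto_arp_targets(my_ip: bytes):
    """Hosts .1 to .254 of my /24, the addresses the "A" key sweeps."""
    net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(my_ip)}/24", strict=False)
    return [h.packed for h in net.hosts()]


def icmp_echo(src_mac, dst_mac, src_ip, dst_ip, ident, seq, icmp_type=8, data=b"PktDem!!"):
    """ICMP echo request (type 8) or reply (type 0) inside an IPv4 packet."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0, src_ip, dst_ip)
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    return eth(dst_mac, src_mac, ETH_IP, iph + icmp)


def is_pong(frame: bytes, my_ip: bytes, ident: int, seq: int) -> bool:
    """True for an ICMP echo reply addressed to us, with valid IP and ICMP
    checksums, carrying the ident/seq of the request we sent.  The ICMP part
    is cut at the IP total length so NIC padding on short frames is ignored."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 1 or frame[30:34] != my_ip or checksum(frame[14:14 + ihl]) != 0:
        return False
    icmp = frame[14 + ihl:14 + total]
    if len(icmp) < 8 or checksum(icmp) != 0:
        return False
    typ, code, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return (typ, code, rid, rseq) == (0, 0, ident, seq)
```

A short echo request (14 + 20 + 16 bytes here) is padded to 60 bytes on the
wire, which is why is_pong() trims the ICMP part at the IP total length
before verifying the checksum; without that the padding bytes would make a
valid reply fail the check.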