Snooping traffic on the appgate server

Article Number: 000001054

Using snoop

Snoop is a network sniffer available on the Solaris OS. To use it, open a terminal console on the appgate server and become root. The manual page is available with the command "man snoop".

Running the command in the foreground produces a condensed one-line-per-packet overview of what is currently being captured. To capture whole packets, run snoop with "-o <filename>" and it writes the packets to the file called filename. You can then analyze the capture with a GUI such as Wireshark on your local computer.

Snooping client traffic when using IP tunneling

Every client connected to an appgate server with IP tunneling has an IP tunnel address. Traffic to a resource behind the appgate system is sent to that IP tunneling interface on the client machine. The appgate server then forwards the traffic to the resource. The source IP of the packets the appgate server sends to the resource is the address of the client's IP tunneling interface.

Example: the client has 172.24.0.7 on the IP tunneling interface. This IP appears as the source address when the appgate server forwards the client's traffic to the requested resource.

The traffic flows out on the interface through which the target resource is reachable (according to routing). To analyse traffic, for example to the DNS server, you need to identify the interface name, which is then passed as an argument to snoop. You can find the interface name either from the network-to-interface mapping in the appgate console or in a terminal window on the appgate server. The simplest way to find out which interface the traffic leaves on is the command "route get" in a terminal window. For example, to find out which interface the DNS server is reached (routed) through:

appgate:~#route get dns.cryptzone.int
 route to: dns.cryptzone.int
destination: 192.168.99.0
 mask: 255.255.255.0
 gateway: 192.168.1.1
 interface: bge3
 flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe sendpipe ssthresh rtt,ms rttvar,ms hopcount mtu expire
 0 0 0 0 0 0 0 0

The answer is bge3. 

Snooping traffic on the server

  1. Find out what you are looking for, e.g. IP addresses, protocols, ports.
  2. Find out which interface that traffic is routed through (or is expected on) and run snoop on it:
snoop -d <interface_name> <ip_address>

As an example:

snoop -d bge2 172.24.0.7

The command shows all packets on the interface bge2 with source or destination address 172.24.0.7.

Another example:

snoop -d bge2 172.24.0.7 port 53
172.24.0.7 -> dns.cryptzone.int DNS C cryptzone.com. Internet Addr ?
dns.cryptzone.int -> 172.24.0.7 DNS R

The command shows all packets on the interface bge2 with source or destination address 172.24.0.7 and source or destination port 53.
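The two steps above (find the outbound interface with "route get", then run snoop on it) and the reading of snoop's one-line summaries can be wrapped in a small script. The following is an added example, not part of the Cryptzone article; the function and file names are assumptions, and the route and snoop output embedded in it is a constructed sample modelled on the article's output.

```shell
#!/bin/sh
# Added example (not from the article): automate the route-get -> snoop
# procedure on an appgate server and summarise snoop's condensed output.

# Extract the "interface:" field from "route get" output read on stdin.
iface_from_route() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Build the snoop command line for a client tunnel IP on the interface that
# reaches the resource whose "route get" output is passed in $1. Any extra
# arguments (e.g. "port 53") are appended as the snoop filter; "-o" writes
# the whole packets to outfile so they can be opened in Wireshark.
build_snoop_cmd() {
    route_out="$1"; client_ip="$2"; outfile="$3"; shift 3
    iface=$(printf '%s\n' "$route_out" | iface_from_route)
    [ -n "$iface" ] || { echo "no interface in route output" >&2; return 1; }
    filter="$*"
    printf 'snoop -d %s -o %s %s%s\n' "$iface" "$outfile" "$client_ip" "${filter:+ $filter}"
}

# Live wrapper: needs root on the Solaris appgate server (route and snoop).
# Usage: capture_client dns.cryptzone.int 172.24.0.7 /var/tmp/dns.snoop port 53
capture_client() {
    resource="$1"; client_ip="$2"; outfile="$3"; shift 3
    cmd=$(build_snoop_cmd "$(route get "$resource")" "$client_ip" "$outfile" "$@") || return 1
    echo "running: $cmd"
    $cmd
}

# Count packets per (src -> dst protocol) in snoop's one-line summary output,
# read on stdin; most frequent flow first. Useful for a first look at what a
# tunnel client is actually talking to before opening the full capture.
summarize_flows() {
    awk '$2 == "->" { c[$1 " -> " $3 " " $4]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample mirroring the article's "route get" output.
SAMPLE_ROUTE='   route to: dns.cryptzone.int
destination: 192.168.99.0
       mask: 255.255.255.0
    gateway: 192.168.1.1
  interface: bge3
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample of snoop summary lines (port 53 filter).
SAMPLE_SNOOP='172.24.0.7 -> dns.cryptzone.int DNS C cryptzone.com. Internet Addr ?
dns.cryptzone.int -> 172.24.0.7 DNS R
172.24.0.7 -> dns.cryptzone.int DNS C example.org. Internet Addr ?'
```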
