Snoop Protocol; Caching

Anyone on this group familiar with snoop protocol and its caching algorithms for wifi?

ohmy

formatting link

ps56k

That was about 1994. To the best of my knowledge, the protocol was never implemented in hardware, but parts and pieces were borrowed for various subsequent protocols. Note that although Wi-Fi was "invented" around 1991, during the time the paper was written, most wireless protocols were proprietary. The article does hint that they plan to test it on an NCR Wavelan card, which was literally the original 900MHz DSSS 802.11 card.
Jeff Liebermann

Dlink is running some form of this on my public wifi connection. Running a sniffer on it, I see lots of UDP packets coming to me with one of the content words being "Cache". Not sure what the purpose of these packets is? Anyone know?

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

JSmith

No clue. Are you sniffing packets going over the air or over the ethernet? If OTA, it's something else. The Snoop Protocol was supposed to cache packets in the access point. It makes no sense to transmit the contents of the cache as the whole idea is to NOT transmit or retransmit its contents.

Try sniffing with Wireshark and see if it can decode the type header into identifying the traffic. My guess(tm) is some kind of streaming media or file sharing using UDP Host Cache.

Jeff Liebermann

?? "The job of the Snoop Agent is to cache data packets for a TCP connection. When the data packets are determined to be lost, identified by duplicate Acks, it retransmits the data packets. The Snoop Agent re-transmits the packets locally without forwarding the Acks to the sender. As a result, the TCP layer is not aware of the packet loss and congestion control algorithm is not triggered. In addition, the Snoop Agent starts a retransmission timer for each TCP connection. When the retransmission timer expires, the Snoop Agent will retransmit the packets that have not yet acknowledged."

The pdf contains the "Snoop Protocol Module Source Code"

Some people are still interested in "Snoop" going by the fact that SourceForge.net has a linux version dated 4th Feb 2008

LR
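
The Snoop Agent behaviour quoted in the post above, as an added example that is not part of the thread and not the source code from the PDF. It is a toy model with one sequence number per packet; the class name, the 0.2 s timeout and the event tuples are assumptions.

```python
class SnoopAgent:
    """Toy model of a Snoop Agent at the access point (one seq number per packet)."""

    def __init__(self, rto=0.2):
        self.cache = {}      # seq -> (payload, time last sent over the air)
        self.resent = set()  # seqs already retransmitted locally for a dup ACK
        self.last_ack = -1   # highest cumulative ACK seen from the wireless host
        self.rto = rto       # local retransmission timeout in seconds (assumed)

    def from_sender(self, seq, payload, now):
        """Data from the wired sender: cache it, then forward it over the air."""
        self.cache[seq] = (payload, now)
        return [("to_mobile", seq)]

    def from_mobile(self, ack, now):
        """ACK from the wireless host; ack is the next seq it expects."""
        if ack > self.last_ack:          # new ACK: free the cache, pass it on
            for seq in [s for s in self.cache if s < ack]:
                del self.cache[seq]
            self.resent = {s for s in self.resent if s >= ack}
            self.last_ack = ack
            return [("to_sender_ack", ack)]
        if ack not in self.cache:        # nothing cached: let TCP handle the loss
            return [("to_sender_ack", ack)]
        if ack in self.resent:           # already resent: just drop the dup ACK
            return []
        self.resent.add(ack)             # dup ACK: resend locally, hide it from sender
        self.cache[ack] = (self.cache[ack][0], now)
        return [("to_mobile", ack)]

    def tick(self, now):
        """Retransmission timer: resend cached packets not yet acknowledged."""
        out = []
        for seq, (payload, sent) in sorted(self.cache.items()):
            if now - sent >= self.rto:
                self.cache[seq] = (payload, now)
                out.append(("to_mobile", seq))
        return out

def demo():
    """Packets 0..3 are sent; packet 1 is lost on the wireless hop."""
    agent, log = SnoopAgent(), []
    for seq in range(4):
        log += agent.from_sender(seq, b"data", now=0.0)
    for ack, t in [(1, 0.01), (1, 0.02), (1, 0.03), (4, 0.05)]:
        log += agent.from_mobile(ack, now=t)
    return log
```

In `demo()` the wired sender only ever sees ACK 1 and ACK 4, so its congestion control is never triggered by the duplicate ACKs.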

Some comparative tests were run on 802.11b against FEC and in conjunction with FEC.

LR

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Sorry for late reply, not at my usual location. OTA. These packets only come with the dlink AP, not with other ones. Also multiple ICMP incoming packets that do not occur at 1 sec intervals like the UDP ones and when I disabled "Destination Unreachable" I was unable to get replies to http post packets to web pages.

Could be P2P, not sure. I am going to try to get commview for wifi. Not familiar with Wireshark, is it better? These UDP packets act like some kind of beacon judging from their 1 sec intervals and they are all on the same incoming port. When blocked they do not seem to affect my net activities, but I don't like my little computer having to deal with them.

JSmith

LR wrote in news: snipped-for-privacy@bt.com:

Ok, from what you're saying, UDP packets incoming to the same port at 1-sec intervals do not sound like they are part of snoop protocol, must be something else.

JSmith

Some DLink routers and APs have a setting for endpoint filtering and it is possible that the one you are connected to is set for "Endpoint Independent" for UDP. "Endpoint Independent: Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet."

Note the "regardless of their origin"

You could try using Wireshark as Jeff suggested and see what you get for endpoint information.

LR

OK thanks for the followup, I will try to learn more.

news: snipped-for-privacy@bt.com:

JSmith

You never answered my question as to whether you were sniffing the wireless traffic or the ethernet. If this is your first experience with Wireshark, I suggest you start by sniffing the ethernet (through an ethernet hub set up as an ethernet tap). Wireless sniffing is a bit messy. It's also done using Linux as Windoze requires an expensive 3rd party promiscuous/monitor mode driver.

There are also tutorials on how to sniff wireless with Wireshark. Google finds quite a few:

There are also some tutorials on YouTube for Wireshark:

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Yes I did, did it not thread properly or you did not get it? See below. I am using an older version of commview now on a win98se box and it does show packets from other computers, so I am thinking it is already doing promiscuous? Since this is an unencrypted connection to an AP, I have seen some of the contents of these packets, but some also look encrypted. There is a commview made specifically for wireless, are you familiar with that? I d/l an older version of Wireshark and I will see what it does.

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Ok thanks for the link. Not sure why you did not get my reply that it was OTA I was sniffing. I am on a rather primitive connection here so hard to navigate. I answered my packet question via another route, the packets are UPnP UDP packets, not snoop as I was thinking. They are supposedly a threat to WinXP, which I am not running, so I just blocked them with my firewall. But I still don't like the fact that my weak computer has to discard them all. I still don't know what the periodic ICMP packets are, I will try to sniff them out.

====

JSmith

I found the message where you replied that you were sniffing OTA. Sorry, I must have missed it.

Yes. I didn't want to spend $150 to try it.

Why an older version of Wireshark? Note that it won't work in promiscuous mode without the CACE AirPcap driver and dongle.

In another posting, you were wondering if promiscuous mode was working with Commview. If you can see packets that ORIGINATE from remote MAC addresses, it's working. Packets with destination MAC addresses (or IP addresses) don't count.

Ok, that makes sense. So, why would UPnP packets have a content of "cache"? I'll plead ignorance.

They are a problem, but one small packet per second isn't going to make much difference when your wireless can move thousands of packets per second. Yeah, it contributes to overhead, but not that much. I turn off UPnP for no better reason than it doesn't do anything useful for my customers.

Jeff Liebermann
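
One possible source of the word "Cache", shown as an added example that is not from any post in the thread: UPnP discovery announcements (SSDP) are plain-text UDP messages that carry a `CACHE-CONTROL: max-age` header. The parser below summarises such a datagram so it can be told apart from other UDP traffic; the sample payload, UUID and 192.0.2.1 address are constructed, and the function name is hypothetical.

```python
import re

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900   # SSDP multicast group and port
START_LINES = ("NOTIFY * HTTP/1.1", "M-SEARCH * HTTP/1.1", "HTTP/1.1 200 OK")

def parse_ssdp(dst_ip, dst_port, payload):
    """Return a summary dict if the UDP payload is an SSDP message, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None                       # binary payload: not SSDP
    lines = text.split("\r\n")
    start = lines[0].strip()
    if start not in START_LINES:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    age = re.search(r"max-age\s*=\s*(\d+)", headers.get("CACHE-CONTROL", ""), re.I)
    return {
        "kind": "RESPONSE" if start.startswith("HTTP/") else start.split()[0],
        "multicast": (dst_ip, dst_port) == (SSDP_GROUP, SSDP_PORT),
        "nts": headers.get("NTS"),                    # ssdp:alive / ssdp:byebye
        "target": headers.get("NT") or headers.get("ST"),
        "location": headers.get("LOCATION"),          # URL of the device description
        "max_age": int(age.group(1)) if age else None,  # seconds the advert is valid
    }

# Constructed sample: an SSDP "alive" announcement from a gateway.
SAMPLE = (b"NOTIFY * HTTP/1.1\r\n"
          b"HOST: 239.255.255.250:1900\r\n"
          b"CACHE-CONTROL: max-age=1800\r\n"
          b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
          b"NT: upnp:rootdevice\r\n"
          b"NTS: ssdp:alive\r\n"
          b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(parse_ssdp(SSDP_GROUP, SSDP_PORT, SAMPLE))
```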

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

I am using an older version which I really like, so I might try the one for wireless if Wireshark doesn't do it.

Only ver up to .99.0 works with 98se; that's before the name change from Ethereal. Also the company was really nice in email exchanges. I don't like the software where they make you run around getting more software so their software will work. But that was when I was running w95 and I think it was wcap you had to install and that came with user unfriendly instructions. Thanks for the link to AirPcap, might try it.

ok not at my usual place now, so will take another look at the sniffer output.

will take a second look, don't know offhand; don't have the logs handy.

yeah, ur right.

JSmith

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Are you saying that AirPCap will not work without their hardware under any circumstances? The AirPcap driver cannot be used with other adapters?? If it will not, are there any alternative apps for grabbing pass packets on even a single channel?

ElliottW

Yes, it will only work with their USB adapter.

No, it will not work with other adapters.

Well, I've never bought or used AirPcap, but I guess I can decode the web pages:

Note that the cheapest offering includes a USB adapter:

The license also clearly indicates that you are buying the software license and the USB adapter:

Ah... here's the fine print: Scope of License. CACE grants to you a perpetual, fully-paid, non-exclusive, non-transferable, nonsublicensable, revocable license to use the AirPcap Software that you obtain under this Agreement, solely and exclusively for use with the AirPcap Wireless Adapter that was purchased with the AirPcap Software from CACE Technologies, Inc.

Exclusively for use with the AirPcap Wireless Adapter means that it will only work with the supplied USB adapter. There's no mention of compatible adapters on any page I could find.

Sure. Anything that's Linux based. It's not as horrible as it sounds. Grab a LiveCD such as:

It includes the Linux version of Wireshark. See the bottom two screen shots at:

Some tutorials and YouTube videos on installing and using Backtrack 3. Find with Google.

There are also some hacked and obscure promiscuous mode drivers that work under Windoze. I don't wanna go there.

Jeff Liebermann

On 02 Mar 2009, you wrote in alt.internet.wireless:

hahahaha ;-) go directly to BSD, do not pass go. I know a little nix, but I think it may be a hassle finding free apps for it and getting all the drivers to work. Thanks for the links I might try Linux. I am running a hardware handicapped machine; last time I tried to use some AV linux based "live" cds, from 3 diff. mfgs, none of them would load or work.

Yeah found out about that today, but problems getting them to work in promiscuous mode. I think I have the prism chipset on my senao knockoff.

ElliottW

FreeBSD and the various Linux mutations are fairly similar. Well, at the command line level, they're about 90% the same. However, the 10% that is different will drive you nuts. I would recommend Ubuntu Workstation for beginners.

Pick your hardware carefully and just make sure that Linux drivers are available. Atheros chipsets seem to be the best supported for wireless:

What's your time worth? What's the machine worth? You do the math. Besides, if it were easy, it would be no fun.

Compatibility list for Backtrack:

Linux on laptops:

There are at least 3 different chip manufacturers and perhaps 8 different chips that are delivered inside "Prism" wireless devices:

Hint: Numbers are a good thing.

Jeff Liebermann
