Domain: ethereal.com
Stories and comments across the archive that link to ethereal.com.
Comments · 102
-
First 10?
-
Re:Tomayto, tomahto
Is this going to be like the LIE-Nuks Lee-nooks, thing?
Hopefully not. For one thing, "Ethereal" wasn't named after somebody whose name is pronounced in a way different from the way the same name is pronounced when it's the name of a character in "Peanuts".
:-) See the Ethereal FAQ item on the pronunciation; you're right, they're wrong.
-
Ethereal, nmap, nessus
It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
- nmap for basic port sniffing.
- nessus for more extensive security sweeping.
- ethereal for packet capture & analysis.
- snort for intrusion detection.
- magnum marine for spammer management (I feel a mod-down comin on!)
I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).
-
Out of date? It was published in February 2004.
While this is an interesting book, its problem is that it is already out of date.
How out of date can the book be? It was published in February 2004.
Then again, Ethereal version 0.10.3 was released on March 25, 2004.
Ethereal version 0.10.2 was released on February 23, 2004.
Ethereal version 0.10.1 was released on February 18, 2004.
Ethereal version 0.10.0 was released on December 12, 2003.
Perhaps most importantly, according to one Amazon.com review, "the book documents version 0.10.0." Another Amazon.com review states that, "the captures are up to date as of version 0.10.1."
-
Re:I'd love to but...
Give credit here but this is how I got it working on 2000:
[quote] For windows get winpcap [polito.it]
then get ethereal for windows [ethereal.com]
and get windump [polito.it]
SANS.org has all the info: Packet capture apps [sans.org][/quote] -
Noteable Omissions
-
Re:Switched Routers?
It's pretty easy to configure a router to copy each packet to a specific port for analysis by a dedicated machine.
Well, for some routers/switches, anyway.
There's even an entry in the Ethereal FAQ and an entry in the tcpdump FAQ about that, including links to documentation for at least some switches for doing "port monitoring". (If people have links for switches not listed there, send them on to the ethereal-users or tcpdump-workers mailing lists so we can add them to the FAQs.)
-
Re:snort [Funny]
Snort as a recommendation is a rather good pun but, as a network sniffer (packet capture/protocol analyzer) Snort is not the answer.
Snort is an Intrusion Detection System (IDS) that monitors network traffic and performs an action when it sees a matching pattern. That action could be a log entry, or it might be configured to save the packet to a file. Other actions are possible using external programs. Snort uses libpcap of TCPDump fame to monitor or capture the network traffic. Snort is useless for displaying or analyzing network traffic, but this is not a function that it was designed for.
Ethereal is a graphical protocol analyzer, although it does include a command line version as well, called Tethereal. Ethereal also relies on libpcap for actually capturing the network packets, but it goes much further than simply capturing network packets. Ethereal displays a breakdown of the packets themselves, separating, categorizing and displaying the various fields and data in a packet. It goes further by also decoding a long list of higher level protocols that may be included in the packet.
Ethereal is also capable of reading and decoding network traffic that has been captured and saved in other formats. Ethereal can read and save packet capture files in MS Network Monitor, NAI Sniffer Pro, and many other formats. Ethereal is increasingly recommended by companies such as Novell, who actually has had their own protocol analyzer for years called Lanalyzer. Cisco support engineers are also increasingly recommending the use of Ethereal for capture and analysis of network traffic when troubleshooting potential problems with their equipment.
TCPDump has also been recommended by many people here on Slashdot. TCPDump is a command line based protocol analyzer. It also relies on libpcap for actual packet capture, but it then displays a breakdown of the actual packets. Its display is not as attractive or as configurable as the graphical Ethereal, and it is more limited in the number of protocols that it can interpret and disassemble, but it is still a very powerful and capable program. Furthermore, its output can be saved for further examination by Ethereal.
-
Re:I don't mean to flame, but...
Ethereal can do TCP/UDP/GRE/... IP, Appletalk, IPX, Banyan Vines, etc etc etc., so there's no lack there.
The thing is, there are tons of network applications that fulfill usefully different roles:
- record historical data and let you drill-down and see some things (eg. ntop)
- on-the-fly statistics generation (eg. how many failed connections perhaps)
- on-the-fly intrusion detection
- network uptime monitoring with emailing/paging capability
- high-level performance monitoring, optionally including at the router-level with network topography maps
- ...the list goes on and on
Users range from single computers connected to a congested cable modem, to five-nines uptime network admins who maintain multiple datacenters around the world, so there's a wide range of complexity that different apps need to fill.
Add to that user preferences about specific OS's, licenses, languages, etc. they like to use, and you can spend days searching for just the right network app for your specific need.
-
Link
Here's a link.
I haven't used it for a while (College) but it was the most impressive tool I've ever used for Network Sniffing. It's available for pretty much every major platform. -
Packetyzer
I use tcpdump on Mac OS X and Linux/Unix, but when I'm at a client site and all I have is my WinXP laptop, Packetyzer is my sniffer of choice. One of my cow-orkers swears by Ethereal, but it's all good.
k. -
Yeah, redundant - but concise:
For windows get winpcap
then get ethereal for windows
and get windump
SANS.org has all the info: Packet capture apps -
Great tools.
-
Ethereal!
Ethereal! It's a very high-end multi-platform sniffer with numerous features, as well as excellent GUI and command-line interfaces that are a joy to use. It has all the features you'd expect in high-end commercial network sniffers, and it's free!
-
Ethereal
- ethereal
- tcpdump
-
BUT WHERE CAN I GET IT?
The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.
But I can't find 0.10.3 anywhere!
It's not on the official ftp site: ftp://ftp.ethereal.com/pub/ethereal/
Nor is it on the SourceForge page: http://sourceforge.net/project/showfiles.php?group_id=255 -
Re:Oh, really.
Anyone with a packet sniffer...
Er, ok. I got one. I like Ethereal.
...who knows about port knocking...
Hmm, ok, I do now... thanks to this thread.
...can see that you're making connections to ports x and y before connecting to port z.
Rats. Why can't I see it, then? Damn it, you make it sound so easy. Come on, tell me, what else do I need? I wouldn't really have to be on the same subnet, would I? Or owning me a few switches or routers on the network path?
Security through obscurity works. I won't tell you how...
-
I call bullshit on YOU
Ubi didn't kill Live because of lack of interest. There was a HUGE interest going on.
It is a simple case of economics. If there aren't X number of customers Cyan couldn't cover the burn rate of Y. If you aren't making enough money, isn't it better to change early, instead of going [url=http://www.enron.com/]bankrupt[/url]?
PC Gamer was highly impressed with it. The real reason it was killed was most likely because the morons who coded the network side of the game couldn't hack it.
That makes me a moron?
Anyone who played it knew that the netcode was POORLY written.
I am afraid you should stop speaking out of your ass now. If you looked at the actual use of in-game bandwidth, URU uses significantly less than most common First Person Shooters. I should know, I wrote an Ethereal plugin while I worked at Cyan. This plugin would dissect our own protocol. We closely examined every byte that is sent over the network.
The True cause of the lag lies mostly with the Client. Improvements to this were being made. But since the online part of URU has been stopped, they will never see the light of day.
URU might have come before its time, and I am deeply saddened to see a project I worked on go down this path.
-Paul Querna -
you want to know if gator is spyware?
Just check it out. And Gator encrypts "phone home" communications, but you will find a report is sent each time you visit a web site. Happy sniffing
-
Re:Is There an Easy Way to Window Shop at I-Tunes?
iTunes Music Store "pages" are really text/XML streams, if I recall correctly. Anyone got a good link for more info?
Sure! http://www.ethereal.com/download.html
:P -
Black Ice
I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.
The difference is that a real firewall (Like Zone Alarm or Sygate (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.
Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.
In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal.
-
Re:Sniffing?
Think about tunneling everything over a secure channel. Everybody says use a VPN, it will save the planet, cure AIDS, feed the hungry, and create world peace. However, getting a functional, usable, and secure VPN is much harder than eating a piece of pie.
Until then if you don't know what your information looks like as it goes through the public Internet check out Ethereal.
-
Yeah Baby!
This truly is wonderful news! There are a large number of client applications that use Qt for display rendering that really aren't fundamentally X11 applications.
Several of these applications are used daily by our engineering team.
Having a native (or at least X11-free) version of these tools is a real bonus for us; but in particular, it's a bonus for the less sophisticated users that would benefit from using applications as though they were OS/X native applications.
Think about CEO or tech support people who don't (won't) want to run X11 just in order to look at that packet trace or 'jiggle that SNMP MIB'.
I, for one, look forward to this, and will happily help port a few key applications to the Darwin / OS X platform.
This, and portage all in one week! Good News For All! -
Materials to start with
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV. -
Re:WAP Detectors
See the MAC manufacturer reference. Linksys (a WAP maker) has a couple of blocks, but they don't use different OUIs for WAPs only. It's easy to detect WAPs if remote administration is enabled (the domain will be descriptive), but otherwise not, as far as I know.
-
Re:Use MAC address filtering and Limited IP leases
Even though you are probably the only one using your wireless router, someone clever running a program like Kismet or Ethereal can still sniff your unencrypted packets and pick out some nasty things from them. You're definitely right about WEP not being secure, but I do think that another layer of security can't hurt (unless of course it does something weird like make your connection flaky).
:) -
Re:Knoppix and F.I.R.E.
With a big emphasis on muLinux.
-
Re:Actual Implementation
-
Re:is there anything interesting about it?
Well, aside from the 1337ness factor, probably the best thing I can think of is portability. Suppose, like me, your only Mac is an iBook 400 dual-USB. Totally kicks ass for network administration and client support, but I can tell you from long and painful experience that it's not much for compiling. On the other hand, my desktop box is a dual-Xeon monster that absolutely zips through compiling - a vanilla Linux kernel takes a couple of minutes on this box. Now, if I were running Darwin on it, and I wanted to port one of my favorite apps onto it, it would be a hell of a lot less painful for me to do by setting the arch flags in the makefile and dealing with all the debugging on a machine that takes less than a tenth of the time to do the compiles before packaging up the binary.
That's just one reason. I'm sure that there are others. -
Re:One thing that is needed.
Packet tracing.
Ethereal is a wonderful thing.
-
Re:Teach people to use already available tools
One place I did find logging to be better than the debugger though was in debugging distributed applications.
Actually, I code distributed applications for a living
:-) We do some logging that can be turned on and off on the fly so that we can help debug distributed problems both in house and in the field.
I guess I didn't mean to imply printf() is useless, just that it is one small tool in debugging a problem. If printf() is the only thing you use, then you either have a simple problem or you are going to have to spend a lot of time debugging. I also get some use out of packet sniffers like Ethereal, and as I said you can do a lot with dbx. This all goes back to the original point - use all of the tools you have available, and learn how to use them well!
-
OR....
you can install ethereal
-
Re:This will work for a while...
The MAC address space currently in use is pretty big, but enough people working together could make the game unplayable by a lot of people.
-
Mozilla...hrm...Slightly OT
I had the same idea, only I started out smaller: I sent a copy of Mozilla 1.0, Win98 version, to my father to keep him from having to spend $ on a pop-up blocker. Worked fine until he tried to print: crashed horribly, had to reboot five or six times and reinstall his printer drivers.
Don't get me wrong: I loooooooooooooooooooooove Mozilla (use it on FreeBSD, got 2002090017 build -- latest I could find) and was really hoping to convert him to Mozilla (and then to Linux....mwuahahahahah!) I'm just wondering if anyone else has had similar problems.
I know this is pretty damned useless as a diagnosis: I work on helpdesk for an ISP, and I always hate it when someone calls and says "My thing doesn't work with my other thing. Why?" I'm just wondering if Mozilla + Printers + Win98 == Kaboom! is a common thing, or just One Of Those Things.
Anyhow, maybe throw in a copy of K-Meleon, or Ethereal if they want to see what browser everyone else is using
:-). -
Re:im
There is no need to do it yourself. Use a network traffic analyzer like Ethereal. The Win32 version works quite well.
-
Re:How is this news?
I stand corrected, on both counts. The latest versions of ncpfs do indeed have support for NCP over IP.
I actually did know about the NCP documentation available through Novell's Developer Net - it's not what I originally had in mind though. Yes, it does document each NCP call - but (IMO) it hardly gives enough information to be used to generate a new client. Perhaps I'm just not enough of a developer to appreciate what's in the document.
The information is also provided under a restrictive license agreement that could inhibit its use for creating 3rd party Netware clients:
2. You may use the NCP Documentation only for providing technical support services to end users of Novell products and to support Your development of Derivative Software that does not: a) enable more than one end user per copy of the Derivative Software to access a NetWare server; or, b) provide NetWare server functions.
I can see where they are coming from... and given that ncpfs does now have the necessary IP support, and Novell has even gone so far as to donate some time from one of their engineers to improving Ethereal's NCP decoder, I don't really have any objections. -
Re:first thing to find out is..
Also take a look at Ethereal, which is free, and quite nifty.
-
You can use 'tethereal' for realtime AIM decodes
FYI, the Ethereal sniffer package includes a decoder module for AOL Instant Messenger traffic.
The text-interface equivalent is 'tethereal', which provides realtime decoding of AIM messaging traffic, and supports logging raw packets to a file.
One of the most common ways for AIM to work through a firewall is by pretending to be a SSL connection to the AOL 'oscar' server, and tunnel through a HTTP/SSL proxy. But in reality, that session is still cleartext, easily intercepted.
I am not sure if any similar software currently exists for MSN, Yahoo or ICQ. IRC is trivial, and Jabber's XML doesn't take much to extract to human readable dumps.
Even Jabber's SSL support only offers minimal protection, as (despite repeated requests to have the feature added) none of the Jabber client software implementations include any checking of the server certificate, so all Jabber clients are vulnerable to 'man in the middle' attacks.
-
Re:NAI Distributed Sniffer Client/server together
Ooops - screwed up the URL, that should be http://www.ethereal.com/ . DOH!
-
Also, see...
Gnome's gnotices also has an article about designing and debugging corba application, using the great application ethereal as an example.
-
Re:Almost
And if you're on a switched network? Surely you wouldn't receive any relevant traffic?
You would initially just see broadcast traffic, and that gives you some IP information to get started from. You could then send a continuous stream of forged packets to the switch pretending to be from MAC addresses you can see. Depending on the switch you may be able to force it to fail and start acting as a hub, or receive packets intended for the legitimate hosts you are faking.
It's a technique known as ARP spoofing, for which there are plenty of tools such as Dugsong's DSniff suite. Get Ethereal as well, capture some packets and see what you can derive about the network - it should be quite a lot. Add a packet generator into the mix and, well, the sky's the limit really. I should also point out that you can very easily break the law with these tools; be careful what you do and where...
-
Re:I wish my bug was fixed.
Cripes. A lotta talk when all you need to figure out who the culprit is is download Ethereal and run it with a filter of 'port 25'.
-
Re:I almost hope so...
802.11b is pathetically weak. With every new node which uses 802.11b, faulty encryption is becoming more ingrained in our infrastructure. You can help stop the spread of 802.11b. Demonstrate a well known attack. Use AirSnort [sourceforge.net], show it to your boss, coworkers, anyone who purchases hardware.
I have demonstrated Ethereal to my boss and people who purchase hardware, and they have decided to trash all the hubs and those pesky network cards that are only a means for crackers to get into computers. The Ethernet protocol is broken, people can actually sniff packets on the network...
Guillaume
-
Re:ASN.1 "compression" vs XML
Bruce, I had to flame the guy a few posts up from you, but he has a 6-digit slashdot userid. Nobody cares how obtuse the wire encoding is because here in the Cenozoic era, we have learned to walk upright and also to use labor-saving software to analyze our protocols. My favorite is ethereal but you might like to browse some others.
-
Re:bandwidth is cheap
at least XML gives a clear description that I can use with a packet sniffer when trying to debug something.
Translated:
My debugging tools are inadequate, and my brain is inadequate for improving them.
You have a powerful, general-purpose computer at your disposal. Why should you care if the protocol can be inspected with the naked eye? Do you use an oscilloscope to pretty-print IP packets? No, you use ethereal! If XML is encoded using ASN.1, then the tools will be modified to decode ASN.1 before showing it to the human. Ethereal already knows about ASN.1 because it uses it to display LDAP traffic. If you don't like ethereal, try Unigone.
Use your CPU, not your eyeballs!
-
Use a Sniffer
Download Ethereal from www.ethereal.com. And if she figures out how to encrypt her traffic so that you can't sniff the packets, then be proud! You have a smart one!