Domain: tcpdump.org
Stories and comments across the archive that link to tcpdump.org.
Comments · 21
-
Re:Why do people still use Ubuntu?
Honest question. I want to know.
Because I run Linux on VMs when I'm trying to do platform-specific work (and, as a core developer for a library with rather a lot of platform-dependent - and platform-OS-version-dependent - code implementing those attempting-to-be-mostly-platform-independent APIs, there's a fair bit of that involved).
As a result, I want to spend as little time as possible dicking with the OS, leaving as much time as possible to actually adding new capabilities and fixing bugs. Ubuntu seems to do a good job of that; if you have another distribution to recommend for this, please do. Note that, whilst I haven't yet had to do any kernel work (other people fixed the kernel issues before I got around to building a kernel with my changes), I'd like a distribution where the process of building and installing a new kernel is as simple a process as possible. Fedora fails here. (In the OS on which I last did kernel work, it's pretty much
make; mv /mach_kernel /mach_kernel.save; cp mach_kernel /; reboot
and it was, as I remember, similarly simple in the previous UN*X on which I did kernel work.)
-
Re:Wireshark [chown] sucks
To fully access the data stack from eth0 or wlan0 you need to run wireshark as root otherwise your trace will not be complete.
Nope.
For one thing, Wireshark shouldn't be accessing the network interfaces, it should be asking the dumpcap program, which is one of the components of Wireshark, to do so. To quote Wireshark's README.packaging file:
WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.
For another thing, the README.packaging document (in the "Privileges" section, which contains that rather emphatic quote), and the CaptureSetup/CapturePrivileges page in the Wireshark Wiki, discuss ways in which you can avoid even running dumpcap as root - it may need additional privileges, but not full root privileges.
All packet sniffers technically need to have root to be effective on any Unix-like system.
Nope. See the above documents and the main libpcap man page (following "Reading packets from a network interface may require that you have special privileges:"). That's what the ChmodBPF script installed by Wireshark on OS X does; see the "Under BSD (this includes Mac OS X)" section - it does the "some other way to make that happen at boot time".
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
Presumably he had to answer to the Coca-Cola company for that?
Ok Thanks I am running the older version LOL
$ wireshark --version
wireshark 1.4.6

Copyright 1998-2011 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.4, with GLib 2.28.6, with libpcap 1.1.1, with libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.3, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 18 2011 15:44:36), without AirPcap.

Running on Linux 2.6.38-8-generic, with libpcap version 1.1.1, with libz 1.2.3.4, GnuTLS 2.8.6, Gcrypt 1.4.6.

Built using gcc 4.5.2.
~ $
Guess I should upgrade and RTFM. I only use it when doing single traces though, so the chances of leaving something open and being hacked while using it are almost zero. I do not run it as a process on the server, only as a tracking mechanism if something gets hacked, and then only on the old laptop that I use for diagnostics. I should set it up as a service though if I can figure out an effective way to keep the log sizes down to specific info instead of a verbose as hell text file! Would be great if the files it created could be time stamped and compressed by wireshark itself on the fly as it logs. I tried setting up a cron with a shell script to do that but could not get it to spawn an output text log. Guess I should hone up my bash skills and do some more RTFM. Hopefully wireshark can use automated scripts to set up logging with a cron job without running the GUI, something like the way I run vlc nox.
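The least-privilege setup the reply above points to (file capabilities on dumpcap, not a root Wireshark) can be checked on a host. This is an added example, not Wireshark's own tooling; it assumes a Linux box where the getcap utility is present when file capabilities are in use.

```python
import os
import shutil
import stat
import subprocess

def inspect_binary(path):
    """Collect the facts that decide how `path` may open a capture device."""
    st = os.stat(path)
    caps = ""
    if shutil.which("getcap"):
        # getcap prints the file's capability set, e.g. "cap_net_admin,cap_net_raw=eip"
        res = subprocess.run(["getcap", path], capture_output=True, text=True)
        caps = res.stdout.strip()
    return {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "owner_uid": st.st_uid,
        "world_exec": bool(st.st_mode & stat.S_IXOTH),
        "caps": caps,
    }

def assess(facts):
    """Classify the privilege model against the README.packaging advice quoted above.

    'setuid-root'   : everyone who can execute the binary gets a root dumpcap
    'file-caps'     : only CAP_NET_RAW/CAP_NET_ADMIN, and not every local user may run it
    'file-caps-open': the right capabilities, but any local user may run it
    'unprivileged'  : no special rights, so capture needs sudo (i.e. Wireshark as root)
    """
    if facts["setuid"] and facts["owner_uid"] == 0:
        return "setuid-root"
    if "cap_net_raw" in facts["caps"]:
        return "file-caps-open" if facts["world_exec"] else "file-caps"
    return "unprivileged"

def audit(path=None):
    """Audit the dumpcap on PATH (or the given path) and return (path, verdict)."""
    path = path or shutil.which("dumpcap")
    if not path or not os.path.exists(path):
        return (path, "missing")
    return (path, assess(inspect_binary(path)))

if __name__ == "__main__":
    print(audit())
```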
-
Re:And where have they put the power button on the
Sometimes it's really convenient to just reboot and get to work, instead of launching an extra environment. Yes, virtualisation works, but unless one has to multitask between OS-dependent applications,
And some do. (I do development on cross-platform software, and it's Way Cool to be able to try stuff on various non-OS X OSes without having to reboot and not have my regular development/Web access/e-mail/etc. environment handy and without having to have another machine on which to do it. The downside is that, given that I want multiple versions of those OSes, about 1/3 of my "disk" is filled up with VMs....)
-
tcpdump?
I wonder if this job could be done with tcpdump in Linux?
http://www.tcpdump.org/
-
Re:Some options
In the case of Perl (the language) and perl (the language system's implementation), there's The Perl Foundation. They pay bounties, give grants for certain projects, help support sites like Perlmonks and use Perl;, and more.
The tcpdump and libpcap projects are on SourceForge, but they don't have their donations link enabled. The projects' home page isn't coming up for me ATM, so I can't say if they have anything there.
The strace project is also on SourceForge and also does not have their donations enabled. The web page listed for the project is the project's SourceForge page itself, so I don't know where else to look off the top of my head.
-
Re:Specifications
- It's very frustrating when you find previously unknown and undocumented features in software that you have purchased.
Well, for this situation finding a potential problem is easy: Port scan, security scanner. Two things that you should be doing on every network enabled device.
The time consuming part comes with the follow up where you check the results of the scans on the local machines and determine if you trust that the exposed services are being handled by secure apps. If in doubt, use an encrypted tunnel or yank the service -- whatever is appropriate. (If neither is an option, determine the danger and try and deal with it as best you can.)
Along with that, setting up a filter to check for supposedly unused ports can catch some clever developers.
Not perfect (it doesn't handle piggybacked dynamic connections on port 80 for example), though it is a good initial test.
-
Uhm dude... that's not a sniffer...
A quick rtfa tells me that this isn't a sniffer at all, it's just a perl script that parses the plain-text output from someone else's sniffer. Sorry, no donut. NEXT!
What's up with tcpdump and friends, snort, kismet, bsd-airtools and ethereal anyway?
-
Re:Switched Routers?
It's pretty easy to configure a router to copy each packet to a specific port for analysis by a dedicated machine.
Well, for some routers/switches, anyway.
There's even an entry in the Ethereal FAQ and an entry in the tcpdump FAQ about that, including links to documentation for at least some switches for doing "port monitoring". (If people have links for switches not listed there, send them on to the ethereal-users or tcpdump-workers mailing lists so we can add them to the FAQs.)
-
Re:Ethereal
btw, for the google impaired: tcpdump
-
Great tools.
-
Re:DoItYourself
Just in case you are serious: You need tcpdump (and screen) to be installed for that command line to work. Instead, install a packet sniffer of your choice (like windump) and tell it to grab TCP packets with the TCP header "window size" set to 55808.
You could avoid a lot of trouble if you installed a more usable operating system before. I expect a networking OS distribution to ship with a packet sniffer.
/graf0z.
-
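What the DoItYourself reply above asks a sniffer to do is the tcpdump/windump filter tcp[14:2] = 55808. The added example below (not the poster's code) writes a small constructed libpcap file and applies the same test by hand, which shows exactly which bytes that expression reads and why, like tcpdump, it only looks at first fragments; it assumes nothing beyond the Python standard library.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic (host byte order, microsecond timestamps)
LINKTYPE_IPV4 = 228       # link-layer type 'raw IPv4': packet data starts at the IP header
TARGET_WINDOW = 55808     # the TCP window value the reply above tells you to look for

def tcp_segment(src_port, dst_port, window):
    """Constructed minimal IPv4 + TCP SYN; checksums are left zero, a file does not care."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 52]), bytes([10, 0, 0, 1]))
    return ip + tcp

def write_pcap(path, packets):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("=IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt)

def read_pcap(path):
    """Yield the captured bytes of each record (only native-order files are handled)."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24 or struct.unpack("=I", hdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a native-order libpcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            yield f.read(struct.unpack("=IIII", rec)[2])

def tcp_window(packet):
    """What the BPF expression tcp[14:2] reads: bytes 14-15 of the TCP header.
    Like tcpdump, it first requires IPv4, protocol 6 and fragment offset 0."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    if (packet[6] & 0x1F) or packet[7]:   # later fragment: no TCP header in this packet
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 16:
        return None
    return struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]

def match_window(path, window=TARGET_WINDOW):
    """Record indices whose TCP window equals `window`, like 'tcp[14:2] = 55808'."""
    return [i for i, pkt in enumerate(read_pcap(path)) if tcp_window(pkt) == window]

def demo(path=None):
    """Write three constructed segments and report which one carries window 55808."""
    path = path or os.path.join(tempfile.gettempdir(), "constructed_55808.pcap")
    write_pcap(path, [tcp_segment(1328, 80, 16384), tcp_segment(1397, 80, TARGET_WINDOW),
                      tcp_segment(4000, 80, 65535)])
    return match_window(path)
```

The file demo() writes can also be fed to tcpdump -r with the filter from the reply, which should select the same single record.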
Materials to start with
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few security-based certifications as well, YMMV.
-
This is a hoax!
This seems to be a hoax.
Here's a tcpdump for www.microsoft.com, on an XP box:
03:47:16.259661 10.0.0.52.1328 > www.us.microsoft.com.http: S 2485226999:2485226999(0) win 16384 (DF)
03:47:16.279661 www.us.microsoft.com.http > 10.0.0.52.1328: S 631604626:631604626(0) ack 2485227000 win 65535 (DF)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: . ack 1 win 17520 (DF)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: P 1:398(397) ack 1 win 17520 (DF)
03:47:16.339661 www.us.microsoft.com.http > 10.0.0.52.1328: . ack 398 win 65139
And here's for www.msn.com:
03:50:22.169661 10.0.0.52.1397 > www.msn.com.http: S 2535664221:2535664221(0) win 16384 (DF)
03:50:22.199661 www.msn.com.http > 10.0.0.52.1397: S 3601141750:3601141750(0) ack 2535664222 win 65535 (DF)
03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: . ack 1 win 17520 (DF)
03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: P 1:391(390) ack 1 win 17520 (DF)
03:50:22.269661 www.msn.com.http > 10.0.0.52.1397: . ack 391 win 65146
These look like perfectly valid TCP handshakes. I did notice that when refreshing a site, IE reuses the previous connection, but that's legal (assuming it used Connection: KeepAlive in the HTTP header. I didn't verify that.)
The samples were taken on my network's gateway, which is a Linux box, hence impartial :)
But don't take my word for it. Try it yourself!
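The check the poster makes by eye (each SYN answered by a SYN/ACK whose ack is the client's ISN plus one, then a plain ACK from the client) can be run over that same tcpdump text. This is an added example, not the poster's own script; its input is the two captures quoted above with the archive's line wrapping undone, in the old tcpdump format where sequence numbers are absolute on SYN segments and relative afterwards.

```python
import re

# Constructed input: the two captures quoted in the post above, with the
# archive's line wrapping undone (old tcpdump text format, no -S flag).
SAMPLE = """\
03:47:16.259661 10.0.0.52.1328 > www.us.microsoft.com.http: S 2485226999:2485226999(0) win 16384 (DF)
03:47:16.279661 www.us.microsoft.com.http > 10.0.0.52.1328: S 631604626:631604626(0) ack 2485227000 win 65535 (DF)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: . ack 1 win 17520 (DF)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: P 1:398(397) ack 1 win 17520 (DF)
03:47:16.339661 www.us.microsoft.com.http > 10.0.0.52.1328: . ack 398 win 65139
03:50:22.169661 10.0.0.52.1397 > www.msn.com.http: S 2535664221:2535664221(0) win 16384 (DF)
03:50:22.199661 www.msn.com.http > 10.0.0.52.1397: S 3601141750:3601141750(0) ack 2535664222 win 65535 (DF)
03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: . ack 1 win 17520 (DF)
03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: P 1:391(390) ack 1 win 17520 (DF)
03:50:22.269661 www.msn.com.http > 10.0.0.52.1397: . ack 391 win 65146
"""

LINE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) (?P<rest>.*)$")
SEQ, ACK = re.compile(r"(\d+):\d+\(\d+\)"), re.compile(r"\back (\d+)")

def parse_line(line):
    """Return src, dst, flags, seq and ack of one tcpdump TCP line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    seq, ack = SEQ.search(m["rest"]), ACK.search(m["rest"])
    return {"src": m["src"], "dst": m["dst"], "flags": m["flags"],
            "seq": int(seq.group(1)) if seq else None,
            "ack": int(ack.group(1)) if ack else None}

def check_handshakes(text):
    """Map (client, server) -> 'complete' | 'broken' | 'incomplete'.

    tcpdump prints absolute sequence numbers on SYN segments and relative
    ones afterwards, so step 2 is checked against the client's absolute ISN
    and step 3 against the relative 'ack 1' that follows the server's SYN.
    """
    state = {}
    for pkt in filter(None, map(parse_line, text.splitlines())):
        key, rkey = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        if pkt["flags"] == "S" and pkt["ack"] is None:        # step 1: SYN
            state[key] = {"isn": pkt["seq"], "step": 1}
        elif pkt["flags"] == "S" and state.get(rkey, {}).get("step") == 1:  # step 2
            ok = pkt["ack"] == state[rkey]["isn"] + 1
            state[rkey]["step"] = 2 if ok else -1
        elif "S" not in pkt["flags"] and state.get(key, {}).get("step") == 2:  # step 3
            state[key]["step"] = 3 if pkt["ack"] == 1 else -1
    verdict = {3: "complete", -1: "broken"}
    return {k: verdict.get(v["step"], "incomplete") for k, v in state.items()}

if __name__ == "__main__":
    for (c, s), v in check_handshakes(SAMPLE).items():
        print(f"{c} -> {s}: {v}")
```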
-
Re:MD5 checksums
Take a look at tcpdump.org. There are no MD5 checksums for any of the tarballs. Doesn't change my last comment, though. :-)
-
Re:FBI's "outdated" computer systems?
Hahaha what a funny comment... rotflmao, and then you realize it is no fiction at all and that even systems that are used by people that are involved with carnivore collected data run outbreak. This data may not even be filtered as the court order specifies; does the court really understand what's going on when presented with basically a tcpdump filter expression, do they have an *objective* technical review of the filtering applied? This very story is about a carnivore box which captured too much data.
It would be entirely possible that a judge would create a court order that is not specific on the technical details of the filter (how does a device connected to an ISP border router know which IPs it should drop packets from? Would it have access to the RADIUS authentication data when connected to a border router??? unlikely), so the tech adapting the carnivore box for this particular ISP assumes a little freedom; he would not want to miss any packets and the boss agrees that monitoring UBL@aol.com is really important..... Then some outbreak/exchange-using investigator can't figure out what to make of the data he is presented with. Sure, it goes to forensic experts first which reassemble the packets into plain text e-mails (the ones the judge wanted), but they also had a really complicated looking story about this new "jabber" thingy.
So the investigator, who is no Scully whatsoever, asks some techs what it is all about; they agree that if the not-so-Scully FBI agent mails the collected data they will run their l33t perl script to reassemble the jabber session packets into plain text. They have been testing this quick perl hack for in-office testing; their hobby is ARP cache poisoning the office to monitor browsing habits across the switch (they made their hobby their job, who wouldn't want to do that). They figured it would be cool to see each other's jabber sessions....
Tech does de-jabber.pl tcpdumped.log|mail not-so-scully@exchange.somelittlebranchwithnomoney . bi.gov The not-so-Scully investigator is disappointed; all the decoded jabber sessions talk about is the newest Britney and Eminem CDs, so after saving the mail to c:\my documents the not-so-Scully investigator goes to read his next mail, which seems a lot more promising... it reads "I send you the file to have your advice"
And now it turns out, Mike, the 18 year old kid who is really happy about his ubl@aol.com address (cool, his friends always have a laugh about that), has been hanging around the mosque with his Muslim friend because they trade the newest Eminem and Britney CDs there, not 747 flight manuals....
Now this is scary *fiction* of course, just like the whole SirCam picking up FBI files and carnivore capturing the wrong mails things looked like a joke once too.
-
Re:India ?. now way man
India has a carnivore clone ?.
Yes. TCPdump and grep.
-
Re:Might be outdated.
Well, looking at the date on that page (01 October 1998) it seems to me that this info just might be just a tad out of date. Have you actually looked at what's in the 2.4 kernel? Maybe things haven't changed, but it sure wouldn't harm to have a look before fudding.
The item in Linux on that page says
Current releases of the supported versions of Linux (Red Hat and Slackware) do not use BPF or DLPI. Instead, libpcap sniffs packets by reading packets one by one into user space. The packet's source address is compared against its interface name. This implies that all interfaces send all data to all promiscuous listening processes and that the user code is responsible for determining if a packet is interesting.
The packet sniffing mechanisms available in 2.0[.x] kernels, err, umm, suck. 2.2 introduced a better mechanism, and if you've configured in the right kernel option ("Socket Filter" or something such as that) it supports doing packet filtering at the kernel level (i.e., uninteresting packets aren't copied up to userland).
Some Linuxes come with libpcap libraries that use the new mechanism; the current CVS version of libpcap at the tcpdump.org Web site, and the beta versions of libpcap 0.6, also use the new mechanism.
2.4 has, I believe, a mechanism that shares a memory-mapped buffer between the kernel and userland; I don't know if any versions of libpcap use it yet.
So Linux may now do a better job, at least if you configure the socket filter code into your kernel. It doesn't have any buffering mechanism to "batch up" multiple packets in one recvfrom() call, the way BPF and the bufmod STREAMS module on Solaris do; the 2.4 mechanism (which will, I think, eliminate a copy) might obviate the need for that.
(People are looking at similar memory-mapped mechanisms for BSD. Had I bothered to implement the "memory-mapped stream head" stuff I was thinking about ages ago at Sun, it might've been available in Solaris as well; so it goes....)
Note that on Solaris, the same "everything is copied to userland" problem exists that exists on some versions of Linux; I'm not sure why the NFR document speaks of the Linux mechanism as being lower-performance - it may be due to the lack of a buffering mechanism to batch up packets. (They speak of HP-UX, which also lacks such a buffering mechanism, as requiring more CPU for that reason.)
-
Re: Analyzer
Try Analyzer for Windows. Free, open sourced, impressive.
Try giving a URL for it.
I'll assume that you're referring to Analyzer from the folks at the Politecnico di Torino, the folks who also bring you WinDump, a port of tcpdump to Win32 systems, and WinPcap, a port of libpcap to Win32 systems (including drivers for Windows 9x and Windows NT, including NT 5.0^H^H^H^H^H^HWindows 2000), which is the library that Ethereal on Win32, Analyzer, and WinDump all use.
(The Politecnico di Torino site appears not to be responding at the time that I'm posting this; be patient - we sometimes get folks posting to the ethereal-users mailing list asking "that site is down, how do I get WinPcap?", for which the answer is "it's probably just temporarily down, try again later".)
-
Re:Spyware Removal
Currently the freeware version of Optout only can detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.
If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump or windump.