Preliminary Ethereal User's Guide
An Anonymous Coward writes "The preliminary Ethereal User's Guide is up.
It will be updated over the next month or so, and will be followed by a Developer's Guide.
It is all done in DocBook and the source will be up at the Ethereal web site." If you haven't used ethereal, it's an extremely excellent packet sniffer: play with it a little and you'll never use telnet and FTP again (unless of course you knew that already).
Investigate the latest version of Courier-IMAP which has built in support for IMAP-SSL/TLS, as opposed to using stunnel.
stunnel is great for a small number of connections, but the overhead of launching a new process every time is fairly significant as you scale up, so Courier does a great job of a lightweight, secure IMAP server.
You have to use maildir - but both Exim and qmail support it natively now, and it's far superior to the traditional mbox format anyway.
Root can do just the same thing to you on an untrusted UNIX box. At least with S/Key he won't know your password.
Actually, I just checked it out. It is rather nice, however...
Etherpeek and NA Sniffer both do pretty much everything ethereal does.
Ethereal has some neat tcp stream watching features, which is rather unique.
Ethereal is more flexible in terms of filters, and certainly being open source and running on unix are great. However...
Ethereal does NOT seem to have any graph-drawing abilities. Etherpeek and the like can generate stats based on packet size distribution, protocol types, and several other factors. I find these very useful features.
Also, the GUI needs work. I mean, it's great, it's clean, it's great for unix, but etherpeek and NA sniffer both color code automatically, in several ways.
Also, it doesn't seem to have the ability to play back what it records into the network (useful for testing/using other devices to analyze captured data). Of course this can be accomplished with other tools, but Etherpeek and NA sniffer both do this out of the box.
Ethereal does seem to have a superior filtering mechanism; however, the filters in NA sniffer and etherpeek are also competent. (read: Ethereal has a kick-ass filter mechanism, but the others are adequate)
Also, when monitoring a busy network, displaying realtime results, etherpeek is unbalanced. screen updates are very slow, and it's a pain in the ass to use. NA sniffer and etherpeek stay smooth.
Yes, of course, NA sniffer and Etherpeek both cost $$$ ($1000 and up). Yes, of course, they aren't open source, and of course, don't run on unix.
So.. from a free tool point of view, etherpeek is fantastic.
From a Sniffer point of view, Etherpeek has some neat features, but is not the best.
I agree that anyone who is knowledgeable and wants to remain undetected can probably do so. My warning wasn't addressed to the hackers/crackers out there (who, after all, don't need me to tell them about the dangers) but rather those who out of curiosity might run out and install this software on their work machine running, for example, Win98. If their network administrator suddenly notices that they're sniffing the local net, there are going to be some questions asked. And legitimately so. There are a number of ways, some easier to implement than others, to tell when there's a packet sniffer on your net. For a list, take a look here (scroll down to 2.5 - "How can I detect a packet sniffer?").
Thanks to Ethereal, I discovered a bug in Java's HttpURLConnection. For some reason, after I would make rapid requests to a site, the HTTP headers wouldn't be set, even though I set them in my code. My debugging messages said that I was setting them, but when I used Ethereal to sniff the packets, whoops, they were set to their default values. I called up Sun, and it was given a bug ID. They plan to fix it in the 1.3 release for UNIX. I can't tell you how much time this has saved me. It truly is a triumph of open source.
Lucky me, I also run VMWare, which flips on promiscuous mode anyway, so if someone is using a sniffer detector, I can always blame VMWare.
"This is not a company that appears to be bothered by ethical boundaries."
Attorney General Mike Hatch on Microsoft
Try giving a URL for it.
I'll assume that you're referring to Analyzer from the folks at the Politecnico di Torino, the folks who also bring you WinDump, a port of tcpdump to Win32 systems, and WinPcap, a port of libpcap to Win32 systems (including drivers for Windows 9x and Windows NT, including NT 5.0^H^H^H^H^H^HWindows 2000), which is the library that Ethereal on Win32, Analyzer, and WinDump all use.
(The Politecnico di Torino site appears not to be responding at the time that I'm posting this; be patient - we sometimes get folks posting to the ethereal-users mailing list asking "that site is down, how do I get WinPcap?", for which the answer is "it's probably just temporarily down, try again later".)
If you're sniffing your local Ethernet network at work, be careful. To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine). Some network administrators are sensitive to this sort of thing, since it can be used to compromise security. There are software tools that can detect when a machine has an Ethernet interface in this mode, and they may be in use at your organization. Be prepared to explain why you're monitoring the net traffic.
If you haven't used ethereal, its an extremely excellent packet sniffer...
I remember showing Ethereal to some guys who did network troubleshooting for a living, and they were astounded. I highly recommend giving it a try.
Don't sweat the petty things. But do pet the sweaty things.
Ah, the joys of binary non-compatibility; UCD SNMP 4.1.1, which RH 6.2 picked up, changed a routine Ethereal uses into a macro, which meant that the Ethereal in the binary RPMs, which were built on RH 6.1, and linked with the UCD SNMP shared library, don't work on 6.2, as a routine it calls isn't present in the 6.2 UCD SNMP shared library. (UCD SNMP 4.1.2 turned that and other macros back into routines; I filed a bug with Red Hat suggesting that they pick up 4.1.2, which, as I remember, they said they'd do in 7.0.)
I threw into Ethereal 0.8.10 a greasy hack, inspired by greasy hacks I've been told are used on Windows to e.g. allow applications to use new DLL routines if present on a particular system without blowing up if they aren't, to work around that.
Whilst it worked on my simulation of that situation on my Debian 2.1 partition, it appears not to work on RH 6.2; I have some diagnostic information from one user who reported that on the ethereal-users mailing list, and will see if I can check in a change more likely to make it Just Work.
That's all you did? Just installing those two RPMs? That's bizarre - what files did installing those two RPMs add to your system?
Or is there an "I then recompiled from source" step after that step?
A great resource that I refer to a lot:
Sniffing (network wiretap, sniffer) FAQ
M$: "We're #2!"
Normally (non-promisc) the hardware filters out packets that don't match your MAC. When you go into promisc mode, this is moved into the domain of the OS.
/*
Now the way to find out is to send frames with valid IP data, but to an invalid MAC. Normally the card would filter this out, but *gasp* it doesn't, it's in promisc mode.
That's how the promisc scanners find data. Some OSs will drop the invalid MAC (realizing it's not their own), others accept it, assuming that the hardware would filter it out.
*Not a Sermon, Just a Thought
*/
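The "invalid destination MAC" test described in the comment above, as an added model (not Ethereal, AntiSniff or sniffit code, and it sends no packets): it simulates the two filtering layers, the NIC's hardware filter and the OS's own check, and shows why the probe only flags hosts whose OS trusts the hardware to have filtered the frame. Host, probe addresses and the `os_checks_mac` switch are constructed for the illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # The low bit of the first octet marks a group (multicast/broadcast) address.
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Host:
    mac: str
    promisc: bool = False
    # Constructed switch: does the IP stack re-check the destination MAC before
    # answering? ("Some OSs will drop the invalid MAC ... others accept it.")
    os_checks_mac: bool = True
    groups: set = field(default_factory=set)  # joined multicast groups

    def nic_accepts(self, dst: str) -> bool:
        """Hardware filter: normally only our MAC, broadcast and joined groups."""
        if self.promisc:
            return True  # promiscuous mode: the card passes everything up
        return dst == self.mac or dst == BROADCAST or dst in self.groups

    def os_accepts(self, dst: str) -> bool:
        """The OS only sees frames the NIC passed; it may or may not re-check."""
        if not self.nic_accepts(dst):
            return False
        if self.os_checks_mac:
            return dst == self.mac or dst == BROADCAST or dst in self.groups
        return True  # trusts the hardware filter that is no longer active


def replies_to_probe(host: Host, dst: str) -> bool:
    """Would a valid IP request (say an echo to the host's IP) carried in a
    frame addressed to `dst` be answered?"""
    return host.os_accepts(dst)


# Constructed probe addresses: a bogus unicast MAC and a "fake broadcast".
PROBES = ["00:00:00:00:00:00", "ff:ff:ff:ff:ff:fe"]


def looks_promiscuous(host: Host) -> bool:
    """Flag a host if a frame the hardware filter should have dropped is answered.
    A promiscuous host whose OS re-checks the MAC is NOT flagged: the page's caveat."""
    return any(replies_to_probe(host, p) for p in PROBES)
```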
Sniffer programs are also useful if you only care about the traffic between two machines, at least one of which is capable of running the sniffer program (or can otherwise produce a network trace file). Perhaps that's less common for network administrators than for software developers, but if you're a developer at a manufacturer of, well, Network Appliances, packet analyzer programs can come in very handy even if you can't see all the traffic on a network segment.
``...play with it a little and you'll never use telnet and FTP again''
Of course, people forget about their mail a lot. Here at UMN, our central mail servers run stunnel, so you can read your POP3 or IMAP mail over an SSL tunnel. Before I found out that they were doing this, I was really bothered by how many people could be sniffing my password. I had tried using SSH tunnels, but that required you to stay logged in.
New versions of Netscape Communicator do support SSL, and I believe recent versions of mutt do too.
--
Ski-U-Mah!
If you're using Windows, at least.
You'll need WinPcap to get it to capture packets at all - but you'll need WinPcap to get Ethereal to capture packets on Win32 as well.
The Politecnico di Torino folk also have WinDump, a port of tcpdump to Win32, also using WinPcap.
Or just go to the Analyzer site (I'm assuming from the reference to WinPcap that you're talking about the Politecnico di Torino Analyzer). If the site isn't up, try again later.
To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine).
true
Some network administrators are sensitive to this sort of thing, since it can be used to compromise security.
According to the sniffit FAQ, detecting 'promiscuous' mode is only possible if the OS is broken or not configured properly. It is my understanding that Linux or even Win32 in this mode would be very hard to detect.
Perhaps you recall Slashdot's article about packet sniffer-sniffers from L0pht. There is much skepticism as to whether or not 'Antisniff' can really work, as it seems to make a lot of assumptions about the machines it scans. If memory serves, one of the tests is to send a message to the client machines and record the time it takes to respond. Then in the future, if it responds significantly slower, something may be up. Another is to try to overload machines by sending a large number of forged packets that all good machines will ignore and the promisc machine will choke on.
With the current state of Ethernet, sniffing is basically risk free.
The only down side is that you need to be within the same subnet as the victim machine.
An advantage of S/Key is that you don't need to trust the system you are logging in from.
As a matter of interest, how do you forward ftp over ssh? Is this by using ssh to construct a VPN, or is there some other trick?
Cheops is a network "swiss army knife". It's "network neighborhood" done right (or gone out of control, depending on your perspective). It seems that the development has slowed down a bit though.
Have a look at:
http://www.marko.net/cheops/ and
http://www.marko.net/cheops/features.html
RFC1925
*sigh* What's that saying about a little bit of knowledge being a dangerous thing?
SOME NICs will "chirp" when put into promiscuous mode. SOME OSes will exhibit slightly different behavior on their TCP/IP stack when the NIC is running in promiscuous mode.
But all of that is irrelevant. Anyone who seriously wants to sniff your network will snip the Tx lines on a special patch cable. Then it doesn't matter what the NIC or OS is doing - nobody will see anything coming out of that NIC. The only(?) way to detect it is by checking line impedance - something a well-stocked site could handle, but not most businesses or schools.
Obviously, this trick will also keep you from actually doing anything useful -- and that itself might be suspicious. (Or might not, if this "dead" system is sitting in a dorm room or otherwise unoccupied office.) But if you have access to a hub (official or not) and a second NIC....
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken