Slashdot Mirror


Preliminary Ethereal User's Guide

An Anonymous Coward writes "The preliminary Ethereal User's Guide is up. It will be updated over the next month or so, and will be followed by a Developer's Guide. It is all done in DocBook and the source will be up at the Ethereal web site." If you haven't used Ethereal, it's an extremely excellent packet sniffer: play with it a little and you'll never use telnet and FTP again (unless of course you knew that already).
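
The point of that last sentence, shown in working code rather than by reading a trace by hand: a minimal Ethernet/IPv4/TCP dissector of the kind Ethereal applies to hundreds of protocols, run over a capture of an FTP login and a telnet login. This is an added example, not code from Ethereal or from the original post. The frames, MAC and IP addresses, port numbers and credentials are constructed for the demonstration; the TCP checksum is left at zero because the dissector only validates the IP header.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Constructed endpoints for the sample capture (assumptions, not from the page).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = "10.0.0.5", "10.0.0.9"


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over a header of even length (0 when valid)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / TCP (PSH|ACK) frame carrying payload; TCP checksum left 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp


def dissect(frame):
    """Minimal Ethernet -> IPv4 -> TCP dissector; returns None for anything else."""
    if len(frame) < 34:
        return None
    _dst, _src, etype = struct.unpack_from("!6s6sH", frame, 0)
    if etype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    if ip[9] != PROTO_TCP or ip_checksum(ip[:ihl]) != 0:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4
    return {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_credentials(frames):
    """Walk a capture in order and pull logins out of cleartext FTP (port 21) and
    telnet (port 23) sessions. Returns a list of (protocol, field, value)."""
    found = []
    telnet = {}   # (client ip, server ip) -> {"prompt": str|None, "buf": bytearray}
    for frame in frames:
        pkt = dissect(frame)
        if pkt is None:
            continue
        if pkt["dport"] == 21:                       # FTP command from client to server
            for line in pkt["payload"].decode("latin-1").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd.upper() in ("USER", "PASS"):
                    found.append(("ftp", cmd.upper(), arg))
        elif pkt["sport"] == 23:                     # telnet server -> client: remember prompts
            text = pkt["payload"].decode("latin-1").lower()
            st = telnet.setdefault((pkt["dst"], pkt["src"]), {"prompt": None, "buf": bytearray()})
            for p in ("login:", "password:"):
                if text.rstrip().endswith(p):
                    st["prompt"], st["buf"] = p[:-1], bytearray()
        elif pkt["dport"] == 23:                     # telnet client -> server: keystrokes
            st = telnet.setdefault((pkt["src"], pkt["dst"]), {"prompt": None, "buf": bytearray()})
            st["buf"] += pkt["payload"]
            if st["prompt"] and b"\n" in st["buf"]:  # a full line typed after a prompt
                line, _, rest = bytes(st["buf"]).partition(b"\n")
                found.append(("telnet", st["prompt"], line.decode("latin-1").rstrip("\r")))
                st["prompt"], st["buf"] = None, bytearray(rest)
    return found


def sample_capture():
    """Constructed frames standing in for a real trace: an FTP login, a telnet login
    typed one keystroke per segment, and an ARP frame the dissector must skip."""
    c2s = lambda port, data: build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40001, port, data)
    s2c = lambda port, data: build_tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, port, 40001, data)
    return [
        s2c(21, b"220 ftp.example.test ready\r\n"),
        c2s(21, b"USER alice\r\n"),
        s2c(21, b"331 Password required\r\n"),
        c2s(21, b"PASS hunter2\r\n"),
        s2c(23, b"\r\nlogin: "),
        c2s(23, b"b"), c2s(23, b"o"), c2s(23, b"b"), c2s(23, b"\r\n"),
        s2c(23, b"Password: "),
        c2s(23, b"s3cret\r\n"),
        struct.pack("!6s6sH", b"\xff" * 6, CLIENT_MAC, 0x0806) + b"\x00" * 28,
    ]


if __name__ == "__main__":
    for proto, field, value in extract_credentials(sample_capture()):
        print(f"{proto}: {field} = {value}")
```

Telnet sends each keystroke in its own segment, so the client side has to be reassembled per flow and attributed to the last prompt the server sent; FTP is simpler because USER and PASS arrive as whole command lines. Either way everything is on the wire in the clear for anyone on the segment, which is why the SSH and TLS replacements exist.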

8 of 79 comments

  1. Re:Mail a problem, too. by stab · Score: 3

    Investigate the latest version of Courier-IMAP which has built-in support for IMAP-SSL/TLS, as opposed to using stunnel.

    stunnel is great for a small number of connections, but the overhead of launching a new process every time is fairly significant as you scale up, so Courier does a great job of a lightweight, secure IMAP server.

    You have to use maildir - but both Exim and qmail support it natively now, and it's far superior to the traditional mbox format anyway.

  2. Re:*sigh* - use cables with Tx lines snipped by John Jorsett · Score: 4

    I agree that anyone who is knowledgeable and wants to remain undetected can probably do so. My warning wasn't addressed to the hackers/crackers out there (who, after all, don't need me to tell them about the dangers) but rather those who out of curiosity might run out and install this software on their work machine running, for example, Win98. If their network administrator suddenly notices that they're sniffing the local net, there are going to be some questions asked. And legitimately so. There are a number of ways, some easier to implement than others, to tell when there's a packet sniffer on your net. For a list, take a look here (scroll down to 2.5 - "How can I detect a packet sniffer?").

  3. Ethereal == Nectar of the gods by _underSCORE · Score: 4

    Thanks to Ethereal, I discovered a bug in Java's HttpURLConnection. For some reason, after I would make rapid requests to a site, the HTTP headers wouldn't be set, even though I set them in my code. My debugging messages said that I was setting them, but when I used Ethereal to sniff the packets, whoops, they were set to their default values. I called up Sun, and it was given a bug ID. They plan to fix it in the 1.3 release for UNIX. I can't tell you how much time this has saved me. It truly is a triumph of open source.

    Lucky me, I also run VMWare, which flips on promiscuous mode anyway, so if someone is using a sniffer detector, I can always blame VMWare.

    --
    "This is not a company that appears to be bothered by ethical boundaries."
    Attorney General Mike Hatch on Microsoft
  4. Sniffing FAQ by Mark A. Rhowe · Score: 5

    A great resource that I refer to a lot:
    Sniffing (network wiretap, sniffer) FAQ

  5. Re:Sniffers aren't as useful as they used to be by Guy Harris · Score: 3

    Sniffer programs are also useful if you only care about the traffic between two machines, at least one of which is capable of running the sniffer program (or can otherwise produce a network trace file). Perhaps that's less common for network administrators than for software developers, but if you're a developer at a manufacturer of, well, Network Appliances, packet analyzer programs can come in very handy even if you can't see all the traffic on a network segment.

  6. Re:Mail a problem, too. by childlll · Score: 3

    "...play with it a little and you'll never use telnet and FTP again"

    yup... because you'll go blind!!! ;-)

    --

    "That that is is that that is not is not"
  7. I'm not sure this is entirely true by ffatTony · Score: 3

    To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine).

    true

    Some network administrators are sensitive to this sort of thing, since it can be used to compromise security.

    According to the sniffit FAQ, detecting 'promiscuous' mode is only possible if the OS is broken or not configured properly. It is my understanding that Linux or even Win32 in this mode would be very hard to detect.

    Perhaps you recall Slashdot's article about packet sniffer-sniffers from L0pht. There is much skepticism as to whether or not 'AntiSniff' can really work, as it seems to make a lot of assumptions about the machines it scans. If memory serves, one of the tests is to send a message to the client machines and record the time it takes to respond. Then in the future, if it responds significantly slower, something may be up. Another is to try to overload machines by sending a large number of forged packets that all good machines will ignore and the promiscuous machine will choke on.

    With the current state of Ethernet, sniffing is basically risk free.

    The only down side is that you need to be within the same subnet as the victim machine.
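
One concrete version of the kind of promiscuous-mode test the post above is skeptical of, and the "how can I detect a packet sniffer?" question raised in comment 2, as an added example that is not code from AntiSniff, the sniffit FAQ or the original posts: an ARP request for the target's IP address is sent to a link-layer destination that no NIC should accept in normal mode. If the host answers, its NIC passed up a frame that was not addressed to it. The simulation encodes the assumption the test depends on, namely that the OS's ARP code does not re-check the Ethernet destination after the NIC has passed the frame; the `stack_checks_link_dst` flag is a hypothetical knob showing how a stack that does re-check produces a false negative, which is exactly the "only if the OS is broken" caveat quoted above. Host and prober addresses are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# Probe destination used by the classic test: it looks like broadcast to a careless
# software check but is not the broadcast address, so a hardware filter drops it.
BOGUS_DST = b"\xff\xff\xff\xff\xff\xfe"
# Constructed prober identity (assumption, not from the page).
PROBER_MAC, PROBER_IP = bytes.fromhex("02000000aa01"), bytes([10, 0, 0, 1])


def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (hardware type 1, protocol IPv4)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, sender_ip, target_mac, target_ip)
    return struct.pack("!6s6sH", eth_dst, sender_mac, ETHERTYPE_ARP) + arp


def parse_arp(frame):
    eth_dst, _eth_src, etype = struct.unpack_from("!6s6sH", frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    return {"eth_dst": eth_dst, "op": op, "sender_mac": smac, "sender_ip": sip,
            "target_mac": tmac, "target_ip": tip}


class Host:
    """A host on the segment: a NIC destination filter in front of an ARP stack."""

    def __init__(self, mac, ip, promiscuous=False, stack_checks_link_dst=False):
        self.mac, self.ip = mac, ip
        self.promiscuous = promiscuous
        self.stack_checks_link_dst = stack_checks_link_dst   # hypothetical "careful stack" knob

    def nic_accepts(self, frame):
        """Hardware filter: own unicast, broadcast, or anything at all in promiscuous mode."""
        dst = frame[:6]
        return self.promiscuous or dst == self.mac or dst == BROADCAST

    def receive(self, frame):
        """Deliver one frame; return the reply the host would put on the wire, or None."""
        if not self.nic_accepts(frame):
            return None
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REQUEST or arp["target_ip"] != self.ip:
            return None
        if self.stack_checks_link_dst and arp["eth_dst"] not in (self.mac, BROADCAST):
            return None   # a careful stack re-checks what the NIC was supposed to filter
        return build_arp(ARP_REPLY, arp["sender_mac"], self.mac, self.ip,
                         arp["sender_mac"], arp["sender_ip"])


def probe(host, prober_mac, prober_ip, eth_dst):
    """Send an ARP request for host.ip to eth_dst; True if the host answered."""
    req = build_arp(ARP_REQUEST, eth_dst, prober_mac, prober_ip, b"\x00" * 6, host.ip)
    reply = host.receive(req)
    return reply is not None and parse_arp(reply)["op"] == ARP_REPLY


def classify(host, prober_mac, prober_ip):
    """'down' if even a broadcast ARP goes unanswered (liveness control), 'promiscuous'
    if the bogus destination is answered, otherwise 'normal' (possibly a false negative)."""
    if not probe(host, prober_mac, prober_ip, BROADCAST):
        return "down"
    return "promiscuous" if probe(host, prober_mac, prober_ip, BOGUS_DST) else "normal"


if __name__ == "__main__":
    hosts = {
        "quiet host": Host(bytes.fromhex("020000000001"), bytes([10, 0, 0, 5])),
        "sniffer": Host(bytes.fromhex("020000000002"), bytes([10, 0, 0, 6]), promiscuous=True),
        "careful sniffer": Host(bytes.fromhex("020000000003"), bytes([10, 0, 0, 7]),
                                promiscuous=True, stack_checks_link_dst=True),
    }
    for name, h in hosts.items():
        print(f"{name}: {classify(h, PROBER_MAC, PROBER_IP)}")
```

The broadcast probe first establishes that the host is up at all, so silence on the bogus-destination probe can be read as "filtered" rather than "absent". The "careful sniffer" case is the important one: it is promiscuous, it is sniffing, and the test still reports "normal", which is the practical content of the skepticism in the comment.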

  8. *sigh* - use cables with Tx lines snipped by coyote-san · Score: 3

    *sigh* What's that saying about a little bit of knowledge being a dangerous thing?

    SOME NICs will "chirp" when put into promiscuous mode. SOME OSes will exhibit slightly different behavior on their TCP/IP stack when the NIC is running in promiscuous mode.

    But all of that is irrelevant. Anyone who seriously wants to sniff your network will snip the Tx lines on a special patch cable. Then it doesn't matter what the NIC or OS is doing - nobody will see anything coming out of that NIC. The only(?) way to detect it is by checking line impedance - something a well-stocked site could handle, but not most businesses or schools.

    Obviously, this trick will also keep you from actually doing anything useful -- and that itself might be suspicious. (Or might not, if this "dead" system is sitting in a dorm room or otherwise unoccupied office.) But if you have access to a hub (official or not) and a second NIC....

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken