Slashdot Mirror


A Network Sniffer On Steroids

QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said."

129 comments

  1. Broadcom cards? by ShaunC · · Score: 2, Interesting

    Does anyone know if there are any special driver requirements, beyond "anyone with a wireless card?" The documentation is rather...sparse. I've got a Broadcom wireless card in my laptop and it's generally a pain to get things like airodump going; it requires installing a debug driver, then rolling back the driver afterwards, and the network functionality itself is disabled during this period, at least with airodump.

    I'm curious if ferret can sniff without the added hassle...

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:Broadcom cards? by Cherita+Chen · · Score: 1

      Anyone know how you would accomplish this without kicking the card into monitor mode?

      --
      I'm not fat, just big boned...
    2. Re:Broadcom cards? by Kadin2048 · · Score: 5, Insightful

      Broadcom chipsets are absolute and utter crap. DO NOT USE THEM.

      The problem is that you could toss out your crappy, but admittedly working, Broadcom-based card, and inadvertently pick up a Marvell one instead, or one of the newer ones that have some sort of proprietary binary blob firmware that gets loaded by the driver, and will probably never, ever have legitimate Linux drivers.

      If you have a wireless card that actually works on Linux, here's a piece of advice: get on your knees and thank the deity of your choice for smiling on you, and not leading you astray into the Purgatory of identical-model-number-but-different-chipsets, or the Hell of alpha-quality drivers. And then, don't mess with anything.

      And if you got AES working, sacrifice a goat.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    3. Re:Broadcom cards? by caluml · · Score: 5, Insightful

      If you have a wireless card that actually works on Linux,

      Just check what card it is before you buy, and don't buy any that don't have Open Source, native Linux support. It's what I do. Cisco, Orinoco, the new Intel IPW drivers.
      If you buy something that doesn't work, don't cry when it doesn't work.

    4. Re:Broadcom cards? by pclminion · · Score: 1

      If you have a wireless card that actually works on Linux, here's a piece of advice: get on your knees and thank the deity of your choice for smiling on you, and not leading you astray into the Purgatory of identical-model-number-but-different-chipsets, or the Hell of alpha-quality drivers. And then, don't mess with anything.

      Funny, this hasn't been my experience. I've booted the latest Knoppix live CD on many random PC's and even a Mac Mini and it's never had any trouble using whatever wireless was in the system. Maybe I'm just incredibly lucky to never hit a box with a non-working wireless card?

    5. Re:Broadcom cards? by scalla · · Score: 1

      You then should sacrifice a herd of goats.

    6. Re:Broadcom cards? by Crazyscottie · · Score: 1

      If you have a wireless card that actually works on Linux, here's a piece of advice: get on your knees and thank the deity of your choice for smiling on you, and not leading you astray into the Purgatory of identical-model-number-but-different-chipsets, or the Hell of alpha-quality drivers. And then, don't mess with anything.

      And if you got AES working, sacrifice a goat.


      Not to brag or anything, but I got one working fairly easily, with AES and as an access point, no less:
      - D-Link WDA-1320 (I imagine the WDA-2320 would work fine also)
      - Atheros 5005G chipset
      - Madwifi drivers with hostapd on Gentoo

      I fully agree about the Broadcom crap, though. You're almost certainly going to have to do some mangling with fwcutter and/or ndiswrapper... and even then, it's not guaranteed. I wouldn't touch a Broadcom with a ten-foot pole if you're using Linux.

      --
      Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
    7. Re: Broadcom cards? by Dolda2000 · · Score: 1

      It's easy for you to say that, but in reality, things aren't that easy. I spent months trying to find a good WiFi card for Linux before I actually did, and I did check online documentation first to see that it should work. I went through, I think, 4 cards that were "supposed" to work in Linux, but didn't, because, as the GP said, they had different chipsets despite being the same model number. Even looking at the revision numbers hardly worked, as demonstrated by my favorite failure -- I don't remember the make and model, but the one supposed to work with Linux was v2 of the model. They failed to mention, however, that v2 meant the second revision of the first version of the card, not the second version of the card, which came with a completely unsupported Marvell chipset.

      Eventually, I figured out that the best bet seems to be to get a "NoName" Taiwanese card, since Asian companies seem to be much more comfortable with handing out specifications for the products than US companies. I found a Ralink-based card by "Gigabyte Corporation". Even so, the Linux driver was alpha quality, to say the least, so I am now running FreeBSD on the laptop it was intended for (not an entirely bad side effect, admittedly).

      Anyway, the point was that it really isn't easy to find a card that works with Linux, regardless of whether it's supposed to work, since the vendors really seem to be trying their very best to conceal what chipset is actually inside the RF shield. Really, how hard would it be to just print the PCI ID somewhere on the box? Now that I think about it, I'm almost beginning to wonder if it isn't a Microsoftish conspiracy, all of it. :)

    8. Re:Broadcom cards? by kbahey · · Score: 1

      A few months ago, I bought an HP laptop, nice machine, with AMD X2 Turion dual core. However, there was a problem with the Broadcom wireless card. I got IRQ conflicts between the wireless and touchpad mouse. Took it back to the store and got a refund.

      Ended up with a Toshiba laptop that has Intel PRO/Wireless 3945ABG. Works well. Pity, because I like AMD's CPUs.

    9. Re:Broadcom cards? by Martin+Blank · · Score: 1

      All modern cards get binary blobs of proprietary firmware that is loaded by the driver. It's an FCC requirement of all software radios that is intended to limit the use of the radios outside of the intended use. Older wireless NICs used hardware radios, and so had no such requirements. Atheros has been a software radio for some time, and has worked well with the MADWifi project to provide the HAL required for the drivers.

      This was going to be a major problem with the attempt to block kernel tainting in 2008, because legally, there was no way around having wireless drivers taint the kernel due to their use of the proprietary HAL.

      --
      You can never go home again... but I guess you can shop there.
    10. Re:Broadcom cards? by dreamlax · · Score: 1

      The problem there is price. If you can only afford cheap wireless adapters (and hence probably can't afford a legit copy of Windows either) then your only choice is a shit card. Or, sometimes it says it will work in Linux (like my Netgear WG511). Quite a few places said the WG511 was supported by the Prism drivers so I bought it thinking it'll work a charm. When I finally got it and shoved it in my laptop, the prism drivers didn't work. I pull it out and took another look at the model number and it says "WG511" and then in smaller text "v2". Completely different chipset, hell, completely different manufacturer, and from a completely different part of the world, but the same god damned model number. Now I've got half-arsed wireless with ndiswrapper. Working, but really, really . . . really annoying.

    11. Re:Broadcom cards? by dropadrop · · Score: 1

      Just check what card it is before you buy, and don't buy any that don't have Open Source, native Linux support. It's what I do. Cisco, Orinoco, the new Intel IPW drivers. If you buy something that doesn't work, don't cry when it doesn't work.

      This could not really be made any harder by the companies manufacturing the cards. Sure, if you buy something from Orinoco or Cisco you are in safe waters, but other than that you are on weak ice. Manufacturers (most of them) change the card's chipset for every revision, and there is no way to know what you are getting (even looking at the box or physical card might not make it any easier).
    12. Re:Broadcom cards? by nickyx · · Score: 1

      Just check what card it is before you buy, and don't buy any that don't have Open Source, native Linux support. It's what I do. Cisco, Orinoco, the new Intel IPW drivers. If you buy something that doesn't work, don't cry when it doesn't work.

      Yeah cos companies never change the chipset of a card without changing the model number.....

    13. Re:Broadcom cards? by caluml · · Score: 1

      Cry me a river. Take along a bootable Linux Live CD, and try it out on the actual machine you want to buy.

  2. Wireshark? by Hackeron · · Score: 5, Interesting

    How is this different to say wireshark or any other traffic analyzer?

    1. Re:Wireshark? by TLouden · · Score: 1

      It was built on a Windows system and comes with an executable?

      I'm personally in favour of easier to use software (ie. something with a Make file or a .deb, etc.)

      --
      -Tim Louden
    2. Re:Wireshark? by Arkaic · · Score: 3, Informative

      Umm. Wireshark/Ethereal have had Win32 versions for quite some time. From reading the article and the download page I see nothing which distinguishes this app from others which were done first, and better.

    3. Re:Wireshark? by $RANDOMLUSER · · Score: 5, Funny

      How is this different to say wireshark or any other traffic analyzer?
      Duh. It's on steroids.
      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Wireshark? by Red+Flayer · · Score: 1, Interesting
      FTA:

      The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."

      Reading. It's what's for knowledge.

      Oh, and Wireshark was Ethereal. They had to change the name due to trademark concerns.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Wireshark? by garcia · · Score: 1

      How is this different to say wireshark or any other traffic analyzer?

      This one is feature poor and buggy.

    6. Re:Wireshark? by mistralol · · Score: 1

      Dunno, but I managed to write something better than this when I was 16.
      It's really sad to see crap stuff make it.

    7. Re:Wireshark? by Anonymous Coward · · Score: 0

      Wireshark already does those things. The fact that they can't even refer to its name properly says a lot.

    8. Re:Wireshark? by Red+Flayer · · Score: 1

      I don't know the specs of Ferret. I assume (typically a bad idea, of course) from the quote that Ferret searches more protocols than Wireshark, and thus casts a greater net.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    9. Re:Wireshark? by Arkaic · · Score: 1

      Reading. It's what's for knowledge.

      Indeed.

      From the Ethereal feature page: 759 protocols can currently be dissected
      From the Wireshark web site: Hundreds of protocols are supported, with more being added all the time
    10. Re:Wireshark? by Anonymous Coward · · Score: 0

      Plus, it has the 'roid rage...

    11. Re:Wireshark? by daveb · · Score: 1

      I don't believe wireshark/ethereal can get to 802.11 without paying for a plugin from cace, at least not promiscuously (which is all I care about)

      But apart from 802.11, wireshark seems to capture WAY more than this one. So the only real question is does it do a better job or does it do it a better way? Because if it is "better" (in whatever way) then adding protocols is just a dissection task.

      I suspect that it's not that hot really.

    12. Re:Wireshark? by Hackeron · · Score: 5, Informative

      After reading their presentation and other material, here's how it's different to wireshark -- the packet analyzer part is just one of its features:

      1) It can respond to various requests like DHCP requests (so it's like a lightweight collection of servers?)
      2) It has a port scanner to show running services (like nmap)
      3) It has kismet/netstumbler functionality to break into wireless access points
      4) They go on and on about it not looking at data leakage but intentional data like startup programs querying servers, etc -- After 6-7 pages of explaining this I still don't see the difference...

      At the end of the day, this looks like wireshark+nmap+kismet tied together made for the intent of tracking desired actions like buying new hardware in a firm

      So looks like move along, nothing to see here to me, but I get the steroid bit now

    13. Re:Wireshark? by basotl · · Score: 2, Informative

      Errata: "Errata has developed another network sniffer that looks for traffic using 25 protocols"

      Wireshark: "Hundreds of protocols are supported, with more being added all the time. Wireshark's most powerful feature is its vast array of display filters (over 51000 as of version 0.99.5)."

      Something isn't adding up for Errata having more.

      Normally people complain that Wireshark looks at too many protocols and presents a network vulnerability.

      --
      HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
    14. Re:Wireshark? by tgbrittai · · Score: 1

      How is this different to say wireshark or any other traffic analyzer?

      Um, it's got electrolytes! It's what networks crave!
    15. Re:Wireshark? by twistah · · Score: 2, Interesting

      By your logic, Wireshark is no different than tcpdump. But obviously, they are different. Wireshark is great at dissecting packets, not just dumping them in hex format. Ferret is good for sniffing broadcast information, such as NetBIOS traffic and iTunes DAAP, which can assist you in getting a picture of the current network. That's all it does. Yes, they are all pcap based, but they serve different purposes.

      Just like you could use Wireshark to sniff for passwords (or, hell, even tcpdump + ngrep), but it's a lot easier to use dsniff or Cain. I think Ferret is interesting stuff, as long as they develop it beyond a proof-of-concept. (Note that I only spent a few minutes reading about the tool, sorry for any misinformation.)

    16. Re:Wireshark? by Jah-Wren+Ryel · · Score: 1

      How is this different to say wireshark or any other traffic analyzer?
      It works on fiber-optics because it has frickin laser beams attached to its wire, that's how!
      --
      When information is power, privacy is freedom.
    17. Re:Wireshark? by Anonymous Coward · · Score: 0

      >> How is this different to say wireshark or any other traffic analyzer?

      no "lasers". less space than a cablewhale. lame.

    18. Re:Wireshark? by gfunicus · · Score: 1

      To me it sounds more like dsniff http://monkey.org/~dugsong/dsniff/, capturing only passwords, usernames, that kind of stuff.

      --
      It's better to regret something you have done that to regret something you haven't done.
    19. Re:Wireshark? by klem · · Score: 2, Informative

      Hum, as long as your wireless card is in monitor mode (http://en.wikipedia.org/wiki/Monitor_mode , this mode is controlled by the OS, so ethereal doesn't even know about it), ethereal can read and analyze 802.11 packets just fine.
      Furthermore, it's not even limited to "regular" data packets (IP or ARP packets encapsulated into 802.11). You can see things like 802.11 association/authentication/probe packets (it's funny how some people believe that preventing the AP from announcing its network name (ESSID) adds security, as the ESSID is transmitted in the association / probe packets)

    20. Re:Wireshark? by s_p_oneil · · Score: 4, Insightful

      Over 99% of Internet users wouldn't have a clue how to use Wireshark. "What are all these SYN messages? Are they caused by a virus or spyware?"

      Actually, that's a gross exaggeration. Very few Internet users would even be able to figure out how to start a capture in Wireshark. The more timid ones wouldn't even make it to the "No capture interface selected!" error, and most of the rest would be lost when they ran into that.

      If Ferret successfully dumbs it down, then it could be quite useful to a lot of Internet users. In that case, I wouldn't say it was a sniffer on steroids though. More like a "for dummies" version.

    21. Re:Wireshark? by Sancho · · Score: 1

      It may not add security, but it prevents Windows from trying to connect to it (as does using WEP, even though WEP is trivial to crack), so it can be useful.

    22. Re:Wireshark? by slickwillie · · Score: 2, Interesting

      Well, for one thing Ethereal (Wireshark) used to have the best slogan on the Net:

      "Sniffing the glue that holds the Internet together."

    23. Re:Wireshark? by Hackeron · · Score: 1

      Wireshark is a packet analyser, tcpdump and ngrep are packet captures, ngrep (no relation to tcpdump) is just a hell of a lot easier to use. Tcpdump truncates everything to 68 bytes by default and has all sorts of other silly defaults and is just not trivial to use.

      Wireshark supports all protocols listed by Ferret and more, there are plugins for password sniffing but dsniff or cain are just a lot lighter and more efficient when analyzing large amounts of live data like at an ISP. I had to analyze around 400GB of ISP captured data to find a network problem and I tell you, wireshark is VERY slow with this much data ;)

      As for iTunes DAAP and I think NetBIOS you would need to broadcast requests to get a response at which point you're no longer capturing data but acting as a client or a service sniffer like nmap.

    24. Re:Wireshark? by Hackeron · · Score: 1

      Oh, I misunderstood what you meant on broadcast scanning - you could do the same with wireshark with a wireless set to monitor mode or by connecting your standard ethernet to a spanning port on a switch or to any port on a hub and sniff sniff :)

    25. Re:Wireshark? by daveb · · Score: 1
      oooohh kay

      what you're saying SOUNDS right - so what's the point of this which is always at the top of the wireshark FAQ

      If wireshark can capture all of the layer 2 traffic then that's cool - and I might go back and try it again. The last time I tried I didn't get anything lower than layer 3 and even then I didn't get anything apart from my own stuff (i.e. not promiscuous).

      Are you getting something different?

    26. Re:Wireshark? by klem · · Score: 1

      Oops, I failed to mention that I had only tested it on Linux. Your page seems to refer to a Windows product, which appears to be not necessary under Linux.

      I'm not sure "promiscuous mode" has a meaning on a WiFi network: the (almost) equivalent of this in the WiFi world is the monitor mode. The monitor mode causes your card to capture all packets on the selected WiFi channel.
      Additionally, when not in monitor mode, your network interface will act as an Ethernet interface (the network card driver will rewrite the 802.11 packets to Ethernet packets before passing them up to the protocol stack). Because of this, any sniffer will see normal Ethernet packets. However, in monitor mode, your driver will pass raw 802.11 packets, which you will be able to sniff.
      However, I've no clue about how to enable monitor mode under Windows. I've got it to work under Linux with Orinoco, Prism2-based, and Atheros-based cards.
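      As an added example (not code from this thread, from Errata, or from any project named here), the Python below illustrates the two points klem makes: in reply 19, that a monitor-mode capture shows management frames and that the ESSID a "hidden" AP leaves out of its beacon still appears in probe and association requests; and in reply 26, that outside monitor mode the driver rewrites 802.11 data frames into Ethernet frames, which is exactly the translation a non-monitor sniffer sees. The frames it parses are constructed inline; it assumes the radiotap header has already been stripped and no FCS trailer is present, and the MAC addresses, the SSID "corp-hidden" and all function names are made up for illustration.

```python
# Added example: parse raw 802.11 frames as seen in monitor mode (pure Python, no scapy).
# Assumes the radiotap header is already removed and no 4-byte FCS trailer is present.

# Frame-control byte: type in bits 2-3, subtype in bits 4-7
FTYPE_MGMT, FTYPE_CTRL, FTYPE_DATA = 0, 1, 2
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0, 4, 5, 8
# Bytes of fixed parameters that precede the tagged parameters in each management subtype
FIXED_PARAM_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0,
                   SUBTYPE_PROBE_RESP: 12, SUBTYPE_BEACON: 12}
MGMT_NAMES = {0: "association request", 4: "probe request", 5: "probe response", 8: "beacon"}
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP header that precedes the EtherType in data frames
BROADCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _tagged_ssid(tags):
    """Walk the id/len/value tagged parameters and return the SSID (tag 0), or None if absent."""
    i = 0
    while i + 2 <= len(tags):
        tag_id, tag_len = tags[i], tags[i + 1]
        value = tags[i + 2:i + 2 + tag_len]
        if tag_id == 0:
            # A zero-length or all-NUL SSID is how an AP "hides" its network name in beacons
            return "" if value.strip(b"\x00") == b"" else value.decode("utf-8", "replace")
        i += 2 + tag_len
    return None

def _to_ethernet(a1, a2, a3, a4, to_ds, from_ds, body):
    """What a non-monitor driver does: map the 802.11 addresses to DA/SA and strip LLC/SNAP."""
    if not to_ds and not from_ds:
        da, sa = a1, a2          # ad-hoc / station to station
    elif from_ds and not to_ds:
        da, sa = a1, a3          # AP to station
    elif to_ds and not from_ds:
        da, sa = a3, a2          # station to AP
    else:
        da, sa = a3, a4          # WDS, four-address frame
    if not body.startswith(LLC_SNAP):
        return None              # WEP/WPA-protected (or non-SNAP) payload: nothing to translate
    return da + sa + body[6:8] + body[8:]

def parse_80211(frame):
    """Parse one raw 802.11 frame into a dict with addresses plus SSID or translated Ethernet frame."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len, a4 = 24, None
    if ftype == FTYPE_DATA and to_ds and from_ds:
        a4, hdr_len = frame[24:30], 30
    if ftype == FTYPE_DATA and subtype & 0x8:
        hdr_len += 2             # QoS data subtypes carry a 2-byte QoS control field
    info = {"type": ftype, "subtype": subtype, "addr1": mac(a1), "addr2": mac(a2), "addr3": mac(a3)}
    body = frame[hdr_len:]
    if ftype == FTYPE_MGMT and subtype in FIXED_PARAM_LEN:
        info["ssid"] = _tagged_ssid(body[FIXED_PARAM_LEN[subtype]:])
    elif ftype == FTYPE_DATA:
        info["ethernet"] = _to_ethernet(a1, a2, a3, a4, to_ds, from_ds, body)
    return info

def describe(frame):
    """One line per frame, the kind of summary a monitor-mode sniffer would print."""
    info = parse_80211(frame)
    if info["type"] == FTYPE_MGMT and "ssid" in info:
        ssid = info["ssid"]
        shown = "<hidden>" if ssid == "" else ("<none>" if ssid is None else repr(ssid))
        return f"{MGMT_NAMES[info['subtype']]} from {info['addr2']}: SSID {shown}"
    if info["type"] == FTYPE_DATA:
        eth = info["ethernet"]
        if eth is None:
            return f"data from {info['addr2']}: protected payload, nothing to translate"
        return f"data {mac(eth[6:12])} -> {mac(eth[:6])} ethertype 0x{eth[12:14].hex()}"
    return f"type {info['type']} subtype {info['subtype']} frame"

# ---- constructed sample frames (made up for this example, not a real capture) ----
CLIENT, AP, GATEWAY = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("66778899aa01")
SSID = b"corp-hidden"
RATES = b"\x01\x04\x02\x04\x0b\x16"                       # supported-rates tag (id 1)

def _mgmt(subtype, a1, a2, a3, fixed, tags):
    fc = bytes([(subtype << 4) | (FTYPE_MGMT << 2), 0x00])
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + fixed + tags   # duration, addrs, seq ctrl

BEACON = _mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, bytes(12), b"\x00\x00" + RATES)          # empty SSID tag
PROBE_REQ = _mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, b"", bytes([0, len(SSID)]) + SSID + RATES)
ASSOC_REQ = _mgmt(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, b"\x11\x04\x0a\x00", bytes([0, len(SSID)]) + SSID)
IP_PAYLOAD = bytes.fromhex("4500001c000140004011000ac0a80117c0a80101")   # constructed IPv4 header stub
DATA_TO_AP = bytes([0x08, 0x01]) + b"\x00\x00" + AP + CLIENT + GATEWAY + b"\x20\x00" + LLC_SNAP + b"\x08\x00" + IP_PAYLOAD
DATA_WEP = bytes([0x08, 0x41]) + b"\x00\x00" + AP + CLIENT + GATEWAY + b"\x30\x00" + bytes.fromhex("a1b2c300deadbeef")

if __name__ == "__main__":
    for f in (BEACON, PROBE_REQ, ASSOC_REQ, DATA_TO_AP, DATA_WEP):
        print(describe(f))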

    27. Re:Wireshark? by jez9999 · · Score: 1

      So this thing's doing drugs too? Are there any sober protocol analyzers out there?

    28. Re:Wireshark? by sherpajohn · · Score: 1

      How is this different to say wireshark or any other traffic analyzer?

      This is like wireshark with frickin' laser beams attached to their heads - well not really, it's more like a mutated sea bass, ill tempered as it may be.
      --

      Going on means going far
      Going far means returning
    29. Re:Wireshark? by drinkypoo · · Score: 1

      Yeah, that's why I use MAC filtering. If someone's going to connect, well, I don't even have WPA and WEP is a kleenex, so they're going to get in. But they won't get in accidentally just driving by if I use SOMETHING. When I have cared about security (nothing much is on that network just now but a printer - what are they going to do, use up my paper?) I have used VPN and blocked all non-VPN traffic.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    30. Re:Wireshark? by daveb · · Score: 1

      aahh that makes sense.

      Yeah - I meant monitor not promiscuous. You can see I haven't done a lot with 802.11

      thanks for that. Most of the decent network monitoring tools are linux, I should have tried that out first

      cheers

  3. From TFA by Who235 · · Score: 2, Interesting

    "If the government was taking this information from you, people would be up in arms."

    First of all, they probably are sniffing you whenever it's convenient (like at the airport).

    Second of all, people sadly don't seem to care all that much.

    This looks like a cool tool, and I share the hope of an earlier poster that it will work with Broadcom cards - since that's what I have.
    1. Re:From TFA by frisket · · Score: 1

      I'm tired and I haven't written a Makefile that I had to deduce by hand and eye in many aeons. Has anyone written a Makefile suitable for Deb or Edgy they could share?

    2. Re:From TFA by jd · · Score: 1
      If people cared about sniffers, they wouldn't be using unsecured protocols with wireless. They probably wouldn't use unsecured routers either. They're rather restricted on the Internet itself, as most websites don't provide SSL/TLS access or IPSec tunneling. It's quite pathetic, really. (For that matter, why are wireless routers so nauseatingly limited? There are a half-dozen very standard wireless routing protocols and over two hundred have been developed. But wireless routers often don't support any. If they do, it's the ad-hoc protocol, which is probably the least-useful. I've yet to see a wireless router even support the Mobile IP extensions, which you would think would be the first thing that would be included.)

      If you're using Linux, then airsnort and WifiRadar will probably provide most of what you want for wireless. Wireshark captures on wireless as well, as others have noted, but I've never used it in that mode and can't tell you what the results are like. I am not sure of the status of EtherApe, which is graphically superior when it comes to mapping activity, although it is informationally pretty pathetic. You'd certainly want passive fingerprinting tools, as sniffers are generally not too hot in that arena - nmap and other active fingerprinting tools would probably not be smart if the user has any kind of security in place. However, there are only a few hundred of those, so you're not at massive risk. Of course, running Nessus or another auditing package might be a little obvious, even for those who are fairly clueless.

      Now, if you're the sadistic, malicious sort, basic wardriving must be getting rather tiresome anyway. Why not add some excitement to the process - say by installing nmap on the other person's computer and have it scan the NSA's network repeatedly?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Brilliant by Gothmolly · · Score: 2, Insightful

    You mean that by analyzing my DNS and HTTP traffic, either in the clear or from a cracked WEP session, that you can infer, or worse, identify, certain definite pieces of information about my Internet usage habits?
    Boy, if I had a tool that could do that, I'd certainly astroturf it on Slashdot.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Brilliant by iminplaya · · Score: 1

      It's good to know that it's out there. Time to build an adequate defense system. If these guys have it, we can only imagine what the government is sniffing the networks with.

      --
      What?
    2. Re:Brilliant by BSAtHome · · Score: 1

      Yes, all good ol' hackers already know the tricks of the trade and there are rarely any new ones (different hardware/proto, same old hooks). You have indeed identified the sensation effect of the news and therefore it is in a news site like news.com.com. Information is blown out of proportion and it is then called news. From the layman's perspective it is absolutely shocking that you can infer very much from looking at the network. For the insider it is something we use knowingly or unknowingly all of the time. Let the sensationalism die out a bit and then you can go back to looking at the boss' data so that you can plan the next stock transactions.

    3. Re:Brilliant by SoVeryTired · · Score: 1

      Who still uses WEP? Any wireless router bought in the last few years will support WPA encryption instead. That said, it seems like a lot of vendors use WEP as the default encryption scheme. That's just irresponsible if you ask me.

      --
      Slashdot: news for Apple. Stuff that Apple.
    4. Re:Brilliant by cortana · · Score: 1

      I have to use WEP because my Nintendo DS cannot do WPA.

    5. Re:Brilliant by Sancho · · Score: 1

      I have to use WEP because my Nintendo DS cannot do WPA. I've never managed to get my DS to connect to my access point, whether it's WEP, open, or what.

      I don't have a Windows machine, so the USB dongle won't help, either. Kinda sucks for games where unlockable content exists, but you have to connect to the Wifi to get it.
    6. Re:Brilliant by g-san · · Score: 1

      Your only adequate defense system would be to not send any traffic. That's like trying to have a conversation with someone with a third party present and come up with a defense so they cannot hear it. Speak Spanish, you say? Sorry, the internet only has one language, IP. And typically, unless you wrote the client and the server, you are probably using a well known standard protocol. That means I can look at traffic for an application I have never seen and still be able to glean a fair amount of info.

      I suppose the only real defense is to send a ton of bogus traffic along with your real traffic. Even then, given a while to sit down with a trace and good filters, the devil in the details will be found.
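      As an added example (not from this thread and not Ferret's code), the Python below shows what Gothmolly's post and g-san's reply describe: a passive listener that only parses standard, well documented protocols still recovers every name a host resolves over DNS and the Host header of each plaintext HTTP request, which is enough to reconstruct browsing habits. The frames are constructed inline (MAC addresses and checksums zeroed, documentation address ranges used); parse_frame, dns_question, http_host and observe are names chosen here, not any tool's API.

```python
# Added example: passively recover DNS query names and HTTP Host headers from raw Ethernet frames.
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
QTYPE_NAMES = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}

def ipv4(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Ethernet -> IPv4 -> UDP/TCP. Returns (src, dst, proto, sport, dport, payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None                     # ARP, IPv6, VLAN-tagged frames etc. are ignored here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes, honours IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src, dst = ip[9], ipv4(ip[12:16]), ipv4(ip[16:20])
    l4 = ip[ihl:total_len]              # total length, not frame length: Ethernet may pad
    if proto == PROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        return src, dst, proto, sport, dport, l4[8:ulen]
    if proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4        # TCP data offset, honours TCP options
        return src, dst, proto, sport, dport, l4[doff:]
    return None

def dns_question(msg):
    """Decode the first question as (name, qtype). Follows RFC 1035 compression pointers with a hop limit."""
    offset, labels, end, hops = 12, [], None, 0
    while True:
        n = msg[offset]
        if n == 0:
            end = end if end is not None else offset + 1
            break
        if n & 0xC0 == 0xC0:            # pointer: 14-bit offset into the message
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii", "replace"))
        offset += 1 + n
    qtype = struct.unpack("!H", msg[end:end + 2])[0]
    return ".".join(labels), QTYPE_NAMES.get(qtype, str(qtype))

def http_host(payload):
    """Host header of a plaintext HTTP request, or None if the payload is not one."""
    if payload[:4] not in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def observe(frames):
    """What a passive listener learns from DNS queries and HTTP requests alone."""
    seen = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, _dst, proto, _sport, dport, payload = parsed
        if proto == PROTO_UDP and dport == 53 and len(payload) > 12:
            name, qtype = dns_question(payload)
            seen.append(f"{src} DNS {qtype} {name}")
        elif proto == PROTO_TCP and dport == 80:
            host = http_host(payload)
            if host:
                seen.append(f"{src} HTTP Host {host}")
    return seen

# ---- constructed sample traffic (not a real capture; MACs and checksums zeroed) ----
def _eth_ipv4(src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + l4

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _tcp(sport, dport, data):   # minimal 20-byte header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def _dns_query(name, qtype=1):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

SAMPLE = [
    _eth_ipv4("192.168.1.23", "192.168.1.1", PROTO_UDP, _udp(51000, 53, _dns_query("www.example.com"))),
    _eth_ipv4("192.168.1.23", "192.168.1.1", PROTO_UDP, _udp(51001, 53, _dns_query("mail.example.com", 28))),
    _eth_ipv4("192.168.1.23", "192.0.2.10", PROTO_TCP,
              _tcp(51002, 80, b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\nUser-Agent: x\r\n\r\n")),
]

if __name__ == "__main__":
    for line in observe(SAMPLE):
        print(line)
```

      Nothing here needs the client's cooperation or any protocol knowledge beyond the public RFCs, which is g-san's point. Chaff traffic, as the reply above suggests, only adds noise to the same list; encrypting the transport (TLS for HTTP, a VPN for everything) is what actually removes the Host header and, with encrypted DNS, the names from the listener's view.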

  5. Darn by Kohath · · Score: 4, Funny

    I needed a steroid sniffer that works on my network.

    Can I operate it in reverse or something?

    1. Re:Darn by BSAtHome · · Score: 1

      Make contact to an ethernet port that has power enabled.

  6. I installed it and now... by shoma-san · · Score: 0

    I see dead people...

  7. Extra protocols? by Anonymous Coward · · Score: 0

    If the only distinguishing factor is its ability to decode more protocols, why doesn't someone just come up with a sniffer/analyzer that has the ability to plug in software protocol analyzers? You provide a user interface and a framework, you call each analyzer with the data you've collected (you could optimize by having a "fast interest checker" for each protocol) and display the results. I would think that this would be pretty quick and easy given the number of FOSS tools that are already out there. I.e., do we really need yet another app with another UI and buggy behaviour?

    1. Re:Extra protocols? by DeLanceS · · Score: 1

      You mean Wireshark, which already does this.

    2. Re:Extra protocols? by geekoid · · Score: 1

      Yes, and maybe someone should have said "Linus, we already have operating systems."

      More than one can be good.

      Now, I haven't used this product, so as far as I know it's crap, but there isn't any logic in saying there is already one available so don't make another, better one.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  8. my god by mastershake_phd · · Score: 4, Funny

    My neighbor likes clown pron.

    1. Re:my god by Anonymous Coward · · Score: 0

      He must be funny in the head.

    2. Re:my god by smellsofbikes · · Score: 1

      I'll go you one better: my girlfriend likes clown pron. She has two tapes thus far. Her best friend likes *midget* pron. They've been searching for midget clown pron.

      I spend a lot of time rebuilding bikes out in the garage, or anywhere out of hearing range.

      --
      Nostalgia's not what it used to be.
    3. Re:my god by uufnord · · Score: 1

      Get off my wireless connection! Whippersnapper.

  9. Re:Different from Ethereal? by extern_void · · Score: 0

    Ethereal just works.

  10. I've seen this before by ciaran.mchale · · Score: 5, Funny
    A Network Sniffer On Steroids.

    I've seen this before. It starts off with steroids, but pretty soon the network sniffer moves on to crack cocaine. A short while later, he takes a job as a fluffer in midget porn movies to feed his habit.

    1. Re:I've seen this before by Red+Flayer · · Score: 1

      Sounds like someone who'd be a good friend for mastershake_phd's neighbor.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  11. I see... by Anonymous Coward · · Score: 0

    So, he reimplemented dsniff? How quaint...

  12. Anyone remember a Mac one from 99/2000? by Kadin2048 · · Score: 3, Interesting

    Does anyone remember a Mac utility that came out a while back (by which I mean, maybe 5 or so years ago), that would put an Airport into promiscuous mode, and sniff for traffic, and then decode and display any images that it sniffed? It was a pretty amusing little program; I think I remember reading that it was thrown together at MacHack and won best of show, or some other honor.

    Basically you could run it, and it would give you an idea of what everyone on the wireless network was browsing, in the clear, at that moment, all sort of jumbled together.

    I've always wanted something like that, to use as a demonstration of how insecure most wireless APs (unencrypted ones) are, for nontechnical people, but I've never been able to find it, or any record of it. Sometimes I wonder if I just hallucinated the whole story.

    It would be a heck of a demo to just run something like that, particularly if you could target a particular connection, and then tell someone to load a web page, and be able to instantly display some or all of the page, or at least its images, in real time, to prove that you really were listening in on what they were doing. Most packet sniffers don't provide any direct, obvious, graphical output of stuff they sniff, and that's frankly just not dramatic enough to make an impression.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Anyone remember a Mac one from 99/2000? by maxume · · Score: 4, Informative

      http://www.etherpeg.org/

      (I have no idea if it works with newer hardware/drivers, but I am pretty sure this is what you are talking about.)

      On linux:

      http://www.ex-parrot.com/~chris/driftnet/

      --
      Nerd rage is the funniest rage.
    2. Re:Anyone remember a Mac one from 99/2000? by GreyDuck · · Score: 2, Informative

      Well, I remember Driftnet. Does that count?

      I remember horrifying the chief engineer at my last job by running that on the proxy/firewall box. My demonstration might have been more effective had I shown it to the General Manager, but then again I might've gotten myself thrown out the door that much sooner...

      --
      I'm only wearing black until they come out with something darker.
  13. Reinventing 1/16 of a wheel by krunoce · · Score: 2, Informative

    The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."

    Oh Wowsers! DHCP, SNMP, DNS and HTTP! That's so many! It's a shame Ethereal can only look at these!

  14. So... by Anonymous Coward · · Score: 0

    It's doping the internet?

    Actually, that would explain a lot...

  15. I doubt it. by Kenja · · Score: 2, Funny

    I'm willing to bet that most people with a wireless network card don't even know what the term "sniffer" means, much less be able to run one.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  16. Wow! 25 protocols? by A+Guy+From+Ottawa · · Score: 5, Funny

    Incredible... they support 25 protocols!!!

    And to think I used to use Wireshark/libpcap which is open source, available on almost every platform, is not buggy, and supports hundreds of protocols. It even has a graphical user interface.

    But I think these guys are really on to something...

    --

    using System.Awesome;

  17. OT: Linux compatible, and tasty, too? by Anonymous Coward · · Score: 5, Funny

    I just went over to Amazon to check the prices on some of those cards, and this completely made my day. (Look at the "Technical Details")

    Proxim 8482-FC ORiNOCO Wireless 11a/b/g PCI Card, $82.27

    Technical Details

            * One 6.5-ounce package
            * Made with enriched wheat flour and natural vanilla flavoring
            * 100% cholesterol free and sweetened with sorbitol
            * America's number one brand of sugar-free cookies
            * Creme-filled, vanilla cookies perfect for low-carb diets

    Do you think they're RoHS-compliant, too?
    1. Re:OT: Linux compatible, and tasty, too? by Anonymous Coward · · Score: 0

      Can I assume that somebody has already sent this in to WTF's Error'd, or should I do it?

    2. Re:OT: Linux compatible, and tasty, too? by Anonymous Coward · · Score: 0

      Do you think they're RoHS-compliant, too?

      Apparently you can eat it, so let's hope so...
    3. Re:OT: Linux compatible, and tasty, too? by StickyWidget · · Score: 1

      Post a screenshot to WorseThanFailure.com. Amazon does that. A lot.

      The Widget of Sticky

    4. Re:OT: Linux compatible, and tasty, too? by Thomas+Shaddack · · Score: 1

      RoHS is a scam. Just ignore it wherever you can, and opt for non-RoHS stuff (in case of complete boards); the leadless solders are rumoured to develop cracks after few years of thermal cycles.

    5. Re:OT: Linux compatible, and tasty, too? by adolf · · Score: 1

      Also, too: Tin whiskers, which are a far scarier problem with lead-free solders.

  18. Evidently "anyone" means.. by Stalin · · Score: 1

    "Windows users".

  19. Wireshark, anyone? by drix · · Score: 3, Informative

    Wireshark does waaaaay more than 25 protocols.

    --

    I think there is a world market for maybe five personal web logs.
  20. Wireshark does NOT do this by Anonymous Coward · · Score: 3, Informative

    What makes this sniffer stand out is not the fact that it can parse different protocol formats -- it's that it collects relevant data in a meaningful summary.

    For example, any sniffer can filter and then parse HTTP traffic, but an analyzer like this one tells you relevant bits like someone's web account names.

    1. Re:Wireshark does NOT do this by Anonymous Coward · · Score: 0

      Ettercap already does this.

    2. Re:Wireshark does NOT do this by SCHecklerX · · Score: 1

      Like dsniff?

    3. Re:Wireshark does NOT do this by Anonymous Coward · · Score: 0

      probably

  21. Either you're lucky, or I angered God. by Kadin2048 · · Score: 2, Informative

    If I were you, I'd be buying lotto tickets. I have a box going somewhere of WiFi cards that I've ripped out of systems because I couldn't get them working on Linux. It's not full, but there are a bunch in there, plus a bunch in systems that just don't work and I've not bothered to pull, plus a lot more that I've tried to get working and returned. They tend to be a combination of Marvell and Texas Instruments ACX chipsets, neither of which I've ever gotten to work successfully (and by "work," I mean natively, without Windows-driver hacks, and will work with WPA-PSK AES, and without installing anything alpha-quality or destabilizing). The TI ones are particularly awful, because they're the kind that require firmware blobs to be loaded at startup, so they'll pretty much never be supported in the hardcore FOSS distros (although I heard a rumor that Mepis may support them).

    I have only ever gotten lucky with one wireless card on a Linux machine, and that was a DWL-650 and Ubuntu Dapper, a combination which (naturally) you can't buy anymore, because the DWL-650 has been replaced by the DWL-650+, which has a completely different (ACX!) chipset.

    My plan is to dump the crate out every few years and see if the situation has changed, but after buying and returning pretty much every card at all of the local stores which even seemed to be distantly or possibly related to anything that might have out-of-the-box Linux drivers, I decided to can the whole endeavor.

    It's easier, IMO, (and cheaper, if you look at the prices for "real" Linux-compatible WiFi cards from Orinoco/Cisco/etc. -- notwithstanding the fact that they need to be ordered a week in advance of when you need them) to buy routers that will work in bridge mode (aka "game adapters", or a WRT54GL with DD-WRT if you can find one), and can just be attached to any type of box via Ethernet, than to actually mess around with getting a card working natively on anything except Windows and MacOS. (And it's not like Windows is necessarily any picnic, either, particularly when you start talking about WPA. MacOS only avoids it by only having a handful of cards.)

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  22. Proprietary Cracking by Anonymous Coward · · Score: 0

    The whole proprietary cracking market is loaded and full of crap. Instead of teaching people about the actual workings of computer networks (as often real crackers do, most often illegally) it's better to make a cracker out of yourself than depend on these jerks.

    Anyways, any intellectual who has any interest in cracking had better read a few of the old philes or at least RFCs to know what's going on. This stuff is about as functional as Microsoft Windows (which isn't) and is only suitable for the obsessively compulsive washing masses.

  23. Dude... by geekoid · · Score: 4, Funny

    You should be out in the garage getting your clown suit on.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Dude... by Anonymous Coward · · Score: 0

      ..and sawing your legs off at the knees

    2. Re:Dude... by Knara · · Score: 2, Funny

      And chopping off his own shins.

    3. Re:Dude... by smellsofbikes · · Score: 1

      I'm a coulrophobe, is the problem with that otherwise-great plan.

      Plus, every time ya want to break out the sillystring, it turns out the aerosol's all leaked out, and it's just a big letdown.

      --
      Nostalgia's not what it used to be.
    4. Re:Dude... by BertieBaggio · · Score: 3, Funny

      Plus, every time ya want to break out the sillystring, it turns out the aerosol's all leaked out, and it's just a big letdown.

      Yeah, I hear they have pills you can take for that.

      --
      If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
    5. Re:Dude... by smellsofbikes · · Score: 1

      Close, close: aerosols contain nitrous oxide, while viagra affects nitric oxide. But I still think you should get points for it.

      --
      Nostalgia's not what it used to be.
    6. Re:Dude... by BertieBaggio · · Score: 1

      Quite correct; sildenafil causes NO to be released into the corpora cavernosa, triggering the release of GC (guanylate cyclase) which leads to vasodilation. Then you have an increased local bloodflow... and where you go from there is nobody else's business.

      I never thought my relatively basic education in anatomy and pharmacology would be used in posts to /. though.

      --
      If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
    7. Re:Dude... by Hatta · · Score: 1

      Aerosols don't contain nitrous oxide. They usually contain some sort of hydrocarbon, sometimes halogenated. Nitrous oxide is the propellant in whipped cream, and that's about it. Nitrous oxide is relatively safe, hydrocarbons especially the halogenated ones will fuck up your liver and nervous system. I hope you haven't been huffing silly string.

      --
      Give me Classic Slashdot or give me death!
    8. Re:Dude... by smellsofbikes · · Score: 1

      rock *on*! Biochemist bonding moment...

      --
      Nostalgia's not what it used to be.
  24. Ferret on Vista by kantmakm · · Score: 2, Informative

    In order to run Ferret on Vista, you need to run cmd.exe as administrator before running Ferret from the command line.

  25. Orinoco? by turgid · · Score: 1

    Orinoco? My dear fellow, I'll give you Orinoco

    Now don't get me started on marmalade sandwiches...

  26. It's worse than that by istartedi · · Score: 2, Funny

    According to this banner ad I saw on another site, my IP address is visible!

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  27. Not on steroids, not for linux. by WK2 · · Score: 5, Funny

    They include the source code, and say that it "should" compile in linux. However, it uses many Windows-specific variable types. This code will not be cross compatible without a major overhaul.

    This program is not ethereal on steroids. It's more like ethereal and kismet got drunk, had sex, and had a retarded baby, which they named ferret.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    1. Re:Not on steroids, not for linux. by Anonymous Coward · · Score: 0

      It requires only minimal changes to compile in Linux, the only type that needs converting is the 64 bit uint and some function changes for string compares.

      -typhoncore

  28. Good Linux WIFI Cards by stevenm86 · · Score: 4, Informative

    Good for linux- with monitor mode

    * Atheros-based cards. Strangely, I don't hear these mentioned very often, but they have excellent support, complete with monitor mode, creating multiple interfaces from one card, etc. Oh and airpwn supports it :) - http://madwifi.org

    * Intel Pro Wireless (2100 / 2200 / 2950) - Works well, has monitor mode, wep in hardware, drivers actually developed by intel - http://ipw2200.sf.net and in the kernel at this point

    * Orinoco / Hermes / Lucent cards - in the kernel

    * Cards based on the Prism chipset (http://prism54.org). BE WARNED though, some of the newer ones require "softmac" firmware which is currently not working all that well

    I have used a card from all of these manufacturers and if I were getting a new laptop, I would probably go with Atheros and if not that, then Intel.

    1. Re:Good Linux WIFI Cards by dunng808 · · Score: 1

      * Atheros-based cards. Strangely, I don't hear these mentioned very often, but they have excellent support, complete with monitor mode, creating multiple interfaces from one card, etc. Oh and airpwn supports it :) - http://madwifi.org/

      That's what is in my MacBook, and apparently Apple uses the same driver as the other beasties. So, maybe they aren't mentioned very often, but there are a lot of them being used outside the Windows realm.

      --

      Gary Dunn
      Open Slate Project

  29. EVERYTHING about this article is wrong. by jurgen · · Score: 4, Interesting

    This is a great example of the worst of slashdot (which isn't saying much)... just about everything in this article as it appears on the main page is wrong, word for word.

    • Category: YRO... why? What does this have to do with "rights"?

    • Title: "Sniffer on Steroids". Nothing steroidal about it... according to the authors of the software it is a buggy piece of shit whipped up quickly to demonstrate a very /specific/ type of traffic analysis for a talk.

    • "Looks for traffic using 25 protocols". Uh no, it doesn't use the protocols, it analyzes them.

    • List of protocols and applications... misses the point entirely, as any other sniffer can also "capture" all those protocols. The point is that this program looks for and explicitly points to information within those protocols that you probably didn't realize was "seeping" out with them. Mind you, you could still find all that same information with ANY OTHER SNIFFER... there is nothing technologically new about this sniffer. Rather, the authors have made a list of things that "seep" out with various applications and protocols that most people haven't thought of, and have written a simple, ordinary sniffer that explicitly includes this list.

    • "Anyone with a wireless card will be able to run it"... uhm, yeah, anyone with a WINDOWS machine and the right kind of wireless card. Doh.

    Even for slashdot, that's pretty bad, eh?

    :j

    1. Re:EVERYTHING about this article is wrong. by drinkypoo · · Score: 1

      "Looks for traffic using 25 protocols". Uh no, it doesn't use the protocols, it analyzes them.

      Yeah, and if I can read books in two languages, I'm not using the languages, I'm analyzing them, right?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
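The point made in comments 20 and 29, that the interesting part of a tool like this is not protocol decoding but listing the identifiers that leak inside those protocols, is easy to show in code. What follows is an added example, not Errata's Ferret source and not from any tool in the thread: a small summarizer that takes (source IP, protocol, payload) records, pulls account names, visited sites, cookie names, User-Agent strings and DNS lookups out of them, and groups the result per host. The sample traffic is constructed inline; in real use you would feed it reassembled TCP payloads and UDP datagrams read from a pcap.

```python
"""Summarise what identifies a user in captured application-layer data.

Added example, not Errata's Ferret source. Protocol decoding is the easy
part (Wireshark does that); this lists the fields that name a person or a
machine. SAMPLE_TRAFFIC is constructed, not captured.
"""
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Form field names that usually carry an account name in a login POST.
ACCOUNT_FIELD = re.compile(r"^(user(name)?|login|email|uid)$", re.I)

# Constructed sample traffic: (source IP, protocol, raw payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "http",
     b"POST /login HTTP/1.1\r\nHost: mail.example.net\r\n"
     b"User-Agent: Mozilla/5.0\r\nCookie: session=abc123; lang=en\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2"),
    ("10.0.0.5", "http",
     b"GET /feed HTTP/1.1\r\nHost: news.example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    # DNS query (id 0x1234, RD set, one question) for www.example.com, type A.
    ("10.0.0.5", "dns",
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
     b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
]

def parse_http_request(payload):
    """Split one HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def http_leaks(payload):
    """Pull identity-bearing fields out of one HTTP request."""
    leaks = {}
    method, path, headers, body = parse_http_request(payload)
    if "host" in headers:
        leaks["site"] = headers["host"] + path
    if "user-agent" in headers:
        leaks["user_agent"] = headers["user-agent"]
    if "cookie" in headers:   # names only; the values are session credentials
        leaks["cookie_names"] = [c.split("=", 1)[0].strip()
                                 for c in headers["cookie"].split(";")]
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):   # Basic auth is base64, not encryption
        leaks["account"] = base64.b64decode(auth[6:]).split(b":")[0].decode("latin-1")
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if ACCOUNT_FIELD.match(field):
                leaks["account"] = values[0]
    return leaks

def dns_query_name(payload):
    """Return the first question name from a raw DNS message, or None."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None   # compression pointer in a question, or truncated
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def summarize(traffic):
    """Group leaked identifiers per source host; values are sorted lists."""
    report = defaultdict(lambda: defaultdict(set))
    for src, proto, payload in traffic:
        if proto == "http":
            for key, value in http_leaks(payload).items():
                report[src][key].update(value if isinstance(value, list) else [value])
        elif proto == "dns":
            name = dns_query_name(payload)
            if name:
                report[src]["dns_lookups"].add(name)
    return {src: {k: sorted(v) for k, v in fields.items()}
            for src, fields in report.items()}

if __name__ == "__main__":
    for host, fields in summarize(SAMPLE_TRAFFIC).items():
        print(host)
        for key, values in sorted(fields.items()):
            print(f"  {key}: {', '.join(values)}")
```

Run on the constructed data this reports, for 10.0.0.5, the accounts alice and bob, the two sites visited, the cookie names, the browser string and the DNS lookup of www.example.com. Nothing here needs the wireless link to be anything but unencrypted, which is the whole point of the thread; the same summariser run on a WPA2 network from outside the PSK sees nothing.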
  30. What about encryption? WPA2, etc.? by SpecialAgentXXX · · Score: 1

    I read TFA, but nowhere did it mention anything about encryption. I am assuming that since I use WPA2, I don't need to worry about anyone sniffing my wireless traffic. I think it is irresponsible for this article to not include anything about encryption - spread fear about wireless usage, but don't provide a solution.

  31. They probably already are by Weaselmancer · · Score: 2, Interesting

    I have a friend who works at Best Buy/Geek Squad. A guy came in with a government contract and a laptop, needing repairs. He was making small talk and said his job was to wardrive around and break into people's home computers and search them for child porn.

    Take it with a grain of salt - the guy was just some dude with a busted laptop walking into a Best Buy. But he did have a government contract, and a lot of wireless sniffer software on his machine.

    --
    Weaselmancer
    rediculous.
    1. Re:They probably already are by Lord+Ender · · Score: 3, Interesting

      Right. He had advanced security software, a van with sophisticated antennas, and no IT department to fix failures of their own equipment. So he takes it to Best Buy, where the teenage "technicians" install unnecessary anti-virus software, which proceeds to wipe out ("clean") all his security software...

      Yeah, right. They don't make salt grains big enough.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:They probably already are by Weaselmancer · · Score: 1

      Where did I say he had a van full of equipment?

      He had a laptop computer with basically the same kind of stuff you find on Remote Exploit, just in Win32 versions. And my buddy didn't say he had a virus problem, the machine was physically busted - most likely from a drop. He bought the laptop through Best Buy and they were returning it to the manufacturer for replacement.

      And I did say to take the story with a grain of salt - I'm not sure I believe it either.

      Although. Wouldn't it be funny if the guys at Dell or wherever scanned his hard drive, and found all the "evidence" he had been collecting?

      --
      Weaselmancer
      rediculous.
  32. EtherPEG - Driftnet by Anonymous Coward · · Score: 0

    It was probably a variant of EtherPEG.. I don't use a mac, but driftnet runs great in linux. Works on ethernet too, although most networks are switched these days.
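The EtherPEG/driftnet trick that comments 12 and 32 describe (show the images people are browsing on an open network) does not need an HTTP parser at all; both tools carve image files out of reassembled TCP streams by looking for the file markers. The block below is an added example, not code from EtherPEG or driftnet, that does the JPEG half of that: scan a byte stream for start-of-image and end-of-image markers and write each span out as a file. The stream it runs on is constructed inline from fake HTTP responses; in real use you would feed it TCP stream payloads from a capture.

```python
"""Carve JPEG images out of a reassembled byte stream.

Added example, not EtherPEG's or driftnet's code. No HTTP parsing: the
stream is scanned for JPEG file markers, which is why the technique also
works on FTP or IM file transfers. SAMPLE_STREAM is constructed, not captured.
"""
from pathlib import Path

SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus the 0xFF of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image

def carve_jpegs(stream, max_size=4 * 1024 * 1024):
    """Return every SOI..EOI span in `stream` as a candidate JPEG.
    Caveats a real tool must handle: a JPEG carrying an EXIF thumbnail has an
    inner EOI, so this cut is early for such files; images split across TCP
    segments need stream reassembly first; gzip-encoded responses hide the
    markers entirely."""
    images, pos = [], 0
    while True:
        start = stream.find(SOI, pos)
        if start < 0:
            break
        end = stream.find(EOI, start + len(SOI))
        if end < 0:
            break   # truncated image at the end of the stream: drop it
        end += len(EOI)
        if end - start <= max_size:
            images.append(stream[start:end])
        pos = end
    return images

def write_images(images, outdir):
    """Dump carved images to numbered files; returns the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, data in enumerate(images):
        path = outdir / f"img{i:04d}.jpg"
        path.write_bytes(data)
        paths.append(path)
    return paths

def fake_jpeg(filler):
    """Constructed stand-in for a JPEG: real SOI/APP0/EOI framing around filler."""
    return SOI + b"\xe0\x00\x10JFIF\x00" + filler + EOI

# Constructed stream: two image responses with an HTML page between them.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + fake_jpeg(b"A" * 40)
    + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>cat pictures</html>"
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + fake_jpeg(b"B" * 64)
)

if __name__ == "__main__":
    for p in write_images(carve_jpegs(SAMPLE_STREAM), "carved"):
        print(p)
```

The usual demo pairs this with a viewer that refreshes the output directory; the carving itself is the only part that touches the wire. It finds images because they cross the air unencrypted, which is also why it finds nothing on a switched wired segment you are not in the path of, the point the reply below is needling.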

    1. Re:EtherPEG - Driftnet by Anonymous Coward · · Score: 0

      >> Works on ethernet too, although most networks are switched these days.

      Do you have any idea what you are talking about?

  33. Grains, no. by jd · · Score: 1

    But they do mine rock salt in Cheshire. The tunnels are a good ten foot or so in height and the salt is blasted out with high explosives. Now, that's the stuff you should be taking with stories like this.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Grains, no. by Anonymous Coward · · Score: 0

      They just had a Dirty Jobs episode about that.. 'cept it was in Kansas.
      Fun with toxic NO2 dust after explosions.

  34. For the 1337 brethren! by Gazzonyx · · Score: 1

    Awfully nice of a computer security company that's just a year old to include PowerPoint slides of their hacking tool on their website! Yeah, right, I guess I'll just download them and assume they're not infected.

    And on that note, they'd better be! It would be even scarier if said company was actually using PowerPoint as an effective means of communication to all their 1337 brethren using Windows. Then again, the source is for Visual Studio... Something about this rubs me the wrong way, anyone else?

    Completely off topic, but I just realized while thinking of holes in office... is today patch tuesday? Or is that next tuesday?

    Oh, yeah, and their program doesn't work with linksys wireless G cards, nor does it understand the '/?' switch from the command line.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  35. Similar research project also named Ferret by Phy6 · · Score: 1

    There is a very similar OSS research project called Ferret by a prof at UMD. I used to be IT support for an institution he is a member of. (Institute for Systems Research)

    http://www.enre.umd.edu/faculty/cukier.htm

    http://ferret.sourceforge.net/

    1. Re:Similar research project also named Ferret by Verunks · · Score: 1

      There is also LinkFerret Network Monitor but it's commercial

  36. Vista may save us.... by BLKMGK · · Score: 1

    No seriously, I said that with a straight face!

    I watched a briefing on Vista wireless and compared to XP it's WAY different. The MSFT guy on the stage actually said the words monitor mode and mangle packets! Apparently the XP driver setup for wireless kludged wireless to look like a regular wired NIC. For Vista that's not the case - you can have filter drivers and all sorts of stuff going on with wireless. The SDK for drivers even supposedly comes with SOURCE for a wireless driver supporting Realtek wireless cards. The presenter also showed the results of a one minute sniff of the conference network done on his laptop - APs, clients, encryption supported, speeds supported, blah blah - all done in Vista using off the shelf drivers. There are supposed to be something like 150 hooks in all of the Vista wireless drivers to allow for this sort of thing in order for the driver to be certified plus you can apparently roll your own. There's still some abstraction from the hardware of course so there could still be limitations but the alternative is a hell like there is with Linux right now. I'm fortunate to have like 5 cards that work under Linux but NONE of them are what I'd call "new". If Vista is really doing what this rep claimed then Vista is going to be MUCH better for capturing wireless than XP was. Products like AirPCAP and goofy expensive custom widgets to get monitor mode on XP can take a flying leap - maybe.

    Anyway, this was a BlackHat presentation done in Vegas this past year - they had a whole series on Vista. The video might be up on the BlackHat site, if it is take a look. Vista is still new enough that much of this probably hasn't been explored yet but stay tuned - this looks like ONE benefit to Vista....

    --
    Build it, Drive it, Improve it! Hybridz.org
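Comment 36's one-minute sniff that lists APs and the encryption each supports, and comment 30's question about whether WPA2 settles things, both rest on the same fact: beacons are management frames that every AP broadcasts in the clear, and their capability field plus the RSN (WPA2) and vendor WPA information elements say what the AP offers before any client associates. The block below is an added example, not code from the Vista driver SDK, Ferret, or any tool in the thread: it parses raw 802.11 beacon frames and classifies each AP as open, WEP, WPA or WPA2 (with cipher and key-management method). The frames are constructed by `build_beacon()` rather than captured; a real run would take frames from a monitor-mode capture with the radiotap header stripped.

```python
"""Classify the security each Wi-Fi AP advertises, from beacon frames.

Added example, not from the Vista SDK, Ferret or any tool in the thread.
Beacons are sent in the clear; the capability bits and RSN/WPA IEs tell you
what the AP offers. SAMPLE_BEACONS are constructed, not captured.
"""
import struct

BROADCAST = b"\xff" * 6
BSSID = bytes.fromhex("001122334455")      # constructed AP address
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010      # capability-info bits 0 and 4
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # vendor IE prefix for pre-802.11i WPA
SUITE_OUI = bytes.fromhex("000fac")        # 802.11i suite selector OUI
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}

def build_beacon(ssid, privacy=False, rsn=None):
    """Construct a minimal beacon: MAC header, fixed fields, SSID, rates, RSN."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, BROADCAST, BSSID, BSSID, 0)
    caps = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, caps)   # timestamp, interval, capabilities
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates 1/2/5.5/11
    if rsn is not None:
        pairwise, akm = rsn
        body = struct.pack("<H", 1) + SUITE_OUI + bytes([4])          # version 1, group CCMP
        body += struct.pack("<H", 1) + SUITE_OUI + bytes([pairwise])  # one pairwise suite
        body += struct.pack("<H", 1) + SUITE_OUI + bytes([akm])       # one AKM suite
        body += struct.pack("<H", 0)                                  # RSN capabilities
        ies += bytes([IE_RSN, len(body)]) + body
    return header + fixed + ies

def parse_ies(data):
    """Yield (id, payload) per information element; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(data):
        ie_id, ie_len = data[pos], data[pos + 1]
        if pos + 2 + ie_len > len(data):
            break   # never read past the frame on a malformed length
        yield ie_id, data[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len

def _suite_list(body, pos, names):
    """Read a (count, suites...) list from an RSN IE body with bounds checks."""
    if pos + 2 > len(body):
        return [], pos
    count = struct.unpack_from("<H", body, pos)[0]
    pos, out = pos + 2, []
    for _ in range(count):
        if pos + 4 > len(body):
            break
        sel = body[pos:pos + 4]
        out.append(names.get(sel[3], "?") if sel[:3] == SUITE_OUI else sel.hex())
        pos += 4
    return out, pos

def parse_rsn(body):
    """Return (pairwise cipher names, AKM names) from an RSN IE body."""
    pairwise, pos = _suite_list(body, 6, CIPHER_SUITES)   # skip version + group
    akms, _ = _suite_list(body, pos, AKM_SUITES)
    return pairwise, akms

def classify_beacon(frame):
    """Summarise BSSID, SSID and advertised security of one beacon frame."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    caps = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "ssid": "", "security": "open"}
    for ie_id, payload in parse_ies(frame[36:]):
        if ie_id == IE_SSID:
            info["ssid"] = payload.decode("utf-8", "replace") or "<hidden>"
        elif ie_id == IE_RSN:
            pairwise, akms = parse_rsn(payload)
            info["security"] = "WPA2-%s %s" % ("/".join(akms or ["?"]), "/".join(pairwise or ["?"]))
        elif ie_id == IE_VENDOR and payload[:4] == WPA_OUI_TYPE and info["security"] == "open":
            info["security"] = "WPA"   # an RSN IE, if also present, wins
    if info["security"] == "open" and caps & CAP_PRIVACY:
        info["security"] = "WEP"       # privacy bit without RSN/WPA means WEP
    return info

SAMPLE_BEACONS = [
    build_beacon("coffee-free"),
    build_beacon("home-wep", privacy=True),
    build_beacon("corp", privacy=True, rsn=(4, 2)),   # WPA2, CCMP pairwise, PSK
]

def survey(frames):
    """One summary per beacon, as a passive sniff would list them."""
    return [classify_beacon(f) for f in frames]

if __name__ == "__main__":
    for ap in survey(SAMPLE_BEACONS):
        print(ap)
```

Two caveats for comment 30 follow directly from what the code reads. First, the AP's SSID, BSSID and security configuration are visible to anyone in range regardless of WPA2, because beacons and the other management frames carry no encryption at all (protected management frames are a later addition and not what the thread's hardware does). Second, WPA2-PSK protects the data frames from outsiders, but anyone who knows the same passphrase and captures a client's 4-way handshake can derive that client's keys, so on a shared-PSK network the other users are not outsiders.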
  37. just spit coffee peanutbutter +crackers on monitor by Anonymous Coward · · Score: 0

    HA