A Network Sniffer On Steroids
QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said."
Umm. Wireshark/Ethereal have had Win32 versions for quite some time. From reading the article and the download page I see nothing which distinguishes this app from others which were done first, and better.
After reading their presentation and other material, here's how it's different to Wireshark -- the packet analyzer part is just one of its features:
1) It can respond to various requests like DHCP requests (so it's like a lightweight collection of servers?)
2) It has a port scanner to show running services (like nmap)
3) It has kismet/netstumbler functionality to break into wireless access points
4) They go on and on about it not looking at data leakage but intentional data like startup programs querying servers, etc -- After 6-7 pages of explaining this I still don't see the difference...
At the end of the day, this looks like wireshark+nmap+kismet tied together made for the intent of tracking desired actions like buying new hardware in a firm
So looks like move along, nothing to see here to me, but I get the steroid bit now
Errata: Errata has developed another network sniffer that looks for traffic using 25 protocols
Wireshark: Hundreds of protocols are supported, with more being added all the time.
Wireshark's most powerful feature is its vast array of display filters (over 51000 as of version 0.99.5).
Something isn't adding up for Errata having more.
Normally people complain that Wireshark looks at too many protocols and presents a network vulnerability.
HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."
Oh Wowsers! DHCP, SNMP, DNS and HTTP! That's so many! It's a shame Ethereal can only look at these!
http://www.etherpeg.org/
(I have no idea if it works with newer hardware/drivers, but I am pretty sure this is what you are talking about.)
On linux:
http://www.ex-parrot.com/~chris/driftnet/
Nerd rage is the funniest rage.
Well, I remember Driftnet. Does that count?
I remember horrifying the chief engineer at my last job by running that on the proxy/firewall box. My demonstration might have been more effective had I shown it to the General Manager, but then again I might've gotten myself thrown out the door that much sooner...
I'm only wearing black until they come out with something darker.
Wireshark does waaaaay more than 25 protocols.
I think there is a world market for maybe five personal web logs.
Hmm, as long as your wireless card is in monitor mode (http://en.wikipedia.org/wiki/Monitor_mode ; this mode is controlled by the OS, so Ethereal doesn't even know about it), Ethereal can read and analyze 802.11 packets just fine.
Furthermore, it's not even limited to "regular" data packets (IP or ARP packets encapsulated in 802.11). You can see things like 802.11 association/authentication/probe packets (it's funny how some people believe that preventing the AP from announcing its network name (ESSID) adds security, as the ESSID is transmitted in the association/probe packets).
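The point above about the ESSID being visible even when the AP hides it, as an added example that is not from the thread or from Ferret: a small parser for 802.11 management frames, run over constructed beacon, probe-request and association-request frames. The MAC addresses and the network name "corp-wifi" are made up.

```python
import struct

# Management-frame subtypes (IEEE 802.11 type 0) and the length of the
# fixed fields that sit before the tagged parameters in the frame body.
MGMT_FIXED_LEN = {
    0: 4,   # association request: capability(2) + listen interval(2)
    2: 10,  # reassociation request: capability(2) + listen interval(2) + current AP(6)
    4: 0,   # probe request: tagged parameters only
    5: 12,  # probe response: timestamp(8) + beacon interval(2) + capability(2)
    8: 12,  # beacon: same fixed fields as a probe response
}
SUBTYPE_NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def parse_mgmt_frame(frame: bytes):
    """Return (subtype name, transmitter MAC, SSID) for a raw 802.11 management frame.
    SSID is None when the SSID element is absent or hidden (zero length)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in MGMT_FIXED_LEN:
        raise ValueError("not a supported management frame")
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    body = frame[24 + MGMT_FIXED_LEN[subtype]:]
    ssid, off = None, 0
    while off + 2 <= len(body):                        # walk the tagged parameters
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:
            break                                      # truncated element: stop parsing
        if tag == 0 and length > 0:                    # element ID 0 = SSID
            ssid = value.decode("utf-8", "replace")
        off += 2 + length
    return SUBTYPE_NAMES[subtype], src, ssid

def _mgmt(subtype, dst, src, bssid, body):
    """Build a constructed management frame for this demo (not a real capture)."""
    header = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    return header + body

AP, STA, BCAST = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455"), b"\xff" * 6
NAME = b"corp-wifi"
# Beacon from an AP that "hides" its network: SSID element present but zero length.
HIDDEN_BEACON = _mgmt(8, BCAST, AP, AP, b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + b"\x00\x00" + b"\x01\x01\x82")
# The client's own frames still carry the name in the clear.
PROBE_REQ = _mgmt(4, BCAST, STA, BCAST, b"\x00" + bytes([len(NAME)]) + NAME + b"\x01\x01\x82")
ASSOC_REQ = _mgmt(0, AP, STA, AP, b"\x11\x04" + b"\x0a\x00" + b"\x00" + bytes([len(NAME)]) + NAME)

if __name__ == "__main__":
    for f in (HIDDEN_BEACON, PROBE_REQ, ASSOC_REQ):
        print(parse_mgmt_frame(f))
```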
What makes this sniffer stand out is not the fact that it can parse different protocol formats -- it's that it collects relevant data in a meaningful summary.
For example, any sniffer can filter and then parse HTTP traffic, but an analyzer like this one tells you relevant bits like someone's web account names.
If I were you, I'd be buying lotto tickets. I have a box going somewhere of WiFi cards that I've ripped out of systems because I couldn't get them working on Linux. It's not full, but there are a bunch in there, plus a bunch in systems that just don't work and I've not bothered to pull, plus a lot more that I've tried to get working and returned. They tend to be a combination of Marvell and Texas Instruments ACX chipsets, neither of which I've ever gotten to work successfully (and by "work," I mean natively, without Windows-driver hacks, and will work with WPA-PSK AES, and without installing anything alpha-quality or destabilizing). The TI ones are particularly awful, because they're the kind that require firmware blobs to be loaded at startup, so they'll pretty much never be supported in the hardcore FOSS distros (although I heard a rumor that Mepis may support them).
I have only ever gotten lucky with one wireless card on a Linux machine, and that was a DWL-650 and Ubuntu Dapper, a combination which (naturally) you can't buy anymore, because the DWL-650 has been replaced by the DWL-650+, which has a completely different (ACX!) chipset.
My plan is to dump the crate out every few years and see if the situation has changed, but after buying and returning pretty much every card at all of the local stores which even seemed to be distantly or possibly related to anything that might have out-of-the-box Linux drivers, I decided to can the whole endeavor.
It's easier, IMO, (and cheaper, if you look at the prices for "real" Linux-compatible WiFi cards from Orinoco/Cisco/etc. -- notwithstanding the fact that they need to be ordered a week in advance of when you need them) to buy routers that will work in bridge mode (aka "game adapters", or a WRT54GL with DD-WRT if you can find one), and can just be attached to any type of box via Ethernet, than to actually mess around with getting a card working natively on anything except Windows and MacOS. (And it's not like Windows is necessarily any picnic, either, particularly when you start talking about WPA. MacOS only avoids it by only having a handful of cards.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In order to run Ferret on Vista, you need to run cmd.exe as administrator before running Ferret from the cmd line.
Good for Linux, with monitor mode:
:) - http://madwifi.org
* Atheros-based cards. Strangely, I don't hear these mentioned very often, but they have excellent support, complete with monitor mode, creating multiple interfaces from one card, etc. Oh, and airpwn supports it.
* Intel Pro Wireless (2100 / 2200 / 2950) - Works well, has monitor mode, WEP in hardware, drivers actually developed by Intel - http://ipw2200.sf.net and in the kernel at this point
* Orinoco / Hermes / Lucent cards - in the kernel
* Cards based on the Prism chipset (http://prism54.org). BE WARNED though, some of the newer ones require "softmac" firmware which is currently not working all that well
I have used a card from all of these manufacturers and if I were getting a new laptop, I would probably go with Atheros and if not that, then Intel.