Slashdot Mirror


A Network Sniffer On Steroids

QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said."

37 of 129 comments

  1. Broadcom cards? by ShaunC · · Score: 2, Interesting

    Does anyone know if there are any special driver requirements, beyond "anyone with a wireless card?" The documentation is rather...sparse. I've got a Broadcom wireless card in my laptop and it's generally a pain to get things like airodump going; it requires installing a debug driver, then rolling back the driver afterwards, and the network functionality itself is disabled during this period, at least with airodump.

    I'm curious if ferret can sniff without the added hassle...

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:Broadcom cards? by Kadin2048 · · Score: 5, Insightful

      Broadcom chipsets are absolute and utter crap. DO NOT USE THEM.

      The problem is that you could toss out your crappy, but admittedly working, Broadcom-based card, and inadvertently pick up a Marvell one instead, or one of the newer ones that have some sort of proprietary binary blob firmware that gets loaded by the driver, and will probably never, ever have legitimate Linux drivers.

      If you have a wireless card that actually works on Linux, here's a piece of advice: get on your knees and thank the deity of your choice for smiling on you, and not leading you astray into the Purgatory of identical-model-number-but-different-chipsets, or the Hell of alpha-quality drivers. And then, don't mess with anything.

      And if you got AES working, sacrifice a goat.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Broadcom cards? by caluml · · Score: 5, Insightful

      If you have a wireless card that actually works on Linux,

      Just check what card it is before you buy, and don't buy any that don't have Open Source, native Linux support. It's what I do. Cisco, Orinoco, the new Intel IPW drivers.
      If you buy something that doesn't work, don't cry when it doesn't work.

  2. Wireshark? by Hackeron · · Score: 5, Interesting

    How is this different to say wireshark or any other traffic analyzer?

    1. Re:Wireshark? by Arkaic · · Score: 3, Informative

      Umm. Wireshark/Ethereal have had Win32 versions for quite some time. From reading the article and the download page I see nothing which distinguishes this app from others which were done first, and better.

    2. Re:Wireshark? by $RANDOMLUSER · · Score: 5, Funny

      How is this different to say wireshark or any other traffic analyzer?
      Duh. It's on steroids.
      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:Wireshark? by Hackeron · · Score: 5, Informative

      After reading their presentation and other material, here's how it's different to wireshark -- the packet analyzer part is just one of its features:

      1) It can respond to various requests like DHCP requests (so it's like a lightweight collection of servers?)
      2) It has a port scanner to show running services (like nmap)
      3) It has kismet/netstumbler functionality to break into wireless access points
      4) They go on and on about it not looking at data leakage but intentional data like startup programs querying servers, etc -- After 6-7 pages of explaining this I still don't see the difference...

      At the end of the day, this looks like wireshark+nmap+kismet tied together, made for the intent of tracking desired actions like buying new hardware in a firm.

      So it looks like "move along, nothing to see here" to me, but I get the steroid bit now.

    4. Re:Wireshark? by basotl · · Score: 2, Informative

      Errata: Errata has developed another network sniffer that looks for traffic using 25 protocols

      Wireshark: Hundreds of protocols are supported, with more being added all the time.
      Wireshark's most powerful feature is its vast array of display filters (over 51000 as of version 0.99.5).

      Something isn't adding up for Errata having more.

      Normally people complain that Wireshark looks at too many protocols and presents a network vulnerability.

      --
      HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
    5. Re:Wireshark? by twistah · · Score: 2, Interesting

      By your logic, Wireshark is no different than tcpdump. But obviously, they are different. Wireshark is great at dissecting packets, not just dumping them in hex format. Ferret is good for sniffing broadcast information, such as NetBIOS traffic and iTunes DAAP, which can assist you in getting a picture of the current network. That's all it does. Yes, they are all pcap based, but they serve different purposes.

      Just like you could use Wireshark to sniff for passwords (or, hell, even tcpdump + ngrep), but it's a lot easier to use dsniff or Cain. I think Ferret is interesting stuff, as long as they develop it beyond a proof-of-concept. (Note that I only spent a few minutes reading about the tool, sorry for any misinformation.)

    6. Re:Wireshark? by klem · · Score: 2, Informative

      Hum, as long as your wireless card is in monitor mode (http://en.wikipedia.org/wiki/Monitor_mode ; this mode is controlled by the OS, so ethereal doesn't even know about it), ethereal can read and analyze 802.11 packets just fine.
      Furthermore, it's not even limited to "regular" data packets (IP or ARP packets encapsulated into 802.11). You can see things like 802.11 association/authentication/probe packets (it's funny how some people believe that preventing the AP from announcing its network name (ESSID) adds security, as the ESSID is transmitted in the association / probe packets).

    7. Re:Wireshark? by s_p_oneil · · Score: 4, Insightful

      Over 99% of Internet users wouldn't have a clue how to use Wireshark. "What are all these SYN messages? Are they caused by a virus or spyware?"

      Actually, that's a gross exaggeration. Very few Internet users would even be able to figure out how to start a capture in Wireshark. The more timid ones wouldn't even make it to the "No capture interface selected!" error, and most of the rest would be lost when they ran into that.

      If Ferret successfully dumbs it down, then it could be quite useful to a lot of Internet users. In that case, I wouldn't say it was a sniffer on steroids though. More like a "for dummies" version.

    8. Re:Wireshark? by slickwillie · · Score: 2, Interesting

      Well, for one thing Ethereal (Wireshark) used to have the best slogan on the Net:

      "Sniffing the glue that holds the Internet together."

  3. From TFA by Who235 · · Score: 2, Interesting

    "If the government was taking this information from you, people would be up in arms."

    First of all, they probably are sniffing you whenever it's convenient (like at the airport).

    Second of all, people sadly don't seem to care all that much.

    This looks like a cool tool, and I share the hope of an earlier poster that it will work with Broadcom cards - since that's what I have.
  4. Brilliant by Gothmolly · · Score: 2, Insightful

    You mean that by analyzing my DNS and HTTP traffic, either in the clear or from a cracked WEP session, that you can infer, or worse, identify, certain definite pieces of information about my Internet usage habits?
    Boy, if I had a tool that could do that, I'd certainly astroturf it on Slashdot.

    --
    I want to delete my account but Slashdot doesn't allow it.
  5. Darn by Kohath · · Score: 4, Funny

    I needed a steroid sniffer that works on my network.

    Can I operate it in reverse or something?

  6. my god by mastershake_phd · · Score: 4, Funny

    My neighbor likes clown pron.

  7. I've seen this before by ciaran.mchale · · Score: 5, Funny
    A Network Sniffer On Steroids.

    I've seen this before. It starts off with steroids, but pretty soon the network sniffer moves on to crack cocaine. A short while later, he takes a job as a fluffer in midget porn movies to feed his habit.

  8. Anyone remember a Mac one from 99/2000? by Kadin2048 · · Score: 3, Interesting

    Does anyone remember a Mac utility that came out a while back (by which I mean, maybe 5 or so years ago), that would put an Airport into promiscuous mode, and sniff for traffic, and then decode and display any images that it sniffed? It was a pretty amusing little program; I think I remember reading that it was thrown together at MacHack and won best of show, or some other honor.

    Basically you could run it, and it would give you an idea of what everyone on the wireless network was browsing, in the clear, at that moment, all sort of jumbled together.

    I've always wanted something like that, to use as a demonstration of how insecure most wireless APs (unencrypted ones) are, for nontechnical people, but I've never been able to find it, or any record of it. Sometimes I wonder if I just hallucinated the whole story.

    It would be a heck of a demo to just run something like that, particularly if you could target a particular connection, and then tell someone to load a web page, and be able to instantly display some or all of the page, or at least its images, in real time, to prove that you really were listening in on what they were doing. Most packet sniffers don't provide any direct, obvious, graphical output of stuff they sniff, and that's frankly just not dramatic enough to make an impression.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Anyone remember a Mac one from 99/2000? by maxume · · Score: 4, Informative

      http://www.etherpeg.org/

      (I have no idea if it works with newer hardware/drivers, but I am pretty sure this is what you are talking about.)

      On linux:

      http://www.ex-parrot.com/~chris/driftnet/

      --
      Nerd rage is the funniest rage.
    2. Re:Anyone remember a Mac one from 99/2000? by GreyDuck · · Score: 2, Informative

      Well, I remember Driftnet. Does that count?

      I remember horrifying the chief engineer at my last job by running that on the proxy/firewall box. My demonstration might have been more effective had I shown it to the General Manager, but then again I might've gotten myself thrown out the door that much sooner...

      --
      I'm only wearing black until they come out with something darker.
  9. Reinventing 1/16 of a wheel by krunoce · · Score: 2, Informative

    The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."

    Oh Wowsers! DHCP, SNMP, DNS and HTTP! That's so many! It's a shame Ethereal can only look at these!

  10. I doubt it. by Kenja · · Score: 2, Funny

    I'm willing to bet that most people with a wireless network card don't even know what the term "sniffer" means, much less be able to run one.

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  11. Wow! 25 protocols? by A+Guy+From+Ottawa · · Score: 5, Funny

    Incredible... they support 25 protocols!!!

    And to think I used to use Wireshark/libpcap which is open source, available on almost every platform, is not buggy, and supports hundreds of protocols. It even has a graphical user interface.

    But I think these guys are really on to something...

    --
    using System.Awesome;

  12. OT: Linux compatible, and tasty, too? by Anonymous Coward · · Score: 5, Funny
    I just went over to Amazon to check the prices on some of those cards, and this completely made my day. (Look at the "Technical Details")

    Proxim 8482-FC ORiNOCO Wireless 11a/b/g PCI Card, $82.27

    Technical Details

            * One 6.5-ounce package
            * Made with enriched wheat flour and natural vanilla flavoring
            * 100% cholesterol free and sweetened with sorbitol
            * America's number one brand of sugar-free cookies
            * Creme-filled, vanilla cookies perfect for low-carb diets
    Do you think they're RoHS-compliant, too?
  13. Wireshark, anyone? by drix · · Score: 3, Informative

    Wireshark does waaaaay more than 25 protocols.

    --
    I think there is a world market for maybe five personal web logs.
  14. Wireshark does NOT do this by Anonymous Coward · · Score: 3, Informative

    What makes this sniffer stand out is not the fact that it can parse different protocol formats -- it's that it collects relevant data in a meaningful summary.

    For example, any sniffer can filter and then parse HTTP traffic, but an analyzer like this one tells you relevant bits like someone's web account names.

  15. Either you're lucky, or I angered God. by Kadin2048 · · Score: 2, Informative

    If I were you, I'd be buying lotto tickets. I have a box going somewhere of WiFi cards that I've ripped out of systems because I couldn't get them working on Linux. It's not full, but there are a bunch in there, plus a bunch in systems that just don't work and I've not bothered to pull, plus a lot more that I've tried to get working and returned. They tend to be a combination of Marvell and Texas Instrument ACX chipsets, neither of which I've ever gotten to work successfully (and by "work," I mean natively, without Windows-driver hacks, and will work with WPA-PSK AES, and without installing anything alpha-quality or destabilizing). The TI ones are particularly awful, because they're the kind that require firmware blobs to be loaded at startup, so they'll pretty much never be supported in the hardcore FOSS distros (although I heard a rumor that Mepis may support them).

    I have only ever gotten lucky with one wireless card on a Linux machine, and that was a DWL-650 and Ubuntu Dapper, a combination which (naturally) you can't buy anymore, because the DWL-650 has been replaced by the DWL-650+, which has a completely different (ACX!) chipset.

    My plan is to dump the crate out every few years and see if the situation has changed, but after buying and returning pretty much every card at all of the local stores which even seemed to be distantly or possibly related to anything that might have out-of-the-box Linux drivers, I decided to can the whole endeavor.

    It's easier, IMO, (and cheaper, if you look at the prices for "real" Linux-compatible WiFi cards from Orinoco/Cisco/etc. -- notwithstanding the fact that they need to be ordered a week in advance of when you need them) to buy routers that will work in bridge mode (aka "game adapters", or a WRT54GL with DD-WRT if you can find one), and can just be attached to any type of box via Ethernet, than to actually mess around with getting a card working natively on anything except Windows and MacOS. (And it's not like Windows is necessarily any picnic, either, particularly when you start talking about WPA. MacOS only avoids it by only having a handful of cards.)

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  16. Dude... by geekoid · · Score: 4, Funny

    You should be out in the garage getting your clown suit on.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Dude... by Knara · · Score: 2, Funny

      And chopping off his own shins.

    2. Re:Dude... by BertieBaggio · · Score: 3, Funny

      Plus, every time ya want to break out the sillystring, it turns out the aerosol's all leaked out, and it's just a big letdown.

      Yeah, I hear they have pills you can take for that.

      --
      If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
  17. Ferret on Vista by kantmakm · · Score: 2, Informative

    In order to run Ferret on Vista, you need to run cmd.exe as administrator before running Ferret from the command line.

  18. It's worse than that by istartedi · · Score: 2, Funny

    According to this banner ad I saw on another site, my IP address is visible!

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  19. Not on steroids, not for linux. by WK2 · · Score: 5, Funny

    They include the source code, and say that it "should" compile in linux. However, it uses many Windows-specific variable types. This code will not be cross compatible without a major overhaul.

    This program is not ethereal on steroids. It's more like ethereal and kismet got drunk, had sex, and had a retarded baby, which they named ferret.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  20. Good Linux WIFI Cards by stevenm86 · · Score: 4, Informative

    Good for Linux, with monitor mode:

    * Atheros-based cards. Strangely, I don't hear these mentioned very often, but they have excellent support, complete with monitor mode, creating multiple interfaces from one card, etc. Oh and airpwn supports it :) - http://madwifi.org

    * Intel Pro Wireless (2100 / 2200 / 2950) - Works well, has monitor mode, wep in hardware, drivers actually developed by intel - http://ipw2200.sf.net and in the kernel at this point

    * Orinoco / Hermes / Lucent cards - in the kernel

    * Cards based on the Prism chipset (http://prism54.org). BE WARNED though, some of the newer ones require "softmac" firmware, which is currently not working all that well.

    I have used a card from all of these manufacturers and if I were getting a new laptop, I would probably go with Atheros and if not that, then Intel.

  21. EVERYTHING about this article is wrong. by jurgen · · Score: 4, Interesting
    This is a great example of the worst of slashdot (which isn't saying much)... just about everything in this article as it appears on the main page is wrong, word for word.

    • Category: YRO... why? What does this have to do with "rights"?

    • Title: "Sniffer on Steroids". Nothing steroidal about it... according to the authors of the software it is a buggy piece of shit whipped up quickly to demonstrate a very /specific/ type of traffic analysis for a talk.

    • "Looks for traffic using 25 protocols". Uh no, it doesn't use the protocols, it analyzes them.

    • List of protocols and applications... misses the point entirely, as any other sniffer can also "capture" all those protocols. The point is that this program looks for and explicitly points to information within those protocols that you probably didn't realize was "seeping" out with those protocols. Mind you, you could still find all that same information with ANY OTHER SNIFFER... there is nothing technologically new about this sniffer. Rather, the authors have made a list of things that "seep" out with various applications and protocols that most people haven't thought of, and have written a simple ordinary sniffer that explicitly includes this list.

    • "Anyone with a wireless card will be able to run it"... uhm, yeah, anyone with a WINDOWS machine and the right kind of wireless card. Doh.

    Even for slashdot, that's pretty bad, eh?

    :j
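The summarising step that comment 14 and the "seeping" point above describe, as an added example that is not Ferret's code: a small Python audit that reduces DNS and plaintext HTTP payloads to the hostnames and client identifiers a host reveals about itself, rather than dumping packets. Packet capture is out of scope; the build_dns_query helper and the sample payloads are constructed for the example.

```python
import struct

def build_dns_query(name, txid=0x1234):
    """Construct a standard A-record DNS query for NAME (sample input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def dns_query_names(payload):
    """Return the QNAMEs from the question section of a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated question section")
            length, pos = payload[pos], pos + 1
            if length == 0:
                break
            if length & 0xC0:  # a compression pointer does not belong in a question
                raise ValueError("unexpected label compression")
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

def http_request_summary(data):
    """Pull target, Host and User-Agent out of a plaintext HTTP request."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(b":")
        if sep:
            headers[key.strip().lower()] = value.strip().decode("latin-1")
    return {"target": parts[1].decode("latin-1"),
            "host": headers.get(b"host"), "user_agent": headers.get(b"user-agent")}

def leak_report(packets):
    """Reduce (protocol, payload) pairs to the names and client identifiers exposed."""
    report = {"dns_names": [], "http_hosts": [], "user_agents": []}
    for proto, payload in packets:
        if proto == "dns":
            report["dns_names"].extend(dns_query_names(payload))
        elif proto == "http":
            s = http_request_summary(payload)
            for key, field in (("http_hosts", "host"), ("user_agents", "user_agent")):
                if s[field] and s[field] not in report[key]:
                    report[key].append(s[field])
    return report

# Constructed sample capture: one DNS lookup and two plaintext HTTP requests.
SAMPLE_PACKETS = [
    ("dns", build_dns_query("updates.example-vendor.test")),
    ("http", b"GET /check HTTP/1.1\r\nHost: updates.example-vendor.test\r\n"
             b"User-Agent: ExampleUpdater/2.1\r\n\r\n"),
    ("http", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
             b"User-Agent: ExampleBrowser/5.0\r\n\r\n"),
]
```

Running leak_report(SAMPLE_PACKETS) yields the queried name, the two Host values and the two User-Agent strings, which is the kind of "what is my machine telling the network" list the thread is arguing about.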

  22. They probably already are by Weaselmancer · · Score: 2, Interesting

    I have a friend who works at Best Buy/Geek Squad. A guy came in with a government contract and a laptop, needing repairs. He was making small talk and said his job was to wardrive around and break into people's home computers and search them for child porn.

    Take it with a grain of salt - the guy was just some dude with a busted laptop walking into a Best Buy. But he did have a government contract, and a lot of wireless sniffer software on his machine.

    --
    Weaselmancer
    rediculous.
    1. Re:They probably already are by Lord+Ender · · Score: 3, Interesting

      Right. He had advanced security software, a van with sophisticated antennas, and no IT department to fix failures of their own equipment. So he takes it to Best Buy, where the teenage "technicians" install unnecessary anti-virus software, which proceeds to wipe out ("clean") all his security software...

      Yeah, right. They don't make salt grains big enough.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.