Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
News

Preliminary Ethereal User's Guide 79

An Anonymous Coward writes "The prelimiary Ethereal User's Guide is up. It will be updated over the next month or so, and will be followed by a Developer's Guide. It is all done in DocBook and the source will be up at the Ethereal web site." If you haven't used ethereal, its an extremely excellent packet sniffer: play with it a little and you'll never use telnet and FTP again (unless of course you knew that already).
This discussion has been archived. No new comments can be posted.

Preliminary Ethereal User's Guide

Comments Filter:
  • Of course that'll fix everything you idiot!
  • by stab ( 26928 ) on Sunday July 30, 2000 @08:51AM (#893749) Homepage
    Investigate the latest version of Courier-IMAP [inter7.com] which has built in support for IMAP-SSL/TLS, as opposed to using stunnel.

    stunnel is great for a small number of connections, but the overhead of launching a new process every time is fairly significant as you scale up, so Courier does a great job of a lightweight, secure IMAP server.

    You have to use maildir - but both Exim [exim.org] and qmail [qmail.org] support it natively now, and it's far superior to the traditional mbox format anyway.
  • The Ethereal document makes a mistake that I see more and more. The stuff that comes before the main part of the text is the 'foreword' not the 'forward'. Maybe we ought to just shift to 'preface' since there's less chance to screw it up.
  • Of course look at this:
    Mozilla/4.6 [en] (X11; U; Linux 2.2.14 i586)
    Looks like Linux to me....
  • dude, this shit is fawking gay
  • Root can do just the same thing to you on an untrusted UNIX box. At least with S/Key he won't know your password.
  • *sigh* What's that saying about a little bit of knowledge being a dangerous thing?

    Absolutely. Which is why John's comment is so relevant -- Let's suppose you're working for a Humorless Corporate, and you're found running Ethereal. No admin is going to be happy about it, most will go ballistic, and any pointy-hair is going to see it as a major end-of-job crime. In almost every site I've ever worked, that's a hanging offence for certain (in one Scottish waterfront site, I think it's still one of the few literally hanging offences on the British statute book !).

    Are these people right ? How do I know; it all depends on what you did with it, but nearly every company, nearly everywhere, is going to see this as distinctly A Bad Thing.

    I'm considering running it at work -- I'm working on streaming, and sniffing traffic from my servers would be pretty useful. Out of courtesy I'd warn the admins though, and I'm lucky in that ours are clueful enough to understand why this is reasonable.

  • Actually, I just checked it out. It is rather nice, however...

    Etherpeek and NA Sniffer both do pretty much everything ethereal does.

    Ethereal has some neat tcp stream watching features, which is rather unique.
    Ethereal is more flexible in terms of filters, and certainly being open source and running on unix are great. However...

    Ethereal does NOT seem to have any graph-drawing abilities. Etherpeek and the like can generate stats based on packet size distribution, protocol types, and several other factors. I find these very useful features.
    Also, the GUI needs work. I mean, it's great, it's clean, it's great for unix, but etherpeek and NA sniffer both color code automatically, in several ways.
    Also, it doesn't seem to have the ability to play back what it records into the network (useful for testing/using other devices to analyze captured data). Of course this can be accomplished with other tools, but Etherpeek and NA sniffer both do this out of the box.

    Ethereal does seem to have a superior filtering mechanism; however, the filters in NA sniffer and etherpeek are also competent. (read: Ethereal has a kick-ass filter mechanism, but the others are adequate)

    Also, when monitoring a busy network, displaying realtime results, etherpeek is unbalanced. screen updates are very slow, and it's a pain in the ass to use. NA sniffer and etherpeek stay smooth.

    Yes, of course, NA sniffer and Etherpeek both costs $$$ ($1000 and up). Yes of course, they aren't open source, and of course, don't run on unix.

    So.. from a free tool point of view, etherpeek is fantastic.
    From a Sniffer point of view, Etherpeek has some neat features, but is not the best.

  • It truly is a triumph of open source.

    Um, a "triumph of open source" would be if you fixed it yourself and distributed a patch immediately; no waiting until 1.3, when it may or may not be fixed by Sun...

  • ::sigh:: Sitting at the local high school and setting up a Linux ipmasquerade gateway... what I need, and I haven't been able to find, is a program that filters through the packets to forward and logs time, source IP and URL of the websites that pass through my gatewaybox. No browser proxy, just works on raw packets. Anybody know if something like this exists for Linux?

    Yes, it's Big-Brotherism; no, I didn't like it either.

    BRTB
  • Got a quick question. I know how to follow the TCP Stream and see the text generated. But is there a way to compile the packet stream into a file. Lets say someone ftps a file across the net, can I write that down to a real file? Please excuse my bad english..i am hungry and papajohns.com is slow...
  • Would this be artists getting payed whenever someone downloaded their work, or just a way for guys with large MP3 libraries to make some money sharing illegally?
  • Then again, many (most?) businesses use switched ethernet. Sniff till you go blind, unless you are mirroring a particular port on the same switch you ain't gonna see a whole lot of info.. ./bot
  • yeah but ethereal is cheap .. like where i work there are loads of protocols running and there are no docs ... also there are *4* Ip address schems running on the same set of wires ... and they wouldn't want to spend £1000+ just so i can fix their network .... anyhow i used lanalyser last and i think ethereal is mostly better ..
  • by John Jorsett ( 171560 ) on Sunday July 30, 2000 @11:17AM (#893763)
    I agree that anyone who is knowledgeable and wants to remain undetected can probably do so. My warning wasn't addressed to the hackers/crackers out there (who, after all, don't need me to tell them about the dangers) but rather those who out of curiosity might run out and install this software on their work machine running, for example, Win98. If their network administrator suddenly notices that they're sniffing the local net, there're are going to be some questions asked. And legitimately so. There a are a number of ways, some easier to implement than others, to tell when there's a packet sniffer on your net. For a list, take a look here [robertgraham.com] (scroll down to 2.5 - "How can I detect a packet sniffer?").
  • about ssh and ftp... why bother.. scp gives you secure file transfer and it comes with ssh

    try
    man scp
    for more info

  • by _underSCORE ( 128392 ) on Sunday July 30, 2000 @05:05PM (#893765) Homepage Journal
    Thanks to Ethereal, I discovered a bug in Java's HttpURLConnection. For some reason, after I would make rapid requests to a site, the HTTP headers wouldn't be set, even though I set them in my code. My debugging messages said that I was setting them, but when I used Ethereal to sniff the packets, whoops, they were set to their default values. I called up sun, and it was given a bug ID. They plan to fix it in the 1.3 release for UNIX. I can't tell you how much time this has saved me. It truly is a triumph of open source.

    Lucky me, I also run VMWare, which flips on promiscuous mode anyway, so if someone is using a sniffer detector, I can always blame VMWare.
  • S/Key's great but don't be surprised when your session is hijacked. Ooops I guess it isn't so great after all.

    As for forwarding ftp read the ssh manual.
  • 3. Fonts 102 -- Typography

    Here, we discuss some typography basics. While this information is not essential, many font lovers will find it interesting.

    3.1 Classifications of Typefaces

    Fixed versus variable width

    There are several classifications of typefaces. Firstly, there are fixed width fonts, and variable width fonts. The fixed width fonts look like typewriter text, because each character is the
    same width. This quality is desirable for something like a text editor or a computer console, but not desirable for the body text of a long document. The other class is variable width. Most of
    the fonts you will use are variable width, though fixed with can be useful also ( for example, all the example shell commands in this document are illustrated with a fixed with font ). The most
    well known fixed width font is courier.

    To serif or not to serif ?

    Serifs are little hooks on the ends of characters. For example, the letter i in a font such as Times Roman has serifs protruding from the base of the i and the head of the i. Serif fonts are
    usually considered more readable than fonts without serifs. There are many different types of serif fonts.

    Sans serif fonts do not have these little hooks, so they have a starker appearance. One usually does not write a long book using a sans serif font for the body text. There are sans serif fonts
    that are readable enough to be well suited to documents that are supposed to be browsed / skimmed ( web pages, catalogues, marketting brochures ). Another application that sans serif
    fonts have is as display fonts on computer screens, especially at small sizes. The lack of detail in the font can provide it with more clarity. For example, Microsoft touts Verdana as being
    readable at very small sizes on screen.

    Notable sans serif fonts include Lucida sans, MS Comic Sans, Verdana, Myriad, Avant Garde, Arial, Century Gothic and Helvetica. By the way, Helvetica is considered harmful by
    typographers. It is somewhat overused, and many books by typographers plead users to stay away from it.

    The old and the new -- different types of Serif fonts

    Old Style

    Old style fonts are based on very traditional styles dating as far back as the late 15th century. Old style fonts tend to be conservative in design, and very readable. They are well suited to
    writing long documents. The name ``old style'' refers to the style of the font, as opposed to the date of its design. There are classic old style fonts, such as Goudy Old Style, which wre
    designed in the 20th century. The old style class of fonts has the following distinguishing features:

    Well defined, shapely serifs.
    Diagonal emphasis. Imagine drawing a font with a fountain pen, where lines 45 degrees anticlockwise from vertical are heavy and lines 45 degrees clockwise from verticle are light. Old
    style fonts often have this appearance.
    Readability. Old style fonts are almost always very readable.
    Subtlety and lack of contrast. The old style fonts have heavy lines and light lines but the contrast in weight is subtle, not stark.

    Notable Old Style fonts include Garamond, Goudy Old Style, Jenson, and Caslon ( the latter is contentious -- some consider it transitional )

    Moderns ( or didone )

    The moderns are the opposite of old style fonts. These fonts typically have more character, and more attitude than their old style counterparts, and can be used to add character to a
    document rather than to typeset a long piece. However, nothing is black and white -- and there are some modern fonts such as computer modern and Monotype modern, and New Century
    Schoolbook are very readable ( the contrast between heavy and light is softened to add readability ). They are based on the designs popular in the 19th century and later. Their distinguishing
    features include:

    Lighter serifs, often just thin horizontal lines.
    Vertical emphasis. Vertical lines are heavy, horizontal lines are light.
    Many moderns have a stark contrast between light and heavy strokes.
    Modern typefaces with high contrast between light and heavy strokes are not as readable as the old style fonts.

    Bodoni is the most notable modern. Other moderns include computer modern, and Monotype modern ( on which computer modern is based ).

    Transitional

    Transitional fonts fit somewhere in between moderns and old style fonts. Many of the transitionals have the same kind of readability as the old styles. However, they are based on slightly later
    design. While a move in the direction of the moderns may be visible in these fonts, they are still much more subtle than the the moderns. Examples of transitionals include Times Roman,
    Utopia, Bulmer, and Baskerville. Of these, Times leans towards old style, while Bulmer looks very modern.

    Slab Serifs

    The slab serif fonts are so named because they have thick, block like serifs, as opposed to the smooth hooks of the old styles or the thin lines of some of the moderns. Slab serif fonts tend to
    be sturdy looking and are generally quite readable. Many of the slab serifs have Egyptian names -- such as Nile, and Egyptienne ( though they are not really in any way Egyptian ). These
    fonts are great for producing readable text that may suffer some dilution in quality ( such as photocpied documents, and documents printed on newspaper ). These fonts tend to look fairly
    sturdy. The most notable slab serif fonts are Clarendon, Memphis and Egyptienne, as well as several typewriter fonts. Many of the slab serif fonts are fixed width. Conversely, most ( almost
    all ) fixed width fonts are slab serif.

    The Sans Serif Revolution

    Surprisingly, the rise of sans serif fonts is a fairly recent phenomenon. The first well known sans serif fonts were designed in the 19th early 20th century. The earlier designs include Futura,
    Grotesque and Gill Sans. These fonts represent respectively the ``geometric'', ``grotesque'' and ``humanist'' classes of sans serif fonts.

    Grotesque

    The grotesques where so named because the public were initially somewhat shocked by their relatively stark design. Groteques are very bare in appearance due to the absence of serifs, and
    the simpler, cleaner designs. Because of their ``in your face'' appearance, grotesques are good for headlines. The more readable variations also work quite well for comic books, and
    marketting brochures, where the body text comes in small doses. Grotesques don't look as artsy as their geometric counterparts. Compared to the geometrics, they have more variation in
    weight, more strokes, they are squarer ( because they don't use such circular arcs ). They use a different upper case G and lower case a to the geometrics. While they are minimalistic but
    don't go to the same extreme as the brutally avant-garde geometrics.

    Notable grotesques include the overused Helvetica, Grotesque, Arial, Franklin Gothic, and Univers.

    Geometric

    The Futura font came with the manifesto: form follows function. The geometric class of fonts has a stark minimalistic appearance. Distinguishing features include a constant line thickness (
    no weight ). This is particularly conspicuous in the bold variants of a font. Bold groteques and humanist fonts often show some notable variation in weight while this rarely happens with the
    geometric fonts. Also notable is the precise minimalism of these designs. The characters almost always are made up from straight horizontal and vertical lines, and arcs that are very circular (
    to the point where they often look as though they were drawn with a compass ). The characters have a minimal number of strokes. This gives them a contemporary look in that they embrace
    the minimalistic philosophy that would later take the world of modern art by storm. A tell tale sign that a font is a geometric type is the upper case ``G'', which consists of a minimalistic
    combination of two strokes -- a long circular arc and a horizontal line. The other character that stands out is the lower case ``a'' -- which is again two simple strokes, a straight vertical line
    and a circle ( the other ``a'' character is more complex which is why it is not used ). Notable geometrics include Avant Garde, Futura, and Century Gothic.

    Humanist

    As the name might suggest, humanist fonts were designed with a goal of being less mechanical in appearance. In many ways, they are more similar to the serif fonts than the geometrics and
    the grotesques. They are said to have a ``pen drawn'' look about them. They tend to have subtle variation in weight, especially observable in bold variants. The curve shapes are considerably
    less rigid than those of the geometrics. Many of them are distinguishable by the ``double story'' lower case g, which is the same shape as the g used in the old style serif fonts. The humanist
    typefaces are the easiest to use without producing an ugly document as they are relatively compatible with the old style fonts.

    Compatible Typefaces

    Grouping typefaces is not easy, so it pays to avoid using too many on the one page. A logical choice of two typefaces consists of a serif and a sans serif. Monotype's Typography 101 page
    provides a category-matchup. They conclude that the moderns and geometrics form good pairs, while the old styles and humanists also go together well. The transitionals are also paired with
    the humanists. The slab serifs are paired with the grotesques, and some variants of the slab serifs are also said to match the geometrics or humanists.

    From reading this, one gets the impression that their philosophy is essentially to match the more conservative serifs with the more moderate sans serifs, and pair the wilder modern serifs with
    the avant garde looking ( pun unavoidable ) geometrics.

    3.2 Ligatures, Small caps fonts and expert fonts

    Ligatures

    Properly spacing fonts brings with it all sorts of issues. For example, to properly typeset the letters ``fi'', the i should be very close to the f. The problem is that this causes the dot on the i to
    collide with the f, and the serif on the head of the i to collide with the horizontal stroke of the f. To deal with this problem, font collections include ligatures. For example, the ``fi'' ligature
    character is a single character that one can substitute for the the two character string ``fi''. Most fonts contain fi and fl ligatures. Expert fonts discussed later often include extra ligatures, such
    as ffl, ffi, and a dotless i character.

    Small caps fonts

    Small caps fonts are fonts that have reduced size upper case letters in place of the lower case letters. These are useful for writing headings that require emphasis ( and they are often used in
    LaTeX ). Typically, when one writes a heading in small caps, they use a large cap for the beginning of each word, and small capitals for the rest of the word ( ``title case'' ). The advantage of
    this over using all caps is that you get something that is much more readable ( using all caps is a big typographic sin ).

    Expert fonts

    Expert fonts consist of several extras designed to supplement a typeface. These include things like ligatures, ornaments ( much like a mini-dingbats collection designed to go with the typeface
    ), small caps fonts, and swash capitals ( fancy, calligraphic letters ).

    3.3 Font Metrics and Shapes

    Font metrics define the spacing between variable width fonts. The metrics include information about the size of the font, and kerning information, which assigns kerning pairs -- pairs of
    characters that should be given different spacing. For example, the letters ``To'' would usually belong in a kerning pair, because correctly spaced ( or kerned ), the o should partly sit under
    the T. Typesetting programs such as LaTeX need to know information about kerning so that they can make decisions about where to break lines and pages. The same applies to
    WYWIWYG publishing programs.

    In addition to the metrics, is the font outline, or shape. The components of the fonts shape ( a stroke, an accent, etc ) are called ``glyphs''.
  • Try Analyzer for windows. free, open sourced, impressive.

    Try giving a URL for it.

    I'll assume that you're referring to Analyzer from the folks at the Politecnico di Torino [polito.it], the folks who also bring you WinDump [polito.it], a port of tcpdump [tcpdump.org] to Win32 systems, and WinPcap [polito.it], a port of libpcap [tcpdump.org] to Win32 systems (including drivers for Windows 9x and Windows NT, including NT 5.0^H^H^H^H^H^HWindows 2000), which is the library that Ethereal on Win32, Analyzer, and WinDump all use.

    (The Politecnico di Torino site appears not to be responding at the time that I'm posting this; be patient - we sometimes get folks posting to the ethereal-users mailing list asking "that site is down, how do I get WinPcap?", for which the answer is "it's probably just temporarily down, try again later".)

  • I wish I could split the network into VLANs, but I don't have the equipment or authority. Alas ...
  • It could go as low as you were moderated down you dumbass
  • Switched networks aren't impervious to sniffing [monkey.org]. Switches were developed for speed, not security.
  • If you're sniffing your local Ethernet network at work, be careful. To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine). Some network administrators are sensitive to this sort of thing, since it can be used to compromise security. There are software tools that can detect when a machine has an Ethernet interface in this mode, and they may be in use at your organization. Be prepared to explain why you're monitoring the net traffic.
  • You all realize that this is what Carnivore uses? Ethereal means "lacking material substance" which seems to be exactly the kind of response we get from them.

    Seriously however, I've tried most Windows packet sniffers and ugh, no good. The only reasonable one is Microsoft's own sniffer, which is out of the price range of someone trying to troublehsoot HTTP streams.The rest of them usually manage to blow out your connection.

    I'm hoping the FBI uses this as their sniffer so my email address doesn't get munged onto the Child Porn Pirates email traffic.

  • Don't you mean BLOWFISH or something that doesn't do:
    $ssh=~ tr/a-zA-Z/n-za-mN-ZA-M/;
    then:
    $ssh=~ tr/a-zA-Z/n-za-mN-ZA-M/;
    to decrypt.
    Why do I bother?
  • Um, since you need root access to run a packet sniffer like Ethereal, presumably you are the network administrator. If not, then why do you have privileges you don't need?
  • Maybe it's because I'm an idiot but I dont' understand how using a packet sniffer is going to cause me to stop downloading stuff.

    As long as you only log in anonymously you don't have to worry, but if you log in using FTP on a site where you want to be sure that noone is messing with your private files you should use another protocol (or some ftp+ssl solution).


    --
  • More fun is to do bgColor='#ff00ff'
    instead of location.
    But I have other bugs than the any tag on fake email.
  • As a previous poster indicated (humorously), you should use SSH for any remote administration. You can also use SSH along with a POP or IMAP server so that your password isn't passed in cleartext everytime you check your e-mail. (There are other ways to encrypt your password over POP, but I'm not sure about IMAP. I would think there is though.) For file transfer, you can use SFTP, SCP, or regular FTP forwarded over SSH.
  • I've been in work environments where, for testing purposes, I was given root permissions on my particular Unix workstation but not on other machines. In that case, I'd have been able to run a packet sniffer (and in fact did a number of times because I was debugging a network-using app). I was actually thinking , however, of Win98 users in particular, since they have no restrictions on what they can do with their NICs.

  • However, on a properly configured network most people will be properly isolated from seeing most traffic due to switching. I used to be on a very busy hub. I could see pretty much everything. It was very interesting. After they got more connections installed to get rid of the hub we all went to the switch. Now I only see stuff for me and broadcast stuff.

    As a side note, I have to say the Ethereal packet analyser is one of the best peices of open source software I have ever seen. I think there's a lot of crappy open source stuff out there that gets a lot more credit then it deserves but Ethereal is excellent and does not suffer from these problems as far as I can tell. It doesn't get every packet right and occationally it crashes but it's not 1.0 yet. I have been using it for some time to reverse engineer the CIFS protocol(Microsoft Windows native file and print sharing protocol) and it works fantastic. It basically made the project possible. I have spend probably _hundreds_ of hours in front of it.

    http://www.zing.org [zing.org]

    Thanks Richard!

    KidSock

  • They can't have been very good network trouble shooters if astounded by Ethereal.



    When I worked in networking, a sniffer that could decode the protocol I dealt with was the only real tool I used. At the time Lanwatch was the only one that could really decode the protocol I used.

  • That's well and good. Everyone loves good sniffers, but maybe you should attatch some information about how we can protect our sensitve information. To stop those crackers from getting at my supply of pron. Again.

    Why is there no spoon?
  • If you haven't used ethereal, its an extremely excellent packet sniffer...
    I remember showing Ethereal to some guys who did network troubleshooting for a living, and they were astounded. I highly recommend giving it a try.
  • It's great that Linux's evolution towards user friendliness includes tools outside the base of casual users.

    A better manual would have come in handy when I was trying to use the filter option to isolate packets.

    Who knows, maybe support for SSL will come next? I'd love to be able to snoop and decipher ssl data on the fly (If I had access to the private key of the enciphered stream).

  • After that everything installed, but got a run error: "error in loading shared libraries: ethereal: undefined symbol: snmp_set_suffix_onl".

    Ah, the joys of binary non-compatibility; UCD SNMP 4.1.1, which RH 6.2 picked up, changed a routine Ethereal uses into a macro, which meant that the Ethereal in the binary RPMs, which were built on RH 6.1, and linked with the UCD SNMP shared library, don't work on 6.2, as a routine it calls isn't present in the 6.2 UCD SNMP shared library. (UCD SNMP 4.1.2 turned that and other macros back into routines; I filed a bug with Red Hat suggesting that they pick up 4.1.2, which, as I remember, they said they'd do in 7.0.)

    I threw into Ethereal 0.8.10 a greasy hack, inspired by greasy hacks I've been told are used on Windows to e.g. allow applications to use new DLL routines if present on a particular system without blowing up if they aren't, to work around that.

    Whilst it worked on my simulation of that situation on my Debian 2.1 partition, it appears not to work on RH 6.2; I have some diagnostic information from one user who reported that on the ethereal-users mailing list, and will see if I can check in a change more likely to make it Just Work.

    Installing ucd-snmp-utils and ucd-snmp-devel fixed the runtime error.

    That's all you did? Just installing those two RPMs? That's bizarre - what files did installing those two RPMs add to your system?

    Or is there an "I then recompiled from source" step after that step?

  • What the hell would anyone who is not a network administrator be doing with a packet sniffer? Learning? Not on a corporate network, thank you very much. That is why test LANs are built.

    If an unauthorized person is sniffing packets on my company's network, they are going to be in very deep sh*t, I can promise you that.

  • by Mark A. Rhowe ( 216675 ) on Sunday July 30, 2000 @07:15AM (#893787) Homepage
    A great resource that I refer to alot:
    Sniffing (network wiretap, sniffer) FAQ [robertgraham.com]

  • Don't like fags do ya? Hmm. Maybe you should think about why.

    Get comfortable with yourself and you'll be comfortable with others.

    - Desi
  • Normally (non-promisc) the hardware filters out packets that dont match your MAC. When you go into promisc mode, this is moved into the domain of the OS.

    Now the way to find out is to send frames with valid IP data, but to a invalid MAC. Normally the card would filter this out, but *gasp* it doesnt, its in promisc mode.

    Thats how the promisc scanners find data. Some OSs will drop the invalid MAC (realizing its not their own) others accept it assuming that the hardware would filter it out

    /*
    *Not a Sermon, Just a Thought
    */
  • Sniffer programs are also useful if you only care about the traffic between two machines, at least one of which is capable of running the sniffer program (or can otherwise produce a network trace file). Perhaps that's less common for network administrators than for software developers, but if you're a developer at a manufacturer of, well, Network Appliances, packet analyzer programs can come in very handy even if you can't see all the traffic on a network segment.

  • ``...play with it a little and you'll never use telnet and FTP again''

    Of course, people forget about their mail a lot. Here at UMN [umn.edu], our central mail servers run stunnel [stunnel.org], so you can read your POP3 or IMAP mail over an SSL tunnel. Before I found out that they were doing this, I was really bothered by how many people could be sniffing my password. I had tried usin SSH tunnels, but that required you to stay logged in.

    New versions of Netscape Communicator do support SSL, and I believe recent versions of mutt do too.
    --
    Ski-U-Mah!
  • Analyzer is the way to go. Free, open sourced, and really nice UI.

    If you're using Windows, at least.

    You'll need winpcap to get it to work right.

    You'll need WinPcap [polito.it] to get it to capture packets at all - but you'll need WinPcap to get Ethereal to capture packets on Win32 as well.

    The Politecnico di Torino folk also have WinDump [polito.it], a port of tcpdump to Win32, also using WinPcap.

    Search for it on packetstorm.

    Or just go to the Analyzer site [polito.it] (I'm assuming from the reference to WinPcap that you're talking about the Politecnico di Torino Analyzer). If the site isn't up, try again later.

  • but what does Ethereal do that would astound network troubleshooters?

    Provides a GUI packet capture and analysis program for UNIX? GUI sniffers are something Windows and Mac folk have been used to for a while, but if the network administrators had only seen tty-oriented tools such as tcpdump or snoop, Ethereal might've been a surprise.

    Ethereal isn't the only GUI packet capture and analysis program for UNIX; there's also Knetdump [uni-duisburg.de] (given the first letter, nobody gets a prize for guessing which GUI toolkit and desktop environment it uses :-)), and there's also tcpview [washington.edu], a Motif application based on an old version of tcpdump.

  • on the local machine, it's easy to detect promiscuity, but you can't readily deduce this about a machine elsewhere on the network.
  • I am going to use a sniffer in the near future to sniff ICQ (2000) packages. So I would like to try a few.

    What other (good) sniffers are their for the Windows platform?
  • by childlll ( 216874 ) on Sunday July 30, 2000 @09:14AM (#893796) Homepage
    " ``...play with it a little and you'll never use telnet and FTP again'' "

    yup... because you'll go blind!!! ;-)
  • Sorry that doesn't work, Leave it to the real bug finders
  • Many companies use an OS like Win98 where any bozo can set the promisc flag on their card.
  • Anyone can bring in their own laptop and hook it into an ethernet
    socket. The point is that if you start looking inside packets, it is
    possible to see that the packets have been tampered with.
  • by ffatTony ( 63354 ) on Sunday July 30, 2000 @10:15AM (#893800)

    To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine).

    true

    Some network administrators are sensitive to this sort of thing, since it can be used to compromise security.

    According to the sniffit FAQ detecting 'promiscuous' mode is only possible if the os is broken or not configured properly. It is my understanding that linux or even win32 in this mode would be very hard to detect.

    Perhaps you recall slashdot's article about packet sniffer-sniffers from Lopht [lopht.com]. There is much skepticisim as to whether or not 'Antisniff' can really work as it seems to make alot of assumptions about the machines it scans. If memory serves, one of the tests is to send a message to the client machines and record the time it takes to respond. Then in the future if it respond significantly slower something may be up. Another is to try to overload machines by sending a large number of forged packets all good machines will ignore and the promisc machine will choke on.

    With the current state of ethernet sniffing is basically risk free.

    The only down side is that you need to be within the same subnet as the victim machine.

  • If your only concern is having your password seen in the clear, then you might replace the password meachanism with Lamport's S/Key.


    An advantage of S/Key is that you don't need to trust the system you are logging in from.

    As a matter of interest, how do you forward ftp over ssh? Is this by using ssh to construct a VPN, or is there some other trick?

  • Try NetXray or Sniffer Pro from Network Associates International. They are almost the same and are available for d/l for filling out registration info (last I checked). www.nai.com
  • Does anyone know of a graphical, or at least somewhat user-friendly version of scp? I've looked all over without success.

    It seems really strange, all things considered, and how much people complain about the insecurity of FTP.

    TheGeek

  • If one of my users runs a sniffer, I couldn't give a shit. Switches are cheap these days. There's a reason to use them.

  • I used to get a lot of use out of my Sniffer (the original one from Network General). I solved a lot of network problems on both ethernet and token ring with that tool. Unfortunately, I don't get to use it much, anymore. Ethernet switches are cheap nowadays, and as a result, networks are more finely segmented, sometimes down to the single node level. Switches, working as designed, filter out all the traffic that's not explicitly unicast towards the sniffer's MAC address (or broadcast, of course). As a result, you don't get the whole picture of what's going on with your network.

    Some switches can be programmed to put a port into 'diagnostic mode' (forward all packets to this port because there's a sniffer there) but it's usually more trouble than it's worth, especially when you have a large building with a dozen or more switches.

    That said, I'll probably still try out Ethereal. For the times that I still can make use of a sniffer, it'll be nice to get that DOS partition off my laptop.
    --
  • Time to remove javascript from the URL's. DO NOT mouseover that link either or you get the ubiquitos troll link :(....


    If you think education is expensive, try ignornace
  • You meant on the same ether segment not subnet, right? Unless you have a really crappy and unreliable network everything is switched anyways, changes are you can't even sniff the machine next to you.
  • It is my understanding that linux or even win32 in this mode would be very hard to detect.

    eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
    inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.128
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:5490631 errors:362 dropped:0 overruns:0 frame:492
    TX packets:5668545 errors:2 dropped:0 overruns:0 carrier:3
    collisions:1153503 txqueuelen:100
    Interrupt:11 Base address:0xe400

    Note the PROMISC flag above. The results of "ifconfig eth0" on my Linux machine.
  • Maybe it's because I'm an idiot but I dont' understand how using a packet sniffer is going to cause me to stop downloading stuff.
  • Or do we see a lot more of these VA Linux Conspiracy theories posted right after X-Files?

    Coincidence.. I think not.
  • True h4x0rs don't use distros. They write their entire system with binary editors.

    --
  • relying on such mechanisms can prove troublesome

    turn one port in to hub mode and see everything

    and you happily operate as though everything is tickety boo as you telnet and su your way around your network

    one rogue employee and it's asta la vista I believe
    .oO0Oo.
  • Cheops is a network "swiss army knife". It's "network neighborhood" done right (or gone out of control, depending on your perspective). It seems that the development has slowed down a bit though.

    Have a look at:

    http://www.marko.net/cheops/ [marko.net]

    and

    http://www.marko.net/cheops/features.html [marko.net]
  • Tampered with? Huh? No one said anything about changing and rebroadcasting any packets.
  • Yupper, you can get a demo version of Sniffer 2.5 from the site at http://www.sniffer.com/ - look at the grey bar at the top of the page for the tab that says buy/try. It is a limited version and an older release (currently on 3.5.02) but it does work a treat. As for Net X-Ray, that product was from a company that Network Associates purchased because their GUI was so great. Up until then the Sniffer had primarily been a DOS based product on a Dolch platform, and this GUI really changed the way things were going. Now the interface is incredibly similar to that one (can't improve on perfection) but with the excellent back end that came from the original Sniffer. As you might tell from my name, I work with this product a lot, so I'm happy to answer any questions you have about it!
  • Well, you learn something new every day.

    Actually, there has been systematic discrimination against ghosts in computer games since the early days. The ghosts were none too happy about being cast as the villians in Pac-man, for example.

    But things are starting to look up. Programs specifically targetted at ghosts are starting to appear -- first came Ghostscript, and now there's Ethereal.
  • Jackmama is correct.

    Obviously switched topologies do make it harder to get visibility of the entire network. However, some products including NAI's Sniffer range do allow you to set a span port on your switch (from inside the Sniffer software in some cases) and then sniff the mirrored port. Additionally, you can send traps from the switch to NAI's Sniffer that will allow it to snap to switch generated alarms on a port, or it will do port roaming. So while you do get a cut down view, you get some visibility into potential issues.

    Additionally, you need to consider your network design - VLANs are a good environment to incorporate Sniffer into. And there is always more to sniff than just your LAN. You might want to keep an eye on your ATM or Gigabit backbone, your Packet over Sonet links, or Frame Relay, HSSI, HDLC, PPP, etc. I know you can do all of that and a bit more with the NAI Sniffer, so I wouldn't rule out Sniffing as a network management tool!

    I'll get off my soapbox now, shall I?

    Snifferchick

  • Okay. Fair enough.
    I assumed (perhaps arrogantly?) that a network administrator would invest in network tools, regardless of the OS involved. I know that any well equipped network shop has a copy of either etherpeek or NA sniffer...., or something darn similar.

    A $30,000 Wandell & Goltermann network analyzer runs windows 3.11....
  • by coyote-san ( 38515 ) on Sunday July 30, 2000 @10:32AM (#893820)
    *sigh* What's that saying about a little bit of knowledge being a dangerous thing?

    SOME NICs will "chirp" when put into promiscuous mode. SOME OSes will exhibit slightly different behavior on their TCP/IP stack when the NIC is running in promiscious mode.

    But all of that is irrelevant. Anyone who seriously wants to sniff your network will snip the Tx lines on a special patch cable. Then it doesn't matter what the NIC or OS is doing - nobody will see anything coming out of that NIC. The only(?) way to detect it is by checking line impedence - something a well-stocked site could handle, but not most businesses or schools.

    Obviously, this trick will also keep you from actually doing anything useful -- and that itself might be suspicious. (Or might not, if this "dead" system is sitting in a dorm room or otherwise unoccupied office.) But if you have access to a hub (official or not) and a second NIC....
  • You don't even need the VLANs (though that's always nice... layer 3 switches can get expensive..).
    Just having the switch hides all your traffic other than broadcast traffic... (arp, etc..)
    That, plus perhaps some security settings, and you're set..
  • SSH can be configured to forward arbitrary ports over a secure connection. This is often done automagically for X, but you probably need to explicitly tell it to forward anything else. What happens is that the client listens on a local port (say 9000) and forwards any connections to it over the secure connection to the server. At the server, this encrypted stream is hooked up to a local port (say 110). At the client, you have your POP fetcher check localhost:9000 instead of remote:110. Neither side knows about the encryption. For details on how to set this up, you can check the ssh man page. On the server, you can block external access to port 110 so that only local connections can be made to it (from the ssh daemon, for example) to prevent remote exploits against a possibly insecure daemon.
  • SCP is a user-friendly as it can ever be. If you feel like you need some GUI for SCP, why don't you go ahead and write one?
  • To protect your computer you should use SSH port forwarded over SSH port forwarded over SSH with super-duper encryption enabled ( --enable-rot13 ). This should all be done over a private T1 line that has been encased in cement with rabid dogs guarding both ends of the line.

    Be sure to test out the setup by telneting in from a cable modem though.

  • I am going to try it out.. but what does Ethereal do that would astound network troubleshooters? What does it do that is 'astounding' when compared to software like Etherpeek or Network Associate's SNIFFER+, and the like?

    Certainly, it may have some neat-o-rama features that they don't... it may even be better.. but enough to astound them?
  • Then we'd just end up reading perfaces and porlogues.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

When you are working hard, get up and retch every so often.

Working...