Anyone used packet analysis tools?
-
I may need to reverse engineer some software [that sends large amounts of TCP/IP data using a tool] like Packetyzer or Ethereal (Windows or Linux). Does anyone have experiences/nightmares to share? Thanks. Elaine (eternally appreciative fluffy tigress) -- modified at 10:53 Monday 22nd January, 2007
-
Years ago (before .NET) I used RawEther for packet analysis and spoofing for an Internet-over-satellite simulator. It worked quite well; the nightmares I can remember dealt with little vs. big endian and, for injecting packets, something about how the checksum calculation was done that was a bit bizarre. I haven't used either of the two tools you mentioned. A couple of books on TCP/IP and UDP were very helpful as well. Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh Smith
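The two nightmares Marc names, byte order and the checksum arithmetic, are easy to see in a few lines. The following is an added example for this thread (not code from any poster, and not RawEther's API): it builds a minimal IPv4 header in network byte order, computes the RFC 1071 Internet checksum with its end-around carry, verifies a received header, and shows what the common little-endian misread of a wire field looks like. The sample header is constructed here.

```python
"""Internet checksum (RFC 1071) over a constructed IPv4 header.

Added example for this thread, not code from any poster or from RawEther.
It shows the two things Marc mentions: wire byte order (multi-byte header
fields are big-endian) and the one's-complement arithmetic that makes the
checksum look odd the first time you implement it.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum the data as 16-bit big-endian words, folding carries back in (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with one zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # end-around carry; may take more than one pass
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Value to place in the header: one's complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def header_is_intact(header: bytes) -> bool:
    """A header that carries its own correct checksum sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


IPV4_FMT = "!BBHHHBBH4s4s"   # network byte order, 20-byte header without options


def build_ipv4_header(src: str, dst: str, total_length: int, proto: int,
                      ttl: int = 64, ident: int = 0, flags_frag: int = 0x4000) -> bytes:
    """Build a minimal IPv4 header with the checksum filled in (version 4, IHL 5)."""
    fields = [0x45, 0, total_length, ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = internet_checksum(struct.pack(IPV4_FMT, *fields))   # checksum over zeroed field
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fixed part of the header using network byte order throughout."""
    v = struct.unpack(IPV4_FMT, header[:20])
    return {"total_length": v[2], "ident": v[3], "ttl": v[5], "proto": v[6],
            "checksum": v[7], "src": socket.inet_ntoa(v[8]), "dst": socket.inet_ntoa(v[9])}


def total_length_wrong_endian(header: bytes) -> int:
    """The classic mistake: reading a wire field in little-endian host order."""
    return struct.unpack("<H", header[2:4])[0]


# Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP (17), 115-byte datagram
SAMPLE = build_ipv4_header("192.168.0.1", "192.168.0.199", total_length=115, proto=17)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_ipv4_header(SAMPLE))
    damaged = bytearray(SAMPLE)
    damaged[8] ^= 0x01                       # flip one TTL bit
    print(header_is_intact(SAMPLE), header_is_intact(bytes(damaged)))
    print(hex(total_length_wrong_endian(SAMPLE)))
```

The verification trick (sum including the checksum field equals 0xFFFF) is what a capture tool uses to flag a damaged header; a header that fails it in a capture is more often an offload artefact on the capturing host than real corruption, which is worth knowing before chasing it.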
-
Trollslayer wrote:
anyone have experiences/nightmares to share?
The problem I have had is really catching all packets on the network. Some raw packet sniffers seem to catch outgoing packets only if the Windows firewall is enabled, etc. jhaga
It would be glorious to see mankind at leisure for once. It is nothing but work, work, work. I cannot easily buy a blank-book to write thoughts in; they are commonly ruled for dollars and cents. A man, seeing me making a minute in the fields, took it for granted that I was calculating my wages. — business! - I think that there is nothing, not even crime, more opposed to poetry, to philosophy, ay, to life itself, than this incessant business. Henry David Thoreau
-
Sorry, I meant reverse engineer some software using a tool like Ethereal. The software in question sends large amounts of data to a piece of cable TV headend equipment. Elaine (look it's Monday)
-
Trollslayer wrote:
Sorry, I meant reverse engineer some software using a tool like Ethereal.
Ok. You're instantly forgiven. Regarding experiences and/or nightmares, I think of Ethereal as the tool I'd use because it's free, easy to install, easy to use and provides flexibility beyond what I've ever needed. Nice filtering possibilities on both protocol and address. The only "drawback" in my opinion is that it uses WinPcap, which hooks at driver level, which means that packets that take "shortcuts" in the IP stack, such as sending to localhost, won't be detected. To be able to track the packets, they have to be transferred to the NIC. -- Roger
"It's supposed to be hard, otherwise anybody could do it!" - selfquote
-
I might have to set up a PC as a gateway to intercept the traffic so this won't be a problem. Thanks. Elaine :rose:
-
Trollslayer wrote:
does anyone have experiences/nightmares to share?
I've written and done packet analysis, you've got better tools than I, so I expect you will be fine. Make sure you are prepared to start partitioning your data. You'll get a LOT to work with. Taking apart a communication system via raw packets is like learning Chinese from a book written by a monk in the mountains you never met, can't ever hope to reach, and you have no idea what was on his mind when he wrote it, and only the faintest idea about the subject. It's data browsing at its finest... that looks like it is changing as a double float (exponent and mantissa regions), that looks like a long int, notice how the last byte rarely changes? I used to do cryptography puzzles as a child, eventually reaching the stage where you get no hints, no partial key, only that it is a substitution cypher and you know the number of letters in each word and each substitution is constant (though I graduated even beyond that by my teens, this is sufficient). I loved that kind of search, this looks like it might be that... set a test, examine the result. So for me it was rather obvious a jump into decrypting raw packets. You'll get everything, even stuff you don't want to see... first step: partition out the stuff you believe is NOT your comm traffic, isolate down the data, then you can start taking apart the comm protocol. :) good luck! by the way... be careful... reading raw Ethernet traffic is akin to being "curious." I think I lost a life or two at that stage....
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb)
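Jeff's "notice how the last byte rarely changes" is a heuristic that can be mechanised once the traffic has been partitioned down to one message type. The following is an added example for this thread, not code from any poster: given equal-length payloads, it reports which byte offsets never change (magic, version, padding, or the high bytes of small counters) and which byte windows step by a constant delta in either byte order, the signature of a sequence number or sample counter. The records are constructed here to look like a simple telemetry message; the ranking rule that drops overlapping aliases is this example's own.

```python
"""Field-structure heuristics over captured fixed-size records.

Added example for this thread, not code from any poster. It mechanises
Jeff's "notice how the last byte rarely changes" step: given the payloads of
one message type, report which byte offsets never change and which windows
behave like counters in either byte order. The records are constructed.
"""
import hashlib
from typing import List, Tuple


def distinct_per_offset(records: List[bytes]) -> List[int]:
    """Number of distinct byte values seen at each offset across all records."""
    width = len(records[0])
    assert all(len(r) == width for r in records), "records must be equal length"
    return [len({r[i] for r in records}) for i in range(width)]


def constant_offsets(records: List[bytes]) -> List[int]:
    """Offsets whose byte never changes: magic, version, padding, or high bytes of small counters."""
    return [i for i, n in enumerate(distinct_per_offset(records)) if n == 1]


Candidate = Tuple[int, int, str, int]   # (offset, width, byteorder, delta)


def find_counters(records: List[bytes], widths=(4, 2)) -> List[Candidate]:
    """Windows that change by the same non-zero delta from one record to the next.

    Every alias is tried: a 4-byte big-endian counter also looks like a 2-byte
    counter at offset+2, and like a little-endian counter with a huge delta.
    Candidates are ranked widest-first, smallest-delta-first, and any window
    that overlaps an accepted one is dropped, leaving the simplest explanation.
    """
    n = len(records[0])
    found: List[Candidate] = []
    for w in widths:
        for off in range(n - w + 1):
            for order in ("big", "little"):
                vals = [int.from_bytes(r[off:off + w], order) for r in records]
                deltas = {b - a for a, b in zip(vals, vals[1:])}
                if len(deltas) == 1 and 0 not in deltas:
                    found.append((off, w, order, deltas.pop()))
    found.sort(key=lambda c: (-c[1], abs(c[3]), c[0]))
    accepted: List[Candidate] = []
    for cand in found:
        lo, hi = cand[0], cand[0] + cand[1]
        if all(hi <= a[0] or lo >= a[0] + a[1] for a in accepted):
            accepted.append(cand)
    return sorted(accepted)


def make_sample_records(count: int = 12) -> List[bytes]:
    """Constructed records: 2-byte magic, big-endian uint32 sequence number from 1000,
    little-endian uint16 sample counter stepping by 10, then 4 bytes of noise."""
    recs = []
    for i in range(count):
        noise = hashlib.sha256(bytes([i])).digest()[:4]   # deterministic "random" bytes
        recs.append(b"\x7e\x01" + (1000 + i).to_bytes(4, "big")
                    + (40 + 10 * i).to_bytes(2, "little") + noise)
    return recs


if __name__ == "__main__":
    recs = make_sample_records()
    print("distinct values per offset:", distinct_per_offset(recs))
    print("constant offsets:", constant_offsets(recs))
    for off, w, order, delta in find_counters(recs):
        print(f"offset {off}: {w}-byte {order}-endian counter, step {delta}")
```

On the sample, offsets 2 to 4 and 7 come out "constant" even though they belong to counters; that is exactly the ambiguity Jeff describes, and the counter pass resolves it by finding the 4-byte big-endian field at offset 2 and the 2-byte little-endian one at offset 6. Running the same two passes per message type, after the unrelated traffic has been partitioned out, is the first cut at a field map.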
-
Thanks Jeff, assuming it happens I will get the chance to run test patterns through the existing system which will be a big help. I mean... how hard could it be? :rolleyes: Elaine (oddly optimistic fluffy tigress)
-
Trollslayer wrote:
I mean... how hard could it be?
About as difficult as washing two cats at once... err... I mean riding bareback on a bronco with a nasty temper, who was also just bitten by a wasp.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb)
-
Wireshark. That's what Ethereal is now. I don't think there are many changes ATM though.
:badger:
-
Packetyzer is a cool wrapper around ethereal.
Packetyzer Website:
Windows user interface for the Ethereal packet capture and dissection library
Packetyzer makes it easy to look at each packet and dissect what's being transmitted. Go ahead and install it without fear. I've recommended it to a couple of network admins who have fallen in love with it. It's been a couple of months since I have opened Packetyzer, but as memory serves you can set a filter, just watching packets from one IP to another. Very nice when trying to figure out what's being sent.
I'd love to help, but unfortunately I have prior commitments monitoring the length of my grass. :Andrew Bleakley:
-
I love it when someone says something like that. It just kinda sets the stage for an interesting story. My favorite sniffer has always been Sniffer Pro 4.7. Wireshark et al. are OK. The guru of packet analysis (Laura Chappell) would tell you to make sure you know your protocol thoroughly so you understand what's going on. Good luck, and let us know how it went.
-
I don't know what the fuss is. By the way, Ethereal is now known as Wireshark, see http://wireshark.org. Run it, select interface, hit capture; TCP streams are the easiest to follow, click 'Follow Stream'. In the time that it took to post this message the job would probably already be done.
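Two tips in this thread, Andrew's filter on packets between one IP and another and the 'Follow Stream' step above, are the same two operations a protocol analyst repeats constantly, so it helps to see what they do under the hood. The following is an added example, not code from any poster and not Wireshark's implementation: it keeps only the segments between two hosts, groups them into bidirectional flows keyed by the 4-tuple, and rebuilds each direction's byte stream from segments that arrive out of order, retransmitted or overlapping, reporting any holes rather than silently joining across them. The "capture" is a constructed list of already-decoded TCP segments, not a real pcap.

```python
"""Partition a capture by endpoint and follow one TCP stream.

Added example for this thread, not code from any poster or from Wireshark.
It does by hand what an address filter and "Follow TCP Stream" do: keep only
the packets between two hosts, group them into bidirectional flows, and
rebuild each direction's byte stream from segments that arrive out of order,
duplicated or overlapping. The capture below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # sequence number of the first payload byte
    payload: bytes


def flow_key(s: Segment) -> Tuple:
    """Same key for both directions of a connection (order the endpoints)."""
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a <= b else (b, a)


def between_hosts(segs: List[Segment], host_a: str, host_b: str) -> List[Segment]:
    """Equivalent of an address filter: only traffic between the two hosts, either direction."""
    pair = {host_a, host_b}
    return [s for s in segs if {s.src, s.dst} == pair]


def partition_flows(segs: List[Segment]) -> Dict[Tuple, List[Segment]]:
    """Group segments into connections; each connection holds both directions."""
    flows = defaultdict(list)
    for s in segs:
        flows[flow_key(s)].append(s)
    return dict(flows)


class Stream(NamedTuple):
    data: bytes
    gaps: List[Tuple[int, int]]   # (expected seq, bytes missing) for each hole


def reassemble(segs: List[Segment]) -> Stream:
    """Rebuild one direction; tolerates reordering, retransmits and partial overlaps."""
    data = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = None
    for s in sorted(segs, key=lambda s: s.seq):
        if not s.payload:
            continue                        # pure ACKs carry nothing
        if expected is None:
            expected = s.seq                # stream starts at the first payload byte seen
        if s.seq > expected:                # hole: a segment was lost or not captured
            gaps.append((expected, s.seq - expected))
            expected = s.seq
        skip = expected - s.seq             # bytes already assembled (retransmit/overlap)
        if skip < len(s.payload):
            data += s.payload[skip:]
            expected = s.seq + len(s.payload)
    return Stream(bytes(data), gaps)


def follow_stream(segs: List[Segment], client: Tuple[str, int],
                  server: Tuple[str, int]) -> Dict[str, Stream]:
    """Both directions of one connection, like 'Follow Stream' on a selected packet."""
    key = flow_key(Segment(client[0], client[1], server[0], server[1], 0, b""))
    flow = partition_flows(segs).get(key, [])
    c2s = [s for s in flow if (s.src, s.sport) == client]
    s2c = [s for s in flow if (s.src, s.sport) == server]
    return {"client": reassemble(c2s), "server": reassemble(s2c)}


CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 5000)
# Constructed capture: the interesting flow arrives out of order with a retransmit
# and an overlapping server segment; two other connections add unrelated noise.
CAPTURE = [
    Segment("192.168.1.20", 51000, "10.0.0.9", 5000, 1, b"noise from another host\n"),
    Segment(*CLIENT, *SERVER, 14, b"SEND 1234\n"),      # arrives before the first segment
    Segment(*CLIENT, *SERVER, 1, b"HELO headend\n"),
    Segment(*SERVER, *CLIENT, 500, b"OK\n"),
    Segment(*CLIENT, *SERVER, 1, b"HELO headend\n"),    # retransmission
    Segment(*SERVER, *CLIENT, 501, b"K\nREADY\n"),       # overlaps the previous 2 bytes
    Segment(*SERVER, *CLIENT, 503, b"READY\n"),
    Segment("10.0.0.5", 40001, "172.16.4.4", 443, 1, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    kept = between_hosts(CAPTURE, "10.0.0.5", "10.0.0.9")
    print(f"{len(CAPTURE)} segments captured, {len(kept)} between the two hosts")
    for side, st in follow_stream(kept, CLIENT, SERVER).items():
        print(side, st.data, "gaps:", st.gaps)
```

Recording gaps instead of concatenating across them matters for the "lost a life or two" situation upthread: a hole in the capture (a dropped packet on a busy span port, or a segment that took a shortcut past the NIC) otherwise produces a stream that decodes plausibly but is wrong at exactly the point you are trying to understand.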