[13176] in bugtraq
Re: Analysis of "stacheldraht"
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Fri Dec 31 20:25:12 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GUL.4.21.9912311528090.7545-100000@red2.cac.washington.edu>
Date: Fri, 31 Dec 1999 15:37:24 -0800
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
X-To: Jordan Ritter <jpr5@darkridge.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.05.9912311430180.3058-100000@demerol>
On Fri, 31 Dec 1999, Jordan Ritter wrote:
> # Programs like "ngrep" do not process ICMP packets, so you will not as
> # easily (at this point in time) be able to watch for strings in the data
> # portion of the ICMP packets (except using the patches to tcpshow from
> # Appendix C and patches to sniffit provided in the analysis of TFN).
>
> The latest version of ngrep (1.35) does in fact match ICMP, and has been out
> for some time now.
Jordan,
Sweet! I updated the analysis to use ngrep in preference to
tcpdump/tcpshow for most stuff:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
ngrep is *way* more convenient to use, but I had to note that it
doesn't run on as many systems as tcpdump/tcpshow (e.g., Digital Unix
4.x) and it doesn't seem to read tcpdump files, so if you want to
capture the raw packets for later analysis (timing, flags, etc.) you
need to stick to tcpdump/tcpshow. If only I'd sent the analysis out
*before* Christmas... ;)
--
Dave Dittrich Client Services
dittrich@cac.washington.edu Computing & Communications
University of Washington
<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich@cac.washington.edu [PGP Key]</a>
PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
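To illustrate the point in the exchange above about watching for strings in the data portion of ICMP packets (what an ICMP-aware matcher such as ngrep 1.35 does for you), here is an added example, not part of Dave's analysis, of ngrep, or of any tool named on this page. It builds a couple of constructed IPv4/ICMP echo packets with a valid ICMP checksum, then scans them for a placeholder pattern. The pattern and the 10.0.0.x addresses are invented for the example; no real stacheldraht strings are used.

```python
import struct

# Constructed placeholder pattern to look for in the ICMP data portion.
# This is NOT a real stacheldraht control string; substitute what your
# own analysis tells you to watch for.
PATTERN = b"example-control-string"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = 8,
                    ident: int = 1, seq: int = 1) -> bytes:
    """Build a raw IPv4 packet carrying an ICMP echo (type 8) or
    echo reply (type 0) with the given data portion. Source/destination
    10.0.0.1 -> 10.0.0.2 are constructed values; the IP header checksum
    is left at zero because the scanner below does not verify it."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, layer4_bytes) for a raw IPv4 packet,
    or None if the bytes are not a well-formed IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > total_len or total_len > len(pkt):
        return None
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return proto, src, dst, pkt[ihl:total_len]


def icmp_payload_match(pkt: bytes, pattern: bytes):
    """Return (src, dst, icmp_type, code) when pkt is ICMP and its data
    portion contains pattern; otherwise None. Non-ICMP packets are
    skipped, which is exactly the case a TCP/UDP-only matcher misses."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, l4 = parsed
    if proto != 1 or len(l4) < 8:
        return None
    icmp_type, code = l4[0], l4[1]
    # Verify the ICMP checksum: summing header+data including the stored
    # checksum must yield zero, otherwise the packet is corrupt.
    if icmp_checksum(l4) != 0:
        return None
    data = l4[8:]          # data portion follows the 8-byte ICMP header
    if pattern in data:
        return src, dst, icmp_type, code
    return None


def scan(packets, pattern: bytes = PATTERN):
    """Scan an iterable of raw IPv4 packets and report ICMP hits."""
    hits = []
    for pkt in packets:
        m = icmp_payload_match(pkt, pattern)
        if m is not None:
            hits.append(m)
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: one echo reply carrying the pattern,
    # one ordinary ping, and one TCP packet that carries the same bytes
    # but is not ICMP and so is ignored by this matcher.
    sample = [
        build_icmp_echo(b"xx" + PATTERN + b"yy", icmp_type=0),
        build_icmp_echo(b"ordinary ping payload", icmp_type=8),
        build_icmp_echo(PATTERN)[:9] + b"\x06" + build_icmp_echo(PATTERN)[10:],
    ]
    for src, dst, t, c in scan(sample):
        print("ICMP type=%d code=%d %s -> %s contains pattern" % (t, c, src, dst))
```

Reading from a tcpdump capture file instead of constructed packets only needs a pcap reader in front of `scan()`; the matching logic is unchanged, which is the point of keeping raw captures around for later analysis.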