Ethereal woes

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019

    Ethereal woes

    For the past couple of weeks I've been getting hits on my firewall from locations in India and China... they are getting dropped by my firewall, so no big deal.... but it did get me curious as to what they are.

    Thanks to help from Tigershark, I realized Snort is not effective with my current setup, mainly a properly configured firewall. (at least so far it hasn't let me down)

    I turned to Ethereal, and have been trying to create a capture rule that captures only UDP packets incoming. I've looked through the Ethereal documents, winpcap rules library, and tcpdump man pages for help.

    This is what I've tried so far:

    udp - (gives me all udp traffic, in and out)
    udp and dst host - (gives me a parse error)
    udp and host xxx.xxx.xxx.xxx - (where x is my ip, also gives me a parse error)
    udp and host xxx.xxx.xxx.xxx - (parses correctly, but reads nothing)
    udp and dst host xxx.xxx.xxx.xxx - (parses correctly, but reads nothing)

    So, I basically have 2 options. One, Ethereal can't read outside my firewall, or two, I am not configuring my rules correctly. I tried a rule that sniffed all tcp incoming packets, but that didn't catch anything either, so I'm leaning towards an improperly configured rule.

    Anybody have any thoughts? It's probably something simple...

    On the upside, I've learned tons about various sniffers today

    EDIT: I'm not running through any switch, just a basic hub (at least I don't think it's switched)

    EDIT2: ok, my apologies. I'm running a 2 computer home network (winxp) through a hub. The computer I'm trying to get the sniffer working on is the host.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Quick question: are you by any chance connected to a switch when "sniffing"?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    If I get you correctly, your computers are connected to a hub which is connected to your modem (dsl/cable), and you are running a personal (software) firewall on your computer? Is this right?
    Either way, it would help if you described your network setup more precisely, including where your firewall is and which one it is....

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    lol....ok.... yes ammo, you are correct. My computers are connected to a hub, which is in turn connected to the cable modem. I use sygate firewall (personal version). My computer is the host (2 nics in mine)...

    My setup is about as basic as you can get....

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The parse errors are caused by the filter rules you are writing not being correct. I can't find the document I used right now but it is printed and placed by my desk at work so I will send you the link tomorrow.

    try:

    udp && dst host xxx.xxx.xxx.xxx

    or (I think)

    proto udp && dst host xxx.xxx.xxx.xxx

    for now....

    I'll get the link to you tomorrow
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    you say the sygate box is multi-homed so I'm assuming the hub is attached behind it so
    of course it can't read what's not reaching it. you need to set up a box in between your gateway computer and the router that routes all traffic through to the firewall, installing only snort if you want to see what's not getting through the firewall
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    A "Parse error" in ethereal has nothing to do with whether or not it can see the card or traffic from it. Parse means "translate", (or similar)..... It means Ethereal doesn't understand what the hell it is you are trying to say to it..... If the question, (filter), is rephrased in a way that ethereal can understand it, it will give you exactly what you want without changes to the system as long as the traffic was getting there in the first place..... but when it gave you the "parse error" it hadn't even looked to see if the card or the traffic was present......

    udp - (gives me all udp traffic, in and out)
    clearly proves that his system can read incoming and outgoing... thus, the parse error has nothing to do with the card or the infrastructure.......

    Trust me.... I FuXX3d up enough filter commands in Ethereal to have this firmly implanted in my thick skull.....

    Write them right or the result is Shite.....
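The point Tigershark makes above (a parse error is a syntax problem, and `host` matches either direction while `dst host` matches only traffic addressed to that IP) can be seen offline with a toy matcher. This is an added example, not code from the thread, Ethereal or libpcap: it re-implements only the handful of capture-filter primitives the thread uses over constructed frames, with documentation-range IPs standing in for the poster's xxx.xxx.xxx.xxx.

```python
import struct
from ipaddress import IPv4Address

MY_IP = "192.0.2.10"  # constructed stand-in for the poster's xxx.xxx.xxx.xxx

def frame(src, dst, proto, payload=b"x"):
    """Build a minimal Ethernet + IPv4 frame (constructed sample, not a real capture)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload  # zero MACs, EtherType IPv4

def decode(pkt):
    """Return (ip_proto, src, dst) for an IPv4 frame, or None if it is not IPv4."""
    if pkt[12:14] != b"\x08\x00":
        return None
    return pkt[23], str(IPv4Address(pkt[26:30])), str(IPv4Address(pkt[30:34]))

def compile_filter(expr):
    """Turn 'udp and dst host A' (or the '&&' spelling) into a list of predicates.
    A malformed term raises ValueError, the analogue of Ethereal's 'parse error'."""
    preds = []
    for term in expr.replace("&&", "and").split(" and "):
        words = term.split()
        if words == ["udp"]:
            preds.append(lambda p: p[0] == 17)   # IP protocol 17 = UDP
        elif words == ["tcp"]:
            preds.append(lambda p: p[0] == 6)    # IP protocol 6 = TCP
        elif len(words) == 2 and words[0] == "host":            # either direction
            preds.append(lambda p, a=words[1]: a in (p[1], p[2]))
        elif len(words) == 3 and words[:2] == ["dst", "host"]:  # inbound to A only
            preds.append(lambda p, a=words[2]: p[2] == a)
        else:
            raise ValueError(f"parse error near {term!r}")
    return preds

def capture(expr, pkts):
    """Indices of the packets that satisfy every term of the filter."""
    preds = compile_filter(expr)
    kept = []
    for i, pkt in enumerate(pkts):
        p = decode(pkt)
        if p is not None and all(pred(p) for pred in preds):
            kept.append(i)
    return kept
# Constructed hub traffic: 0 = inbound UDP to me, 1 = my outbound UDP,
# 2 = inbound TCP to me, 3 = UDP for the other PC on the hub.
SAMPLE = [frame("198.51.100.5", MY_IP, 17), frame(MY_IP, "198.51.100.5", 17),
          frame("198.51.100.5", MY_IP, 6), frame("203.0.113.7", "192.0.2.11", 17)]
```

Running `capture("udp and dst host", SAMPLE)` raises the parse error before any packet is inspected, which is exactly why that error says nothing about whether the card sees traffic.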

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Thank you everybody for your input. The rule Tigershark gave me (the first one) worked correctly, and when I drop sygate, it reads only incoming udp exactly as I was trying...

    I would still appreciate that link when you have time to get it TS.

    Thanks again!!

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Here you go Groove:

    Designing Capture Filters for Ethereal

    I used to use it all the time, now I only have to go back from time to time to kick a braincell or two..... It's just what the doctor ordered for writing filters.
