-
November 6th, 2003, 01:27 AM
#1
Ethereal woes
For the past couple weeks I've been getting hits on my firewall from locations in India and China..they are getting dropped by my firewall, so no big deal.... but it did get me curious as to what they are.
Thanks to help from Tigershark, I realized Snort is not effective with my current setup, mainly a properly configured firewall. (at least so far it hasn't let me down)
I turned to Ethereal, and have been trying to create a capture rule that captures only UDP packets incoming. I've looked through the Ethereal documents, winpcap rules library, and tcpdump man pages for help.
This is what I've tried so far:
udp - (gives me all udp traffic, in and out)
udp and dst host -(gives me a parse error)
udp and host xxx.xxx.xxx.xxx -(where x is my ip, also gives me a parse error)
udp and host xxx.xxx.xxx.xxx -(parses correctly, but reads nothing)
udp and dst host xxx.xxx.xxx.xxx (parses correctly, but reads nothing)
So, I basically have 2 options. One, Ethereal can't read outside my firewall, or two, I am not configuring my rules correctly. I tried a rule that sniffed all tcp incoming packets, but that didn't catch anything either, so I'm leaning towards improperly configured rule.
Anybody have any thoughts? It's probably something simple...
On the upside, I've learned tons about various sniffers today
EDIT: I'm not running through any switch, just a basic hub (at least I don't think it's switched)
EDIT2: ok, my apologies. I'm running a 2 computer home network (winxp) through a hub. The computer I'm trying to get the sniffer working on is the host.
-
November 6th, 2003, 02:01 AM
#2
Quick question: are you by any chance connected to a switch when "sniffing"?
-
November 6th, 2003, 02:30 AM
#3
If I get you correctly, your computers are connected to a hub which is connected to your modem (dsl/cable), and you are running a personal (software) firewall on your computer? Is this right?
Either way, it would help if you described more precisely your network setup, including where your firewall is and which one it is....
Ammo
Credit travels up, blame travels down -- The Boss
-
November 6th, 2003, 02:35 AM
#4
lol....ok.... yes ammo, you are correct. My computers are connected to a hub, which is in turn connected to the cable modem. I use sygate firewall (personal version). My computer is the host (2 nics in mine)...
My setup is about as basic as you can get....
-
November 6th, 2003, 02:38 AM
#5
The parse errors are caused by the filter rules you are writing not being correct. I can't find the document I used right now but it is printed and placed by my desk at work so I will send you the link tomorrow.
try:
udp && dst host xxx.xxx.xxx.xxx
or (I think)
proto udp && dst host xxx.xxx.xxx.xxx
for now....
I'll get the link to you tomorrow
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 6th, 2003, 02:44 AM
#6
you say the sygate box is multi-homed so I'm assuming the hub is attached behind it, so of course it can't read what's not reaching it. You need to set up a box in between your gateway computer and the router that routes all traffic through to the firewall, installing only Snort if you want to see what's not getting through the firewall.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 6th, 2003, 02:51 AM
#7
A "Parse error" in ethereal has nothing to do with whether or not it can see the card or traffic from it. Parse means "translate", (or similar)..... It means Ethereal doesn't understand what the hell it is you are trying to say to it..... If the question, (filter), is rephrased in a way that ethereal can understand it, it will give you exactly what you want without changes to the system as long as the traffic was getting there in the first place..... but when it gave you the "parse error" it hadn't even looked to see if the card or the traffic was present......
udp - (gives me all udp traffic, in and out)
clearly proves that his system can read incoming and outgoing... thus, the parse error is nothing to do with the card or the infrastructure.......
Trust me.... I FuXX3d up enough filter commands in Ethereal to have this firmly implanted in my thick skull.....
Write them right or the result is Shite.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 6th, 2003, 03:10 AM
#8
Thank you everybody for your input. The rule Tigershark gave me (the first one) worked correctly, and when I drop sygate, it reads only incoming udp exactly as I was trying...
I would still appreciate that link when you have time to get it TS.
Thanks again!!
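To make the filter behaviour discussed in this thread concrete, here is an added example; it is not Ethereal, libpcap or tcpdump code and was not posted by anyone in the thread. It is a toy evaluator for just the keywords used above (`udp`, `tcp`, `host`, `src host`, `dst host`, `and`/`&&`) run over a few constructed Ethernet/IPv4 frames, with `192.168.1.10` standing in for the masked `xxx.xxx.xxx.xxx`. It shows why `udp and host X` returns both directions while `udp and dst host X` returns only inbound UDP, and that an incomplete filter such as `udp and dst host` is rejected while the filter text is compiled, before any frame is looked at, which is the point made in post #7 about parse errors.

```python
"""Toy evaluator for a small subset of the pcap/BPF capture-filter grammar.

Added example for this thread; not Ethereal, libpcap or tcpdump code.
All addresses and frames below are constructed sample data.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


class FilterParseError(ValueError):
    """Raised when the filter text cannot be compiled (Ethereal's 'parse error')."""


def parse_filter(expr):
    """Compile a filter string into a list of predicates that are AND-ed together.

    Grammar accepted: ('udp' | 'tcp' | [src|dst] host A.B.C.D) joined by 'and' or '&&'.
    Any error is raised here, before a single packet has been examined.
    """
    tokens = expr.replace("&&", " and ").split()
    predicates = []
    expecting_term = True
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "and":
            if expecting_term:
                raise FilterParseError(f"unexpected 'and' at token {i}")
            expecting_term = True
            i += 1
            continue
        if not expecting_term:
            raise FilterParseError(f"missing 'and' before {tok!r}")
        if tok in ("udp", "tcp"):
            proto = PROTO_UDP if tok == "udp" else PROTO_TCP
            predicates.append(lambda pkt, p=proto: pkt["proto"] == p)
            i += 1
        else:
            direction = None
            if tok in ("src", "dst"):
                direction = tok
                i += 1
                if i >= len(tokens):
                    raise FilterParseError(f"'{direction}' must be followed by 'host'")
                tok = tokens[i]
            if tok != "host":
                raise FilterParseError(f"unknown keyword {tok!r}")
            if i + 1 >= len(tokens):
                raise FilterParseError("'host' requires an address")
            addr = tokens[i + 1]
            try:
                socket.inet_aton(addr)
            except OSError:
                raise FilterParseError(f"bad IPv4 address {addr!r}") from None
            i += 2
            if direction == "dst":          # packets going TO addr (inbound on a home host)
                predicates.append(lambda pkt, a=addr: pkt["dst"] == a)
            elif direction == "src":        # packets coming FROM addr
                predicates.append(lambda pkt, a=addr: pkt["src"] == a)
            else:                           # plain 'host': either direction
                predicates.append(lambda pkt, a=addr: a in (pkt["src"], pkt["dst"]))
        expecting_term = False
    if expecting_term:
        raise FilterParseError("filter is empty or ends with a dangling 'and'")
    return predicates


def decode(frame):
    """Pull protocol and IPv4 addresses out of an Ethernet II frame; None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return {"proto": frame[23],                         # IPv4 header byte 9
            "src": socket.inet_ntoa(frame[26:30]),
            "dst": socket.inet_ntoa(frame[30:34])}


def apply_filter(expr, frames):
    """Compile expr once, then return the decoded packets that satisfy every predicate."""
    predicates = parse_filter(expr)   # a parse error surfaces here, before any frame is read
    return [pkt for pkt in map(decode, frames)
            if pkt and all(pred(pkt) for pred in predicates)]


def build_frame(src, dst, proto):
    """Constructed Ethernet II + IPv4 + minimal UDP/TCP header (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, 53, 8, 0)                              # UDP header
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)  # TCP SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


HOME = "192.168.1.10"        # constructed stand-in for the thread's masked xxx.xxx.xxx.xxx
SAMPLE_FRAMES = [            # constructed traffic, not a real capture
    build_frame("203.0.113.5", HOME, PROTO_UDP),    # inbound UDP
    build_frame(HOME, "198.51.100.7", PROTO_UDP),   # outbound UDP
    build_frame("203.0.113.9", HOME, PROTO_TCP),    # inbound TCP SYN
]


def count_matches(expr):
    return len(apply_filter(expr, SAMPLE_FRAMES))


if __name__ == "__main__":
    for expr in ("udp", f"udp and host {HOME}", f"udp and dst host {HOME}", f"udp && dst host {HOME}"):
        print(f"{expr!r:42} -> {count_matches(expr)} frame(s)")
    try:
        parse_filter("udp and dst host")
    except FilterParseError as e:
        print("parse error:", e)
```

Running the block prints 2, 2, 1 and 1 matching frames for the four filters in turn, then the parse error for the truncated filter; `&&` is accepted as an alias for `and`, which is why the filter from post #5 and the `and` form from post #1 behave the same once the address is supplied.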
-
November 6th, 2003, 01:50 PM
#9
Here you go Groove:
Designing Capture Filters for Ethereal
I used to use it all the time, now I only have to go back from time to time to kick a braincell or two..... It's just what the doctor ordered for writing filters.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides