June 10th, 2004, 06:57 AM
#1
New Win32 cmd line packet sniffer.
Hey Hey,
Next Generation Security Technologies has released ngSniff 1.2. You can grab the executable here. In the zip file you'll find a 40K executable and 4.8K of text files. No installation, no packet driver, just extract and run.
It definitely isn't the most advanced packet sniffer out there, but what it lacks in options, it makes up for in cleanliness. You can specify the interface (it will generate a list of interfaces... not pointing to some random registry driver entry but rather to the IP address), a host to specifically listen for, a host to specifically ignore, and a string of data to watch for. By default ngSniff will display to stdout, however you can tell it to write to a log file.
I decided to generate a specific packet for testing purposes to display for you.
This is the command I executed from the command line of my Windows XP Machine.
Code:
ngSniff.exe --interface 0 --pattern "AntiOnline"
Here's the hping2 command I executed on my SuSE 9.1 box
Code:
hping -RA -p 80 -t 69 -d 50 -E testdata 192.168.1.100
If you care, testdata contains
Code:
AntiOnline Test Packet
Here's the capture displayed to stdout on the command line of my Windows XP Machine.
Code:
IP HEADER 192.168.1.101 -> 192.168.1.100
------------------------------------------
IP->version: 4
IP->ihl: 5
IP->tos: 8
IP->tot_len: 90
IP->id: 52672
IP->frag_off: 0
IP->ttl: 69
IP->protocol: 6
IP->checksum: 44848
TCP HEADER
----------
TCP->sport: 1352
TCP->dport: 80
TCP->seq: 1572835341
TCP->ack: 1842659933
TCP->off: 5
TCP->flags: RST|ACK
TCP->window: 512
TCP->checksum: 37159
TCP->urp: 0
----- Begin of data dump -----
41 6e 74 69 4f 6e 6c 69 6e 65 20 54 65 73 74 20 AntiOnline Test
50 61 63 6b 65 74 0a 00 00 00 00 00 00 00 00 00 Packet..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 ..
----- End of data dump -----
As you can see I set a few of the fields manually so that you could see the results (the packet data obviously), the TCP Flags, the TTL, the destination port. Anyways as you can see, it's very clean, quite small and very easy to use... definitely a handy addition to the IT toolkit.
Peace,
HT
[Edit]
Tedob1 just pointed out that this is my '1337' post. I think I'm supposed to say "ph33r m3" or something corny like that... Anyways.. Yay for me!
[/Edit]
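A way to sanity-check a capture like the one above, as an added example that is not part of the original post or of ngSniff itself: rebuild the 20-byte IPv4 header from the fields the sniffer printed and recompute the RFC 1071 header checksum. The printed checksum (44848) only reproduces when the id and checksum values are read as little-endian (byte-swapped) views of the wire bytes, i.e. as if those two fields were printed without ntohs(); the field values below are copied from the post, the byte-order interpretation is an inference from the arithmetic.

```python
import struct

# IPv4 header fields exactly as ngSniff printed them for the hping2 packet
# in the post (192.168.1.101 -> 192.168.1.100).
NGSNIFF_FIELDS = {
    "version": 4, "ihl": 5, "tos": 8, "tot_len": 90, "id": 52672,
    "frag_off": 0, "ttl": 69, "protocol": 6, "checksum": 44848,
    "src": "192.168.1.101", "dst": "192.168.1.100",
}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(f: dict, swap_id_and_checksum: bool) -> bytes:
    """Rebuild the header from the printed fields.

    With swap_id_and_checksum=True the printed id and checksum are treated
    as little-endian reads of the wire bytes (assumed: printed without ntohs).
    """
    ident, csum = f["id"], f["checksum"]
    if swap_id_and_checksum:
        ident = ((ident & 0xFF) << 8) | (ident >> 8)
        csum = ((csum & 0xFF) << 8) | (csum >> 8)
    src = bytes(int(o) for o in f["src"].split("."))
    dst = bytes(int(o) for o in f["dst"].split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       (f["version"] << 4) | f["ihl"], f["tos"], f["tot_len"],
                       ident, f["frag_off"], f["ttl"], f["protocol"], csum,
                       src, dst)


def header_checksum_valid(header: bytes) -> bool:
    """A received header verifies when the complemented sum is zero."""
    return rfc1071_checksum(header) == 0


def expected_checksum(header: bytes) -> int:
    """Checksum a sender would write: checksum field zeroed, then summed."""
    return rfc1071_checksum(header[:10] + b"\x00\x00" + header[12:])


if __name__ == "__main__":
    for swap in (False, True):
        hdr = build_ipv4_header(NGSNIFF_FIELDS, swap)
        print("swap=%s valid=%s expected=0x%04x"
              % (swap, header_checksum_valid(hdr), expected_checksum(hdr)))
```

Only the swapped interpretation verifies (expected 0x30AF, whose bytes read little-endian are 0xAF30 = 44848); taking the printed numbers at face value gives 0x23BC, which matches nothing on the page.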
June 10th, 2004, 07:14 AM
#2
thanks for taking the trouble to test it then show your results. too many just post links for things they've never tried and have no idea how good or bad it really is.
looks a lot better than packetmon. not as good as ethereal but much more handy. I'm going to give it a go tomorrow. thanks!
edit: oh no! I just noticed your post count....1337
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”