
Thread: Sniffing

  1. #11

    Unless you write a program that would extract the information from the packets.. you're pretty much only going to be able to look at it.
    Any sort of modification to the packet will corrupt it and the TCP/IP stack will deny it when it gets to the destination.

    PID is "Process IDentification". It's the unique number associated with a running process.

    I don't know what OS you run, but, I've written a crude Linux packet sniffer if you would like to browse over it. It will dump RAW socket data from the specified network interface. Even works with PPPd ;-)

    I'll post it on http://www.o-negative.net as soon as I recover from recent Vuln-Dev mailing list crap.
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network

  2. #12
    maybe I missed something.........But why do you wanna take the chance of getting kicked out for.......I think I'm having a brain fart, But what is this for?

  3. #13
    Originally posted by jparker
    OK.. here we go with a little lesson on sniffing:
    A) It's not detectable from a remote network source (by any method that I have heard of). This is because the packets are never modified, only looked at. So, unless you're on the local machine, or you put this sniffer on a machine where someone can find the running pid, then you're OK.
    B) As for logging the binary data? Sure you can, why you would is beyond me because of the fact that every packet that is read by your sniffer is going to be in the form of a "packet frame". A "bundle" with a specific format that it's wrapped in to be sent across the network. Logging this raw data will corrupt the binary. It's the job of the TCP/IP or whatever network stack to correctly maintain the binary data structure.
    You could log plaintext information from your sniffer, but then, that would just be unethical.
    You can get caught by a computer on the same LAN as you. Just imagine that you send a forged Ethernet packet with a random MAC address, your IP address and an ICMP echo-request.

    If your card is set to promiscuous, it will let that packet (with a non-matching MAC address) go further, will see that the IP is correct and then respond to the ICMP ping: your computer just said to the other side "OK guy, I'm in promiscuous mode", which is frequently associated with sniffing.

    Remember that you can put tcpdump into a non-promiscuous mode. man tcpdump for more details.

    Jean-Francois

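    The probe Jean-Francois describes above, written out as an added example (this is not code from the thread or from any of the posters). It builds, byte by byte, an Ethernet frame whose destination MAC belongs to nobody on the segment but whose IP header and ICMP echo request are correctly addressed and checksummed for the suspected sniffer, and it includes the check for the reply that gives the promiscuous host away. The MACs, IP addresses, interface name and ICMP identifier are constructed for the example; the actual send/receive path uses Linux AF_PACKET sockets and needs root.

```python
"""Promiscuous-mode probe.

Send an ICMP echo request to the target's IP inside an Ethernet frame whose
destination MAC is not the target's.  A NIC in normal mode drops the frame
in hardware; a host sniffing in promiscuous mode passes it to the IP stack,
which answers the ping and thereby reveals the sniffer.
"""
import socket
import struct

# Constructed for the example: a unicast MAC that no real card will own.
# (Some stacks only compare the leading bytes against the broadcast
# address, so ff:ff:ff:ff:ff:fe is the classic choice for this test.)
BOGUS_DST_MAC = bytes.fromhex("fffffffffffe")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
PROBE_IDENT = 0x4242  # assumed identifier so we recognise our own reply


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"promisc?",
                    icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP echo header (type, code, checksum, id, seq) plus payload."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header carrying ICMP, checksum filled in."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, ttl, IPPROTO_ICMP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_probe_frame(src_mac: bytes, src_ip: str, dst_ip: str,
                      dst_mac: bytes = BOGUS_DST_MAC, seq: int = 1) -> bytes:
    """Ethernet frame: wrong destination MAC, correct IP/ICMP for dst_ip."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + build_ipv4(src_ip, dst_ip, build_icmp_echo(PROBE_IDENT, seq))


def is_probe_reply(frame: bytes, target_ip: str, ident: int = PROBE_IDENT) -> bool:
    """True if frame is an ICMP echo reply from target_ip with our identifier.

    Only a host whose card accepted the mis-addressed frame can send this.
    """
    if len(frame) < 14 + 20 + 8:
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_ICMP or socket.inet_ntoa(ip[12:16]) != target_ip:
        return False
    icmp_type, _code, _csum, reply_ident, _seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return icmp_type == ICMP_ECHO_REPLY and reply_ident == ident


def probe(iface: str, src_mac: bytes, src_ip: str, target_ip: str,
          timeout: float = 2.0) -> bool:
    """Linux only, needs CAP_NET_RAW: send the probe, wait for a tell-tale reply."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(build_probe_frame(src_mac, src_ip, target_ip))
        try:
            while True:
                if is_probe_reply(s.recv(65535), target_ip):
                    return True
        except socket.timeout:
            return False


if __name__ == "__main__":
    # Assumed interface, MAC and addresses; replace with your own.
    suspect = probe("eth0", bytes.fromhex("001122334455"), "192.0.2.10", "192.0.2.20")
    print("target answered a mis-addressed frame: promiscuous" if suspect
          else "no reply: card is filtering on MAC (or host is down/firewalled)")
```

    A silent target proves nothing (it may be down or drop ICMP), which is why the result is reported as "no reply" rather than "not sniffing"; a reply, on the other hand, can only come from a card that accepted a frame not addressed to it.
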
  4. #14
    Senior Member, joined Aug 2001, 259 posts

    hey watt

    A running pid is a *nix device to see <an id more so> what processes are working on a system. It's like hitting Ctrl-Alt-Del in Windows and seeing what's running, only on a more efficient scale. I think it stands for process ID but I could be wrong.
