
Regarding Packet capturing and decoding


nsmaddict

Technical User
Sep 6, 2004
10
IN
Hi All,

Can anyone let me know the complete process of packet capturing and decoding or analysing through the packet capturing tools? Kindly let me know the detailed information:

1. How does the stealth mode work?
2. How does layer-wise packet decoding take place? What all engines are there?
3. Most imp questions:

a. Can I capture the packets from the virtual interface? If yes, then how?
b. If so, then while decoding the packet, how is it processed in both the physical and virtual interface?
c. How does the packet capturing and decoding happen for clustering packets and multicast traffic?

Waiting for a proper and good response.

Reg,
Neelima Sharma
 
OK then.
1. How does the stealth mode work?

Stealth mode is a form of recon by an attacker. Basically, TCP requires a three-way handshake to set up a session in the following format:

host sends SYN packet
server sends SYN ACK
host sends ACK

After the server receives the final ACK, the session is created and logged.

All an attacker needs to do is send out SYN packets and no ACK; the server responds but does not log, hence stealth.


2. How does layer-wise packet decoding take place? What all engines are there?

Layer wise?? Basically I think what you are getting at is how you break out the DATA, NETWORK, TRANSPORT and APPLICATION levels of the packet. Basically the decoder stacks the info in the decode window like Explorer and you can break open the various levels. Ethereal is pretty good at this and it's free.



3. Most imp questions:

a. Can I capture the packets from the virtual interface? If yes, then how?

Yes, virtual interfaces are seen as an ordinary interface by the decoder; just choose it as the adapter you are sniffing.

b. If so, then while decoding the packet, how is it processed in both the physical and virtual interface?

The interface is bridged, so it sends everything to the virtual interface. Usually you require the WinPcap component in your network connections to allow the card to go into promiscuous mode.

c. How does the packet capturing and decoding happen for clustering packets and multicast traffic?

The card goes into promiscuous mode, so it just captures everything it sees on the wire.
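Added example, not code from the original thread or from Schofs: the detection side of the half-open handshake described in the reply above. It walks a constructed list of TCP flag records through the three-way handshake and counts, per source, the flows the server answered but the client never completed. Those are exactly the sessions that never reach the logged "established" state, so a network-level tracker like this sees what a host log misses. The event tuple layout, the addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict

SYN, ACK, RST = "SYN", "ACK", "RST"

# Constructed sample TCP events, not a real capture:
# (timestamp, src_ip, src_port, dst_ip, dst_port, flags).
SAMPLE_EVENTS = [
    # a normal client completing the handshake to port 80
    (1.00, "198.51.100.5", 51000, "192.0.2.20", 80, {SYN}),
    (1.01, "192.0.2.20", 80, "198.51.100.5", 51000, {SYN, ACK}),
    (1.02, "198.51.100.5", 51000, "192.0.2.20", 80, {ACK}),
    # a host probing several ports: SYN, SYN-ACK comes back, client answers RST, never ACK
    (2.00, "203.0.113.9", 40001, "192.0.2.20", 22, {SYN}),
    (2.01, "192.0.2.20", 22, "203.0.113.9", 40001, {SYN, ACK}),
    (2.02, "203.0.113.9", 40001, "192.0.2.20", 22, {RST}),
    (2.10, "203.0.113.9", 40002, "192.0.2.20", 80, {SYN}),
    (2.11, "192.0.2.20", 80, "203.0.113.9", 40002, {SYN, ACK}),
    (2.12, "203.0.113.9", 40002, "192.0.2.20", 80, {RST}),
    (2.20, "203.0.113.9", 40003, "192.0.2.20", 443, {SYN}),
    (2.21, "192.0.2.20", 443, "203.0.113.9", 40003, {RST, ACK}),   # closed port
]


def track_handshakes(events):
    """Follow each client->server flow through the three-way handshake.

    States: 'syn-only' (client SYN seen, no answer yet), 'half-open' (server
    answered SYN-ACK but the client never completed with ACK), 'refused'
    (server answered RST) and 'open' (client ACK seen). A client RST after the
    SYN-ACK leaves the flow 'half-open': the server never reached the logged,
    established state.
    """
    state = {}
    for _ts, src, sport, dst, dport, flags in events:
        fwd = (src, sport, dst, dport)   # key as seen from the client side
        rev = (dst, dport, src, sport)   # the client-side key for a server reply
        if SYN in flags and ACK not in flags:
            state.setdefault(fwd, "syn-only")          # retransmits do not reset state
        elif SYN in flags and ACK in flags and state.get(rev) == "syn-only":
            state[rev] = "half-open"
        elif RST in flags and state.get(rev) == "syn-only":
            state[rev] = "refused"
        elif ACK in flags and RST not in flags and state.get(fwd) == "half-open":
            state[fwd] = "open"
    return state


def incomplete_handshake_sources(events, threshold=2):
    """Count, per source address, flows that were answered but never established.

    Sources at or above the assumed threshold are the ones that a host-level
    connection log would not show at all, which is the point of the stealth scan.
    """
    counts = defaultdict(int)
    for (src, _sport, _dst, _dport), st in track_handshakes(events).items():
        if st in ("half-open", "refused"):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for flow, st in track_handshakes(SAMPLE_EVENTS).items():
        print(flow, st)
    print("suspect sources:", incomplete_handshake_sources(SAMPLE_EVENTS))
```

The flow key is always normalised to the client side, so a server reply is looked up under the reverse tuple; that is what lets one table hold both directions of the handshake. On a real sensor the same logic would run over flow records from the capture tool rather than the constructed list.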

 
Hi Schofs,

Thanks for the response. But still, continuing with the response, I have not followed some of the explanation. Can you be much more clear on these explanations?

1. All an attacker needs to do is send out SYN packets and no ACK; the server responds but does not log, hence stealth.

What do you mean by this? If this is the continuation of the previous signal exchange, then also I did not get the proper way of the stealth mode of the network adapter.

2. Yes, for the second query the better word is "break out" of the data. But what I wanted to know is which modules of Ethereal are used in breaking out the data layer wise?

3. Regarding virtual interfaces I still have that doubt, but will update the issue as per my recording.

Reg,
Neelima

 
Hi Schoff,

Tell me, in Linux for promiscuous mode all the packets have the group bit set except the broadcast packets. So can you tell me how you locate which is the group bit and which is the broadcast bit?

There is also a concept of a Group Bit set packet, which is rejected by the hardware filter in the normal mode of the NIC, but the same packet is accepted by this filter in the promiscuous mode of the NIC. Can you explain what this Group bit packet is and why these opposite things happen?

There are various settings of promiscuous mode, so how do you configure these settings of the NIC in this mode? Also let me know the settings to capture data in this mode.

Reg,
Neelima
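Added example, not code from the original thread or from Ethereal/Wireshark: a small layer-wise decoder of the kind Schofs describes above (Ethernet, then IPv4, then TCP peeled off in turn), which also answers the group-bit and broadcast-bit question in this post. The group (I/G) bit is the least-significant bit of the first octet of the destination MAC address as it appears on the wire: clear means an individual (unicast) address, set means a group (multicast) address, and the all-ones address ff:ff:ff:ff:ff:ff is the broadcast special case of a group address. The sample frame is constructed in the block (checksums left at zero, a locally administered source MAC); nothing here is a real capture.

```python
import struct


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def classify_dst_mac(mac: bytes) -> str:
    """Decide unicast / multicast / broadcast from the I/G (group) bit.

    The group bit is bit 0 of the first octet on the wire. A NIC in normal mode
    passes only its own unicast address, broadcast and subscribed group
    addresses; in promiscuous mode the hardware filter is bypassed entirely.
    """
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def decode_frame(frame: bytes) -> dict:
    """Peel one Ethernet II frame into 'ethernet', 'ipv4' and 'tcp' layers."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["ethernet"] = {"dst": fmt_mac(dst), "src": fmt_mac(src),
                          "ethertype": ethertype, "dst_kind": classify_dst_mac(dst)}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    layers["ipv4"] = {"src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
                      "ttl": ttl, "proto": proto}
    if proto != 6:                   # only TCP is decoded in this example
        return layers
    tcp = ip[ihl:total_len]          # honour total_len so Ethernet padding is dropped
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP data offset")
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "window": window,
                     "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
                     "payload": tcp[data_off:]}
    return layers


def build_sample_frame(dst_mac: bytes) -> bytes:
    """Constructed test frame (not a real capture): Ethernet II + IPv4 + TCP SYN
    from 192.0.2.10:40000 to 192.0.2.20:80, with checksums left at zero."""
    src_mac = bytes.fromhex("0200000000aa")   # locally administered, constructed
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp


if __name__ == "__main__":
    # unicast, IPv4 multicast group address, and broadcast destinations
    for dst in ("0200000000bb", "01005e000001", "ffffffffffff"):
        layers = decode_frame(build_sample_frame(bytes.fromhex(dst)))
        print(layers["ethernet"]["dst_kind"], layers["ipv4"]["src"], layers["tcp"]["flags"])
```

Each layer is decoded only far enough to find the next one (EtherType, then the IP protocol number, then the TCP data offset), which is the same dispatch a full decoder performs before handing the remainder to the next dissector; the length checks at every step are what keep a truncated or padded frame from being misread as the next header.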

 
I am going to have to research this one.
I'll get back to you.
 
Hi all,

Currently I am experiencing a problem with my Snort. I am running it on Fedora 2.0, and Snort 2.2. It was working fine a few weeks ago until I updated the new rule set and configuration files. Now, when I open up my ACID, I am getting "Sensors: 0" in ACID and no alerts have been received. I checked the Linux system log and it states that Snort is up and running. Is there anything else I need to check? Thanks in advance.


Regards,


SL
 