ICMP for PE

Discussion in 'Port Explorer' started by Dan Perez, May 10, 2003.

Thread Status:
Not open for further replies.
  1. Dan Perez

    Dan Perez Guest

    What would be the chance of adding the ability to detect and spy on ICMP packets?

    I know it isn't common but (as I am sure you know) some tools will use oversize ICMP packets to tunnel data. Being able to spy on this sort of activity would help, especially if the activity log window were to highlight any ICMP packet over a specifiable size.

    TIA
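The check Dan describes above, written out as an added example (this is not Port Explorer or DCS code): it parses raw IPv4 frames, keeps only ICMP, verifies the ICMP checksum, and flags any echo whose payload exceeds a configurable size. The 64-byte threshold, the sample frames and the 192.0.2.x addresses are all constructed for the example; normal ping payloads are 32 bytes on Windows and 56 on Linux, so a much larger payload is the thing worth highlighting in a log.

```python
import struct
from dataclasses import dataclass


@dataclass
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    code: int
    payload_len: int   # bytes after the 8-byte ICMP header
    checksum_ok: bool


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(frame: bytes):
    """Return an IcmpRecord for an IPv4/ICMP frame, or None for anything else.
    The IP header checksum is not verified here; only the ICMP one is."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 1:                       # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:total_len]
    if len(icmp) < 8:
        return None
    icmp_type, code, stored = struct.unpack("!BBH", icmp[:4])
    computed = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return IcmpRecord(src, dst, icmp_type, code, len(icmp) - 8, computed == stored)


def flag_oversize(frames, threshold: int = 64):
    """Return the ICMP records whose payload is larger than `threshold` bytes."""
    alerts = []
    for frame in frames:
        rec = parse_ipv4_icmp(frame)
        if rec is not None and rec.payload_len > threshold:
            alerts.append(rec)
    return alerts


def build_echo(src: str, dst: str, payload: bytes, ident=1, seq=1) -> bytes:
    """Constructed test input: a minimal IPv4 frame carrying an ICMP echo request."""
    def ip_bytes(addr):
        return bytes(int(x) for x in addr.split("."))
    body = struct.pack("!HH", ident, seq) + payload
    cs = icmp_checksum(struct.pack("!BBH", 8, 0, 0) + body)
    icmp = struct.pack("!BBH", 8, 0, cs) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ip_bytes(src), ip_bytes(dst))
    return ip + icmp


# Constructed sample traffic: a normal Windows-sized ping, an oversize echo,
# and a non-ICMP (TCP) frame that the parser must ignore.
SAMPLE_FRAMES = [
    build_echo("192.0.2.10", "192.0.2.1", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo("192.0.2.10", "192.0.2.1", b"A" * 1400),
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x01") + b"\x00" * 20,
]

if __name__ == "__main__":
    for rec in flag_oversize(SAMPLE_FRAMES):
        print("oversize ICMP: %s -> %s type=%d payload=%d bytes checksum_ok=%s"
              % (rec.src, rec.dst, rec.icmp_type, rec.payload_len, rec.checksum_ok))
```

Wired to a capture source, a log window would call `flag_oversize` on each batch of frames and highlight the returned records; the checksum flag is kept in the record because a failed checksum on a large echo is itself worth showing.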
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Dan,

    for me PortExplorer is an easy to use network sniffer for everyone. If you wanna use a more sophisticated one, go for Ethereal, Nmap, CommView, Iris, PortPeeker, PacketX, Sniff'em or whatever. Especially look at the Ethereal or Nmap. ;)

    Best regards,

    Patrice
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting thought Dan, let's see Jason's reactions.

    Patrice, did you also read the DCS pages and comparisons with other port-to-process mappers?
    For packet sniffers, depends on what you need :)
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Jooske,

    well, PortExplorer has many nice functions the others don't have, that's right. But as a network sniffer, I still prefer Ethereal! Yup, I'm a Linux fan, that's also a reason why I like it. ;)

    Regards,

    Patrice
     
  5. Dan Perez

    Dan Perez Guest

    Hi Patrice,

    Yeah, I use Ethereal as well though I prefer snort and windump because of their flexibility and wide availability. One thing I have been wanting to experiment with in Ethereal is the stream reconstruction ability.

    I also use dsniff, ettercap, ngrep as well.

    That being said, the addition of ICMP parsing in PE would be a nice enhancement. When Jooske and I were assisting another user on the TDS General forum we could have used this (which was how I noticed it did NOT have that capability).

    See ya 'round
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Dan,

    o.k., I got your point! As I see you're a more experienced network sniffer. ;) But all the tools you mentioned are based on Linux. Do you use Linux mostly?

    Regards,

    Patrice
     
  7. Dan Perez

    Dan Perez Guest

    Hey,

    I've used Linux some but not lately. I usually use the Win32 ports of those utilities with the winpcap driver.

    I also use OpenBSD quite a bit, especially for deploying Intrusion Detection Systems though I have, on occasion used Linux or Solaris for this.

    Have you used IPTraf? It can be very handy and runs well on Linux (though not on OpenBSD :( as it requires ncurses)
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Dan,

    no I haven't used that. I mostly use Ethereal and Nmap and I try to stick to those two tools. I'm really happy with Ethereal, Port Explorer is a nice addition to all that.

    Regards,

    Patrice
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi guys,

    It would be easy to add ICMP sniffing if the Port Explorer LSP allowed it, but unfortunately it doesn't receive that traffic. A new driver would have to be written to intercept ICMP so it may not find its way into Port Explorer for a while, but it may someday. A lower level driver for Port Explorer has been on the cards for some time.
    -Jason-
     
  10. Rob Potter

    Rob Potter Guest

    Speaking of lower layers --- it would be nice to have a tool to communicate (check on) a networked firewall from a remote console (main computer).

    Port Explorer could add alarms (and Windows Tray lights) to status user on conditions of remote firewall.

    It would raise alarm event if activity on normally closed ports, but make alarm priority selectable so not to alarm on simple port scanning. Use 2 out of 2 coincidence logic to not raise alarm if few packets transfer.
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Rob, that wouldn't be that hard a thing to do (considering you already had written a firewall) but I don't know how big a market for that sort of thing would be. Most firewalls are usually close to people and hence don't need remote monitoring from an application. Would be a nice idea to be able to remotely monitor active sockets on another machine though :) .

    -Jason-
     