What would be the chance of adding the ability to detect and spy on ICMP packets? I know it isn't common, but (as I am sure you know) some tools will use oversize ICMP packets to tunnel data. Being able to spy on this sort of activity would help, especially if the activity log window were to highlight any ICMP packet over a specifiable size. TIA
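The check asked for above, as an added example that is not part of the original post and not Port Explorer's code: a small parser that walks the IPv4 header, finds the ICMP header behind it, and flags any ICMP packet whose payload exceeds a configurable size. The sample packets, the 64-byte threshold and the addresses are constructed for the example.

```python
"""Flag oversized ICMP packets in raw IPv4 frames.

Added example, not code from Port Explorer or any sniffer named in the thread.
It parses the IPv4 header and the ICMP header behind it and marks any ICMP
packet whose payload (bytes after the 8-byte ICMP header) exceeds a
configurable size. The sample packets are constructed inline; nothing is
read from the wire.
"""
import struct

ICMP_PROTO = 1
ICMP_HEADER_LEN = 8
DEFAULT_MAX_PAYLOAD = 64   # assumption: a normal ping carries 32 or 56 bytes


def parse_ipv4(raw: bytes):
    """Return (protocol, header_len, total_length) from an IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version = raw[0] >> 4
    header_len = (raw[0] & 0x0F) * 4
    if version != 4 or header_len < 20:
        raise ValueError("not an IPv4 packet")
    total_length = struct.unpack("!H", raw[2:4])[0]
    return raw[9], header_len, total_length


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a constructed IPv4 + ICMP echo packet for the sample input.

    The IP header checksum is left at zero; the parser below does not check it.
    """
    ident, seq = 0x1234, 1
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return ip + icmp


def inspect_icmp(raw: bytes, max_payload: int = DEFAULT_MAX_PAYLOAD):
    """Describe the ICMP packet in raw, or return None if it is not ICMP."""
    protocol, header_len, total_length = parse_ipv4(raw)
    if protocol != ICMP_PROTO:
        return None
    icmp = raw[header_len:total_length]
    if len(icmp) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP header")
    payload_len = len(icmp) - ICMP_HEADER_LEN
    return {
        "type": icmp[0],
        "code": icmp[1],
        "payload_len": payload_len,
        "oversized": payload_len > max_payload,
        # A valid message sums to zero when the checksum field is included.
        "checksum_ok": icmp_checksum(icmp) == 0,
    }


def flag_oversized(packets, max_payload: int = DEFAULT_MAX_PAYLOAD):
    """Return indexes of the ICMP packets whose payload exceeds max_payload."""
    flagged = []
    for i, raw in enumerate(packets):
        info = inspect_icmp(raw, max_payload)
        if info is not None and info["oversized"]:
            flagged.append(i)
    return flagged


# Constructed sample traffic: a normal 56-byte ping, a TCP packet that must be
# ignored, and an echo request stuffed with 1050 bytes, as a covert channel would send.
TCP_STUB = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + b"\x00" * 20
SAMPLE_PACKETS = [
    build_icmp_echo(b"A" * 56),
    TCP_STUB,
    build_icmp_echo(b"secret-file-contents " * 50),
]

if __name__ == "__main__":
    for i in flag_oversized(SAMPLE_PACKETS):
        print("packet %d: oversized ICMP %s" % (i, inspect_icmp(SAMPLE_PACKETS[i])))
```

The threshold is per ICMP payload rather than per frame, so a tunnel that pads its data into echo requests is caught regardless of IP header options; the checksum flag is there because a tunnel client that writes raw packets sometimes gets it wrong, which is a second signal worth logging.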
Hi Dan, for me PortExplorer is an easy-to-use network sniffer for everyone. If you wanna use a more sophisticated one, go for Ethereal, Nmap, CommView, Iris, PortPeeker, PacketX, Sniff'em or whatever. Especially look at Ethereal or Nmap. Best regards, Patrice
Interesting thought, Dan; let's see Jason's reaction. Patrice, did you also read the DCS pages and comparisons with other port-to-process mappers? For packet sniffers, it depends on what you need.
Hi Jooske, well, PortExplorer has many nice functions the others don't have, that's right. But as a network sniffer, I still prefer Ethereal! Yup, I'm a Linux fan, that's also a reason why I like it. Regards, Patrice
Hi Patrice, yeah, I use Ethereal as well, though I prefer snort and windump because of their flexibility and wide availability. One thing I have been wanting to experiment with in Ethereal is the stream reconstruction ability. I also use dsniff, ettercap and ngrep. That being said, the addition of ICMP parsing in PE would be a nice enhancement. When Jooske and I were assisting another user on the TDS General forum we could have used this (which was how I noticed it did NOT have that capability). See ya 'round
Hi Dan, OK, I got your point! As I see, you're a more experienced network sniffer. But all the tools you mentioned are based on Linux. Do you use Linux mostly? Regards, Patrice
Hey, I've used Linux some but not lately. I usually use the Win32 ports of those utilities with the WinPcap driver. I also use OpenBSD quite a bit, especially for deploying intrusion detection systems, though I have on occasion used Linux or Solaris for this. Have you used IPTraf? It can be very handy and runs well on Linux (though not on OpenBSD, as it requires ncurses).
Hi Dan, no I haven't used that. I mostly use Ethereal and Nmap and I try to stick to those two tools. I'm really happy with Ethereal, Port Explorer is a nice addition to all that. Regards, Patrice
Hi guys, It would be easy to add ICMP sniffing if the Port Explorer LSP allowed it, but unfortunately it doesn't receive that traffic. A new driver would have to be written to intercept ICMP so it may not find its way into Port Explorer for a while, but it may someday. A lower level driver for Port Explorer has been on the cards for some time. -Jason-
Speaking of lower layers, it would be nice to have a tool to communicate with (check on) a networked firewall from a remote console (main computer). Port Explorer could add alarms (and Windows tray lights) to inform the user of the status of the remote firewall. It would raise an alarm event on activity on normally closed ports, but make the alarm priority selectable so as not to alarm on simple port scanning. Use 2-out-of-2 coincidence logic so as not to raise an alarm if only a few packets transfer.
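The alarm logic sketched in the post above, as an added example that is not part of the original post and not Port Explorer's or any firewall's own code: hits on normally closed ports are counted per source, an alarm fires only once a source has produced two such hits (2-out-of-2 coincidence), repeated hits on one port are rated high and a sweep across several ports low, and the operator chooses the minimum priority that reaches them. The closed-port set, the addresses and the event log are constructed for the example.

```python
"""Alarm logic for remotely monitoring a firewall's closed ports.

Added example, not Port Explorer's or any firewall's own code. It models the
suggestion in the thread: alarm on activity against normally closed ports,
require two hits from the same source before alarming (2-out-of-2
coincidence) so a stray packet is ignored, rate a sweep across ports as low
priority and repeated hits on one port as high, and let the operator pick the
minimum priority that is reported. Port set and event log are constructed.
"""
from collections import defaultdict

# Assumption: these are the ports the monitored firewall keeps closed.
CLOSED_PORTS = {23, 135, 139, 445, 3389}
PRIORITY_RANK = {"low": 0, "high": 1}


class FirewallAlarm:
    def __init__(self, closed_ports, coincidence=2, min_priority="low"):
        self.closed_ports = set(closed_ports)
        self.coincidence = coincidence          # hits needed before an alarm fires
        self.min_priority = min_priority        # operator-selectable threshold
        self.hits = defaultdict(list)           # src -> closed ports it has hit
        self.raised = set()                     # (src, priority) already alarmed
        self.alarms = []

    def feed(self, src, dport):
        """Process one packet record; return a newly raised alarm dict or None."""
        if dport not in self.closed_ports:
            return None                         # traffic to an open port is normal
        hits = self.hits[src]
        hits.append(dport)
        if len(hits) < self.coincidence:
            return None                         # lone packet: wait for the coincidence
        window = hits[-self.coincidence:]
        # The same closed port hit repeatedly looks targeted; different ports look like a scan.
        priority = "high" if len(set(window)) == 1 else "low"
        if PRIORITY_RANK[priority] < PRIORITY_RANK[self.min_priority]:
            return None                         # below what the operator wants to see
        key = (src, priority)
        if key in self.raised:
            return None                         # one alarm per source and priority
        self.raised.add(key)
        alarm = {"src": src, "port": dport, "priority": priority, "hits": len(hits)}
        self.alarms.append(alarm)
        return alarm


def run_monitor(events, min_priority="low", closed_ports=CLOSED_PORTS):
    """Feed (src, dport) records through the alarm and return the alarms raised."""
    monitor = FirewallAlarm(closed_ports, min_priority=min_priority)
    for src, dport in events:
        monitor.feed(src, dport)
    return monitor.alarms


# Constructed event log: (source address, destination port) as seen by the firewall.
SAMPLE_EVENTS = [
    ("10.0.0.5", 80),     # open port, ignored
    ("10.0.0.5", 445),    # first hit on a closed port: no alarm yet
    ("10.0.0.5", 445),    # second hit on the same port: high-priority alarm
    ("10.0.0.9", 23),     # a scanner sweeping closed ports ...
    ("10.0.0.9", 135),    # ... alarms once, at low priority
    ("10.0.0.9", 139),
    ("10.0.0.9", 445),
    ("10.0.0.7", 3389),   # a single stray packet never alarms
]

if __name__ == "__main__":
    for alarm in run_monitor(SAMPLE_EVENTS):
        print(alarm)
```

Running it with `min_priority="high"` reports only the repeated hits on port 445 and stays quiet about the scanner, which is the "don't alarm on simple port scanning" behaviour the post asks for; the per-source state would need a time window or an upper bound before it was used on a busy link.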
Hi Rob, that wouldn't be that hard a thing to do (considering you had already written a firewall), but I don't know how big a market there would be for that sort of thing. Most firewalls are usually close to people and hence don't need remote monitoring from an application. It would be a nice idea to be able to remotely monitor active sockets on another machine, though. -Jason-